10 Security Bugs You Should Be Watching
4:00 PM EST Mon. Jun. 25, 2012
New malware arrives on the scene every day, an ongoing test of wills and of technology that pits the good guys against the bad guys in almost movie-like fashion. The stakes are high: nothing less than your customers’ assets and most important data are being targeted.
Some of these threats are notable for the scale of the attack. Others, such as Stuxnet and Flame, are notorious for the technology involved and for what those developments mean for the overall risk customers face.
Here is a list of current threats to keep tabs on.
Russian security vendor Kaspersky Lab reports that it has identified three APK files, heuristically detected as HEUR:Trojan-Spy.AndroidOS.Zitmo.a, that hijack incoming SMS messages and upload them to a remote server whose URL is stored in encrypted form inside the Trojan. The value of the stolen messages is that banks deliver one-time transaction codes over SMS, so a hijacked inbox defeats SMS-based two-factor authentication. Infected devices typically show a blue shield icon in the application menu under the name "Android Security Suite Premium."
GovCertUK, the Computer Emergency Response Team (CERT) for the UK Government, reports that an advanced feature of Adobe Reader is being used to deliver malicious payloads over email. The organization says it has been tracking a number of spear-phishing campaigns against UK government bodies that use the XDP file format, an XML wrapper carrying a Base64-encoded copy of an ordinary PDF. Because the malicious document never appears on the wire or on disk in its native form, the wrapper lets it slip past antivirus and intrusion detection systems that inspect only plain PDF files.
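To see what the XDP wrapper actually contains, here is an added example (not GovCertUK's or Adobe's code) that builds an XDP around a constructed sample PDF, unwraps it and runs a first-pass triage on the decoded document. The sample PDF and its harmless JavaScript are constructed for the demo; the `<pdf>` packet carrying the Base64 payload in an `xdp:Content` attribute, or in `<document><chunk>` children, follows the layout the XDP format defines.

```python
"""Unwrap an XDP file and triage the PDF it carries (added example)."""
import base64
import re
import xml.etree.ElementTree as ET

XDP_NS = "http://ns.adobe.com/xdp/"
PDF_PKT_NS = "http://ns.adobe.com/xdp/pdf/"

# Constructed sample: a minimal PDF whose /OpenAction runs JavaScript. The
# script is a harmless app.alert(); it stands in for the kind of document a
# spear-phishing campaign would deliver.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def wrap_in_xdp(pdf_bytes, chunked=False):
    """Build an XDP wrapper around a PDF. By default the Base64 payload goes in
    the xdp:Content attribute of the <pdf> packet; chunked=True uses the
    <document><chunk> form the format also allows."""
    b64 = base64.b64encode(pdf_bytes).decode("ascii")
    if chunked:
        packet = (f'<pdf xmlns="{PDF_PKT_NS}"><document><chunk>{b64}'
                  '</chunk></document></pdf>')
    else:
        packet = f'<pdf xmlns="{PDF_PKT_NS}" xdp:Content="{b64}"/>'
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            f'<xdp:xdp xmlns:xdp="{XDP_NS}">\n  {packet}\n</xdp:xdp>\n')


def extract_pdfs(xdp_text):
    """Return every PDF carried in the XDP, decoded back to raw bytes."""
    root = ET.fromstring(xdp_text)
    pdfs = []
    for pkt in root.iter(f"{{{PDF_PKT_NS}}}pdf"):
        content = pkt.get(f"{{{XDP_NS}}}Content")
        if content:
            pdfs.append(base64.b64decode(content))
            continue
        chunks = [c.text or "" for c in pkt.iter(f"{{{PDF_PKT_NS}}}chunk")]
        if chunks:
            pdfs.append(base64.b64decode("".join(chunks)))
    return pdfs


# PDF name objects an inert document has no reason to contain.
RISKY_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
              b"/EmbeddedFile", b"/RichMedia")


def triage_pdf(pdf_bytes):
    """Cheap first-pass check on a decoded PDF: is it really a PDF, and does it
    use any of the active-content features above? The lookahead stops /JS
    from matching inside /JSomethingElse."""
    if not pdf_bytes.startswith(b"%PDF-"):
        return {"is_pdf": False, "risky": []}
    found = [k.decode() for k in RISKY_KEYS
             if re.search(re.escape(k) + rb"(?![A-Za-z])", pdf_bytes)]
    return {"is_pdf": True, "risky": found}


def triage_xdp(xdp_text):
    """Unwrap, then triage each embedded PDF."""
    return [triage_pdf(p) for p in extract_pdfs(xdp_text)]


if __name__ == "__main__":
    for report in triage_xdp(wrap_in_xdp(SAMPLE_PDF)):
        print(report)
```

The point is the unwrap step: a scanner that only recognises `%PDF` headers never sees the document, while the decoded bytes are an ordinary PDF that existing PDF tooling can examine. The keyword scan is deliberately cheap; real samples often hide these names inside compressed object streams, so treat a hit as a triage hint and a miss as no verdict at all.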
Czech Republic-based Eset says it has successfully countered a worm designed to steal AutoCAD drawings and transmit the pilfered designs to China. More than 10,000 ACAD/Medre.A infections have been found in Latin America, most of them at organizations doing business with the government of Peru.
The malware arrives as a hidden file named acad.fas, usually alongside an AutoCAD .dwg file. AutoCAD loads a start-up file by that name automatically from the directory of the drawing being opened, so simply opening the drawing runs the malicious code. Eset’s scanner removes the worm, and the company has also released a free stand-alone removal tool for non-customers. In addition, the Chinese ISPs that host the recipient email addresses have reportedly begun blocking those addresses.
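The detail that matters here is the loading mechanism: a file named acad.fas beside a drawing is picked up by AutoCAD as a start-up file. The following added example, which is not Eset's tool, walks a directory tree and reports every AutoCAD start-up file it finds, flagging whether it sits beside .dwg drawings, whether the hidden attribute is set, and a SHA-256 so the file can be compared against a known-good copy. The directory tree it scans is constructed in a temp folder for the demo, and the list of start-up file names beyond acad.fas (the acad/acaddoc .lsp/.fas/.vlx family) is an assumption of the example about AutoCAD's search order.

```python
"""Hunt for AutoCAD start-up files sitting beside drawings (added example)."""
import hashlib
import os
import stat
import tempfile

# Files AutoCAD loads automatically from the current drawing's directory.
# acad.fas is the name the Medre worm uses; the others are the sibling
# start-up names assumed here to be searched alongside it.
AUTOLOAD_NAMES = {"acad.fas", "acad.lsp", "acad.vlx",
                  "acaddoc.fas", "acaddoc.lsp", "acaddoc.vlx"}

FILE_ATTRIBUTE_HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)


def is_hidden(path):
    """Windows hidden attribute where the platform exposes it; a leading dot
    elsewhere."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def find_autoload_files(root_dir):
    """Walk root_dir and report every AutoCAD start-up file, noting whether it
    shares a directory with .dwg drawings (the Medre pattern)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        by_lower = {f.lower(): f for f in files}
        has_dwg = any(name.endswith(".dwg") for name in by_lower)
        for name in sorted(AUTOLOAD_NAMES & set(by_lower)):
            path = os.path.join(dirpath, by_lower[name])
            findings.append({
                "path": path,
                "name": name,
                "beside_dwg": has_dwg,
                "hidden": is_hidden(path),
                "sha256": sha256_of(path),
            })
    return findings


def make_demo_tree():
    """Constructed sample tree: a project folder holding a drawing with an
    acad.fas next to it, plus a clean folder. Returns the temp root."""
    root = tempfile.mkdtemp(prefix="acad-demo-")
    proj = os.path.join(root, "bridge-project")
    clean = os.path.join(root, "reports")
    os.makedirs(proj)
    os.makedirs(clean)
    with open(os.path.join(proj, "site-plan.dwg"), "wb") as f:
        f.write(b"AC1024" + b"\x00" * 32)  # DWG files open with an ACxxxx version tag
    with open(os.path.join(proj, "acad.fas"), "wb") as f:
        f.write(b"constructed stand-in for a compiled AutoLISP file")
    with open(os.path.join(clean, "notes.txt"), "w") as f:
        f.write("nothing to see here\n")
    return root


if __name__ == "__main__":
    for hit in find_autoload_files(make_demo_tree()):
        print(hit)
```

Many shops have a legitimate acad.lsp or acaddoc.lsp, so the hit list is a review queue rather than a verdict: compare hashes across project folders, and treat a compiled (.fas or .vlx) start-up file that nobody can account for, especially a hidden one, as suspect.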
Cisco advised customers to install patches for its AnyConnect Secure Mobility virtual private network (VPN) client to close remotely exploitable vulnerabilities. A user lured to a malicious web site could have arbitrary code executed on the machine through the client’s ActiveX control or Java applet. Cisco also warned of a software downgrade vulnerability that lets an attacker replace the installed client with an earlier version and then exploit flaws that had already been patched. That last one is the reason to confirm the version actually running after patching rather than assuming the update stuck.
Separate versions for Windows, Linux and Apple OS X were all affected; Cisco’s versions for Android and for the Cisco Cius were not believed to be vulnerable to this particular attack.
US-CERT issued an advisory that some 64-bit operating systems and virtualization software running on Intel CPUs are susceptible to a local privilege escalation attack or a guest-to-host virtual machine escape.
The VM escape is considered by some to be the “Holy Grail” for virtualization attackers, because reaching the host can give control of the other virtual machines, or even of the physical environment. In this case the impact is reduced by the fact that the attack must be executed locally, by code already running on the affected system, and work on this particular attack is so far believed to be aimed at producing proof-of-concept code. That is a thinner safeguard than it sounds on multi-tenant hosts, where any customer can run code inside a guest.
Microsoft has acknowledged a string of active attacks that leverage a vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0 and 6.0. The vulnerability could allow attackers to execute their own code and take control of the machine once the victim views a malicious web page in Internet Explorer. It affects all supported releases of Microsoft Windows as well as all supported editions of Microsoft Office 2003 and Microsoft Office 2007.
The flaw arises when MSXML attempts to access an object in memory that has not been initialized. This can corrupt memory and let an attacker execute arbitrary code in the context of the logged-on user, so the damage is bounded by that user’s privileges: an account without administrative rights limits what the payload can do.
South Korean security vendor AhnLab, Inc. has warned of variants of the SpyEye Trojan and ZeuS bot that run on the victim’s phone and steal personal banking data along with incoming SMS messages, phone numbers, device identification numbers and other data, all uploaded to command-and-control servers. In the current attack the victim downloads a malicious application that poses as security software and then installs a second malicious file that attempts to steal the username and password to the victim’s bank account. So far, the company reports, the attack has mostly targeted banks located in Germany.
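Both the Kaspersky Zitmo item above and the AhnLab warning here describe the same mechanism: an app that poses as security software, registers for incoming SMS and ships the messages, along with the phone number and device identifiers, to a server. The Android manifest is where that hook is declared, so the following added example, which is not code from either vendor, parses a manifest and reports the tell-tale combination of permissions and receiver. The sample manifest, package name and receiver class are constructed for the demo; a manifest inside a real APK is stored as Android binary XML and must be decoded to text first (apktool does this), which is what the parser expects.

```python
"""Triage an Android manifest for SMS-interception hooks (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def _a(name):
    """Fully qualified android: attribute name as ElementTree sees it."""
    return f"{{{ANDROID_NS}}}{name}"


# Constructed sample manifest. It is not taken from Zitmo or from the
# SpyEye/ZeuS variants; it only reproduces the pattern those items describe:
# an app that poses as security software, holds RECEIVE_SMS, READ_PHONE_STATE
# and INTERNET, and registers a high-priority receiver for incoming SMS.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.securitysuite">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Security Suite">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def analyze_manifest(xml_text):
    """Return the SMS receivers an app registers (name, priority), its
    permissions, and a list of findings explaining why the combination matters."""
    root = ET.fromstring(xml_text)
    perms = {e.get(_a("name")) for e in root.iter("uses-permission")} - {None}
    hooks = []
    for rcv in root.iter("receiver"):
        for filt in rcv.findall("intent-filter"):
            actions = {act.get(_a("name")) for act in filt.findall("action")}
            if SMS_RECEIVED in actions:
                hooks.append((rcv.get(_a("name")),
                              int(filt.get(_a("priority"), "0"))))

    findings = []
    if hooks and "android.permission.RECEIVE_SMS" in perms:
        findings.append("registers a receiver for incoming SMS")
    if any(prio > 0 for _, prio in hooks):
        # SMS_RECEIVED was an ordered broadcast on the Android releases of this
        # period: a higher-priority receiver runs first and can abort it so the
        # stock messaging app never shows the message.
        findings.append("receiver priority is raised, so it runs ahead of the "
                        "stock messaging app and can abort the broadcast")
    if hooks and "android.permission.INTERNET" in perms:
        findings.append("also holds INTERNET, so intercepted messages can be uploaded")
    if hooks and "android.permission.READ_PHONE_STATE" in perms:
        findings.append("also holds READ_PHONE_STATE, which exposes the phone "
                        "number and device identifiers")
    return {"sms_receivers": hooks, "permissions": sorted(perms),
            "findings": findings}


if __name__ == "__main__":
    report = analyze_manifest(SAMPLE_MANIFEST)
    for line in report["findings"]:
        print("-", line)
```

Plenty of legitimate apps (messaging clients, backup tools) register for SMS_RECEIVED, so the receiver alone proves nothing; the combination with a raised priority, network access and a "security suite" label that the store listing cannot account for is what should send the APK to a sandbox.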
On the less-scary, more-nuisance front, Symantec has warned of a Trojan that fires off massive print jobs of gibberish that keep running until the organization's printers run out of paper. Trojan.Milicenso has been on the radar for about two weeks, hitting the U.S. and India hardest, along with Europe and South America. Most likely spread by email and websites, the bug was first seen in 2010 and is believed to be a malware delivery vehicle for hire. The Trojan creates and executes a dropper executable, which in turn writes a DLL file into the System folder; the dropper then deletes itself.
Flame gets an honorable mention now that the worm’s initial spread has substantially died down. While it is weapons-grade malware that has been used successfully against Iran and, in isolated cases, in the Far East, it is important to note that some of its most dangerous capabilities are highly modular. You can bet your bottom dollar that malware authors are working to embed those modules in their own attacks even as you read this.
Hand in hand with Flame, Stuxnet has a reputation as one of the nastiest bugs in today’s IT security discussion. First discovered in 2010, it has since appeared in at least two additional variants, an obvious attempt to make the malware bigger and badder by adding advanced functionality and improving the worm’s ability to propagate. It has proven itself an effective military weapon, causing at least temporary delays in Iran’s alleged attempt to build nuclear weapons. Besides being a technological cousin of Flame, it is viewed by some as the parent of Duqu, another renowned piece of malware.