The folks over at SANS Internet Storm Center are pointing to a new study by Symantec that warns of threats posed by malicious code to virtual environments and warns that threats such as that the network traffic within virtual containers may not be monitored by services such as IDS or DLP. The paper covers how malware behaves in virtual environments. Specifically, the report examines W32.Crisis, a malicious program that is known to target virtual environments. The Crisis malware doesn’t exploit any specific vulnerability, SANS notes. Rather: it takes advantage of how the virtual machines are stored in the host system to manipulate that environment for malicious purposes while escaping detection. via InfoSec Handlers Diary Blog – Threats to virtual environments.
Symantec
DHS Warns Energy Firms Of Malware Used In Targeted Attacks
The Department of Homeland Security warned firms in the energy sector about new, targeted malware infecting industrial control systems and stealing data. DHS’s ICS CERT, the Industrial Control Systems Computer Emergency Response Team, said it is analyzing malware associated with an ICS-focused malware campaign. The malicious software, dubbed “Havex” that was being spread by way of phishing emails and so-called “watering hole” attacks that involved compromises of ICS vendor web sites. DHS was alerted to the attacks by researchers at the security firms Symantec (which dubbed the malware campaign “Dragonfly”) and F-Secure (“Havex”) -a remote access trojan (or RAT) that also acts as an installer (or “downloader”) – fetching other malicious applications to perform specific tasks on compromised networks. One of those additional payloads is a Trojan Horse program dubbed Karagany (by Symantec) that has been liked to prior attacks on energy firms. According to Symantec, the malware targeted energy grid operators, major electricity generation firms, […]
Linux IoT Worm Still Alive And Mining Virtual Coins
A few months ago we wrote about a new Internet worm notable because it spread between devices running the Linux operating systems, and because it had the ability to infect a range of non-PC devices including set top boxes. Symantec was quick to suggest that the worm, Linux.Darlloz, was the first “Internet of Things” malware. Now, three months later, Symantec is updating the story: noting that Darlloz is still out there, and seems to have been put to use mining for virtual currencies. Writing on Symantec’s blog on Thursday, analyst Karou Hayashi said that researchers there discovered a new variant of Darlloz in January that included code changes and improvements from the version discovered at the end of 2013. Darlloz is versatile: it can run on devices using a variety of architectures, including the common Intel x86, but also hardware running the ARM, MIPS and PowerPC architectures. Those are more common […]
Veterans Targeted In Attack Using IE 10 Zero Day
Visitors to the web site of the Veterans of Foreign Wars (VFW) are being targeted in an attack that exploits a previously unknown hole in Microsoft’s Internet Explorer 10 web browser, according to warnings Thursday by security firms. Some visitors to the web site of the Veterans of Foreign Wars (VFW), vfw[dot]org, were the victim of a ‘watering hole’ attack that takes advantage of a previously unknown ‘use-after-free’ vulnerability in Microsoft’s Internet Explorer 10 web browser. The VFW site was hacked and then altered to redirect users, silently, to a malicious website programmed to exploit vulnerable versions of IE 10 on systems running 32 bit versions of the Windows operating system. The VFW did not immediately respond to e-mail and phone requests for comment. According to a write-up by the security firm FireEye, the vulnerability allows the attacker to “modify one byte of memory at an arbitrary address” stored […]
When The Internet of Things Attacks! Parsing The IoT Botnet Story
I spent most of last week at a conference in Florida going deep on the security of critical infrastructure – you know: the software that runs power plants and manufacturing lines. (More to come on that!) While there, the security firm Proofpoint released a statement saying that it had evidence that a spam botnet was using “Internet of Things” devices. The company said on January 16 that a spam campaign totaling 750,000 malicious emails originated with a botnet made up of “more than 100,000 everyday consumer gadgets” including home networking routers, multi media centers, televisions and at least one refrigerator.” Proofpoint claims it is the “first time the industry has reported actual proof of such a cyber attack involving common appliances.” [Read: “Missing in action at Black Hat: the PC.”] Heady stuff – but is it true? It’s hard to know for sure. As with all these reports, it’s important […]
