It would be nice if we were told how to identify any potential infection by this malware...
Magic mystery malware menaces many UK machines - new claim
Security researchers have found malware that communicates using an unknown protocol and is largely targeting UK businesses. The mystery software nasty has infected thousands of machines at organisations in finance, education, telecoms and other sectors, we're told. It initially phones home to its masters by establishing a …
Thursday 18th April 2013 13:59 GMT NomNomNom
Re: exactly...
Yeah, ZoneAlarm worked fine for years but then it started putting up messages all the time about some application trying to connect to something or other. I tried updating ZoneAlarm but it kept doing it, so eventually I gave up and turned it off. Couldn't find any alternatives and now my browser is going crazy as well trying to make me buy some WindowsAntivirus or something, but I already have antivirus. Technology! Can't live with it, can't live without it.
Thursday 18th April 2013 15:23 GMT Anonymous Coward
Re: exactly...
Quite a few of the current malware attacks check on install for ZoneAlarm on PC (or Little Snitch directories on Mac), or the presence of VMware w.h.y., and abort the install - just in case you might be a sysadmin or white-hat jam-pot researcher. So YES, really installing or mebbe just creating wireshark/firewall type directory names might give you a certain level of security... but you need a few more.
repeat after me: multiple independent levels of security!
Tuesday 23rd April 2013 00:25 GMT Not That Andrew
@AC Re: @NomNomNom
Quite probably, I just went off automatically. That particular sort of malware is why I no longer do computer support for friends and family. Almost impossible to get rid of without nuking and paving, and then you get bitched at because you couldn't (or wouldn't) save their collection of vintage donkey porn.
Thursday 18th April 2013 14:55 GMT Anonymous Coward
Re: Good to see all the "heuristic malware scanners" are doing their job
"And how did it get there in the first place?"
Who says it's there at all? One AV vendor, who've offered no proof or detection method, although they obviously claim they can detect (and presumably) prevent it. A hardened cynic might wonder whether this AV outfit was previously involved in offering novel imperial clothing, and was now applying the same skills in the tech sector.
Friday 19th April 2013 08:18 GMT PyLETS
Re: Good to see all the "heuristic malware scanners" are doing their job
Malware remaining active on many machines and undiscovered for 11 months emphasises that scanning for known bad stuff within an everything per user access-control context isn't an effective security approach any more. Making sure you only execute known good stuff other than in very secure, application and time limited sandboxes seems to make more sense, e.g. the sandbox in which you do online purchases and run associated web-supplied Javascript shouldn't connect to any other sandbox and needs wiping and resetting to a known good state at short and regular intervals.
Thursday 18th April 2013 14:31 GMT adnim
I was thinking about
building a honeywall using a Raspberry Pi this morning.
Almost every piece of software I install wants to phone home without asking permission or giving any indication in the EULA or documentation that it will do so.
It's been quite a while since I ran a honeywall and honeypots; getting back into it again will be a nice refresher. Something for rainy Sunday afternoons, I expect we will get a lot of them in summer.
Thursday 18th April 2013 17:50 GMT All names Taken
Har dee har har!
My guess is that it is HMRC (Her Majesty's Revenue and Customs) and UK Treasury, based on it being limited to UK businesses (and I guess individuals too).
Those tax collecting Whitehall bods need all the cash they can get their hands on and if that means granny with her empty bedrooms or one's pension then one's pension will always win!
(Sad innit?)
Thursday 18th April 2013 18:45 GMT Anonymous Coward
Errr...
"In one instance, the malware contacted the command server for further instructions, and was told to create a new user — username: WINDOWS, password: MyPass1234 — enabling the attacker to remotely log into the infected computer"
Please explain how creating a new user account on a machine magically allows a user to remotely log into the machine?
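The pattern the quoted article describes (account created on instruction from the C2, then used for a remote logon) is something a defender can correlate in Windows Security auditing. The following is an added example, not code from the article, Seculert or this thread: it runs a simple correlation over constructed event records. Event IDs 4720 (user account created), 4732 (member added to a security-enabled local group) and 4624 with LogonType 10 (RemoteInteractive, i.e. RDP) are real Windows audit IDs; the records are flattened and renamed for readability (a real 4732 event carries the member in MemberName and the group in TargetUserName), the timestamps and IP are invented, and only the WINDOWS account name comes from the article.

```python
"""Correlate Windows Security events for the sequence: account created (4720),
added to a group that permits remote logon (4732), then used over RDP (4624,
LogonType 10). Added example with constructed, flattened event records."""
from datetime import datetime, timedelta

# Built-in groups whose members may log on through Remote Desktop.
REMOTE_ACCESS_GROUPS = {"Administrators", "Remote Desktop Users"}
RDP_LOGON_TYPE = "10"  # 4624 LogonType 10 = RemoteInteractive (RDP)

# Constructed sample data: the WINDOWS account follows the article's pattern;
# helpdesk is a benign creation placed in an ordinary group; alice is a
# console (type 2) logon. Timestamps and the source IP are invented.
SAMPLE_EVENTS = [
    {"time": "2013-04-18T13:02:11", "id": 4720, "account": "WINDOWS"},
    {"time": "2013-04-18T13:02:12", "id": 4732, "account": "WINDOWS",
     "group": "Remote Desktop Users"},
    {"time": "2013-04-18T13:05:40", "id": 4624, "account": "WINDOWS",
     "logon_type": "10", "src_ip": "203.0.113.7"},
    {"time": "2013-04-18T09:00:00", "id": 4720, "account": "helpdesk"},
    {"time": "2013-04-18T09:00:05", "id": 4732, "account": "helpdesk",
     "group": "Users"},
    {"time": "2013-04-18T15:00:00", "id": 4624, "account": "alice",
     "logon_type": "2"},
]


def find_rogue_remote_accounts(events, window=timedelta(hours=24)):
    """Return (account, group, source_ip) for every account that was created,
    granted a remote-access group, and then logged on over RDP within
    `window` of its creation. Events are processed in time order."""
    state = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        rec = state.setdefault(ev["account"],
                               {"created": None, "group": None, "rdp": None})
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            rec["created"] = when
        elif ev["id"] == 4732 and ev.get("group") in REMOTE_ACCESS_GROUPS:
            rec["group"] = ev["group"]
        elif (ev["id"] == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE
              and rec["created"] is not None and rec["rdp"] is None):
            # First RDP logon after the account came into existence.
            rec["rdp"] = (when, ev.get("src_ip"))

    findings = []
    for account, rec in state.items():
        if rec["created"] and rec["group"] and rec["rdp"]:
            logon_at, src_ip = rec["rdp"]
            if logon_at <= rec["created"] + window:
                findings.append((account, rec["group"], src_ip))
    return findings


if __name__ == "__main__":
    for hit in find_rogue_remote_accounts(SAMPLE_EVENTS):
        print("account created and used for RDP shortly after:", hit)
```

The group-membership step is what turns "a new local user" into "a remote login": on a default Windows install a freshly created account cannot connect over RDP until it is placed in Administrators or Remote Desktop Users, and Remote Desktop has to be enabled and reachable, so a detection that keys on 4720 alone is noisy while the three-event chain is rare on a healthy host.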
Friday 19th April 2013 09:20 GMT amanfromMars 1
Re: Errr... SMARTR Virtual Leader Ships Fully Armoured Battle Stations with Satellite Weaponry
Please explain how creating a new user account on a machine magically allows a user to remotely log into the machine?
IT creates ACE Anonymous CyberIntelAIgent Entities to SHAPE Command and Control Mentoring and Monitoring of Virgin ProgramMING to XSS Standards for Entry to the Above. :-)
Does the Military Prevent Control Access to Sensitive Active Triggers with Realisation that Presentation of what can be Built Creatively with them, is Classified HQE/Need to Know TS/SCI.
C42QCCSystems trawling and a'hauling for Phish in Deep Intelligent Supply Counters for Alternative Moves and Power Plays/Control Blitzes.
Friday 19th April 2013 01:12 GMT garbo
Re: So.....
Been running Linux for so long I can't remember - don't you need Admin rights to create a new user on Windows? You certainly do in Linux, which is why malware downloaded by a "user" can't attack the system. No "write" or even "read" (in most cases) rights.
How does this malware gain Admin rights on Windows?
Friday 19th April 2013 08:23 GMT PyLETS
Re: So.....
I've also been running Linux since the late nineties, but that doesn't prevent us from being attacked by JavaScript-related vulnerabilities in our over-complex web browsers operating cross-site or across web applications. Firefox vulnerabilities will apply regardless of OS.
Insecurity results from a combination of complexity and complacency and while Linux is good it ain't no magic bullet.
Friday 19th April 2013 00:10 GMT John Halewood
Fishy
There's an awful lot of gaps in that blog post, perhaps most of all: "For instance, in case the attacker would like to open a browser on the victim’s machine, the malware will popup on the RDP session for the attacker a box with the message: 'TODO:Start browser!'
That indicates they've already got a copy of the C&C/client code, so they should have pretty well profiled what it's doing, and if they can see the "magic" id at the start of it, that suggests it's not encrypted.
I'd be interested to see how you can run RDP through a firewall to a target machine on an RFC1918 network, unless they've implemented a reverse telnet equivalent of RDP. If so, please open source it 'cos it would make a lot of my job a lot easier and I wouldn't have to bother with VPNs anymore
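The "magic code for authentication" quoted from the blog post, and the observation above that a magic id visible at the start of the request means the traffic is not encrypted, can be modelled with a few lines of framing code. This is an added example, not the malware's protocol or Seculert's code: the MAGIC value, the header layout, and the command syntax are hypothetical, and only the username and password in the queued command come from the article. It shows both sides of the exchange and the two consequences of a static cleartext magic: the C2 will answer anyone who replays a captured request, and an IDS can match the magic at offset 0. The reverse-connection question about RDP across an RFC1918 boundary is not modelled here.

```python
"""Model of a C2 'custom protocol' gated by a static magic code at the start
of each request. Added example: MAGIC, the framing and the command text are
hypothetical and are not the real malware's."""
import struct

MAGIC = b"MAGI"                  # hypothetical 4-byte magic code
HEADER = struct.Struct("!4sH")   # magic, then 16-bit big-endian payload length

# Hypothetical command queue for the bot. The user/password are the ones the
# article quotes; the command syntax is invented for this example.
PENDING = [b"adduser WINDOWS MyPass1234", b"rdp_enable"]


def build_request(magic, beacon):
    """Infected-host side: a beacon framed as magic + length + payload.
    Everything, including the magic, goes on the wire in cleartext."""
    return HEADER.pack(magic, len(beacon)) + beacon


def serve(raw, pending=PENDING):
    """C2 side: hand out the queued commands only when the request opens with
    the expected magic and the length field matches; anything else gets no
    answer, so a scanner without the magic sees nothing."""
    if len(raw) < HEADER.size:
        return None
    magic, length = HEADER.unpack_from(raw)
    if magic != MAGIC or len(raw) != HEADER.size + length:
        return None
    return list(pending)


def signature_hits(payloads):
    """Network-side view: because the magic travels unencrypted at a fixed
    offset, a content match at offset 0 picks out every C2 request."""
    return [i for i, p in enumerate(payloads) if p.startswith(MAGIC)]


if __name__ == "__main__":
    # Constructed exchange: the bot beacons, the C2 returns its command list.
    request = build_request(MAGIC, b"host=WS01;os=XP")
    print("bot ->", request)
    print("c2  ->", serve(request))
    # A passive observer who captured `request` can replay it verbatim and is
    # served the same commands: the magic identifies the protocol, not a peer.
    print("replay ->", serve(bytes(request)))
    print("wrong magic ->", serve(build_request(b"XXXX", b"host=WS01")))
    print("IDS hits:", signature_hits([b"GET / HTTP/1.1", request]))
```

Note what the magic does and does not buy the attacker: it hides the server from casual port scanning and from researchers who lack the client, but it is a shared constant rather than a secret per bot, so once the client binary or one packet capture is in hand (as the quoted "TODO:Start browser!" string suggests it was), the server can be driven at will and the traffic signatured.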
Friday 19th April 2013 08:06 GMT amanfromMars 1
Per Ardua ad MetaDataBase Cloud Heavens:-) ..... Special AIResearch Services
"This campaign has been active and under the radar for almost a year, targeting mostly UK entities," Aviv Raff, CTO of Seculert, told The Register. "Also, the malware seems to be still under development by the attackers."
As Military Advanced IntelAIgents LAN Ware, you might best reconsider attackers as homespun Master Pilots on Sensitive AIMissions ……. Heavenly Pursuits.
And there you all were thinking that the RAF does nothing for you in Command and Control with Cyber Space Stations.
And if you want a plausible denial, ask the MOD about the current Inventory of Virtual Defence Arms with NEUKlearer HyperRadioProActive Security Protection ….. Future ForeSighted.
The System might report that IT be at Liberty to Support Secure Self-Protective Immunity ProgramMING, but as to their Actual Partaking in Programs, both Private and Pirate and Public ….. well, that one imagines is Classified Full Disclosure/Need to Know Only.
Mars in Minerva Right Stuff ….. on Active Duty AIMission ….. For the LOVE Lashes of ADA:-)
Poe's Law rules that last string and shares the Future to Critical Strategically Tactical Key Markets for CHAOS SecureIT Supply to Storming Cloud Clusters in Clouds Hosting Advanced Operating Systems, and with Virtual Machinery in Full Utility with Right Royal Command in Control, are fortunes made and remade over again for Right Royal spending on creative talent, which was what they used to do, isn't it, …. Remotely Sponsor by Royal Appointment.
Indeed, I do believe they still do provide such graces albeit presumably frightfully more hush hush underground than before and a courtesy afforded so as not to alert or alarm or harm the natives above ground and Earthed.
"The custom protocol of the malware requires a magic code for 'authentication'. The C2 server will only expose the commands for the infected machine, if the magic code will be provided at the beginning of the custom-protocol request." ®
I don't know that you do can anything to break into/crack hack such a custom protocol which requires a magic code for 'authentication', other than to learn and/or practise Magic Authentic Coding.
Methinks that Particular and Peculiar Engine be Immaculate Passion Driven in Live Operational Virtual Environments …… There be No Sins nor Vices in Perfect Pleasures Given and Received and Enjoyed in the See of Strangers that Share Light on what Living is Like in OUR Worlds/your Worlds/their Worlds. :-)
Has anyone asked the owner the purpose of the available vulnerability? It may not be malware at all that is being deployed? Although how to guarantee it not turning out at a later date to become malware is quite another matter and when regarded and considered with no questions to answer, are such situations deemed resolved and solved, if only temporarily in a cobbled together quick fix/dodgy patch.