By Nazar Tymoshyk, SoftServe
Today attackers are not being held back by anything, and malicious software is still a surprisingly common issue around the world. No wonder that more and more IT and business leaders are feeling so concerned about security these days.
How do you prevent security breaches? I've previously described six tips on how to ensure website security, but the starting point is awareness that the threat exists and is real. Understanding the danger is the first step to averting it.
Here are what I consider to be the top five malware threats to websites and mobile devices, ranked by how dangerous and widespread they are:
Backoff is a malware family that draws a bead on Windows-run point-of-sale (PoS) systems to steal customer credit card data such as names, mailing addresses, credit/debit card numbers, phone numbers and email addresses. Dairy Queen and the Supervalu supermarket chain are among retailers that suffered data breaches due to Backoff.
After copying itself to the infected machine, it calls on an API, WinExec., which replaces names with hashed values to hinder analysis process. Besides hashing the blacklist processes, the malware also collects the stolen card information locally on the system.
Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware and uninstalling the malware. Backoff breaches may affect your business reputation by storing consumers' information and using it for different scams such as counterfeit purchases and account data compromises.
The Dyreza trojan (Dyre) has been triggering much fuss in the security world since the last year. By neglecting SSL, this malware sets its sights on the users of specific business apps and has targeted a range of influential financial institutions, namely Bank of America, RBS, Citybank, Ulsterbank and Natwest. Thus, Dyreza aims to steal users' credentials for online banking and other financial sites.
Using a browser hooking technique which interrupts traffic flow between users' devices and the target website, Dyreza has "conquered" Google Chrome, Mozilla Firefox and Internet Explorer. As a rule, Dyreza arrives as a bank notification message with a zip file attached. After being opened, the malware installs itself on the machine under C:\\Windows\[RandomName].exe and then contacts a command-and-control server, appearing as a false Google Update every time you start your device. Now the Trojan is exploiting the recently disclosed CVE-2014-4114 vulnerability in Windows.
Among a variety of purposes the BlackEnergy malware family (with BlackEnergy and BlackEnergy Lite as the latest 2014 variants) was created for, its key functions include DDoS attacks, spam distribution and bank scams. Its manners of spreading include technical infection methods through exploitation of software vulnerabilities, as well as social engineering through spear-phishing emails and decoy documents (Microsoft Word or PowerPoint), or a combination of both.
Installation of the malware is accomplished through the exploit shellcode that drops two files to the temporary directory: the malicious payload named "WinWord.exe" and a decoy document named "Russian ambassadors to conquer world.doc." Then these files are opened due to the kernel32.WinExec function. The WinWord.exe payload serves to extract and execute the BlackEnergy Lite dropper. At the same time, another document is exploiting CVE-2014-1761.
The danger of this malware lies in network discovery and remote code execution for collecting data off the targets' hard drives. The document is also caught in the act of exploiting the CVE-2014-1761 vulnerability in Microsoft Word, and was spotted in other attacks, including MiniDuke.
A real "trick-or-treat" for your computer is Crowti, a family of ransomware that tries to encrypt the files on a user's PC or block a user's access to the computer and ask for payment to unlock it. The fraud-scheme is classic: Win32/Crowti makes you pay for restoring your PC. This malware knocks on users' doors in the form of spam email campaigns and exploits.
Moreover, this threat can be downloaded by other malware, such as TrojanDownloader:Win32/Onkods or TrojanDownloader:Win32/Upatre. The attachment is usually hosted in a zip archive that triggers malware action when opened. Win32/Crowti is also spread through exploit kits such as Nuclear, RIG, and RedKit V2 that may take advantage of Java and Flash vulnerabilities. Win32/Crowti can be also installed via other malware, such as Upatre, Zbot, and Zemot.
Last but definitely not least is mobile trojan Andr/BBridge-A, blamed for exposing users' personal data (in particular, subscriber's ID, IMEI, phone number, network country ISO, phone model, Android OS version and Sim Card info) on a specific server relying on HTTP to communicate with it.
The trojan may be distributed as an Android installation package with an enticing file name such as "anserverb_qqgame.apk." Dropping its payload (located in "assets/anServerB.so" in the original package) as com.sec.android.bridge.apk, the malware snaps a button asking users to install it. Andr/BBridge-A also sends, scans and removes text messages (SMS) from phones.
Conclusion: Know Your Enemy
With the rapid growth of information technologies and online data storage, maintaining security at the necessary level has become a real challenge. Staying alert is a large part of staying secure, so keep up with the new security challenges that arise and know your enemy to win the security battle.
Nazar Tymoshyk is a highly-regarded IT security and network infrastructure expert. In his role at SoftServe, Inc., Nazar specializes in many security disciplines including computer forensics, malware analysis, intrusion detection and mobile application security assessments. He holds a Ph.D. in information security from the State University, Lviv Polytechnics, is the chapter leader of the OWASP in Lviv, Ukraine, and is a regular contributor to the SoftServe United blog.