malware

Auto Added by WPeMatico

What CISOs need to learn from WannaCry

In 2017 — for the first time in over a decade — a computer worm ran rampage across the internet, threatening to disrupt businesses, industries, governments and national infrastructure across several continents.

The WannaCry ransomware attack became the biggest threat to the internet since the Mydoom worm in 2004. On May 12, 2017, the worm infected millions of computers, encrypting their files and holding them hostage to a bitcoin payment.

Train stations, government departments, and Fortune 500 companies were hit by the surprise attack. The U.K.’s National Health Service (NHS) was one of the biggest organizations hit, forcing doctors to turn patients away and emergency rooms to close.

Earlier this week we reported a deep-dive story into the 2017 cyberattack that’s never been told before.

British security researchers — Marcus Hutchins and Jamie Hankins — registered a domain name found in WannaCry’s code in order to track the infection. It took them three hours to realize they had inadvertently stopped the attack dead in its tracks. That domain became the now-infamous “kill switch” that instantly stopped the spread of the ransomware.

As long as the kill switch remains online, no computer infected with WannaCry would have its files encrypted.

But the attack was far from over.

In the days following, the researchers were attacked from an angry botnet operator pummeling the domain with junk traffic to try to knock it offline and two of their servers were seized by police in France thinking they were contributing to the spread of the ransomware.

Worse, their exhaustion and lack of sleep threatened to derail the operation. The kill switch was later moved to Cloudflare, which has the technical and infrastructure support to keep it alive.

Hankins described it as the “most stressful thing” he’s ever experienced. “The last thing you need is the idea of the entire NHS on fire,” he told TechCrunch.

Although the kill switch is in good hands, the internet is just one domain failure away from another massive WannaCry outbreak. Just last month two Cloudflare failures threatened to bring the kill switch domain offline. Thankfully, it stayed up without a hitch.

CISOs and CSOs take note: here’s what you need to know.

Powered by WPeMatico

How Marcin Kleczynski went from message boards to founding anti-malware startup Malwarebytes

Marcin Kleczynski is a shining example of the American dream.

A Polish-born immigrant turned naturalized citizen, Kleczynski grew up in the Chicago suburbs spending much of his time on computers and the early days of the world wide web. He couldn’t afford to buy computer games; instead, he downloaded them from the internet — and usually malware along with it. Frustrated that his computer’s anti-malware didn’t prevent the infection, he took to seeking help from security message boards to troubleshoot and remove the malware by hand.

That’s where Kleczynski thought he could do better, and so he founded Malwarebytes .

In early 2008, his company’s first anti-malware product was released. To no surprise, the very people on the message boards who helped Kleczynski recover his computer were the same championing his debut software. So much so that Kleczynski hired one of the people from the message board who helped him rid the malware from his computer as one of his first employees. Within months, Malwarebytes was turning over a couple of hundred thousand dollars, Kleczynski told TechCrunch.

By August came the question of whether he would run his company or go to university.

“After about a 15-second conversation with my mother, she quickly informed me that I would be attending university,” he said.

And so he did both.

Fast-forward to today, the company is a multi-million dollar anti-malware giant serving 150 million consumer customers and 50,000 paying small to medium-sized business and enterprise customers from its five offices — two in the U.S., as well as Estonia, Ireland and Singapore.

Powered by WPeMatico

Alphabet’s Chronicle launches an enterprise version of VirusTotal

VirusTotal, the virus- and malware-scanning service owned by Alphabet’s Chronicle, launched an enterprise-grade version of its service today.

VirusTotal Enterprise offers significantly faster and more customizable malware search, as well as a new feature called Private Graph, which allows enterprises to create their own private visualizations of their infrastructure and malware that affects their machines.

The Private Graph makes it easier for enterprises to create an inventory of their internal infrastructure and users to help security teams investigate incidents (and where they started). In the process of building this graph, VirtusTotal also looks are commonalities between different nodes to be able to detect changes that could signal potential issues.

The company stresses that these graphs are obviously kept private. That’s worth noting because VirusTotal already offered a similar tool for its premium users — the VirusTotal Graph. All of the information there, however, was public.

As for the faster and more advanced search tools, VirusTotal notes that its service benefits from Alphabet’s massive infrastructure and search expertise. This allows VirusTotal Enterprise to offer a 100x speed increase, as well as better search accuracy. Using the advanced search, the company notes, a security team could now extract the icon from a fake application, for example, and then return all malware samples that share the same file.

VirusTotal says that it plans to “continue to leverage the power of Google infrastructure” and expand this enterprise service over time.

Google acquired VirusTotal back in 2012. For the longest time, the service didn’t see too many changes, but earlier this year, Google’s parent company Alphabet moved VirusTotal under the Chronicle brand and the development pace seems to have picked up since.

Powered by WPeMatico

Some low-cost Android phones shipped with malware built in

Avast has found that many low-cost, non-Google-certifed Android phones shipped with a strain of malware built in that could send users to download apps they didn’t intend to access. The malware, called called Cosiloon, overlays advertisements over the operating system in order to promote apps or even trick users into downloading apps. Devices effected shipped from ZTE, Archos and myPhone.

The app consists of a dropper and a payload. “The dropper is a small application with no obfuscation, located on the /system partition of affected devices. The app is completely passive, only visible to the user in the list of system applications under ‘settings.’ We have seen the dropper with two different names, ‘CrashService’ and ‘ImeMess,’” wrote Avast. The dropper then connects with a website to grab the payloads that the hackers wish to install on the phone. “The XML manifest contains information about what to download, which services to start and contains a whitelist programmed to potentially exclude specific countries and devices from infection. However, we’ve never seen the country whitelist used, and just a few devices were whitelisted in early versions. Currently, no countries or devices are whitelisted. The entire Cosiloon URL is hardcoded in the APK.”

The dropper is part of the system’s firmware and is not easily removed.

To summarize:

The dropper can install application packages defined by the manifest downloaded via an unencrypted HTTP connection without the user’s consent or knowledge.
The dropper is preinstalled somewhere in the supply chain, by the manufacturer, OEM or carrier.
The user cannot remove the dropper, because it is a system application, part of the device’s firmware.

Avast can detect and remove the payloads and they recommend following these instructions to disable the dropper. If the dropper spots antivirus software on your phone it will actually stop notifications but it will still recommend downloads as you browse in your default browser, a gateway to grabbing more (and worse) malware. Engadget notes that this vector is similar to the Lenovo “Superfish” exploit that shipped thousands of computers with malware built in.

Powered by WPeMatico

Menlo Security secures $40 million Series C to keep malware at bay

 Menlo Security, a startup with a unique approach to protecting your company from malware and phishing attacks, announced a $40 million Series C round today. Menlo protects customers by never letting employees access an actual website or email containing malware. Instead, they isolate the original in a container, then display a clean mirror image in the browser, which has been stripped of any… Read More

Powered by WPeMatico

New malware masquerades as a ride-sharing app

 An update to the venerable Faketoken.q Android malware has made it easier for the program to steal your credit card information from ride-sharing apps. Faketoken attacks Russian ride-sharing apps by overlaying text boxes on the credit card information pages that can capture your credit number and other important information. Kaspersky writes: After getting onto a smartphone (judging by the… Read More

Powered by WPeMatico

Researchers simulate a ransomware attack on industrial controls

Aerial shot of wastewater treatment facility in Houston, Texas (Photo: Getty Images/Jupiterimages/Photolibrary) Researchers at the Georgia Institute of Technology have created a form of ransomware that can hit us where it really counts: the water supply. Their program installed itself in a model water plant and allowed the researchers to change chlorine levels, shut down water valves, and send false readings to monitoring systems.
“We are expecting ransomware to go one step farther, beyond the… Read More

Powered by WPeMatico

Beware the fake Pokémon Go apps

pokemon-1515415_1280-623x410 Earlier this month, the first Pokémon Go malware was spotted in the wild, but the app was not much of a threat to users as it never made it into the official Google Play store for download. The same cannot be said of a new group of dangerous applications targeting Pokémon Go users by promising cheats, tips, and other functionality. Despite their innocuous-sounding titles, the apps… Read More

Powered by WPeMatico

Cylance, fighting malicious hackers with AI, hits $1B valuation after raising $100M

cyber-security-data-sharing “If you can’t beat them, join them” may not sound like the most encouraging pitch for a cybersecurity company, but a startup called Cylance has created an artificial intelligence-powered brain that essentially does just that, and it has taken off — raising $100 million in a Series D round of funding and catapulting itself into the so-called ‘unicorn’ club… Read More

Powered by WPeMatico

The gaming industry can become the next big target of cybercrime

gamethief Video-game-related crime is almost as old as the industry itself. But while illegal copies and pirated versions of games were the previous dominant form of illicit activities, recent developments and trends in online gaming platforms have created new possibilities for cybercriminals to swindle huge amounts of money from an industry that is worth nearly $100 billion. And what’s worrisome… Read More

Powered by WPeMatico