Posts Tagged Malware

How Does Fileless Malware Work?

Fileless malware is defined as a type of malicious software that does not rely on virus-laden files to infect a host or victim. In contrast, it makes use of applications that are commonly used to perform legitimate and justified activity for executing malicious code in resident memory of the host. As the software doesn’t create any files, it doesn’t leave any footprints making it difficult to detect and remove.

Key Targets Of Fileless Malware:

The attackers who employ fileless malware tend to gather large amount of information in short span of time. So, they tend to focus the attack on a few key targets. Two systems that form common target are:

  • PowerShell
  • Windows Management Instrumentations

The reasons why attackers choose these systems are:

  • Security technologies trust these utilities
  • Analysts tend to assume that actions of these systems are legitimate
  • These utilities provide complete control over an endpoint
  • Most organizations refrain from shutting down these systems as it will hinder business It or DevOps work

Working Of Fileless Malware:

Following are few scenarios in which fileless malware can use a system’s software, applications and protocols to install and execute malicious activity:

  • Phishing emails, malicious downloads, and links that look legitimate are used as points of entry. Once a user clicks on these links, they load to system’s memory. This enables the hackers to remotely load codes to steal confidential data.
  • Malicious code can be injected into applications that are already installed on the system and trusted by the user. After injecting the code, these applications are hijacked and executed by hackers to carry out malicious activity.
  • Attackers create fake websites that mimic legitimate business pages. When user visits these pages, the websites search for vulnerabilities in Flash plugin. These vulnerabilities are exploited to run malicious code in the browser memory.

Fileless malware is written directly to RAM of the infected system and no changes are made on the hard disk. The malware works in memory and the operations end when the system reboots.

Defending Against Fileless Malware Attacks:

The effective way to defend against fileless malware attacks is to adopt an integrated approach that addresses the entire threat lifecycle. Employing a multi-layer defense protocol enables the user to investigate every phase before, during and after the attack.

For more information on fileless malware and tips on preventing cyber-attacks on computer networks, contact Centex Technologies at (254) 213 – 4740.

, , , ,

No Comments

What Is CryptoWall Ransomware?

A ransomware is a type of malware that encrypts user files on victim computer or network. The attacker then demands a ransom from the victim in exchange for the decryption key. CryptoWall is a family of such file-encrypting ransomware. It first appeared in early 2014 and has numerous variants including Cryptorbit, CryptoDefense, CryptoWall 2.0, and CryptoWall 3.0. The early variants used RSA public key for file encryption, however, the new versions use AES key for file encryption. The AES key is further encrypted using a public key. This makes it impossible to get the actual key needed to decrypt the files.

Mode Of Infection:

Traditionally, CryptoWall ransomware was distributed via exploit kits. But, now spam emails are also used to infect the victims. The spam email contains RAR attachment that includes a CHM file. When the victim opens the CHM file, it downloads ‘CryptoWall binary’ to the system and copies itself into the %temp% folder.

CHM file – Compiled HTML or CHM file is an interactive html file that is compressed inside a CHM container and may hold other files such as JavaScript, images, etc. inside it.

Execution:

  • The Cryptowall binary downloaded on the system is compressed or encoded. Useless instructions and anti-emulation tricks are deliberately inserted in the coding to break AV engine protection.
  • On execution, it launches a new instance of explorer.exe process.
  • In the next step, the ransomware injects its unpacked CrytoWall binary and executes the injected code.
  • The original process automatically exits itself after launching the injected explorer process.
  • The files are encrypted and the ransomware deletes the volume shadow files using ‘vssadmin.exe’ tool. This makes sure that the encrypted files may not be recovered.
  • The CryptoWall binary is copied to various locations such as %appdata%, %startup%, %rootdrive%, etc. The copies are added to the auto start key to help them stay persistent even after the infected system is rebooted.
  • A new svchost.exe process is launched with user privilege and malicious binary code is injected into it.
  • The ransomware connects to I2P proxies to find live command and control server.
  • The server replies with unique encryption key generated specifically for the target system. The key starts the file encryption thread and drops ransom notes in all directories.
  • Finally, it launches Internet Explorer to display ransom notes and the hollowed svchost process kills itself.

Protection:

  • Keep antivirus up-to-date
  • Back up the files
  • Apply windows update regularly
  • Avoid clicking random emails
  • Disable remote desktop connections
  • Block binaries running from %appdata% and %temp% paths

For more information on Cryptowall ransomware, contact Centex Technologies at (254) 213 – 4740.

 

, , , ,

No Comments

Data Protection From Malicious VPN Apps

Web users intend to use VPN services with an assumption that VPN keeps their web browsing and personal data safe. However, recent research has thrown light on some vulnerabilities found in common and popular VPN apps.

These vulnerabilities include:

  • Missing encryption of sensitive data.
  • Hard-coded cryptographic keys within the app; thus, even if the data is encrypted, hackers can decrypt it using these keys.
  • Some VPN apps have user privacy breaking bugs such as DNS leaks which expose user DNS queries to their ISPs.

These vulnerabilities of VPN apps allow hackers to intercept user communications including web browsing history, username, passwords, photos, videos, and messages. The privacy breaches include location tracking, access to device status information, use of the camera, microphone access and ability to send SMS secretly. Using these vulnerabilities, hackers can manipulate the users to connect to their malicious VPN servers.

In addition to these vulnerabilities, there are some other concerns associated with free VPN apps:

  • Some free VPN apps sell your bandwidth to paying customers allowing them to use your device’s processing power.
  • Malicious VPN apps incorporate ads that may include malware. These apps may also share the online activity of users to third party marketing professionals.

Some signs that your phone has been affected by malware are:

  • Phone becomes slow.
  • Higher loading time of app.
  • Battery drains faster than usual.
  • Large number of pop-up ads.
  • Unexplainable data usage.

As the number of data breaches is exceeding, it has become important to take necessary measures for safeguarding yourself against malicious VPN apps. Following are some measures that you should take:

  • Check if you have sufficient information about the app developer. Download the VPN apps provided by trusted app developers only.
  • Check the app reviews. You can also search for the app on the search engine to check if there is any controversial news about it.
  • Audit the apps on your phone to check if they were downloaded by you or not.
    Delete apps that you don’t use frequently.
  • Run a malware scan after downloading any app to ensure it is safe.

For more information on ways to protect your data from malicious VPN apps, contact Centex Technologies at (254) 213 – 4740.

, , , , ,

No Comments

Comprehensive Guide To Mobile Data Security

PDF Version: Comprehensive-Guide-To-Mobile-Data-Security

, , , ,

No Comments

Frequently Asked Questions About Malware Botnet

A Malware-Bot is a type of malware that exercises control over the infected machine once the infection spreads through the system. It acts according to the instructions given by the master i.e. malware writer. Following are some most commonly asked questions about Malware Botnet:

  • What Actions Does A Malware Bot Perform?

A Malware Bot can perform numerous tasks such as-

  • Spying & tracking
  • Sending spams, hosting command servers, working as proxies & performing other malicious activities
  • Accessing corporate resources & hijacking
  • Stealing confidential information, documents, credentials, etc.
  • Bitcoin mining
  • Web browsing
  • Do All Malware Bots Perform The Same Actions?

The bot can perform all the above mentioned actions, however there are two types of malware actions that the Malware Bot does not perform, not because it is incapable to do so but because they make little business sense. Following are the two malware actions:

  • Actions Which Impend The Machine: A Malware Bot cannot work in a damaged environment. When the software environment is damaged the machine is usually reinstalled, thus removing the bot. So, Malware Bot does not usually perform an action that would restrain it from running on the machine.
  • Actions That Reveal The Infection: A bot does not want a user to know about its presence on their machine, which is why it operates stealthily. Thus, it does not resort to activities such as modifying browser setting, popping up dialogue box, etc.
  • How Are Botnets Investigated?

When the malware is launched, it reaches the malware researchers sooner or later. They capture it through various channels such as malware spam, honeypots, phishing sites, product reports, etc. Once captured, the malware researchers analyze it in a controlled environment to receive the updates.

  • How Is A Botnet Controlled?

It is controlled by a computer or a group of computers running a command & control server (C&C server). The server communicates & sends instructions to the Malware Bot in the format understood by it. The server then performs numerous functions such as instructing the bots to schedule or execute a task, keeping track of number & distribution of bots as well as updating the bots by replacing them with a new type of malware.

  • Why Do Botnets Emerge?

The main reason why the malware writers develop, deploy & maintain a botnet is to tap on financial gains.

  • How To Prevent A Malware Botnet?

After understanding the working of a malware botnet, let us know how to prevent it:

  • Update your operating system regularly.
  • Avoid downloading from P2P & file sharing networks.
  • Don’t click on suspicious attachments & links.
  • Install a good antivirus software.
  • Follow good surfing habits.

For more information, call Centex Technologies at (254) 213-4740.

, ,

No Comments