Tag Archives: Malware

Meltdown/Spectre PoC samples

Catalin Cimpanu for Bleeping Computer: We May Soon See Malware Leveraging the Meltdown and Spectre Vulnerabilities

“All evidence suggests most of these detections are security researchers playing with the PoC code, but experts won’t rule out that some samples are from malware authors looking for ways to weaponize the PoC code for malicious actions.”

Fortinet says:

“FortiGuard Labs has analyzed all of the publicly available samples, representing about 83 percent of all the samples that have been collected, and determined that they were all based on proof of concept code.  The other 17 percent may have not been shared publicly because they were either under NDA or were unavailable for reasons unknown to us.”

AV-Test’s list of hashes

Helpnet Security commentary

David Harley

Ransomware resource page

My first engagement with and introduction to the malware problem was back in 1989. Surprisingly, that first encounter was not a virus, even though through the 80s viruses were the aspect of security that most people were aware of, and Trojans – or trojans, as some of my colleagues in the industry nowadays insist on spelling it – comprised at that time a very small proportion of the virus-dominated malware scene. However, the ‘AIDS Trojan’ was pretty big news at the time in the fledgling anti-virus industry, even though it targeted a fairly specialized sector of the medical research community.

In fact, I still have one of the disks sent out carrying the ‘AIDS Trojan’, sometimes cited as the first ransomware, at the end of the 1980s, retained for purely sentimental reasons.

However, the impact and scale of the ransomware problem seems to have increased dramatically in recent months, so I though perhaps it was time to set up a page somewhat along the lines of our tech support scams page. Unfortunately, it’s not as polished as I’d like, due to pressure to meet other commitments. But I figured this might be one of those ‘something is better than nothing’  moments. Not that there isn’t already good information out there, but I wanted to have some links and commentary in one place.

So here it is, warts and all.

Linux malware found in screensaver


http://linux.slashdot.org/article.pl?sid=09/12/09/2215253

I hate to say I told you so…actually, that’s not true. In this case, it was sadly obvious that it would happen, but the general attitude of the whole OS/Free Software crowd is still to claim the earth is flat when it comes to Malware.
Interested readers might like to Google my EICAR paper from 2002 called “The Emperor’s New Clothes: Linux and the myth of a virus free operating system”.

There I discussed that the very thing that makes the OSS model work is also its greatest weakness, there’s little control, little QA, and 99% of the time proletariat downloading a package won’t check it (nor would most be competent to), so it’s very easy to insert malware. It’s very likely there is a lot more malware out there lurking in small fringe packages such as the one mentioned in the OMGUbuntu article.
The fact is that with the rise ofthe netbook, Linux becomes a more desirable platform to attack, and at the moment, it’s way too easy. After all, who needs anti-malware software on Linux?

NOD32 beta test versions

As we all know, there is, never has been, and never could be any Mac or Linux malware. If it did, no Mac or Linux user would fall for it, and if they did it would be their own fault. Microsoft-loving antivirus companies are simply looking for excuses to line their pockets.

(Guys, this is called irony! )

There you go. Now I’ve said it for you, there’s no need to clutter this page and my mailbox with fanboi comments and hatemail.

However, in case you’re gullible enough to believe that ESET, like other security companies, really believes that Mac and Linux users sometimes need anti-malware protection, we have now public beta test versions of our scanner available for OS X and for Linux desktop.

http://beta.eset.com/linux
http://beta.eset.com/macosx 

Declaration of interest: yes, I do currently work for ESET. And I am that gullible.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/

 

Paedophilia and the Trojan (or SODDI) Defence

I just had a look at the tricky issue of the “Some Other Dude Did It” defence against conviction for downloading/possessing child pornography. Not an issue on which I want to expend two lengthy blog articles in one day, so I’ll just give you the pointer to the ESET blog.

http://www.eset.com/threat-center/blog/2009/11/26/paedophilia-and-the-trojan-defence
David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/

iPhone worm hits Jailbroken phones

By now the media machine has moved into action and all sorts of nonsense has been spouted about the creation of a worm that spreads on jailbroken iPhones, written by a guy called ‘ikee’. The facts are these,

  1. It ONLY affects jailbroken phones – if your iPhone is not jailbroken then you are not vulnerable
  2. It ONLY affects jailbroken phones that have OpenSSH installed (This involves you having consciously installed OpenSSH)
  3. If you have changed the default passwords for the ‘root‘ and ‘mobile‘ accounts subsequent to installation, you will not be vulnerable to this worm.

It’s tempting to say ‘I told you so’ on this one, as, I actually did state this fact 2 days before the worm was released. On a panel at the AVAR2009 Conference discussing vendor future strategy, someone brought up the idea that the iPhone will be a desirable platform for exploitation. This is true, but as I pointed out, the biggest risk is not so much to users who are using the default OS provided by Apple, because they are in a strictly controlled environment, with Apple as the benevolent dictator, as it is to those users who have jailbroken phones, at which point – you’re on your own.The whole thing does highlight the potential though, there’s no reason why any platform is automagically protected from malware, so it’s no real surprise to anyone that this sort of thing has happened. David Harley (among others) has written more on this subject here, and as always, it’s worth reading.

Andrew Lee CISSP
AVIEN CEO