Category Archives: Windows

Skype vulnerability makes hijack child’s play.

A serious vulnerability in Skype has come to light. This vulnerability allowed you to take over the Skype account of any other user, armed only with knowledge of their e-mail address.

Proof of concept for the issue was posted in a Russian forum about three months ago and the original poster posted again on a different site just yesterday that the vulnerability was still not fixed. The author also notes that abuse of the vulnerability has been widespread, affecting many users from his own contact list.

Windows 8 Security overview


 
Microsoft has taken some important steps forward in providing security for the Windows 8 environment. If we consider the key areas of data security, anti-malware and user authentication, there are several very welcome additions to the user experience.

Trusted Platform Module (TPM) and Self-Encrypting Drives (SED) are now both natively supported under Windows 8, which should help push user and manufacturer adoption. The TPM provides an important hardware-based means to establish a degree of certainty over system integrity and to securely manage encryption keys outside of the Operating System, and the use of SEDs offloads much of the hard work of encrypting and decrypting data to hardware, where it can be accomplished more effectively and more speedily.

In conjunction with the TPM, the new Unified Extensible Firmware Interface (UEFI) means that, while a PC is being booted, only authorised code with a valid signature can be executed through the firmware and Operating System startup procedure. This is designed to effectively limit the possibility that malicious software is loaded before the Operating System, bypassing or even disabling key security functionality and hiding its presence entirely (bootkits, for example, or rootkits). In addition to this, Early Launch Anti-Malware (ELAM) ensures that the first software driver to be loaded by Windows 8 is the driver of your chosen security provider, again in an effort to stop malware from overriding this protection.

The SmartScreen technology that you are used to seeing in Internet Explorer has now been extended across the entire Operating System, so now even if you are using something other than a browser to access Internet resources and downloads, you will still be offered some level of filtering for potentially malicious downloads. Let’s hope this one isn’t as “noisy” as User Access Control (UAC) has been, encouraging more of that “next, next, next” culture.

When it comes to authenticating users, Microsoft have added some functionality obviously designed for the touchscreen devices they are anticipating. Picture- or PIN-based logins can be used, once a user password has been set, as a shortcut to logging in. While this feature may be convenient, research during beta testing demonstrated that an attacker with local admin privileges could access and decrypt the passwords of accounts using this feature.

There are several other features, such as Dynamic Access Control, that really build out the enterprise security capabilities of Windows 8 too. I don’t have the space to detail all of them here, but it’s great to see Microsoft continuing to take security seriously and allowing specialist security providers to integrate more deeply with the Operating System.

Microsoft Windows 8 is more secure “out-of-the-box” than it has ever been, but remember that the integrated anti-malware provides only baseline security, not the fully featured security of a dedicated specialist.
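As an added example, not code from the post, the following PowerShell script inventories the protections discussed above on a running Windows 8 (or later) machine: TPM state, Secure Boot, the ELAM boot-start driver policy, the SmartScreen setting, BitLocker status and whether picture-password sign-in has been switched off by policy. It assumes the TrustedPlatformModule, SecureBoot and BitLocker modules that ship with Windows 8 and the registry locations written by the corresponding Group Policy settings; run it from an elevated prompt.

```powershell
# Added example (not from the post): read-only inventory of the Windows 8
# protections described above. Assumes Windows 8 or later, an elevated prompt,
# and the TrustedPlatformModule / SecureBoot / BitLocker modules that ship
# with the OS. Registry paths are the ones written by the matching Group
# Policy settings.

$report = [ordered]@{}

# TPM: present and ready for use (key storage and measured boot depend on it)
try {
    $tpm = Get-Tpm
    $report['TPM present'] = $tpm.TpmPresent
    $report['TPM ready']   = $tpm.TpmReady
} catch {
    $report['TPM present'] = 'unknown (Get-Tpm failed)'
}

# UEFI Secure Boot: only signed boot components may execute.
# Confirm-SecureBootUEFI throws on legacy BIOS machines, where it cannot apply.
try {
    $report['Secure Boot enabled'] = Confirm-SecureBootUEFI
} catch {
    $report['Secure Boot enabled'] = 'not applicable (legacy BIOS or no UEFI)'
}

# ELAM: boot-start driver load policy ("Boot-Start Driver Initialization Policy").
# 0 = good only, 1 = good and unknown, 3 = good, unknown and bad-but-critical
# (the default), 7 = all drivers. Absent value means the default applies.
$elam = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\EarlyLaunch' `
                         -Name DriverLoadPolicy -ErrorAction SilentlyContinue
$report['ELAM driver load policy'] = if ($elam) { $elam.DriverLoadPolicy } else { 'default (3)' }

# SmartScreen for the whole OS: RequireAdmin (default), Prompt or Off
$ss = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' `
                       -Name SmartScreenEnabled -ErrorAction SilentlyContinue
$report['SmartScreen'] = if ($ss) { $ss.SmartScreenEnabled } else { 'not set' }

# Picture password: the "Turn off picture password sign-in" policy writes
# BlockDomainPicturePassword = 1 for domain accounts. Absent means allowed.
$pp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
                       -Name BlockDomainPicturePassword -ErrorAction SilentlyContinue
$report['Picture password blocked by policy'] = [bool]($pp -and $pp.BlockDomainPicturePassword -eq 1)

# Data at rest: BitLocker state per volume (EncryptionMethod shows whether the
# drive itself is doing the work, which is what an SED setup would use)
$volumes = Get-BitLockerVolume -ErrorAction SilentlyContinue |
           Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod
$report['BitLocker volumes'] = if ($volumes) { ($volumes | Format-Table -AutoSize | Out-String).Trim() } else { 'none / module unavailable' }

[PSCustomObject]$report | Format-List
```

Anything reporting 'not set', 'default' or $false here is a prompt to check the matching Group Policy rather than a fault in itself; the script changes nothing.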
 

Skype worm spreading fast

Ransom by redtype

It’s Monday morning and the bleary-eyed start of a new week. Criminals are taking advantage of our post-weekend lassitude by starting a Skype based campaign aimed at spreading malicious software.
 
Many users have reported receiving messages from friends in their Skype contact lists. So far, socially-engineered messages have been seen in both English and (Bavarian accented (seems my German accent recognition is way off; “Moin” is north German, thanks guys)) German, saying either:

“lol is this your new profile pic? h__p://goo.gl/{BLOCKED}5q1sx?img=username”

or

“moin, kaum zu glauben was für schöne fotos von dir auf deinem profil h__p://goo.gl/{BLOCKED}5q1sx?img=username”

(roughly: “hi, hard to believe what lovely photos of you are on your profile”)

Regardless of the language used, the link is the same, although of course this can easily be modified. The shortened URL eventually redirects to a download on hotfile.com, which pulls down an archive named “Skype_todaysdate.zip” containing a single executable file of the same name. We detect this initial downloader as TROJ_DLOADER.IF.

The executable installs a variant of the Dorkbot worm, detected as WORM_DORKBOT.IF or WORM_DORKBOT.DN respectively. On installation, this worm may initiate large-scale click-fraud activity on each compromised machine, recruiting it into a botnet.

These Dorkbot variants will also steal user name and password credentials for a vast array of websites, including Facebook, Twitter, Google, PayPal, Netflix and many others. They can interfere with DNS resolution, insert iFrames into web pages, perform three different kinds of DDoS attack, act as a proxy server, and download and install further malware at the botmaster’s instigation. This is only some of the functionality of this pernicious worm; in the 24 hours since discovery, Trend Micro have blocked more than 2800 associated files.

Some infections will subsequently install a ransomware variant, locking the user out of their machine and informing them that their files have been encrypted and will be deleted unless the unfortunate victim surrenders a $200 fine within 48 hours.

This malware is still under investigation and TrendLabs have posted initial findings here. Until then, please remember not to click on unexpected links, no matter how bleary-eyed you may be.
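As an added example (not Trend Micro’s detection logic, and not code from the post), here is a small Python classifier that applies the indicators described above to chat messages and dropped file names: a URL-shortener host, an `img=` query parameter, the English or German lure phrasing, and the `Skype_<date>.zip`/`.exe` naming. The sample messages are constructed, the shortened-URL path is a placeholder rather than the real one, the shortener hosts other than goo.gl and the date format in the file name are assumptions, and the defanged `h__p://` scheme is re-fanged before parsing so quoted indicators can be fed in as written.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the lure described in the post: a goo.gl shortened
# link, an "img=<username>" query string and a "look at your photos" hook in
# English or German. Hosts other than goo.gl are assumed common shorteners.
SHORTENER_HOSTS = {"goo.gl", "bit.ly", "tinyurl.com", "t.co"}
LURE_PHRASES = ("profile pic", "fotos von dir", "auf deinem profil")

# Defanged schemes (h__p:// as written in the post, or hxxp://) are restored
# so quoted indicators can be parsed without editing them by hand.
DEFANG_RE = re.compile(r"\bh(?:__|xx)p(s?)://", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>\u201c\u201d]+", re.IGNORECASE)

# The post names the archive "Skype_todaysdate.zip" with an .exe of the same
# name inside; the digits-and-separators date format is an assumption.
DROPPER_NAME_RE = re.compile(r"^Skype_[\d.\-]+\.(?:zip|exe)$", re.IGNORECASE)


@dataclass
class Verdict:
    """Score plus the list of indicators that fired for one message."""
    score: int = 0
    indicators: List[str] = field(default_factory=list)

    def add(self, weight: int, name: str) -> None:
        self.score += weight
        self.indicators.append(name)

    @property
    def suspicious(self) -> bool:
        # A shortener alone (weight 1) is not enough; shortener or lure phrase
        # combined with the img= parameter (weight 2) crosses the line.
        return self.score >= 3


def refang(text: str) -> str:
    """Turn h__p:// and hxxp:// back into http:// (https kept if present)."""
    return DEFANG_RE.sub(lambda m: "http" + m.group(1) + "://", text)


def classify_message(text: str) -> Verdict:
    """Score one chat message against the lure indicators."""
    verdict = Verdict()
    body = refang(text)
    for url in URL_RE.findall(body):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host in SHORTENER_HOSTS:
            verdict.add(1, f"shortener:{host}")
        if "img" in parse_qs(parts.query):
            verdict.add(2, "img-parameter")
    lowered = body.lower()
    for phrase in LURE_PHRASES:
        if phrase in lowered:
            verdict.add(1, f"lure:{phrase}")
            break
    return verdict


def is_dropper_name(filename: str) -> bool:
    """True when a file name matches the Skype_<date>.zip / .exe pattern."""
    return DROPPER_NAME_RE.match(filename) is not None


def scan(messages: Iterable[str]) -> List[Tuple[str, Verdict]]:
    return [(m, classify_message(m)) for m in messages]


# Constructed sample traffic modelled on the two lures quoted in the post plus
# one benign message; "EXAMPLE01" stands in for the real shortened path.
SAMPLE_MESSAGES = [
    "lol is this your new profile pic? h__p://goo.gl/EXAMPLE01?img=username",
    "moin, kaum zu glauben was für schöne fotos von dir auf deinem profil "
    "h__p://goo.gl/EXAMPLE01?img=username",
    "see you at 10 tomorrow, agenda is at https://intranet.example.com/meetings/42",
]
# Constructed file names; the date value is made up for the example.
SAMPLE_FILENAMES = ["Skype_08102012.zip", "Skype_08102012.exe", "Skype.exe", "holiday.zip"]

if __name__ == "__main__":
    for message, verdict in scan(SAMPLE_MESSAGES):
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{flag:10} score={verdict.score} {verdict.indicators} :: {message[:60]}")
    for name in SAMPLE_FILENAMES:
        print(f"{'DROPPER' if is_dropper_name(name) else 'ok':10} {name}")
```

The weights are deliberately coarse: the `img=` parameter carries most of the signal because it is the part of the lure that survives a change of wording or shortener, which the post notes can easily happen.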