

CryptoLocker success leads to more malware

NEWS/CALENDAR

Network Security, January 2014, page 20

EVENTS CALENDAR

4–6 February 2014
Smart Surveillance
Perth, Australia
http://fp7.ecu-sri.org/

12–15 February 2014
NullCon
Goa, India
http://nullcon.net/website/

24–28 February 2014
RSA Conference 2014
San Francisco, US
www.rsaconference.com

26–28 February 2014
Engineering Secure Software and Systems
Munich, Germany
https://distrinet.cs.kuleuven.be/events/essos/2014/

17–21 March 2014
Troopers
Heidelberg, Germany
www.troopers.de

24–25 March 2014
International Conference on Cyber Warfare and Security (ICCWS)
West Lafayette, Indiana, USA
http://academic-conferences.org/iciw/iciw-home.htm

25–28 March 2014
Black Hat Asia
Singapore
www.blackhat.com

1–3 April 2014
13th European Security Conference & Exhibition
The Hague, Netherlands
http://bit.ly/18uLlPn

7–9 April 2014
InfoSec World Conference & Expo
Orlando, Florida, US
http://bit.ly/infosecworld

...Continued from page 19

However, David McGrew, the other co-chair of the CFRG, said that Igoe was not in a position to directly influence the adoption of standards – at least, no more than any other member of the group.

Yahoo ads spread malware

Thousands of users of Yahoo.com have had their PCs infected by malicious iframes embedded in advertisements. Nearly a quarter of the infections were in the UK.

The iframes, buried in ads served by third-party ad networks, redirected visitors to a site hosting a drive-by download attack built with the Magnitude exploit kit. The site used the IP address 193.169.245.78, hosted in the Netherlands.

Victim PCs were infected with a range of malware, including the Zeus banking trojan, Dorkbot and a click-fraud trojan. Israeli firm Light Cyber said it also saw evidence of bitcoin-mining malware, and Cisco said this campaign was one of several run by the same group. The ads targeted European users, with 24% of victims in Romania, 23% in the UK and 20% in France.

Security firm Fox-IT believes the campaign may have caused as many as 27,000 infections an hour, and that the attacks may have run for at least a week. Yahoo subsequently removed the malicious ads.
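The iframes described above are the crude end of malvertising: a frame the reader never sees, pointing somewhere the ad network does not control. The following is an added example (not code from the article, Yahoo, or any of the firms named) of a static check an ad-quality or incident-response team can run over creative markup before it is served or after a complaint: it parses the HTML and flags iframes that are hidden or near-invisible, that point to a host outside an allow-list, or whose src is a bare IP literal. The ad markup, the allow-listed hostnames and the 203.0.113.5 address (RFC 5737 documentation range) are constructed for the demonstration. Exploit-kit frames are often injected by script at runtime, so a static scan is a first filter, not a substitute for rendering the creative in an instrumented browser.

```python
"""Flag hidden or off-domain iframes in ad creative markup.

Added example; the sample markup and allow-listed hosts are constructed.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the ad network legitimately serves creatives from (assumed for the example).
TRUSTED_HOSTS = {"ads.example-network.com", "cdn.example-network.com"}


def _px(value):
    """Parse '1', '1px' or ' 300 ' into a pixel count; None if not a plain size."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value)
    return int(m.group(1)) if m else None


def _style_props(style):
    """Split an inline style attribute into a {property: value} dict."""
    props = {}
    for decl in (style or "").lower().split(";"):
        if ":" in decl:
            name, value = decl.split(":", 1)
            props[name.strip()] = value.strip()
    return props


def _dimension(attrs, style, name):
    """Width/height from the HTML attribute, falling back to the inline style."""
    value = _px(attrs.get(name))
    return value if value is not None else _px(style.get(name))


class IframeAuditor(HTMLParser):
    """Collects (src, reasons) for every iframe that looks like a buried redirect."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attrs = dict(attrs)
        style = _style_props(attrs.get("style"))
        reasons = []

        width = _dimension(attrs, style, "width")
        height = _dimension(attrs, style, "height")
        if width is not None and height is not None and width <= 1 and height <= 1:
            reasons.append("1x1 or zero-size frame")
        if (style.get("display") == "none" or style.get("visibility") == "hidden"
                or style.get("opacity") in ("0", "0.0")):
            reasons.append("hidden by CSS")

        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        try:
            ipaddress.ip_address(host)
            reasons.append("src is a bare IP address")
        except ValueError:
            pass  # a hostname, not an IP literal
        if host and host not in TRUSTED_HOSTS:
            reasons.append(f"src host {host!r} is not an allow-listed ad host")

        if reasons:
            self.findings.append((src, reasons))


def audit(markup):
    """Return [(src, [reason, ...]), ...] for suspicious iframes in the markup."""
    auditor = IframeAuditor()
    auditor.feed(markup)
    return auditor.findings


# Constructed creative: one legitimate measurement frame and two buried redirects.
SAMPLE_AD = """
<div class="ad-slot">
  <a href="https://ads.example-network.com/click?id=42">
    <img src="https://cdn.example-network.com/creative.png" width="300" height="250">
  </a>
  <iframe src="https://cdn.example-network.com/measure.html" width="300" height="250"></iframe>
  <iframe src="http://203.0.113.5/landing.php" width="1" height="1" style="display:none"></iframe>
  <iframe src="http://ad-stats-tracking.example/a.html" style="position:absolute;width:0px;height:0px"></iframe>
</div>
"""

if __name__ == "__main__":
    for src, reasons in audit(SAMPLE_AD):
        print(src)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the trusted 300x250 frame passes and the other two are reported, the bare-IP one with all four reasons. In a production check the allow-list would come from the ad network's own serving domains and the output would feed the block decision, not a print.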

Yahoo later announced that it is turning on SSL/TLS encryption by default for its Yahoo Mail service. However, the firm has still come in for criticism – and not just for being slow to implement a feature that others, such as Google and Microsoft, have had enabled for some time.


Unlike some companies – Google again, plus Facebook and Twitter – Yahoo has not enabled Perfect Forward Secrecy (PFS). With PFS, each connection derives its session key from a fresh, short-lived key pair rather than from the server's long-term private key, so that should the long-term key be obtained at a later date (by hackers or a government agency), it would not allow an attacker to decrypt earlier sessions that had been intercepted and stored. The companies that have implemented PFS have generally done so with Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) cipher suites, which generate a one-time key pair for every connection and use the server's certificate key only to sign it.

“The fact that Yahoo! is ignoring the current wisdom on Perfect Forward Secrecy, which solves the retrospective decryption problem, is worrisome,” said Tod Beardsley, engineering manager for Metasploit at Rapid7. “I can’t think of a legitimate reason to prefer this weaker encryption strategy.”
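The retrospective decryption problem Beardsley refers to is easy to show end to end. The example below is added here and is not code from the article or from Yahoo: it runs the same recorded-session-then-key-theft scenario twice over one Diffie-Hellman group. In the static variant the server's long-term private key is the key-agreement key, so whoever obtains it later can re-derive every recorded session key; in the ephemeral (DHE) variant the server makes a one-time key pair per connection and discards it, so the leaked long-term key recovers nothing. Finite-field DH over the RFC 3526 2048-bit MODP group is used instead of the elliptic-curve ECDHE the article mentions so the example needs only the standard library; the forward-secrecy property is the same. The seal/unseal pair is an HMAC-authenticated stream cipher standing in for the TLS record layer, and the server's signature over its ephemeral share is omitted because it plays no part in confidentiality.

```python
"""Static DH vs ephemeral DH under later compromise of the server's long-term key.

Added example; DH group from RFC 3526 (group 14), record protection is a
stand-in construction, not TLS.
"""
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit MODP prime, generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2


def keygen():
    """Random DH key pair; a 256-bit private exponent is ample for a 2048-bit group."""
    priv = secrets.randbelow(1 << 256) | (1 << 255)
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Hash the DH shared secret down to a 32-byte session key."""
    z = pow(peer_pub, priv, P)
    return hashlib.sha256(z.to_bytes(256, "big")).digest()


def _keystream(key, n):
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def seal(key, plaintext):
    """Encrypt-then-MAC with keys split from the session key (one record per key)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Return the plaintext, or None if the key does not authenticate the record."""
    ct, tag = blob[:-32], blob[-32:]
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, len(ct))))


def static_dh_session(server_long_term, plaintext):
    """No forward secrecy: the server's long-term key is the key-agreement key.
    Returns exactly what a passive eavesdropper can record."""
    server_priv, server_pub = server_long_term
    client_priv, client_pub = keygen()
    key = shared_key(client_priv, server_pub)
    assert key == shared_key(server_priv, client_pub)  # both ends agree
    return {"client_pub": client_pub, "server_pub": server_pub, "record": seal(key, plaintext)}


def ephemeral_dh_session(server_long_term, plaintext):
    """DHE: a one-time server key pair, discarded when the connection ends.
    (TLS would sign eph_pub with the certificate key; omitted, it adds no secrecy.)"""
    _server_priv, server_pub = server_long_term
    eph_priv, eph_pub = keygen()
    client_priv, client_pub = keygen()
    key = shared_key(client_priv, eph_pub)
    assert key == shared_key(eph_priv, client_pub)
    del eph_priv  # nothing is kept that could be stolen later
    return {"client_pub": client_pub, "server_pub": server_pub,
            "server_eph_pub": eph_pub, "record": seal(key, plaintext)}


def retrospective_decrypt(transcript, leaked_server_priv):
    """The attacker, holding the long-term private key obtained later, tries it
    against a recording. Plaintext on success, None if the key does not fit."""
    key = shared_key(leaked_server_priv, transcript["client_pub"])
    return unseal(key, transcript["record"])


def demo(message=b"password reset token 7f3a"):
    """Run both scenarios against one long-term key; returns the two attack results."""
    long_term = keygen()
    return (retrospective_decrypt(static_dh_session(long_term, message), long_term[0]),
            retrospective_decrypt(ephemeral_dh_session(long_term, message), long_term[0]))


if __name__ == "__main__":
    static_result, ephemeral_result = demo()
    print("static DH, key leaked later   :", static_result)
    print("ephemeral DH, key leaked later:", ephemeral_result)
```

The static run hands the attacker the plaintext; the ephemeral run returns None because the only private value that could reproduce the session key was thrown away at connection close. Holding the long-term key still lets an attacker impersonate the server in future connections, which is why key compromise must be followed by re-keying even on a PFS deployment; it just buys nothing against traffic recorded before the theft.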

CryptoLocker success leads to more malware

The CryptoLocker ransomware has proven to be hugely successful, and has recently evolved in order to snare even more victims, according to researchers. And it may soon have a successor.

The malware encrypts data on infected machines and demands a ransom from their users before they can get their files back. The ransom is paid in bitcoins. Analysis by Dell SecureWorks suggests that, in the first 100 days of its life, CryptoLocker achieved up to 250,000 infections. This could have netted the cyber-criminals at least $380,000, although the real figure could be in the millions.

Until now, the malware has been a standard trojan – to be infected you had to open a file attached to an email or visit a malicious web page. But now, according to researchers at Trend Micro, it has evolved into a worm, capable of spreading via USB-connected devices such as hard drives and memory sticks. On the plus side, the worm variant has its command and control servers hard-coded into it, making it easier to block.

Recently, postings on underground forums suggest that a derivative of CryptoLocker – dubbed PrisonLocker – may be in the offing. At the moment, however, it seems to be little more than a work in progress.