Malware siphons data on new rocket from Japanese space agency

Solid-fuel rocket is intended for launching satellites and space probes.

Information on one of Japan's newest rockets was stolen from a desktop computer that was infected with malware, according to a published report that cited officials from the country's space agency.

The computer, located in the Japan Aerospace Exploration Agency's Tsukuba Space Center northeast of Tokyo, was found to be collecting data and transmitting it to computers outside the agency, according to a story published Friday morning by the New York Times. The computer was disinfected after malware was found on it on November 21, and an investigation failed to find any other infected machines.

Some of the data siphoned out of the computer involved Epsilon, a solid-fuel rocket still under development, according to the post. It is ostensibly intended to launch satellites and space probes, although solid-fuel rockets of its size can also be used militarily as intercontinental ballistic missiles. Epsilon can also be controlled remotely from a personal computer. Its first launch is scheduled for about a year from now.

Ransomware: The Couch-Potato Vs The Backpacker

Comparing variants of the same malware family can sometimes uncover interesting results. Trojan.Ransomlock, the highly profitable and prevalent malware, is one of those cases. This threat was originally spotted in Russia in 2009 but since then has been highly active in the wider world, particularly in the past few months.

An in-depth analysis of this month's AV detection stats for the Trojan.Ransomlock family of threats reveals two top variants: Trojan.Ransomlock.T and Trojan.Ransomlock.G.

Figure 1. Trojan.Ransomlock AV detections for the past 30 and 7 day periods

As can be seen in Figure 1, in the past 30 days Ransomlock.T has been the most active variant with Ransomlock.G following closely behind. Looking at the stats for the past seven days, we can see that Ransomlock.G has overtaken Ransomlock.T to take the number one spot. Why is this?

Let’s take a look at the following heat maps illustrating the locations where the variants have been detected in the past seven days.

Figure 2. Detections for Trojan.Ransomlock.T in the past seven days

Figure 3. Detections for Trojan.Ransomlock.G in the past seven days

We can clearly see from Figures 2 and 3 that while Ransomlock.T has decided to remain predominantly in North America, like the proverbial couch-potato, Ransomlock.G has become an international backpacker making its way across the globe. While Ransomlock.T originated in Germany, we can now safely say that it has migrated to North America. We confirmed this by looking at detection stats for the past few months.

In the case of Ransomlock.G, the animation below illustrates just how international it has become.

Figure 4. Detections for Ransomlock.G from February to November 2012

So, why the difference? A malware family's activity mostly depends on the infection vectors and social engineering methods it uses. Both variants are mainly delivered by exploit kits and use well-crafted scams, but Ransomlock.G (also known as Reveton) seems to be doing better than other variants. It uses the latest exploit kits and quickly adopts new social engineering methods, such as the use of audio. The malware authors invest a great deal of time and resources planning the best way to spread their creation, as discussed by Gavin O’Gorman in his research paper – Ransomware: A Growing Menace.

The fraudsters responsible for Trojan.Ransomlock.G use adult advertising networks to distribute ads on pornographic websites that lead back to their exploit pack websites. Considerable investment is made in their infrastructure, with the attackers moving exploit pack websites to new addresses regularly. The amount of advertising is also substantial, with at least 500,000 people clicking on their malicious ads over a period of 18 days.

Kafeine also confirms the geographical spread of the Reveton ransomware and discusses its latest technical enhancement, the use of audio.

We have the following protections in place for the latest versions of Trojan.Ransomlock.T and Trojan.Ransomlock.G:

Antivirus:
Trojan.Ransomlock.T

Trojan.Ransomlock.G
Trojan.Ransomlock.G!g1
Trojan.Ransomlock!g13
Trojan.Ransomlock!g14
Trojan.Ransomlock!g17
Trojan.Ransomlock!g22
Trojan.Ransomlock!g26

Intrusion Prevention System: 
System Infected: Trojan.Ransomlock.T
System Infected: Trojan.Ransomlock.T 2
System Infected: Trojan.Ransomlock.G 2

Web Attack: Trojan.Ransomlock.G Download

If you are affected by any ransomware scam—do not pay the ransom. Instead, follow our removal steps and watch our video for additional help.

Bank Agrees to Reimburse Hacking Victim $300K in Precedent-Setting Case

In a case watched closely by banks and their commercial customers, a financial institution in Maine has agreed to reimburse a construction company $345,000 that was lost to hackers after a court ruled that the bank’s security practices were “commercial…

Crisis: The Advanced Malware

Over the past few months, we have blogged several times about OSX.Crisis and W32.Crisis. The Crisis malware is a highly advanced malware that has multiple infection vectors and a variety of information-stealing functions.

Figure 1. The Crisis infection routine

It targets Windows and Mac operating systems as well as devices running Windows Mobile. It can also sneak onto virtual machines if the compromised computer has a specific VMware virtual machine image installed on it, and we believe that this is the first malware that can perform host-to-guest virtual machine infections.

Some security product vendors and researchers believe that a group in Italy constructed the Crisis malware as a product to sell to law enforcement agencies. In fact, several of the functions of the Crisis malware, such as recording sounds and stealing address book information, are suitable for private investigations or espionage.

Figure 2. Crisis information-stealing functionality

This information, and much more, is detailed in a white paper I have written called Crisis: The Advanced Malware.