Researchers for Trustwave’s SpiderLabs have turned the flood lights on malware disguised as a module for Microsoft’s Internet Information Services (IIS) software.

According to Trustwave, the malware is manually installed by attackers after they have compromised a web server. Known as ISN, the malware is used by attackers to target sensitive information in POST requests, and has data exfiltration capabilities in its arsenal, blogged Trustwave’s Josh Grunzweig.

“Encryption is circumvented as the malware extracts this data from IIS itself,” he blogged. “This was seen targeting credit card data on e-commerce sites, however, it could also be used to steal logins, or any other sensitive information sent to a compromised IIS instance.”

The installer has four embedded DLLs that are dropped depending on the victim, the researcher continued. Specifically, there are IIS modules for IIS 32-bit; IIS 64-bit; IIS 7+ 32-bit and IIS7+ 64-bit. The malware also has a VBS file embedded as a PE resource that is used to install or remove the DLLs as an IIS module.

“Once the module is successfully installed, it will monitor the URIs specified in the configuration file and dump any POST requests encountered to the ‘[filename].log’ file,” according to Grunzweig. “The module will also monitor the QUERY_STRING parameter, and can accept a number of commands. I’ve setup a simple IIS instance to demonstrate how this process takes place.”

“Overall, this malware does not appear to be widely spread and has only been seen in a few forensic case instances,” Grunzwieg noted. “However, the extremely low detection rate in collaboration with the malware’s targeted functionality makes this a very real threat.”

Tags:

• NEWS & INDUSTRY
• Virus & Malware

FireEye, the recently-gone-public provider of threat protection solutions, has made its flagship threat prevention platform available for small and midsize businesses (SMBs).

The platform, dubbed “Oculus” by FireEye, is a real time, continuous threat protection platform that helps organizations protect intellectual property and data. Oculus for SMB combines technology, services, and threat expertise in a solution specially tailored to small and midsized businesses, the company said.

According to Verizon’s 2013 Data Breach Investigations Report, of the 621 confirmed data breaches examined, nearly half occurred at companies with fewer than 1,000 employees, including 193 incidents at organizations with fewer than 100 workers. These stats clearly show that attackers are targeting smaller businesses that often lack advanced IT security protections that larger enterprises tend to have in place.

According to the U.S. Small Business Administration, SMBs represent 99 percent of U.S. businesses, and according to research firm IDC, SMB spending on security technology is predicted to top $ 5.6 billion in 2015.

Oculus for SMB leverages FireEye’s advanced threat prevention platforms for Web, email, and mobile, and includes:

• Web threat protection: With the FireEye NX series platform, SMBs can stop Web-based attacks often missed by next-generation firewalls (NGFW), IPS, AV, and Web gateways. The NX series protects against zero-day Web exploits and multi-protocol callbacks to keep sensitive data and systems safe.

• Email threat protection: SMBs can leverage cloud-based or the on-premise EX series platform to protect against today’s advanced email attacks.

• Mobile threat protection: SMBs can leverage a cloud-based platform to address threats targeting mobile devices and help ensure that mobile apps are safe to use.

Oculus for SMB also provides Continuous Monitoring to help ensure that constrained security resources do not hinder an organization’s ability to counter targeted threats. Capabilities include:

• Continuous Monitoring: FireEye threat intelligence augments customer IT teams to proactively recognize advanced persistent threat (APT) attacks.

• Cybercon Reports: Vertical-specific threat information provides a view of the landscape so SMBs are better prepared to manage risk in their specific threat environment.

• Health Check: Alerts notify customers when their deployments fail remote health checks to ensure uninterrupted protection against advanced threats.

“FireEye is putting virtual machine technology into the hands of SMBs,” said Manish Gupta, FireEye senior vice president of products. “With the FireEye solution, SMBs obtain a simple and scalable security solution for advanced threats to safeguard corporate assets and drive down business risks. SMBs will enjoy unmatched advanced threat protection solution with continuous monitoring to augment their limited resources.”

Earlier this year, the security firm claimed that in over 95% of its prospective customer evaluations, it found incidents of advanced threats that were conducting malicious activities and that successfully evaded the prospective customers’ existing security infrastructure

The company was founded in 2005 by Ashar Aziz who served Chief Executive Officer until November 2012, and was followed by David DeWalt who previously served as president and CEO at McAfee from April 2007 until February 2011, after Intel’s surprise $ 7.68 billion acquisition of McAfee.

Tags:

• Network Security
• NEWS & INDUSTRY
• Malware
• Security Infrastructure

US, Britain ‘Spying on Virtual World’: Report

WASHINGTON – US and British intelligence have been spying on the global online gaming world because they fear terrorists could use the hugely popular platform to plot attacks, a report said Monday.

Spies have created characters in the fantasy worlds of Second Life and World of Warcraft to carry out surveillance, recruit informers and collect data, The New York Times said, citing newly disclosed classified documents from fugitive US intelligence leaker Edward Snowden.

The report came as eight leading US-based technology companies called on Washington to overhaul its surveillance laws following months of revelations of online eavesdropping from the former National Security Agency (NSA) contractor.

“Fearing that terrorist or criminal networks could use the games to communicate secretly, move money or plot attacks, the documents show, intelligence operatives have entered terrain populated by digital avatars that include elves, gnomes and supermodels,” the Times said.

“The spies have created make-believe characters to snoop and to try to recruit informers, while also collecting data and contents of communications between players,” the report said.

It added: “Because militants often rely on features common to video games — fake identities, voice and text chats, a way to conduct financial transactions — American and British intelligence agencies worried that they might be operating there, according to the papers.”

The report cited a 2008 NSA paper that warned that the virtual games — played by millions of people the world over — allowed intelligence suspects “a way to hide in plain sight.”

The documents do not give any examples of success from the initiative, the report said, adding that experts and former intelligence officials said “that they knew of little evidence that terrorist groups viewed the games as havens to communicate and plot operations.”

The surveillance, which also included Microsoft’s Xbox Live, could raise privacy concerns, noted the newspaper.

Apple, Facebook, Google, Microsoft, Twitter, Yahoo, AOL and LinkedIn meanwhile wrote an open letter to President Barack Obama and the US Congress calling on Washington to lead the way in a worldwide reform of state-sponsored spying.

“We understand that governments have a duty to protect their citizens. But this summer’s revelations highlighted the urgent need to reform government surveillance practices worldwide,” the letter said.

Tags:

• NEWS & INDUSTRY
• Privacy
• Tracking & Law Enforcement

Network security firm Fortinet announced on Monday that it would buy back up to $ 200 million of its stock as part of a share repurchase program expected to run through December 31, 2014.

The timing, number and value of shares repurchased under the program will be determined by Fortinet management at its discretion, with the company being able to repurchase shares from time to time in privately negotiated transactions or in open market transactions, the company said in a statement.

“The implementation of our first share repurchase program reflects Fortinet’s confidence in the long-term strength and strategy of the company, as well as our commitment to returning shareholder value,” said Ken Xie, Fortinet’s Founder, Chairman and CEO. “Though we remain focused on continuing to invest in our business to capitalize on our growth opportunities, at the same time, Fortinet’s financial performance and healthy cash flow generation allows us to be confident and opportunistic in repurchasing shares.”

While the Board of Directors has authorized the share repurchase program, the company is not obliged to repurchase any shares under the authorization, and the program may be suspended, discontinued or modified at any time, for any reason and without notice, the Fortinet said.

Tags:

• NEWS & INDUSTRY
• Management & Strategy

Late last week, Microsoft announced it had struck a blow against the ZeroAccess botnet in a joint operation with law enforcement and technology company A10 Networks.

But while the effort may have started a ten-count, some say the botnet was far from knocked out.

The takedown operation disrupted a botnet that is held responsible for infecting more than two million computers by targeting search results on Google, Bing and Yahoo search engines and costing online advertisers $ 2.7 million a month. The botnet hijacks people’s search engine results and redirects them to sites they had not intended to go to in order to commit click fraud. ZeroAccess relies on a peer-to-peer infrastructure that allows cybercriminals to control it remotely through tens of thousands of different computers.

To combat the situation, Microsoft recently filed a civil suit against the people behind the botnet and received authorization from the U.S. District Court for the Western District of Texas to simultaneously block incoming and outgoing communications between computers located in the U.S. and the 18 identified Internet Protocol (IP) addresses being used to commit fraud. In addition, Microsoft took control of 49 domains associated with ZeroAccess, while A10 Networks provided Microsoft with advanced technology to support the disruptive action.

However, Microsoft’s work comes up short. In a joint blog post, Yacin Nadji, a Ph.D. Candidate at Georgia Institute of Technology, and Damballa Chief Scientist Manos Antonakakis noted that any meaningful action against ZeroAccess must disrupt its peer-to-peer (P2P) communications channel.

“Disabling the click-fraud component is trivially countered by the botmaster by simply pushing an updated binary over the P2P channel with fresh click-fraud configurations,” they noted. “This extensive legal work can be undone in a matter of hours.”

According to a report, the operators did push out a configuration file to infected systems to bring the click fraud network back online, but the within a few hours the servers were back offline.

Fears about click fraud led to the Interactive Advertising Bureau (IAB) recently issuing a set of best practices designed to help publishers, networks and buyers reduce the risk of fraud on the Internet.

“The companies that participate in the digital advertising supply chain have been struggling with how to handle criminal enterprises intent on gaming the system,” said Steve Sullivan, vice president of advertising technology for IAB, in a statement. “These fraudsters are diluting the value of all legitimate inventory while simultaneously diminishing the integrity of the entire digital marketing industry. The introduction of these best practices is a first step in reducing the marketplace repercussions of these illegal activities.”

Tags:

• NEWS & INDUSTRY
• Virus & Malware