The United States is at the top of the list of countries with the most infections of point-of-sale (PoS) malware during the third quarter of the year, according to research from Trend Micro.

In its threat report for Q3, Trend Micro reported that the U.S. accounted for 30 percent of PoS malware infections. The next three places on the list – Taiwan, Philippines and Italy – each accounted for six percent of infections.

“Early this year, one of the largest retail companies in the U.S. disclosed that approximately 40 million consumer credit and debit card information was compromised as a result of a breach in its systems,” according to the report. “Not long afterward, Home Depot topped that record when it disclosed that more than 100 million customer records that included credit card information was stolen as a result of a payment systems breach. The threat actors behind these breaches attacked the retailers’ point-of-sale (PoS) systems. BlackPOS was implicated in the incident reported early this year, while BlackPOS version 2 was used in the Home Depot breach. This further indicates that PoS networks are highly accessible and vulnerable.”

The report identified three new pieces of PoS malware that were spotted during the third quarter: BrutPOS (Tibrun), Backoff (POSLOGR) and BlackPOS Version 2 (MEMLOG).

Recently, researchers at Trend Micro identified a new piece of PoS malware detected by the firm as TSPY_POSLOGR.K that is designed to read the memory associated with specific processes written in the .INI file. It then saves the data to files named “rep.bin” and “rep.tmp.”

“Based on the other PoS malware behaviors we observed, it appears to be designed as multicomponent malware similar to an earlier BlackPOS variant named TSPY_MEMLOG.A, as it might require another component to retrieve the dumped data,” Anthony Joe Melgarejo, threat response engineer at Trend Micro, explained in a blog post. “It is highly possible that this is deployed as a package.”

The report also noted a spike in online banking malware infections between the second and third quarters. As in the case of PoS malware, the United States was the most affected country, accounting for about 13 percent of infections.

“Our findings confirm that we are battling rapidly moving cybercriminals and evolving vulnerabilities simultaneously,” said Raimund Genes, CTO at Trend Micro, in a statement. “With this fluidity, it’s time to embrace the fact that compromises will continue, and we shouldn’t be alarmed or surprised when they occur.  Preparation is key and as an industry we must better educate organizations and consumers about heightened risks as attacks grow in volume and in sophistication. Understanding that cybercriminals are finding vulnerabilities and potential loopholes in every device and platform possible will help us confront these challenges so technology can be used in a positive way.”

Tags:

• NEWS & INDUSTRY
• Virus & Malware

Researchers at Palo Alto Networks identified a new piece of malware designed to target Mac OS X and iOS users. The threat, called WireLurker, has potentially affected hundreds of thousands of users, almost all of them located in China. 

Cybercriminals are distributing the threat by trojanizing OS X apps hosted on third party app stores. The 467 malicious apps uploaded to the Maiyadi App Store have been downloaded more than 350,000 times.

Once it infects a Mac, the malware downloads other malicious iOS application to the infected machine. When victims connect their iPads, iPhones or iPods via USB to the infected device, WireLurker installs the downloaded iOS applications onto them. The mobile component of WireLurker is capable of stealing information from infected devices.

The latest version of WireLurker is interesting because it can infect not only jailbroken devices, but also ones that haven’t been jailbroken. The threat can install the malicious iOS apps on non-jailbroken devices by signing them with a stolen code signing certificate.

Shortly after Palo Alto Networks disclosed details on WireLurker, researchers identified an older variant of the threat apparently designed to target computers running Microsoft Windows. 

The command and control servers used by the malware are currently offline and Apple has revoked the certificate used by the malware authors. However, experts believe WireLurker once again shows that Apple devices are not immune to malware.

And the Feedback Begins…

Ian Amit, Vice President of ZeroFOX:

“It’s interesting to see how malware is getting more holistic from an attack vector approach, utilizing technical vulnerabilities and elements, as well as human ones. This isn’t the first malicious code that is designed to “hop” between connected platforms, examples date back to variants such as Stuxnet that infected Windows based computers, which in turn affected Siemens PLCs. This is an interesting turn of events, as Apple’s iPhone is commonly considered a safe platform as long as it isn’t jailbroken.

Beyond the already familiar abuse of social interactions that allow the malware to run in the first place – essentially, having the victim ‘knowingly’ install it, WireLurker also abuses the trust between the victim’s PC and the iPhone connected to it, which grants it full access to the phone and it’s applications – apps can be backed up over USB, then restored to the phone, after the malware has modified them and inserted a backdoor.”

Greg Martin, CTO of ThreatStream:

“Wirelurker is being distributed via a 3rd party app-store called Maiyadi that is out of control of Apple.

The danger with third-party app stores such as Maiyadi is that Apple and Google have no vetting control of what gets added to 3rd party app stores, severely limiting their ability to protect end-users from running malicious apps. In-fact nearly all cases of known malware for the iPhones have originated from 3rd party app stores such as Cydia (App store for jailbroken iPhones) and now new ones like Maiyadi.

Monitoring these 3rd party app stores for malicious apps will become an opportunity for cyber security companies to help provide intelligence back to Apple and Google on what’s happening outside of their control.”

Steve Bell, security consultant, BullGuard:

“The really interesting thing about the WireLurker malware is the scale of the infection and how it is promulgated.  Because of the proprietary nature of Apple devices and the fact that apps are checked for malware before they go into the Apple store users have generally been protected in the past.

However, with an estimated 350,000 downloads of infected apps and the fact that the malware can also transfer via a USB port signals a serious notching up of hacker’s endeavours to hit Apple devices. In the US Apple users tend to stick to the Apple store which is wise. WireLurker shows precisely the danger of downloading apps from unregulated third party stores.

However, the use of a USB port to also transfer malware, while obvious and simple, could be potentially devastating. Without wishing to be alarmist, USB ports are an obvious vulnerability, and it’s not beyond the realms of possibility that hackers might use this to insert Trojans designed to lie dormant for a period. With Apple now putting its considerable weight behind Apple Pay, hackers have serious motivation.”

Carl Wright, General Manager for TrapX Security:

“What has enabled the success of the creators of WireLurker is the concept of transitive trust. This two-way approved relationship automatically created between parties has long been an Achilles heel to security professionals trying to ensure the validity of transactions on a more or less case by case bases.

This recent hack continues to illustrate the trade-off the end users must consider between that of maintaining security of the end point device and innovative new applications that may not be developed or certified by Apple.

In the end, the price may indeed be too extreme for corporations who desire to take advantage of end user BYOD.”

Jared DeMott, Security Researcher with Bromium Labs:

 “People still seem to think malware on the Mac is less likely than on Windows.  If this is true, it’s simply because attackers are less interested in Mac.  The relative attack surface is just as big (similar chance to find and exploit bugs) as on Windows or any other modern operating system.

In fact, my suspicion is that Macs really are exploited more than people realize.  But it’s either typically by better funded attackers, who know how to stay hidden, or because Apple in general does a better job at managing bad security press when compared to Windows.

This particular malware is distributed not in the form of an exploit, but in the form of pirated software.  China in particular, is known to run a lot of illegal software.  Thus, it’s not surprising the Chinese took the brunt of this round, considering the deployment mechanism.”

Mark Parker, Senior Product Manager, iSheriff:

“Wirelurker introduces a new threat vector in a place that was thought to be secure. The concept of using trojan software to download new threats is not new, that is something that has been in practice for many years. However, up to this point the software on iOS devices has been considered secure since the only software on the device would come through the heavily vetted Apple App Store.

By using the workstation’s USB connection as an avenue to surreptitiously install the Trojan applications, the protection afforded by the App Store is leap frogged in an effective manner. Since it has shown success, there is sure to be more advancement and copycats. The introduction of the mobile phone as a method of payment will increase the potential for attacks. Wherever there is money, there is always going to be Malware built to try to get access to that money.

This approach of using the workstation USB connection to another device could also be used in other “closed system” environments. Examples of this could be physical security system maintenance, or point-of-sale terminals that can only be maintained via a workstation USB connection, or similar method. It is always important to ensure that all workstations, even those of workers off-site, are protected from endpoint, web, and email based attacks at all times. The need for security doesn’t stop when the device leaves the network, especially in cases of workers that will be connecting to these types of devices.”

Kenneth Bechtel, Malware Research Analyst, Tenable Network Security:

 “With a resurgent BlackEnergy now targeting network routers and WireLurker spreading like wildfire across China’s iOS devices, this has been an interesting week to be in the malware business. But the thing to keep in mind is that despite the hype, neither of these threats herald an impending Internet apocalypse, though both deserve to be taken seriously.

WireLurker infects iOS through compromised OS X machines. Following successful malware trends, it is modular and updateable, having 467 applications hosted on the Maiyadi App Store (a third-party store hosted in China). This threat can now infect non-jail broken iOS devices simply by connecting an iPhone/ iPad/ iPod to a computer to sync the calendar or contacts list. This concept is very frightening to many users, and means it won’t be long before it spreads to countries outside of China.”

Michael Sutton, VP of Security Research for Zscaler:

 “We keep waiting for mobile malware to eclipse traditional PC malware but it turns out that we’re waiting for the wrong thing. We’ll never see the drive by downloads and fast spreading device to device malware that we’ve become accustomed to in the Windows world, due to the differing architectures of Windows vs Mobile operating systems. That doesn’t however mean that malware on mobile devices isn’t a concern, it just means that malware is being forced to evolve and adapt to a more restrictive environment.

This is especially true for iOS devices and WireLurker represents a new advance on that front. Whether or not Apple designed their Walled Garden for security purposes or not, the fact that iOS apps must primarily be installed only from the iOS App Store, where they can first be vetted by Apple, has made malicious apps on non-jailbroken devices a rare commodity. WireLurker took advantage of an exception to this rule.

WireLurker abuses the fact that there is another way to get apps onto non-jailbroken devices. Apple allows enterprise development teams to leverage Enterprise Provisioning as a means to push homegrown apps to employees without the hassle of hosting them in the App Store. The process is still restricted and requires the use of an Apple supplied code signing certificate and provisioning profiles pushed to devices, but it does provide an alternative. The authors of WireLurker appear to have stolen a legitimate code signing certificate from Hunan Langxiong Advertising Decoration Engineering Co. Ltd., in order to pushed apps to non-jailbroken devices via provisioning profiles.”

Steve Hultquist, chief evangelist at RedSeal:

“Trust. It’s the first requirement for security, but seldom considered by consumers. In the case of WireLurker, existing trust between an iOS device and a Mac becomes the surrogate for malware to infect the devices. When the Mac user mistakenly places trust in a third-party app site to only offer uninfected applications for download, it opens the door to infection of the Mac and then the iOS devices.

This is another example of the sophistication and automation of attacks that are growing inexorably into the future. Attackers are both more subtle and more capable than ever before. This attack resulted in over a quarter of a million infected downloads, in all likelihood impacting thousands of people and devices, all because of misplaced trust.

This attack and others that will follow underscore the need for proactive security efforts, from application design-for-security to trust architectures and automated analysis of potential access paths. Without automated proactive prevention, attacks will continue to grow in volume and impact. Enterprises need to take notice, since these consumer attacks are merely the ice above the water. The enterprise and governmental attacks are the bulk under the sea.”

Until Next Friday…Have a Great Weekend!

Tags:

Researchers for Trustwave’s SpiderLabs have turned the flood lights on malware disguised as a module for Microsoft’s Internet Information Services (IIS) software.

According to Trustwave, the malware is manually installed by attackers after they have compromised a web server. Known as ISN, the malware is used by attackers to target sensitive information in POST requests, and has data exfiltration capabilities in its arsenal, blogged Trustwave’s Josh Grunzweig.

“Encryption is circumvented as the malware extracts this data from IIS itself,” he blogged. “This was seen targeting credit card data on e-commerce sites, however, it could also be used to steal logins, or any other sensitive information sent to a compromised IIS instance.”

The installer has four embedded DLLs that are dropped depending on the victim, the researcher continued. Specifically, there are IIS modules for IIS 32-bit; IIS 64-bit; IIS 7+ 32-bit and IIS7+ 64-bit. The malware also has a VBS file embedded as a PE resource that is used to install or remove the DLLs as an IIS module.

“Once the module is successfully installed, it will monitor the URIs specified in the configuration file and dump any POST requests encountered to the ‘[filename].log’ file,” according to Grunzweig. “The module will also monitor the QUERY_STRING parameter, and can accept a number of commands. I’ve setup a simple IIS instance to demonstrate how this process takes place.”

“Overall, this malware does not appear to be widely spread and has only been seen in a few forensic case instances,” Grunzwieg noted. “However, the extremely low detection rate in collaboration with the malware’s targeted functionality makes this a very real threat.”

Tags:

• NEWS & INDUSTRY
• Virus & Malware