Showing posts with label Anti Malware. Show all posts

Sunday, 11 March 2018

Avast: CCleaner Attackers Also Wanted To Install Keylogger



The attackers who hacked software company Piriform last year and added a backdoor to the popular CCleaner tool likely also planned to install a keylogger on infected systems, according to anti-virus company Avast, which owns CCleaner.

Last September, Avast announced that attackers had hacked CCleaner developer Piriform and added malware to the official version. This infected version was downloaded by 2.27 million users. The malware was added to the Piriform development platform between 11 March and 4 July 2017. The software company was acquired by Avast two weeks later, on 18 July.

The first phase of the malware gathered information about CCleaner users, such as the name of the computer, installed software and active processes. The second phase consisted of downloading additional malware, but this was done only on a select number of machines. Eventually, 40 computers received this additional malware. These included systems from major tech companies such as Intel, Samsung, Sony, Asus, NEC and the South Korean telecom provider Chunghwa Telecom.

There is no evidence that a third step was carried out, but Avast has now found information indicating that one may have been planned. During the investigation into the hacked Piriform infrastructure, early versions of the first and second phases of the malware were discovered, as well as a tool called ShadowPad. ShadowPad is used by cyber criminals to control computers remotely. The tool was installed on four Piriform computers on 12 April, while the second phase of the malware had already been installed on 12 March.

The older version of the second-phase malware connected to a command & control server. The servers were no longer active at the time Avast analyzed the computers, so it is unknown what was downloaded, but given the time window it was probably ShadowPad. The Avast researchers also discovered ShadowPad log files containing keystrokes from a keylogger installed on the computers. The keylogger had been active since 12 April and had stored keystrokes from all kinds of programs. The version of ShadowPad encountered appeared to have been custom-built; Avast believes the attackers adapted it specifically for Piriform.

In addition to the keylogger, the attackers also installed a password builder and tools to install other software. According to Avast, there are no indications that ShadowPad was installed on the computers of CCleaner users. The anti-virus company does state that this constituted the third phase of the attack. It is not known whether the attackers wanted to install the keylogger on all 40 computers attacked in the second phase, on just a few, or not at all; this is still under investigation.

Thursday, 4 June 2015

Indian Researcher Can Hack Your Computer Using Just An Image


The malicious code, hidden using steganography, runs when the image is viewed in the browser.
Indian security researcher Saumil Shah published a report on an attack method he developed, based on the popular practice of sharing links to pictures. The expert was able to hide harmful executable code in the pixels of an arbitrary image, thus leaving his exploit in plain sight.

Part 1: [embedded video]

Part 2: [embedded video]

The researcher notes that hiding malicious code directly in the image was the most difficult part, and for this he had to use steganography. Shah distributed pieces of the malicious code across the image's pixels in a way that allows them to be decoded back using the HTML5 Canvas element, which performs dynamic rendering of images.

"For a successful attack I do not have to worry about hosting my own web-site. I do not even need any domain," the expert emphasizes. "I can take a picture, post it in the public domain, and if the victim loads it in their browser, it will compromise the system."

Separately, the expert noted that the changes the extraneous code causes in the final image are visible only when the image is zoomed in many times. Shah calls his attack technique Stegosploit, and he revealed its details at the recently held Hack In The Box information security conference in Amsterdam. A video with the details of the attack and the expert's commentary has been published on YouTube.
