OTX Snapshot: Top Malware Detected
October 16, 2013
This month, AlienVault launched a new Threat Update Newsletter with the goal of sharing recent threat data from our Open Threat Exchange™ (OTX), as well as recaps of some of the most interesting (or troubling) research and industry news. You can subscribe via e-mail to the Threat Update Newsletter, or subscribe to this blog to get additional information and insight.
The threat data we collect through our Open Threat Exchange continually reinforces what those of us in the Lab know to be true: That people and organizations using the Internet for criminal activity are highly coordinated. The tools we see cyber criminals using, and the complexity and scope of attacks speaks to the ‘community’ nature of this underground; cyber criminals liberally share information on attacks, attack tools, techniques, stolen data, etc. It’s time for us “good guys” to steal this collaborative approach and band together to share threat data. The more we each know, the better we can defend the privacy, intellectual property and economic infrastructures entrusted to us.
So, in the spirit of sharing what we hope is helpful threat data and information, here are the research findings and headlines for September that were especially interesting to the AlienVault Labs team:
More MacOSX Malware
While our Lab finds millions of malware samples per month on Windows and Android, we typically find only a few unique samples a week on MacOSX. This new threat is especially pernicious: it disguises itself as an image file, and once it is opened, the malware allows the attacker to perform whatever actions they want. This malware is interesting because it is written in Realbasic, a scripting language that makes it possible to compile the same code for Windows and Linux, so it would not be surprising to see this malware or its C&C running on other platforms, with the scripts adjusted to target each platform.
Internet Explorer Zeroday
The latest Internet Explorer zero-day has been widely reported, and we’ve seen serious targeted attacks against Japanese and Taiwanese organizations. Unfortunately, we’re still in “wait-and-see” mode until Microsoft provides a patch. My advice is not to use Internet Explorer at the moment. While you could manually apply the interim fix-it, we highly recommend against doing this, as every cyber criminal will be putting the work-around in their framework.
Direct Memory Access, or DMA, is the latest crack in the door. As reported in this PC World article, graphics cards and peripherals can bypass a computer’s CPU to access and process data directly from memory. Security solutions don’t typically look for malware in peripherals, and once a compromised peripheral uses DMA to reach system memory, there can be a ripple effect of damage. While this type of attack is still a novelty, information security professionals need to be aware of it because it could easily become a more widespread attack technique.
Data brokers hack
Brian Krebs investigated and reported on a hack of the major data brokers by an ID theft service that then sells the sensitive data it steals – including social security numbers, birth records and credit and background reports – to any cybercriminal or organization willing to pay. The ID theft service at the heart of this crime ring essentially acts as its own malicious form of data broker, enabling cybercriminals to access and purchase compromised data on the black market. For the legitimate business and consumer data aggregators that were hacked, this is a reminder: even if your business doesn’t suffer a targeted attack, if one of your systems has been infected by a regular botnet, your data is as vulnerable as if you were suffering a targeted attack. This story exemplifies how “bad guys” are collaborating to steal highly personal and valuable information and just generally wreaking havoc. If the good guys within business and government collaborated around threat data as effectively as the bad guys do around threat vectors and tools, attacks of this magnitude would be few and far between.
Icefog Cyber-espionage campaign
This research by Kaspersky Lab elaborates on a series of APT attacks aimed at supply chain organizations primarily in Japan and Korea. The nature of these attacks is very complex, and the threat actor in this case, “Icefog”, gets in-and-out very quickly. While most APTs can go on for a very long time, Icefog hits hard and fast, directly taking control of infected machines during attack. The Icefog attacks show how common attack techniques—spear-phishing or exploits for known vulnerabilities—can be combined with very sophisticated cyber espionage tools to do tremendous damage.
September Threat Activity by the Numbers
The AlienVault Open Threat Exchange™ (OTX) database is the largest crowd-sourced repository for threat information around the world. The AlienVault Labs team analyzes and validates this data to ensure it is a reliable source of actionable threat intelligence. See below for key trends from OTX for September:
OTX Snapshot: Top Countries by Number of Malicious IPs
For more detailed information, use our interactive threat map to drill into threat details for your specific region.
OTX Snapshot: Top Malware Detected
Visit OTX to learn more about how you can benefit from collaborative threat intelligence.