Ransomware

What is Ransomware? By now, most of us know that it ruins your files, mostly pictures, documents and other personally created items, by encrypting them and demanding a "ransom" to decrypt them. Ransomware is a vicious kind of malware that locks users out of their devices or blocks access to files until a sum of money (the ransom) is paid. Attacks cause downtime, data loss, major financial loss and intellectual property theft. If an attack makes it through a corporation's defenses to even one computer, it can affect the entire network by encrypting and locking files on shared network drives used by all employees, thus potentially spreading to all computers. Ransomware can enter the network via an email, a computer, a phone, a tablet or a USB drive. A file that sits on an infected computer or USB drive and is transferred to another computer can also cause infection and propagation. Social media sites can also be used to transfer malware via links and file attachments.


95% of security breaches are due to human error and lack of employee training and knowledge

What can you do?

– Be suspicious of every email you receive. Treat each as a potential threat, especially if it includes attachments or links.

– All of your computers, including Mac computers, should have a reputable antivirus service.

– Don't share thumb drives with computers you don't know, or if you are not sure they are "clean".

– Turn on the Windows firewall on your PC.

– Back up your data and secure those backups.

– Be wary of what you are downloading onto your computer.

Quote to Ponder: “Live in the sunshine, swim in the sea, drink the wild air…” Ralph Waldo Emerson

Kovter (Trojan 2018)

Kovter is a Trojan that acts as click-fraud malware or as a ransomware downloader. It cannot spread on its own; it relies on users running it by mistake or visiting a malicious webpage, and it is disseminated via malspam email attachments containing malicious Office macros. Reports indicate that infections have received updated instructions from command and control infrastructure to serve as a remote access backdoor.

Kovter has transformed through various iterations in its lifespan. Originally, Kovter acted as a form of police ransomware, locking infected devices and displaying a fake message pretending to be a fine payment notice from a legitimate law enforcement entity. It then evolved into click-fraud malware that used code injection to infect its target, stole information and exfiltrated it to its Command & Control (C2) servers. Its current version is fileless malware installed via autorun registry entries, which expands by adding file components for shell spawning techniques.


Platforms targeted: Windows systems

Infection Flow

  1. Arrives by spam mail
  2. Installs components for shell spawning
  3. Creates a registry entry containing malicious scripts
  4. Injects shell code into a PowerShell process upon system restart or upon execution of the shortcut or batch file
  5. The shell code spawns a regsvr32.exe process that connects to various URLs for click fraud

Infection: Email attachment with a JavaScript file hidden inside a 7-zip archive

Upon execution, it downloads the second stage from C2 servers and saves it to %TEMP%. Once that completes, Kovter moves to fileless operation and persistence: its obfuscated JavaScript and binary payloads are written into the Windows Registry.
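The registry-resident persistence described above can be reviewed from the defender's side. The following PowerShell script is an added example, not from the original page or any Kovter report: it lists the standard Run/RunOnce autorun entries and flags values that are unusually long (an embedded script rather than a file path) or that launch one of the script hosts this page names (PowerShell, regsvr32, cmd for batch files). The length threshold and the script-host list are assumptions.

```powershell
# Added example (not from the original page): flag Run/RunOnce values that look
# like fileless persistence. Threshold and launcher list are assumptions; tune them.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Launchers mentioned on this page: PowerShell, regsvr32, and batch/shortcut files (cmd).
$ScriptHosts    = @('powershell', 'regsvr32', 'cmd')
$MaxValueLength = 260   # assumption: a normal Run value is a short command line

$findings = foreach ($key in $RunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $value   = [string]$item.GetValue($name)
        $reasons = @()

        # An autorun value holding hundreds of characters is usually inline script, not a path.
        if ($value.Length -gt $MaxValueLength) {
            $reasons += "value is $($value.Length) characters long"
        }
        # Match the launcher as a whole token: start of string, path separator or space before it.
        foreach ($launcher in $ScriptHosts) {
            $pattern = '(^|[\\\s"])' + $launcher + '(\.exe)?([\s"]|$)'
            if ($value -match $pattern) { $reasons += "launches $launcher" }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Preview = $(if ($value.Length -gt 80) { $value.Substring(0, 80) + '...' } else { $value })
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

$findings | Format-List
```

Entries that are flagged should be compared against the software actually installed on the machine before anything is removed; a legitimate vendor updater can also live in these keys.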

Prevention

  • Being careful when downloading anything from the internet
  • Using an ad blocker within the web browser
  • Disabling JavaScript in the web browser

Mitigation

Running an antivirus scan, such as Windows Defender, will flag any problem programs that are of concern. Kovter uses either Explorer.exe or Regsvr32.exe to launch and run in memory. In most Windows environments, there won't be any Regsvr32.exe process running in memory for any length of time. If one is found running, it is possibly nefarious and should be reviewed. To identify bad instances of Explorer.exe and Regsvr32.exe, look at the number of libraries loaded in the process's memory space and where on disk the process was launched from.
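The checks just described (image path on disk, how long regsvr32.exe has been resident, how many modules it has loaded) can be scripted. This PowerShell hunt is an added example, not from the original page; the runtime and module-count thresholds are assumptions, and it should be run from an elevated prompt so that start time and module lists are readable for every process.

```powershell
# Added example (not from the original page): review the two process hosts Kovter
# uses (regsvr32.exe and explorer.exe) for the signs this page describes.
# Thresholds below are assumptions; adjust them for your environment.

$System32 = Join-Path $env:SystemRoot 'System32'
$SysWOW64 = Join-Path $env:SystemRoot 'SysWOW64'
$ExpectedPaths = @{
    regsvr32 = @((Join-Path $System32 'regsvr32.exe'), (Join-Path $SysWOW64 'regsvr32.exe'))
    explorer = @((Join-Path $env:SystemRoot 'explorer.exe'))
}
$MaxRegsvr32Age     = New-TimeSpan -Minutes 5   # assumption: regsvr32 normally exits in seconds
$MaxRegsvr32Modules = 60                        # assumption: a real regsvr32 loads few DLLs

Get-Process -Name regsvr32, explorer -ErrorAction SilentlyContinue | ForEach-Object {
    $p       = $_
    $reasons = @()

    # Where on disk was it launched from? Anything outside the Windows directory is suspect.
    if (-not $p.Path) {
        $reasons += 'image path not readable'
    } elseif ($ExpectedPaths[$p.ProcessName] -notcontains $p.Path) {
        $reasons += "unexpected image path $($p.Path)"
    }

    $age     = (Get-Date) - $p.StartTime
    $modules = $(try { @($p.Modules).Count } catch { -1 })   # -1: module list not readable

    # regsvr32 should be short-lived; a resident copy with many modules is the pattern to review.
    if ($p.ProcessName -eq 'regsvr32') {
        if ($age -gt $MaxRegsvr32Age)         { $reasons += "resident for $([int]$age.TotalMinutes) min" }
        if ($modules -gt $MaxRegsvr32Modules) { $reasons += "$modules modules loaded" }
    }

    # Parent and command line help show whether this copy was spawned by injected code.
    $wmi = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.Id)"
    [pscustomobject]@{
        Pid         = $p.Id
        Name        = $p.ProcessName
        Path        = $p.Path
        ParentPid   = $wmi.ParentProcessId
        Modules     = $modules
        Minutes     = [int]$age.TotalMinutes
        CommandLine = $wmi.CommandLine
        Suspicious  = ($reasons.Count -gt 0)
        Reasons     = ($reasons -join '; ')
    }
} | Format-List
```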


Worm (Write Once Read Many)

A worm (Write Once Read Many) is a standalone type of malware program that can replicate itself in order to spread to other computers or networks through email, instant messaging, IRC chat and peer-to-peer network connections. Some of the more modern trends in worm mitigation techniques are packet filters, ACLs in routers and switches, and lastly null routing.

One of the first computer worm attacks was sent over early versions of the Internet, infecting nearly 10% of the UNIX computers belonging to NASA, Berkeley, MIT, Stanford, and the Pentagon. Released on November 2nd, 1988, it was called the "Morris Worm", named after its designer Robert Morris. An undergraduate at Cornell University experimenting with self-propagating programs, he chose to release the worm from MIT to disguise the fact that it was created at Cornell. Once Robert Morris realized the extent of the damage the worm was doing to the Internet, he contacted a friend at Harvard to discuss how to stop it. The worm took advantage of a hole in the debug mode of the UNIX sendmail program to migrate through the network.

The main difference between a virus and a worm is that a worm does not need to attach itself to an existing program to infiltrate a system, whereas a virus attaches itself to files and requires user interaction to infiltrate the computer. Worms use networks to travel from one computer to another without any user interaction. Worms can be programmed with a payload, code added to the worm that does more than just spread it, which can do any of the following:

  • Delete files
  • Encrypt files (Cryptoviral extortion)
  • Send Documents in an email
  • Install a backdoor on a computer

When a worm installs a backdoor on a computer, that computer becomes a "zombie": it is compromised and can be used remotely to perform any type of malicious task.

Not all worms are bad. There has been a lot of research over the years into designing "good intention" worms that can be used as network diagnostic programs. Research into how worms spread began partly in order to create non-malicious worms. John Shoch and Jon Hupp of Xerox researched and designed a worm to allow testing of Ethernet principles on their internal computer networks. Another example was the Nachi (Welchia) worm, which exploited a vulnerability in the Microsoft Remote Procedure Call (RPC) service to search for installed malware on a system and then tried to install a security patch from Microsoft to prevent any further infection.

Programmers and network penetration testers can use worms for either good or malicious purposes. No one can protect themselves from every type of malware or network worm, but with basic computer knowledge and anti-malware software installed on their computer, any user can protect themselves from most types of malware attacks.
