Explore the latest news and trends  

Sign up for our weekly security newsletter

Be the first to receive important updates on security


Fresh Malware Specifically Attacking Tibetan Activists Spotted; ESET

Security investigators at ESET the anti-virus provider have uncovered one cyber-spying malicious program which attacks Tibetan activists as it employs strange methods to bypass security identification as also continue to stay on corrupted PCs.

Named Win32/Syndicasec.A, the malicious program evades User Account Control (UAC)system within Windows for executing random instructions while enjoying elevated rights devoid of the end-users' consent.

Head of Security Intelligence Team, Alexis Dorais-Joncas at ESET said that the malware abused 'design' vulnerability within the white-list functionality of Windows UAC which Leo Davidson a developer recorded during 2009. Indeed, it utilized Davidson's POC (proof-of-concept) program just as it was, published pcworld.com dated May 24, 2013.

The method helps to run yet another malware which registers one JavaScript code inside WMI (Windows Management Instrumentation) subsidiary system. An automatically provided Windows utility, WMI is capable of running scripts that admins create for automating administrative jobs.

Elsewhere Dorais-Joncas stated that malware's exploitation of WMI wasn't novel, although it occurred only once, published internetdo.com dated May 24, 2013.

According to him, the method had splendid dexterity obtainable from the attacker's opinion about not needing a hostile formula necessary for storing, similar to a disk record, which didn't change. That caused typical energetic research accumulation namely Process Monitor for destruction so a hostile activity became prominent, Dorais-Joncas explained.

He stated that the Stuxnet worm used for spying after it attacked Iran's key uranium enrichment plant at Natanz, utilized the same method.

When WMI is merged with malware it makes HTTP queries aimed at hard-coded domains, which point in the direction of RSS feeds belonging to giveaway blogs. Subsequently, labels that are feigned for the RSS entries within the said feeds incorporate encoded instructions, which whilst cracked, display websites from active C&C (command-and-control) infrastructures.

And once communication with one of the C&Cs is established, the system presents a perplexing JavaScript, which WMI assesses and runs while on any putrescent PC. The JavaScript carries an attacker-issued command.

Alongside the assessment, ESET began watching a Win32/Syndicasec tainted PC. Although there wasn't any activity during the initial couple of days, subsequently, ESET reported getting instructions from the command-and-control system.

ยป SPAMfighter News - 5/29/2013

3 simple steps to update drivers on your Windows PCSlow PC? Optimize your Slow PC with SLOW-PCfighter!Email Cluttered with Spam? Free Spam Filter!

Dear Reader

We are happy to see you are reading our IT Security News.

We do believe, that the foundation for a good work environment starts with fast, secure and high performing computers. If you agree, then you should take a look at our Business Solutions to Spam Filter & Antivirus for even the latest version of Exchange Servers - your colleagues will appreciate it!

Go back to previous page