Fresh Malware Specifically Attacking Tibetan Activists Spotted; ESET

Security investigators at ESET the anti-virus provider have uncovered one cyber-spying malicious program which attacks Tibetan activists as it employs strange methods to bypass security identification as also continue to stay on corrupted PCs.

Named Win32/Syndicasec.A, the malicious program evades User Account Control (UAC)system within Windows for executing random instructions while enjoying elevated rights devoid of the end-users' consent.

Head of Security Intelligence Team, Alexis Dorais-Joncas at ESET said that the malware abused 'design' vulnerability within the white-list functionality of Windows UAC which Leo Davidson a developer recorded during 2009. Indeed, it utilized Davidson's POC (proof-of-concept) program just as it was, published pcworld.com dated May 24, 2013.

The method helps to run yet another malware which registers one JavaScript code inside WMI (Windows Management Instrumentation) subsidiary system. An automatically provided Windows utility, WMI is capable of running scripts that admins create for automating administrative jobs.

Elsewhere Dorais-Joncas stated that malware's exploitation of WMI wasn't novel, although it occurred only once, published internetdo.com dated May 24, 2013.

According to him, the method had splendid dexterity obtainable from the attacker's opinion about not needing a hostile formula necessary for storing, similar to a disk record, which didn't change. That caused typical energetic research accumulation namely Process Monitor for destruction so a hostile activity became prominent, Dorais-Joncas explained.

He stated that the Stuxnet worm used for spying after it attacked Iran's key uranium enrichment plant at Natanz, utilized the same method.

When WMI is merged with malware it makes HTTP queries aimed at hard-coded domains, which point in the direction of RSS feeds belonging to giveaway blogs. Subsequently, labels that are feigned for the RSS entries within the said feeds incorporate encoded instructions, which whilst cracked, display websites from active C&C (command-and-control) infrastructures.

And once communication with one of the C&Cs is established, the system presents a perplexing JavaScript, which WMI assesses and runs while on any putrescent PC. The JavaScript carries an attacker-issued command.

Alongside the assessment, ESET began watching a Win32/Syndicasec tainted PC. Although there wasn't any activity during the initial couple of days, subsequently, ESET reported getting instructions from the command-and-control system.

» SPAMfighter News - 5/29/2013