Security Roundup - 2017-04-20

The malware industry starts pointing fingers, with this article from Ars Technica on ‘Lawyers, malware, and money’. In it, a number of malware detection services and malware detection benchmark services largely blame one another for misrepresenting their products in demos and sales bakeoffs. Some suggest that the benchmarks are not representative of the ‘real world’, others suggest that some people are rigging the game in their favor, and a number of these disputes have apparently devolved into lawsuits or revocation of licenses.

The return of the ShadowBrokers has resulted in another trove of exploits being released. Apparently, more than 1k Windows binaries are part of this trove. Microsoft indicates that a number of the vulnerabilities have already been fixed. There is plenty of coverage from multiple security sites for those who want to dig in further.

Phishing is temporarily much easier on Chrome and Firefox, as Punycode domains, ones using non-ASCII characters, apparently render as domain names that look identical to the ASCII versions they are masquerading as.

The recent Struts exploit has been fixed, along with 299 other vulnerabilities in various Oracle products. This number of security fixes is a new record for Oracle, beating out the 276 reported in July 2016.

Plenty of Android malware news: Sophos points out how Android malware is adopting emulation detection techniques used in desktop malware to avoid analysis, and Threatpost goes into how Google is combating malware on Android. That doesn’t stop some malware campaigns from trying their hardest to stay in the app store.

Sucuri has posted March’s Lab Notes. Of interest: Backdoors executed via cookies.

Check Point’s March Malware Most Wanted is out, showing that, after a recent downturn, exploit kits are once more in active use.

In a bout of Robin Hood Hacking, a botnet named Hajime is competing against Mirai. Hajime infects IoT systems and then sets up protections designed to disrupt Mirai.

The FBI was involved in the recent takedown of the Kelihos botnet. Threatpost provides some details on how they were involved, while a MalwareTech researcher provides details on Kelihos from his own research.

Another in-depth look at malware, this time Sathurbot, a strain that initially spreads through malicious torrents and attempts brute-force attacks on common login portals.

Ransomware as a service hits a new low, where a version called Karmen can be purchased outright for $175.

Another instance of open source malware made the rounds this week. Labelled as a ‘remote administration tool’, which isn’t even a particularly fancy term for remote access trojan, this one used Telegram as its C&C. BleepingComputer has the details.

Written on April 20, 2017