[BreachExchange] Old-School Malware Tricks Still Work

Destry Winant destry at riskbasedsecurity.com
Wed Oct 10 23:04:54 EDT 2018


“The oldest trick in the book is pulling the head off a dead goose and
then restoring it” — Daniel Radcliffe. This is true today, especially
on the issue of cybersecurity. Thanks to the Internet, we all have
access to entertainment, shopping, our own personal financial
transactions, email and other information, 24 hours a day. This
unprecedented access to information is greater than earlier
generations could have ever imagined. The Internet has unlimited
information available to you upon demand. For most people, most of the
time, the Internet is a positive place. However, the Internet is not
without hazards. The Internet and the anonymity it affords can give
online scammers, hackers, and identity thieves access to your
computer, personal information, finances and more.

To fully understand the dangers out there in the Internet world, it’s
important to dispel the myth that successful computer attacks are the
deeds of brilliant masterminds. The truth is most attackers are there
to earn income, to profit at the expense of their victims. Information
about the vulnerabilities of all types of devices is widely available
on the Internet, as are instructions and software tools for launching
attacks. Many successful attackers today are highly motivated
individuals able to earn a lot of money through exploits; they take
advantage of well-known vulnerabilities with tools they usually
single-handedly developed for themselves.

We are living in the age of modern computer malware such as
ransomware, banking trojans and cryptominers. However, the old ways of
infecting vulnerable computers are still with us. Virus authors continue
to produce malformed MS Office documents which, when double-clicked,
trigger an exploit against unpatched vulnerabilities on the victim's
computer.

Remote access trojans pretending to be legitimate documents such as
.doc, .docx, .xls, .xlsx and even MS Publisher files continue to be
attached to unsolicited emails and instant messages. Some of them are
even long-running campaigns, such as the FlawedAmmyy RAT (Remote Access
Trojan), which has been infecting computers since 2016 by taking
advantage of users who do not update their PDF reader quickly enough.

With the popularity of Microsoft Office and the Adobe PDF format,
virus authors always have the motivation to improve their craft of
developing malware that masquerades as those formats. Some of it
appears benign, running on the computer without harming the user until
a trigger condition is met. One such condition the malware watches for
is a visit to a banking website. The moment the user attempts to open
the site, the malware activates its keylogging functions and sends the
user's credentials to its authors.
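The two paragraphs above describe the same lure: an executable or macro carrier that borrows a document extension so the recipient double-clicks it. The following is an added triage example, not code from the article or from any product it mentions. It compares a file's claimed extension with its leading bytes (the "magic number") and, for OOXML containers, reports whether a VBA macro project is embedded. The magic-number table and the sample files are constructed assumptions for the demonstration; the OOXML samples are minimal ZIPs, not real Word or Excel files.

```python
"""Triage a mailed attachment: does its content match the format its extension claims?

Executables start with "MZ"; legacy Office files (.doc/.xls/.pub) use the OLE2
compound-document header; OOXML files (.docx/.xlsx) are ZIP containers; PDFs
start with "%PDF". A mismatch, or an "MZ" under a document extension, is the
classic disguised-RAT pattern described in the article.
"""
import io
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Assumed mapping of extension -> acceptable leading bytes (kept small on purpose).
EXPECTED_MAGIC = {
    ".doc": (OLE2_MAGIC,),
    ".xls": (OLE2_MAGIC,),
    ".pub": (OLE2_MAGIC,),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".pdf": (b"%PDF",),
}


def classify(name, data):
    """Return 'ok', 'executable-disguised', 'mismatch' or 'unknown-extension'."""
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    if ext not in EXPECTED_MAGIC:
        return "unknown-extension"
    # A PE/DOS executable wearing a document extension is the highest-signal case.
    if data.startswith(b"MZ"):
        return "executable-disguised"
    if any(data.startswith(magic) for magic in EXPECTED_MAGIC[ext]):
        return "ok"
    return "mismatch"


def has_vba_project(data):
    """For ZIP-based (OOXML) files, report whether a vbaProject.bin part is present."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(name, data):
    """Combine both checks into one verdict tuple: (format verdict, macro present)."""
    return classify(name, data), has_vba_project(data)


def build_docx(with_macro):
    """Construct a minimal OOXML-style ZIP for the demo (constructed, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


# Constructed sample attachments: names and bytes are made up for this example.
SAMPLES = {
    "report.docx": build_docx(with_macro=False),
    "invoice.docx": build_docx(with_macro=True),
    "statement.pdf": b"%PDF-1.7\n%constructed\n",
    "resume.doc": b"MZ\x90\x00" + b"\x00" * 60,   # executable under a .doc name
    "data.xls": build_docx(with_macro=False),     # ZIP content under a legacy .xls name
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        verdict, macro = triage(fname, blob)
        print(f"{fname:15} format={verdict:21} vba_project={macro}")
```

Running the block prints one line per sample; `resume.doc` is reported as `executable-disguised` and `invoice.docx` as a well-formed container that nevertheless carries a macro project. A real mail gateway would apply the same two checks before any content scanning, since they cost almost nothing and catch the lures the article describes.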

Software is no different from any other product – flaws can show up
long after it has been produced. Most car owners, for example, have at
one time or another received a manufacturer recall notice to address
a quality defect. Software products have defects, too. Unlike cars,
however, software has never been recalled and fixed by the developer.
Instead, the developer releases software “patches” that, when applied,
correct the defects. Software owners are expected to discover the
availability of these patches on their own and apply them themselves.
When software patches designed to correct security-related flaws are
not applied, the computer running that software remains vulnerable.
Most of the vulnerabilities discovered over the past few years have
been in operating system software, like Windows. Fortunately, the most
recent operating system versions allow the patching process to be
automated. The bottom line: never delay an update if it is available.

More information about the BreachExchange mailing list