Papers published in November 2014


Editor: Martijn Grooten

VB2014 paper: Well, that escalated quickly: from penny stealing malware to multi-million-dollar heists, a quick overview of the bitcoin bonanza in the digital era

From the rise and demise of Silk Road to the current state of the crypto-currency frenzy, the story of bitcoin involves mysterious characters, million-dollar robberies and stealthy malware that will make you think twice before going online with your money. In his VB2014 paper, Santiago Pontiroli looks at the most interesting malware samples that target the popular bitcoin currency and some of the major events that surrounded it during this past year. He also investigates the flaws that allowed several bad guys to steal more money than one could ever imagine, and how they did it without ever firing a gun or stepping into a bank. Finally, he rounds off with some of the benefits that digital currencies offer to Latin American countries and the state of crypto-currency-stealing malware in the region and worldwide.

Santiago Pontiroli - Kaspersky Lab, Argentina

VB2014 paper: Using DMARC to improve your email reputation

In 2012, the world of email filtering created a new tool to combat spam and phishing: DMARC - a technology that is designed to prevent spammers from forging the sender. DMARC has its upsides, but it also has some drawbacks. In his VB2014 paper, Terry Zink discusses the advantages and drawbacks of DMARC, as well as the process that Microsoft went through to catalogue all of its domains in order to ensure that all of them could pass basic authentication checks.

Terry Zink - Microsoft, USA

VB2014 paper: Apple without a shell – iOS under targeted attack

Apple has a strict review process for apps published in its App Store - which, although not perfect, provides good protection for iOS users and makes it difficult for malware to exist in the App Store. However, apps may also be distributed using enterprise provisioning profiles without having to go through this review process - and apps distributed in this way have become a new attack vector. In their VB2014 paper, Tao Wei and colleagues explain the risk of an attacker distributing apps using enterprise provisioning profiles to conduct targeted attacks, including remote installation through spear phishing, autostart after reboot, background monitoring, and bypassing certificate revocation.

Tao Wei - FireEye, Inc., USA, Min Zheng - FireEye, Inc., USA, Hui Xui - FireEye, Inc., USA & Dawn Song - FireEye, Inc., USA

VB2014 paper: Bootkits: past, present & future

Bootkit threats have always been a powerful weapon in the hands of cybercriminals, allowing them to establish persistent and stealthy presence in their victims' systems. The most recent notable spike in bootkit infections was associated with attacks on 64-bit versions of the Microsoft Windows platform, which restrict the loading of unsigned kernel-mode drivers. However, these bootkits aren't effective against UEFI-based platforms. So, are UEFI-based machines immune against bootkit threats (or would they be)? In their VB2014 paper, Eugene Rodionov, Alexander Matrosov and David Harley look at how bootkit threats have evolved over time and what we should expect in the near future.

Eugene Rodionov - ESET, Canada, Alexander Matrosov - Intel, USA & David Harley - ESET North America, UK

VB2014 paper: Optimized mal-ops. Hack the ad network like a boss

In their VB2014 paper, Vadim Kotov and Rahul Kashyap perform an in-depth analysis of malicious web ads, with the focus on Flash banners. They investigate various possibilities for an attacker to leverage ad networks to spread malware and show that, from the attackers' perspective, ad networks are no different from, and may even be better than, exploit kits.

Vadim Kotov - Bromium, Inc., USA & Rahul Kashyap - Bromium, Inc., USA

VB2014 paper: Sweeping the IP space: the hunt for evil on the Internet

The total IPv4 space consists of 4 billion addresses, the public ASN visible space consists of 46,000+ AS numbers, and the BGP prefix space consists of 520,000+ prefixes. Together, they form the foundation of addressing, routing and hosting on the Internet. Most of the current reputation systems used for network-level threat detection derive scores for IPs, BGP prefixes or ASNs based on hosted content. In his VB2014 paper, Dhia Mahjoub takes a novel approach by exploring the AS graph which models the interconnections between ASNs. He uncovers hotspots of maliciousness by analysing AS graph topology, hosted content and IP space reservation, and sheds some light on suspicious relationships between ASNs and abusive IP sub-allocations.

Dhia Mahjoub - OpenDNS, USA

VB2014 paper: Labelling spam through the analysis of protocol patterns

In their VB2014 paper, Andrei Husanu and Alexandru Trifan propose ways of fingerprinting the behaviour of various email-sending software by analysing sending behaviour at the SMTP and TCP/IP protocol levels in order to identify email messages originating from botnets and isolate them from those originating from various kinds of legitimate email servers.

Andrei Husanu - Bitdefender, Romania & Alexandru Trifan - Bitdefender, Romania

Conference report: VB2014

The biggest and broadest ranging Virus Bulletin conference ever was a great success. Martijn Grooten describes the highlights of the event.

Martijn Grooten - Virus Bulletin, UK

VBSpam comparative review November 2014

Although all but one of the 15 full products submitted for testing achieved a VBSpam award this month, and five of them performed so well they earned a VBSpam+ award, performance on most accounts was poorer than it has been in recent tests. Martijn Grooten has the details.

Martijn Grooten - Virus Bulletin, UK
