Finding software vulnerabilities is a full-time job for some people, but for another group, discovering a flaw in popular software can be like striking gold — either by making victims pay up or by getting paid via bug bounty programs.
To better understand why discovering flaws is so popular, we’ll examine what a software vulnerability is and most importantly what can be done with it.
ITSEC defines a vulnerability as “the existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the computer system, network, application, or protocol involved.”
I suppose we all saw this coming, ransomware authors are now posing as the NSA, claiming to be using the PRISM system to identify users performing illegal activities and demanding payment for their system to be unlocked.
This discovery was reported by security researcher Kafeine on his blog, in an article titled “Prism themed ransomware – Kovter evolution.”
The ransomware appears after a user has either executed the malware (via trickery, no doubt) or been hit by a drive-by exploit. After some time, the malware covers the screen and makes it impossible for the user to get around the ransom notice by disabling the Task Manager and forcing the notice to the front of the screen; typical ransomware stuff.
Screenshot courtesy of Kafeine @ Malware Don’t Need Coffee
The success of a malicious attack is determined by several factors including how well it is crafted and what its distribution channel is.
Over the years, we have seen different methods used by the bad guys to deliver their nasty payloads. Social engineering, the art of tricking people into doing certain things, always yields a pretty good return.
Of course, drive-by downloads, where simply browsing to a site results in your computer getting infected, is also a very popular technique.
To add to these two methods, there’s a third one that we could call extortion, where the end user has no other choice but to comply with the bad guys’ demands.
Did you ever wonder what it looks like when all these techniques are combined? Look no further:
Fake YouTube showing pornographic videos.
We discovered this legitimate website that had been compromised. It pretends to be YouTube, although you will (or should) never see such content on there, since it is very explicit material.
Scammers are at it again with their attempts to get users to download unnecessary software, visit pointless (and potentially dangerous) sites and fill out surveys for the scammers’ own profit.
This time, however, their tactics hit a little close to home.
Earlier this week, we got a tip-off from one of our followers and friends on Twitter, @bartblaze, about a Twitter account pretending to speak for Malwarebytes.
The Twitter account, @malwarebytesx, has posted heavily over the last couple of days about Malwarebytes Anti-Malware being available (both a legitimate and a cracked version) at a posted link. They even created a variation of our logo and got 51 people to follow them!
UPDATE (08/22/13): Apple revoked the fake Flash Player’s certificate which effectively removes it from Safari.
UPDATE (08/21/13): The bad guys are serving the fake Flash Player from Google Docs:
I used Fiddler to decrypt the HTTPS communication and reveal the malicious file being downloaded from Google Docs.
UPDATE (08/16/13): The rogue Flash Player extension for Apple’s Safari was signed with a valid Safari developer ID. (Hat tip to Braden Thomas for spotting it).
It belongs to “firstname.lastname@example.org” with Safari developer ID: E728F995AB.