SPOTLIGHT ON SECURITY

PowerLocker Takes Ransomware to a New Level

Up to now, the malware program CryptoLocker has been king of the ransomware roost, but PowerLocker (formerly PrisonLocker) may present a new challenge.

“It has some interesting countermeasures to thwart researchers,” Harry Sverdlove, CTO of Bit9, told TechNewsWorld.

Among those countermeasures are the ability to determine if it’s running on a virtual machine — and if so, to alter its behavior. Researchers will run questionable programs on virtual systems to avoid infecting a networked box.

“We don’t know what that behavior would be, but presumably it would be to act benign,” Sverdlove said.

PowerLocker also has sandbox detection. Software sandboxes are used to isolate an app’s behavior and prevent it from spreading any nastiness it may contain.

Bitcoin Connection

One way to thwart ransomware is to maintain a good backup regimen, so if one data set gets involuntarily encrypted, a backup set can be used to restore it. PowerLocker’s authors appear to have thought of that angle, too.

“It can scan removable devices, looking for potential backups or other tertiary files so it can encrypt those as well,” Sverdlove said.

“The authors have taken some of the lessons learned from CryptoLocker and improved upon it,” he added. “It’s the next-generation CryptoLocker.”

Ransomware has been around for some time, but its recent rise in popularity may be linked to better means for collecting unjust rewards.

“What makes ransomware more popular now is the anonymity by which you can make and receive payments,” Sverdlove said.

One of those ways is through the digital currency Bitcoin, which “allows people to get money anonymously,” said Greg Foss, a senior security research engineer with LogRhythm.

“That’s part of why the CryptoLocker campaign has been so successful,” he told TechNewsWorld.

Yahoo Serves Up Malads

Poisoning advertising on Web pages is a common tactic used by online miscreants to spread malware. The practice was scaled up a bit last week when a Yahoo server began distributing infected ads (see Breach Diary below).

“The methodology used in the recent Yahoo attack is not new,” Oscar Marquez, chief product officer at Total Defense, told TechNewsWorld. “The difference here is simply the scope of the infection.”

The technique used to infect the Yahoo ads is called “cross-site scripting.” In this case, a Web page element called an “iframe,” which is invisible to users, was used to direct them to a malicious website.

“There was no user interaction needed for the exploit to be downloaded. Simply visiting a page with an infected ad could have resulted in infection,” Marquez explained.

“The criminal enterprises behind today’s malware want to infect as many systems as possible,” he added. “The more systems they can infect, the greater their profit will be. So I believe that they will use this iframe attack type again in the future, because it has proven to work.”
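As an added defensive illustration (not code from the article or from any company it quotes), the following scanner flags the pattern described above: an iframe in ad markup that is sized or styled to be invisible and points at a host other than the ad network's own. The sample HTML, host names and size thresholds are constructed assumptions for the example.

```python
# Added example: flag invisible iframes in served ad markup. Heuristics
# (zero/1-pixel dimensions, display:none, visibility:hidden) and the
# sample creative below are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample ad creative: a visible banner, a legitimate visible
# frame on the ad network's host, and a hidden frame pointing elsewhere.
SAMPLE_AD_HTML = """
<div class="ad">
  <img src="https://cdn.example-ads.test/banner.png" width="300" height="250">
  <iframe src="https://cdn.example-ads.test/frame" width="300" height="250"></iframe>
  <iframe src="http://landing.example-bad.test/go" width="0" height="0"
          style="visibility:hidden;border:0"></iframe>
</div>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _is_tiny(value):
    """True when a width/height attribute resolves to 0 or 1 pixel."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1

class HiddenIframeScanner(HTMLParser):
    def __init__(self, trusted_host):
        super().__init__()
        self.trusted_host = trusted_host  # host the ad network legitimately serves from
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        style = a.get("style") or ""
        hidden = (_is_tiny(a.get("width")) or _is_tiny(a.get("height"))
                  or bool(HIDDEN_STYLE.search(style)))
        if not hidden:
            return  # visible frames are normal in ad creatives
        host = urlparse(src).hostname or ""
        self.findings.append({"src": src, "hidden": True,
                              "third_party": host != self.trusted_host})

def scan_ad_html(html, trusted_host):
    """Return one finding per hidden iframe in the given markup."""
    scanner = HiddenIframeScanner(trusted_host)
    scanner.feed(html)
    return scanner.findings
```

Run it over a creative before it is approved for serving: a hidden frame whose `third_party` flag is set is the case worth a manual look.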

College Purchasing Scams

Boston College began notifying its suppliers last week to be on the alert for university purchasing poseurs.

BC warned of a national fraud scam targeting college suppliers in an email message sent to suppliers by Assistant Director of Procurement Services Jerri Cole.

“According to multiple schools, the emails request quotes for specific merchandise,” explained the message, which was obtained by TechNewsWorld.

“Later, a purchase order is emailed to the business that bears resemblance to an authentic University purchase order. The purchase order instructs delivery to an address not affiliated with the University,” it continued.

“After shipping the merchandise, the business never receives payment and is unable to retrieve the mailed products,” the message said.

Nearby Wellesley College posted a similar warning on the home page for its purchasing department.

“It has been brought to our attention that there is an active email scam involving purchase orders and requests for product quotations that seem to originate from Wellesley College but are in fact fraudulent,” the warning declares. “We are actively working with … law enforcement to investigate these fraudulent emails.”

Jenny Shearer, a spokesperson for the FBI’s national office, told TechNewsWorld the agency was unfamiliar with the scam.

Data Breach Diary

  • Jan. 5. Yahoo reports malware spread by its European advertising servers did not affect users in North America, Asia Pacific and Latin America. Also unaffected were users of Apple computers and mobile devices.
  • Jan. 6. Staysure, a travel insurer located in the UK, reveals encrypted payment card details of as many as 93,389 customers were stolen in a data breach in November. Info stolen included CVV codes and names and addresses.
  • Jan. 6. Law firm Fox Rothschild releases iPhone app Data Breach 411 that provides state-specific information on what to do when a data breach is discovered, including the who, when and how of notification.
  • Jan. 7. Two Utah law firms file class action lawsuits against Target for data breach exposing sensitive information of some 70 million customers. Lawsuits allege Target violated Utah’s Unfair Competition Laws by failing to disclose information about the breach promptly, and that consumers lost property and money because of the delay.
  • Jan. 7. Better Business Bureau warns public that scam artists are exploiting Target data breach to gather personal information from consumers. Consumers are requested to “verify” they haven’t been affected by the incident by giving payment card, Social Security and other information to the scammers.
  • Jan. 9. Snapchat releases new version of its Android and iOS app that allows users to opt out of including their phone number in the software’s Find Friends feature. That feature was exploited by hackers earlier this month to expose the user names and phone numbers of some 4.6 million people.
  • Jan. 9. Phoebe Putney Hospital in Georgia notifies more than 6,700 patients that their personal information is at risk due to the theft of a laptop computer that was password-protected but contained unencrypted data. Info on the notebook includes patient names, addresses, dates of birth, dates of service and Social Security numbers.
  • Jan. 10. Target reveals personal information for some 70 million customers was stolen during a data breach between Nov. 27 and Dec. 15. Info includes names, mailing addresses, phone numbers and email addresses.

Upcoming Security Events

  • Jan. 16. Cisco to release annual security report. 8 a.m. ET. Free.
  • Jan. 17. Cisco Annual Security Report live online discussion and Q&A. 1:30 p.m. ET. Free.
  • Jan. 19-21. Suits and Spooks. Waterview Conference Center, Washington, D.C. Registration: Oct. 21-Dec. 1, $575; After Dec. 1, $725.
  • Jan. 27-29. CyberTech 2014. The Israel Trade Fairs & Convention Center, Tel Aviv. Registration: Until Jan. 1, $350; Jan. 2-26, $450; on-site, $550.
  • Feb. 6. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • Feb. 9-13. Kaspersky Security Analyst Summit. Hard Rock Hotel and Casino Punta Cana, Dominican Republic.
  • Feb. 17-20. 30th General Meeting of Messaging, Malware and Mobile Anti-Abuse Working Group. Westin Market Street, San Francisco. Members only.
  • Feb. 25. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • March 20-21. Suits and Spooks Singapore. Mandarin Oriental, 5 Raffles Ave., Marina Square, Singapore, and ITU-IMPACT Headquarters and Global Response Center, Cyberjaya, Malaysia. Registration: Singapore and Malaysia, by Jan. 19, $415; after Jan. 19, $575. Singapore only, by Jan. 19, $275; after Jan. 19, $395.
  • March 25. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • March 25-28. Black Hat Asia. Marina Bay Sands, Singapore. Registration: by Jan. 24, $999; by March 21, $1,200; by March 28, $1,400.
  • April 8. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • April 8-9. IT Security Entrepreneurs’ Forum. Computer History Museum, 1401 North Shoreline Boulevard, Mountain View, Calif. April 8 workshops and April 9 forum and reception, $595. Forum and reception only, $495. Government employees, free. Students, $195.
  • April 11-12. Women in Cybersecurity Conference. Nashville, Tenn.
  • April 29. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • May 20. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 3. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 5. Cyber Security Summit. Sheraton Premiere, Tysons Corner, Va. Registration: $250; government, $50.
  • June 24. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine.
