Wednesday, November 19, 2014

November 18 Malware Alerts - Today's 5 Biggest Threats


Nazar Tymoshyk is a highly regarded IT security expert, and he has just released his list of the 5 biggest malware threats making the rounds today, so I thought I'd pass along a thumbnail summary for your benefit. Not all of these are brand new, but their impact is being felt on the Internet now.

Backoff Malware
Backoff is a malware family that targets Windows-based point-of-sale (PoS) systems to steal payment card data. Dairy Queen and the Supervalu supermarket chain have both suffered Backoff-related breaches, and over 1,000 U.S. businesses are reported to have been affected so far. Unlike most of the threats on this list it does not usually arrive by e-mail: the US-CERT alert on Backoff (TA14-212A) describes attackers brute-forcing exposed remote desktop tools (Microsoft RDP, LogMeIn and similar) and then installing the malware on the PoS machine by hand.
Once installed, it copies itself to the machine and injects a small stub into explorer.exe that relaunches the main component if it is killed, which also gets in the way of analysis. It then scrapes the memory of running processes for track data (the card number, expiry and service code read from the magnetic stripe) and logs keystrokes, storing the harvested data locally. A command-and-control component uploads that data, and the same channel lets the operators update the malware, download and run additional malware, or uninstall it.
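To make "scraping memory for track data" concrete, here is a small scanner that does the same thing defensively: it walks a memory buffer looking for Track 1 and Track 2 records and keeps only those whose card number passes the Luhn check, which is the filter a scraper also needs to separate real cards from look-alike digit runs. This is an added example written for this post, not code from Nazar's list or from the malware; the buffer and card numbers are constructed test values, not real data.

```python
"""Scan a memory buffer for magnetic-stripe track data, the way PoS
memory scrapers such as Backoff do, so a defender can see exactly what
such malware looks for. Added example; SAMPLE_MEMORY is constructed."""
import re

# Track 2: ';' PAN(13-19 digits) '=' YY MM service-code(3) discretionary '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})\d*\?")
# Track 1: '%B' PAN '^' cardholder name '^' YY MM service-code(3) ... '?'
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]*\?")

# Constructed buffer: industry test card numbers plus a near-miss that fails Luhn.
SAMPLE_MEMORY = (
    b"\x00\x00pos_terminal_v3\x00"
    b";4111111111111111=25121011234567890?"           # valid Track 2 (test PAN)
    b"\x00\x00\x00"
    b";4111111111111112=25121010000000000?"           # looks like Track 2, fails Luhn
    b"\x00receipt#00123\x00"
    b"%B5555555555554444^DOE/JANE^2512101000000000?"  # valid Track 1 (test PAN)
    b"\x00\x00"
)


def luhn_ok(pan):
    """True if the digit string passes the Luhn check that all card PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Report only the first six and last four digits, never the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf):
    """Return Luhn-valid track records found in buf, ordered by offset.

    The Luhn filter is what separates real card data from the counters,
    timestamps and serial numbers that match the regex by accident; the
    scrapers have to do the same filtering before exfiltration.
    """
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 2, "offset": m.start(), "pan": mask_pan(pan),
                         "expiry": m.group(3).decode() + "/" + m.group(2).decode()})
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 1, "offset": m.start(), "pan": mask_pan(pan),
                         "name": m.group(2).decode(errors="replace"),
                         "expiry": m.group(4).decode() + "/" + m.group(3).decode()})
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        print(hit)
```

Run against a real process dump this is also a quick way to confirm whether a PoS application ever holds cleartext track data in memory; if it does, a scraper running on that host will find it just as easily.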
Dyreza man-in-the-middle Trojan
The Dyreza Trojan, also known as Dyre, targets customers of financial institutions and steals their credentials for online banking and other financial sites.
It hooks the browser itself, a technique more precisely called man-in-the-browser than man-in-the-middle: because the hooks sit inside the browser process, Dyreza reads and alters traffic after TLS has been stripped, so the padlock icon and a valid certificate offer no protection. It supports Google Chrome, Mozilla Firefox and Internet Explorer. It usually arrives as a fake bank notification e-mail with a zip file attached; opening the file inside the archive installs the malware, which then contacts a command-and-control server. For persistence it registers itself as a fake "Google Update" service that runs every time the computer starts.
BlackEnergy Trojan
The BlackEnergy family started out as a DDoS tool and has grown into a modular platform whose plugins have been used for DDoS attacks, spam distribution and bank fraud, as well as targeted espionage. It spreads both through technical means (exploitation of software vulnerabilities) and through social engineering (spear-phishing e-mails carrying decoy Microsoft Word or PowerPoint documents), or a combination of the two.
In the document-based campaign described here, the exploit shellcode drops two files into the temporary directory: the malicious payload, named WinWord.exe so that it blends in with the real Word binary, and a decoy document named "Russian ambassadors to conquer world.doc". The shellcode then launches them with kernel32!WinExec, so the victim sees a document open while the fake WinWord.exe extracts and runs the BlackEnergy Lite dropper.
The danger of this malware lies in its plugins for network discovery, remote code execution and harvesting data from the targets' hard drives. The same decoy document has also been seen in other campaigns, including MiniDuke.
Win32/Crowti Ransomware
Crowti (Microsoft's name for the family better known as CryptoWall) follows in the tradition of CryptoLocker: it is ransomware that encrypts the files on a user's PC, or blocks access to the computer, and demands payment to restore them. It arrives through spam e-mail campaigns and through exploits.
In the e-mail campaigns the attachment is usually a zip archive whose contents run the malware when opened. Win32/Crowti is also spread through exploit kits such as Nuclear, RIG and RedKit V2, which take advantage of Java and Flash vulnerabilities, and it can be installed by other malware, including the downloaders TrojanDownloader:Win32/Onkods and TrojanDownloader:Win32/Upatre and the Zbot and Zemot families.
Andr/BBridge-A Mobile Trojan
We can't leave out mobile device infections currently making the rounds. The Android Trojan Andr/BBridge-A (Sophos's detection name for the BaseBridge family) harvests users' personal data and sends it over plain HTTP to a remote server.
It is usually distributed as an Android installation package (APK) with an enticing file name and asks the user to install it. Once installed it can send text messages, scan the inbox and delete messages, a combination that lets it hide its own SMS traffic from the victim.
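Those capabilities show up in the APK's manifest before the app ever runs, so a quick permission triage catches this class of Trojan. The script below is an added example written for this post, not code from Nazar's list or from the malware; both manifests are constructed, and the "suspect" one models the combination described above (SMS send/receive/write plus INTERNET) together with a high-priority SMS_RECEIVED receiver, which on Android versions of the day let an app see and swallow a text before the messaging app did.

```python
"""Triage an Android manifest for the capabilities the BBridge write-up
describes: SMS send/read/delete combined with network access, plus a
high-priority SMS_RECEIVED receiver. Added example; both manifests below
are constructed, not taken from a real sample."""
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS", "android.permission.WRITE_SMS"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <application android:label="Free Game">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Weather"/>
</manifest>"""


def triage_manifest(manifest_xml):
    """Return the requested permissions, human-readable findings and a coarse verdict."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    findings = []
    sms = sorted(perms & SMS_PERMS)
    if sms:
        findings.append("SMS permissions: " + ", ".join(p.rsplit(".", 1)[1] for p in sms))
    if sms and "android.permission.INTERNET" in perms:
        findings.append("SMS access plus INTERNET: messages and phone data can be exfiltrated over HTTP")
    for flt in root.iter("intent-filter"):
        actions = {a.get(NS + "name") for a in flt.iter("action")}
        priority = int(flt.get(NS + "priority", "0"))
        if SMS_RECEIVED in actions and priority >= 1000:
            findings.append(f"SMS_RECEIVED receiver with priority {priority}: on older Android "
                            "versions it runs before the messaging app and can abort the broadcast")
    # Thresholds are a triage heuristic for an analyst's queue, not a malware verdict.
    verdict = "suspicious" if len(findings) >= 2 else ("review" if findings else "ok")
    return {"permissions": sorted(perms), "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for name, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(manifest)
        print(name, result["verdict"], *result["findings"], sep="\n  ")
```

In practice you would feed it the decoded AndroidManifest.xml from the APK (apktool or aapt will produce it); a legitimate messaging app will also request SMS permissions, which is why the output is a set of findings for a human rather than a block/allow decision.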
