1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Malicious Trojan now attacking password managers

Discussion in 'Windows - Virus and spyware problems' started by ireland, Nov 23, 2014.

  1. ireland

    ireland Active member

    Joined:
    Nov 28, 2002
    Messages:
    3,720
    Likes Received:
    13
    Trophy Points:
    68
    Malicious Trojan now attacking password managers

    The ongoing war between people trying to secure software they use, and their opponents who are constantly searching for new ways to hack the secure software is raging on. According to a new report, a malware named 'Citadel' is now attacking password managers.

    People rely on password managers to remember multiple and/or complex passwords for various accounts. If a person inputs a 'master password' into this manager, they can access all their previously stored credentials. These softwares are now being targeted by Citadel.

    Labeled as highly evasive; the trojan has already infected millions of computers according to Dana Tamir, director of enterprise security at IBM company Trusteer. While this malware isn't exactly new, the disturbing thing revealed by IBM are the instructions it contains to compromise password management and authentication solutions.

    The malicious software can stay idle on machines for an indefinite length of time and then be triggered by a specific action by a user. This essentially means that most people do not even know that their computer is already infected by this malware. Tamir describes this trojan's activities in the following words:

    It instructs the malware to start keylogging (capturing user keystrokes) when some processes are running.

    IBM is not sure whether these attacks are opportunistic or targeted but they have found out that the attackers were using a legitimate web server as the C&C. However, by the time the IBM Trusteer research lab received the configuration file, the Command and Control files were already removed from the server, so researchers were not able to identify who was behind this configuration.

    The processes targeted by the malware include Personal.exe (neXus Personal Security Client), PWsafe.exe (Password Safe), and KeePass.exe (KeePass). IBM has contacted the vendors in question to allow them to proactively notify their customer base and to provide any product-specific recommendations.

    IBM predicts that by 2016, people will be using more reliable methods to keep software safe and passwords secure through unique biological identity and biometric data such as facial definitions, iris scans, voice files and DNA, but until then, we must keep on fighting against cybercriminals to protect our personal data.
    http://www.neowin.net/news/malicious-trojan-now-attacking-password-managers
     
  2. ireland

    ireland Active member

    Joined:
    Nov 28, 2002
    Messages:
    3,720
    Likes Received:
    13
    Trophy Points:
    68
    Highly advanced backdoor trojan cased high-profile targets for years

    Risk Assessment / Security & Hacktivism
    Highly advanced backdoor trojan cased high-profile targets for years

    "Backdoor Regin" bears a resemblance to Stuxnet, was developed by a wealthy nation.
    by Dan Goodin - Nov 23 2014, 12:01pm EST

    17
    [​IMG]
    Enlarge
    / The five stages of Regin.
    Symantec
    Researchers have unearthed highly advanced malware they believe was developed by a wealthy nation-state to spy on a wide range of international targets in diverse industries, including hospitality, energy, airline, and research.

    Backdoor Regin, as researchers at security firm Symantec are referring to the trojan, bears some resemblance to previously discovered state-sponsored malware, including the espionage trojans known as Flame and Duqu, as well as Stuxnet, the computer worm and trojan that was programmed to disrupt Iran's nuclear program. Regin likely required months or years to be completed and contains dozens of individual modules that allowed its operators to tailor the malware to individual targets.

    To remain stealthy, the malware is organized into five stages, each of which is encrypted except for the first one. Executing the first stage triggers a domino chain in which the second stage is decrypted and executed, and that in turn decrypts the third stage, and so on. Analyzing and understanding the malware requires researchers to acquire all five stages. Regin contains dozens of payloads, including code for capturing screenshots, seizing control of an infected computer's mouse, stealing passwords, monitoring network traffic, and recovering deleted files. Other modules appear to be tailored to specific targets. One such payload included code for monitoring the traffic of a Microsoft IIS server. Another sniffed the traffic of mobile telephone base station controllers.

    Symantec researchers believe Regin was a sprawling framework that was used in multiple campaigns that data back to 2008 and possibly several years earlier. Liam O'Murchu, manager of operations for Symantec Security Response, told Ars that the roster of modules used against one target was often unique, an indication that Regin was used in multiple campaigns.

    "Essentially, what we think we're looking at is different campaigns where in one infection they needed to sniff your keyboard whereas in another infection they wanted grab the user name and password of the admin connected to a base station controller," O'Murchu said.

    While almost half of the computers known to be infected by Regin were inside Internet service providers, Symantec believes they were attacked so the operators could spy on specific customers who used the ISPs. Similarly, telecommunication backbone providers, which at 28 percent accounted for the second biggest category of infected computers, were likely chosen so attackers could gain access to calls being routed through their infrastructure.

    There is still much Symantec doesn't know about Regin. So far, company researchers are aware of only about 100 infections, a number that seems small for such a sprawling framework of malware. The researchers have yet to uncover the command and control system the attackers used to communicate with infected computers, and they still don't have any educated hunches about the country behind the malware. The malware is known to have been active from 2008 until 2011, when it was abruptly pulled by its operators for unknown reasons. Regin, which is the name Microsoft assigned to the underlying trojan, resurfaced in 2013. Symantec researchers became aware of the malware in December of that year.


    http://arstechnica.com/security/201...rstechnica/index+(Ars+Technica+-+All+content)
     
  3. christinezheng

    christinezheng Newbie

    Joined:
    Dec 15, 2014
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    I have an website and i see someone catch my data before it is encrypted by SSL/TLS protocols. I did use Zemana AntiLogger in before. But when i see it's not pretty for removing malware then one's suggest me to spyshelter (Paid) application. But i do not know much about it. Can you please help me to share about spyshelter antilogger applications ? It's paid version will works good ?
     
    Last edited: Dec 16, 2014

Share This Page