Information Security all in one place!

Posts tagged “Source code”

Researchers Warn: Trojan evolving through ‘open source’ development


Trojan malware evolving swiftly as hackers customise code according to their needs


Source: http://www.computerworld.com/s/article/9224112/Citadel_banking_malware_is_evolving_and_spreading_rapidly_researchers_warn

Citadel banking Trojan evolving through ‘open source’ development

Citadel, a computer Trojan that targets online banking users, is evolving and spreading rapidly because its creators have adopted an “open source” development model, according to researchers from cyberthreat management firm Seculert. The new malware is based on ZeuS, one of the oldest and most widespread online banking Trojans. ZeuS was abandoned by its creator in late 2010 and its source code leaked online a few months later.


“Seculert’s Research Lab discovered the first indication of a Citadel botnet on December 17th, 2011,” the security company claimed. “The level of adoption and development of Citadel is rapidly growing.”

Seculert has identified over 20 botnets that use different versions of this Trojan. “Each version added new modules and features, some of which were submitted by the Citadel customers themselves,” the company said.

The most interesting aspect of Citadel is its development process, which is similar to the ones behind community-supported open source projects. “Similar to legitimate software companies, the Citadel authors provide their customers with a User Manual, Release Notes and a License Agreement,” Seculert said.


pcAnywhere Code on the Internet



On the Pirate Bay torrent tracker, a 1.3GB RAR archive has been published which contains the source code of the PC remote control software pcAnywhere. Symantec has already confirmed the authenticity of the code which was stolen in an incident in 2006 when unknown parties gained access to the source of various Symantec products.

The source code of Norton Utilities is already in circulation according to the company. Symantec expects that the source code of Norton AntiVirus (Corporate Edition) and Norton Internet Security will, sooner or later, also be posted online.

[Image: Pirate Bay torrent tracker listing showing the contents of the pcAnywhere source code archive]

The publication is presumably the work of Yamatough, a hacker who claims to be part of the loose hacktivist collective Anonymous. Excerpts from an email exchange between Yamatough and Symantec employees have also appeared on the internet. The emails concerned a proposed payment of $50,000 to the hacker in order to prevent the publication of the source code.

Both the hacker and the company say their participation was a ruse, with Yamatough always planning to publish and Symantec saying they were being directed by a law enforcement agency. Yamatough told Reuters that “We tricked them into offering us a bribe so we could humiliate them”. Which side actually proposed the deal is currently unclear because the leaked emails do not contain the start of the negotiations.

The alleged Symantec employee, named Sam Thomas, pretended to want to take on the deal and was able to hold out for three weeks. A Symantec spokesman told Forbes that Sam Thomas was a false name used by the investigating authorities who wanted to find out the hacker’s identity.

Symantec used the extra time to patch known security holes and issue security warnings of an increased threat to customers, but it only did the latter after the hacker had published a snippet of the stolen code online. In the meantime, the company has even gone as far as to explicitly discourage the use of pcAnywhere.


NSIT Patch Notification: Symantec PCAnywhere Local Privilege Escalation, Remote Code Execution


Edward Torkington of NGS Secure has discovered a high risk vulnerability in Symantec PCAnywhere

Impact: Local Privilege Escalation

Versions affected:
Symantec pcAnywhere 12.5.x
IT Management Suite 7.0 pcAnywhere Solution 12.5.x
IT Management Suite 7.1 pcAnywhere Solution 12.6.x

An updated version of the software has been released to address these vulnerabilities:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120124_00


NGS Secure is going to withhold details of this flaw for three months. This three month window will allow users the time needed to apply the patch before the details are released to the general public. This reflects the NGS Secure approach to responsible disclosure.

Edward Torkington of NGS Secure has discovered a critical vulnerability in Symantec PCAnywhere

Impact: Remote Code Execution (pre-auth) as SYSTEM

Versions affected:
Symantec pcAnywhere 12.5.x
IT Management Suite 7.0 pcAnywhere Solution 12.5.x
IT Management Suite 7.1 pcAnywhere Solution 12.6.x

An updated version of the software has been released to address these vulnerabilities:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120124_00

NGS Secure is going to withhold details of this flaw for three months. This three month window will allow users the time needed to apply the patch before the details are released to the general public. This reflects the NGS Secure approach to responsible disclosure.

NGS Secure Research
http://www.ngssecure.com


In the round file cabinet goes: pcAnywhere



Critical flaw discovered in Symantec’s pcAnywhere

Symantec has issued a warning about a critical vulnerability in pcAnywhere, its remote control application for PCs. An attacker could inject code into a system running pcAnywhere over the network and run it with SYSTEM privileges. The flaw lies in the service listening on TCP port 5631, which accepts user-supplied input during the authentication process without adequately validating it, so no valid credentials are needed to reach the vulnerable code.


According to Symantec, under normal conditions this port should only be reachable by authorised network users, so an attacker would first have to gain a foothold on the network, or on another computer attached to it, before compromising other systems. In practice, however, lax firewall configurations mean that such ports are routinely exposed somewhere on the internet.

Symantec is also correcting a second vulnerability: files written during pcAnywhere’s installation were marked as writable by everyone. An unprivileged user with local access could therefore overwrite them, for instance with code that is later executed with the product’s elevated privileges, and so gain those privileges.
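As an added illustration, and not Symantec’s code or the fix it shipped, the Python below audits an install tree for files that any local user can modify and strips the offending write bits. It works on a constructed temporary directory using POSIX mode bits; on Windows, where pcAnywhere runs, the equivalent check is the file’s ACL (for example an Everyone or Users entry granting Modify), which this example does not cover.

```python
"""Find files an unprivileged local user can modify and strip the write bits.
Added example for this page, not Symantec's code or fix.  The install tree is
a constructed temporary directory; checks use POSIX mode bits, not Windows ACLs."""
import os
import stat
import tempfile
from pathlib import Path


def world_writable(path: Path) -> bool:
    """True if 'other' can write: a regular file with the o+w bit, or a
    directory with o+w and no sticky bit (so its entries can be replaced)."""
    mode = path.lstat().st_mode
    if stat.S_ISREG(mode):
        return bool(mode & stat.S_IWOTH)
    if stat.S_ISDIR(mode):
        return bool(mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX)
    return False


def find_world_writable(root: Path):
    """Walk the tree and return every path failing the check, sorted."""
    return sorted(p for p in root.rglob("*") if world_writable(p))


def harden(path: Path) -> int:
    """Clear group and other write bits (the install-time fix); return the new mode."""
    mode = stat.S_IMODE(path.lstat().st_mode)
    new = mode & ~(stat.S_IWGRP | stat.S_IWOTH)
    path.chmod(new)
    return new


def build_demo_tree() -> Path:
    """Constructed stand-in for a product directory: one binary installed with
    the weak 0666 mode and one data file with the correct 0644 mode.  If a
    service later loads 'helper' with elevated rights, whoever can write it
    runs code with those rights."""
    root = Path(tempfile.mkdtemp(prefix="install_audit_"))
    bin_dir = root / "bin"
    bin_dir.mkdir()
    os.chmod(bin_dir, 0o755)
    weak = bin_dir / "helper"
    weak.write_bytes(b"\x7fELF")        # placeholder contents, not a real binary
    os.chmod(weak, 0o666)               # the weak setting: everyone may write
    good = bin_dir / "config.ini"
    good.write_text("[host]\nport=5631\n")
    os.chmod(good, 0o644)               # the correct setting: owner writes only
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for p in find_world_writable(root):
        before = stat.S_IMODE(p.lstat().st_mode)
        print(f"{p}: mode {before:04o} -> {harden(p):04o}")
    print("remaining:", find_world_writable(root))
```

The directory check matters as much as the file check: a world-writable directory without the sticky bit lets a user rename a correctly-permissioned binary aside and drop a replacement in its place, which defeats hardening applied to the file alone.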
Further details of the two holes are still being kept under wraps by Symantec and exploits are reportedly not in circulation. As the flaws were reported by security researchers Tad Seltzer (via ZDI) and Edward Torkington (of NGS Secure) it is probable that the discovery of the flaws is not related to the recent theft of source code for an older version of pcAnywhere.

pcAnywhere 12.5.x is vulnerable to the flaws, as are the pcAnywhere Solution components (12.5.x and 12.6.x) shipped with versions 7.0 and 7.1 of the company’s IT Management Suite. Symantec has released a hotfix which can be installed either manually or automatically with Symantec’s LiveUpdate system.

Symantec has admitted that blueprints for current versions of its pcAnywhere software were stolen in 2006 and that all users are at risk of attack and should pull the plug.

That includes users of both current and past iterations as well as those bundled with Altiris and the pcAnywhere Thin Host packaged with backup and security products.

The theft came to light when an Indian hacking group calling itself the Lords of Dharmaraja threatened to publish the source code.

The gang’s apparent spokesperson, who goes by the name of “Yama Tough,” posted code from the 2006 version of Symantec’s Norton AntiVirus to PasteBin and subsequently wrote about the breach on Google+.

It was originally unclear whether the breached source code was relevant to up-to-date installations of Symantec’s anti-virus products.

The confusion has lifted, showing that the danger to users of current products is all too real.

Symantec revealed the news in a white paper [PDF] published on Wednesday, along with a customer advisory on its website.

Symantec’s investigation so far hasn’t found increased risk of exposure to customers using any product, with the marked exception of pcAnywhere, which allows for direct PC to PC communication.

Here’s what the security firm had to say about the pcAnywhere-specific risks, as paraphrased from its white paper:

  • The encoding and encryption elements within pcAnywhere are vulnerable, making users susceptible to man-in-the-middle attacks, depending on the configuration and use of the product. If a man-in-the-middle attack should occur, the malicious user could steal session data or credentials.
  • A secondary risk: If a malicious user obtains the cryptographic key, they can launch unauthorized remote control sessions and thus access systems and sensitive data.
  • If the cryptographic key itself is using Active Directory credentials, it is also possible for attackers to perpetrate other malicious activities on the network.
  • In an internal pcAnywhere environment, if a network sniffer was in place on a customer’s internal network and the attacker had access to the encryption details, the pcAnywhere traffic could be intercepted and decoded. This implies that a customer either has a malicious insider who planted the network sniffer or has an unknown Botnet operating in their environment. As always, security best practices are encouraged to mitigate this risk.
  • Since pcAnywhere exchanges user login credentials, the risk exists that a network sniffer or Botnet could intercept this exchange of information, though it would still be difficult to actually interpret the data even if the pcAnywhere source code is released.
  • For environments with remote users, this credential exchange introduces an additional level of exposure to external attacks.

Company spokesman Cris Paden told Reuters that Symantec has fewer than 50,000 customers using the stand-alone version of pcAnywhere, which, Reuters reported, was still on sale on its website for $100 and $200 as of early Wednesday afternoon.

Symantec recommends in the white paper that customers disable the product until the company can release a set of updates to deal with the currently known vulnerability risks.



Symantec: Cyber Attacks May Be Costing Your Business Big $$



As the average cost of recovering from cyber attacks approaches half a million dollars per year, Symantec says it’s time to beef up your defenses.

The security threat landscape is in a state of flux as cybercriminals become ever more sophisticated and stealthy in their efforts, and security firm Symantec believes organizations need to adapt their approach to endpoint security as a result.

Last week, Symantec released its 2012 Endpoint Security Best Practices Survey, revealing that 144,000 malicious files are detected each day, translating into a rate of more than 4.3 million per month. Symantec said it blocked 3.1 billion attacks in 2010.


“We’ve learned that endpoints are not what they used to be,” said Jason Nadeau, director of Product Management for Symantec Endpoint Security. “Endpoint security used to be restricted to PCs on the desk and servers in the datacenter.”

But the number and variety of endpoints are exploding with the introduction of all manner of mobile devices, virtual servers, and virtual workstations to the network. Nadeau said the firms that have had the most success in defending their endpoints in this evolving environment are the ones that have been the most aggressive in deploying so-called advanced protection in the form of intrusion prevention and data loss protection technologies.

“In terms of basic protection, the top-tier portion of respondents were six times as likely to have deployed virus and spyware protection and five times as likely to have deployed firewalls,” Nadeau said. “The same trend is evident for advanced protection. The top tier is five times as likely to have deployed intrusion prevention and six times as likely to have deployed data loss protection. I would argue that everybody needs to be doing this and that those sorts of technologies need to move to the baseline.”

Symantec’s survey collected data from 1,425 IT professionals in 32 countries. One-third of the respondents were C-level executives or business owners, another third were managers focused on strategic issues, and the remaining third were managers focused on tactical and operational issues.

Symantec divided the respondents into three tiers based on their security practices.

“Top-tier companies are faring much better in terms of outcomes from attacks than the bottom tier,” Nadeau said, noting that top-tier firms were 2.5 times less likely to see a large number of cyber attacks — including denial of service, information theft, fraud and vandalism — and their total downtime was nearly four times less than that of other firms.

Those numbers aren’t academic. Nadeau said top-tier firms suffered an average total of 588 hours of downtime for the year compared with 2,765 hours for bottom-tier firms. Additionally, successful attacks were costly. Symantec said it found that the typical organization incurred $470,000 in losses due to endpoint cyber attacks in the past 12 months.

Those losses were primarily driven by forced dedication of IT manpower to remediate the affected endpoints; loss of organization, customer or employee data; and damage to the organization’s brand and reputation.

Read More: http://tinyurl.com/7lw68es