Malicious Image files on Facebook spreading Locky Ransomware

Security researchers have discovered ransomware being spread by exploiting weaknesses in social networking sites, including Facebook and LinkedIn. The malware is being spread through Scalable Vector Graphics (.SVG) files sent over Facebook Messenger. SVG is an XML-based file format, so it can embed content such as JavaScript. The malicious file passes Facebook's file-extension filter. The malware being distributed is the Locky ransomware.

In the case of the Locky ransomware, all files on the affected computer are encrypted until a ransom is paid.

When the file is opened, the user is prompted to install a browser extension. This extension fetches the Nemucod downloader, which in turn delivers the malware that encrypts the files.

Users should never download attachments from people they don't know, and should not open attachments with an unusual file extension such as .svg, .js or .hta. If the extension has already been downloaded, do not open it.
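The post's point is that the filter looked at the file extension while the danger sat inside the XML. A server-side gate should therefore decide on the parsed content instead. The following is an added example, not code from the post or from Facebook: it parses an SVG with Python's standard library and rejects anything that would make the "image" active (script and foreignObject elements, on* event-handler attributes, and hrefs that point at javascript:, data: or external URLs). The two sample documents are constructed for the example; the "suspect" one carries only placeholder comments where a real sample carried a redirect.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Elements and URL schemes that turn an "image" into active content.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
ACTIVE_SCHEMES = ("javascript:", "data:", "http:", "https:", "//")


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(svg_text):
    """Parse the document and return a list of (reason, detail) pairs; an empty
    list means nothing active was found. Decisions are made on the parsed XML,
    never on the file extension, which is the check the Messenger filter relied on."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [("not well-formed XML", str(exc))]
    if root.tag != "{%s}svg" % SVG_NS:
        findings.append(("root element is not svg", root.tag))
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(("active element", tag))
        for name, value in el.attrib.items():
            attr = _local(name)          # handles both href and xlink:href
            if attr.startswith("on"):
                findings.append(("event handler attribute", attr))
            elif attr == "href" and value.strip().lower().startswith(ACTIVE_SCHEMES):
                findings.append(("external or script href", value))
    return findings


def is_safe_svg(svg_text):
    """Reject-on-any-finding gate suitable for an upload handler."""
    return not svg_findings(svg_text)


# Constructed samples, not files from the campaign the post describes.
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<circle cx="5" cy="5" r="4" fill="red"/></svg>'
)
SUSPECT_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<script>/* placeholder: a real sample carried a redirect here */</script>'
    '<a xlink:href="javascript:void(0)">'
    '<rect width="1" height="1" onclick="/* placeholder */"/></a></svg>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspect", SUSPECT_SVG)):
        print(label, "safe" if is_safe_svg(doc) else svg_findings(doc))
```

This is an allowlist gate, not a sanitizer: a file with any finding is rejected rather than cleaned. Even accepted files are best served in a way that never executes script, for example embedded through an img element, rasterized on upload, or delivered with a Content-Disposition: attachment header.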

Video Demonstration of the Attack

Network covert timing channels

Network covert timing channels are one way attackers communicate with compromised hosts on the internet. Cabuk, Brodley, & Shields (2004, p. xx) say, "A network covert channel is a mechanism that can be used to leak information across a network in violation of a security policy and in a manner that can be difficult to detect." Network covert timing channels are a more specific case. Of the two kinds of covert channel, storage and timing, a timing channel involves a sender process that signals information to another by modulating its own use of system resources in such a way that this manipulation affects the real response time observed by the second process (Cabuk, Brodley, & Shields, 2004, p. xx).

Two types of covert timing channel exist, passive and active. Gianvecchio & Wang (2007, p. xx) state, "active refers to covert timing channels that generate additional traffic to transmit information, while passive refers to covert timing channels that manipulate the timing of existing traffic." Both types have proven very effective at concealing data transfer over the internet.

Detection methods fall into two sets of tests: shape and regularity. The shape of traffic is described by statistics such as the mean and variance. The regularity of traffic is described by second- or higher-order statistics or by correlation analysis. Entropy and conditional entropy have been shown to be promising detection measures. Gianvecchio & Wang (2007, p. xx) say, "Entropy rate, the average entropy per random variable, can be used as a measure of complexity or regularity." This lets administrators distinguish between the randomness and the complexity of packet timing.
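To make the shape and regularity tests concrete, here is an added example that is not code from either cited paper: a small Python detector that computes the mean and variance (shape), a windowed regularity score in the spirit of Cabuk et al., and binned entropy plus first-order conditional entropy in the spirit of Gianvecchio & Wang. It is run on two constructed inter-packet delay sequences, one jittery and heavy-tailed like ordinary traffic, and one that keeps reusing two fixed delays the way the text describes a timing channel. The estimators are simplified versions of what the papers use (no corrected conditional entropy), and the thresholds in classify are illustrative constants, not values from the papers.

```python
import math
import random
from bisect import bisect_right
from collections import Counter
from statistics import mean, pvariance, pstdev


def constructed_traffic(n=200, seed=7):
    """Build two constructed inter-packet delay (IPD) sequences in seconds.
    Neither is captured traffic; they only exist to exercise the tests below."""
    rnd = random.Random(seed)
    # Ordinary traffic: jittery, heavy-tailed delays around 100 ms.
    legit = [rnd.lognormvariate(math.log(0.100), 0.8) for _ in range(n)]
    # Timing-channel traffic as the text describes it: the sender keeps
    # reusing a small set of delays, so each IPD is one of two fixed values.
    covert = [0.100 if rnd.random() < 0.5 else 0.050 for _ in range(n)]
    return legit, covert


def shape(ipds):
    """Shape test: summarise the IPD distribution by its mean and variance."""
    return mean(ipds), pvariance(ipds)


def regularity(ipds, window=20):
    """Regularity score: slice the IPDs into fixed-size windows, take each
    window's standard deviation, and measure how much those deviations differ
    from one another. Traffic that reuses the same few delays gives a
    near-constant window deviation and so a low score; bursty application
    traffic gives a high one."""
    sigmas = [pstdev(ipds[i:i + window])
              for i in range(0, len(ipds) - window + 1, window)]
    diffs = [abs(si - sj) / si
             for i, si in enumerate(sigmas) for sj in sigmas[i + 1:] if si > 0]
    return pstdev(diffs) if len(diffs) > 1 else 0.0


def quantise(ipds, bins=8):
    """Map each IPD to a symbol 0..bins-1 using quantile edges taken from the
    sequence itself. Two-level covert traffic collapses onto two symbols no
    matter which exact delay values the sender chose."""
    ordered = sorted(ipds)
    edges = [ordered[k * len(ordered) // bins] for k in range(1, bins)]
    return [bisect_right(edges, x) for x in ipds]


def entropy(symbols):
    """Shannon entropy in bits of the empirical symbol distribution."""
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in Counter(symbols).values())


def conditional_entropy(symbols):
    """Empirical H(X_n | X_{n-1}) = H(X_{n-1}, X_n) - H(X_{n-1}). A low value
    means the next delay is predictable from the previous one, i.e. the
    stream is regular rather than complex."""
    pairs = list(zip(symbols, symbols[1:]))
    return entropy(pairs) - entropy(symbols[:-1])


def classify(ipds, reg_max=0.1, ent_min=1.5):
    """Combine the tests. reg_max and ent_min are illustrative thresholds
    chosen for the constructed data, not values from the cited papers."""
    syms = quantise(ipds)
    avg, var = shape(ipds)
    scores = {
        "mean": avg,
        "variance": var,
        "regularity": regularity(ipds),
        "entropy": entropy(syms),
        "cond_entropy": conditional_entropy(syms),
    }
    scores["flagged"] = scores["regularity"] < reg_max and scores["entropy"] < ent_min
    return scores


if __name__ == "__main__":
    legit, covert = constructed_traffic()
    for name, seq in (("legit", legit), ("covert", covert)):
        print(name, classify(seq))
```

The quantile binning is what makes the entropy test indifferent to the sender's choice of delay values: a channel built from 50 ms and 100 ms, or from any other two values, lands on two symbols and scores at most one bit, while ordinary traffic spreads across all eight bins. In practice the thresholds have to be calibrated against a baseline of the specific flow being watched, since mean, variance and regularity differ widely between protocols.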

References

Cabuk, S., Brodley, C. E., & Shields, C. (2004). IP covert timing channels. Proceedings of the 11th ACM Conference on Computer and Communications Security – CCS '04. doi:10.1145/1030083.1030108

Gianvecchio, S., & Wang, H. (2007). Detecting covert timing channels. Proceedings of the 14th ACM Conference on Computer and Communications Security – CCS '07. doi:10.1145/1315245.1315284

AT&T and BellSouth Passing Out Routers that enable DDoS Attacks

One of the more interesting TCP/IP weaknesses is its inability to guarantee where a packet really came from. RIP is an essential component of a TCP/IP network. RIP, the Routing Information Protocol, is used to distribute routing information within networks, such as shortest paths, and to advertise routes out from the local network (Chambers, Dolske, & Iyer, n.d.). The flaw in RIP is that, much like TCP/IP itself, it has no built-in authentication. This attack is significant because RIP attacks change where data may go, unlike common attacks that change where data appears to have come from. When an attacker can spoof RIP messages and send them from anywhere in the world, this is a huge security flaw. Attackers can forge RIP packets claiming that they are another host and that they have the fastest route or path out of the network. This is troubling because there is a higher-level DDoS attack that uses the RIPv1 protocol, the reflection amplification attack. Mimoso (2015) says, "Reflection attacks happen when an attacker forges its victim's IP addresses in order to establish the victim's systems as the source of requests sent to a massive number of machines." Because the attacker is in control of the RIP requests, it can send many of them on behalf of a network, and the recipients of the requests issue an overwhelming flood of responses back to the victim's network, crashing that network (Mimoso, 2015).
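The reflection attack described above has two sides a network operator can look for in flow data: a victim receiving RIP responses (UDP source port 520) from many unrelated hosts, and the operator's own routers answering RIP requests towards the outside world, which is the "being used as a reflector" role the post attributes to the AT&T and BellSouth equipment. The script below is an added example, not code from the Threatpost article or this page. The flow records are constructed (documentation address ranges, one line per flow), the internal prefix 198.51.100.0/24 stands in for the operator's network, and the min_sources threshold is an illustrative constant.

```python
import ipaddress
from collections import defaultdict

RIP_PORT = 520  # RIP runs over UDP/520; responses are sent from this port

# Constructed flow records, not captured traffic.
# Columns: ts,src,sport,dst,dport,proto,bytes
FLOWS = """\
1,198.51.100.7,520,203.0.113.10,520,udp,504
1,198.51.100.9,520,203.0.113.10,520,udp,504
1,198.51.100.22,520,203.0.113.10,520,udp,504
1,198.51.100.40,520,203.0.113.10,520,udp,504
2,203.0.113.10,520,198.51.100.7,520,udp,24
2,192.0.2.5,44321,203.0.113.20,443,tcp,1500
2,192.0.2.6,520,203.0.113.20,520,udp,504
"""


def parse_flows(text):
    """Turn the comma-separated records into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, sport, dst, dport, proto, nbytes = line.split(",")
        flows.append({"ts": int(ts), "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "proto": proto,
                      "bytes": int(nbytes)})
    return flows


def rip_responses(flows):
    """Flows that look like RIP responses: UDP with source port 520."""
    return [f for f in flows if f["proto"] == "udp" and f["sport"] == RIP_PORT]


def reflection_victims(flows, min_sources=3):
    """Victim view: destinations that receive RIP responses from at least
    min_sources distinct hosts. A legitimate router hears from its few
    neighbours; a reflection target hears from many strangers at once."""
    by_dst = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for f in rip_responses(flows):
        by_dst[f["dst"]]["sources"].add(f["src"])
        by_dst[f["dst"]]["bytes"] += f["bytes"]
    return {dst: {"sources": len(v["sources"]), "bytes": v["bytes"]}
            for dst, v in by_dst.items() if len(v["sources"]) >= min_sources}


def exposed_responders(flows, internal_net):
    """Reflector view: hosts inside internal_net that send RIP responses to
    addresses outside it. These are routers answering RIPv1 requests from
    the internet and should be fixed or filtered."""
    net = ipaddress.ip_network(internal_net)
    return sorted({f["src"] for f in rip_responses(flows)
                   if ipaddress.ip_address(f["src"]) in net
                   and ipaddress.ip_address(f["dst"]) not in net})


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    print("victims:", reflection_victims(flows))
    print("exposed responders:", exposed_responders(flows, "198.51.100.0/24"))
```

The second function is the one that matters for the routers the post talks about: any device that shows up in exposed_responders is answering RIP requests from the internet, and the fix is to drop UDP/520 at the network edge and disable RIPv1 on the device (RIPv2 at least supports authentication, which RIPv1 never had).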

I chose this vulnerability because it's very current in the landscape of DDoS attacks, and Threatpost by Kaspersky Lab suggests that this is only going to grow in the coming years. The easiest way to stop this is to use routers with RIPv2 and above. Unfortunately, a large number of the routers that have been compromised using this deprecated technology come from AT&T and BellSouth, and they are regularly distributed in the United States.

References

Chambers, C., Dolske, J., & Iyer, J. (n.d.). TCP/IP security – Department of Computer and Information Science. Retrieved from http://www.linuxsecurity.com/resource_files/documentation/tcpip-security.html

Mimoso, M. (2015, July 1). RIPv1 reflection amplification DDoS attacks | Threatpost | The first stop for security news. Retrieved from https://threatpost.com/attackers-revive-deprecated-ripv1-routing-protocol-in-ddos-attacks/113582/