Petya Ransomware encrypts the MBR

The Dell Sonicwall Threat Research team has received reports of yet another ransomware called Petya. Over the past year, Ransomware has proven to be an inceasingly lucrative business for cybercriminals and has become very widespread that victims have resorted to paying to get their data back. Petya is no different, but instead of just encrypting files it overwrites the system's master boot record (MBR) effectively locking the victim out and rendering the machine unusable unless payment is made.
Infection Cycle: 

Upon execution, Petya replaces the boot drive's MBR with a malicious loader which will cause Windows to crash. On reboot, it will display a fake CHKDSK screen. 
 

The victim is then greeted with a flashing skull. 
 

After pressing any key, the instructions on how to pay to get their data back is then displayed. 

 

At this point, the victim is locked out of their machine and renders it useless. Rebooting into safe mode is also not possible. Victims can reformat their computers but will obviously lose all of their data. 

Below are the screenshots from the cybercriminal's well crafted website on the onion network where further instructions are given on how to submit payment in bitcoins. It appears that the group behind Petya Ransomware is calling themselves "Janus Cybercrime Solutions" and are demanding victims to send them 0.95865300 Bitcoins or an equivalent to $395 with the current exchange rate. 

 

FPetya Ransomware Step 2


FPetya Ransomware Step 4

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly. 

So it is time to check update for your Gateway Security/End point Security now to prevent this threat!

Source : Dell SonicWall Security Center

Have a good time.
(Be knowledgeable, pass it on then) 

Microsoft Windows Media arbitrary code execution-CVE-2016-0101

Microsoft Windows operating system provides Windows Media for playing audio, video and viewing images. Remote attacker can entice user to open malicious media file which can lead to remote code execution with security context of user.

Windows Media uses MPEG2 Transport Stream file format to store media and protocol data. Vulnerable dynamic library is MFDS because of boundary error in it. The function MPEG2_PMT_SECTION::Parse() is used to parse descriptors array in Program Map Table (PMT) in packets of MPEG2-TS file. The function calculates the number of descriptor elements according to the Elementary Info Length field, but function does not validate the Elementary Info Length field properly. Attacker can provide large value to this field which may lead to execution of arbitrary code in user context.

Unsuccessful attempts may lead to denial of service.

This vulnerability affects the following products:

  • Microsoft Windows 7
  • Microsoft Windows 8.1
  • Microsoft Windows RT 8.1
  • Microsoft Windows 10
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R
So please update your security device to prevent from this.

Source:Dell SonicWall Security Center

Have a good time.
(Be knowledgeable,pass it on then)

Runouce Trojan with IRC bot spreads via .eml files

A Trojan that spreads via .eml files. The Trojan contains IRC functionality and also has the ability to infect pre-installed system executable files with malicious code:
Infection Cycle:
The Trojan makes the following DNS queries:
On our test system the following files were created:
  • %USERPROFILE%\kuelio.exe
  • %SYSTEM32%\runouce.exe ("runonce" with "n" changed to "u" (patched)) 
  • %SYSTEM32%\runonce.exe (patched)
The following files were also created:
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\enacoimjcgeinfnnnpajinjgmkahmfgb\0.65.0_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\enacoimjcgeinfnnnpajinjgmkahmfgb\0.65.0_0\tabs\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\focgpgmpinbadijfcdimbdkgnpndjnkl\0.54_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\focgpgmpinbadijfcdimbdkgnpndjnkl\0.54_0\changelogs\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\focgpgmpinbadijfcdimbdkgnpndjnkl\0.54_0\tabs\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions
    mmhkkegccagdldgiimedpiccmgmieda\0.1.1.0_0\html\readme.eml
  • %USERPROFILE%\Local Settings\Temp\readme.eml
  • %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\B4ZWX2C9\readme.eml
  • %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\FATM9A7M\readme.eml
  • %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\HE7GL0WO\readme.eml
  • %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\MDJBB39W\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\OFFICE12\1033\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\OFFICE12\HTML\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\OFFICE12\VS Runtime\1033\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\Smart Tag\1033\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\Stationery\readme.eml
  • %PROGRAMFILES%\Common Files\System\ado\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\1033\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\AccessWeb\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms3\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms4\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms5\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Stationery\1033\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Templates\12\MseNewFileItems\readme.eml
  • %PROGRAMFILES%\NetMeeting\readme.eml
  • %PROGRAMFILES%\WinRAR\readme.eml
  • %PROGRAMFILES%\Wireshark\readme.eml
The Trojan writes the following keys to the registry to enable continued infection activity after reboot:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kuelio "%USERPROFILE%\kuelio.exe /y"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Runouce "%SYSTEM32%\runouce.exe"
If there are shared folders or external drives attached the following file will be written to it:
The Trojan disables the ability to kill kuelio.exe.
NOTHING-6A527FE.eml and readme.eml are email files that contain an attachment called pp.exe :
The Trojan infects %SYSTEM32%\runonce.exe with additional malicious code. It modifies the PE section headers to extend the rsrc section and inject code. It then changes the OEP (entrypoint) so that the infected executable runs the malicious code first:
The Trojan joins an IRC server hosted at ircd.zief.pl and awaits further instructions:

So, please update your gateway security and/or endpoint security to prevent from this Trojan.

Source: Dell SonicWall Security Center

Have a good time.
(Be knowledgeable, pass it on then)

Preventing DROWN Attack

On March 1st 2016, OpenSSL released patches that disable the SSLv2 protocol by default, as well as removing SSLv2 EXPORT ciphers.

A cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle.
Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or POP) shares the RSA keys of the non-vulnerable server.
This vulnerability is known as DROWN.

The vulnerability is referred by CVE as CVE-2016-0800. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800)

So, please patch your system to prevent this attack if you are not done yet.

Have a good time.
(Be knowledgeable, pass it on then)Type your summary here. Type the rest of your post here.