Security and Threats Update

Symbiotic Malware
(July 1, 2013)

Researchers have discovered two pieces of malware that help each other maintain a foothold on the computers they have infected. The two strains, known as Vobfus and Beebone, download updated versions of each other, and the freshly downloaded versions are often not yet recognized by anti-malware products. Vobfus spreads through malicious links on websites, across network shares, and on USB drives, and is normally the first of the two to infect a machine. Once installed, Vobfus downloads Beebone, which recruits the infected machine into a botnet.

With Vobfus, even if it is detected and removed, it may already have downloaded an undetected Beebone variant, which can in turn download a new, undetected variant of Vobfus.

Defeating the pair is tricky because Vobfus spreads so effectively across networks. Beyond keeping software up to date, we recommend disabling the “autorun” feature on machines, since Vobfus relies on it to spread via USB drives. People should also be wary of clicking links on external websites to avoid falling victim to booby-trapped URLs.
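As an added example (not part of the original update), the PowerShell below shows one way an administrator can act on the autorun advice: it sets the standard Windows NoDriveTypeAutoRun policy to 0xFF (all drive types) under both the machine-wide and per-user Explorer policy keys, reports the resulting state, and lists any autorun.inf found in the root of currently attached removable drives, together with the lines that tell Explorer what to launch. The registry paths and the Win32_LogicalDisk DriveType value are standard Windows; the function names are my own.

```powershell
# Added example: disable Windows AutoRun for every drive type and check
# removable media for autorun.inf. Writing to HKLM requires an elevated shell.

$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Set-AutoRunDisabled {
    # 0xFF is the bitmask covering all drive types (removable, fixed, network, CD-ROM, RAM disk, unknown).
    foreach ($p in $PolicyPaths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        New-ItemProperty -Path $p -Name 'NoDriveTypeAutoRun' -PropertyType DWord -Value 0xFF -Force | Out-Null
    }
}

function Get-AutoRunState {
    # Report the policy value from each hive; $null means the key was never set.
    foreach ($p in $PolicyPaths) {
        $v = (Get-ItemProperty -Path $p -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        $shown = if ($null -eq $v) { 'not set (Windows default applies)' } else { '0x{0:X2}' -f $v }
        [pscustomobject]@{
            Hive        = $p.Split(':')[0]
            Value       = $shown
            AllDisabled = ($v -eq 0xFF)
        }
    }
}

function Find-AutorunInf {
    # DriveType 2 in Win32_LogicalDisk is "removable disk" (USB sticks, card readers).
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $inf = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            # open=, shellexecute= and shell\...\command= are the directives that launch a program.
            $launch = Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
                      Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' }
            [pscustomobject]@{
                Drive  = $_.DeviceID
                File   = $inf
                Launch = ($launch -join '; ')
            }
        }
    }
}

Set-AutoRunDisabled
Get-AutoRunState | Format-Table -AutoSize
Find-AutorunInf  | Format-Table -AutoSize
```

Two caveats: on Windows XP and Server 2003 the NoDriveTypeAutoRun policy is only honoured reliably once Microsoft's autorun update (KB967715) is installed, and disabling AutoRun does nothing against a user who double-clicks the dropped executable or against the network-share propagation path described above, so treat it as one layer rather than a complete fix.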

Nasty Malware Targets South Korean Government and Media Networks
(June 28, 2013)

The recent cyber attacks against South Korean government and media networks have been found to involve malware that wipes data from hard drives and renders computers unusable. The malware, called Korhigh, permanently deletes data and overwrites the hard drives’ master boot records; it bears similarities to malware used in attacks on South Korean websites earlier this year.

Atlassian Fixes Vulnerability in Crowd Single Sign-On Tool
(July 1, 2013)

Atlassian has fixed a critical security issue in its Crowd single sign-on and identity management tool that could have been exploited by hackers to gain access to login credentials and sensitive data. Crowd is used by 1,000 organizations, including government agencies, banks, software companies, and telecommunication companies, in 55 countries.

Security Flaws in Phone App Library
(June 30 & July 1, 2013)

Three vulnerabilities in GNU ZRTPCPP, an open-source security library used by several mobile apps that offer end-to-end encrypted phone calls, could be exploited for arbitrary code execution or denial of service by crashing the application. The flaws comprise a remote heap overflow, several stack overflows, and an information leak.

ZRTPCPP is a C++ implementation of the ZRTP cryptographic key agreement protocol for VoIP (voice over IP) communications designed by PGP creator Phil Zimmermann.

Following the recent reports about the U.S. National Security Agency’s data collection programs, which appear to cover Internet audio conversations, there has been increased interest in encrypted communication services from end users.

The vulnerabilities in ZRTPCPP were found while evaluating the security of some of the products that offer encrypted phone call capabilities. Patches for the vulnerabilities have been added to ZRTPCPP’s code repository on GitHub, and Silent Circle has updated its own apps on Google Play and Apple’s App Store with the fixes.