Forgetting a password is frustrating, so the promise of a password recovery tool is tempting. Until, that is, you find out it’s packed full of malware.

If something online sounds too good to be true, then it usually is – see the numerous adverts on YouTube which promise to make you $50k a month with minimal effort. And this is exactly the case with the Sality malware. Naturally, Sality doesn’t advertise itself as malware. Instead, it bundles itself stealthily, as a hidden extra, alongside a password recovery tool for programmable logic controllers (PLCs) and industrial control systems (ICS). Whilst the tool does indeed help you to extract passwords, the presence of Sality opens up a whole world of digital pain.

The Lowdown on Sality

Sality, in its earliest form, is believed to have been online for nearly 20 years, so it’s certainly not a new threat. However, over the years, its evolution has led to its modern variant becoming a nasty piece of malware. At present, it’s making its way into people’s PCs thanks to relatively crude, yet tempting adverts on social media sites. Advertising itself as a free download, the tool will retrieve passwords for PLC and ICS – through a vulnerability in the system’s firmware – but it also activates the Sality malware.

To understand how Sality operates, you first need to know what a peer-to-peer (P2P) botnet is. Used to generate huge amounts of processing power – usually for cracking passwords or mining cryptocurrency – a P2P botnet obtains this power by hijacking large numbers of PCs. These hijacked PCs are then forced to work together on the same task – after all, 1,000 PCs mining cryptocurrency are going to achieve their objective a lot quicker than a single PC. It appears that Sality is currently focused on cryptocurrency, but there is nothing to stop threat actors unleashing more damaging attacks, such as taking entire IT systems down.

How Do You Handle a Sality Infection?

While Sality may have been around for some time, it hasn’t learned every trick in the book. For example, not only does it cripple an infected PC’s performance by using 100% of its CPU, it also triggers numerous Windows Defender alerts. However, it does have enough sense to scan any PC it lands on for anti-virus software before shutting down any tools it identifies. Therefore, it’s crucial that you follow preventative approaches to avoid Sality:

  • Do Not Trust Online Adverts: legitimate password recovery tools are unlikely to be advertised on social media sites. If you have forgotten your password, then you should contact the software developers for advice. Alternatively, you can create secure backups of your passwords with an app such as Google’s Password Manager.
  • Remove Download Privileges: almost every malware threat involves a malicious download and, as such, it makes sense for your organization to limit the number of downloads taking place. By limiting download privileges to, for example, line managers, you will minimize the chances of malware being downloaded by mistake.
  • Block Social Media: if you want to make sure that you are specifically limiting the risk of Sality, you can simply block access to social media sites from within your organization’s network. However, be aware that Sality is likely to be lurking elsewhere on the internet.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Skype is a great tool for businesses to communicate with customers and partners, but now it appears that it’s being used as a delivery route for ransomware.

Users of the Microsoft Skype app for PC have reported that fake adverts have been appearing which contain a malicious payload in the form of ransomware. As usual, this strain of ransomware locks the user’s computer, encrypts files and demands a ransom for unlocking the PC.

Ransomware is becoming increasingly common and, as Skype is such an important communication tool, there’s a good chance that your business could find itself confronted with it. Therefore, I’m going to delve a little deeper into what’s behind this latest attack.

Skype Ransomware

The malicious adverts that have been appearing claim that a critical Flash update is required and offer a link to this ‘critical’ update. However, this advert – which appears on the Skype home screen – is actually a link to an HTML application that, although it looks genuine, downloads a nasty dose of ransomware to your PC.

And it’s a particularly sneaky piece of ransomware, as this malicious payload also runs a piece of code which deletes the downloaded application and then downloads a piece of JavaScript from a website which no longer exists. The domains being used are set up and then shut down almost instantly to avoid any form of registration fee being taken. It’s these seemingly odd processes which help to disguise the hacker’s activities and protect them from being detected by standard antivirus operations.

It’s believed that this new piece of ransomware is related to the Locky ransomware attack – which caused so much trouble in 2016 – as it shares a number of similarities, such as using JavaScript to shut down computers and encrypt files without an additional app being used to execute this.

How to Tackle the Skype Ransomware

At present there is no solution to the Skype ransomware attack, and Microsoft have only been able to offer the advice that users should refrain from clicking on unsolicited links. Unfortunately, because ransomware is so difficult to treat once it has taken hold, prevention tends to be the best cure.

There are, however, a few steps you can take to minimize the damage:

  • Ensure that your staff are educated to recognize what constitutes a piece of ransomware. This knowledge, though, can quickly expire if your staff aren’t regularly exposed to such attacks, so refresher courses are recommended to keep it fresh and provide updates on any changes in ransomware techniques.
  • If you fall victim to a ransomware attack then the first step you should take is to shut your network down as soon as possible. Going offline is the only way you can prevent the hacker from burrowing deeper into your system and encrypting files.
  • Always back up your files so that, in the case of encryption, you still have access to them and do not need to pay a ransom fee or invest valuable manpower into tackling the attack. It’s recommended that these backups are made to physical media which has no connection to the internet.

No ads when browsing the internet

Does advertising improve your web browsing experience or make it worse? Even legitimate advertising can cause anything from major headaches to major infections.

Advertising can be a great source of revenue for websites that offer content and information for free. Major websites that you use every day have taken this to an extreme by serving up video ads that talk to you and track your online behavior. However, the more websites rely on advertising for their revenue, the more willing they are to let anyone run an ad on their networks. Here are three reasons why advertising has reached a point where it can be a threat to the average user browsing the internet.

1. Malware spreads through legitimate advertising

[Image: YouTube ads serving up malicious code]

There have been many cases in the last few years where hackers and criminals have used legitimate advertising and banners in websites and in videos to spread their malware. One example is a bitcoin mining virus being spread through Yahoo advertising. Even YouTube fell victim to advertising serving up remote code execution. These major websites quickly patched up the problem, but it will take more than a break-fix approach to end this cat and mouse game.

2. Are you really getting what you click on?

[Image: Ads can trick you into installing junk]

Accidentally clicking on the wrong link when you want to download a song, file or program from the internet can open the floodgates of junk on your computer. The above image shows a legitimate download website. Can you guess which link is the correct one to download your program?

3. Popups, search engine hijackers and junk programs

[Image: Hijacked search engines can be hard to cure]

Once junk programs from advertising get their foot in the door, it can be very difficult to detect or even remove the software. The above search engine may look like Google, but it is a knock-off website meant to steer you to its partners’ websites.

For now, until major websites have better safeguards in place to keep malware, junk programs and sneaky advertising methods off their ad networks, it’s better to steer clear of advertising altogether. We recommend running Firefox or Chrome with ad block plugins installed.

For more tips on staying safe online at your home or office, contact your local IT professionals.
