Results 1 to 1 of 1
-
6th Aug 2014, 05:29 PM #1
Yahoo/Gmail Used by Malware for Communication
Security researchers discovered a new piece of malware that managed to evade detection since 2012 by relying on web platforms such as Yahoo and Gmail to communicate with the command and control servers.
Dubbed IcoScript by Paul Rascagneres from the German security firm G Data, the malware is a remote access tool (RAT), modular in architecture. It leverages the Component Object Model (COM) technology in Windows that can be used to control Internet Explorer.
Rascagneres says that it is “useful for malware developers because it allows them to manipulate the browser that is being used by a legitimate user.”
Among the advantages he points out is HTTP communication being performed by the IE’s process and not the malware piece. On the same note, because the browser session is hidden, there is no evidence of additional communication through the web browser.
Making use of an encrypted script, the threat actor optimizes “the manipulation of the browser and achieve a modular communication channel,” a VirusBulletin report on the researcher’s analysis says.
By decrypting the script, Rascagneres found that it included a multi-step action, with variables and values designed to offer the attacker the possibility to access specific online locations, pointing the information to upload, control elements and IE actions in web pages, or retrieve contents of iFrames and hidden elements on the page.
In an example provided by the researcher, IcoScript can use COM to connect to Yahoo email service through Internet Explorer, fill in the username and password fields, exfiltrate data, as well as execute commands sent through emails.
In the analyzed sample the malware used Yahoo email, but changing the platform, to Gmail, Facebook, or LinkedIn should not be difficult to achieve, says Rascagneres.
The choice to use popular email services is what allowed the malware to escape detection, since this type of traffic is not blacklisted by companies. Also, the intrusion detection systems (ISD) do not detect the strings marking the commands in the emails “because the network flow of Yahoo webmail is compressed with gzip. The data is only uncompressed in the user’s browser, so the IDS would have to uncompress on the fly.”
IcoScript is quite difficult to block because incident response teams generally block the bad URL on the proxy, but in this case communication occurs through legitimate channels, which cannot be blacklisted.
“It demonstrates both that attackers know how incident response teams work, and that they can adapt their communication to make detection and containment both complicated and expensive,” concludes the security researcher.Kepler Reviewed by Kepler on . Yahoo/Gmail Used by Malware for Communication http://i1-news.softpedia-static.com/images/news-700/Yahoo-Gmail-Used-by-Malware-For-Communication.jpg Security researchers discovered a new piece of malware that managed to evade detection since 2012 by relying on web platforms such as Yahoo and Gmail to communicate with the command and control servers. Dubbed IcoScript by Paul Rascagneres from the German security firm G Data, the malware is a remote access tool (RAT), modular in architecture. It leverages the Component Object Rating: 5
Sponsored Links
Thread Information
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Similar Threads
-
What is the CMS used by freshwap blog?
By Onoredone in forum Webmaster DiscussionReplies: 13Last Post: 26th Feb 2010, 05:34 PM -
[WCDDL] Accept All By Site! - For serious DDL sites only!
By tdsii in forum Webmaster ResourcesReplies: 9Last Post: 19th Jan 2010, 12:11 PM -
Get a-squared Anti-Malware for FREE! (24 hours only)
By Chutad in forum Completed TransactionsReplies: 0Last Post: 2nd Nov 2009, 06:58 PM -
Start using Google CDN for your javasripts !
By litewarez in forum Tutorials and GuidesReplies: 5Last Post: 13th Oct 2009, 07:38 PM -
Microsoft, Yahoo, Real sued by MCS Music
By DeathKnell in forum News & Current EventsReplies: 9Last Post: 7th Jul 2009, 10:28 PM
themaCreator - create posts from...
Version 3.23 released. Open older version (or...