Category Archives: antivirus

Fileless malware attack against US restaurants went undetected by most AV


Researchers have detected a brazen attack on restaurants across the United States that uses a relatively new technique to keep its malware undetected by virtually all antivirus products on the market.

Malicious code used in so-called fileless attacks resides almost entirely in computer memory, a feat that prevents it from leaving the kinds of traces that are spotted by traditional antivirus scanners. Once the sole province of state-sponsored spies casing the highest-value targets, in-memory techniques are becoming increasingly common in financially motivated attacks. They typically rely on widely available administrative tools such as PowerShell, Metasploit, and Mimikatz, which feed a series of malicious commands to the targeted computers.

FIN7, an established hacking group with ties to the Carbanak Gang, is among the converts to this new technique, researchers from security firm Morphisec reported in a recently published blog post. The dynamic link library file it is using to infect Windows computers in an ongoing attack on US restaurants would normally be detected by just about any AV program if the file were written to a hard drive. But because the file contents are piped into computer memory using PowerShell, the file was not visible to any of the 56 most widely used AV programs, according to a VirusTotal query conducted earlier this month.


AV provider Webroot melts down as update nukes hundreds of legit files


Antivirus provider Webroot is causing a world of trouble for customers. A signature update just nuked hundreds of benign files needed to run Microsoft Windows, as well as apps that run on top of the operating system.

Social media sites ignited late on Monday afternoon with customers reporting that servers and computers alike stopped working as a result of the mishap. The admin and security pundit who goes by the Twitter handle SwiftOnSecurity told Ars that, at the company he or she worked for, the false positive quarantined "several hundred" files used by Windows Insider Preview. Hundreds of "line of business" apps, such as those that track patient appointments or manage office equipment, suffered the same fate. Webroot was also flagging Facebook as a phishing site.

As this post was going live, Webroot's cloud-based system for issuing commands to clients was unable to revert the quarantined files. Officials have yet to confirm that they will be able to revert all of the bad determinations.


Lawyers, malware, and money: The antivirus market’s nasty fight over Cylance

Image caption: Is it "fresh malware"? Or is it something else repackaged? (credit: from an image by Sarah Shuda)

Last November, a systems engineer at a large company was evaluating security software products when he discovered something suspicious.

One of the vendors had provided a set of malware samples to test—48 files in an archive stored in the vendor's Box cloud storage account. The vendor providing those samples was Cylance, the information security company behind Protect, a "next generation" endpoint protection system built on machine learning. In testing, Protect identified all 48 of the samples as malicious, while competing products flagged most but not all of them. Curious, the engineer took a closer look at the files in question—and found that seven weren't malware at all.

That led the engineer to believe Cylance was using the test to close the sale by providing files that other products wouldn't detect—that is, bogus malware only Protect would catch.
