Trick Or Treat – Do You Dare To Open The Following Link?

 In ITC's Threat of the Week

ftp://malware.com/crowti.zip

Another all-trick, no–treat week, with two new threats that both Windows and Linux admins should be aware of (we guess the Mac hackers are too busy drooling over their lovely new 5k retina screens). 

On the Linux side we’ve seen a new vulnerability in the popular command line tool ‘wget’ (CVE-2014-4877). It’s nasty in that is allows a malicious or otherwise compromised FTP server to access and even erase the filesystem of the client by exploiting symlinks. This isn’t one that should keep a server admin (or their boss) awake at night as likely you’d only be running wget scripts against trusted sites anway. Probably of greater concern is that this is the latest in what’s becoming a steady stream of discoveries of vulnerabilities in core Linux/open source tools that have gone unnoticed for a very long time. Whatever next?…

And for those of a Windows persuasion, particularly the desktop admin crowd, keep an eye out for signs of a new ransomware called ‘Crowti’ that’s seen a massive upsurge in the last week or so. Very similar to Cryptolocker, this one comes in as either an email attachment (fake voicemail, tax rebates, you know the drill), a drive-by browser exploit or can just be dropped by an existing malware infection (Upatre, Zemot and Zbot, we’re looking at you). One click on that dodgy EXE posing as a PDF and you can kiss those nice plaintext versions of your files goodbye. They’ll all be encrypted and you’ll be pushed to a Tor page for payment for a supposed decryption key. Shadow copies and a tested backup strategy are your friend, as ever. Unless you’ve got good reason not to, blocking execution of files from %appdata% isn’t going to hurt either. One thing this brings into focus is just how pointless signature based desktop AV is becoming. Really, what hope is there for your AV if it’s so reliant on signatures that it doesn’t even think an executable attachment with a fake PDF icon could be suspicious for heaven’s sake.

Happy patching, and remember we’re always here to help with any and all questions you may have around vulnerability management or secure networking in general – sales@itcsecure.com or call 020 7517 3900

Author: Kevin Whelan

Recent Posts

Leave a Comment