
SoylentNews is people

posted by on Monday March 06 2017, @12:48AM
from the clever dept.

Researchers at Cisco's Talos threat research group are publishing research today on a targeted attack delivered by a malicious Microsoft Word document that goes to great lengths to conceal its operations. Based entirely on Windows PowerShell scripts, the remote access tool communicates with the attacker behind it through a service that is almost never blocked at the network edge: the Domain Name System (DNS).

The malware was first discovered by a security researcher (@simpo13) who alerted Talos because of one peculiar feature of the code that he discovered: it called out Cisco's SourceFire security appliances in particular with the encoded text, "SourceFireSux."

[...] The irony of this particular attack calling out SourceFire is that Cisco has just relaunched Umbrella—a service it acquired with OpenDNS—a product that is intended to shield from DNS exploits precisely like this.

Source:

https://arstechnica.com/security/2017/03/researchers-uncover-powershell-trojan-that-uses-dns-queries-to-get-its-orders/
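The story says the RAT takes its orders over DNS because that channel is rarely blocked; the defensive counterpart is to look at the DNS queries themselves. The script below is an added example written for this page, not code from Talos, Cisco, or the article: a heuristic tunnelling detector that runs over a few constructed query-log lines (timestamp, client, query type, query name; none of it is real traffic) and groups queries by the registered domain, since that is the part of the name the C2 operator controls. It flags a domain when its queries carry long, high-entropy, non-repeating labels, or when they are dominated by TXT lookups (a record type such tools commonly use to carry responses; the article does not state which record type this sample used, so that is an assumption here). Domain names, thresholds and the two-label definition of "registered domain" are all illustrative choices.

```python
"""Heuristic detector for DNS tunnelling / DNS-based C2 in query logs.

Added example, not from the original article. All sample data is constructed.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log (not real traffic): "<unix_ts> <client_ip> <qtype> <qname>".
# 10.0.0.7 queries unique hex-looking labels under one domain via TXT, the
# pattern a DNS-based RAT produces; the rest is ordinary-looking traffic.
SAMPLE_LOG = """\
1488758400 10.0.0.5 A www.example.com
1488758401 10.0.0.5 A www.example.com
1488758402 10.0.0.5 A www.example.com
1488758403 10.0.0.5 AAAA mail.example.com
1488758404 10.0.0.6 TXT _dmarc.example.com
1488758405 10.0.0.6 A imap.example.com
1488758406 10.0.0.7 TXT 4f1a9c0e7b23d8.ctl.evil-c2.example
1488758407 10.0.0.7 TXT 9b82e4d1c7a05f.ctl.evil-c2.example
1488758408 10.0.0.7 TXT e0c3a7f5d16b94.ctl.evil-c2.example
1488758409 10.0.0.7 TXT 71d5b9e2f8c4a3.ctl.evil-c2.example
1488758410 10.0.0.7 TXT c6e8f2a4b9d017.ctl.evil-c2.example
1488758411 10.0.0.7 TXT 3a9d7c1e5f0b28.ctl.evil-c2.example
1488758412 10.0.0.5 A d1a2b3c4.cdn-cache.example
1488758413 10.0.0.5 A d1a2b3c4.cdn-cache.example
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; hex/base32 payload labels score far above 'www'."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str):
    """Split a query name into (subdomain part, registered domain).

    Assumption for this example: the registered domain is the last two labels.
    A production detector should use a public-suffix list instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile_domains(log_text: str):
    """Aggregate per-registered-domain statistics from raw log lines."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0,
                                 "subdomains": set(), "entropy_sum": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:          # skip malformed lines rather than crash
            continue
        _ts, _client, qtype, qname = parts
        sub, dom = split_name(qname)
        s = stats[dom]
        s["queries"] += 1
        if qtype.upper() == "TXT":
            s["txt"] += 1
        s["subdomains"].add(sub)
        s["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
    return stats


def flag_tunnelling(stats, min_queries=5, min_entropy=3.0,
                    min_unique_ratio=0.8, min_txt_ratio=0.5):
    """Return {domain: reasons} for domains whose query pattern looks like C2.

    Thresholds are illustrative; tune them against your own baseline, because
    CDNs and reputation-lookup services also produce high-entropy labels.
    """
    flagged = {}
    for dom, s in stats.items():
        if s["queries"] < min_queries:   # too little volume to judge
            continue
        mean_entropy = s["entropy_sum"] / s["queries"]
        unique_ratio = len(s["subdomains"]) / s["queries"]
        txt_ratio = s["txt"] / s["queries"]
        reasons = []
        if mean_entropy >= min_entropy and unique_ratio >= min_unique_ratio:
            reasons.append(f"high-entropy, non-repeating labels "
                           f"(H={mean_entropy:.2f}, unique={unique_ratio:.2f})")
        if txt_ratio >= min_txt_ratio:
            reasons.append(f"TXT-heavy ({txt_ratio:.0%} of queries)")
        if reasons:
            flagged[dom] = reasons
    return flagged


if __name__ == "__main__":
    for dom, why in flag_tunnelling(profile_domains(SAMPLE_LOG)).items():
        print(f"{dom}: " + "; ".join(why))
```

Run as-is it reports only `evil-c2.example`; the repeated `www`/`mail` lookups under `example.com` score low on both entropy and uniqueness, and the CDN-style cache key under `cdn-cache.example` has high entropy but too few queries to be judged. The recursive resolver that answered these queries appears nowhere in the verdict: it only relayed them, and the domain being flagged is the one whose authoritative server the operator runs.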



  • (Score: 3, Insightful) by jasassin on Monday March 06 2017, @01:19AM

    by jasassin (3566) <jasassin@gmail.com> on Monday March 06 2017, @01:19AM (#475445) Homepage Journal

    Why don't they bust the people who own the DNS servers? I must be missing something.

    --
    jasassin@gmail.com GPG Key ID: 0x663EB663D1E7F223
  • (Score: 0) by Anonymous Coward on Monday March 06 2017, @02:30AM

    by Anonymous Coward on Monday March 06 2017, @02:30AM (#475462)

    n/t

  • (Score: 2, Interesting) by anubi on Monday March 06 2017, @02:45AM (1 child)

    by anubi (2828) on Monday March 06 2017, @02:45AM (#475467) Journal

    And they found it apparently because of the phrase: "SourceFireSux".

    How many other malwares are out there, in place, primed.. sleeper cells... just waiting to be woken up?

    Contrary to what the DMCA as signed into effect by our Congress may say, ignorance is definitely NOT bliss!

    But most of us won't discover this until someone completely unknown to us pulls the rug out from under all of us.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
    • (Score: 0) by Anonymous Coward on Monday March 06 2017, @10:59AM

      by Anonymous Coward on Monday March 06 2017, @10:59AM (#475568)

      ... and we will likely encounter this at the worst possible time ( outbreak of a war, for instance ).

  • (Score: 3, Interesting) by Nerdfest on Monday March 06 2017, @03:49AM (1 child)

    by Nerdfest (80) on Monday March 06 2017, @03:49AM (#475481)

    The irony of this particular attack calling out SourceFire is that Cisco has just relaunched Umbrella—a service it acquired with OpenDNS—a product that is intended to shield from DNS exploits precisely like this.

    Sounds more like marketing to me.

    • (Score: 0) by Anonymous Coward on Monday March 06 2017, @05:30AM

      by Anonymous Coward on Monday March 06 2017, @05:30AM (#475506)

      Marketing: PowerShell Trojan vs. Fitbit Smart Condom? I have a feeling we will be screwed either way since Micro$oft (Hey!!! Did you see I spelled Micro$oft with a $ instead of an actual "s"! Cool, eh!) is involved, and screwing newbs is what they do. Newbs and MCSEs. Newbs and MCSEs and PHBs. Newbs and MCSEs and PHBs and Francis. So sad. Microsoft has wiretapped the sacredness of an operating system, and all we are left with is a PowerShell of Trojan Horses filled with Greeks bearing Domain Addresses. So sick.

  • (Score: 0) by Anonymous Coward on Tuesday March 07 2017, @11:48AM

    by Anonymous Coward on Tuesday March 07 2017, @11:48AM (#475973)

    You did figure these expenses into your Total Cost of Ownership (TCO) calculation, right?
