It never ends. Hackers are becoming super savvy when it comes to gathering information undetected. The latest exploit, reported by Trend Micro, disguises itself as Adobe Flash and targets home routers. The malware then does a disappearing act, removing itself from the system.
SC Magazine learned the following details regarding the exploit in a recent email correspondence with Kenney Lu, of Trend Micro:
The malware was detected by Trend Micro as TROJ_VICEPASS.A, or VICEPASS, and it has been observed infecting users that navigate to malicious websites hosting a purported Adobe Flash update.
Once downloaded and executed, the malware uses a predefined list of usernames and passwords to attempt to connect to the home router, Lu wrote. Some of the usernames include admin, D-Link, guest, root and user, and some of the passwords include 12345678, admin, password and qwerty.
When connected to the home router, the malware scans for devices using various strings in its search, including dlink, d-link, laserjet, apache, cisco, gigaset, asus, apple, iphone, ipad, logitech, samsung, and xbox, says Lu.
Furthermore, the malware “will affect every device in the target network. If it finds any of these vendors’ devices, the devices will be given a specific vendor name, [and] other devices will be marked as ‘unknown’.”
The search results are encrypted using Base64 and a self-made encryption method, and are sent to the C&C using HTTP protocol, Lu wrote in the post, explaining that the malware will then delete itself and remove any trace of its existence.
In the post, Lu suggested that attackers could be using VICEPASS for reconnaissance for bigger campaigns. He wrote that the information gleaned from the malware could also be stored and used for future cross-site request forgery (CSRF) attacks.
To protect against these types of threats, Lu suggested using strong passwords, not clicking on links in emails, and updating software from official websites.
IT SECURITY SUPPORT: Blue Mountain Data Systems provides IT Security Support Services for Federal Civilian Agencies. Looking to find Vulnerability Scanning and Testing, Penetration Testing, Risk Assessment & FISMA Reporting for your Federal Agency? Call Paul Vesely at 703-502-3416.