Password managers are the next target of malware: what IBM thinks the solution is


Image credit: Pierre Lecourt

A password manager, as offered by various companies, is seen as a simple way to keep Internet use secure: the user sets one strong master password and can then easily sign in to every website. At the same time, more and more services adopt "additional authentication" that identifies the user by requiring something physical or cryptographic, such as a "registered device", a "personal identification card", a "software certificate" or a "digital signature". However, IBM Trusteer, which works on cybercrime prevention, has found in its research malware that breaks through these combinations.

Cybercriminals Use Citadel to Compromise Password Management and Authentication Solutions
http://securityintelligence.com/cybercriminals-use-citadel-compromise-password-management-authentication-solutions/


◆ "Citadel", malware that has infected one in 500 PCs worldwide
According to IBM Trusteer, sophisticated malware that breaks through password managers and additional authentication has appeared; it is said to be a new function of the Trojan horse "Citadel", malware that has already infected millions of PCs worldwide.

A machine infected with Citadel opens a communication channel to a C&C server and registers the malware there. The malware's configuration file then not only allows it to "capture various information" and "execute every function", but also lets it replace the existing C&C server with an alternative one, so that the machine can be controlled from the new C&C server. As a result, as long as the malware is communicating with a C&C server, information can be obtained even when the contents of the configuration file are updated.

IBM Trusteer finds that, averaged across the world, one PC in 500 is infected with Citadel. Since millions of PCs are already infected, attackers can easily attack an infected machine. Also, because most security products do not detect Citadel, an infection on a PC that is not in use often goes unnoticed, so once the user starts using the machine again the malware can resume.

◆ How Citadel's new configuration breaks through password managers
IBM Trusteer, which has continued to research Citadel, found a new Citadel configuration that attacks password managers and authentication processes. On a machine infected with Citadel, IBM Trusteer actually observed that it performs key logging when the following processes are running.


"Personal.exe" is a process belonging to "neXus Personal Security Client", middleware that encrypts authentication information to enable secure login and is used to carry out financial transactions, e-commerce and other security-dependent services. The process is also used by common applications and by Internet service providers.

"PWsafe.exe" is a process belonging to the open-source password database utility "Password Safe", and "KeePass.exe" to the open-source password manager "KeePass". Because the master password is captured by key logging, the hacker gains access to the entire password list.
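As an added illustration that is not part of the IBM Trusteer report or of this article, the following Python sketch shows how a defender could correlate endpoint telemetry to spot the behaviour described above: a keyboard hook held by an unrelated process while Personal.exe, PWsafe.exe or KeePass.exe is running. The pipe-separated event format and the sample events are constructed for this example; real EDR schemas differ.

```python
from dataclasses import dataclass

# Processes the article names as Citadel's key-logging triggers.
WATCHED = {"personal.exe", "pwsafe.exe", "keepass.exe"}
# Hook types that deliver keystrokes to the hooking process.
KEYBOARD_HOOKS = {"WH_KEYBOARD", "WH_KEYBOARD_LL"}

@dataclass
class Event:
    ts: int        # seconds; events are sorted by this
    kind: str      # start | stop | hook | unhook
    pid: int
    image: str     # process image name, lower-cased
    hook: str = "" # hook type, only for kind == "hook"

def parse(line):
    """Parse one constructed telemetry line: ts|kind|pid|image[|hook]."""
    ts, kind, pid, image, *rest = line.strip().split("|")
    return Event(int(ts), kind, int(pid), image.lower(), rest[0] if rest else "")

def find_suspicious_hooks(lines):
    """Return sorted (hooking_image, watched_image) pairs for every keyboard
    hook held by a different process while a watched process is alive,
    whether the hook was installed before or after the watched process started."""
    running = {}  # pid -> image of watched processes currently alive
    hooks = {}    # pid -> image of processes currently holding a keyboard hook
    hits = set()
    for ev in sorted((parse(l) for l in lines if l.strip()), key=lambda e: e.ts):
        if ev.kind == "start" and ev.image in WATCHED:
            running[ev.pid] = ev.image
            hits.update((h, ev.image) for p, h in hooks.items() if p != ev.pid)
        elif ev.kind == "stop":
            running.pop(ev.pid, None)
            hooks.pop(ev.pid, None)
        elif ev.kind == "hook" and ev.hook in KEYBOARD_HOOKS:
            hooks[ev.pid] = ev.image
            hits.update((ev.image, w) for p, w in running.items() if p != ev.pid)
        elif ev.kind == "unhook":
            hooks.pop(ev.pid, None)
    return sorted(hits)

# Constructed sample: a hook installed while KeePass runs, the same hook still
# present when Password Safe starts later, a self-hook and a mouse hook to ignore.
SAMPLE = """\
100|start|412|explorer.exe
105|start|913|KeePass.exe
106|hook|2201|svchost.exe|WH_KEYBOARD_LL
120|stop|913|KeePass.exe
140|start|950|PWsafe.exe
141|hook|950|PWsafe.exe|WH_KEYBOARD_LL
150|hook|777|notepad.exe|WH_MOUSE_LL
""".splitlines()

if __name__ == "__main__":
    for hooker, victim in find_suspicious_hooks(SAMPLE):
        print(f"{hooker} holds a keyboard hook while {victim} is running")
```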

Image credit: Robbert van der Steeg

In addition, IBM Trusteer succeeded in obtaining a machine infected with Citadel, and analysis of its configuration file revealed that the hacker used a web server as the C&C server. However, by the time the sample arrived at the laboratory the C&C file had been removed from the server, so it was not possible to investigate the hacker's background and target group.

◆ IBM Trusteer's conclusion
IBM expects that the "password" itself as a means of access to resources will be abolished by 2016, and that instead of an ID and password, biometric data such as "face authentication", "iris authentication", "voice data" and "DNA information" will be used. Until password authentication is abolished, we should refrain from using neXus Personal Security Client, Password Safe and KeePass, and should use a machine that is not infected with Citadel together with a security product with high detection accuracy.

Also, this is not limited to PCs: on Android devices it has been reported that data can be intercepted from password manager apps including LastPass and KeePassDroid using an app such as ClipCaster, so the password manager you use needs to be chosen carefully.

Using a password manager on Android? It may be wide open to sniffing attacks | Ars Technica
http://arstechnica.com/security/2014/11/using-a-password-manager-on-android-it-may-be-wide-open-to-sniffing-attacks/

in Software, Posted by darkhorse_log