Bogus Heartbleed cure is malware

News by Steve Gold

Heartbleed removal utility carries malware, plus researcher claims Heartbleed flaw can be exploited wirelessly

Cybercriminals have tapped into concerns about the Heartbleed OpenSSL flaw by spamming users with an email campaign offering a free Heartbleed virus removal utility. The utility, however, is actually a malware carrier, and contains a nasty Trojan (Trojan.Dropper).

According to Joseph Graziano, a senior threat analyst engineer with Symantec, the email looks legitimate enough, but seasoned IT professionals, he says, will soon spot the message is a fake.

"One warning sign that should raise suspicion is that the subject line - 'Looking for Investment Opportunities from Syria' - is totally unrelated to the body of the email," he says in his analysis.

Graziano adds that the email tries to gain credibility by pretending to come from a well-known password management company.

"The email provides details on how to run the removal tool and what to do if antivirus software blocks it. The attached file is a docx file which may seem safer than an executable file to users," he notes.

"However, once the docx file is opened the user is presented with an encrypted zip file. Once the user extracts the zip file, they will find the malicious heartbleedbugremovaltool.exe file inside," he goes on to say.

The Symantec analyst says that, after the fake removal tool gives a clean bill of health, users may feel relieved that their computers are not infected.

"However, this couldn't be further from the truth as they now have a keylogger recording keystrokes and taking screen shots and sending confidential information to a free hosted email provider," he explains.
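The delivery chain Symantec describes (a .docx that carries an encrypted zip, which in turn holds the .exe) is something a mail gateway or analyst can check for before a user ever opens the document, because a .docx is itself a zip container and the member names of an encrypted zip are readable without the password. The script below is an added triage example, not Symantec's tooling or anything from the article: it walks a .docx, finds any embedded entry that is itself a zip, and reports each nested member's name, whether its header carries the encryption flag, and whether its extension looks executable. The sample document and the hand-built inner archive are constructed fixtures; the only name taken from the write-up is `heartbleedbugremovaltool.exe`.

```python
"""Triage a .docx attachment for the docx -> encrypted zip -> .exe pattern.
Added example (not Symantec's or the article's code); fixtures are constructed."""
import io
import struct
import zipfile
import zlib

ZIP_MAGIC = b"PK\x03\x04"
FLAG_ENCRYPTED = 0x1  # general-purpose bit 0 in zip local/central headers
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".msi")


def inspect_nested_zip(data):
    """List members of an embedded zip; encryption and executable-ness are
    taken from the central directory, so no password is needed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as inner:
        for info in inner.infolist():
            findings.append({
                "name": info.filename,
                "encrypted": bool(info.flag_bits & FLAG_ENCRYPTED),
                "executable": info.filename.lower().endswith(EXEC_EXT),
            })
    return findings


def triage_docx(docx_bytes):
    """Return a report of every zip embedded in the document and a
    'suspicious' verdict if any nested member looks executable."""
    report = {"embedded_archives": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as outer:
        for info in outer.infolist():
            raw = outer.read(info)
            if not raw.startswith(ZIP_MAGIC):
                continue  # ordinary XML part, not a nested archive
            try:
                members = inspect_nested_zip(raw)
            except zipfile.BadZipFile:
                continue  # signature matched but it is not a parseable zip
            report["embedded_archives"].append(
                {"entry": info.filename, "members": members})
            if any(m["executable"] for m in members):
                report["suspicious"] = True
    return report


def build_flagged_zip(name, payload, encrypted=True):
    """Constructed fixture: a minimal single-member stored zip with the
    encryption flag bit set in its headers (payload left in clear), which is
    what a real password-protected zip looks like when merely listed."""
    name_b = name.encode()
    flags = FLAG_ENCRYPTED if encrypted else 0
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, 0, 0,
                        crc, len(payload), len(payload), len(name_b), 0) + name_b
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags,
                          0, 0, 0, crc, len(payload), len(payload),
                          len(name_b), 0, 0, 0, 0, 0, 0) + name_b
    body = local + payload
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(body), 0)
    return body + central + eocd


def build_sample_docx(with_lure=True):
    """Constructed fixture mimicking the lure: a docx whose embedded object is
    an encrypted zip holding the .exe named in the write-up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as docx:
        docx.writestr("[Content_Types].xml", "<Types/>")
        docx.writestr("word/document.xml", "<w:document/>")
        if with_lure:
            inner = build_flagged_zip("heartbleedbugremovaltool.exe",
                                      b"MZ" + b"\x00" * 64)  # fake PE stub
            docx.writestr("word/embeddings/oleObject1.bin", inner)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("lure", build_sample_docx()),
                       ("clean", build_sample_docx(with_lure=False))):
        print(label, triage_docx(doc))
```

The check deliberately stops at the central directory: it never needs to extract or execute anything, and an encryption flag combined with an executable member name inside an Office document is a strong enough signal on its own to quarantine the message for review.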

Wireless modems and Android devices open to 'Cupid' attack

In parallel with the Trojan.Dropper spammed utility campaign, Luis Grangeia, a partner and security services manager with SysValue, says that a new attack vector based on the original Heartbleed OpenSSL flaw leaves wireless routers and Android handsets open to attack.

Grangeia calls this attack vector the 'Cupid' attack, as it allows cybercriminals to capture data relayed between WiFi routers and Android smartphones plus tablet computers.

What is interesting about the vector, Grangeia notes, is that it uses the same Heartbleed exploit methodology, but applies it to wireless IP transmissions rather than to wireline Internet data flows.

The security manager claims that other mobile device operating systems (other than Android) may also be vulnerable to the Heartbleed Cupid attack - including Apple iOS and OS X systems.

Commenting on these latest Heartbleed threat escalations, Rahul Kashyap, head of security research with Bromium, said it is important to understand that Heartbleed is not a virus, but is actually a vulnerability in a secure transmission protocol.

"Issues such as these further confuse users by propagating the myth that it is a virus and needs to be removed. PC and Mac users need to do nothing more than apply patches from Microsoft or Apple," he explained.

Tim Keanini, CTO with Lancope, meanwhile, said that the entire cybersecurity issue is a game that is not based on physics and might, but based on knowledge.

"It is a game of knowledge where information is both the weapon and the payoff. Those not informed are weak and will fall victim, but thereafter they are informed and adversaries need to re-invent other methods to 'fool' their victims," he said.

Keanini says that, despite the spammers offering Internet users a Heartbleed virus removal utility, the laughable characteristic is that Heartbleed itself is not a virus, nor will it ever be.

"The sad part is the mass population does not even know this differentiation," he noted.

"The second thing is that many explanatory devices have been published in the form of cartoons, videos, screen casts, etc to educate the public on Heartbleed, yet the majority go uneducated on the matter," he said.

"Lastly, people need to help one another out and, when faced with this type of questionable software, they need to know to ask a friend or a service provider if this is valid before installing and executing the program. All downloads on the Internet should be treated with extreme suspicion," he added.
