The Kovter malware family has been plaguing systems for many years and shows no sign of going away. A new ad-click-fraud strain of fileless Kovter is currently being spread via drive-by download attacks. The infection is delivered by a file posing as a legitimate Mozilla Firefox browser update (firefox-patch.exe).
New Fileless Kovter Uses Legitimate Certificate
An alert about a potential threat on one of Barkly's systems led its researchers to the newly emerged Kovter strain.
What makes this new variant particularly nasty is that it is the newer fileless version of Kovter, and it is now using an apparently legitimate certificate. That is bad news because a legitimate certificate causes plenty of traditional antivirus/endpoint solutions to give the software a pass.
The good news is that Barkly researchers have already shared their findings with other anti-virus vendors. As a result, several of the engines included in VirusTotal's scans now detect the threat.
Comodo, the certificate authority whose certificate was abused by Kovter in this operation, has also been notified so that the certificate can be revoked.
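The point above is that a valid code signature alone is not a trust decision: it only proves that someone holding a code-signing certificate signed the file. The following PowerShell script is an added example, not code from the article or from Barkly. It checks a downloaded "update" such as firefox-patch.exe in three steps: is the signature valid, is the signing certificate still unrevoked (an explicit online CRL/OCSP check, since a freshly revoked certificate may otherwise still pass), and is the signer the publisher you actually expect for this product. The expected-publisher string "CN=Mozilla Corporation" is an assumption used as a placeholder; set it to the publisher you expect.

```powershell
# Added example (not from the original article): verify who signed a downloaded
# "update" before trusting it, rather than accepting any valid Authenticode signature.
# Assumption: the expected publisher for a Firefox update is "CN=Mozilla Corporation";
# change $ExpectedPublishers to the publisher you actually expect.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string[]]$ExpectedPublishers = @('CN=Mozilla Corporation')
)

function Test-UpdateSignature {
    param([string]$Path, [string[]]$ExpectedPublishers)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File       = $Path
        Status     = $sig.Status
        Signer     = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' })
        Thumbprint = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' })
        Verdict    = 'REJECT'
        Reason     = ''
    }

    # Step 1: the signature itself must verify and chain to a trusted root.
    if ($sig.Status -ne 'Valid') {
        $result.Reason = "signature status is $($sig.Status)"
        return [pscustomobject]$result
    }

    # Step 2: explicit online revocation check of the whole chain, so that a
    # certificate the CA has just revoked (as Comodo was asked to do here) fails.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if (-not $chain.Build($sig.SignerCertificate)) {
        $result.Reason = 'chain/revocation failure: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        return [pscustomobject]$result
    }

    # Step 3: a valid, unrevoked signature only proves *someone* signed the file.
    # The check that matters is whether that someone is the publisher you expect.
    $subject = $sig.SignerCertificate.Subject
    $matched = $ExpectedPublishers | Where-Object { $subject -like "*$_*" }
    if (-not $matched) {
        $result.Reason = 'signed, but not by an expected publisher'
        return [pscustomobject]$result
    }

    $result.Verdict = 'ACCEPT'
    $result.Reason  = 'valid, unrevoked, signed by an expected publisher'
    return [pscustomobject]$result
}

Test-UpdateSignature -Path $Path -ExpectedPublishers $ExpectedPublishers | Format-List
```

Run it as `.\Test-UpdateSignature.ps1 -Path .\firefox-patch.exe`. A file signed with a valid but unexpected certificate comes back as REJECT with the signer's subject and thumbprint shown, which is exactly the case the article describes and exactly what a plain "is it signed?" check misses.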
How Can I Be Protected Against Kovter and Similar Malware?
It’s very simple. Never trust unexpected pop-ups that prompt you to install software updates. You probably know that most applications, browsers included, have built-in mechanisms that download and install updates without any user involvement.
As with most malware infections, being aware of the tricks employed by cyber criminals is a crucial element of staying safe online.
To increase your security against any malware, you can refer to the following tips:
- Use additional firewall protection. A second firewall adds a layer of defence against potential intrusions.
- Limit the administrative privileges your programs have over what they read and write on your computer, and require them to prompt for admin access before starting.
- Use stronger passwords. Stronger passwords (preferably ones that are not dictionary words) are harder to crack, including by brute-force and dictionary attacks that rely on word lists.
- Turn off AutoPlay. This protects your computer from malicious executable files on USB sticks or other external storage devices that would otherwise run as soon as the device is inserted.
- Disable file sharing, or, if you need to share files between your computers, password-protect the shares so that an infection stays confined to your own machine.
- Switch off any remote services you do not need; an exposed remote service can be devastating for business networks, since it can cause damage on a massive scale.
- If a third-party, non-critical service or process (such as Flash Player) is being actively exploited, disable it until an update that fixes the vulnerability is available.
- Always install critical security patches for your software and OS.
- Configure your mail server to block and delete emails containing suspicious file attachments.
- If you have a compromised computer in your network, isolate it immediately by powering it off and disconnecting it from the network by hand.
- Turn off infrared ports and Bluetooth; attackers like to use them to exploit devices. If you use Bluetooth, watch for unknown devices that prompt you to pair, decline the request, and investigate any that look suspicious.
- Employ a powerful anti-malware solution that protects you automatically from future threats.
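Several of the items in the list above (AutoPlay, file sharing, remote services, Bluetooth, the firewall) are settings that can be audited rather than taken on faith. The script below is an added example, not part of the original article. It is read-only: it reports whether each tip is applied on a Windows host and changes nothing. The registry paths and service names are the standard Windows ones; which state counts as "Pass" (for example, the Server service stopped because the tip says to disable file sharing) is this example's own interpretation of the list, and on a domain-joined or file-server machine some of those items will legitimately stay enabled.

```powershell
# Added example (not from the original article): read-only audit of a few
# hardening tips on a Windows host. "Pass" means the tip as written is applied.
function Get-HardeningAudit {
    $findings = @()

    # AutoPlay: NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type.
    # The policy can be set per machine (HKLM) or per user (HKCU).
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $val = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        $findings += [pscustomobject]@{
            Check = "AutoPlay disabled ($hive)"
            Value = $(if ($null -eq $val) { '<not set>' } else { '0x{0:X2}' -f $val })
            Pass  = ($val -eq 0xFF)
        }
    }

    # Remote Desktop: fDenyTSConnections = 1 means incoming RDP is disabled.
    $rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $findings += [pscustomobject]@{
        Check = 'Remote Desktop disabled'
        Value = $(if ($null -eq $rdp) { '<not set>' } else { $rdp })
        Pass  = ($rdp -eq 1)
    }

    # Services behind the "remote services", "file sharing" and "Bluetooth" tips.
    $services = @(
        @{ Name = 'RemoteRegistry'; Label = 'Remote Registry service stopped' },
        @{ Name = 'LanmanServer';   Label = 'File and printer sharing (Server service) stopped' },
        @{ Name = 'bthserv';        Label = 'Bluetooth Support service stopped' }
    )
    foreach ($svc in $services) {
        $s = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Check = $svc.Label
            Value = $(if ($s) { "$($s.Status) / $($s.StartType)" } else { '<not present>' })
            Pass  = ($null -eq $s -or $s.Status -ne 'Running')
        }
    }

    # Windows Firewall must be enabled on every profile (domain, private, public).
    foreach ($profile in Get-NetFirewallProfile) {
        $findings += [pscustomobject]@{
            Check = "Windows Firewall enabled ($($profile.Name))"
            Value = $profile.Enabled
            Pass  = [bool]$profile.Enabled
        }
    }

    return $findings
}

# Print the table; the Pass column shows which tips still need attention.
Get-HardeningAudit | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys and service start types are readable. Items that show `Pass: False` are the ones to fix by policy or by hand; the script deliberately does not change them, so it is safe to run as a first step on a machine you suspect is compromised.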