Jump to content

Search the Community

Showing results for tags 'Malware'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station

Categories

  • Drivers
  • Filesharing
    • BitTorrent
    • eDonkey & Direct Connect (DC)
    • NewsReaders (Usenet)
    • Other P2P Clients & Tools
  • Internet
    • Download Managers & FTP Clients
    • Messengers
    • Web Browsers
    • Other Internet Tools
  • Multimedia
    • Codecs & Converters
    • Image Viewers & Editors
    • Media Players
    • Other Multimedia Software
  • Security
    • Anti-Malware
    • Firewalls
    • Other Security Tools
  • System
    • Benchmarking & System Info
    • Customization
    • Defrag Tools
    • Disc & Registry Cleaners
    • Management Suites
    • Other System Tools
  • Other Apps
    • Burning & Imaging
    • Document Viewers & Editors
    • File Managers & Archivers
    • Miscellaneous Applications
  • Linux Distributions

Categories

  • General News
  • File Sharing News
  • Mobile News
  • Software News
  • Security & Privacy News
  • Technology News

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

  1. A new remote administration Trojan (RAT) receives command and control instructions through Yahoo Mail, and could be easily modified to communicate with its authors through Gmail or other popular webmail providers. This new RAT’s significance stems primarily from its ability to elude the notice of intrusion detection systems by operating over seemingly benign domains. According to an analysis written Paul Rascagnères of the German security firm G-Data and published by Virus Bulletin, RATs generally transmit the information they steal from victimized machines over a specified port, or by regularly connecting to remote server. Each of these behaviors are well-known flags that are likely to trigger detection on corporate networks. This RAT, known as IcoScript, has gone largely undetected since 2012. Part of the reason, Rascagnères explains, is because access to webmail services is rarely blocked or blacklisted in corporate environments and such traffic is very unlikely to be considered suspicious. IcoScript makes use of Component Object Model technology in Microsoft Windows, making HTTP requests for remote services through Internet Explorer. Another of its novelties is that it appears to use its uniquely tailored scripting language to perform various tasks. In the sample analyzed by G-Data, IcoScript connected to a Yahoo Mail account controlled by its authors. The authors manipulate the malware by sending specially crafted emails containing coded instructions. “Moreover,” Rascagnères writes, “the modular nature of the malware makes it very easy for the attackers to switch to another webmail service, such as Gmail, or even to use services like Facebook or LinkedIn to control the malware while running a low risk of the communication being blocked.” Incident response teams generally contain malware like this, Rascagnères claims, by blocking the URL on the proxy. However, in the case of IcoScript, these URLs are not easily blocked, because they originate from the servers of a trusted service. The efficacy of IcoScript is likely to increase if the attackers diversify the sources of their command can control, configuring samples of the malware to use any number of legitimate webmail providers, social networking sites, and cloud storage services. “The containment must be performed on the network flow in real time,” Rascagnères concludes. “This approach is harder to realize and to maintain. It demonstrates both that attackers know how incident response teams work, and that they can adapt their communication to make detection and containment both complicated and expensive.” Source
  2. A new form of persistent malware has been discovered, one which does not create any file on the disk and stores all activities in the registry. In a blog posted at the end of July, security researcher Paul Rascagneres of GData details the particularities of the new type of malware, dubbed Poweliks, whose methods he labels as “rather rare and new,” since everything is performed in the memory of the computer system and there are several layers of code to get through in order to avoid analysis. The attack vector is an email with a malcrafted Microsoft Word document attached. The vulnerability leveraged by the attackers is CVE-2012-0158, which affects Office and several other Microsoft products. It is not new, but many users are still using old versions of the software that could be compromised. Once the file is launched, the cybercriminals turn on the persistency feature of the malware by creating an encoded autostart key in the registry. It seems that the encoding technique used by the malware was originally created by Microsoft to safeguard their source code from being altered. In order to avoid detection by system tools, the registry key is hidden by providing a name in non-ASCII characters, which makes it unavailable to the Registry Editor (regedit.exe) in Windows. By creating the auto-start key, the attackers make sure that a reboot of the system does not remove it from the computer. By decoding the key, Rascagneres observed two sets of code: one that verified if the affected machine had Windows PowerShell installed, and another one, a Base64-encoded PowerShell script, for calling and executing the shellcode. According to the researcher, the shellcode executes the payload, which attempts to connect to a remote command and control (C&C) server for receiving instructions. There are multiple IP addresses for C&C servers, all hard-coded. The peculiarity of this malware is that it does not create any file on the disk, making it more difficult to be detected through classic protection mechanisms. “To prevent attacks like this, AV solutions have to either catch the file (the initial Word document) before it is executed (if there is one), preferably before it reached the customer’s email inbox. Or, as a next line of defense, they need to detect the software exploit after the file’s execution, or, as a last step, in-registry surveillance has to detect unusual behavior, block the corresponding processes and alert the user,” writes Rascagneres. This type of malicious behavior is not new though, as a sample was also analyzed on KernelMode.info in mid-July, this year. In that case, the same vulnerability was exploited through a malicious RTF attached to an email claiming to be from Canada Post and/or USPS mail service. Source: http://news.softpedia.com/news/Registry-Residing-Malware-Creates-No-File-for-Antivirus-To-Scan-453374.shtml#
  3. A new Remote Administration Tool for Google’s Android platform has become available in the darkest corners of the Internet. This particular type of tool is bundled into a malware package that has the ability to claim control of the devices of those who use an app that has been infected, effectively turning the unwitting smartphone or tablet into a spyware zombie. The latest addition to the arsenal of the unscrupulous goes by the name of “Dendroid” and is being sold on the underground market for as little as $300. A tool like this would normally pass by unnoticed, but Dendroid differs from others in the fact that it offers unlimited usage for the relatively small amount of money an individual has to part with. It also comes bundled with the unnerving ability to hide amongst legitimate apps on the Play Store without being detected by Google’s malware scanning abilities. The scary stuff begins when a user – who is none the wiser – installs an infected app onto their Android smartphone or tablet. The individual(s) responsible for infecting the app in the first place has the ability to gain remote access to the installed device and effectively take control of the hardware. This level of remote access would allow undetected access to photographs, stored data and message archives that are on the device. Perhaps more terrifying, it would also grant access to the microphone and camera modules. A number of researchers from Lookout Security have taken the time to look into Dendroid, and are surprised by the methods its developers have implemented purely just to evade detecting by Bouncer, Google’s malware detection software. It looks as if Dendroid was designed with evading Play Store security in mind. Amongst its numerous features, Dendroid features some relatively simple — yet unusual — anti-emulation detection code that helps it evade detection by Bouncer, Google’s anti-malware screening system for the play store. The introduction and availability of this latest sophisticated Remote Administration Tool further brings attention to the fact that the Android platform is relatively easy pickings for malicious types who are serious about embarking on malware activity. It seems that the market for these types of tools is so lucrative, and is becoming such a commonplace that security researchers involved in the field have furnished the software with the abbreviated name “RAT”. The Android platform is now responsible for a staggering 92% of all known malware on mobile platforms, which has risen from 47% two years ago. The question is, what will Google do about this, if anything? Source
  4. IObit Malware Fighter Pro 2.3.0.16 IObit Malware Fighter is an advanced malware & spyware removal utility that detects, removes the deepest infections, and protects your PC from various of potential spyware, adware, trojans, keyloggers, bots, worms, and hijackers. With the improved, unique "Dual-Core" engine and the heuristic malware detection, IObit Malware Fighter detects the most complex and deepest spyware and malware in a very fast and efficient way. Here are some key features of "IObit Malware Fighter": One-click Solution and Very Easy to Use: Traditional advantages of IObit products. We love simple and automatic styles.Complete PC Security Care: Anti-malware, anti-spyware, anti-adware, anti-trojan, anti-bots, and more. IObit Malware Fighter can assist your antivirus to defend any tricky and complex threats.Finds the Deepest Infections: Using DOG (Digital Original Gene), a novel heuristic malware detection method, while IObit Malware Fighter can find the most complex threats.Very Fast and Light Thanks to the improved, unique "Dual-Core" anti-malware engine, complicated analysis can be made faster now.Work with All Antivirus Products Everyone needs a qualified antivirus software, and IObit Malware Fighter will surely be the best mate for your current antivirus.Automated Working in the Background Just install it and forget it. This powerful utility works continuously, automatically and quietly in the background on your PC. You can set it as your schedule or just let it work automatically when your PC is idle.Automatic and Frequent Updates By the new-generation malware analysis system and our professional database team, IObit Malware Fighter catches the emerging dangerous malware in the Internet.Website: http://www.iobit.com OS: Windows XP / Vista / 7 / 8 / 8.1 Language: ML Medicine: Keygen / Key Size: 26,62 Mb.
  5. By Casey Johnston - Jan 28 2014, 7:00am AUSEST Updates turned some Chrome add-ons maliciousnot all browsers allow that. Customers complain about activity tracking in CRXMouse on Chrome, a particularly invasive add-on. In a recent revelation by OMG Chrome and the developer of the Chrome extension Add to Feedly, it came to light that Chrome extensions are capable of changing service or ownership under a users nose without much notification. In the case of Add to Feedly, a buyout meant thousands of users were suddenly subjected to injected adware and redirected links. Chromes regulations for existing extensions are set to change in June 2014. The changes should prevent extensions from being anything but simple and single-purpose in nature, with a single visible UI surface in Chrome and a single browser action or page action button, like the extensions made by Pinterest or OneTab. This has always been the policy, per a post to the Chromium blog back in December. But going forward, it will be enforced for all new extensions immediately and for all existing extensions retroactively beginning in June. Given how Chromes system of updates, design restrictions, and ownership seemed to have gotten ahead of itself, we decided to take a look at the policies of other browsers to see if their extensions could be subjected to a similar fate. While Chrome isnt the only browser where an Add To Feedly tale could be spun, it seems to be the most likely place for such an outcome. Firefox Mozillas Firefox differs from Chrome in that it has an involved review system for all extensions that go from developers to the front-end store. Reviewers will reject an extension if it violates any of the rules in Firefoxs extension development documents. One of these rules is no surprisesan add-on cant do anything it doesnt disclose to users, and existing add-ons cant change their functionality without notifying the user and getting their permission. Firefox puts add-ons with unexpected features, like advertising that supports the add-on financially, into a separate category. Users have to explicitly opt-in to these features, says Jonathan Nightingale, vice president of Firefox. This means that in these cases, users will see a screen offering them the additional features, says Nightingale. One example is FastestFox, which pops a tab at first install asking the user to enable ad injection from Superfish. It's how developers implement these opt-in screens that could provide for a possible loophole; the addition of advertising might be obscurable by language, and data tracking could be, too (it's permitted under Firefoxs rules, but it must be disclosed in a privacy policy). Still, the review policy and need for opt-in for these more pernicious features both help prevent users from having new functionality sprung on them. Safari Safari has extensive design documents for its extensions but no central clearinghouse for them like other browsers. Apple keeps a gallery of a chosen few extensions that must meet certain regulations, but these represent a small fraction of the extensions available. Data tracking of an extensions users is possible, per the design docs, as is ad manipulation. Unlike Chrome, but like Firefox, the download and installation of Safari extension updates must be manually approved by the user. There are no regulations for disclosing functionality changes or changes of ownership, however. Internet Explorer Microsofts browser absolves itself of responsibility for add-ons on a support page where it states, "While add-ons can make your browsing experience better by giving you access to great Web content, some add-ons can pose security, privacy, or performance risks. Make sure any add-ons you install are from a trusted source." Add on at your own risk. Like Apple, Microsoft maintains an exclusive gallery of vetted add-ons. The company encourages extension makers to get user consent for unexpected add-on functionality, but it doesnt require it or block extensions that dont do it. Markup-based extensions can only be installed from within the browser, and therefore these must have the users explicit consent according to Microsoft. Other than this infrastructure, nothing prevents IE add-ons from doing things like injecting ads or redirecting a browsing experience (remember, this was the former home of the invasive toolbar add-on). IE10 does have an add-on management window, but some add-ons, like the ad-injecting Buzzdcock, have to be removed as if they are full-fledged applications. Uninstalling a particularly invasive IE add-on. Opera The latest versions of Opera are able to use Chromium extensions, but unlike Chrome ones, they get a review process thats similar to Firefoxs. Most importantly in Opera, there are restrictions on the types of scripts an extension can run and how they handle ads. Andreas Bovens, head of developer relations at Opera Software, told Ars in an e-mail that Opera doesnt allow extensions that include ads or tracking in content scripts, so extensions that, for example, inject ads inside webpages the user visits are not allowed. Extensions can, however, have ads in their options pages or in the pop-up that is triggered by their button in the browsers interface. Every extension gets a review, and the review team takes special care to suss out the nature of any obfuscated JavaScript code. If some of the code is obfuscated, reviewers ask the developers for the unobfuscated code to look at as well as a link to the obfuscation tool. That way we can check that the input and output indeed match, Bovens says. When an extensions ownership is transferred or the extension is updated, its subject to the same rigorous review process as an extension thats being submitted for the first time, according to Bovens. An extension that goes from having no ads to injecting ads, as some Chrome extensions do, simply would not pass [Operas] review process, Bovens says. Retiring to the not-so-Wild West? While Chrome extensions may have a better ideology than those of some other browsers, the breadth and depth of functionality that Chrome extensions can have without any kind of review process means that Chrome users trust can get taken for granted. Its similar to the Google Play app store, in that way: pretty much anything can make it to the market, but enough user complaints can get it taken down, as in the case of Add to Feedly and Tweet This Page. Based on policy and practice, users who heavily rely on extensions or have been made wary of them by developers recent transgressions may be safer on browsers like Firefox and Opera, where regulations are a bit stricter and there are people to police them. But there can be downsides to a vetting process, too, mainly in terms of rate-limiting iteration and improvements, so its a matter of weighing options. Former home? This is the current home for an awful lot of crapware add-ons, like Conduit's search hijacker, or the Ask.com toolbar that still hasn't died a thousand deaths, even though it should. http://arstechnica.com/business/2014/01/seeking-higher-ground-after-chrome-extension-adwaremalware-problems
  6. IObit Malware Fighter Pro 2.3.0.10 IObit Malware Fighter is an advanced malware & spyware removal utility that detects, removes the deepest infections, and protects your PC from various of potential spyware, adware, trojans, keyloggers, bots, worms, and hijackers. With the improved, unique "Dual-Core" engine and the heuristic malware detection, IObit Malware Fighter detects the most complex and deepest spyware and malware in a very fast and efficient way. Here are some key features of "IObit Malware Fighter": One-click Solution and Very Easy to Use: Traditional advantages of IObit products. We love simple and automatic styles.Complete PC Security Care: Anti-malware, anti-spyware, anti-adware, anti-trojan, anti-bots, and more. IObit Malware Fighter can assist your antivirus to defend any tricky and complex threats.Finds the Deepest Infections: Using DOG (Digital Original Gene), a novel heuristic malware detection method, while IObit Malware Fighter can find the most complex threats.Very Fast and Light Thanks to the improved, unique "Dual-Core" anti-malware engine, complicated analysis can be made faster now.Work with All Antivirus Products Everyone needs a qualified antivirus software, and IObit Malware Fighter will surely be the best mate for your current antivirus.Automated Working in the Background Just install it and forget it. This powerful utility works continuously, automatically and quietly in the background on your PC. You can set it as your schedule or just let it work automatically when your PC is idle.Automatic and Frequent Updates By the new-generation malware analysis system and our professional database team, IObit Malware Fighter catches the emerging dangerous malware in the Internet.Website: http://www.iobit.com OS: Windows XP / Vista / 7 / 8 / 8.1 Language: ML Medicine: Keygen / Key Size: 26,82 Mb.
  7. 15 Jan 14 Last weekend, Target finally disclosed at least one cause of the massive data breach that exposed personal and financial information on more than 110 million customers: Malicious software that infected point-of-sale systems at Target checkout counters. Todays post includes new information about the malware apparently used in the attack, according to two sources with knowledge of the matter The seller of the point-of-sale memory dump malware allegedly used in the Target attack In an interview with CNBC on Jan. 12, Target CEO Gregg Steinhafel confirmed that the attackers stole card data by installing malicious software on point-of-sale (POS) devices in the checkout lines at Target stores. A report published by Reuters that same day stated that the Target breach involved memory-scraping malware. This type of malicious software uses a technique that parses data stored briefly in the memory banks of specific POS devices; in doing so, the malware captures the data stored on the cards magnetic stripe in the instant after it has been swiped at the terminal and is still in the systems memory. Armed with this information, thieves can create cloned copies of the cards and use them to shop in stores for high-priced merchandise. Earlier this month, U.S. Cert issued a detailed analysis of several common memory scraping malware variants. Target hasnt officially released details about the POS malware involved, nor has it said exactly how the bad guys broke into their network. Since the breach, however, at least two sources with knowledge of the ongoing investigation have independently shared information about the point-of-sale malware and some of the methods allegedly used in the attack. BLACK POS On Dec. 18, three days after Target became aware of the breach and the same day this blog broke the story, someone uploaded a copy of the point-of-sale malware used in the Target breach to ThreatExpert.com, a malware scanning service owned by security firm Symantec. The report generated by that scan was very recently removed, but it remains available via Google cache. According to sources, ttcopscli3acs is the name of the Windows computer name/domain used by the POS malware planted at Target stores; the username that the thieves used to log in remotely and download stolen card data was Best1_user; the password was BackupU$r According to a source close to the investigation, that threatexpert.com report is related to the malware analyzed at this Symantec writeup (also published Dec. 18) for a point-of-sale malware strain that Symantec calls Reedum (note the Windows service name of the malicious process is the same as the ThreatExpert analysis POSWDS). Interestingly, a search in Virustotal.com a Google-owned malware scanning service for the term reedum suggests that this malware has been used in previous intrusions dating back to at least June 2013; in the screen shot below left, we can see a notation added to that virustotal submission, 30503 POS malware from FBI. The source close to the Target investigation said that at the time this POS malware was installed in Targets environment (sometime prior to Nov. 27, 2013), none of the 40-plus commercial antivirus tools used to scan malware at virustotal.com flagged the POS malware (or any related hacking tools that were used in the intrusion) as malicious. They were customized to avoid detection and for use in specific environments, the source said. That source and one other involved in the investigation who also asked not to be named said the POS malware appears to be nearly identical to a piece of code sold on cybercrime forums called BlackPOS, a relatively crude but effective crimeware product. BlackPOS is a specialized piece of malware designed to be installed on POS devices and record all data from credit and debit cards swiped through the infected system. According the author of BlackPOS an individual who uses a variety of nicknames, including Antikiller the POS malware is roughly 207 kilobytes in size and is designed to bypass firewall software. The barebones budget version of the crimeware costs $1,800, while a more feature-rich full version including options for encrypting stolen data, for example runs $2,300. THE ATTACK Target has yet to honor a single request for comment from this publication, and the company has said nothing publicly about how this breach occurred. But according to sources, the attackers broke in to Target after compromising a company Web server. Somehow, the attackers were able to upload the malicious POS software to store point-of-sale machines, and then set up a control server within Targets internal network that served as a central repository for data hoovered by all of the infected point-of-sale devices. The bad guys were logging in remotely to that [control server], and apparently had persistent access to it, a source close to the investigation told KrebsOnSecurity. They basically had to keep going in and manually collecting the dumps. Its not clear what type of software powers the point-of-sale devices running at registers in Targets U.S. stores, but multiple sources say U.S. stores have traditionally used a home-grown software called Domain Center of Excellence, which is housed on Windows XP Embedded and Windows Embedded for Point of Service (WEPOS). Targets Canadian stores run POS devices from Retalix, a company recently purchased by payment hardware giant NCR. According to sources, the Retalix POS systems will be rolled out to U.S. Target locations gradually at some point in the future. WHO IS ANTIKILLER? A more full-featured Breadcrumbs-level analysis of this malware author will have to wait for another day, but for now there are some clues already dug up and assembled by Russian security firm Group-IB. Image: Securityaffairs.co Not long after Antikiller began offering his BlackPOS crimeware for sale, Group-IB published an analysis of it, stating that customers of major US banks, such as such as Chase (Newark, Delaware), Capital One (Virginia, Richmond), Citibank (South Dakota), Union Bank of California (California, San Diego), Nordstrom FSB Debit (Scottsdale, Arizona), were compromised by this malware. In his sales thread on at least one crime forum, Antikiller has posted a video of his product in action. As noted by Group-IB, there is a split second in the video where one can see a URL underneath the window being recorded by the authors screen capture software which reveals a profile at the Russian social networking site Vkontakte.ru. Group-IB goes on to link that account to a set of young Russian and Ukranian men who appear to be actively engaged in a variety of cybercrime activities, including distributed denial-of-service (DDoS) attacks and protests associated with the hackivist collective known as Anonymous. One final note: Dozens of readers have asked whether I have more information on other retailers that were allegedly victimized along with Target in this scheme. According to Reuters, smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target. Rest assured that when and if I have information about related breaches I feel confident enough about to publish, you will read about it here first. http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware
  8. By Shona Ghosh Posted on 9 Jan 2014 at 15:21 Millions of PCs may have been infected by malware inserted into ads on Yahoo websites - and then used to mine bitcoins. Yahoo confirmed this week that hackers had managed to insert malware into ads displayed on some of its European sites, but hasn't said how many users have been affected. Security company Light Cyber estimates that several million PCs have been infected, and found the malware had been used to install Bitcoin-mining software on some machines. Separate estimates this week from security firm Fox-IT suggest the UK has one of the highest numbers of affected users. Light Cyber founder and vice president for product and strategy, Giora Engel, said the hackers were potentially building a huge network of Bitcoin-mining PCs, since the task is too labour intensive for one machine. He added that the malware had delivered other tools that gave hackers control over infected PCs. "This campaign downloaded a variety of different tools - some were malware to enable attackers to control each infected PC and steal passwords," he told PC Pro. "Other tools were more specific – the Bitcoin mining tool is not malware itself, it's something anyone can download and generate Bitcoin." Engel estimated that, with several million machines at their disposal, the hackers could be making $10,000 (approximately £6,000) a day. Security companies have said the number of Bitcoin-related attacks will rise this year, after the virtual currency shot up in value. One Bitcoin is currently worth around £500, though its value fluctuates. http://www.pcpro.co.uk/news/security/386452/yahoo-malware-turns-millions-of-pcs-into-bitcoin-network
  9. By Dan Goodin - Feb 11 2014, 8:33am AEST Attackers used phishing and zero-days to infect Windows, Mac, and Linux users. Mask victims by IP address. Calling it the most sophisticated malware-driven espionage campaign ever discovered, researchers said they have uncovered an attack dating back to at least 2007 that infected computers running the Windows, OS X, and Linux operating systems of 380 victims in 31 countries. The "Mask" campaign, which gets its name from a string of text found in one of the malware samples, includes a variety of components used to siphon encryption keys, key strokes, Skype conversations, and other types of sensitive data off infected computers. There is also evidence that the Spanish-speaking attackers had malware that ran on devices running both Apple's iOS and Google's Android mobile operating systems. Victims include government agencies, embassies, research institutions, private equity firms, activists, energy companies, and companies in other industries. The sophistication of Mask makes it likely that the campaign is the work of attackers sponsored by a well-resourced nation-state, said researchers from Kaspersky Lab, the Moscow-based security company that discovered it. Mask—or "Careto" as its Spanish slang translation appears in source code analyzed by Kaspersky—joins a pantheon of other state-sponsored malware campaigns with names including Stuxnet, Flame, Duqu, Red October, Icefog, and Gauss. Unlike more opportunistic crimeware campaigns that generate revenue by targeting anyone with an Internet-connected computer, these "advanced persistent threats" (APTs) are much more determined. They're tailored threats that are aimed as specific people or organizations who possess unique data or capabilities with strategic national or business value. "With Careto, we describe yet another sophisticated cyberespionage operation that has been going on undiscovered for more than five years," Kaspersky Lab researchers wrote in a detailed analysis published Monday. "In terms of sophisticated, we put Careto above Duqu, Gauss, RedOctober, or Icefog, making it one of the most complex APTs we observed." The attackers relied on highly targeted spear phishing e-mails to lure targeted individuals to malicious websites. In some cases, attackers impersonated well-known websites, such as those operated by The Guardian and The Washington Post. One of the exploits recently used by the attackers targeted CVE-2012-0773, a highly critical vulnerability in Adobe's Flash Player that made it possible to bypass the sandbox security protection Google Chrome and other browsers rely on to prevent websites from executing malicious code on end-user computers. "What makes 'The Mask' special is the complexity of the toolset used by the attackers," the Kaspersky analysis stated. "This includes an extremely sophisticated malware, a rootkit, a bootkit, 32- and 64-bit Windows versions, Mac OS X and Linux versions, and possibly versions of Android and iPad/iPhone (Apple iOS)." Kaspersky researchers first stumbled onto Mask after noticing that it exploited a vulnerability in older versions of Kaspersky antivirus products to hide itself. The vulnerability has been patched for an unspecified amount of time, but attackers were exploiting the vulnerability on machines that continued to run older versions of the Kaspersky software. Like Stuxnet and many other pieces of malware used in the last five years, Mask code was digitally signed, in this case with a valid certificate issued to a fake company called TecSystem Ltd. Such digital credentials are designed to bypass warnings delivered by Windows and other operating systems before executing programs that haven't been vouched for by credentials issued by a recognized certificate authority. The malware uses encrypted HTTP or HTTPS channels when communicating with command and control servers. Researchers were able to take control of some of the domain names or IP addresses hosting the control servers that Mask-infected computers reported to. In all, the researchers observed 1,000 separate IP addresses in 31 countries connect. They also found traces of 380 different victim identifiers designated by the Mask naming convention. The Mask campaign was abruptly shut down last week within hours of being revealed in a short blog post. "For Careto, we observed a very high degree of professionalism in the operational procedures of the group behind this attack, including monitoring of their infrastructure, shutdown of the operation, avoiding curious eyes through access rules, using wiping instead of deletion for log files and so on," the Kaspersky analysis noted. "This is not very common in APT operations, putting the Mask into the 'elite' APT groups section." Post updated to add "slang" to the third paragraph. http://arstechnica.com/security/2014/02/meet-mask-posssibly-the-most-sophisticated-malware-campaign-ever-seen
  10. A group of enterprising cybercriminals has figured out how to get cash from a certain type of ATM -- by text message. The latest development was spotted by security vendor Symantec, which has periodically written about a type of malicious software it calls "Ploutus" that first appeared in Mexico. The malware is engineered to plunder a certain type of standalone ATM, which Symantec has not identified. The company obtained one of the ATMs to carry out a test of how Ploutus works, but it doesn't show a brand name. Ploutus isn't the easiest piece of malware to install, as cybercriminals need to have access to the machine. That's probably why cybercriminals are targeting standalone ATMs, as it is easy to get access to all parts of the machine. Early versions of Ploutus allowed it to be controlled via the numerical interface on an ATM or by an attached keyboard. But the latest version shows a remarkable new development: It is now controllable remotely via text message. In this variation, the attackers manage to open up an ATM and attach a mobile phone, which acts as a controller, to a USB port inside the machine. The ATM also has to be infected with Ploutus. "When the phone detects a new message under the required format, the mobile device will convert the message into a network packet and will forward it to the ATM through the USB cable," wrote Daniel Regalado, a Symantec malware analyst, in a blog post on Monday. Ploutus has a network packet monitor that watches all traffic coming into the ATM, he wrote. When it detects a valid TCP or UDP packet from the phone, the module searches "for the number "5449610000583686 at a specific offset within the packet in order to process the whole package of data," he wrote. It then reads the next 16 digits and uses that to generate a command line to control Ploutus. So, why do this? Regalado wrote that it is more discrete and works nearly instantly. The past version of Ploutus required someone to either use a keyboard or enter a sequences of digits into the ATM keypad to fire up Ploutus. Both of those methods increase the amount of time someone spends in front of the machine, increasing the risk of detection. Now, the ATM can be remotely triggered to dispense cash, allowing a "money mule," or someone hired to do the risky job of stopping by to pick up the cash, to swiftly grab their gains. It also deprives the money mule of information that could allow them to skim some cash off the top, Regalado wrote. "The master criminal knows exactly how much the money mule will be getting," he wrote. Symantec warned that about 95% of ATMs are still running Windows XP, Microsoft's 13-year-old OS. Microsoft is ending regular support for Windows XP on April 8, but is offering extended support for Windows XP embedded systems, used for point-of-sale devices and ATMs, through January 2016. Still, Symantec warned that "the banking industry is facing a serious risk of cyberattacks aimed at their ATM fleet." Source
  11. By Ron Amadeo - Jan 18 2014, 10:10am AUSEST Once in control, they can silently push new ad-filled "updates" to those users. One of the coolest things about Chrome is the silent, automatic updates that always ensure that users are always running the latest version. While Chrome itself is updated automatically by Google, that update process also includes Chrome's extensions, which are updated by the extension owners. This means that it's up to the user to decide if the owner of an extension is trustworthy or not, since you are basically giving them permission to push new code out to your browser whenever they feel like it. To make matters worse, ownership of a Chrome extension can be transferred to another party, and users are never informed when an ownership change happens. Malware and adware vendors have caught wind of this and have started showing up at the doors of extension authors, looking to buy their extensions. Once the deal is done and the ownership of the extension is transferred, the new owners can issue an ad-filled update over Chrome's update service, which sends the adware out to every user of that extension. We ought to clarify here that Google isn't explicitly responsible for such unwanted adware, but vendors are exploiting Google's extension system to create a subpar—and possibly dangerous—browsing experience. Ars has contacted Google for comment, but we haven't heard back yet. We'll update this article if we do. A first-hand account of this, which was first spotted by OMGChrome, was given by Amit Agarwal, developer of the "Add to Feedly" extension. One morning, Agarwal got an e-mail offering "4 figures" for the sale of his Chrome extension. The extension was only about an hour's worth of work, so Agarwal agreed to the deal, the money was sent over PayPal, and he transferred ownership of the extension to another Google account. A month later, the new extension owners released their first (and so far only) update, which injected adware on all webpages and started redirecting links. Chrome's extension auto-update mechanism silently pushed out the update to all 30,000 Add to Feedly users, and the ad revenue likely started rolling in. While Agarwal had no idea what the buyer's intention was when the deal was made, he later learned that he ended up selling his users to the wolves. The buyer was not after the Chrome extension, they were just looking for an easy attack vector in the extension's user base. This isn't a one-time event, either. About a month ago, I had a very simple Chrome extension called "Tweet This Page" suddenly transform into an ad-injecting machine and start hijacking Google searches. A quick search for the Chrome Web Store reveals several other extensions that reviewers say suddenly made a U-turn from useful extension to ad-injector. There is even an extension that purports to stop other extensions from injecting ads. Injected ads are allowed in Chrome extensions, but Google's policy states that which app the ads are coming from must be clearly disclosed to the user, and they cannot interfere with any native ads or the functionality of the website. When malicious apps don't follow Google's disclosure policy, diagnosing something like this is extremely difficult. When Tweet This Page started spewing ads and malware into my browser, the only initial sign was that ads on the Internet had suddenly become much more intrusive, and many auto-played sound. The extension only started injecting ads a few days after it was installed in an attempt to make it more difficult to detect. After a while, Google search became useless, because every link would redirect to some other webpage. My initial thought was to take an inventory of every program I had installed recently—I never suspected an update would bring in malware. I ran a ton of malware/virus scanners, and they all found nothing. I was only clued into the fact that Chrome was the culprit because the same thing started happening on my Chromebook—if I didn't notice that, the next step would have probably been a full wipe of my computer. The difficult part of this for users is that normal removal techniques will not work. Virus scanners are unlikely to flag ad-injecting JavaScript as malicious. Extensions are synced to your Google account, which means that even wiping out a computer and reinstalling the OS will not remove the malware—signing-in to Chrome will just download it again. The only way to be rid of the malware is to find the extension in chrome://extensions and remove it—and to make sure the removal gets propagated to your account and down to all your other devices. Even when you have it narrowed down to Chrome, since nothing detects a malicious Chrome extension, the best course of action is to meticulously check the latest reviews of every extension and hope that someone else has figured out where the ads are coming from. What can users do to protect themselves? It's very hard to keep yourself in the loop with Chrome extension updates. Extensions usually don't have changelogs, and there is currently no way to disable extension auto-updating. One way to stay a least slightly informed of what is going on is to install an extension that will notify you when your other extensions get updated. Other than that, the only other option is to stop using extensions entirely, which is a little extreme. Just keep an eye on the simpler extensions from smaller extension makers—those are the ones at most risk of being gobbled up by a malicious entity. Chrome will require your approval if an extension adds new permissions, but the magic permission that allows ad-injecting is called "access your data on all web pages," which many legitimate extensions already use. A malicious extension buyer could even look for an extension that already uses this permission so that their update will arouse the least suspicion among current users. The reality, though, is that while it's extremely easy for a novice user to install an extension, it's nearly impossible for them to diagnose and remove an extension that has turned sour, and Chrome Sync will make sure that extension hangs around on all their devices for a long time. The author of Add to Feedly stated that his extension had around 30,000 users before it was sold and packed full of ads. Today, despite the flood of unhappy user reviews, the Chrome Web Store shows 31,548 users. Auto-updating from a trusted source is one thing, but when that user trust can be bought and sold—and extension ownership can change hands without the users being informed—something needs to be done. http://arstechnica.com/security/2014/01/malware-vendors-buy-chrome-extensions-to-send-adware-filled-updates/?
  12. Los Angeles, California - January 17, 2014 The massive data breach at Target during the 2013 holiday shopping season which the retailer now admits affected 70 million customers used an inexpensive "off the shelf" malware known as BlackPOS. The same malware may have also been involved in the Neiman Marcus attack. Security researchers from IntelCrawler, a Los-Angeles based cyber intelligence company, announced that the age of BlackPOS malware author is close to 17 years old and the first sample of it was created in March 2013. The first report on this malware was done in the beginning of spring by Andrew Komarov, IntelCrawler CEO, when he was working in another forensics company. According to own sources of IntelCrawler the first infected Point-of-Sales environments by BlackPOS were in Australia, Canada and the US. The first name of the malware was a lyric "Kaptoxa" ("potatoe" - in russian slang), which then was renamed to "DUMP MEMORY GRABBER by Ree[4]" for forums postings, but the title for C&C had string "BlackPOS". During that time, "Ree[4]" ("ree4") has sold more then 40 builds of BlackPOS to cybercriminals from Eastern Europe and other countries, including the owners of underground credit cards shops such as ".rescator", "Track2.name", "Privateservices.biz" and many others. The same dates the detailed information and reverse engineering report were shared with Visa and several major US banks, after which US LEA released internal notification for financial industry about that. The bad actor was pretty opened for trading this malware for 2 000 USD or by receiving 50% from selling of all intercepted credit cards by his customer through Liberty Reserve. [email protected]: http://ree4.7ci.ru/dump_grabber.php [email protected]: it is administrative panel [email protected]: password "pass" [email protected]: http://www.sendspace.com/file/zglgvy [email protected]: after infection you will receive "readme.txt", like "ping" The first C&C server of BlackPOS was installed on "ree4.7ci.ru", which was the personal host of its author with nickname "ree[4]". Some other hosts were found on this domain name, as probably it was used as a hosting for all members of the same group: - onlyddos.7ci.ru; - merzavetz.7ci.ru; - reperckov41.7ci.ru. [email protected]: http://plasmon.rghost.ru/44699041/image.png hidden: how does it keep the data ( intercepted credit cards)? [email protected]: from left side it is files, time.txt, then you click on it and you will find dumps in browser in plaintext hidden: are there any differences in terms of infected Point-of-Sale systems? [email protected]: no, but there are some nuances, for examples it doesn't work on Verifone hidden: really? I have Verifones ... [email protected]: it grabs dumps from memory, Verifone can be connected to PC, but it will be "secured", you need standalone Point-of-Sale terminals with monitor and Windows hidden: how much? [email protected]: 2000 USD [email protected]: 1st build Previously he has created several tools used in hacking community for brute force attacks, such as "Ree4 mail brute", and also earned some first money with social networks accounts hacking and DDoS attacks trainings, as well as software development including malicious code. Investigators from IntelCrawler have also made a profiling on bad actor: E-mail 1: [email protected] E-mail 2: [email protected] ICQ: 565033 Skype: s.r.a.ree4 According to operative information from IntelCrawler, the person behind the nickname "ree[4]" is Sergey Taraspov, having roots in St.Petersburg and Nizhniy Novgorod (Russian Federation), very well known programmer of malicious code in underground. "He is still visible for us, but the real bad actors responsible for the past attacks on retailers such as Target and Neiman Marcus were just his customers", comments Dan Clements, IntelCrawler President. Before both breaches IntelCrawler detected large-scale RDP brute-forcing attacks on Point-of-Sales terminals across the US, Australia and Canada started at the beginning of 2013 year in winter period with week passwords such as: "pos":"pos"; "micros":"micros" (MICROS Systems, Inc. - Point-of-Sale Hardware); "edc":"123456" (EDC - Electronic Draft Capture). February 9th, 2013, 14:30 URL:http://www.rf-cheats.ru/forum/archive/index.php/t-156884.html IP Address: 71.138.234.81 Location: UNITED STATES, CALIFORNIA, LOS ANGELES Latitude & Longitude: 34.052230, -118.243680 Connection: 26 INTERNATIONAL INC Net Speed: (COMP) Company/T1 IDD & Area Code: 213/310/424/323 ZIP Code: 90001 Weather Station: LOS ANGELES (USCA0638) IP Address: 75.127.54.179 Location: UNITED STATES, CALIFORNIA, LOS ANGELES Latitude & Longitude: 34.002300, -118.211520 Connection: DESIGN COLLECTION Net Speed: (COMP) Company/T1 IDD & Area Code: 213/323 ZIP Code: 90058 Weather Station: LOS ANGELES (USCA0638) Usage Type: (COM) Commercial February 21th, 2013, 13:36 IP Address: 63.138.49.238 Location: UNITED STATES, NEW YORK, FAIRPORT Latitude & Longitude: 43.088572, -77.432766 Connection: PAETEC COMMUNICATIONS INC. Domain: PAETEC.COM Net Speed: (DSL) Broadband/Cable IDD & Area Code: 585 ZIP Code: 14450 Weather Station: FAIRPORT (USNY0477) May 21th, 2013, 18-26 URL: http://d3scene.ru/besplatnye-razdachi-i-pooschreniya/49081-razdacha-dedikov.html IP Address: 168.215.163.98 Location:UNITED STATES, COLORADO, LONE TREE Latitude & Longitude: 39.546295, -104.896772 Connection: TW TELECOM HOLDINGS INC. Domain: TWTELECOM.NET Net Speed: (COMP) Company/T1 IDD & Area Code: 303 ZIP Code: 80124 Weather Station: PARKER (USCO0306) According to The New York Times (NYT) Neiman Marcus acknowledged that the time stamp on the first intrusion was in mid-July, which may have good correlation with found compromised Point-of-Sales. July 19th, 2013 URL: http://freegaming.ucoz.net/news/razdacha_dedikov/2013-07-19-3 "EDC" - Electronic Draft Capture, also known as "EDC" or "Point Of Sale" (POS) allows you to capture and authorize a credit card. IP Address: 64.119.39.123 Location: UNITED STATES, ARIZONA, TUCSON Latitude & Longitude: 32.044150, -110.734770 Connection: PRIVATE CUSTOMER Net Speed: (COMP) Company/T1 IDD & Area Code: 520 ZIP Code: 85747 Weather Station: TUCSON (USAZ0247) September 22nd, 2013, 15:52 URL: http://ccc.gs/topic/2405-razdacha-dedikov/ IP Address: 38.82.206.34 Location: UNITED STATES, CALIFORNIA, VALENCIA Latitude & Longitude: 34.406069, -118.535302 Connection: TCAST COMMUNICATIONS INC Domain: COGENTCO.COM Net Speed (DSL): Broadband/Cable IDD & Area Code: 661 ZIP Code: 91355 Weather Station: STEVENSON RANCH (USCA1095) "Most of the victims are department stores. More BlackPOS infections, as well as new breaches can appear very soon, retailers and security community should be prepared for them", commented Andrew Komarov, IntelCrawler CEO. About IntelCrawler IntelCrawler.com is a multi-tier intelligence aggregator, which gathers information and cyber prints from a starting big data pool of over 3, 000, 000, 000 IPv4 and over 200, 000, 000 domain names, which are scanned for analytics and dissemination to drill down to a desired result. This finite pool of cyber prints is then narrowed further by comparing it to various databases and forum intelligence gathered from the underground and networked security company contacts. The final result could be the location of a particular keyboard or a computer housing the threat. http://intelcrawler.com/about/press08
  13. Google has removed two Chrome extensions from its store due to the way they were serving ads to users. The extensions in question, Add to Feedly and Tweet This Page, both started life as useful additions to Google's web browser, but were soon serving users pop-ups and other intrusive ads. The reason for the sudden change in behavior? In Add to Feedly's case, at least, it was purchased from its developer and quickly began serving ads to its 30,000 users. In a blog post, Add to Feedly developer Amit Agarwal describes how he got an email presenting "a four-figure offer for something that had taken an hour to create." As you'd expect, the developer decided to cash in, but a month on realized the new owners of the extension silently updated it to serve ads. "These aren't regular banner ads," says Agarwal, "these are invisible ads that work [in] the background and replace links." The issue was picked up by OMG Chrome and Ars Technica, both of which suspect the issues aren't limited to Add to Feedly and Tweet This Page. The suggestion is that advertisers regularly buy popular extensions and transform them into adware. This appears to be backed up by the developer of the popular Honey extension, who claimed last weekend he too was approached by advertisers about selling the add-on. Shortly after the articles were published, Google took action against the rogue extensions, citing a December change to its policies that outlaws complex changes to websites by extensions, according to The Wall Street Journal. Although the changes aren't due to be enforced until June, Google has clearly taken a harder stance on such flagrant abuse. Agarwal, for his part, admits "it was probably a bad idea" to sell Add to Feedly, and apologizes to users affected by the adware. Source
  14. By Ben Zigterman on Jan 24, 2014 at 6:15 PM Phil Schiller recently tweeted a link to a report that said 99% of all mobile malware is directed at Android. Usually the malware comes through the web in the form of phishing or other tactics but it usually doesnt come from PCs. However, thats not the case with a particular piece of malware uncovered by Symantec that installs malware onto Android devices when they are connected to Windows PCs. The malware, called Trojan.Droidpak, installs a fake version of the Google Play store when the Android device is connected to PCs in USB debugging mode. That mode is usually only used by developers, but is also sometimes necessary for rooting Android devices or installing alternative Android firmware. This malware appears to be directed at online bankers in Korea, Symantec has found. The malicious APK [Android application package] actually looks for certain Korean online banking applications on the compromised device and, if found, prompts users to delete them and install malicious versions, wrote Flora Liu, a researcher at Symantec. That being said, the method could be replicated by other malware. To avoid this threat, Symantec recommends turning off the USB debugging mode and avoiding connecting your Android device to computers you dont trust. http://bgr.com/2014/01/24/android-malware-threat-windows
  15. Five days after Ars chronicled a security researcher's three-year odyssey investigating a mysterious piece of malware he dubbed badBIOS, some of his peers say they are still unable to reproduce his findings. "I am getting increasingly skeptical due to the lack of evidence," fellow researcher Arrigo Triulzi told Ars after examining forensic data that Ruiu has turned over. "So either I am not as good as people say or there is really nothing." As Ars reported last week, Ruiu said the malware first took hold of a MacBook Air of his three years ago and has since infected his laboratory computers running Windows, Linux, and BSD. Even more intriguing are his claims the malware targets his computers' low-level Basic Input/Output System (BIOS), Unified Extensible Firmware Interface (UEFI), or Extensible Firmware Interface (EFI) firmware and allows infected machines to communicate even when they're not connected over a network. Since the article was published, researchers have attempted to reproduce the behavior Ruiu described. So far there have been no reports of success, and some of the more skeptical researchers are beginning to say Ruiu has misinterpreted or misrepresented the data. Ruiu, meanwhile, continues to stand by his conclusions. Among the skeptics is Triulzi, a security researcher who five days ago voiced confidence that Ruiu's observations were reliable. Ars originally sought out Triulzi's opinion because he developed a highly stealthy piece of proof-of-concept malware five years ago that targeted the firmware of a computer's network interface controller, a feat that's on par with badBIOS's ability to infect a computer's BIOS. On Tuesday, Triulzi said he still thinks it's possible badBIOS has done everything Ruiu says it has. But after reviewing the data that Ruiu provided in response to requests for proof, Triulzi said he is more doubtful than he was before. The data included BIOS images, disk images captured with the dd Unix command, and gigabytes worth of Process Monitor analysis, all from one or more computers that Ruiu said was infected with badBIOS. The hard drive data "are just perfectly normal disk images with nothing suspicious in them," he told Ars. Similarly, he found nothing out of the ordinary when examining the BIOS image or the Process Monitor data. Triulzi isn't the only researcher to reach the conclusion Ruiu's data doesn't show anything amiss. Tavis Ormandy, another security researcher who has also reviewed the data, posted comments to a Google Plus thread. He wrote: argumentum ad ignorantiam As every student in an intro to logic course learns, the absence of proof is not proof of absence. I continue to agree with Triulzi and other security researchers when they say it's perfectly feasible for a determined attacker to develop malware as advanced as badBIOS and unleash it wittingly or otherwise on Ruiu's machines. At the same time, extraordinary claims require extraordinary proof. If badBIOS is real, there should be no reason researchers can't independently verify its existence, especially if, as Ruiu says, it's infected more than a dozen computers and USB drives over a three-year span. So while the inability of Triulzi and Ormandy to corroborate Ruiu's findings isn't proof his badBIOS research is flawed, they are significant developments that I thought were worthy of an update. Ruiu, for his part, continues to say badBIOS behaves precisely the way he has described in a series of social media posts and in interviews with Ars. He said he's continuing to make data available to researchers so they can independently evaluate it. "I've surrendered up a couple of my laptops. We had somebody fly in from New York and pick some up yesterday," he told Ars on Tuesday, declining to identify them by name. "They're going to have some smart guys force some eyes on it. We'll get some peer review and find out if I'm completely losing it or if we found something significant." Then, he paused for a moment and added: "By the way, I still don't think I'm losing it." Source: ArsTechnica
  16. Hardly two month ago we reported about the first widely spread Android Bootkit malware, dubbed as 'Oldboot.A', which infected more than 500,000 Smartphone users worldwide with Android operating system in last eight months, especially in China. Oldboot is a piece of Android malware that's designed to re-infect Mobile devices even after a thorough cleanup. It resides in the memory of infected devices; It modify the devices’ boot partition and booting script file to launch system service and extract malicious application during the early stage of system’s booting. Yet another alarming report about Oldboot malware has been released by the Chinese Security Researchers from '360 Mobile Security'. They have discovered a new variant of the Oldboot family, dubbed as 'Oldboot.B', designed exactly as Oldboot.A, but new variant has advance stealth techniques. Especially, the defense against with antivirus software, malware analyzer, and automatic analysis tools. "The Oldboot Trojan family is the most significant demonstration of this trend." researchers said. Oldboot.B, Android Bootkit malware has following abilities: It can install malicious apps silently in the background. It can inject malicious modules into system process. Prevent malware apps from uninstalling. Oldboot.B can modify the browser's homepage. It has ability to uninstall or disable installed Mobile Antivirus softwares. INFECTION & INSTALLING MORE MALWARE APPS Once an Android device is infected by Oldboot.B trojan, it will listen to the socket continuously and receive and execute commands received from the attacker's command-and-control server. Malware has some hidden ELF binaries, that includes steganographically encrypted strings, executable codes and configuration file downloaded from C&C server, located at az.o65.org (IP is 61.160.248.67). After installation, Oldboot Trojan install lots of other malicious android applications or games in the infected device, which are not manually installed by the user. MALWARE ARCHITECTURE Oldboot.B architecture includes four major Components, those automatically executes during the system startup by registering itself as a service in the init.rc script: 1) boot_tst - uses remote injection technique to inject an SO file and a JAR file to the 'system_server' process of the Android system, continuously listen to the socket, and execute commands sent. 2) adb_server - replaces pm script of Android system with itself and used for anti-uninstallation functionality. 3) meta_chk - update the configuration file, download and install Android Apps promoted in the background. The Configuration file is encrypted, that greatly increases the time required to analyze. To evade detection, meta_chk destroys itself from the file system, and left with only the injected process. Android Antivirus software does not support the process memory scan in the Android platform, so they cannot detect or delete the Oldboot Trojan which resides in the memory. 4) agentsysline - module written in C++ programming language, run as a daemon in the background to receive commands from command-and-control server. This component can uninstall anti-virus software, delete the specific files and enable or disable network connection etc. PROBLEMS FOR SECURITY RESEARCHERS To increase the problem of malware analyzers: It add some meaningless code and trigger some behavior randomly. Check for SIM card availability in the device, and it will not perform certain behavior if there is no SIM card to fool sandbox or emulators. Check for the existence of antivirus software, and may uninstall the anti-virus software before doing anything malicious. Malware uses the steganography techniques to hide its configuration file into images: "But after some analysis, we found that the configuration of meta_chk is hidden in this picture, which contains the command will be executed by meta_chk and other information." researchers said. The size of this configuration file is 12,508 bytes. "Depending on the commands sent from the C&C server, it can do many different things, such as sending fake SMS messages or phishing attacks, and so on. Driven by profit, the Oldboot Trojan family changes very fast to react to any situation." Oldboot.B is one of the most advanced Android malware that is very difficult to remove, but antivirus firm 360 Mobile Security also released Oldboot detection and removing tool for free, you can download it from their website. To avoid infection, Smartphones users should only install apps from trusted stores; make sure the Android system setting 'Unknown sources' is unchecked to prevent dropped or drive-by-download app installs; don't use custom ROMs and install a mobile security app. Source
  17. A year back, Security Researchers from the Antivirus firm Kaspersky found a sophisticated piece of malware which they dubbed as ‘MiniDuke’, designed specifically to collect and steal strategic insights and highly protected political information, which is a subject to states’ security. Now, once again the MiniDuke virus is spreading in wild via an innocent looking but fake PDF documents related to Ukraine, while the researcher at F-Secure were browsing the set of extracted decoy documents from a large batch of potential MiniDuke Samples. "This is interesting considering the current crisis in the area," Mikko Hypponen, the CTO of security research firm F-Secure, wrote on Tuesday. The Hacker News reported a year ago about the malicious malware that uses an exploit (CVE-2013-0640) of the famous and actively used Adobe Reader. MiniDuke malware written in assembly language with its tiny file size (20KB), and uses hijacked Twitter accounts for Command & Control and incase twitter accounts are not active, the malware located backup control channels via Google searches. The malware consists of three components: PDF file, MiniDuke Main and Payload. Payload is dropped after the Adobe process gets exploited by opening the malicious PDF file, which refers to the topics including human rights, Ukraine's foreign policy, and NATO membership plans. The infected machine then use Twitter or Google to collect encrypted instructions showing them where to report for new backdoors and as soon as infected system connects the command servers, it starts receiving encrypted backdoors through GIF image files. Once installed, it may copy, remove, delete files, create database, stop the processes and download the new ones, that may also open backdoor access to other Trojans. F-Secure also provided screenshots of several Ukraine-related documents that were more likely twisted from already existing and real public documents. F-Secure found a bogus document signed by Ruslan Demchenko, the First Deputy Minister for Foreign Affairs of Ukraine. “The letter is addressed to the heads of foreign diplomatic institutions in Ukraine.” When the researcher translated the document, it comes out to be a note regarding “the 100th year anniversary of the 1st World War.” This also signalized that the attackers have somehow access to the Ukrainian Ministry of Foreign Affairs. “We don't know where the attacker got this decoy file from,” Hypponen wrote. “We don't know who was targeted by these attacks. We don't know who's behind these attacks. What we do know is that all these attacks used the CVE-2013-0640 vulnerability and dropped the same backdoor (compilation date 2013-02-21).” The authors of MiniDuke made the malware familiar with the work principles of antivirus software which makes it different from the other viruses. The malware turns unique for each system and contains a backdoor that allows it to avoid system analytics instruments, and in case the virus is detected, the backdoor stops malicious effects and makes it disappear for the system. MiniDuke Malware previously attacked government entities in Belgium, Brazil, Bulgaria, Czech Republic, Georgia, Germany, Hungary, Ireland, Israel, Japan, Latvia, Lebanon, Lithuania, Montenegro, Portugal, Romania, Russian Federation, Slovenia, Spain, Turkey, United Kingdom, United States, including Ukraine. Source
  18. Imagine, You Open a Winrar archive of MP3 files, but what if it will install a malware into your system when you play anyone of them. WinRAR, a widely used file archiver and data compression utility helps hackers to distribute malicious code. Israeli security researcher Danor Cohen (An7i) discovered the WinRAR file extension spoofing vulnerability. WinRAR file extension spoofing vulnerability allows hackers to modify the filename and extension inside the traditional file archive, that helps them to hide binary malicious code inside an archive, pretending itself as '.jpg' , '.txt' or any other format. Using a Hex editor tool, he analysed a ZIP file and noticed that winrar tool also adds some custom properties to an archive, including two names - First name is the original filename (FAX.png) and second name is the filename (FAX.png) that will appear at the WINRAR GUI window. Danor manipulated the second filename and extension to prepare a special ZIP archive, that actually include a malware file "FAX.exe", but displaying itself as "FAX.png" to the user. Cyber intelligence company, IntelCrawler also published a report, which revealed that cybercriminals specialized in cyber espionage attacks are using this zero-day vulnerability in the wild to target several aerospace corporations, military subcontractors, embassies, as well as Fortune Global 500 companies. Using this technique, an attacker can drop any malware in very convincing manner to the victim's system. "Using this method the bad actors bypass some specific security measures including e-mail server’s antivirus systems" IntelCrawler said. Danor successfully exploited winrar version 4.20, and IntelCrawler confirmed that the vulnerability also works on all WinRar versions including v.5.1. "One of the chosen tactics includes malicious fake CV distribution and FOUO (For Official Use Only)-like documents, including fax scanned messages" Using social engineering techniques, attacker are targeting high profile victims with spear phishing mails, "Most of sent malicious attachments are hidden as graphical files, but password protected in order to avoid antivirus or IDS/IPS detection." IntelCrawler reported. In above example, the Malware archive file was password protected to avoid antivirus detection, used in an ongoing targeted cyber espionage campaign. Researchers found Zeus-like Trojan as an attachment, which has ability to establish remote administration channel with the infected victim, gather passwords and system information, then send the collected and stolen data to the Command & Control server hosted in Turkey (IP 185.9.159.211, Salay Telekomünikasyon). Users are advised to use an alternative archiving software and avoid opening archives with passwords even if it has legitimate files. Source
  19. Johannes Ullrich of the SANS Institute claims to have found malware infecting digital video recorders (DVR) predominately used to record footage captured by surveillance camera systems. Oddly enough, Ullrich claims that one of the two binaries of malware implicated in this attack scheme appears to be a Bitcoin miner. The other, he says, looks like a HTTP agent that likely makes it easier to download further tools or malware. However, at the present time, the malware seems to only be scanning for other vulnerable devices. “D72BNr, the bitcoin miner (according to the usage info based on strings) and mzkk8g, which looks like a simplar(sp.) http agent, maybe to download additional tools easily (similar to curl/wget which isn’t installed on this DVR by default),” Ullrich wrote on SANS diary. The researcher first became aware of the malware last week after he observed Hiksvision DVR (again, commonly used to record video surveillance footage) scanning for port 5000. Yesterday, Ullrich was able to recover the malware samples referenced above. You can find a link to the samples for yourself included in the SANS Diary posting. Ullrich noted that sample analysis is ongoing with the malware, but that it appears to be an ARM binary, which is an indication that the malware is targeting devices rather than your typical x86 Linux server. Beyond that, the malware is also scanning for Synology (network attached storage) devices exposed on port 5000. “Using our DShield Sensors, we initially found a spike in scans for port 5000 a while ago,” Ullrich told Threatpost via email. “We associated this with a vulnerability in Synology Diskstation devices which became public around the same time. To further investigate this, we set up some honeypots that simulated Synology’s web admin interface which listens on port 500o.” Upon analyzing the results from the honeypot, Ullrich says he found a number of scans: some originating from Shodan but many other still originating from these DVRs. “At first, we were not sure if that was the actual device scanning,” Ullrich admitted. “In NAT (network address translation) scenarios, it is possible that the DVR is visible from the outside, while a different device behind the same IP address originated the scans.” Further examination revealed that the DVRs in question were indeed originating the scans. These particular DVRs, Ullrich noted, are used in conjunction with security cameras, and so they’re often exposed to the internet to give employees the ability to monitor the security cameras remotely. Unlike normal “TiVo” style DVRs, these run on a stripped down version of Linux. In this case, the malware was specifically compiled to run in this environment and would not run on a normal Intel based Linux machine, he explained. This is the Malware sample’s HTTP request: DVR Malware HTTP Request The malware is also extracting the firmware version details of the devices it is scanning for. Those requests look like this: Firmware Scan Request While Ullrich notes that the malware is merely scanning now, he believes that future exploits are likely. Source
  20. The iOS platform has been remarkably resistant to malware infections over the years and attackers interested in mobile devices mainly have focused their efforts on Android. But the developer of a little-known bot that has the ability to run on Linux and Windows machines now has a version that can run on iOS as well. The Zorenium bot is not one of the brand-name bots that constantly make headlines. The bot is only a few months old and hasn’t yet gained the attention of many researchers. It has many of the same capabilities that other pieces of custom malware have, including from-grabbing, banker Trojan functionality, DDoS and even Bitcoin mining. But it’s Zorenium’s ability to run on recent version of iOS that sets it apart. “Recently our analysts have been monitoring the advancement of a new threat in the commercial malware theater – the Zorenium Bot. Zorenium a relatively new and unknown bot, which has been up for sale in the underground from January 2014 is getting new features in its March 18th update, including, also, ability to infect iOS devices (version 5-7), alongside its existing capabilities to run on Linux and Windows based machines. Also, in this update, the developers have updated the rootkit to TDL4 (This making it vulnerable to anti TDSS tools),” Tanya Koyfman and Assaf Keren of the SenseCy blog, run by Israeli company Terrogence, wrote in an analysis of the bot. Zorenium has been advertised on Pastebin and the first version of the bot was available for direct download via a link posted on Twitter in December. The Zorenium malware is related to the Betabot malware, which has been used in attacks against financial institutions and other sites since last year. The FBI issued a warning about Betabot on September, warning consumers that the malware will masquerade as a Windows security warning dialog box. “Cyber criminals use Beta Bot to target financial institutions, e-commerce sites, online payment platforms, and social networking sites to steal sensitive data such as log-in credentials and financial information. Beta Bot blocks computer users’ access to security websites and disables anti-virus programs, leaving computers vulnerable to compromise,” the FBI warning says. “Beta Bot infection vectors include an illegitimate but official looking Microsoft Windows message box named ‘User Account Control’ that requests a user’s permission to allow the ‘Windows Command Processor’ to modify the user’s computer settings. If the user complies with the request, the hackers are able to exfiltrate data from the computer. Beta Bot is also spread via USB thumb drives or online via Skype, where it redirects the user to compromised websites.” The security measures, vertical software development and installation model and exploit mitigations included in iOS have made the platform a difficult target for attackers. There have been a small string of code-execution vulnerabilities found in various versions of iOS, many of them discovered by members of the jailbreak community. Apple has patched those, but users who jailbreak their devices typically don’t update them, because that rolls back the jailbreak and restores the normal operating system. For Zorenium to run on an iOS device, it likely is running on jailbroken phones, unless the bot uses a previously unknown vulnerability in the operating system. Source
  21. The Continuous Growth of spyware, their existence, and the criminals who produce & spread them are increasing tremendously. It’s difficult to recognize spyware as it is becoming more complex and sophisticated with time, so is spreading most rapidly as an Internet threat. Recently, The security researchers have unearthed a very complex and sophisticated piece of malware that was designed to steal confidential data and has ability able to capture network traffic. The Researchers at the German security company G Data Software, refer the malware as Uroburos, named after an ancient symbol depicting a serpent or dragon eating its own tail, and in correspondence with a string (Ur0bUr()sGotyOu#) lurking deep in the malware's code. The researchers claimed that the malware may have been active for as long as three years before being discovered and appears to have been created by Russian developers. Uroburos is a rootkit designed to steal data from secure facilities, has ability to take control of an infected machine, execute arbitrary commands and hide system activities, communicating primarily using peer-to-peer connections in a network it has penetrated to infect new machines within the network, manages to pass back the exfiltrated information back to attackers from infected machines and network data, the researchers explained. The two main components of Uroburos are - a driver and an encrypted virtual file system, used to disguise its nasty activities and to try to avoid detection. Its driver part is extremely complex and is designed to be very discrete and very difficult to identify. The malware uses two virtual file systems, one NTFS file system and one FAT file system, and both are stored locally on the infected system and are used as a "workspace" by the attackers, providing a storage space for third-party tools, post-exploitation tools, temporary files and binary output. The virtual file system can’t be decrypted without the presence of drivers, according to the Gdata’s analysis explained in the PDF. The driver is needed to decrypt the virtual file systems, to create several hooks to hide its activities, to inject libraries in the users land and to establish and manage some communication channels. “The development of a framework like Uroburos is a huge investment. The development team behind this malware obviously comprises highly skilled computer experts, as you can infer from the structure and the advanced design of the rootkit. We believe that the team behind Uroburos has continued working on even more advanced variants, which are still to be discovered.” WITH LOVE From RUSSIA: Technical Similarities with the previous malware Agent.BTZ and that the malware Uroburos checks the presence of Agent.BTZ in the system and remains inactive if Agent.BTZ is present, makes the researchers believe that it was designed by the same by the Russian intelligence services, according to G Data analysis. “Due to many technical details (file name, encryption keys, behavior and more details mentioned in this report), we assume that the group behind Uroburos is the same group that performed a cyberattack against the United States of America in 2008 with a malware called Agent.BTZ,” say the researchers. They also added that the reason it is meant to be of the Russian origin is, “Uroburos checks for the presence of Agent.BTZ and remains inactive if it is installed. It appears that the authors of Uroburos speak Russian (the language appears in a sample), which corroborates the relation to Agent.BTZ. Furthermore, according to public newspaper articles, this fact, the usage of Russian, also applied for the authors of Agent.BTZ.” In 2008, USB and Removable storage drives placed on hold in the U.S. Army facilities after the spread of Agent.BTZ worm. The USB stick contained malicious code was trying to keep on multiplying further and infected the military’s network. The attacks carried out with Uroburos are targeting government institutions, research institutions, intelligence agencies, nation states, research institutions or companies dealing with sensitive information as well as similar high-profile targets. The oldest drivers identified by the researchers was compiled in 2011 is the evidence that the malware was created around three years ago and was undetected. “The Uroburos rootkit is one of the most advanced rootkits we have ever analyzed in this Environment,” the G Data concluded. The team behind the development of the malware Uroburos has developed an even more sophisticated framework, which still remains undiscovered, the researchers believe. Many infection vectors are conceivable. E.g. Spear phishing, drive-by-infections, USB sticks, or social engineering attacks. Source
  22. New research carried out by analysts from Intelligent Content Protection concludes that 90 percent of the top pirate sites link to malware or other unwanted software. In addition, two-thirds of the websites are said to link to credit card scams. Entertainment industry groups hope the findings will motivate people to choose legal options instead. Most seasoned visitors of torrent sites and streaming portals know that many of the “download” and “play” buttons present are non-functional, at least in the regular sense. In fact, many of these buttons link to advertisements of some sort, ranging from relatively harmless download managers to dubious services that ask for one’s credit card details. A new report backed by the UK entertainment industry has looked into the prevalence of these threats. The study, carried out by the anti-piracy analysts of Intelligent Content Protection (Incopro), found that only 1 of the 30 most-visited pirate sites didn’t link to unwanted software or credit card scams. According to a press release released this morning, the research found that of the 30 top pirate sites, “90% contained malware and other ‘Potentially Unwanted Programmes’ designed to deceive or defraud unwitting viewers.” The “Potentially Unwanted Programmes” category is rather broad, and includes popups and ads that link to download managers. In addition, the report links one-third of the sites to credit card fraud. “The rogue sites are also rife with credit card scams, with over two-thirds (67%) of the 30 sites containing credit card fraud,” the press release states. While it’s true that many pirate sites link to malware and other dubious products, the sites themselves don’t host any of the material. For example, none of the top pirate sites TorrentFreak tested were flagged by Google’s Safebrowsing tool. This nuance is left out of the official announcement, but the executive summary of the report does make this distinction. “We did not encounter the automatic injection of any malicious program on the sites that we scanned. In all instances, the user must be tricked into opening a downloaded executable file or in the case of credit card fraud, the user needs to actively enter credit card details,” Incopro writes. Most of the malware and “potentially” unwanted software ends up on users’ computers after they click on the wrong “download” button and then install the presented software. In many cases these are installers that may contain relatively harmless adware. However, the researchers also found links to rootkits and ransomware. The allegation of “credit card fraud” also requires some clarification. Incopro told TorrentFreak that most of these cases involve links to services where users have to pay for access. “There were 17 separate credit card schemes that were detected through our scanning, with many appearing to be similar or possibly related. Five of the sites had instances of two credit card fraud/scam sites, with the remaining 15 containing one credit card fraud/scam site,” Incopro told us. “An example is someone visits one of the pirate sites and clicks a ‘Download’ or ‘Play now’ button, which is actually an advert appearing on the page, which then asks for payment details to access the content.” This is characterized as “fraud” because these “premium” streaming or download services can result in recurring credit card charges of up to $50 per month, without an option to cancel. The report, which isn’t available to the public, was commissioned by the UK film service FindAnyFilm and backed by several industry groups. Commenting on the findings, FACT’s Kieron Sharp noted that those who fall for these scams are inadvertently funding organized crime. “Not only are you putting your personal security at risk, by using pirate websites you could be helping fund the organised criminal gangs who run these sites as a front for other cyber scams,” Sharp says. It is clear that the research is used for scaremongering. Regular users of these sites know all too well what buttons not to click, so they are not affected by any of the threats. However, there’s no denying that some pirate sites deliberately place these “ads” to confuse novice and unsuspecting visitors. Those visitors may indeed end up with adware, malware or run into scam services. This isn’t in any way a new phenomenon though, it has been going on for more than a decade already. Ironically, the same anti-piracy groups who now warn of these threats are making them worse by cutting pirate sites off from legitimate advertisers. Source: TorrentFreak
  23. A boom in cybercrime levels is forcing security vendors to release defence updates every 40 minutes, according to security firm Symantec. Senior manager for Symantec Security Response Orla Cox reported the development during a briefing attended by V3. "We're seeing more sophisticated attacks than ever before and people want security," she said. "Nowadays we are rolling out virus signature upgrades around every 40-50 minutes. They're rapid response upgrades that go through partial vetting. We then follow them up with three upgrades per day that are fully certified." Cox said Symantec began rolling out the rapid updates to help mitigate the growing number of malware variants and active cyber campaigns targeting its customers. "It's been about shaving off minutes for the last couple of years. If you came to us a few years ago it was one [update] and before that it would have taken hours. The rapid updates are for people that need a rapid response, like those suffering an infection." She said Symantec blocked 568,700 web attacks on its customers and detected a massive 1.6 million malware variants per day in 2013. But despite helping customers, Cox said the company's rapid update cycle has increased the risk of pushing out an update with a false positive signature. "The biggest quality issue we face is the danger of false positive definitions. There's a risk of detecting something clean as malicious, that's the big no no in our industry, so it's as much about building definitions libraries about legit files as malicious," she said. False positives are updates from security providers that list legitimate files as malware and block them from running. In the past the faulty updates have caused damage to many companies. In 2013 Malwarebytes crippled thousands of its customers' machines when it issued a false positive update. Cox said the influx of new threats has also forced Symantec to expand its analysis procedures in recent years. "We've had to evolve how we work, it's not just about providing protection and moving on any more. Threats and the landscape have changed and to address this we've begun doing intelligence work," she said. "We do bespoke research on occasion, with both customers and law enforcement. These situations are ones where we have the skills they don't – that's the benefit of us being here every day, reverse-engineering malware. "Doing this over the years we've had to develop a number of systems and now we're trying to understand the individual attacks in the context of who did them and why." Symantec is one of many technology firms to begin adopting an intelligence-based approach to cyber defence. Facebook unveiled a new automated ThreatData security service designed to detect and catalogue new malware families earlier in March. Source
  24. IObit Malware Fighter Pro 2.4.1.14 IObit Malware Fighter is an advanced malware & spyware removal utility that detects, removes the deepest infections, and protects your PC from various of potential spyware, adware, trojans, keyloggers, bots, worms, and hijackers. With the improved, unique "Dual-Core" engine and the heuristic malware detection, IObit Malware Fighter detects the most complex and deepest spyware and malware in a very fast and efficient way. Here are some key features of "IObit Malware Fighter": One-click Solution and Very Easy to Use: Traditional advantages of IObit products. We love simple and automatic styles.Complete PC Security Care: Anti-malware, anti-spyware, anti-adware, anti-trojan, anti-bots, and more. IObit Malware Fighter can assist your antivirus to defend any tricky and complex threats.Finds the Deepest Infections: Using DOG (Digital Original Gene), a novel heuristic malware detection method, while IObit Malware Fighter can find the most complex threats.Very Fast and Light Thanks to the improved, unique "Dual-Core" anti-malware engine, complicated analysis can be made faster now.Work with All Antivirus Products Everyone needs a qualified antivirus software, and IObit Malware Fighter will surely be the best mate for your current antivirus.Automated Working in the Background Just install it and forget it. This powerful utility works continuously, automatically and quietly in the background on your PC. You can set it as your schedule or just let it work automatically when your PC is idle.Automatic and Frequent Updates By the new-generation malware analysis system and our professional database team, IObit Malware Fighter catches the emerging dangerous malware in the Internet.Website: http://www.iobit.com OS: Windows XP / Vista / 7 / 8 / 8.1 Language: ML Medicine: Key / Keygen Size: 26,63 Mb.
  25. IObit Malware Fighter Pro 2.4.1.15 + Portable IObit Malware Fighter is an advanced malware & spyware removal utility that detects, removes the deepest infections, and protects your PC from various of potential spyware, adware, trojans, keyloggers, bots, worms, and hijackers. With the improved, unique "Dual-Core" engine and the heuristic malware detection, IObit Malware Fighter detects the most complex and deepest spyware and malware in a very fast and efficient way. Here are some key features of "IObit Malware Fighter": One-click Solution and Very Easy to Use: Traditional advantages of IObit products. We love simple and automatic styles.Complete PC Security Care: Anti-malware, anti-spyware, anti-adware, anti-trojan, anti-bots, and more. IObit Malware Fighter can assist your antivirus to defend any tricky and complex threats.Finds the Deepest Infections: Using DOG (Digital Original Gene), a novel heuristic malware detection method, while IObit Malware Fighter can find the most complex threats.Very Fast and Light Thanks to the improved, unique "Dual-Core" anti-malware engine, complicated analysis can be made faster now.Work with All Antivirus Products Everyone needs a qualified antivirus software, and IObit Malware Fighter will surely be the best mate for your current antivirus.Automated Working in the Background Just install it and forget it. This powerful utility works continuously, automatically and quietly in the background on your PC. You can set it as your schedule or just let it work automatically when your PC is idle.Automatic and Frequent Updates By the new-generation malware analysis system and our professional database team, IObit Malware Fighter catches the emerging dangerous malware in the Internet.Website: http://www.iobit.com OS: Windows XP / Vista / 7 / 8 / 8.1 Language: ML Medicine: Key / Keygen Size: 25,92 / 29,28 Mb.
×
×
  • Create New...