Showing results for tags 'Malware'.
  1. By Dan Goodin - Feb 11 2014, 8:33am AEST

     Attackers used phishing and zero-days to infect Windows, Mac, and Linux users.

     [Figure: Mask victims by IP address.]

     Calling it the most sophisticated malware-driven espionage campaign ever discovered, researchers said they have uncovered an attack dating back to at least 2007 that infected computers running the Windows, OS X, and Linux operating systems of 380 victims in 31 countries. The "Mask" campaign, which gets its name from a string of text found in one of the malware samples, includes a variety of components used to siphon encryption keys, key strokes, Skype conversations, and other types of sensitive data off infected computers. There is also evidence that the Spanish-speaking attackers had malware that ran on devices running both Apple's iOS and Google's Android mobile operating systems. Victims include government agencies, embassies, research institutions, private equity firms, activists, energy companies, and companies in other industries.

     The sophistication of Mask makes it likely that the campaign is the work of attackers sponsored by a well-resourced nation-state, said researchers from Kaspersky Lab, the Moscow-based security company that discovered it. Mask—or "Careto" as its Spanish slang translation appears in source code analyzed by Kaspersky—joins a pantheon of other state-sponsored malware campaigns with names including Stuxnet, Flame, Duqu, Red October, Icefog, and Gauss. Unlike more opportunistic crimeware campaigns that generate revenue by targeting anyone with an Internet-connected computer, these "advanced persistent threats" (APTs) are much more determined. They're tailored threats that are aimed at specific people or organizations who possess unique data or capabilities with strategic national or business value.

     "With Careto, we describe yet another sophisticated cyberespionage operation that has been going on undiscovered for more than five years," Kaspersky Lab researchers wrote in a detailed analysis published Monday. "In terms of sophisticated, we put Careto above Duqu, Gauss, RedOctober, or Icefog, making it one of the most complex APTs we observed."

     The attackers relied on highly targeted spear phishing e-mails to lure targeted individuals to malicious websites. In some cases, attackers impersonated well-known websites, such as those operated by The Guardian and The Washington Post. One of the exploits recently used by the attackers targeted CVE-2012-0773, a highly critical vulnerability in Adobe's Flash Player that made it possible to bypass the sandbox security protection Google Chrome and other browsers rely on to prevent websites from executing malicious code on end-user computers. "What makes 'The Mask' special is the complexity of the toolset used by the attackers," the Kaspersky analysis stated. "This includes an extremely sophisticated malware, a rootkit, a bootkit, 32- and 64-bit Windows versions, Mac OS X and Linux versions, and possibly versions of Android and iPad/iPhone (Apple iOS)."

     Kaspersky researchers first stumbled onto Mask after noticing that it exploited a vulnerability in older versions of Kaspersky antivirus products to hide itself. The vulnerability has been patched for an unspecified amount of time, but attackers were exploiting the vulnerability on machines that continued to run older versions of the Kaspersky software. Like Stuxnet and many other pieces of malware used in the last five years, Mask code was digitally signed, in this case with a valid certificate issued to a fake company called TecSystem Ltd. Such digital credentials are designed to bypass warnings delivered by Windows and other operating systems before executing programs that haven't been vouched for by credentials issued by a recognized certificate authority.

     The malware uses encrypted HTTP or HTTPS channels when communicating with command and control servers. Researchers were able to take control of some of the domain names or IP addresses hosting the control servers that Mask-infected computers reported to. In all, the researchers observed 1,000 separate IP addresses in 31 countries connect. They also found traces of 380 different victim identifiers designated by the Mask naming convention. The Mask campaign was abruptly shut down last week within hours of being revealed in a short blog post. "For Careto, we observed a very high degree of professionalism in the operational procedures of the group behind this attack, including monitoring of their infrastructure, shutdown of the operation, avoiding curious eyes through access rules, using wiping instead of deletion for log files and so on," the Kaspersky analysis noted. "This is not very common in APT operations, putting the Mask into the 'elite' APT groups section."

     Post updated to add "slang" to the third paragraph.

     http://arstechnica.com/security/2014/02/meet-mask-posssibly-the-most-sophisticated-malware-campaign-ever-seen
  2. A group of enterprising cybercriminals has figured out how to get cash from a certain type of ATM -- by text message.

     The latest development was spotted by security vendor Symantec, which has periodically written about a type of malicious software it calls "Ploutus" that first appeared in Mexico. The malware is engineered to plunder a certain type of standalone ATM, which Symantec has not identified. The company obtained one of the ATMs to carry out a test of how Ploutus works, but it doesn't show a brand name. Ploutus isn't the easiest piece of malware to install, as cybercriminals need to have access to the machine. That's probably why cybercriminals are targeting standalone ATMs, as it is easy to get access to all parts of the machine.

     Early versions of Ploutus allowed it to be controlled via the numerical interface on an ATM or by an attached keyboard. But the latest version shows a remarkable new development: It is now controllable remotely via text message. In this variation, the attackers manage to open up an ATM and attach a mobile phone, which acts as a controller, to a USB port inside the machine. The ATM also has to be infected with Ploutus.

     "When the phone detects a new message under the required format, the mobile device will convert the message into a network packet and will forward it to the ATM through the USB cable," wrote Daniel Regalado, a Symantec malware analyst, in a blog post on Monday. Ploutus has a network packet monitor that watches all traffic coming into the ATM, he wrote. When it detects a valid TCP or UDP packet from the phone, the module searches "for the number 5449610000583686 at a specific offset within the packet in order to process the whole package of data," he wrote. It then reads the next 16 digits and uses that to generate a command line to control Ploutus.

     So, why do this? Regalado wrote that it is more discreet and works nearly instantly. The past version of Ploutus required someone to either use a keyboard or enter a sequence of digits into the ATM keypad to fire up Ploutus. Both of those methods increase the amount of time someone spends in front of the machine, increasing the risk of detection. Now, the ATM can be remotely triggered to dispense cash, allowing a "money mule," or someone hired to do the risky job of stopping by to pick up the cash, to swiftly grab their gains. It also deprives the money mule of information that could allow them to skim some cash off the top, Regalado wrote. "The master criminal knows exactly how much the money mule will be getting," he wrote.

     Symantec warned that about 95% of ATMs are still running Windows XP, Microsoft's 13-year-old OS. Microsoft is ending regular support for Windows XP on April 8, but is offering extended support for Windows XP embedded systems, used for point-of-sale devices and ATMs, through January 2016. Still, Symantec warned that "the banking industry is facing a serious risk of cyberattacks aimed at their ATM fleet."

     Source
  3. By Ron Amadeo - Jan 18 2014, 10:10am AUSEST

     Once in control, they can silently push new ad-filled "updates" to those users.

     One of the coolest things about Chrome is the silent, automatic updates that ensure that users are always running the latest version. While Chrome itself is updated automatically by Google, that update process also includes Chrome's extensions, which are updated by the extension owners. This means that it's up to the user to decide if the owner of an extension is trustworthy or not, since you are basically giving them permission to push new code out to your browser whenever they feel like it. To make matters worse, ownership of a Chrome extension can be transferred to another party, and users are never informed when an ownership change happens. Malware and adware vendors have caught wind of this and have started showing up at the doors of extension authors, looking to buy their extensions. Once the deal is done and the ownership of the extension is transferred, the new owners can issue an ad-filled update over Chrome's update service, which sends the adware out to every user of that extension.

     We ought to clarify here that Google isn't explicitly responsible for such unwanted adware, but vendors are exploiting Google's extension system to create a subpar—and possibly dangerous—browsing experience. Ars has contacted Google for comment, but we haven't heard back yet. We'll update this article if we do.

     A first-hand account of this, which was first spotted by OMGChrome, was given by Amit Agarwal, developer of the "Add to Feedly" extension. One morning, Agarwal got an e-mail offering "4 figures" for the sale of his Chrome extension. The extension was only about an hour's worth of work, so Agarwal agreed to the deal, the money was sent over PayPal, and he transferred ownership of the extension to another Google account. A month later, the new extension owners released their first (and so far only) update, which injected adware on all webpages and started redirecting links. Chrome's extension auto-update mechanism silently pushed out the update to all 30,000 Add to Feedly users, and the ad revenue likely started rolling in. While Agarwal had no idea what the buyer's intention was when the deal was made, he later learned that he ended up selling his users to the wolves. The buyer was not after the Chrome extension, they were just looking for an easy attack vector in the extension's user base.

     This isn't a one-time event, either. About a month ago, I had a very simple Chrome extension called "Tweet This Page" suddenly transform into an ad-injecting machine and start hijacking Google searches. A quick search for the Chrome Web Store reveals several other extensions that reviewers say suddenly made a U-turn from useful extension to ad-injector. There is even an extension that purports to stop other extensions from injecting ads. Injected ads are allowed in Chrome extensions, but Google's policy states that which app the ads are coming from must be clearly disclosed to the user, and they cannot interfere with any native ads or the functionality of the website.

     When malicious apps don't follow Google's disclosure policy, diagnosing something like this is extremely difficult. When Tweet This Page started spewing ads and malware into my browser, the only initial sign was that ads on the Internet had suddenly become much more intrusive, and many auto-played sound. The extension only started injecting ads a few days after it was installed in an attempt to make it more difficult to detect. After a while, Google search became useless, because every link would redirect to some other webpage. My initial thought was to take an inventory of every program I had installed recently—I never suspected an update would bring in malware. I ran a ton of malware/virus scanners, and they all found nothing. I was only clued into the fact that Chrome was the culprit because the same thing started happening on my Chromebook—if I didn't notice that, the next step would have probably been a full wipe of my computer.

     The difficult part of this for users is that normal removal techniques will not work. Virus scanners are unlikely to flag ad-injecting JavaScript as malicious. Extensions are synced to your Google account, which means that even wiping out a computer and reinstalling the OS will not remove the malware—signing-in to Chrome will just download it again. The only way to be rid of the malware is to find the extension in chrome://extensions and remove it—and to make sure the removal gets propagated to your account and down to all your other devices. Even when you have it narrowed down to Chrome, since nothing detects a malicious Chrome extension, the best course of action is to meticulously check the latest reviews of every extension and hope that someone else has figured out where the ads are coming from.

     What can users do to protect themselves? It's very hard to keep yourself in the loop with Chrome extension updates. Extensions usually don't have changelogs, and there is currently no way to disable extension auto-updating. One way to stay at least slightly informed of what is going on is to install an extension that will notify you when your other extensions get updated. Other than that, the only other option is to stop using extensions entirely, which is a little extreme. Just keep an eye on the simpler extensions from smaller extension makers—those are the ones at most risk of being gobbled up by a malicious entity. Chrome will require your approval if an extension adds new permissions, but the magic permission that allows ad-injecting is called "access your data on all web pages," which many legitimate extensions already use. A malicious extension buyer could even look for an extension that already uses this permission so that their update will arouse the least suspicion among current users.

     The reality, though, is that while it's extremely easy for a novice user to install an extension, it's nearly impossible for them to diagnose and remove an extension that has turned sour, and Chrome Sync will make sure that extension hangs around on all their devices for a long time. The author of Add to Feedly stated that his extension had around 30,000 users before it was sold and packed full of ads. Today, despite the flood of unhappy user reviews, the Chrome Web Store shows 31,548 users. Auto-updating from a trusted source is one thing, but when that user trust can be bought and sold—and extension ownership can change hands without the users being informed—something needs to be done.

     http://arstechnica.com/security/2014/01/malware-vendors-buy-chrome-extensions-to-send-adware-filled-updates/?
  4. Los Angeles, California - January 17, 2014

     The massive data breach at Target during the 2013 holiday shopping season, which the retailer now admits affected 70 million customers, used an inexpensive "off the shelf" malware known as BlackPOS. The same malware may have also been involved in the Neiman Marcus attack.

     Security researchers from IntelCrawler, a Los Angeles-based cyber intelligence company, announced that the author of the BlackPOS malware is close to 17 years old and that the first sample of it was created in March 2013. The first report on this malware was done at the beginning of spring by Andrew Komarov, IntelCrawler CEO, when he was working at another forensics company. According to IntelCrawler's own sources, the first Point-of-Sale environments infected by BlackPOS were in Australia, Canada and the US.

     The first name of the malware was the lyric "Kaptoxa" ("potato" in Russian slang), which was then renamed "DUMP MEMORY GRABBER by Ree[4]" for forum postings, but the title of the C&C had the string "BlackPOS". During that time, "Ree[4]" ("ree4") sold more than 40 builds of BlackPOS to cybercriminals from Eastern Europe and other countries, including the owners of underground credit card shops such as ".rescator", "Track2.name", "Privateservices.biz" and many others. On the same dates, the detailed information and reverse engineering report were shared with Visa and several major US banks, after which US LEA released an internal notification for the financial industry about it. The bad actor was quite open to trading this malware for 2 000 USD or for receiving 50% of the proceeds from his customer's sales of all intercepted credit cards through Liberty Reserve.

     [email protected]: http://ree4.7ci.ru/dump_grabber.php
     [email protected]: it is administrative panel
     [email protected]: password "pass"
     [email protected]: http://www.sendspace.com/file/zglgvy
     [email protected]: after infection you will receive "readme.txt", like "ping"

     The first C&C server of BlackPOS was installed on "ree4.7ci.ru", which was the personal host of its author, nicknamed "ree[4]". Some other hosts were found on this domain name, as it was probably used as hosting for all members of the same group:
     - onlyddos.7ci.ru;
     - merzavetz.7ci.ru;
     - reperckov41.7ci.ru.

     [email protected]: http://plasmon.rghost.ru/44699041/image.png
     hidden: how does it keep the data (intercepted credit cards)?
     [email protected]: from left side it is files, time.txt, then you click on it and you will find dumps in browser in plaintext
     hidden: are there any differences in terms of infected Point-of-Sale systems?
     [email protected]: no, but there are some nuances, for example it doesn't work on Verifone
     hidden: really? I have Verifones ...
     [email protected]: it grabs dumps from memory, Verifone can be connected to PC, but it will be "secured", you need standalone Point-of-Sale terminals with monitor and Windows
     hidden: how much?
     [email protected]: 2000 USD
     [email protected]: 1st build

     Previously he had created several tools used in the hacking community for brute force attacks, such as "Ree4 mail brute", and also earned some first money with social network account hacking and DDoS attack training, as well as software development including malicious code.

     Investigators from IntelCrawler have also made a profile of the bad actor:
     E-mail 1: [email protected]
     E-mail 2: [email protected]
     ICQ: 565033
     Skype: s.r.a.ree4

     According to operative information from IntelCrawler, the person behind the nickname "ree[4]" is Sergey Taraspov, with roots in St. Petersburg and Nizhniy Novgorod (Russian Federation), a very well known programmer of malicious code in the underground.
     "He is still visible for us, but the real bad actors responsible for the past attacks on retailers such as Target and Neiman Marcus were just his customers", comments Dan Clements, IntelCrawler President.

     Before both breaches, IntelCrawler detected large-scale RDP brute-forcing attacks on Point-of-Sale terminals across the US, Australia and Canada, starting at the beginning of 2013 in the winter period, with weak passwords such as:
     "pos":"pos";
     "micros":"micros" (MICROS Systems, Inc. - Point-of-Sale Hardware);
     "edc":"123456" (EDC - Electronic Draft Capture).

     February 9th, 2013, 14:30
     URL: http://www.rf-cheats.ru/forum/archive/index.php/t-156884.html
     IP Address: 71.138.234.81
     Location: UNITED STATES, CALIFORNIA, LOS ANGELES
     Latitude & Longitude: 34.052230, -118.243680
     Connection: 26 INTERNATIONAL INC
     Net Speed: (COMP) Company/T1
     IDD & Area Code: 213/310/424/323
     ZIP Code: 90001
     Weather Station: LOS ANGELES (USCA0638)

     IP Address: 75.127.54.179
     Location: UNITED STATES, CALIFORNIA, LOS ANGELES
     Latitude & Longitude: 34.002300, -118.211520
     Connection: DESIGN COLLECTION
     Net Speed: (COMP) Company/T1
     IDD & Area Code: 213/323
     ZIP Code: 90058
     Weather Station: LOS ANGELES (USCA0638)
     Usage Type: (COM) Commercial

     February 21st, 2013, 13:36
     IP Address: 63.138.49.238
     Location: UNITED STATES, NEW YORK, FAIRPORT
     Latitude & Longitude: 43.088572, -77.432766
     Connection: PAETEC COMMUNICATIONS INC.
     Domain: PAETEC.COM
     Net Speed: (DSL) Broadband/Cable
     IDD & Area Code: 585
     ZIP Code: 14450
     Weather Station: FAIRPORT (USNY0477)

     May 21st, 2013, 18:26
     URL: http://d3scene.ru/besplatnye-razdachi-i-pooschreniya/49081-razdacha-dedikov.html
     IP Address: 168.215.163.98
     Location: UNITED STATES, COLORADO, LONE TREE
     Latitude & Longitude: 39.546295, -104.896772
     Connection: TW TELECOM HOLDINGS INC.
     Domain: TWTELECOM.NET
     Net Speed: (COMP) Company/T1
     IDD & Area Code: 303
     ZIP Code: 80124
     Weather Station: PARKER (USCO0306)

     According to The New York Times (NYT), Neiman Marcus acknowledged that the time stamp on the first intrusion was in mid-July, which may correlate well with the compromised Point-of-Sale systems found.

     July 19th, 2013
     URL: http://freegaming.ucoz.net/news/razdacha_dedikov/2013-07-19-3
     "EDC" - Electronic Draft Capture, also known as "EDC" or "Point Of Sale" (POS), allows you to capture and authorize a credit card.
     IP Address: 64.119.39.123
     Location: UNITED STATES, ARIZONA, TUCSON
     Latitude & Longitude: 32.044150, -110.734770
     Connection: PRIVATE CUSTOMER
     Net Speed: (COMP) Company/T1
     IDD & Area Code: 520
     ZIP Code: 85747
     Weather Station: TUCSON (USAZ0247)

     September 22nd, 2013, 15:52
     URL: http://ccc.gs/topic/2405-razdacha-dedikov/
     IP Address: 38.82.206.34
     Location: UNITED STATES, CALIFORNIA, VALENCIA
     Latitude & Longitude: 34.406069, -118.535302
     Connection: TCAST COMMUNICATIONS INC
     Domain: COGENTCO.COM
     Net Speed: (DSL) Broadband/Cable
     IDD & Area Code: 661
     ZIP Code: 91355
     Weather Station: STEVENSON RANCH (USCA1095)

     "Most of the victims are department stores. More BlackPOS infections, as well as new breaches, can appear very soon; retailers and the security community should be prepared for them", commented Andrew Komarov, IntelCrawler CEO.

     About IntelCrawler

     IntelCrawler.com is a multi-tier intelligence aggregator, which gathers information and cyber prints from a starting big data pool of over 3,000,000,000 IPv4 addresses and over 200,000,000 domain names, which are scanned for analytics and dissemination to drill down to a desired result. This finite pool of cyber prints is then narrowed further by comparing it to various databases and forum intelligence gathered from the underground and networked security company contacts. The final result could be the location of a particular keyboard or a computer housing the threat.

     http://intelcrawler.com/about/press08
  5. Google has removed two Chrome extensions from its store due to the way they were serving ads to users. The extensions in question, Add to Feedly and Tweet This Page, both started life as useful additions to Google's web browser, but were soon serving users pop-ups and other intrusive ads. The reason for the sudden change in behavior? In Add to Feedly's case, at least, it was purchased from its developer and quickly began serving ads to its 30,000 users. In a blog post, Add to Feedly developer Amit Agarwal describes how he got an email presenting "a four-figure offer for something that had taken an hour to create." As you'd expect, the developer decided to cash in, but a month on realized the new owners of the extension silently updated it to serve ads. "These aren't regular banner ads," says Agarwal, "these are invisible ads that work [in] the background and replace links." The issue was picked up by OMG Chrome and Ars Technica, both of which suspect the issues aren't limited to Add to Feedly and Tweet This Page. The suggestion is that advertisers regularly buy popular extensions and transform them into adware. This appears to be backed up by the developer of the popular Honey extension, who claimed last weekend he too was approached by advertisers about selling the add-on. Shortly after the articles were published, Google took action against the rogue extensions, citing a December change to its policies that outlaws complex changes to websites by extensions, according to The Wall Street Journal. Although the changes aren't due to be enforced until June, Google has clearly taken a harder stance on such flagrant abuse. Agarwal, for his part, admits "it was probably a bad idea" to sell Add to Feedly, and apologizes to users affected by the adware. Source
  6. By Ben Zigterman on Jan 24, 2014 at 6:15 PM

     Phil Schiller recently tweeted a link to a report that said 99% of all mobile malware is directed at Android. Usually the malware comes through the web in the form of phishing or other tactics, but it usually doesn't come from PCs. However, that's not the case with a particular piece of malware uncovered by Symantec that installs malware onto Android devices when they are connected to Windows PCs.

     The malware, called Trojan.Droidpak, installs a fake version of the Google Play store when the Android device is connected to PCs in USB debugging mode. That mode is usually only used by developers, but is also sometimes necessary for rooting Android devices or installing alternative Android firmware. This malware appears to be directed at online bankers in Korea, Symantec has found. "The malicious APK [Android application package] actually looks for certain Korean online banking applications on the compromised device and, if found, prompts users to delete them and install malicious versions," wrote Flora Liu, a researcher at Symantec. That being said, the method could be replicated by other malware.

     To avoid this threat, Symantec recommends turning off the USB debugging mode and avoiding connecting your Android device to computers you don't trust.

     http://bgr.com/2014/01/24/android-malware-threat-windows
  7. Five days after Ars chronicled a security researcher's three-year odyssey investigating a mysterious piece of malware he dubbed badBIOS, some of his peers say they are still unable to reproduce his findings. "I am getting increasingly skeptical due to the lack of evidence," fellow researcher Arrigo Triulzi told Ars after examining forensic data that Ruiu has turned over. "So either I am not as good as people say or there is really nothing."

     As Ars reported last week, Ruiu said the malware first took hold of a MacBook Air of his three years ago and has since infected his laboratory computers running Windows, Linux, and BSD. Even more intriguing are his claims the malware targets his computers' low-level Basic Input/Output System (BIOS), Unified Extensible Firmware Interface (UEFI), or Extensible Firmware Interface (EFI) firmware and allows infected machines to communicate even when they're not connected over a network. Since the article was published, researchers have attempted to reproduce the behavior Ruiu described. So far there have been no reports of success, and some of the more skeptical researchers are beginning to say Ruiu has misinterpreted or misrepresented the data. Ruiu, meanwhile, continues to stand by his conclusions.

     Among the skeptics is Triulzi, a security researcher who five days ago voiced confidence that Ruiu's observations were reliable. Ars originally sought out Triulzi's opinion because he developed a highly stealthy piece of proof-of-concept malware five years ago that targeted the firmware of a computer's network interface controller, a feat that's on par with badBIOS's ability to infect a computer's BIOS. On Tuesday, Triulzi said he still thinks it's possible badBIOS has done everything Ruiu says it has. But after reviewing the data that Ruiu provided in response to requests for proof, Triulzi said he is more doubtful than he was before. The data included BIOS images, disk images captured with the dd Unix command, and gigabytes worth of Process Monitor analysis, all from one or more computers that Ruiu said were infected with badBIOS. The hard drive data "are just perfectly normal disk images with nothing suspicious in them," he told Ars. Similarly, he found nothing out of the ordinary when examining the BIOS image or the Process Monitor data.

     Triulzi isn't the only researcher to reach the conclusion Ruiu's data doesn't show anything amiss. Tavis Ormandy, another security researcher who has also reviewed the data, posted comments to a Google Plus thread. He wrote: "argumentum ad ignorantiam"

     As every student in an intro to logic course learns, the absence of proof is not proof of absence. I continue to agree with Triulzi and other security researchers when they say it's perfectly feasible for a determined attacker to develop malware as advanced as badBIOS and unleash it wittingly or otherwise on Ruiu's machines. At the same time, extraordinary claims require extraordinary proof. If badBIOS is real, there should be no reason researchers can't independently verify its existence, especially if, as Ruiu says, it's infected more than a dozen computers and USB drives over a three-year span. So while the inability of Triulzi and Ormandy to corroborate Ruiu's findings isn't proof his badBIOS research is flawed, they are significant developments that I thought were worthy of an update.

     Ruiu, for his part, continues to say badBIOS behaves precisely the way he has described in a series of social media posts and in interviews with Ars. He said he's continuing to make data available to researchers so they can independently evaluate it. "I've surrendered up a couple of my laptops. We had somebody fly in from New York and pick some up yesterday," he told Ars on Tuesday, declining to identify them by name. "They're going to have some smart guys force some eyes on it. We'll get some peer review and find out if I'm completely losing it or if we found something significant." Then, he paused for a moment and added: "By the way, I still don't think I'm losing it."

     Source: ArsTechnica
  8. Hardly two month ago we reported about the first widely spread Android Bootkit malware, dubbed as 'Oldboot.A', which infected more than 500,000 Smartphone users worldwide with Android operating system in last eight months, especially in China. Oldboot is a piece of Android malware that's designed to re-infect Mobile devices even after a thorough cleanup. It resides in the memory of infected devices; It modify the devices’ boot partition and booting script file to launch system service and extract malicious application during the early stage of system’s booting. Yet another alarming report about Oldboot malware has been released by the Chinese Security Researchers from '360 Mobile Security'. They have discovered a new variant of the Oldboot family, dubbed as 'Oldboot.B', designed exactly as Oldboot.A, but new variant has advance stealth techniques. Especially, the defense against with antivirus software, malware analyzer, and automatic analysis tools. "The Oldboot Trojan family is the most significant demonstration of this trend." researchers said. Oldboot.B, Android Bootkit malware has following abilities: It can install malicious apps silently in the background. It can inject malicious modules into system process. Prevent malware apps from uninstalling. Oldboot.B can modify the browser's homepage. It has ability to uninstall or disable installed Mobile Antivirus softwares. INFECTION & INSTALLING MORE MALWARE APPS Once an Android device is infected by Oldboot.B trojan, it will listen to the socket continuously and receive and execute commands received from the attacker's command-and-control server. Malware has some hidden ELF binaries, that includes steganographically encrypted strings, executable codes and configuration file downloaded from C&C server, located at az.o65.org (IP is 61.160.248.67). 
After installation, the Oldboot trojan installs lots of other malicious Android applications or games on the infected device, which were not installed manually by the user.

MALWARE ARCHITECTURE
The Oldboot.B architecture includes four major components, which execute automatically during system startup by registering themselves as services in the init.rc script:
1) boot_tst - uses a remote injection technique to inject an SO file and a JAR file into the 'system_server' process of the Android system, continuously listens on the socket, and executes the commands sent.
2) adb_server - replaces the pm script of the Android system with itself and is used for anti-uninstallation functionality.
3) meta_chk - updates the configuration file, and downloads and installs Android apps promoted in the background. The configuration file is encrypted, which greatly increases the time required to analyze it. To evade detection, meta_chk deletes itself from the file system, leaving only the injected process behind. Android antivirus software does not support process memory scanning on the Android platform, so it cannot detect or delete the Oldboot trojan residing in memory.
4) agentsysline - a module written in the C++ programming language that runs as a daemon in the background to receive commands from the command-and-control server. This component can uninstall antivirus software, delete specific files, and enable or disable the network connection, etc.

PROBLEMS FOR SECURITY RESEARCHERS
To make things harder for malware analyzers:
It adds some meaningless code and triggers some behavior randomly.
It checks for SIM card availability on the device, and will not perform certain behavior if there is no SIM card, to fool sandboxes or emulators.
It checks for the existence of antivirus software, and may uninstall the antivirus software before doing anything malicious.
The malware uses steganography techniques to hide its configuration file in images: "But after some analysis, we found that the configuration of meta_chk is hidden in this picture, which contains the command that will be executed by meta_chk and other information," researchers said. The size of this configuration file is 12,508 bytes.

"Depending on the commands sent from the C&C server, it can do many different things, such as sending fake SMS messages or phishing attacks, and so on. Driven by profit, the Oldboot Trojan family changes very fast to react to any situation."

Oldboot.B is one of the most advanced pieces of Android malware and is very difficult to remove, but the antivirus firm 360 Mobile Security has also released an Oldboot detection and removal tool for free; you can download it from their website.

To avoid infection, smartphone users should only install apps from trusted stores; make sure the Android system setting 'Unknown sources' is unchecked to prevent dropped or drive-by-download app installs; don't use custom ROMs; and install a mobile security app. Source
  9. A year ago, security researchers from the antivirus firm Kaspersky found a sophisticated piece of malware they dubbed 'MiniDuke', designed specifically to collect and steal strategic insights and highly protected political information that is a matter of state security.

Now, once again, the MiniDuke virus is spreading in the wild via innocent-looking but fake PDF documents related to Ukraine, found while researchers at F-Secure were browsing the set of extracted decoy documents from a large batch of potential MiniDuke samples. "This is interesting considering the current crisis in the area," Mikko Hypponen, the CTO of security research firm F-Secure, wrote on Tuesday.

The Hacker News reported a year ago on the malicious malware, which uses an exploit (CVE-2013-0640) for the well-known and widely used Adobe Reader. MiniDuke is written in assembly language, has a tiny file size (20KB), and uses hijacked Twitter accounts for command & control; in case the Twitter accounts are not active, the malware locates backup control channels via Google searches.

The malware consists of three components: the PDF file, the MiniDuke main module and the payload. The payload is dropped after the Adobe process is exploited by opening the malicious PDF file, which refers to topics including human rights, Ukraine's foreign policy, and NATO membership plans.

The infected machine then uses Twitter or Google to collect encrypted instructions telling it where to report for new backdoors, and as soon as the infected system connects to the command servers, it starts receiving encrypted backdoors through GIF image files. Once installed, it may copy, remove and delete files, create databases, stop processes and download new ones, and may also open backdoor access for other Trojans.

F-Secure also provided screenshots of several Ukraine-related documents that were most likely adapted from already existing, real public documents.
F-Secure found a bogus document signed by Ruslan Demchenko, the First Deputy Minister for Foreign Affairs of Ukraine. "The letter is addressed to the heads of foreign diplomatic institutions in Ukraine." When the researchers translated the document, it turned out to be a note regarding "the 100th year anniversary of the 1st World War." This also signals that the attackers somehow have access to the Ukrainian Ministry of Foreign Affairs.

"We don't know where the attacker got this decoy file from," Hypponen wrote. "We don't know who was targeted by these attacks. We don't know who's behind these attacks. What we do know is that all these attacks used the CVE-2013-0640 vulnerability and dropped the same backdoor (compilation date 2013-02-21)."

The authors of MiniDuke made the malware familiar with the working principles of antivirus software, which makes it different from other viruses. The malware is unique for each system and contains a backdoor that allows it to avoid system analysis instruments; in case the virus is detected, the backdoor stops the malicious effects and makes it disappear from the system.

The MiniDuke malware previously attacked government entities in Belgium, Brazil, Bulgaria, the Czech Republic, Georgia, Germany, Hungary, Ireland, Israel, Japan, Latvia, Lebanon, Lithuania, Montenegro, Portugal, Romania, the Russian Federation, Slovenia, Spain, Turkey, the United Kingdom and the United States, as well as Ukraine. Source
  10. Imagine you open a WinRAR archive of MP3 files, but what if it installs malware on your system when you play any one of them? WinRAR, a widely used file archiver and data compression utility, is helping hackers distribute malicious code.

Israeli security researcher Danor Cohen (An7i) discovered the WinRAR file extension spoofing vulnerability. The WinRAR file extension spoofing vulnerability allows hackers to modify the filename and extension inside the traditional file archive, which helps them hide binary malicious code inside an archive, presenting itself as '.jpg', '.txt' or any other format.

Using a hex editor tool, he analysed a ZIP file and noticed that the WinRAR tool also adds some custom properties to an archive, including two names: the first name is the original filename (FAX.png) and the second name is the filename (FAX.png) that will appear in the WinRAR GUI window. Danor manipulated the second filename and extension to prepare a special ZIP archive that actually includes a malware file "FAX.exe", but displays itself as "FAX.png" to the user.

The cyber intelligence company IntelCrawler also published a report, which revealed that cybercriminals specialized in cyber espionage attacks are using this zero-day vulnerability in the wild to target several aerospace corporations, military subcontractors, embassies, as well as Fortune Global 500 companies. Using this technique, an attacker can drop any malware in a very convincing manner onto the victim's system. "Using this method the bad actors bypass some specific security measures including e-mail server's antivirus systems," IntelCrawler said.

Danor successfully exploited WinRAR version 4.20, and IntelCrawler confirmed that the vulnerability also works on all WinRAR versions including v5.1.
"One of the chosen tactics includes malicious fake CV distribution and FOUO (For Official Use Only)-like documents, including fax scanned messages." Using social engineering techniques, attackers are targeting high-profile victims with spear phishing mails. "Most of the sent malicious attachments are hidden as graphical files, but password protected in order to avoid antivirus or IDS/IPS detection," IntelCrawler reported.

In the above example, the malware archive file was password protected to avoid antivirus detection, and was used in an ongoing targeted cyber espionage campaign. Researchers found a Zeus-like Trojan as an attachment, which has the ability to establish a remote administration channel with the infected victim, gather passwords and system information, then send the collected and stolen data to the command & control server hosted in Turkey (IP 185.9.159.211, Salay Telekomünikasyon).

Users are advised to use alternative archiving software and to avoid opening password-protected archives even if they contain legitimate files. Source
  11. Johannes Ullrich of the SANS Institute claims to have found malware infecting digital video recorders (DVRs) predominantly used to record footage captured by surveillance camera systems. Oddly enough, Ullrich claims that one of the two malware binaries implicated in this attack scheme appears to be a Bitcoin miner. The other, he says, looks like an HTTP agent that likely makes it easier to download further tools or malware. However, at present, the malware seems only to be scanning for other vulnerable devices.

"D72BNr, the bitcoin miner (according to the usage info based on strings) and mzkk8g, which looks like a simplar(sp.) http agent, maybe to download additional tools easily (similar to curl/wget which isn't installed on this DVR by default)," Ullrich wrote in the SANS diary.

The researcher first became aware of the malware last week after he observed a Hikvision DVR (again, commonly used to record video surveillance footage) scanning for port 5000. Yesterday, Ullrich was able to recover the malware samples referenced above. You can find a link to the samples for yourself in the SANS Diary posting.

Ullrich noted that sample analysis of the malware is ongoing, but that it appears to be an ARM binary, which is an indication that the malware is targeting devices rather than your typical x86 Linux server. Beyond that, the malware is also scanning for Synology (network attached storage) devices exposed on port 5000.

"Using our DShield Sensors, we initially found a spike in scans for port 5000 a while ago," Ullrich told Threatpost via email. "We associated this with a vulnerability in Synology Diskstation devices which became public around the same time. To further investigate this, we set up some honeypots that simulated Synology's web admin interface which listens on port 5000."

Upon analyzing the results from the honeypot, Ullrich says he found a number of scans: some originating from Shodan but many others still originating from these DVRs.
"At first, we were not sure if that was the actual device scanning," Ullrich admitted. "In NAT (network address translation) scenarios, it is possible that the DVR is visible from the outside, while a different device behind the same IP address originated the scans." Further examination revealed that the DVRs in question were indeed originating the scans.

These particular DVRs, Ullrich noted, are used in conjunction with security cameras, and so they're often exposed to the internet to give employees the ability to monitor the security cameras remotely. Unlike normal "TiVo"-style DVRs, these run on a stripped-down version of Linux. In this case, the malware was specifically compiled to run in this environment and would not run on a normal Intel-based Linux machine, he explained.

This is the malware sample's HTTP request:
[Image: DVR Malware HTTP Request]

The malware is also extracting the firmware version details of the devices it is scanning for. Those requests look like this:
[Image: Firmware Scan Request]

While Ullrich notes that the malware is merely scanning now, he believes that future exploits are likely. Source
  12. The iOS platform has been remarkably resistant to malware infections over the years, and attackers interested in mobile devices have mainly focused their efforts on Android. But the developer of a little-known bot that has the ability to run on Linux and Windows machines now has a version that can run on iOS as well.

The Zorenium bot is not one of the brand-name bots that constantly make headlines. The bot is only a few months old and hasn't yet gained the attention of many researchers. It has many of the same capabilities that other pieces of custom malware have, including form-grabbing, banker Trojan functionality, DDoS and even Bitcoin mining. But it's Zorenium's ability to run on recent versions of iOS that sets it apart.

"Recently our analysts have been monitoring the advancement of a new threat in the commercial malware theater – the Zorenium Bot. Zorenium, a relatively new and unknown bot, which has been up for sale in the underground from January 2014, is getting new features in its March 18th update, including, also, the ability to infect iOS devices (version 5-7), alongside its existing capabilities to run on Linux and Windows based machines. Also, in this update, the developers have updated the rootkit to TDL4 (this making it vulnerable to anti TDSS tools)," Tanya Koyfman and Assaf Keren of the SenseCy blog, run by Israeli company Terrogence, wrote in an analysis of the bot.

Zorenium has been advertised on Pastebin, and the first version of the bot was available for direct download via a link posted on Twitter in December. The Zorenium malware is related to the Betabot malware, which has been used in attacks against financial institutions and other sites since last year. The FBI issued a warning about Betabot in September, warning consumers that the malware masquerades as a Windows security warning dialog box.
"Cyber criminals use Beta Bot to target financial institutions, e-commerce sites, online payment platforms, and social networking sites to steal sensitive data such as log-in credentials and financial information. Beta Bot blocks computer users' access to security websites and disables anti-virus programs, leaving computers vulnerable to compromise," the FBI warning says. "Beta Bot infection vectors include an illegitimate but official looking Microsoft Windows message box named 'User Account Control' that requests a user's permission to allow the 'Windows Command Processor' to modify the user's computer settings. If the user complies with the request, the hackers are able to exfiltrate data from the computer. Beta Bot is also spread via USB thumb drives or online via Skype, where it redirects the user to compromised websites."

The security measures, vertical software development and installation model, and exploit mitigations included in iOS have made the platform a difficult target for attackers. There has been a small string of code-execution vulnerabilities found in various versions of iOS, many of them discovered by members of the jailbreak community. Apple has patched those, but users who jailbreak their devices typically don't update them, because that rolls back the jailbreak and restores the normal operating system. For Zorenium to run on an iOS device, it is likely running on jailbroken phones, unless the bot uses a previously unknown vulnerability in the operating system. Source
  13. The continuous growth of spyware, its prevalence, and the criminals who produce and spread it are increasing tremendously. It's difficult to recognize spyware as it is becoming more complex and sophisticated with time, and so it is spreading most rapidly as an Internet threat.

Recently, security researchers have unearthed a very complex and sophisticated piece of malware that was designed to steal confidential data and has the ability to capture network traffic. The researchers at the German security company G Data Software refer to the malware as Uroburos, named after an ancient symbol depicting a serpent or dragon eating its own tail, and corresponding to a string (Ur0bUr()sGotyOu#) lurking deep in the malware's code.

The researchers claimed that the malware may have been active for as long as three years before being discovered and appears to have been created by Russian developers. Uroburos is a rootkit designed to steal data from secure facilities; it has the ability to take control of an infected machine, execute arbitrary commands and hide system activities, communicating primarily using peer-to-peer connections in a network it has penetrated to infect new machines within the network, and manages to pass the exfiltrated information and network data from infected machines back to the attackers, the researchers explained.

The two main components of Uroburos are a driver and an encrypted virtual file system, used to disguise its nasty activities and to try to avoid detection. Its driver part is extremely complex and is designed to be very discreet and very difficult to identify. The malware uses two virtual file systems, one NTFS file system and one FAT file system; both are stored locally on the infected system and are used as a "workspace" by the attackers, providing storage space for third-party tools, post-exploitation tools, temporary files and binary output.
The virtual file system can't be decrypted without the presence of the driver, according to G Data's analysis explained in the PDF. The driver is needed to decrypt the virtual file systems, to create several hooks to hide its activities, to inject libraries into user land and to establish and manage some communication channels.

"The development of a framework like Uroburos is a huge investment. The development team behind this malware obviously comprises highly skilled computer experts, as you can infer from the structure and the advanced design of the rootkit. We believe that the team behind Uroburos has continued working on even more advanced variants, which are still to be discovered."

WITH LOVE FROM RUSSIA: Technical similarities with the earlier malware Agent.BTZ, and the fact that Uroburos checks for the presence of Agent.BTZ on the system and remains inactive if Agent.BTZ is present, make the researchers believe that it was designed by the same team, the Russian intelligence services, according to G Data's analysis.

"Due to many technical details (file name, encryption keys, behavior and more details mentioned in this report), we assume that the group behind Uroburos is the same group that performed a cyberattack against the United States of America in 2008 with a malware called Agent.BTZ," say the researchers.

They also added that the reason it is believed to be of Russian origin is: "Uroburos checks for the presence of Agent.BTZ and remains inactive if it is installed. It appears that the authors of Uroburos speak Russian (the language appears in a sample), which corroborates the relation to Agent.BTZ. Furthermore, according to public newspaper articles, this fact, the usage of Russian, also applied for the authors of Agent.BTZ."

In 2008, USB and removable storage drives were put on hold in U.S. Army facilities after the spread of the Agent.BTZ worm.
The USB stick contained malicious code that was trying to keep multiplying further, and it infected the military's network. The attacks carried out with Uroburos are targeting government institutions, research institutions, intelligence agencies, nation states, research institutions or companies dealing with sensitive information, as well as similar high-profile targets.

The oldest driver identified by the researchers was compiled in 2011, which is evidence that the malware was created around three years ago and went undetected. "The Uroburos rootkit is one of the most advanced rootkits we have ever analyzed in this environment," G Data concluded. The team behind the development of the Uroburos malware has developed an even more sophisticated framework, which still remains undiscovered, the researchers believe.

Many infection vectors are conceivable, e.g. spear phishing, drive-by infections, USB sticks, or social engineering attacks. Source
  14. New research carried out by analysts from Intelligent Content Protection concludes that 90 percent of the top pirate sites link to malware or other unwanted software. In addition, two-thirds of the websites are said to link to credit card scams. Entertainment industry groups hope the findings will motivate people to choose legal options instead.

Most seasoned visitors of torrent sites and streaming portals know that many of the "download" and "play" buttons present are non-functional, at least in the regular sense. In fact, many of these buttons link to advertisements of some sort, ranging from relatively harmless download managers to dubious services that ask for one's credit card details.

A new report backed by the UK entertainment industry has looked into the prevalence of these threats. The study, carried out by the anti-piracy analysts of Intelligent Content Protection (Incopro), found that only 1 of the 30 most-visited pirate sites didn't link to unwanted software or credit card scams.

According to a press release released this morning, the research found that of the 30 top pirate sites, "90% contained malware and other 'Potentially Unwanted Programmes' designed to deceive or defraud unwitting viewers." The "Potentially Unwanted Programmes" category is rather broad, and includes popups and ads that link to download managers.

In addition, the report links one-third of the sites to credit card fraud. "The rogue sites are also rife with credit card scams, with over two-thirds (67%) of the 30 sites containing credit card fraud," the press release states.

While it's true that many pirate sites link to malware and other dubious products, the sites themselves don't host any of the material. For example, none of the top pirate sites TorrentFreak tested were flagged by Google's Safebrowsing tool. This nuance is left out of the official announcement, but the executive summary of the report does make this distinction.
"We did not encounter the automatic injection of any malicious program on the sites that we scanned. In all instances, the user must be tricked into opening a downloaded executable file or in the case of credit card fraud, the user needs to actively enter credit card details," Incopro writes.

Most of the malware and "potentially" unwanted software ends up on users' computers after they click on the wrong "download" button and then install the presented software. In many cases these are installers that may contain relatively harmless adware. However, the researchers also found links to rootkits and ransomware.

The allegation of "credit card fraud" also requires some clarification. Incopro told TorrentFreak that most of these cases involve links to services where users have to pay for access.

"There were 17 separate credit card schemes that were detected through our scanning, with many appearing to be similar or possibly related. Five of the sites had instances of two credit card fraud/scam sites, with the remaining 15 containing one credit card fraud/scam site," Incopro told us. "An example is someone visits one of the pirate sites and clicks a 'Download' or 'Play now' button, which is actually an advert appearing on the page, which then asks for payment details to access the content."

This is characterized as "fraud" because these "premium" streaming or download services can result in recurring credit card charges of up to $50 per month, without an option to cancel.

The report, which isn't available to the public, was commissioned by the UK film service FindAnyFilm and backed by several industry groups. Commenting on the findings, FACT's Kieron Sharp noted that those who fall for these scams are inadvertently funding organized crime. "Not only are you putting your personal security at risk, by using pirate websites you could be helping fund the organised criminal gangs who run these sites as a front for other cyber scams," Sharp says.
It is clear that the research is used for scaremongering. Regular users of these sites know all too well which buttons not to click, so they are not affected by any of the threats. However, there's no denying that some pirate sites deliberately place these "ads" to confuse novice and unsuspecting visitors. Those visitors may indeed end up with adware or malware, or run into scam services.

This isn't in any way a new phenomenon though; it has been going on for more than a decade already. Ironically, the same anti-piracy groups who now warn of these threats are making them worse by cutting pirate sites off from legitimate advertisers. Source: TorrentFreak
  15. A boom in cybercrime levels is forcing security vendors to release defence updates every 40 minutes, according to security firm Symantec. Senior manager for Symantec Security Response Orla Cox reported the development during a briefing attended by V3.

"We're seeing more sophisticated attacks than ever before and people want security," she said. "Nowadays we are rolling out virus signature upgrades around every 40-50 minutes. They're rapid response upgrades that go through partial vetting. We then follow them up with three upgrades per day that are fully certified."

Cox said Symantec began rolling out the rapid updates to help mitigate the growing number of malware variants and active cyber campaigns targeting its customers. "It's been about shaving off minutes for the last couple of years. If you came to us a few years ago it was one [update] and before that it would have taken hours. The rapid updates are for people that need a rapid response, like those suffering an infection."

She said Symantec blocked 568,700 web attacks on its customers and detected a massive 1.6 million malware variants per day in 2013.

But despite helping customers, Cox said the company's rapid update cycle has increased the risk of pushing out an update with a false positive signature. "The biggest quality issue we face is the danger of false positive definitions. There's a risk of detecting something clean as malicious, that's the big no no in our industry, so it's as much about building definitions libraries about legit files as malicious," she said.

False positives are updates from security providers that list legitimate files as malware and block them from running. In the past, faulty updates have caused damage to many companies. In 2013 Malwarebytes crippled thousands of its customers' machines when it issued a false positive update.

Cox said the influx of new threats has also forced Symantec to expand its analysis procedures in recent years.
"We've had to evolve how we work, it's not just about providing protection and moving on any more. Threats and the landscape have changed and to address this we've begun doing intelligence work," she said. "We do bespoke research on occasion, with both customers and law enforcement. These situations are ones where we have the skills they don't – that's the benefit of us being here every day, reverse-engineering malware.

"Doing this over the years we've had to develop a number of systems and now we're trying to understand the individual attacks in the context of who did them and why."

Symantec is one of many technology firms to begin adopting an intelligence-based approach to cyber defence. Facebook unveiled a new automated ThreatData security service designed to detect and catalogue new malware families earlier in March. Source
  16. IObit Malware Fighter Pro 2.4.1.14

IObit Malware Fighter is an advanced malware & spyware removal utility that detects and removes the deepest infections, and protects your PC from various potential spyware, adware, trojans, keyloggers, bots, worms, and hijackers. With the improved, unique "Dual-Core" engine and heuristic malware detection, IObit Malware Fighter detects the most complex and deepest spyware and malware in a very fast and efficient way.

Here are some key features of "IObit Malware Fighter":
One-click Solution and Very Easy to Use: Traditional advantages of IObit products. We love simple and automatic styles.
Complete PC Security Care: Anti-malware, anti-spyware, anti-adware, anti-trojan, anti-bots, and more. IObit Malware Fighter can assist your antivirus in defending against any tricky and complex threats.
Finds the Deepest Infections: Using DOG (Digital Original Gene), a novel heuristic malware detection method, IObit Malware Fighter can find the most complex threats.
Very Fast and Light: Thanks to the improved, unique "Dual-Core" anti-malware engine, complicated analysis can be made faster now.
Works with All Antivirus Products: Everyone needs qualified antivirus software, and IObit Malware Fighter will surely be the best mate for your current antivirus.
Automated Working in the Background: Just install it and forget it. This powerful utility works continuously, automatically and quietly in the background on your PC. You can set it to your schedule or just let it work automatically when your PC is idle.
Automatic and Frequent Updates: With the new-generation malware analysis system and our professional database team, IObit Malware Fighter catches emerging dangerous malware on the Internet.

Website: http://www.iobit.com
OS: Windows XP / Vista / 7 / 8 / 8.1
Language: ML
Medicine: Key / Keygen
Size: 26,63 Mb.
  17. IObit Malware Fighter Pro 2.4.1.15 + Portable

IObit Malware Fighter is an advanced malware & spyware removal utility that detects and removes the deepest infections, and protects your PC from various potential spyware, adware, trojans, keyloggers, bots, worms, and hijackers. With the improved, unique "Dual-Core" engine and heuristic malware detection, IObit Malware Fighter detects the most complex and deepest spyware and malware in a very fast and efficient way.

Here are some key features of "IObit Malware Fighter":
One-click Solution and Very Easy to Use: Traditional advantages of IObit products. We love simple and automatic styles.
Complete PC Security Care: Anti-malware, anti-spyware, anti-adware, anti-trojan, anti-bots, and more. IObit Malware Fighter can assist your antivirus in defending against any tricky and complex threats.
Finds the Deepest Infections: Using DOG (Digital Original Gene), a novel heuristic malware detection method, IObit Malware Fighter can find the most complex threats.
Very Fast and Light: Thanks to the improved, unique "Dual-Core" anti-malware engine, complicated analysis can be made faster now.
Works with All Antivirus Products: Everyone needs qualified antivirus software, and IObit Malware Fighter will surely be the best mate for your current antivirus.
Automated Working in the Background: Just install it and forget it. This powerful utility works continuously, automatically and quietly in the background on your PC. You can set it to your schedule or just let it work automatically when your PC is idle.
Automatic and Frequent Updates: With the new-generation malware analysis system and our professional database team, IObit Malware Fighter catches emerging dangerous malware on the Internet.

Website: http://www.iobit.com
OS: Windows XP / Vista / 7 / 8 / 8.1
Language: ML
Medicine: Key / Keygen
Size: 25,92 / 29,28 Mb.
  18. A new and relatively rare Zeus-style Trojan program has been found which is totally different from other banking Trojans and has the capability to secretly steal data from forms, login credentials and files from the victim, as well as create fake web pages and take screenshots of the victim's computer.

Researchers at RSA Security's FraudAction team have discovered this new and critical threat, dubbed 'Pandemiya', which is being offered to cyber criminals in underground forums as an alternative to the infamous Zeus Trojan and its many variants, which have been widely used by cyber-criminals for years to steal banking information from consumers and companies.

The source code of the Zeus banking Trojan has been available on underground forums for the past few years, which led malware developers to design more sophisticated variants of the Zeus Trojan such as Citadel, Ice IX and Gameover Zeus. But Pandemiya is by far the most isolated and dangerous piece of malware, as the author spent a year writing the code for Pandemiya, which includes 25,000 lines of original code written in C.

Like other commercial Trojans, Pandemiya infects machines through exploit kits and via drive-by download attacks to boost the infection rate, exploiting flaws in vulnerable software such as Java, Silverlight and Flash within a few seconds of the victim landing on the web page.

"Pandemiya's coding quality is quite interesting, and contrary to recent trends in malware development, it is not based on Zeus source code at all, unlike Citadel/Ice IX, etc.," researchers from RSA, the security division of EMC, said Tuesday in a blog post. "Through our research, we found out that the author of Pandemiya spent close to a year of coding the application, and that it consists of more than 25,000 lines of original code in C."

The Pandemiya Trojan uses the Windows CreateProcess API to inject itself into every new process that is initiated, including Explorer.exe, and re-injects itself when needed.
Pandemiya is being sold for as much as$2,000 USD and provides all the nasty features including encrypted communication with command and control servers in an effort to evade detection. The Trojan has been designed with modular architecture to load more external plug-ins, which allows hackers to add extra features simply by writing new DLL (dynamic link library). The extra plug-ins easily add capabilities to the Trojan’s core functionality, that’s why the developer charge an extra of $500 USDto get the core application as well as its plugins, which allows cybercriminals to open reverse proxies on infected computers, to steal FTP credentials and to infect executable files in order to inject the malware at start up. "The advent of a freshly coded new trojan malware application is not too common in the underground," Marcus writes, adding that the modular approach in Pandemiya could make it “more pervasive in the near future." The malware developers are also working on other new features to add reverse Remote Desktop Protocol connections and a Facebook attack module in order to spread the Trojan through hijacked Facebook accounts. HOW TO REMOVE PANDEMIYA TROJAN The Trojan can be easily removed with a little modification in the registry and command line action, as explained below: Locate the registry key HKEY_LOCAL_USER\Software\Microsoft\Windows\CurrentVersion\Run and identify the *.EXE filename in your user’s ‘Application Data’ folder. Note the name, and delete the registry value. Locate the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls. Find the value with the same name as the *.EXE file in the previous step. Note the file name, and remove the value from the registry. Reboot the system. At this stage Pandemiya is installed but no longer running. Delete both files noted earlier. This will remove the last traces of the Trojan. Your system is now clean.Stay Safe! Source
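As an added, read-only check (not part of the article above or of RSA's write-up): the PowerShell script below lists every value under the two autostart locations the removal steps name and flags entries that point into the user's Application Data folder or that share a value name across both keys, which is the pattern the steps describe. It assumes the per-user Run key lives at HKCU:\Software\Microsoft\Windows\CurrentVersion\Run and the machine-wide AppCertDlls key at HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls; it deletes nothing, so the output can be reviewed before any value is removed.

```powershell
# Added example: read-only audit of the two autostart keys named in the
# removal steps. Nothing is deleted; review the output before acting.

$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appCertKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'

# The article only names 'Application Data'; both the roaming and the local
# profile folders are checked here (assumption: %APPDATA% / %LOCALAPPDATA%).
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ }

function Get-AutostartValues {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return }
    $item = Get-Item -Path $Path
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        # Recover the file path: drop surrounding quotes, then cut after .exe/.dll.
        $exe = $data -replace '^"([^"]+)".*$', '$1'
        $exe = $exe -replace '^(.+?\.(?:exe|dll))\b.*$', '$1'
        $inProfile = $false
        foreach ($root in $suspectRoots) {
            if ($exe -like "$root*") { $inProfile = $true }
        }
        $exists = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
        [pscustomobject]@{
            Key       = $Path
            Name      = $name
            Data      = $data
            Exists    = $exists
            InAppData = $inProfile
        }
    }
}

$results = @()
foreach ($key in $runKey, $appCertKey) {
    $results += @(Get-AutostartValues -Path $key)
}

# Full listing first, then the two signals the removal steps rely on.
$results | Format-Table -AutoSize

$shared = $results | Group-Object Name | Where-Object { $_.Count -gt 1 }
if ($shared) {
    Write-Output 'Value names present under both Run and AppCertDlls:'
    $shared | ForEach-Object { Write-Output ('  ' + $_.Name) }
}
$results | Where-Object { $_.InAppData } | ForEach-Object {
    Write-Output ('Autostart entry under the user profile: {0} -> {1}' -f $_.Name, $_.Data)
}
```

AppCertDlls is a legitimate key that is normally empty or absent on a clean client, so any value there deserves a look regardless of where it points; run the script from a normal prompt, since both keys are readable without elevation.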
  19. Cybercriminals and advanced attackers are freely borrowing from one another’s repertoires to great success. The latest example involves spammers firing off up to a half-million email messages during limited campaign segments without triggering any detection alarms.

Security company FireEye said the attackers have found a winning formula to evade detection in one used by a number of APT campaigns, in which attack attributes are changed at a higher rate than IDS and other defenses can keep up with. The campaigns, carried out by the Asprox botnet, were first spotted late last year and by the end of May were spiking noticeably.

“Since then, the threat actors have continuously tweaked the malware by changing its hardcoded strings, remote access commands, and encryption keys,” FireEye said in a report.

In the past, APT campaigns carried out by nation states for the purposes of economic espionage or intelligence gathering have begun to rely on tactics used in commercial malware campaigns. In May 2013, advanced attacks against NGOs, technology companies and government agencies were spotted, and hints were found that the organizers had either borrowed or purchased commercial malware and propagation tools from the criminal underground.

The Asprox campaigns have a much wider reach, infecting victims in countries worldwide in varied industries. The most recent iteration spotted by FireEye had also moved from including links to malicious sites and malware downloads to embedding malicious code in attachments pretending to be a Microsoft Office document in a .zip file. Once the victim falls for the phishing or spam email and opens the infected attachment, the malware is injected into a process created by the attacker. Soon backdoor channels are opened to command and control servers and data is moved off machines in encrypted form to the attackers.

Formerly, Asprox campaigns used themes that ranged from airline tickets to United States Postal Service spam. The attackers have moved off those themes to court-related emails. Victims are seeing phony notices for court appearances, warrants, hearing dates and pre-trial notices. And it seems to be working.

“We saw about 6400 unique MD5s sent out on May 29th. That is a 16,000 percent increase in unique MD5s over the usual malicious email campaign we’d observed,” FireEye said. “Compared to other recent email campaigns, Asprox uses a volume of unique samples for its campaign.”

FireEye also said that campaigns that kicked off in May and lasted into June also were relying on a host of new command and control IP addresses. The malware includes commands to download additional code from a third-party site, code updates, registry modifications and even a command to remove itself, among others.

“The data reveals that each of the Asprox botnet’s malicious email campaigns changes its method of luring victims and C2 domains, as well as the technical details on monthly intervals,” FireEye said. “And, with each new improvement, it becomes more difficult for traditional security methods to detect certain types of malware.”

Source
  20. A new spam campaign has emerged in support of the Asprox botnet. The scheme involves shipping receipt emails that contain malicious links and purport to come from the United States Postal Service (USPS). Anyone who receives one of these emails and clicks on the link therein will have a zip file downloaded onto their machine, according to a Zscaler report.

After a user downloads the zip file, it shows up as a seemingly legitimate-looking Word document on the Windows desktop. That file is in actuality an executable which must be opened before the user becomes infected with the malware.

Researchers from the security firm StopMalvertising analyzed Asprox – also known as Kulouz – in November. They found that the strain of malware began as a password-stealing botnet, but has since evolved to where its primary purpose is to launch automated SQL injection attacks. Asprox, they say, is notorious for spoofing shipping companies like the United Parcel Service and FedEx. Asprox is not new, with references to it on Threatpost dating back as far as 2009.

As of Zscaler’s publication, the threat was scoring a fairly dangerous 4/52 on VirusTotal. At the time of our publication, the detection engines appear to have taken notice, and the threat is now scoring a less potent 27/52.

According to the report, the malware copies itself into an infected user’s Local Application Data before creating an autostarter to ensure that the infection stays around even after restart.

“The common factor across all of these dropped files is that they all POST bzip2 compressed data which is then encrypted with a 16-byte random RC4 key via HTTP as reported by StopMalvertising,” wrote Chris Mannon in the Zscaler analysis. “We’re seeing a growing number of attacks which utilize this method of phone home activity. The case of this Asprox threat phones home over ports 443 and 8080.”

Source
  21. Plenty has been written about the Sefnit malware family and its favor for using Tor to mask communication, as well as the money it’s made for criminals via click-fraud schemes. Sefnit, however, has had a pair of accomplices that until recently were regarded as harmless programs by most security companies.

The trio, which now includes the two malware families Rotbrow and Brantall, is responsible for a startling jump in malware infections detected in the fourth quarter of last year, according to Microsoft. In its latest Security Intelligence Report (SIR), Microsoft puts the blame on Sefnit et al. for a 3x increase in worldwide infection rates at the end of last year.

The SIR reports on malware and vulnerability trends based on data collected by various Microsoft security products, including the Malicious Software Removal Tool (MSRT). Through the first three quarters, infection rates were at around six computers cleaned per 1,000 scanned. In Q4, that number jumped to 18 per 1,000.

Sefnit is the principal antagonist here, and it’s difficult to handle because it’s distributed through a number of non-traditional means, including peer-to-peer file sharing networks, and almost always it’s disguised as legitimate software or bundled with something else.

Enter Rotbrow and Brantall, both of which have been re-classified as malware by Microsoft, and both of which present themselves to victims as legitimate software packages. Rotbrow, for example, pretends to be a safeguard against browser add-ons, while Brantall purports to be an installer for legitimate programs, Microsoft said. Microsoft said that both have been seen installing Sefnit.

“Microsoft has been aware of this program since 2011, but it had never displayed malicious behavior until its association with Sefnit was discovered in 2013,” the SIR says. “Researchers discovered that some versions of the Browser Protector process, called BitGuard.exe, drop an installer for a harmless program called File Scout, and also secretly install Sefnit at the same time.”

“Detections of Rotbrow decreased considerably after December, and the MMPC expects the CCM infection rate to return to more typical levels in subsequent quarters as the MSRT and other security products resolve the remaining backlog of old Rotbrow infections,” the SIR says.

Sefnit, meanwhile, remains an evolving threat, with a recent campaign shunning Tor as a command and control channel in favor of SSH, a more traditional channel. In addition to click fraud, Sefnit is also used for Bitcoin mining and search result hijacking. A new click-fraud component discovered last year, Microsoft said, is used as a proxy service to relay HTTP traffic which is triggered to click on pay-per-click ads.

The SIR also covered vulnerability trends, noting that high severity vulnerability disclosures were down almost nine percent, while medium severity disclosures were up 19 percent and accounted for 59 percent of disclosures in the second half of the year. Industry-wide, vulnerabilities in apps other than browsers and OS apps increased 34 percent. OS vulnerabilities climbed 48 percent, while OS application vulnerabilities dropped 46 percent. Browser vulnerability disclosures were also down 28 percent in the second half of 2013.

As for exploits, Microsoft reports that Java-based attacks are still king, followed by HTML/JavaScript attacks, though both dipped a bit in the fourth quarter, Microsoft said. The decline in both attacks could be traced to the disappearance of the Blackhole Exploit Kit upon the October arrest of its alleged author Paunch.

Source
  22. Security researchers have uncovered a new Stuxnet-like malware, named “Havex”, which was used in a number of previous cyber attacks against organizations in the energy sector.

Just like the famous Stuxnet worm, which was specially designed to sabotage the Iranian nuclear project, the new trojan Havex is also programmed to infect the industrial control system software of SCADA and ICS systems, with the capability to possibly disable hydroelectric dams, overload nuclear power plants, and even shut down a country’s power grid with a single keystroke.

According to security firm F-Secure, who first discovered it as Backdoor:W32/Havex.A, it is a generic remote access Trojan (RAT) and has recently been used to carry out industrial espionage against a number of companies in Europe that use or develop industrial applications and machines.

SMARTY PANTS, TROJANIZED INSTALLERS

To accomplish this, besides traditional infection methods such as exploit kits and spam emails, cybercriminals also used another effective method to spread the Havex RAT, i.e. hacking the websites of software companies and waiting for the targets to install trojanized versions of legitimate apps.

During installation, the trojanized software setup drops a file called "mbcheck.dll", which is actually the Havex malware, that attackers are using as a backdoor.

“The C&C server will [then] instruct infected computers to download and execute further components.”

“We gathered and analyzed 88 variants of the Havex RAT used to gain access to, and harvest data from, networks and machines of interest. This analysis included investigation of 146 command and control (C&C) servers contacted by the variants, which in turn involved tracing around 1500 IP addresses in an attempt to identify victims,” F-Secure said.

F-Secure didn't mention the names of the affected vendors, but an industrial machine producer and two educational organizations in France, along with companies in Germany, were targeted.

INFORMATION GATHERING

The Havex RAT is equipped with a new component whose purpose is to gather network and connected device information by leveraging the OPC (Open Platform Communications) standard. OPC is a communications standard that allows interaction between Windows-based SCADA applications and process control hardware. The malware scans the local network for devices that respond to OPC requests to gather information about industrial control devices and then sends that information back to its command-and-control (C&C) server.

Other than this, it also includes information-harvesting tools that gather data from the infected systems, such as:

- Operating system related information
- A credential-harvesting tool that steals passwords stored in open web browsers
- A component that communicates with different Command-&-Control servers using custom protocols and executes tertiary payloads in memory.

“So far, we have not seen any payloads that attempt to control the connected hardware,” F-Secure confirmed.

MOTIVATION?

While their motivation is unclear at this point, “We also identified an additional component used by the attackers that includes code to harvest data from infected machines used in ICS/SCADA systems. This indicates that the attackers are not just interested in compromising the networks of companies they are interested in, but are also motivated in having control of the ICS/SCADA systems in those organizations,” F-Secure noticed.

HAVEX TROJAN FROM RUSSIANS?

In January this year, cybersecurity firm CrowdStrike revealed a cyber espionage campaign, dubbed "Energetic Bear," in which hackers possibly tied to the Russian Federation penetrated the computer networks of energy companies in Europe, the United States and Asia. According to CrowdStrike, the malware used in those cyber attacks was the HAVEX RAT and the SYSMain RAT, and possibly the HAVEX RAT is itself a newer version of the SYSMain RAT; both tools have been operated by the attackers since at least 2011.

That means it is possible that the Havex RAT could be somehow linked to Russian hackers or state-sponsored by the Russian Government.

Source
  23. IObit Malware Fighter Pro 2.4.1.16

IObit Malware Fighter is an advanced malware & spyware removal utility that detects and removes the deepest infections, and protects your PC from various potential spyware, adware, trojans, keyloggers, bots, worms, and hijackers. With the improved, unique "Dual-Core" engine and heuristic malware detection, IObit Malware Fighter detects the most complex and deepest spyware and malware in a very fast and efficient way.

Here are some key features of "IObit Malware Fighter":

- One-click Solution and Very Easy to Use: Traditional advantages of IObit products. We love simple and automatic styles.
- Complete PC Security Care: Anti-malware, anti-spyware, anti-adware, anti-trojan, anti-bots, and more. IObit Malware Fighter can assist your antivirus in defending against any tricky and complex threats.
- Finds the Deepest Infections: Using DOG (Digital Original Gene), a novel heuristic malware detection method, IObit Malware Fighter can find the most complex threats.
- Very Fast and Light: Thanks to the improved, unique "Dual-Core" anti-malware engine, complicated analysis can now be made faster.
- Works with All Antivirus Products: Everyone needs qualified antivirus software, and IObit Malware Fighter will surely be the best mate for your current antivirus.
- Automated Working in the Background: Just install it and forget it. This powerful utility works continuously, automatically and quietly in the background on your PC. You can set it to your schedule or just let it work automatically when your PC is idle.
- Automatic and Frequent Updates: With the new-generation malware analysis system and our professional database team, IObit Malware Fighter catches emerging dangerous malware on the Internet.

Website: http://www.iobit.com
OS: Windows XP / Vista / 7 / 8 / 8.1
Language: ML
Medicine: Key / Keygen
Size: 25,84 Mb
  24. More and more pieces of malware have become capable of targeting users running 64-bit versions of operating systems. One of them is KIVARS, a piece of malware whose 64-bit version was recently analyzed by researchers from Trend Micro.

According to the security firm, the Trojan is distributed with the aid of TROJ_FAKEWORD.A, a dropper that's designed to drop two executable files and a Microsoft Word document on infected systems. In the 32-bit version, the executable files are copied into the "windows system" folder with the names iprips.dll, which is detected by Trend Micro as TROJ_KIVARSLDR, and winbs2.dll, detected as BKDR_KIVARS. The latest versions of KIVARS, which can target both 32-bit and 64-bit systems, drop these components in the same folder, but under a random name, with the backdoor file having either a .tib or a .dat extension.

The dropper uses the right-to-left override (RLO) technique and a genuine Microsoft Word icon to make it look like the document file, which is password protected and acts as a decoy, is genuine, Trend said. These techniques have also been used in a campaign targeted at government agencies in Taiwan, which Trend Micro recently analyzed.

Once executed, TROJ_KIVARSLDR, the loader installed as a service named iprip, loads and runs the backdoor payload BKDR_KIVARS in memory, Trend explained. The backdoor is capable of carrying out various tasks, including downloading, uploading and manipulating files, uninstalling malware services, taking screenshots, activating a keylogger, manipulating active windows, and executing mouse and keyboard actions. In the versions that support 64-bit operating systems, the loader is installed as services named Iprip, Irmon and ias.

Additionally, the backdoor uses a slightly modified version of the RC4 encryption algorithm to encrypt its configuration information. RC4 is also used to encrypt the first packets sent by the malware back to the command and control (C&C) server. These initial packets contain information such as the victim’s IP, OS version, username, hostname, the version of KIVARS, and the layout of the keyboard attached to the infected device. In the latest versions of KIVARS, a randomly generated packet is sent first to the C&C, based on which a key is generated to help the malware verify the reply from the server. Only then is the system information encrypted with RC4 and sent to the C&C.

"The earlier versions of this BKDR_KIVARS only encrypts the 'MZ' magic byte for the backdoor payload. As for the newer versions, the backdoor payload is now encrypted using the modified RC4," Trend Micro Threat Analyst Kervin Alintanahin explained in a blog post.

The threat group behind this campaign also uses the POISON remote access Trojan (RAT) for its malicious activities, Trend Micro said.

Source
  25. Hackers are targeting Brazil’s Boleto payment system, the second most popular payment method in the country, and have conducted hundreds of thousands of fraudulent transactions valued at close to $4 billion.

Formally known as Boleto Bancario, Boletos are financial documents issued by banks that can be used by consumers to make payments to utilities and other outlets. Boletos are either printed and mailed to customers, or are generated and sent via electronic transfers. Common to all are a bar code, an identification field or numerical representation of the bar code, and an identification number.

Researchers at RSA Security yesterday reported the discovery of an extensive and effective malware campaign that’s been operating for two years and has ratcheted up the sophistication of Boleto fraud, which used to be confined to offline forgery of the payment documents. The Boleto malware attacks leverage man-in-the-browser infections to attack vulnerabilities in Chrome, Firefox and Internet Explorer running on Windows PCs and redirect Boleto payments to the attacker’s money mule account.

“Since the malware is MITB, all malware activities are invisible to both the victim and the web application,” RSA said in its report, adding that there are up to 19 variants of the malware.

RSA said it has detected 495,753 fraudulent Boleto transactions since 2012, valued at $3.75 billion USD.

“Boleto malware is a major fraud operation and a serious cybercrime threat to banks, merchants and banking customers in Brazil,” RSA said. “While the Bolware fraud ring may not be as far-reaching as some larger international cybercrime operations, it does appear to be an extremely lucrative venture for its masterminds.”

In a legitimate online Boleto transaction, an online store, for example, will generate and send the Boleto to a customer. The customer can then choose where to use it once it’s displayed in the browser. Once an infected PC is used, the Boleto data is stolen along with all browser data and sent to the attacker’s server. The attacker then modifies the Boleto data to send payments to the hacker’s mule account rather than to the bank.

RSA said it has detected 192,227 bots, or unique IPs, that have been infected. More than 30 bank brands have been affected in this campaign, which has also scooped up more than 83,000 email credentials and other data stolen by the malware.

RSA said this type of fraud is difficult for the customer to detect because the ID number fields aren’t tied to a payee and customers don’t generally validate that type of information. Banks, RSA said, don’t detect the fraud immediately because transactions are coming from customer computers and customers make frequent Boleto payments. Fraudulent Boleto ID numbers and attack characteristics have been turned over to the FBI and Brazil’s federal police, RSA said.

“While the Boleto malware and the manner in which it modifies Boleto transactions is difficult to detect, it appears to affect only Boletos that are generated or paid online via infected Windows-based PCs using three popular web browsers,” RSA said. “RSA Research has not seen evidence of compromise with transactions via Boleto mobile applications or DDA (authorized direct debit) digital wallets.”

Source