Turk posted a topic in Security & Privacy News

By Dan Goodin - Feb 11 2014, 8:33am AEST

Attackers used phishing and zero-days to infect Windows, Mac, and Linux users.

[Figure: Mask victims by IP address.]

Calling it the most sophisticated malware-driven espionage campaign ever discovered, researchers said they have uncovered an attack dating back to at least 2007 that infected computers running the Windows, OS X, and Linux operating systems of 380 victims in 31 countries. The "Mask" campaign, which gets its name from a string of text found in one of the malware samples, includes a variety of components used to siphon encryption keys, keystrokes, Skype conversations, and other types of sensitive data off infected computers. There is also evidence that the Spanish-speaking attackers had malware that ran on devices running both Apple's iOS and Google's Android mobile operating systems. Victims include government agencies, embassies, research institutions, private equity firms, activists, energy companies, and companies in other industries.

The sophistication of Mask makes it likely that the campaign is the work of attackers sponsored by a well-resourced nation-state, said researchers from Kaspersky Lab, the Moscow-based security company that discovered it. Mask—or "Careto" as its Spanish slang translation appears in source code analyzed by Kaspersky—joins a pantheon of other state-sponsored malware campaigns with names including Stuxnet, Flame, Duqu, Red October, Icefog, and Gauss. Unlike more opportunistic crimeware campaigns that generate revenue by targeting anyone with an Internet-connected computer, these "advanced persistent threats" (APTs) are much more determined. They're tailored threats that are aimed at specific people or organizations who possess unique data or capabilities with strategic national or business value.

"With Careto, we describe yet another sophisticated cyberespionage operation that has been going on undiscovered for more than five years," Kaspersky Lab researchers wrote in a detailed analysis published Monday. "In terms of sophistication, we put Careto above Duqu, Gauss, RedOctober, or Icefog, making it one of the most complex APTs we observed."

The attackers relied on highly targeted spear phishing e-mails to lure targeted individuals to malicious websites. In some cases, attackers impersonated well-known websites, such as those operated by The Guardian and The Washington Post. One of the exploits recently used by the attackers targeted CVE-2012-0773, a highly critical vulnerability in Adobe's Flash Player that made it possible to bypass the sandbox security protection Google Chrome and other browsers rely on to prevent websites from executing malicious code on end-user computers.

"What makes 'The Mask' special is the complexity of the toolset used by the attackers," the Kaspersky analysis stated. "This includes an extremely sophisticated malware, a rootkit, a bootkit, 32- and 64-bit Windows versions, Mac OS X and Linux versions, and possibly versions of Android and iPad/iPhone (Apple iOS)."

Kaspersky researchers first stumbled onto Mask after noticing that it exploited a vulnerability in older versions of Kaspersky antivirus products to hide itself. The vulnerability has been patched for an unspecified amount of time, but attackers were exploiting the vulnerability on machines that continued to run older versions of the Kaspersky software. Like Stuxnet and many other pieces of malware used in the last five years, Mask code was digitally signed, in this case with a valid certificate issued to a fake company called TecSystem Ltd. Such digital credentials are designed to bypass warnings delivered by Windows and other operating systems before executing programs that haven't been vouched for by credentials issued by a recognized certificate authority.

The malware uses encrypted HTTP or HTTPS channels when communicating with command and control servers. Researchers were able to take control of some of the domain names or IP addresses hosting the control servers that Mask-infected computers reported to. In all, the researchers observed 1,000 separate IP addresses in 31 countries connect. They also found traces of 380 different victim identifiers designated by the Mask naming convention.

The Mask campaign was abruptly shut down last week within hours of being revealed in a short blog post. "For Careto, we observed a very high degree of professionalism in the operational procedures of the group behind this attack, including monitoring of their infrastructure, shutdown of the operation, avoiding curious eyes through access rules, using wiping instead of deletion for log files and so on," the Kaspersky analysis noted. "This is not very common in APT operations, putting the Mask into the 'elite' APT groups section."

Post updated to add "slang" to the third paragraph.

http://arstechnica.com/security/2014/02/meet-mask-posssibly-the-most-sophisticated-malware-campaign-ever-seen
Turk posted a topic in Security & Privacy News

By Topher Kessler February 10, 2014 1:06 PM PST

Disguised as a legitimate project on GitHub called StealthBit, the malware installs a browser extension to look for and steal Bitcoin wallet and account credentials.

Security research site SecureMac has discovered a new trojan horse that is targeted at OS X systems, and which spies on Internet traffic to steal Bitcoins. The trojan, called OSX/CoinThief.A, is disguised as a standard OS X application called StealthBit, which was recently uploaded to GitHub. While advertised as a legitimate project for receiving Bitcoin payments on Bitcoin Stealth Addresses (a key encryption routine for securing a bitcoin transfer), StealthBit was instead a guise to install malicious tracker software on unsuspecting Mac users.

The project page on GitHub included source code along with precompiled binaries for those without the means to compile their own. While this is a common and convenient practice for GitHub projects, in this case the precompiled binary did not match the project's source code, and instead contained the malware for tracking users' Web activity. When downloaded and run, the binary would install a browser extension in the user's home folder that would run when Safari or another Web browser was launched. This extension would then monitor the sites that users visit, and log credentials entered into them, in order to send account information for Bitcoin sites, along with information about the user's system, to third-party servers. In order to disguise the extension, the criminals behind it have given it generic names like "Pop-up blocker," and attempted to prevent its discovery by having it search for installations of common anti-malware tools and not install on systems containing them.

Being a relatively new growing market with recent prices closing at around $700 per coin, Bitcoin trading has attracted a number of attempts to mine, steal, and otherwise capitalize on this currency, and this latest malware is only the latest attempt to do so. For now, not much is known about OSX/CoinThief.A, and SecureMac and other security analysts are continuing to investigate the malware; however, if you have recently downloaded a Bitcoin management tool from GitHub, then for now you can check your browser's active extensions to see if any are present that you did not specifically install. For Safari users, you can go to the Extensions section of Safari's preferences to view active extensions. For Firefox, you can select Add-ons from the Tools menu, and then click the Extensions section, and in Chrome you can select Extensions from the Window menu. If you find unknown extensions in these locations, then you can disable or remove them, but then re-check periodically to see if they reappear, as such activity would indicate a persistent component of the malware that keeps the extension installed and active.

This malware is known to install background tasks that launch automatically when users log into their accounts. These routines are generally managed by Launch Agent scripts, which are located in the username > Library > LaunchAgents folder. While launch agents are commonly used by updaters and other programs you run to give you alerts and to schedule update checks, they are also used by malware developers to keep malicious programs alive in the background. By opening each launch agent and checking the "Program Arguments" or "Program" key, you can see what executable (and its corresponding path) is being targeted by that launch agent, and then check various online sources such as the Apple Support Communities to see if the paths and executables are legitimate.

Unfortunately, sometimes launch agent manipulation by malware developers can be somewhat difficult to identify, especially since a launch agent and executable can be easily masked to look legitimate. Therefore, if you are uncertain of how to look for and remove malware, you might use a reputable anti-malware scanner that has been updated to identify CoinThief.A. As the investigation into this malware develops, definitions for it and any future variants of it will become available, which can be used to better detect its presence and remove it from an infected system.

http://reviews.cnet.com/8301-13727_7-57618666-263/new-os-x-trojan-monitors-web-activity-to-steal-bitcoins
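The launch-agent check described in the post above, as an added example that is not from the CNET article or from SecureMac: it parses LaunchAgents plists, pulls the Program or ProgramArguments target, and flags traits a reviewer would look at twice (executable under the home folder, hidden path component, RunAtLoad plus KeepAlive). The two sample plists and the /Users/alice home path are constructed for the demo.

```python
import os
import plistlib
from typing import Dict, List
# Constructed sample launch agents (not real CoinThief artifacts); on a live
# system read them from ~/Library/LaunchAgents with load_agents_dir() below.
SAMPLE_AGENTS: Dict[str, bytes] = {
    "com.example.updater.plist": b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string><string>--check</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>""",
    "com.popupblocker.helper.plist": b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.popupblocker.helper</string>
  <key>Program</key><string>/Users/alice/Library/Application Support/.pb/helper</string>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
}

def load_agents_dir(path: str) -> Dict[str, bytes]:
    """Read every .plist in a LaunchAgents folder (e.g. ~/Library/LaunchAgents)."""
    out: Dict[str, bytes] = {}
    for name in sorted(os.listdir(path)):
        if name.endswith(".plist"):
            with open(os.path.join(path, name), "rb") as f:
                out[name] = f.read()
    return out

def agent_target(plist_bytes: bytes) -> str:
    """Return the executable an agent runs: the Program key, else ProgramArguments[0]."""
    data = plistlib.loads(plist_bytes)
    if "Program" in data:
        return data["Program"]
    args = data.get("ProgramArguments") or []
    return args[0] if args else ""

def review_agents(agents: Dict[str, bytes], home: str) -> List[dict]:
    """Summarise each agent and flag traits that deserve a closer look."""
    findings = []
    for name, raw in agents.items():
        data, target, flags = plistlib.loads(raw), agent_target(raw), []
        if target.startswith(home):
            flags.append("executable under home directory")
        if "/." in target:
            flags.append("hidden path component")
        if data.get("RunAtLoad") and data.get("KeepAlive"):
            flags.append("RunAtLoad+KeepAlive (restarts if killed)")
        findings.append({"agent": name, "label": data.get("Label", ""), "target": target, "flags": flags})
    return findings
```

A flag is a prompt to verify the path against a trusted source, as the post suggests, not proof of malware: plenty of legitimate helpers also live under the home folder.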
shamu726 posted a topic in FileSharing News

New research carried out by analysts from Intelligent Content Protection concludes that 90 percent of the top pirate sites link to malware or other unwanted software. In addition, two-thirds of the websites are said to link to credit card scams. Entertainment industry groups hope the findings will motivate people to choose legal options instead.

Most seasoned visitors of torrent sites and streaming portals know that many of the “download” and “play” buttons present are non-functional, at least in the regular sense. In fact, many of these buttons link to advertisements of some sort, ranging from relatively harmless download managers to dubious services that ask for one’s credit card details. A new report backed by the UK entertainment industry has looked into the prevalence of these threats. The study, carried out by the anti-piracy analysts of Intelligent Content Protection (Incopro), found that only 1 of the 30 most-visited pirate sites didn’t link to unwanted software or credit card scams.

According to a press release released this morning, the research found that of the 30 top pirate sites, “90% contained malware and other ‘Potentially Unwanted Programmes’ designed to deceive or defraud unwitting viewers.” The “Potentially Unwanted Programmes” category is rather broad, and includes popups and ads that link to download managers. In addition, the report links one-third of the sites to credit card fraud. “The rogue sites are also rife with credit card scams, with over two-thirds (67%) of the 30 sites containing credit card fraud,” the press release states.

While it’s true that many pirate sites link to malware and other dubious products, the sites themselves don’t host any of the material. For example, none of the top pirate sites TorrentFreak tested were flagged by Google’s Safebrowsing tool. This nuance is left out of the official announcement, but the executive summary of the report does make this distinction.

“We did not encounter the automatic injection of any malicious program on the sites that we scanned. In all instances, the user must be tricked into opening a downloaded executable file or in the case of credit card fraud, the user needs to actively enter credit card details,” Incopro writes.

Most of the malware and “potentially” unwanted software ends up on users’ computers after they click on the wrong “download” button and then install the presented software. In many cases these are installers that may contain relatively harmless adware. However, the researchers also found links to rootkits and ransomware.

The allegation of “credit card fraud” also requires some clarification. Incopro told TorrentFreak that most of these cases involve links to services where users have to pay for access. “There were 17 separate credit card schemes that were detected through our scanning, with many appearing to be similar or possibly related. Five of the sites had instances of two credit card fraud/scam sites, with the remaining 15 containing one credit card fraud/scam site,” Incopro told us. “An example is someone visits one of the pirate sites and clicks a ‘Download’ or ‘Play now’ button, which is actually an advert appearing on the page, which then asks for payment details to access the content.” This is characterized as “fraud” because these “premium” streaming or download services can result in recurring credit card charges of up to $50 per month, without an option to cancel.

The report, which isn’t available to the public, was commissioned by the UK film service FindAnyFilm and backed by several industry groups. Commenting on the findings, FACT’s Kieron Sharp noted that those who fall for these scams are inadvertently funding organized crime. “Not only are you putting your personal security at risk, by using pirate websites you could be helping fund the organised criminal gangs who run these sites as a front for other cyber scams,” Sharp says.

It is clear that the research is used for scaremongering. Regular users of these sites know all too well what buttons not to click, so they are not affected by any of the threats. However, there’s no denying that some pirate sites deliberately place these “ads” to confuse novice and unsuspecting visitors. Those visitors may indeed end up with adware, malware or run into scam services. This isn’t in any way a new phenomenon, though; it has been going on for more than a decade already. Ironically, the same anti-piracy groups who now warn of these threats are making them worse by cutting pirate sites off from legitimate advertisers.

Source: TorrentFreak
Turk posted a topic in Security & Privacy News

By Shona Ghosh Posted on 9 Jan 2014 at 15:21

Millions of PCs may have been infected by malware inserted into ads on Yahoo websites - and then used to mine bitcoins.

Yahoo confirmed this week that hackers had managed to insert malware into ads displayed on some of its European sites, but hasn't said how many users have been affected. Security company Light Cyber estimates that several million PCs have been infected, and found the malware had been used to install Bitcoin-mining software on some machines. Separate estimates this week from security firm Fox-IT suggest the UK has one of the highest numbers of affected users.

Light Cyber founder and vice president for product and strategy, Giora Engel, said the hackers were potentially building a huge network of Bitcoin-mining PCs, since the task is too labour-intensive for one machine. He added that the malware had delivered other tools that gave hackers control over infected PCs. "This campaign downloaded a variety of different tools - some were malware to enable attackers to control each infected PC and steal passwords," he told PC Pro. "Other tools were more specific – the Bitcoin mining tool is not malware itself, it's something anyone can download and generate Bitcoin."

Engel estimated that, with several million machines at their disposal, the hackers could be making $10,000 (approximately £6,000) a day. Security companies have said the number of Bitcoin-related attacks will rise this year, after the virtual currency shot up in value. One Bitcoin is currently worth around £500, though its value fluctuates.

http://www.pcpro.co.uk/news/security/386452/yahoo-malware-turns-millions-of-pcs-into-bitcoin-network