New Java Exploit Kit:
Researchers from SpiderLabs recently spotted RedKit, a private web malware exploitation kit that targets popular, already patched vulnerabilities and has a QA (quality assurance) element built into it.
What is so special about RedKit, and how does it differentiate itself from the rest of the exploit kits currently observed in the wild? Besides exploiting CVE-2010-0188 (Adobe Reader) and CVE-2012-0507 (Java), the cybercriminals behind the kit also offer, as a managed service, legitimate traffic that is later converted into malware-infected hosts.
Malware already taking advantage of Olympics:
Security researchers from TrendMicro have intercepted currently circulating 2012 Olympics themed emails carrying malicious attachments.
The cybercriminals behind the campaign entice home and corporate users into opening a malicious Microsoft Office (.doc) attachment which, once opened, attempts to exploit CVE-2010-3333 (RTF Stack Buffer Overflow Vulnerability) and then drops a backdoor on the infected PC.
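The CVE-2010-3333 lures work because Word opens RTF content whatever the extension says, and the bug itself lives in the handling of the pFragments shape property. The triage script below is an added example for this page, not code from TrendMicro or the original article: it checks whether a ".doc" attachment is really RTF and whether it carries a pFragments property with an oversized value. The sample attachments are constructed inline, and the 64-byte threshold is an assumption.

```python
"""Triage an e-mail attachment named .doc: is it really RTF, and does it carry
the pFragments shape property that the CVE-2010-3333 exploit abuses?
Added example for this page, not code from TrendMicro or the original article.
The sample attachments below are constructed inline, not real captures."""
import re

# A genuine Word binary .doc is an OLE compound file; an RTF file starts with
# "{\rtf".  Word opens RTF regardless of the file extension, so exploit
# documents are commonly sent as ".doc" to look like ordinary Word files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
RTF_MAGIC = b"{\\rtf"

# CVE-2010-3333 is reached through a shape property written as
#   {\sp{\sn pFragments}{\sv 1;1;<hex data>}}
# where the exploit supplies an over-long \sv value.  Real documents almost
# never use pFragments at all, so its presence is already a strong indicator.
SN_PFRAGMENTS_RE = re.compile(rb"\\sn\s*pFragments\b")
SV_RE = re.compile(rb"\\sv\s*([^}]*)")
SV_LEN_THRESHOLD = 64  # assumed cut-off; legitimate values are a few bytes


def detect_format(data):
    """Classify by magic bytes, ignoring the file name entirely."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def triage_attachment(name, data):
    """Return a dict with the detected format, indicator list and verdict."""
    fmt = detect_format(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    reasons = []
    sv_len = 0
    if ext == "doc" and fmt == "rtf":
        reasons.append("doc-extension-but-rtf")
    if fmt == "rtf":
        hit = SN_PFRAGMENTS_RE.search(data)
        if hit:
            reasons.append("pFragments-property")
            sv = SV_RE.search(data, hit.end())
            if sv:
                sv_len = len(sv.group(1).strip())
                if sv_len > SV_LEN_THRESHOLD:
                    reasons.append("oversized-sv-value")
    return {
        "format": fmt,
        "sv_len": sv_len,
        "reasons": reasons,
        "verdict": "suspicious" if reasons else "ok",
    }


# Constructed samples: a minimal OLE header, a harmless RTF, and an RTF that
# mimics the exploit layout with a long filler value (no working exploit).
SAMPLES = {
    "minutes.doc": OLE_MAGIC + b"\x00" * 24,
    "notes.rtf": b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}Hello\\par}",
    "Olympics_Tickets.doc": (
        b"{\\rtf1\\ansi{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 1;1;"
        + b"41" * 400
        + b"}}}}}"
    ),
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, triage_attachment(fname, blob))
```

Caveat: this greps the raw bytes, so it will miss RTF obfuscation (control words split across groups, names spelled with hex escapes). For mail-gateway use, tokenize the RTF properly, for example with oletools' rtfobj, and apply the same two checks to the parsed shape properties.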
How safe are QR Codes?
The codes have proved to be popular with marketers, even if they are not well understood by many mobile users: a recent survey by analyst firm Russell Herder suggested that more than half of all respondents — including more than 80 per cent of respondents in the 18-24 bracket — had seen QR codes, while around 16 per cent of all respondents had actually scanned one.
Tellingly, however, one out of five respondents had no idea what a QR code is. That is around the same percentage, 22 per cent, of Fortune 50 companies that are experimenting with QR codes in their marketing, and not entirely without success: a separate study by Comscore suggested that 14 million U.S. residents scanned QR codes in June 2011 alone.
While marketers wrestle with building demand for the codes, consumers may unwittingly be wrestling with something far more threatening: a QR code is just an opaque string, and the scanner app decides what to do with it. What if that barcode led your smartphone to a malware-infected Web site? And what if that malware was optimized to target Apple's iOS, Google's Android, or other mobile operating systems with a Trojan that would run in the background and send passwords to its masters?
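The practical defence is to look at what the code decoded to before the phone acts on it. The checker below is an added example for this page, not code from the cited studies or from any scanner app: it rates a decoded QR string by scheme (tel:, sms: and intent: do more than open a page), by authority tricks (user-info before "@", raw IP addresses, punycode hosts, odd ports) and by whether the destination is hidden behind a shortener. The shortener list and the sample payloads are constructed for illustration.

```python
"""Inspect the text decoded from a QR code before handing it to the browser.
Added example for this page, not code from the cited studies or any scanner
app; the payloads at the bottom are constructed for illustration."""
import ipaddress
from urllib.parse import urlsplit

WEB_SCHEMES = {"http", "https"}
# Schemes that do more than open a page when a phone scanner follows them.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "intent", "market",
                  "javascript", "data", "file"}
# Assumed list of redirectors that hide the real destination from the user.
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "is.gd"}


def assess_qr_url(payload):
    """Return {'risk': 'low'|'medium'|'high', 'reasons': [...]} for a decoded string."""
    reasons = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    if scheme in ACTION_SCHEMES:
        return {"risk": "high",
                "reasons": [f"action scheme '{scheme}' (dials, sends or runs something)"]}
    if scheme not in WEB_SCHEMES:
        return {"risk": "high",
                "reasons": [f"unrecognised scheme '{scheme or 'none'}'"]}

    host = parts.hostname or ""
    # Authority-level tricks: everything here is rated high on its own.
    if "@" in parts.netloc:
        reasons.append("user-info or fake host before '@' in the authority")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a host name")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        reasons.append("IDN/punycode host, possible homograph")
    try:
        port = parts.port
    except ValueError:
        port = -1  # unparsable port is itself suspicious
    if port not in (None, 80, 443):
        reasons.append(f"non-standard port {port}")
    high = bool(reasons)

    # Medium-severity signals: destination hidden or unauthenticated transport.
    if host in SHORTENERS:
        reasons.append("URL shortener hides the destination")
    if scheme == "http":
        reasons.append("plain http, content can be swapped in transit")

    risk = "high" if high else ("medium" if reasons else "low")
    return {"risk": risk, "reasons": reasons}


# Constructed payloads, not taken from any real QR campaign.
SAMPLE_PAYLOADS = {
    "poster": "https://www.example.com/olympics-tickets",
    "dialer": "tel:+15555550100",
    "login-trick": "http://secure-bank.example.com@203.0.113.7/login",
    "shortener": "https://bit.ly/3abc",
    "homograph": "https://xn--pple-43d.com/",
}

if __name__ == "__main__":
    for label, url in SAMPLE_PAYLOADS.items():
        print(label, assess_qr_url(url))
```

A scanner that applies this before opening anything, and shows the user the decoded string rather than just "Open?", removes most of the surprise from a poisoned poster; it does not replace patching the browser and plug-ins that the landing page would target.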
Religious sites found to contain more malware than porn sites:
Religious sites may pose a much bigger cyber-threat to surfers than adult or pornographic sites, according to a study by Symantec, a computer security vendor.
Symantec said its Internet Security Threat Report’s 2011 trends published in April showed that, “Religious and ideological sites were found to have triple the average number of threats per infected site than adult/pornographic sites.”
Moreover, it said “We hypothesize that this is because pornographic website owners already make money from the Internet and, as a result, have a vested interest in keeping their sites malware-free – it’s not good for repeat business.”
Ransomware pushed through Citadel:
Security researchers from Trusteer have intercepted a ransomware variant being pushed using the Citadel crimeware platform.
The ransomware is delivered through drive-by malware attacks. Upon execution the following activities take place:
Once installed on the victim's computer, the ransomware locks up the targeted machine and displays a warning message notifying the user that they have violated United States Federal Law. The web inject screen claims that the IP address of the infected machine was identified by the Computer Crime & Intellectual Property Section as having visited websites that contain child pornography and other illegal content. In order to unlock their computer, the victim is instructed to pay a $100 fine to the US Department of Justice using prepaid money card services. The payment options presented to the victim depend on the geographic location of their IP address; for example, users with US IP addresses must pay using MoneyPak or Paysafecard.
What is particularly interesting about this campaign is that it is a decent example of campaign optimization by the cybercriminals behind it, stacking multiple monetization vectors: not only do they earn revenue from the ransomware payment, they can also hijack online banking transactions, since the Citadel crimeware remains active on the system after the lock screen appears.
Blackhole-driven ransomware in Europe:
A campaign of "ransomware" is locking people out of their computers unless they pay up the demanded amount of money.
Spotted by security blog abuse.ch, the malware is distributed through an exploit kit known as "Blackhole." Sold underground, Blackhole is used by criminals to infect computers through security holes in the browser or in third-party plug-ins such as Java and Adobe Reader.
If the installed version of Java, for example, is not up to date with the latest patches, the kit exploits that weakness to download the Trojan to the PC and run it. Once the PC is infected, the user sees a message on the screen saying that the computer has been locked for illegally downloading pirated music.
The message aimed at users in the U.K. further says that "to unlock your computer and to avoid other legal consequences, you are obligated to pay a release fee of 50 pounds," around $80. The directions instruct the user to submit payment using an online payment system called Paysafecard. The message itself tries to look official, with a logo of the Metropolitan Police at the top.
The malware has so far been targeting users in the U.K., Germany, France, Switzerland, Austria, and the Netherlands. The criminal behind this campaign appears to speak German, according to abuse.ch, since the local URLs used in this scam are all in German.
The messages themselves are, of course, written in the native language of the intended victims in each country, and even tell them where and how to obtain Paysafecard locally.
The ransomware carries a further payload in the form of a Trojan called Aldi Bot, which steals banking information, abuse.ch added.