
Monday, January 13, 2014

Yahoo malvertising is linked to a larger malware scheme



According to research from Cisco Systems, the cyberattack that infected Yahoo users with malware is linked to a suspicious traffic-selling affiliate scheme with ties to Ukraine.

Yahoo said on Sunday that European users had seen malicious advertisements, or “malvertisements,” between December 31st and January 11th.

If the advertisement is clicked, the user is directed to a website that attempts to install malicious software.
Cisco has linked the malicious websites to hundreds of ongoing cyberattacks.

The malicious domains all start with a series of numbers, contain anywhere from two to six cryptic sub-domain labels, and end with two random words in the second-level domain.


Researchers examined the IP block hosting the domains to which Yahoo victims were redirected and found 393 other domains that matched the same pattern.
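As an added illustration (not from the ComputerWorld article or from Cisco's research), the following Python encodes the naming pattern above as a heuristic check and pivots from one confirmed redirect domain to other pattern-matching domains hosted in the same IP block, the way the researchers found the 393 related domains. The label-count thresholds, the sample hostnames and the IP addresses are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Heuristic encoding of the naming pattern described in the post. The exact
# thresholds and what counts as "cryptic" are assumptions, not values from Cisco.
NUMERIC_LABEL = re.compile(r"^\d+$")             # "start with a series of numbers"
CRYPTIC_LABEL = re.compile(r"^[a-z0-9]{2,12}$")  # short alphanumeric junk labels
TWO_WORD_SLD = re.compile(r"^[a-z]{6,}$")        # two concatenated words, letters only


def matches_pattern(domain: str) -> bool:
    """True if `domain` fits the redirect-domain pattern: a numeric first label,
    two to six sub-domain labels in total (numeric one included), the rest cryptic,
    and a letters-only second-level domain."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 4:                       # TLD + SLD + at least two sub-domain labels
        return False
    sld, subs = labels[-2], labels[:-2]
    if not 2 <= len(subs) <= 6:
        return False
    if not NUMERIC_LABEL.match(subs[0]):
        return False
    if not all(CRYPTIC_LABEL.match(label) for label in subs[1:]):
        return False
    return TWO_WORD_SLD.match(sld) is not None


def pattern_neighbors(resolutions, seed_domain, prefix_len=24):
    """Given (domain, ip) pairs from passive DNS or proxy logs, return the other
    pattern-matching domains that share an IP block with `seed_domain`,
    keyed by block."""
    seed_blocks = {
        ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        for dom, ip in resolutions if dom == seed_domain
    }
    hits = defaultdict(set)
    for dom, ip in resolutions:
        if dom == seed_domain or not matches_pattern(dom):
            continue
        block = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        if block in seed_blocks:
            hits[str(block)].add(dom)
    return {block: sorted(doms) for block, doms in hits.items()}


# Constructed sample observations (documentation-range IPs, made-up hostnames).
SAMPLE_RESOLUTIONS = [
    ("512.k9x2.qr7v.blankcanvas.example", "203.0.113.10"),       # confirmed redirect (seed)
    ("77.a1b2.zz9q.silentharbor.example", "203.0.113.44"),       # same block, same pattern
    ("9031.f4.d8k1.lo2p.greenmeadow.example", "203.0.113.201"),  # same block, same pattern
    ("cdn.static.vendor.example", "203.0.113.50"),               # same block, benign naming
    ("news.12.silverlake.example", "203.0.113.77"),              # numeric label is not first
    ("44.b3c.x9.copperfield.example", "198.51.100.9"),           # pattern, but other block
]

if __name__ == "__main__":
    seed = SAMPLE_RESOLUTIONS[0][0]
    for block, doms in pattern_neighbors(SAMPLE_RESOLUTIONS, seed).items():
        print(block, doms)
```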

The domains seem to be a part of a scheme designed to direct people to malware.  The group behind the scam infects legitimate websites with code that redirects people to malicious sites.

Most of these malicious domains redirect to two other domains that send data to a partner program called Paid-To-Promote.net.  People who sign up for the program are paid fees to push traffic to other websites.
It is still not clear whether the program is directly linked to the Yahoo attack.


Traffic traced through the affiliate program shows that the domains have been used for suspicious purposes since November 28th.  Some of these domains are hosted in Ukraine and Canada.
These malvertisements were successfully placed in Yahoo’s advertising network.

Because of Yahoo’s high traffic, many people saw the malicious advertisements and, in turn, the rate of infection was higher.

Online advertising networks screen advertisements to ensure they are not malicious, but bad ones do sneak in occasionally.


References:

Yahoo malvertising attack linked to larger malware scheme – ComputerWorld
http://www.computerworld.com/s/article/9245325/Yahoo_malvertising_attack_linked_to_larger_malware_scheme

Wednesday, January 8, 2014

Scams to watch out for



There are plenty of scams to look out for. Travel scams, phone scams, make money fast scams, disaster relief scams, and phishing scams to name a few.

Not all scams are directly associated with malware; many of them aim to persuade the victim to click a malicious link or to fall into the trap of handing over hard-earned cash.

Here are some scams that succeeded in 2013 and that we will most likely see again in 2014.

Domain Name Scams

The social engineering scam is two-fold.  Here is the letter:
(Mail to the brand holder, thanks)
Dear CEO,
Sorry to bother you inexplicably. We are a China’s domain name registration supplier, and there is one thing we would like to confirm with your company. On December 4, 2013,  we received an application form online from a company called “XinHua Trading Co.,Ltd”  who wants to apply for some domain names and brand name related to “eset”. In order to avoid confusion and  adverse impact on your company, we need to verify whether this company is a subsidiary of you or did you authorize them to register the related brand name and domain names? Currently, we have not formally accepted the application of that company, we need to get your company’s confirmation. Please give us a timely response within 7 work days. So that we can better deal with this case. Thank you.
Best regards,

The scammer is not really asking “is it OK if we accept this application?”  He is suggesting that, if you do not want the application accepted, you will have to purchase the domain names yourself.

Other domain name scams send you a letter saying your domain is about to expire, even though it isn’t; most people buy domains for 3-5 years at a time and may not remember when the domain is actually due for renewal.

PC Tech Support Scams


Scammers have been peddling bogus software for years.  Fake websites are set up, and alarming messages are sent to convince you that your computer is infected.  The software sold to fix the problem is worthless or available somewhere else for free, or the software you purchase and download may itself be malicious and infect your computer.

Most people aren’t very technical and feel vulnerable when it comes to fixing their computer.  So when someone who appears to know it all calls and offers to help, people are willing to pay for the supposed problem to go away.

Job Scams


Job scams advertise the “job of a lifetime,” and for easily persuaded people, it works.

The mule is often required to open an account to facilitate moving funds from a phished account with the same institution.  Scammers will go to extreme lengths to make the mail look like a serious job offer, backed up by a website.

One sender, chuoo@hotmail.com, is positively chatty. In a message with the subject “F.S.A” it invites us enthusiastically to:
Work with us to start your stable future.
You’re close to join a unique place and see inspirational things.
If you are seeking for a challenging opening with a bright future, come work with us.
We would like to offer you a new career of FSA which is untaken for now. Your CV was provided and reviewed by a recruitment agency. An opening that may fit your experience is being offered.
Earnings:
Your salary scale during the probationary period will be 1500 Pounds per month plus 8% commission from each transaction completed. Your total income could easily be about 2500.00 pounds. After the probationary period, your base wage will be 1800.00 Pounds per month, plus 8% commission.
Employee Reimbursements (only after probationary period) Contain:
- Wage plus bonus
- Includes health and dental insurance
- Paid Leave
To apply for the F.S.A. position, please respond to hrdepartment.test@gmail.com.
Thanks,
Bobbi Power
HR Manager

These are well-thought-out, seriously dangerous scams.  Please be mindful of who you are trusting with your information and bank account.

References:

2013: a View to a Scam – We Live Security
http://www.welivesecurity.com/2014/01/06/2013-a-view-to-a-scam/

Friday, December 13, 2013

Are you being exploited?

Software exploits are attack techniques used by attackers to quietly install malware.  Trojans or backdoors are planted on computers without requiring social engineering to trick victims into manually running a malicious program.

Malware installation through an exploit would be invisible to users and gives attackers an obvious advantage.

Exploitation Targets

Here are some applications most targeted by attackers through exploitation:
  • Web browsers (Microsoft Internet Explorer, Google Chrome, Apple Safari, Mozilla Firefox and others).
  • Plug-ins for browsers (Adobe Flash Player, Oracle Java, Microsoft Silverlight).
  • The Windows operating system itself – notably the Win32 subsystem driver – win32k.sys.
  • Adobe Reader and Adobe Acrobat.
The most dangerous exploit attack is one that remotely installs code into the operating system.  Downloading or running vulnerable software increases the chance of your system becoming infected with malware.

While PDFs are the most common document files, they can be dangerous if obtained from an unreliable source.  Adobe has extended the file format to maximize its data-exchange functionality by allowing scripting and the embedding of various objects in files, and this can be exploited by an attacker.

Another target is Adobe Flash Player, a plug-in used for playing back content in various browsers.  Flash Player is updated regularly and notifies you when it’s time to upgrade.  Most of its vulnerabilities are Remote Code Execution (RCE) flaws, which means attackers use them to run malicious code remotely on a victim’s computer.

Java is also a popular browser plug-in that is attractive to attackers; more than three billion devices use this platform.  Java is vulnerable to malicious attacks and is one of the most dangerous components.  When you use Java on Windows, its security settings can be changed through the Java control panel applet, and the latest versions allow you to configure the environment more precisely.

The Windows operating system itself can be used by attackers to remotely execute code.  The figure below shows the number of patches each component received during 2013.



[Figure: number of patches per component in 2013]

This shows that Internet Explorer fixed the greatest number of vulnerabilities: more than a hundred vulnerabilities have been fixed in the course of fourteen updates.


Windows Operating System

Newer versions of Microsoft Windows (Windows 7, 8, and 8.1) have built-in mechanisms that help protect users from destructive actions delivered by exploits.  Features that first became available with Windows Vista have been upgraded in the most recent operating system versions.


Attackers study every operating system and program in use for vulnerabilities, intending to exploit them for financial gain.  Adobe, Google, and Microsoft are all taking steps to make these attacks more difficult to carry out.

To protect yourself, change your system settings so that applications run more securely, and keep your software up to date.

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+.

References:

Exploit Protection for Microsoft Windows – We Live Security
http://www.welivesecurity.com/2013/12/13/exploit-protection-for-microsoft-windows/

Tuesday, October 1, 2013

U.S. Bank Attack from Shylock Trojan!

The crafty banking Trojan known as Shylock has returned, attacking thousands of customers of 24 American banks.

Shylock, also known as Caphaw, is financial malware that uses stealth tactics both on and off the wire.

Shylock has strong defense mechanisms that enable it to restore itself during and after a shutdown.
The malware is described as “one of the few that can steal money while a user is accessing his bank account” by ESET Security Intelligence Team Lead Aleksandr Matrosov, who published a detailed analysis of the malware earlier this year.

Shylock’s autoload functionality lets it repeatedly steal money while a user is actively accessing their bank account, and the user cannot tell that money is being stolen.

The threat uses techniques for bypassing security software and evading automated malware processing.

Zscaler stated in a blog post, “Over the last month, the ThreatLabZ researchers have been actively monitoring a recent uptick in the numbers of Win32/Caphaw (henceforward known as Caphaw) infections that have been actively targeting users’ bank accounts since 2011.  You may recognize this threat from research done by WeLiveSecurity earlier this year in regards to this threat targeting EU Banking sites.  This time would appear to be no different.  So far, we have tied this threat to monitoring it’s victims for login credentials to 24 financial institutions.”

Zscaler reported an increase in malware detections this week, targeting 24 U.S. banks including Chase Manhattan, Bank of America, Citi, and Wells Fargo.  The malware first detected in 2011 targeted European customers in the United Kingdom, Italy, Denmark and Turkey.


The ESET Virus Radar shows an increase in infections in the North America region.  This malware is difficult to detect and hard to stop, because it can restore itself when an antivirus cleaning procedure is carried out.

The infection vector is unknown, but researchers are fairly sure the malware is served by an exploit kit that targets Java vulnerabilities on the victim’s computer.

The DGA

A Domain Generation Algorithm (DGA) is an algorithm seen in numerous families of malware; it generates a large number of quasi-random domain names.

The Trojan avoids detection by injecting itself into legitimate processes such as explorer.exe, and it conceals its phone-home traffic by contacting DGA-generated addresses over SSL with self-signed certificates.

A self-signed SSL certificate is an identity certificate signed by the same party it identifies rather than by a trusted certificate authority, so the malware is essentially vouching for itself as it passes through the system.

ThreatLabZ is monitoring the Internet for this threat and its spread.  The lab is also dissecting the threat to learn more about its attack approach, scope and impact.
What do you think about the banks being compromised? Share your comments below!


References:
Can’t keep a bad man down: “Shylock” Trojan returns to attack U.S. banks – WeLiveSecurity
http://www.welivesecurity.com/2013/09/20/cant-keep-a-bad-man-down-shylock-trojan-returns-to-attack-u-s-banks/
September 20, 2013
New wave of Shylock Trojan targets bank customers – Net Security
http://www.net-security.org/malware_news.php?id=2592
September 19, 2013
A New Wave of WIN32/CAPHAW Attacks – A ThreatLabZ Analysis – Zscaler
http://research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html

Wednesday, July 24, 2013

Sandboxes Application Attacks: System Keeps on Advancing

In computer security, a sandbox is a mechanism for separating running programs.  Sandboxes are used to execute untested code or suspicious programs from unknown third parties, suppliers, and untrusted users and websites.  Sandbox applications are under attack, and malware keeps advancing and outsmarting them.  Sandbox applications usually isolate threats and protect endpoints from malware attacks, but the protection is not strong enough against advanced malware attacks.

Image courtesy of [Ventrilock] / FreeDigitalPhotos.net

Rahul Kashyap, chief security architect at Bromium, outlined threat vectors that sandboxes could not effectively block, from a pen-tester's perspective.  This is not to say that sandboxes don't work, but to point out that people treat them as fail-proof, so other security measures are often not considered.

It's as if a deadbolt lock on the front door of your home were expected to keep everyone out: even with a home security alarm installed, burglars can still get in and rob you.


The Attack


Bromium labs grouped these attacks into two categories:

  • One that bypasses the complete sandbox

  • One that exploits to succeed without breaking the sandbox

The bypass techniques focus on exposing the Windows OS and the sandbox itself.  The other category covers post-exploitation scenarios such as keylogging, remote access, hijacking content, screen scraping, stealing files, and getting into network shares.

IT and network administrators shouldn't rely completely on sandboxes.  Administrators should continue to apply other security controls to keep systems from being vulnerable.   Executing malware within a sandbox is not safe, because malware is sophisticated enough to do severe damage to systems.

 Please visit http://www.hyphenet.com/blog/ for more posts on the latest technology and IT security news.

References:
Application Sandboxes Won't Stop Advanced Attacks: Research - Security Week
http://www.securityweek.com/application-sandboxes-wont-stop-advanced-attacks-research
July 24, 2013

Be sure to follow us on Twitter at @hyphenet or “Like” us on Facebook to stay up-to-date on the latest security threats.

Friday, July 12, 2013

Android gets Attacked: Breaking Cryptographic Signatures

A weakness in Android's signature checks lets attackers modify apps without breaking their signatures


Android's vulnerability affects more than a million devices and allows attackers to turn trusted apps into Trojan programs.   Android records the digital signature of an application when it is installed and runs the app in its own sandbox.  Updates for the app must be cryptographically signed by the same author so that Android can verify that they haven't been tampered with.  Researchers from the mobile security firm Bluebox Security disclosed a vulnerability in the way Android verifies digital signatures that allows attackers to modify apps without invalidating the signature.  This has apparently existed for the past four years!




Tricky Tricky


Android records the digital signatures of apps and compares them with the signatures on later versions so it can verify that they came from the same author.  The Android security model ensures that sensitive data stored by an application in its sandbox can only be accessed by newer versions of that application that are signed with the original author's key.  The attackers add malicious code to already-signed APKs without breaking their signatures.

The vulnerability found by Bluebox lets assailants gain full access to an app while its signature stays valid, and then distribute the resulting Trojan app by sending it via email, uploading it to a third-party app store, hosting it on any website, or copying it to the intended devices via USB.

Pau Oliva Fora, a mobile security engineer at the security firm ViaForensics, developed a proof-of-concept Linux shell script that modifies an app in a way that exploits the flaw. The script relies on the apktool program and was released this past Monday on GitHub.


"It's a problem in the way Android handles APKs that have duplicate file names inside," Oliva Fora said Tuesday via email. "The entry which is verified for signature is the second one inside the APK, and the entry which ends up being installed is the first one inside the APK -- the injected one that can contain the malicious payload and is not checked for signature at all."
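An added example, not Bluebox's research or Oliva Fora's script: a defender-side check in Python that inspects an APK's central directory for the duplicate entry names described in the quote above, so a package can be rejected before it is installed. It uses only the standard zipfile module and a constructed in-memory archive rather than a real app; the entry contents are made-up placeholders.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {name: count} for every entry name listed more than once in the
    archive's central directory. A well-formed signed APK has exactly one entry
    per name, so any duplicate is grounds to reject the package before install."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def first_and_last_payload(apk_bytes: bytes, name: str):
    """Return the contents of the first and the last entry carrying `name`.
    This is what an installer that extracts the first match and a verifier that
    checks the last match would each see for the same file name."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        infos = [info for info in zf.infolist() if info.filename == name]
        if not infos:
            raise KeyError(name)
        # Opening by ZipInfo reads that specific entry, not whichever one
        # happens to win in the name-to-entry lookup table.
        return zf.open(infos[0]).read(), zf.open(infos[-1]).read()


def build_sample_apk(inject_duplicate: bool) -> bytes:
    """Construct a minimal APK-shaped ZIP for the demonstration (constructed data,
    not a real app). With inject_duplicate=True a second 'classes.dex' entry is
    written ahead of the original one, reproducing the duplicate-name condition."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about duplicate names
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            if inject_duplicate:
                zf.writestr("classes.dex", b"PLACEHOLDER-UNVERIFIED-ENTRY")
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035\x00PLACEHOLDER-ORIGINAL-ENTRY")
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for tampered in (False, True):
        apk = build_sample_apk(tampered)
        dupes = duplicate_entries(apk)
        print("tampered" if tampered else "clean", "->", dupes or "no duplicate entries")
```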


Response from Google


Google has made changes to Google Play so that it detects modified apps, and has patched the flaw, sharing the fix with device manufacturers.  Installing applications from sources other than Google Play is known as sideloading, and it leaves users exposed to tampered apps.  However, if an adversary manually installs a malicious update for an app, the app is replaced and the new version will no longer interact with the app store.

It's confirmed that one third-party device, the Samsung Galaxy S4, already has the fix.   Google is now working on a fix for the Nexus devices, although nothing is completed yet.

The slow distribution of patches in the Android ecosystem has been criticized by both security researchers and Android users.  Duo Security reported that, according to statistics gathered through its X-Ray vulnerability assessment app for Android, more than half of Android devices are vulnerable to at least one known Android security flaw.

It's good to check apps before you install them: do some research and look at the reviews.


References:

Vulnerability allows attackers to modify Android apps without breaking their signatures - PC World
http://www.pcworld.com/article/2043610/vulnerability-allows-attackers-to-modify-android-apps-without-breaking-their-signatures.html
July 3, 2013

Proof-of-concept exploit available for Android app signature check vulnerability - ComputerWorld
http://www.computerworld.com/s/article/9240645/Proof_of_concept_exploit_available_for_Android_app_signature_check_vulnerability
July 9, 2013

Researchers find another Android attack that can get past signature checks - InfoWorld
http://www.infoworld.com/d/mobile-technology/researchers-find-another-android-attack-can-get-past-signature-checks-222532
July 11, 2013

Quick & dirty PoC for Android bug 8219321 discovered by BlueboxSec - GitHub
https://gist.github.com/poliva/36b0795ab79ad6f14fd8
July 8, 2013



Image courtesy of [emptyglass] / FreeDigitalPhotos.net


Friday, July 5, 2013

Phishing Scams: Think Before You Click

Cyber-criminals install malicious software on your computer and take everything they can with a click of the mouse.  Phishing emails, scam websites, and suspicious phone calls are all designed to make them money at your expense.   Using social engineering, cyber-criminals convince people to install malicious software or hand over personal information without realizing it.  So beware when spam starts bombarding your accounts or unknown numbers keep popping up on your phone.

Recognizing Phishing


Online banking and e-commerce are pretty safe, but giving out your personal information or financial material should be done with caution.

  1. Think before you click.

If something looks too good to be true, it most likely is.   Be aware of the websites you are on and the information they contain so you don't get caught up in the glitz and glam of a well-planned scam. If there are a lot of spelling errors or bad grammar, know that it might be a scam.

  2. Trust who you know, not their emails

Don't trust unsolicited files or embedded links, even if they come from your friend. Look at the subject line of the message or at the link itself to see whether it's unreadable or looks foreign. If you have no idea what is on the page, don't click on it just to satisfy your curiosity. Be smarter than the malware.

  3. Don't be fooled

Cyber-criminals are smart; they know how to disguise a link to make it look safe. Malicious links in phishing e-mails are sometimes dressed up with well-known company names to make them look legitimate. Validate the page and hover your cursor over the link to see whether a different address shows up; that tells you whether the link will redirect you to another site.

  4. Short URLs

One technique for hiding malicious links is to pass them through a URL shortener, the kind of service Twitter uses to shorten long URLs. TinyURL, bit.ly, and t.co are all legitimate short-URL services, but any of them can be used to hide where a link really leads.

  5. Don't be threatened

Be on top of your game. Cyber-criminals often use threats to put you into a panic and catch you off guard. If you receive mail saying you are being sued or an account is being closed, do some research before pulling out your pocketbook.

  6. Spoof websites

Scammers use graphics in emails that appear to belong to a legitimate site. Clicking them may direct you to the real site while flooding your screen with a mass of pop-up windows. Be wary of irresponsible clicking when surfing the net.




Fishy phone calls


Cyber-criminals might call to offer help with computer problems or to sell you some kind of software license. Do not take these unsolicited phone calls. You might be persuaded into giving out account or personal information that could be the start of identity fraud.


If you are a victim of, or are suspicious of, any phishing activity, please report it to the Anti-Phishing Working Group at www.antiphishing.org.


References:

http://www.welivesecurity.com/2013/05/29/phishing-the-click-of-death/

http://www.antiphishing.org/

http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx

Wednesday, June 26, 2013

BIOS Too Easily Bypassed

More and more hardware vendors want to use the NIST 800-155 specification to keep BIOS firmware more secure on both PCs and laptops. However, a team of researchers at the MITRE Corporation state that the approach presently in use relies too much on access-control mechanisms, and that those mechanisms are currently easily bypassed.


The researchers plan to unveil newly developed concepts that slyly get past the TPM (Trusted Platform Module) chip and let it continue believing that nothing is wrong with the software. The malware can then persist in the BIOS even after the firmware has been altered, for example reset or flashed. Even an update may not be able to secure the firmware in this case.


How the Malware Gets Past the BIOS


As of now, the BIOS flash chip contains the code required for the system's TPM chip to function. That code is needed so that measurement into the PCRs (Platform Configuration Registers) can detect tampering with the BIOS. However, once malware controls this code it can manipulate the PCR values, so that the measurements the TPM holds no longer match the actual state of the BIOS.


Two different malware samples, said to be unveiled at Black Hat, are called the “tick” and the “flea” for their respective abilities to stay stealthy and to jump between BIOS revisions. The flea is said to be able to anticipate a firmware update and hide itself inside the update.


Image courtesy of [Salvatore Vuono, wandee007] / FreeDigitalPhotos.net

Wednesday, June 12, 2013

Malware on the Rise

Microsoft is clearly the industry leader in operating systems and still has a firm hold on that position. Recently the company has had a quiet time in terms of security risks, especially after the introduction of Windows 8. However, a new type of malware is being distributed for Windows through German spam; it affects the boot record of the infected computer and can also give the attacker control of the machine.

Distributed Via Attachment


Trend Micro detected this new type of malware. The researchers who analyzed it said it arrives attached to German spam mail and is code-named BKDR_MATSNU.MCB. The mail claims that the recipient has to pay some money to the sender and that all the relevant details are in the attachment; Trend Micro researchers say this method is very effective at influencing recipients to open the attachment.



Ransomware Reaction


Once the malware is downloaded and installed on the victim’s computer, it collects data and sends it to the attacker who planted it. The malware is then capable of erasing the boot record on the drive, erasing data, and locking the computer’s screen. The victim is asked to pay a certain sum of money to have the screen unlocked: the classic ransomware approach.


Links:

German Ransomware Threatens Victims, Disables PCs – technewsdaily.com
www.technewsdaily.com/18282-german-ransomware-disables-computers...

Compromised Japanese Sites Lead to ... – Trend Micro Threat Watch
www.trendmicro.eu/smartphone/content.php?m=TrendLabs...i...
June 5, 2013

Backdoor.AndroidOS.Obad.a, an Advanced Android Malware Threatens Users – The Droid Guy
http://thedroidguy.com/2013/06/backdoor-androidos-obad-a-an-advanced-android-malware-threatens-users/
June 8, 2013



Super Malware that Attacks Android Discovered

Android and security threats go almost hand in hand, as new threats are discovered on almost a weekly basis in today’s market. However, there had been no threat that could potentially uproot Google’s Android as one of the most popular mobile operating systems in the world. That may be set to change now, as a new virus has been detected that is very advanced and attacks the Android operating system in a new and innovative way. The code is also hard to remove completely, and could deter users from using Android in the future.


Deadly Characteristics of the Virus


When a security researcher assesses malicious software, he or she considers its most dangerous traits. From that viewpoint, this is one of the most dangerous Android malware samples discovered. Firstly, the code is so complex that it looks almost like code written for a Windows computer, or even more advanced. The code also uses obfuscation techniques to hide its true nature from the OS, thus evading detection. But the most dangerous trait of this malware is that it has been programmed to resist the user’s attempts to uninstall it.

Kaspersky Labs behind the Discovery


Kaspersky, a leading security products company, detected this malware and said that it is capable of single-handedly bringing down the Android operating system. They also reported that this malware exploits vulnerabilities in the Android OS that were, quite literally, previously unknown.

References:
Android super-malware discovered – Is Google's platform in peril? – virusfreephone.com
virusfreephone.com/.../android-super-malware-discovered-is-googles-pla...

Android super-malware discovered – Is Google's platform in peril? – malware.rsspump.com
malware.rsspump.com/?...android-super-malware-discovered--is...

Wednesday, May 29, 2013

Most Mobile Malware Targets Android Devices

According to the NQ report, one type of malware is delivered through app repackaging in which a user downloads a mobile application that looks legitimate but is actually a harmful program.

Malware can also be downloaded through fake websites when a user clicks on a URL that appears authentic but is not.

Mobile users can also be duped through so-called "smishing" -- a combination of the words SMS and phishing -- where a user receives a text message asking for personal information like a credit card number, e-mail address or social security number.

Android's malware not limited to bad apps

Apple iOS

Stels, an Android trojan delivered via fake U.S. Internal Revenue Service-themed emails, uses "an Android crimeware kit to steal sensitive information from the device," and also makes calls to premium numbers. Sullivan said the new threat “could be a game changer.”

Users on any mobile platform, including iOS, can be targeted with spam that directs them to malware websites. However, while previous exploits have been demonstrated to allow a visited website to crack the security on iOS to "jailbreak" the device, Apple has been vigilant about patching these flaws and distributing iOS updates that scuttle the profitability of discovered threats, effectively frustrating the malware business on iOS.



Here’s Symantec’s breakdown of the types of mobile threat it identified last year, with information theft being the most common threat. Add in user tracking and more than fifty per cent of the mobile malware identified was trying to steal user info or track their movements:

Mobile Threats

References:

Check your phone: Nations with the most mobile malware (CNN.com, Apr 19, 2013)
edition.cnn.com/2013/04/16/.../world-most-mobile-infected-countries

Mobile malware jumped 163 percent in 2012, mostly on Android (TechRadar, Matt Swider, Apr 16, 2013)
www.techradar.com › ... › Mobile phones

Android Remains Main Target For Mobile Malware Writers Despite (TechCrunch, Natasha Lomas, Apr 16, 2013)
techcrunch.com/2013/04/16/symantec-mobile-malware/

Mobile malware exploding, but only for Android (AppleInsider, May 14, 2013)
appleinsider.com/.../mobile-malware-exploding-but-only-for-android

Mobile Malware grows massively, Android targeted most » Phone (Apr 15, 2013)
www.phonesreview.co.uk/.../mobile-malware-grows-massively-android-t...

Thursday, May 23, 2013

Malware Threat to ATMs

ATM-Malware-Takes-Off-2

Malware has been a big threat to computers, and this type of malicious software has caused a lot of problems. As if that were not enough, a forensics and security threat firm has announced that malware can be used to target ATMs. Group-IB, the firm that announced these findings, said that malware can be used to collect data from ATMs or card-swiping machines and break into bank accounts. According to the study, the malware stores the data and sends it to the hacker who planted it whenever a network connection is available for transmission.

A Few Researchers Disagree


While Group-IB discussed their findings, the Director of Research at the University of Alabama, Gary Warner, said that malware cannot be used in the way Group-IB is announcing. He said that ATM networks are secured at multiple levels and something as simple as malware cannot get through the layers of encryption and firewalls. Typically, malware tries to exploit the weaknesses in the security that protects a system.

Bank Networks Vulnerable from Inside


Warner added that banks don't have to worry much about attacks from the outside. He said that banks should worry more about someone on the inside planting malicious software into the bank network, as that is where the vulnerability is highest. He said that auto-loading malware can be inserted as easily as plugging a USB drive into a computer. The jury is still out on whether malware can affect banks from the outside, but the open question is how severe the repercussions will be if malware does attack a bank network.

[via Bank Info Security]

Wednesday, April 24, 2013

Malware Distributed from Phony SourceForge Website

Make sure you double-check the URL in your browser's address bar or dialog window before downloading files online.

Zscaler researchers discovered that cybercriminals were taking advantage of the trusted reputation of SourceForge[.net] by distributing malware through a similar-looking domain, sourceforgetchile.net.

The malicious file analyzed by Zscaler, minecraft_1.3.2.exe, was posing as a file associated with the popular game Minecraft, as the name suggests.

In reality, the executable was a piece of malware closely related to the ZeroAccess Trojan which, upon a successful infection, will hide in the Recycle Bin, inject malicious code into running processes, recruit the computer into a botnet, and generate revenue for its operators by taking part in click fraud.

Thankfully this threat has a high detection rate (32/46), according to a VirusTotal report. So in the event that you downloaded the Trojan, you can perform a full system scan using one of the many AV programs capable of finding & removing it.

Aside from that, stay vigilant & always double-check the URL before clicking 'Download'.
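The advice above is to double-check the URL before downloading. As an added example (not Zscaler's or SourceForge's code), the following check automates part of that: it extracts the host from a download URL and flags it when it is not on a trusted list but embeds a trusted brand name, uses it as a subdomain, or sits within a small edit distance of it. The TRUSTED_DOMAINS allowlist and the URLs in the usage are constructed for the demo; only sourceforgetchile.net and minecraft_1.3.2.exe come from the post.

```python
"""Flag download URLs whose host merely resembles a trusted domain.

Added illustration for the SourceForge lookalike described above; it is not
Zscaler's or SourceForge's code. TRUSTED_DOMAINS is a constructed allowlist.
"""
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains the user actually trusts.
TRUSTED_DOMAINS = {"sourceforge.net", "adobe.com", "facebook.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Adequate for .net/.com examples; a real
    deployment would consult the Public Suffix List for multi-label suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unknown'."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted", reg
    reg_name = reg.split(".")[0]             # e.g. "sourceforgetchile"
    subdomain_labels = host.split(".")[:-2]  # labels left of the registrable domain
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]        # e.g. "sourceforge"
        if brand in subdomain_labels:
            return "lookalike", f"'{brand}' used as a subdomain of {reg}"
        if brand in reg_name:
            return "lookalike", f"'{brand}' embedded in {reg}"
        if levenshtein(reg_name, brand) <= 2:
            return "lookalike", f"{reg} is within edit distance 2 of '{brand}'"
    return "unknown", reg


if __name__ == "__main__":
    # Constructed sample URLs; the first two mirror the case in the post.
    for sample in ("http://sourceforge.net/projects/foo",
                   "http://sourceforgetchile.net/minecraft_1.3.2.exe",
                   "http://sourcef0rge.net/x",
                   "http://sourceforge.net.example.org/",
                   "https://example.org/"):
        print(sample, "->", classify_url(sample))
```

The three checks cover different tricks: a brand name glued to extra characters (the post's case), a brand used as a subdomain of an unrelated registrable domain, and a character swap such as a zero for an "o". The substring test is deliberately aggressive, so in a browser extension or mail gateway it would feed a warning prompt rather than an outright block.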

[via Zscaler]

Thursday, April 18, 2013

Texas Plant Explosion Spam Leads to Malware Attack

Considering that cybercriminals jumped on the opportunity to spread malware by sending spam related to Monday's Boston Marathon bombing, it's not all that surprising that they're now doing the same with yesterday's fertilizer plant explosion in West, Texas.

Here are some of the subject lines to watch out for:

  • West TX Explosion

  • Waco Explosion HD

  • Texas Plant Explosion

  • Texas Explosion Injures Dozens

  • CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas

  • Raw: Texas Explosion Injures Dozens


Like the marathon-themed emails, the spam messages tied to the new fertilizer plant explosion trick users into following malicious links by promising video footage of the devastating event.

Texas Explosion Email



Image Credit: Sophos


While it’s true that the victim is presented with a series of embedded videos related to the incident, they are also being exposed to the misdeeds of the Redkit exploit kit, which will use Adobe PDF or Java vulnerabilities to silently install malware on the victim’s computer.

Avoiding these attacks should be relatively easy – don’t follow links in unsolicited emails. Aside from that, keeping your operating system (& installed software) up-to-date and running antivirus software should help your PC remain malware-free.

Have you received any suspicious emails related to the plant explosion or marathon bombing? Share your experiences below and get the word out to help protect others!

[via Sophos][via AppRiver]

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+

Wednesday, April 17, 2013

Spammers Exploit Boston Marathon Bombing to Spread Malware

Click with caution if you receive unsolicited emails or find yourself wanting to click a website link related to the deadly bombing attack at the Boston Marathon on Monday.

Antivirus firms Avira and Sophos, along with email security provider AppRiver, have already intercepted emails from spammers aspiring to dupe users into following malicious links by offering video footage of the attacks.

There are a variety of domain names and subject lines associated with this spam campaign; some of the subject lines in use are:

  • Explosion[s] at Boston Marathon

  • Boston Explosion Caught on Video

  • Aftermath to explosion at Boston Marathon

  • Video of Explosion at the Boston Marathon 2013

  • Runner captures. Marathon Explosions

  • 2 Explosions at the Boston Marathon


The body of the email appears to contain nothing more than a link pointing to a website that has legitimate videos from the attack. However, that same site is rigged with malicious code that will attempt to exploit Java plugin vulnerabilities in order to drop a backdoor Trojan on your machine.

Avira identifies the threat as TR/Crypt.ZPACK.Gen, while Sophos identifies it as Troj/Tepfer-Q.

Upon a successful infection, TR/Crypt.ZPACK.Gen (or Troj/Tepfer-Q) will modify the system registry and connect to a remote server, granting an attacker remote access to the affected PC.
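Both this campaign and the Texas plant explosion spam above share one shape: a breaking-news subject line and a body that is little more than a link to a site outside any news outlet. As an added example (not Avira's, Sophos's or AppRiver's code), the filter below parses a raw message with Python's standard email library and flags that combination. The LURE_TERMS list, the TRUSTED_NEWS_HOSTS allowlist and both sample messages are constructed for the demo; the lure sample points at an address in the 203.0.113.0/24 documentation range, so no real host is implied.

```python
"""Heuristic filter for breaking-news lure emails that carry little but a link.

Added example for the marathon and Texas-explosion campaigns described above;
it is not Avira's, Sophos's or AppRiver's code. LURE_TERMS, TRUSTED_NEWS_HOSTS
and both sample messages are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlsplit

# Constructed keyword list drawn from the subject lines quoted in the posts.
LURE_TERMS = ("explosion", "bombing", "marathon", "caught on camera",
              "caught on video", "raw:")
# Constructed allowlist: hosts a user would accept news links from.
TRUSTED_NEWS_HOSTS = {"www.cnn.com", "www.bbc.co.uk"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample of the lure pattern: disaster subject, bare link.
SAMPLE_LURE = """\
From: alerts@example.net
To: victim@example.org
Subject: Boston Explosion Caught on Video

http://203.0.113.10/news/boston.html
"""

# Constructed legitimate message: shares a keyword, but links to an
# allowlisted news site and carries real text around the link.
SAMPLE_LEGIT = """\
From: editor@example.org
To: reader@example.org
Subject: Marathon coverage roundup

Hi, here is the coverage we discussed, with the full report and interviews:
https://www.cnn.com/2013/04/16/marathon-coverage
Let me know if you want the earlier timeline as well.
"""


def body_text(msg: Message) -> str:
    """Concatenate the decoded text parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8",
                                         errors="replace"))
    return "\n".join(chunks)


def untrusted_hosts(links: list[str]) -> list[str]:
    """Hosts in the links that are not on the news allowlist."""
    return [h for h in ((urlsplit(u).hostname or "").lower() for u in links)
            if h not in TRUSTED_NEWS_HOSTS]


def score_message(raw: str) -> tuple[bool, list[str]]:
    """Return (flagged, reasons). Flagged when a disaster-themed subject is
    paired with a link to a host outside the allowlist."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").lower()
    reasons = []
    lure_subject = any(term in subject for term in LURE_TERMS)
    if lure_subject:
        reasons.append("subject promises disaster footage")
    text = body_text(msg)
    links = URL_RE.findall(text)
    bad_hosts = untrusted_hosts(links)
    if bad_hosts:
        reasons.append("link(s) to non-news host: " + ", ".join(bad_hosts))
    leftover = URL_RE.sub("", text).strip()
    if links and len(leftover) < 40:
        reasons.append("body is little more than a link")
    return lure_subject and bool(bad_hosts), reasons


if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        flagged, why = score_message(sample)
        print(name, "FLAGGED" if flagged else "ok", why)
```

The verdict rests on the pairing, not on any single keyword: the legitimate sample also mentions the marathon, but its link resolves to an allowlisted host, so it only collects an informational reason. Real deployments would add the sender's domain reputation and the age of the linked domain to the same scoring.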

Tips to Keep Your PC Safe


Avira warns that malicious links may also be posted on Facebook, so users should also exercise caution when following links shared on social networks. Here are a few other bits of advice to help keep your computer malware-free:

  • Do not click links or download files attached to unsolicited emails.

  • Stick to the official websites of your favorite news channel to get the latest updates.

  • Keep your operating system and installed third-party software fully patched and up-to-date.

  • Always run antivirus software and keep the virus definitions current.


Did You Already Fall for It?


Both Avira and Sophos offer security products capable of detecting and removing the malware being spread by these online attacks. So if you have the sinking feeling that you may have followed a bad link, you may want to try performing a full system scan using one of their products.


Friday, April 12, 2013

American Airlines Spam Spreads Backdoor Trojan

Webroot is cautioning users not to fall for spam emails posing as a notification from American Airlines stating that their ticket is all set and ready for download.

This spam campaign isn’t exactly new, although previous versions may have had malicious files attached directly to the email itself.

Here’s what the current variant looks like:

 American Airlines Phishing Email



American Airlines

Customer Notification

Your bought ticket is attached to the letter as a scan document.

To use your ticket you should Download It.

The embedded link prompts users to download an executable, "Electronic Ticket.exe", that only 10 of 46 antivirus engines identify as malware.

Dr. Web antivirus detects the threat as BackDoor.Kuluoz.4. Once it has infected your system, BackDoor.Kuluoz.4 will modify system files, inject itself into system processes and connect to a list of command & control servers.

Did You Get this Spam Email?


If you received a copy of this spam email, it is advised that you:

  • Do not click on any links within the email.

  • Do not download any files that may be attached or linked from this email.

  • Forward a copy of the email, including the header to webmaster@aa.com.

  • Delete the email immediately.


If You Downloaded Any Files...


If you made the mistake of clicking the link or opening any files attached to spam emails resembling the one above, you are advised to perform a full system scan using an antivirus solution offered by one of the following vendors:

Their products are capable of detecting and removing the threat associated with this attack. Be sure to be more careful in the future!


Thursday, April 4, 2013

Watch Out for Fake HP Printer Scan Emails

Keep an eye out for fraudulent emails claiming that a document was scanned and sent to you from your office Hewlett-Packard ScanJet printer.

Sophos warns that spammers are once again sending out bogus scan-to-email notices in an attempt to dupe users into clicking malicious links that lead to websites serving malware.

Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet #1788378

A document was scanned and sent to you using a Hewlett-Packard HP9289197

Sent to you by: PEARLIE
Pages: 3
Filetype(s): Images (.jpeg) View

This isn’t the first time that spammers mimicked document-to-file scan notifications, but previous attempts involved malicious file attachments vs. links in the email itself.

The malware served in the attack was not disclosed; however, the websites associated with this attack are rigged with the BlackHole exploit kit, which typically leverages PDF, Flash & Java vulnerabilities in order to plant malware on the visiting machine.

So, keep your computer safe by:

  • Not following links embedded in unsolicited emails – at least not without investigating them first.

  • Running antivirus software that offers real-time scanning, and keeping the virus definitions current. (Btw, Sophos blocks the page as Mal/ExpJS-N.)

  • Keeping your operating system and third-party software fully patched & up-to-date.


If you’ve already clicked the link, run a full system scan to detect & remove any potential malware that may have been installed on your computer.


Wednesday, April 3, 2013

Spyware Uses Fake Facebook Page to Steal Credit Card Data

It's time to scan your computer for malware if you try to visit Facebook.com and land on a "security check" page requesting that you enter your credit card information to "verify your account."

Spyware that TrendMicro researchers identify as TSPY_MINOCDO.A tricks unsuspecting users into disclosing their financial information by redirecting them to a spoofed Facebook security check page every time they attempt to visit the social networking site.

The redirect is done through the infected machine's HOSTS file, and it prevents the user from accessing any legitimate Facebook pages until the malware is removed.
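A HOSTS-file hijack of this kind is easy to spot once you know to look: a well-known domain mapped to anything other than a loopback address. The script below is an added example (not TrendMicro's code) that parses hosts-file text and reports watched domains pinned to a real address, while leaving ad-blocker style 0.0.0.0 sinkhole entries alone. WATCHED_DOMAINS and SAMPLE_HOSTS are constructed; on a real machine you would read /etc/hosts or, on Windows, the hosts file under System32\drivers\etc instead of the sample string.

```python
"""Scan hosts-file text for entries that hijack well-known domains.

Added example for the HOSTS-file redirect described above; it is not
TrendMicro's code. WATCHED_DOMAINS and SAMPLE_HOSTS are constructed.
"""
import ipaddress

# Constructed watch list: base domains a hosts file should never pin to a
# remote address. Subdomains of each are covered as well.
WATCHED_DOMAINS = ("facebook.com", "accounts.google.com")

# Constructed sample of a tampered hosts file. 203.0.113.0/24 is reserved
# for documentation, so no real host is implied.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1   localhost
::1         localhost ip6-localhost
# Tampering: the social network now resolves to an attacker-chosen address
203.0.113.45  facebook.com www.facebook.com   # added by malware
# Harmless: a developer pinned a test site
192.168.1.20  dev.example.internal
# Harmless: ad-blocker sinkhole, blocks rather than redirects
0.0.0.0  pixel.facebook.com
"""


def parse_hosts(text: str):
    """Yield (address, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def is_watched(name: str) -> bool:
    """True for a watched domain or any subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_entries(text: str) -> list[tuple[str, str]]:
    """Watched hostnames mapped to anything other than a loopback or
    unspecified (0.0.0.0 / ::) address. Blocking entries are left alone;
    redirects to a reachable address are reported."""
    hits = []
    for addr, name in parse_hosts(text):
        if not is_watched(name):
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            hits.append((addr, name))  # an unparsable address is itself odd
            continue
        if not (ip.is_loopback or ip.is_unspecified):
            hits.append((addr, name))
    return hits


if __name__ == "__main__":
    for addr, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"WARNING: {name} is pinned to {addr}")
```

Running the script on the sample prints two warnings, one per hijacked hostname on the tampered line, and stays silent for the sinkhole and the developer's private test entry. A periodic job that runs this against the live hosts file and alerts on any change is a cheap detection for this whole class of redirector spyware.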

Facebook Phishing Page



Please complete a security check

Security checks help keep Facebook trustworthy and free of spam.

Use a credit card to verify your account

To keep Facebook a safe environment and to make sure that you are using your real name, we require you to confirm your identity by submitting your credit card information.

- This information will only be used to verify your identity.
- Your credit card will not be charged in any way.
- We do not store any credit card information on our servers.
- Please enter the following information to be able to continue using your Facebook account.

Information submitted through the false Facebook page is sent back to the cybercriminals to use as they please.

Aside from stealing payment information, researchers say that TSPY_MINOCDO.A modifies the system registry to ensure it starts every time Windows does, performs DNS queries to multiple domains to ensure that it can report back to its command server, and monitors all browsing activity.

TSPY_MINOCDO.A is distributed via drive-by-download attacks and other malware, so users can protect their computers by:

  • Keeping their operating system and installed software fully patched and up-to-date.

  • Always running antivirus software and keeping the virus definitions current.

  • Exercising caution when following hyperlinks (do a little research first!).

  • Disabling Java in their browser if it is not needed (the Java browser plugin is often targeted in cyberattacks).


Above all else, trust your instincts and don’t hand out your credit card information to “verify” your account on a FREE social networking website.


Friday, March 29, 2013

Trojan Poses as Flash Player 11 Update, Changes Browser Home Page

Be sure to refer to Adobe's official website if you're looking to update Flash Player to the latest version.

There’s a Trojan parading around as a Flash Player 11 update, waiting for the opportunity to sneak onto your computer and change your browser’s home page.

Trojan:Win32/Preflayer.A does its best to trick the unsuspecting end-user by arriving under the name ‘FlashPlayer.exe’ and displaying the following installer window when executed:

 Fake Flash Player 11 installer


While it's not entirely clear why two languages are used (Turkish/English), the agreement being displayed without a scrollbar makes sense, since there's a disclaimer at the bottom stating that your browser home page will be changed to one of the following upon installation:

  • www.anasayfada.net

  • www.heydex.com


“These sites appear to be a type of search engine, but there are pop-up advertisements displayed on the pages, and there was an instance where I was redirected to a different page not of my choosing.” Jonathan San Jose revealed on Microsoft’s TechNet Blog.

Thankfully, driving traffic to these websites appears to be the main goal. Once the user continues the installation, the fake installer downloads and executes a legitimate Flash Installer and changes the home page in Firefox, Chrome, Internet Explorer and Yandex, as promised.

Microsoft has already received over 70,000 reports of this malware in the last week, but given that it is posing as a fake Flash Update, avoiding it should be relatively easy.

  • Only download Flash Updates from adobe.com, and not some random website.

  • Pay attention when installing software, and cancel the installer if anything seems amiss (like the missing scrollbar).


Is Your Computer Infected?


To remove Trojan:Win32/Preflayer.A from your computer, perform a full system scan using antivirus provided by one of the following vendors:

  • Microsoft 

  • McAfee

  • AVG

  • Ikarus


Just keep in mind that additional steps may need to be taken to change your home page in Internet Explorer.


Thursday, March 28, 2013

Malware Uses Evernote as Command & Control Server

TrendMicro researchers have recently stumbled upon a piece of malware that uses the popular note-taking service Evernote as its command and control server.

The malware, which TrendMicro detects as BKDR_VERNOT.A, is classified as a backdoor and grants an attacker remote access to an infected system to do as they please.

"The sample we gathered consists of an executable file, which drops a .DLL file and injects it into a legitimate process," Threat Response Engineer Nikko Tamana explained on the TrendMicro blog. "The said .DLL file performs the actual backdoor routines."

Aside from downloading and executing additional files, those backdoor routines include collecting information about the infected system, such as the OS, timezone, user name, computer name, registered owner and organization.

TrendMicro researchers found that commands were retrieved from the notes saved in an Evernote account, which is also suspected to be the location where the stolen data is uploaded.

This is not the first time that malware authors have abused a legitimate service to relay information and evade detection. Twitter and Google Docs are two other services that have been used by malware in the past.

Keeping Your System Safe


BKDR_VERNOT.A is spread via drive-by-download and other malware, so users can minimize their chances of infection by:

  • Keeping their operating system and installed third-party software fully patched and up-to-date.

  • Running antivirus software with the latest virus definitions.

  • Exercising caution when following suspicious hyperlinks (even if they appear to be harmless image links).

  • Scanning email file attachments before downloading and/or opening them.

