Tag Archive | "malware"

Cybercrooks Using Malicious Video Advertisements to Plant Malware

Posted on 13 November 2015 by GranTorinoGuy

Hackers and cybercrooks are busier than ever, and they will not let anything stand in the way of spreading their malicious creations. In an effort to spread malware more effectively, cybercrooks are moving their distribution methods to video advertisements.

Malvertising, the technical term for spreading malware through advertisements, has been around for many years. Cybercrooks manage to inject malicious ads into various ad networks; those ads redirect visitors to malicious sites that offer, or outright initiate, the download of malware.

In the latest malvertising schemes, cybercrooks are aggressively using video ads as a means of spreading malware. The video ads hackers target are the ones served on high-traffic sites.

What happens in these cases is that cybercrooks obtain access to various ad networks, where they must purchase ad space for the more expensive video ads. Once access is granted, they serve up ads that should never have been approved, and they are sneaky enough in their approach not to alert the ad network that serves them.

Currently, it is very difficult to estimate how many malicious video ads are running on any given website, even a high-traffic site well known to internet surfers.

Companies are serving more and more video ads, and publishers who monetize those video ads should pay close attention to each network channel that serves third-party code for those ads. Wherever third-party ad code is involved, there is a chance that cybercrooks will take advantage of the ad serving to deliver malicious ads.

As for avoiding malicious video ads, there is no sure way. The one thing end users can do is take the proactive step of running antivirus and/or antimalware software to detect and eliminate malicious threats when they occur. Beyond that, computer users can avoid visiting questionable sites, or sites that display advertisements that seem out of the ordinary or offer something that is just too good to be true.

225,000 Jailbroken iPhone Accounts Hacked Racking Up Charges on Affected User iTunes Accounts

Posted on 01 September 2015 by GranTorinoGuy

Apple has long been regarded as the king of securing its devices and safeguarding them against hacking. As a turn of events would have it, over 225,000 jailbroken iPhones and iOS devices have recently had their accounts hacked.

Jailbreaking has been a method for owners to access parts of a phone’s file system that are otherwise restricted for security reasons. Additionally, jailbreaking has been a popular way to open up iPhones and other iOS devices so users can run third-party software or apps and do things outside of the iTunes and Apple infrastructure of “controlled” and approved apps. You can think of jailbreaking as a means of turning an iPhone into an open device, much like smartphones running Android.

The flip side of jailbreaking an iPhone is that it leaves the device vulnerable to malware obtained through third-party apps downloaded and run on it. That is exactly what happened recently: about 20,000 people downloaded malicious software that is allowing attackers to steal account information from over 225,000 iPhone users whose jailbroken devices are vulnerable to attack.

Hackers are rather clever in just about everything they do, and this scheme had some extra thought put into it. Hackers uploaded software that lets other people purchase iTunes apps for free using victimized accounts belonging to jailbroken iPhone users. Many of the victims report that their iTunes purchase history is now full of purchases they did not make themselves. The common factor among the victims, over 225,000 in total, is that they all use a jailbroken iPhone or iPad.

As some may now say, the open customization benefits of jailbreaking an iPhone are just not worth it when a hacking attack like this comes along. Jailbreaking your iPhone goes against Apple’s rules, so users hit with these fraudulent purchases may have a hard time defending their case.

Ramnit Botnet Extends Infection Reach To Over 28 Countries and 500,000 Computers

Posted on 11 March 2015 by GranTorinoGuy

The Ramnit malware threat, which has recently evolved into a dangerous botnet, is extending its presence across the world, infecting hundreds of thousands of computers. Systems infected with Ramnit may be used to exploit online banking accounts, much as other well-known botnets have done in the past.

Among the many banking-theft botnets, Ramnit is a bit late to the game: it got its start in 2010, when it was recognized as a computer worm. Now, after an update delivered through as many as two command and control servers, Ramnit can shut down security applications, including all of the security components of Windows.

Ramnit’s expansion leads experts to expect that the infection may reach over a million computers before it is stopped in its tracks. Because of its unsurpassed sophistication, Ramnit has the upper hand in evading tracking and detection.

The dynamic IPs Ramnit uses on infected systems make them difficult to track down. Additionally, in the past six months Microsoft researchers have seen more than 500,000 systems become infected, making Ramnit’s growth rate rather alarming.

Ramnit has spread to more than 28 countries, and that number is bound to go up. Among those 28 countries, the most compromised systems reside in Indonesia, with about 90,925 infections in total, accounting for 26.27% according to Symantec’s data on this infection thus far. India is second in line with 80,144 infections (23.16%), followed by Vietnam with 37,708 (10.03%), with Algeria at 5.73% and Thailand at 4.84% completing the top five locations.

The remaining 23 countries Ramnit has reached include the UK, Egypt, the Philippines, Saudi Arabia, Pakistan, Iran, Azerbaijan, Morocco, Nepal, Nigeria, Malaysia, Romania, Yemen, the Russian Federation, Turkey, Mexico, China, Brazil, Myanmar, the Palestinian Territory and Mongolia.

Judging from this extensive list of countries, which shows no rhyme or reason to the locations, Ramnit’s operators have no desire to focus on a specific target location. However, it is worth mentioning that attackers behind sophisticated botnets like Ramnit tend to exploit systems that prove more vulnerable than others, which can lead them to virtually any location in the world.

Android and iOS Versions of Superfish Apps Found to Have Device Tracking Capabilities

Posted on 27 February 2015 by GranTorinoGuy

The Superfish program and web browser add-on has caused major concern for computer users, as the mobile versions of the application have been found to contain code that can track users.

Superfish was recently outed as a malicious program for computers and mobile devices. Lenovo, one of the largest producers of personal computers, made the mistake of bundling Superfish with several of its new laptops shipped between September 2014 and December 2014. Since the discovery that Superfish tampers with security certificates, allowing attackers to intercept personal data transmitted over the internet, the mobile versions of Superfish have been found to be just as dangerous.

The mobile versions of Superfish for Android and iOS were found to contain code that, together with the Superfish root certificate, poses the risk of attackers tracking users and gathering the data they transmit.

The Superfish app was originally designed to help users shop for furniture and other items by taking pictures of what they want and uploading them so that Superfish’s servers can identify the image. Computer security researchers have identified recent versions of Superfish as quite a malicious program: it interferes with security certificates and now exposes a mobile device’s unique ID through the EXIF data in photos taken by the device.
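As an added illustration (not code from the original post or from the Superfish app), the following Python shows what the EXIF block of a JPEG carries and how to strip it before a photo is handed to an image-recognition service. The JPEG it inspects is built by hand inside the script, the tag table covers IFD0 only, and the GPS and Exif sub-IFDs are reported as pointers rather than followed.

```python
"""Inspect and strip the EXIF (APP1) segment of a JPEG before it leaves the device.

Added example; not code from the original post or from any analysis of the
Superfish app. It shows the leak vector the post names: photos carry an EXIF
block holding camera make/model, GPS and other identifying tags, and a photo
upload hands that block to whoever runs the server. The sample JPEG below is
constructed by hand (no real pixels) so the example runs offline.
"""
from typing import List, Tuple

APP0, APP1, SOS = 0xE0, 0xE1, 0xDA
EXIF_HEADER = b"Exif\x00\x00"

# A few IFD0 tag ids worth recognising; anything else is reported by number.
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software",
             0x0132: "DateTime", 0x8769: "ExifIFD", 0x8825: "GPSInfo"}


def split_jpeg(jpeg: bytes) -> Tuple[List[Tuple[int, bytes, bytes]], bytes]:
    """Split a JPEG into (marker, payload, raw_segment) header segments and the
    tail starting at SOS. Segments are FF <marker> <2-byte BE length incl.
    itself> <payload>; everything from SOS on is image data we never touch."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    segments, pos = [], 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == SOS:
            return segments, jpeg[pos:]
        length = int.from_bytes(jpeg[pos + 2:pos + 4], "big")
        raw = jpeg[pos:pos + 2 + length]
        segments.append((marker, raw[4:], raw))
        pos += 2 + length
    return segments, jpeg[pos:]          # truncated file: no SOS found


def exif_ifd0_tags(payload: bytes) -> List[str]:
    """Name the tags present in IFD0 of an APP1/Exif payload (TIFF structure)."""
    tiff = payload[len(EXIF_HEADER):]
    order = "little" if tiff[:2] == b"II" else "big"
    ifd = int.from_bytes(tiff[4:8], order)          # offset of IFD0 from TIFF start
    count = int.from_bytes(tiff[ifd:ifd + 2], order)
    tags = []
    for n in range(count):                           # 12-byte entries: tag, type, count, value
        entry = tiff[ifd + 2 + 12 * n: ifd + 14 + 12 * n]
        tag = int.from_bytes(entry[:2], order)
        tags.append(TAG_NAMES.get(tag, f"0x{tag:04X}"))
    return tags


def strip_exif(jpeg: bytes) -> Tuple[bytes, List[str]]:
    """Return the JPEG without its APP1/Exif segment(s) plus the tags removed."""
    segments, tail = split_jpeg(jpeg)
    out, removed = bytearray(b"\xff\xd8"), []
    for marker, payload, raw in segments:
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            removed.extend(exif_ifd0_tags(payload))
            continue                                  # drop the whole segment
        out += raw
    return bytes(out + tail), removed


def _constructed_sample() -> bytes:
    """Hand-built JPEG: SOI, JFIF APP0, an APP1/Exif whose IFD0 has Make, Model
    and a GPSInfo pointer, then a stub SOS and EOI. Not a real photo."""
    def segment(marker: int, payload: bytes) -> bytes:
        return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    entries = (b"\x01\x0f\x00\x02\x00\x00\x00\x04ACME"              # Make, ASCII[4]
               b"\x01\x10\x00\x02\x00\x00\x00\x04X100"              # Model, ASCII[4]
               b"\x88\x25\x00\x04\x00\x00\x00\x01\x00\x00\x00\x00")  # GPSInfo pointer (placeholder offset)
    tiff = b"MM\x00\x2a\x00\x00\x00\x08" + b"\x00\x03" + entries + b"\x00\x00\x00\x00"
    tail = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\x56" + b"\xff\xd9"
    return b"\xff\xd8" + segment(APP0, app0) + segment(APP1, EXIF_HEADER + tiff) + tail


SAMPLE_JPEG = _constructed_sample()

if __name__ == "__main__":
    cleaned, tags = strip_exif(SAMPLE_JPEG)
    print(f"removed EXIF tags {tags}; {len(SAMPLE_JPEG)} -> {len(cleaned)} bytes")
```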

There has been much debate over the years about the tracking of cell phones and mobile devices. Furthermore, malware designed for mobile devices has become so sophisticated that tracking a device and the data it transmits over the internet and networks is a commonplace event for advanced hackers. Through the Superfish mobile app on Android and iOS devices, it seems information on those devices may be pulled and later sold or used by other hackers and cybercrooks.

Deep in the code of the Superfish app on Android, and within Superfish’s LikeThat feature on iOS devices, the malicious program may reveal the MAC address, CPU frequency, display type and free space to others who are tuned in to collecting Superfish’s stolen information.

Tracking the device itself may be another thing hackers can do with Superfish. Though this has not been fully explored or verified, Superfish could still serve as a basis for pulling location information from mobile devices. Through the GPS positioning capabilities found in Superfish’s code, iOS devices with location services enabled could let others track the device. On Android versions the tracking features may not be fully active; however, transmission of the user’s position is present within the SFLocatioAPI class, another avenue that sneaky hackers could exploit.

Wherever Superfish is found on a device of any kind, it should be removed. Using Superfish could leave a mobile device vulnerable to many issues, including being tracked or having other data compromised.

Tyupkin Malware Allows Hackers to Steal Millions From ATMs

Posted on 08 October 2014 by MegaLexame

Hackers are attacking ATMs in Europe, Asia and Latin America using the Tyupkin malware and cash-collecting mules. The losses amount to millions of dollars.

The Kaspersky Lab research team has reported a remarkable growth in ATM attacks using malicious software and skimming devices over the last few years. Things are now evolving: hackers are attacking financial institutions by compromising ATMs directly or by mounting APT attacks against banks.

The Night Attacks of Tyupkin Malware

The ATMs targeted by Backdoor.MSIL.Tyupkin, as detected by Kaspersky Lab, run 32-bit Microsoft Windows and are produced by a major ATM manufacturer. To avoid detection, Tyupkin is active only during certain hours at night and uses a key based on a random seed for each individual session. This key is crucial to interacting with the infected ATM. Once the key is entered, Tyupkin shows information about the amount of money available in each cassette. This lets the attacker withdraw 40 notes from the cassette he has selected. Reportedly, anti-emulation and anti-debug techniques are implemented in the latest version of the malware.

Tyupkin is installed via a bootable CD once the attacker gains access to the machine. The malware accepts commands only on certain days and hours, which coincide with the visits of the cash-collecting mules. To avoid unwanted attention, the withdrawals take place on Sunday and Monday nights. Security camera footage shows that the person who collects the money calls another team member to acquire the key needed to perform the operation. The “operator” uses an algorithm to generate the session key. Only if the key is entered correctly can the attacker interact with the compromised ATM.

The following message is then displayed:

If the entered key is incorrect, the Tyupkin malware disables the local network. The exact reason for this is still not clear, but experts believe its purpose is to disrupt remote investigations.

INTERPOL is investigating the case, working on the detection and elimination of the threat.

Black Energy’s New Targets – Ukraine, Poland, Brussels

Posted on 24 September 2014 by SlimboCA

The current malware campaigns in Ukraine, Brussels and Poland most likely target information, not cash.

BlackEnergy Strikes Again in a New Manner

The security firm ESET has discovered a newer version of the BlackEnergy malware that is currently targeting over a hundred industry and security organizations in Ukraine and Poland. BlackEnergy has been known to the public since the cyber-attack on Georgia in 2008. So far BlackEnergy has been used for DDoS attacks, spam distribution and bank fraud.

According to a report by the ESET research team, the botnet-based malware has a new strategy: targeting private companies and state organizations in various industries. There have been numerous attacks throughout 2014, and they are still active this month.

Reportedly, the “lite” BlackEnergy version has over a hundred victims so far, mainly companies and organizations in Ukraine and Poland.

In the meantime, another security company, F-Secure, discovered a recent BlackEnergy campaign active in Brussels. The security specialists believe this may be a sign of a breach in the European Commission or the European Parliament.

F-Secure also revealed another Russian malware campaign, CosmicDuke, which uses a fake document about the current Scottish independence vote to lure the victim into opening it and thus introduce the threat into the system. The attack targets companies in the oil sector, mainly in the UK.

BlackEnergy Lite – What’s Different?

The security experts at ESET call the newer version of BlackEnergy “lite” for a few reasons:

  • The latest BlackEnergy is cheaper.
  • The malware does not use a kernel mode driver anymore.
  • BlackEnergy no longer has the rootkit functionality that was used to conceal the malware in previous versions.

Although the newer version might appear a bit stripped down, it is still able to damage the systems of numerous organizations, either by taking advantage of various software vulnerabilities or by using phishing emails and fake documents to attack the victims.

Dropping the kernel mode driver is quite a common tendency among malware creators lately. It may be due to the technical difficulties developers face, or simply because creating driver-based malware is a big investment.

The cyber crooks behind BlackEnergy Lite use it for:

  • Remote code execution.
  • Collecting data.
  • Network discovery.

The distribution mechanism of the attacks is quite interesting as well. A document named “Russian ambassadors to conquer the world” was used in one of the attacks in April. The decoy file exploited a vulnerability in Microsoft Word (CVE-2014-1761). In other cases, the dropper is an EXE file hiding behind the Word icon.
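Added example, not code from the post or from ESET: a Python check a mail gateway or analyst could apply to attachments, comparing the leading bytes of a file with what its name claims, which catches the EXE-behind-a-Word-icon disguise described above. The file contents it tests are constructed stub headers, not real droppers or documents.

```python
"""Flag attachments whose bytes are not the document their name and icon suggest.

Added example; not code from the original post or from ESET's report. It checks
the dropper trick the post describes: a Windows executable (PE, 'MZ' header)
dressed up with a Word icon and a document-looking name. Every sample below is
a constructed stub header, not a real dropper or document.
"""
import os
from typing import Dict, List, Tuple

# Leading bytes of the container types a mail gateway sees most; first match wins.
MAGIC: List[Tuple[bytes, str]] = [
    (b"MZ", "pe-executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-document"),   # legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip-container"),                         # .docx/.pptx/.xlsx
    (b"{\\rtf", "rtf-document"),
    (b"%PDF", "pdf-document"),
]
DOCUMENT_EXTS = {".doc", ".docx", ".rtf", ".ppt", ".pptx", ".xls", ".xlsx", ".pdf"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".dll"}
# What a well-behaved file with each extension should sniff as (.doc may be RTF).
EXPECTED = {".doc": {"ole2-document", "rtf-document"}, ".rtf": {"rtf-document"},
            ".docx": {"zip-container"}, ".pptx": {"zip-container"}, ".xlsx": {"zip-container"},
            ".ppt": {"ole2-document"}, ".xls": {"ole2-document"}, ".pdf": {"pdf-document"}}


def sniff_type(data: bytes) -> str:
    """Identify the real container type from its leading bytes, ignoring the name."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def check_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Cross-check a file name against its content and return a verdict with reasons.

    Signs of the Word-icon EXE trick, in order of severity:
      1. PE bytes under a document extension (or any PE at all: the icon is
         just a resource and Windows hides known extensions by default)
      2. a double extension such as 'report.doc.exe'
      3. a document extension whose bytes are some other format entirely
    """
    stem, ext = os.path.splitext(filename)
    ext, inner_ext = ext.lower(), os.path.splitext(stem)[1].lower()
    sniffed = sniff_type(data)
    reasons: List[str] = []
    if sniffed == "pe-executable":
        claim = f"named as a {ext} document" if ext in DOCUMENT_EXTS else "attachment"
        reasons.append(f"PE executable {claim}")
    elif ext in EXPECTED and sniffed not in EXPECTED[ext]:
        reasons.append(f"{ext} file whose content sniffs as {sniffed}")
    if ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
        reasons.append(f"double extension {inner_ext}{ext} hides the executable")
    return {"filename": filename, "extension": ext, "sniffed": sniffed,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed stub headers (magic bytes plus padding); none is a real file.
OLE2_STUB = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24
ZIP_STUB = b"PK\x03\x04\x14\x00" + b"\x00" * 26

SAMPLES = [
    ("Russian ambassadors to conquer the world.doc", OLE2_STUB),  # decoy name from the post, benign bytes
    ("Russian ambassadors to conquer the world.doc", PE_STUB),    # same name, EXE underneath
    ("report.doc.exe", PE_STUB),                                   # double extension
    ("briefing.docx", ZIP_STUB),                                   # genuine Office Open XML container
    ("notes.docx", OLE2_STUB),                                     # format mismatch, worth a look
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        verdict = check_attachment(name, data)
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{flag:10} {name}: {'; '.join(verdict['reasons']) or verdict['sniffed']}")
```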

Reportedly, in the attacks of the last two months the crooks used PowerPoint documents and Java vulnerabilities that have not yet been identified.

The Experts’ Opinion

Security experts observe a growth in Russian malware campaigns. They believe that hackers who were previously interested in credit card theft are now targeting trade secrets.

Compared to CosmicDuke, the BlackEnergy attacks appear more patriotically driven than cash-oriented. Some specialists believe the campaigns may not even have been started by Russian nation-state cyber criminals.

BlackEnergy Lite’s lack of concealment features is not holding it back, the experts say. Apparently, Lite has been reduced to just the functionality it needs.

Compared to its previous version, the malware is now easier to detect, but mainly in a lab environment. The technology used by most organizations is quite static, with a firewall still the mainstay, which makes their battle against BlackEnergy even harder.

More information concerning the newer version of BlackEnergy is expected to be released by the experts of both security companies.

BlackEnergy – Simple to Control and Hard to Detect

Posted on 16 July 2014 by SlimboCA

BlackEnergy is a web-based DDoS (distributed denial of service) bot created in the mid-’90s by Russian hackers. It provides attackers with an easily controlled web-based bot that can target more than one IP address per hostname, and thanks to the runtime encrypter its author used, the BlackEnergy botnet can evade antivirus detection.

BlackEnergy gives hackers a tool to launch floods against different systems and servers, overloading them until they deny service. BlackEnergy can carry out those attacks from multiple systems at a time against various IP addresses, which makes them quite severe.

From the time BlackEnergy was first launched until 2008, no significant changes in the way it works were detected. In 2008 a major new update, known as BlackEnergy 2, emerged; it is also known as Backdoor.Win32.Blakken. The modifications mostly involved different rootkits, so that various weak points in the operating system could be exploited. Diverse droppers and Trojans were used to spread BlackEnergy.

The most recent version of BlackEnergy has been distributed in a zip file claiming to contain a list of unsafe passwords. The zip file itself opens normally, and the user finds an actual list inside. Once the list is opened, BlackEnergy starts to spread through the system as a background process, while the real document of passwords acts as a decoy for the unsuspecting user.

BlackEnergy 2 – Step-by-step to Hostile Overtaking

The bot has a few main functions, each performed by a separate component of the program:

  • hiding the bot from anti-malware programs
  • infecting system processes
  • providing flexible ways to execute the malicious tasks that the C&C (command and control) center sends

Like other threats, BlackEnergy 2 has a protective layer that keeps antivirus products from detecting it. As soon as the executable file is activated on the computer, the malicious application allocates virtual memory, copies the decryptor code into it and transfers control to that code.

Once the decryptor code has run, the decrypted payload is placed in memory. A decryptor driver is then created in the C:\Windows\System32\Drivers folder and a corresponding service is activated. The driver itself works as a cover for most of the interesting processes that follow.

Inside the decryptor driver is a block of encrypted data. That data is an infector which inserts a DLL into svchost.exe.

The DLL inside svchost.exe is the most important part for launching a DDoS attack from the infected computer. The DLL contains a data string that creates an XML file defining the bot’s initial configuration. Among the data is the address of the botnet’s C&C. Sometimes more than one address is included, so there is a backup if the first cannot be contacted.

The bot then sends a pre-formed HTTP request to the C&C containing details about the infected computer: an identifier for the computer, the serial number of the hard drive on which Windows is installed, country, language strings, etc. If the command and control center authorizes the request, it replies with a bot configuration file, an XML document encrypted with RC4. The encryption key is derived from the computer identifier the bot sent earlier, so that only that specific computer can use the configuration.
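To make the configuration exchange concrete, here is an added Python example (not code from the post or from any analysis of the real bot) showing how an analyst who has captured a bot’s check-in identifier and the C&C reply can decrypt the RC4-protected XML and read out the C&C addresses, and why the same reply is useless without the right identifier. The XML layout, the identifier and the server addresses are assumptions constructed for the demo.

```python
"""Recover a BlackEnergy 2-style bot configuration from a captured C&C reply.

Added example; not code from the original post or from any analysis of the real
malware. It mirrors only what the post describes: the bot's check-in carries a
host identifier, and the C&C answers with an XML configuration encrypted with
RC4 under a key made from that identifier. The XML layout, the bot identifier,
the server addresses (documentation ranges) and the ciphertext are constructed
for this demo.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream). The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                                  # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                                     # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_bot_config(xml_bytes: bytes) -> Dict[str, object]:
    """Pull the fields an analyst cares about out of the (hypothetical) config XML:
    every C&C address, including backups, and the check-in interval."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "config":
        raise ET.ParseError("unexpected root element")
    return {"servers": [a.text.strip() for a in root.findall("./servers/addr")],
            "interval": int(root.findtext("interval", default="0"))}


def decrypt_config(bot_id: str, ciphertext: bytes) -> Optional[Dict[str, object]]:
    """Decrypt a captured reply with the bot's own identifier as the RC4 key.

    Returns None when the result is not the expected XML, which is what happens
    with the wrong identifier: the per-bot key means a reply captured for one
    infected host tells an analyst nothing about another without that host's id.
    """
    plaintext = rc4(bot_id.encode(), ciphertext)
    try:
        return parse_bot_config(plaintext)
    except (ET.ParseError, ValueError):
        return None


# --- constructed sample -----------------------------------------------------
SAMPLE_BOT_ID = "BOT-DEMO-5F3A9C"          # stands in for the host identifier sent at check-in
SAMPLE_CONFIG_XML = (b"<config>"
                     b"<servers><addr>http://198.51.100.7/stat.php</addr>"
                     b"<addr>http://203.0.113.9/stat.php</addr></servers>"
                     b"<interval>600</interval></config>")
# Stand-in for bytes captured on the wire: the sample XML encrypted under the
# sample identifier (RC4 is symmetric, so the same call decrypts it).
CAPTURED_REPLY = rc4(SAMPLE_BOT_ID.encode(), SAMPLE_CONFIG_XML)

if __name__ == "__main__":
    print("right id :", decrypt_config(SAMPLE_BOT_ID, CAPTURED_REPLY))
    print("wrong id :", decrypt_config("BOT-OTHER-HOST", CAPTURED_REPLY))
```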

Symantec Jumps Gun Claiming Antivirus is Dead

Posted on 14 May 2014 by GranTorinoGuy

There is no question that PC sales have taken a dip while consumers seek out other devices such as smartphones, tablets and even convertible tablets that turn into laptops. Knowing this, it is really no surprise that Symantec has claimed that antivirus is dead in the realm of desktop computing.

Symantec’s vice president Brian Dye told the Wall Street Journal that antivirus “is dead.” As antivirus still accounts for about 40% of Symantec’s revenue, this claim raised a lot of eyebrows, and rightfully so. Dye told the WSJ that the company doesn’t consider AV to be “a moneymaker in any way.”

In support of Symantec’s claim, Bogdan Dumitru, Chief Technology Officer at Bitdefender, said, “Relying solely on antivirus is a dead end-and it has been for at least 8 years now.” Those are mighty strong words; as a rebuttal, PCMag’s SecurityWatch blog says, “But that’s like saying that aspirin is dead because it’s not the cure for cancer, AIDS, and all of humanity’s other illnesses.”

It is possible that the WSJ article was more of a “what’s old is new again” behind-the-scenes view. On the other hand, the WSJ could be leading everyone on about the fear of AV being dead, as claimed by Symantec, long thought to be one of the leaders of the AV solutions world.

Security analyst and SecurityWatch contributor Fahmida Rashid called Dye’s comments “an anthill made into a molehill.” In fact, she said that the statement is well in line with what Symantec has already been doing. “Symantec hasn’t said ‘install Norton and you are set for life’ in years, so it’s not backtracking to say that we need other types of security. We need behavioral analysis, we need real-time execution in the sandbox, we need layered analysis, and so on.”

The fear that comes out of Symantec’s claim could lead to a misleading situation where computer users think they simply do not need antivirus or antimalware software, which is just a bad idea altogether. Computer users will seize on Symantec’s claim and think they are invincible in a world and time where identity theft and malware are running rampant. Symantec could be shooting itself in the foot while consumers are being misled. The fact of the matter is that AV is not dead, and thankfully many companies that produce trusted AV solutions realize this and do not drink the Symantec Kool-Aid.

Over 60% of Malware Analysts Report Investigations of Undisclosed Security Breaches

Posted on 22 November 2013 by GranTorinoGuy

Security breaches are almost an expected, commonplace occurrence in today’s technology-obsessed world. A new ThreatTrack Security study reveals that security breaches are occurring at a much higher rate than initially reported by many security researchers.

ThreatTrack found that about 6 out of 10 US-based malware analysts interviewed about security breaches had failed to disclose breach incidents their own company experienced in the past. This very detail has led to further investigation, which uncovered IT security workers themselves as the main problem when it comes to protecting their companies against attacks.

In about 35% of cases where security breaches occurred, the security professionals or staff responsible for securing the attacked network were the ones who initially clicked on a malicious link in a shady email or mobile app.

ThreatTrack CEO Julian Waits Sr said, “While it is discouraging that so many malware analysts are aware of security breaches that enterprises have not disclosed, it is no surprise that the breaches are occurring. Every day, malware becomes more sophisticated, and US enterprises are constantly targeted for cyber espionage campaigns from overseas competitors and foreign governments.” Basically, the study reveals that malware analysts are aware of the threats they face, but many of them may fail to report their inability to fight a given cyber-attack. Additionally, they commonly point to a lack of proper resources and tools to protect their own company from attacks.

About 40% of the 200 professionals taking part in the survey, originally conducted by Opinion Matters on behalf of ThreatTrack Security, are deemed the main culprits in cyber-attacks against their own company. Knowing this, the rates and numbers of security breaches actually reported are totally skewed when it comes to finding out how many security breaches really take place. Essentially, it makes everyone’s job a little more difficult, while the attackers bask in their glory, knowing how they can take advantage of some companies.

The bottom line is that over 60% of security researchers are now reporting cases of undisclosed breaches, based on surveys and simple inquiries among US-based companies that have at one time or another been suspected of being the vulnerable party in a security breach. That is rather scary in the full scope of things when you consider that some of these companies may hold your personal information or banking data.

Average Time It Takes Cybercriminals to Start Exploiting Breaking News Decreases to 22 Hours

Posted on 28 September 2013 by GranTorinoGuy

It is almost a daily occurrence that cybercrooks find the most popular news stories or breaking news events to exploit. Researchers from Commtouch Security have now concluded that the time it takes cybercriminals to start exploiting breaking news is down to around 22 hours, the lowest we have ever seen.

Cybercrooks waste no time ramping up their efforts to exploit a popular news story; it is almost as predictable as your next breath. In their malware distribution campaigns, cybercriminals commonly use a popular news subject or breaking news to gain traction on search engines. Naturally, popular search engines like Google, Bing and Yahoo quickly pick up a breaking news story. Hackers thrive on this and waste virtually no time rehashing a version of the story on either a hacked website or one specifically designed to exploit computer users through news stories, eventually spreading malware.

Over the past few months, experts have taken note of the start time of a breaking news event and of how long it takes cybercrooks to react by posting their malware-laced stories related to it. In April of this year, the average time was 27 hours, based on the Boston Marathon bombings. For more recent events, such as the Royal Baby, the Syrian conflict, the NSA leaks and even the U.S. government shutdown, the reaction time has shrunk to just 22 hours.

In retrospect, 22 hours is a short amount of time to get out breaking news stories whose posts or pages are linked to malware in one way or another. Just think: a breaking news story floods the media at 9am this morning, and hackers have their own version of the story, laced with malware, by 7am the next morning. In some instances, this is faster than some reputable news outlets are able to confirm and relay a breaking news story on their website.

Do you think cybercrooks will eventually break popular news stories to us, laced with malware, faster than the top news websites in the near future? After all, what is stopping them from doing that?
