Showing posts with label malware. Show all posts
Showing posts with label malware. Show all posts

Friday, 22 February 2019

Rietspoof Malware on the Rise

Rietspoof Malware on the Rise
Rietspoof malware a new malware discovered by  security researchers is spreading via instant messaging sites like Facebook messenger and Skype. Researchers have said that this new form of malware develops in stages. The rietspoof malware was first discovered in August of last year but had not been taken seriously. An uptick in distribution in the last month has got the rietspoof malware back in everyone’s attention.

Rietspoof malware and its role: 


The main idea behind the rietspoof malware is to infect victims and then persist on the host victim. The malware does this so that it can download other malware onto the host device depending on orders from a central command and control server.

The rietspoof malware gains persistence by downloading an LNK file which is a shortcut file onto the host computer. This tends to be a risky area for malware as most security/ antivirus products know to look at this folder when running security scans. But rietspoof malware has all the legitimate certificates allowing the malware to bypass any security scans.

The actual rietspoof malware consists of four stages. The malware itself is dropped onto the host computer somewhere in the third stage. The last stage is the stage when a more serious malware is downloaded. The last stage malware can cause serious disruption to the computer.

Rietspoof Malware known as a “dropper” or “downloader”: 


The rietspoof malware has come to be known as the “dropper” or “downloader” by those in the tech world. This is because the malware is being used to download other more serious malware onto the computer after it itself has taken root.

Since it is only meant to download a more potent version of malware, its functionality is also reduced. The Rietspoof malware can only download, execute, upload and delete files and in a more serious scenario delete itself when in emergency. However even with this limited functionality, it can still cause serious damage.

Avast the researchers behind discovering the rietspoofmalware, say that since they have discovered the malware, the malware has changed its C&C protocol and gone through some modifications. This had led them to believe that the malware was still being developed. Avast says that they are still not sure whether they’ve got to grasps with the entirety of the malware.

Rietspoof malware not the only “dropper” on the rise: 


“Dropper” or “downloader” malware is on the rise. Rietspoof malware is not the only malware that has developed in the previous months. A malware known as Vidar has helped criminals distribute ransomware and has also obtained passwords on their behalf.

The rietspoof malware downloads itself in stages and offers no information on what hosts it picks. Since its discovery back in August, it was initially thought of to be in its early or developmental stages, since then theRietspoof malware has really begun to pick up speed.

At present the end goal of the rietspoof malware, the choice of targets and exact infection chain remain unknown.

Monday, 11 February 2019

First Clipper Malware Discovered on Google Play

Clipper malware
Android/Clipper.C impersonating MetaMask on Google Play
Clippper malware was discovered on Google Play, the official Android app store. This malicious malware was discovered in Feb 2019.

What is the clipper malware? 


Addresses of the online cryptocurrency wallets have a long string of characters that includes alphabets and numbers.These addresses are basically long for security reasons. The users generally copy and paste the addresses using the clipboard instead of taking the trouble to type them out.

The people who steal the cryptocurrency, take advantage of this lapse and replace the wallet address in the clipboard. This is the clipper malware.

The attacker intercepts the address on the clipboard and changes it to the address belonging to him.
The user then ends up with the wallet address that has been switched by the attacker.

Though the clipper malware is relatively new, where the cryptocurrency stealers alter the address, it is considered an established malware.

The origins of clipper malware


The clipper malware was first discovered in 2017 on the Windows platform.

Later it was noticed in the shady Android app stores in the summer of 2018.

In August 2018, the first Android clipper malware was discovered. It is sold on underground hacking forums and subsequently seen in shady Android app stores.

The clipper malware was also hosted on download.cnet.com. This is one of the most popular software hosting sites. This malware was discovered by ESET researchers.

In February 2019, the malware was found on Google Play, which is the official Android app store.

How does the clipper malware function? 


The clipper malware was detected on the Google Play store. This malicious malware was found out by ESET security solutions. The malware, Android/Clipper.C, impersonates a genuine service known as MetaMask.

The clipper malware basically steals the user’s credentials and private keys in order to access the user’s Ethereum funds. This malware can also change the Bitcoin or Ethereum wallet address of the user and replace it with the address of the hacker. The wallet address of the user is replaced by the wallet address of the hacker using the clipboard.

When and how was the clipper malware discovered? 


On 1st Feb 2019, the ESET security solutions discovered the clipper malware, Android/Clipper.C on Google Play, the official Android app store. This was then intimated to the Google Play security team. They immediately removed the app from the Store.

This hacking targets the users who make use of the mobile version of the MetaMask service. The MetaMask service runs Ethereum decentralized apps in the browser without any need of running a complete Ethereum node.

Currently, the MetaMask service is not offering the mobile app. They are available as add-ons for desktop browsers like Chrome and Firefox.

Previously too, malicious apps were discovered on Google Play impersonating MetaMask in order to access the victim’s cryptocurrency funds.

Security measures against clipper malware


Users should update their Android devices and use reliable mobile security solution.

Download apps from the official Google Play store.

For any Google Play search, stick to the official website of the app developer or service provider for the link to the official app.

For any sensitive transactions involving information or money, double check every step.

Wednesday, 6 December 2017

What is KRACK Hack vulnerability

KRACK Hack

What is Krack

Krack is said to be an abbreviation for Key reinstallation attack which tends to involve an attacker utilising a one-time key which has been provided to the device of a client intending to connect to Wi-Fi network.

According to KU Leuven’s Mathy Vanhoef the researcher who discovered the vulnerability, his discoveries had been reported by tech site Ars Technica recently. He states that in some of the instances, hackers tend to exploit Krack in order to inject malware like ransomware in websites.

Vanhoef, informs that on doing so, the hacker has the potential to decrypt information which has been swapped from the access point with the client device wherein the personal details such as credit card numbers, together with messages and password can be exposed. It is here that the process of the hack can take place as described on the website of Vanhoef.

This latest discovered vulnerability can permit attackers to seize sensitive data which is transmitted between Wi-Fi access point and a computer or a mobile device which can be encrypted. This error is known as Krack that affects WPA2 which is a security protocol extensively utilised in the up-to-date Wi-Fi devices.
 

Four-Way Process Handshake

 
When a device tends to connect with a protected Wi-Fi network, there is a four-way process handshake for Krack , which occurs wherein this handshake warrants that both the client and the access point have the precise login authorisations for the network.

This tends to generate a new encryption key in order to protect web traffic wherein the encryption key is installed at step three of the four-way handshake. However the access point at times tends to resend the same key if it considers that the message could have been misplaced.

 Research of Vanhoef has discovered that the attackers could force the access point in order to install the identical encryption key which the intruder could utilise to attack the encryption protocol and decrypt the data. Vanhoef cautions that any device that seems to support Wi-Fi could probably be affected by Krack though Linux-based devices together with Android devices running version 6.0 or higher of the Android operating system are likely to be in danger. Presently it would comprise of over 40% of Android devices.

 

Update Wi-Fi Devices

 
Proof of the concept had been displayed by Vanhoef portraying how exploitation utilising the Krack technique was possible. He cautioned on his website that he was not in a position to determine if such attacks had been actively utilised.

Vanhoef also mentioned that in order to protect the user from Krack attacked, it was essential to update Wi-Fi devices such as the smartphones, laptops and tablets no sooner the updates are made available. Users are also cautioned to update their firmware of router. A security update addressing the issue had also been released by Microsoft according to the reports of The Verge.

Wi-Fi Alliance which is a network of companies making Wi-Fi devices, defining Wi-Fi standards and programs had informed that platform providers have begun organizing patches for the purpose of addressing the problem.

Saturday, 29 July 2017

‘CopyCat’ Malware Infected 14 Million Google Android Devices

“CopyCat”, a harmful software campaign, affected millions of devices that run on the Android operating system by Google. In this defect, more than a million dollars were brought in through false and fake advertising and app installations, as stated by the researchers at the Israeli cybersecurity firm Check Point Software Technologies.

This operation peaked during April and May 2016. It infected about 14 million devices and raked in about $1.5 million in just a matter of two months. The outbreak seemed to have spread to devices through third party app stores and phishing attacks, instead of the official Google play app.

A mobile security researcher at Check Point named Daniel Padon informed Fortune that his team conveyed the operation to Google in March almost immediately after discovering it. By that time Google had controlled much of the problem.

When CopyCat infection was rampant everywhere, the malware got hold of “root” control for about 8 million devices and used that authority to supply more than 100 million fake ads and install 4.9 million apps on various devices, garnering considerable amount of revenues for cybercriminals. The malware was able to do this with the help of a few exploits to gain access to security holes in Android versions 5 and earlier and then later by taking over the "Zygote" which is a part of Android systems that handle app launches.

Check Point researchers stated that is this first malware discovered that utilises this technique. They also noted that this tactic was first used by Triada which was a money-stealing malware. Researchers have in fact traced the CopyCat operation back to a 3-year-old ad-tech start-up that was based in Guangzhou, China called MobiSummer. The infrastructure, remote services and code signatures were shared by the malware operators and the start-up, as told by the researchers, although they were not sure whether the company acted on this deliberately or unconsciously.

The CopyCat malware mainly harmed devices in Southeast Asia, countries such as India, Pakistan and Bangladesh although about 280,000 people in the United States were also impacted when it was at its peak. Researchers also observed that the adware deliberately avoided pursuing China-based users, thus deducing that the culprits might have been based there itself and functioned this way to avoid being caught by the local authorities.

Aaron Stein who is a Google spokesperson, stated that the company has been keeping an eye out for any variant of the CopyCat malware for the last few years. He also added that a security feature made official by the company in May called Google Play Protect that scrutinizes and abolishes harmful apps from devices, was now able to immunize phones against these attacks even if they are functioning on an earlier version of Android.

Stein also said that CopyCat is modified version of a larger malware family that they have been on the lookout since 2015. Every time a new variant makes an appearance, they upgrade their detection systems to safeguard their users. Play Protect defends users from the family of malware and any apps that were carrying the CopyCat malware have not been circulated via Play, Stein said. This tactic of fake advertising has become a profitable way for offenders to make some cash online, examples are the “Hummingbird” ad fraud scam which helped fraudsters make $300,000 per month and the most recent one being “Methbot” which robbed up to $5 million a day.

Thursday, 22 June 2017

Cyber Firms Warn of Malware That Could Cause Power Outages

Malware

Malicious Software – Modified with Ease Harming Critical Infrastructure

It was recently noted that malicious software had been uncovered by two cyber security firms which is presumed to have caused a December 2016 Ukraine power outage, cautioning that the malware could be modified with ease in harming critical infrastructure operations all over the world.

A Slovakian maker of anti-virus software – ESET together with Dragos Inc. a U.S. critical-infrastructure security firm had released information analyses of the malware called Industroyer or Crash override and had dispensed private alerts to governments as well as infrastructure operators to assist them in defending against the threat.

The U.S. Department of Homeland Security had mentioned that they were investigating the malware but it had not perceived any evidence to put forward that it had infected U.S. critical infrastructure. The two firms had stated that they were not aware of who had been behind the cyber-attack. Ukraine had put the blame on Russia but the officials in Moscow had denied the blame constantly.

The firms still cautioned that there could be added attacks utilising the same method by the group that built the malware or by imitators who alter the malicious software. ESET malware researcher Robert Lipovsky had stated in a telephone interview that the malware was easy to repurpose and utilise against other targets which was certainly alarming and could cause wide-scale destruction to organization systems that are dynamic.

System Compromised by Crash Override

That warning had been verified by the Department of Homeland Security stating that it was working to understand better the threat posed by Crash Override. The agency had mentioned in an alert post on its website that `the tactics, techniques and procedure described as part of the Crash override malware could be modified to target U.S dangerous information networks and systems’.

 The alert had posted around three dozen technical indicators that a system had been compromised by Crash Override and requested firms to contact the agency if they had doubted that their system had been compromised by the malware. Robert M. Lee founder of Dragos had stated that the malware had the potential of attacking power systems all over Europe and had the tendency to be leveraged against the United States with small modifications.

Risk to Power Distribution Organizations

Lee had further mentioned by phone that` it is able to cause outages of up to a few days in portions of a nation’s grid but is not strong enough to bring down an entire grid of a country’. Lipovsky had stated that through modifications, the malware could attack other kinds of infrastructure comprising of local transportation providers, gas and water providers.

A leader of Kroll’s cyber security practice, Alan Brill had mentioned in a telephone interview that power firms are concerned that there will be more attacks. He further added that they have been dealing with very smart people who came up with something and deployed it. It represents a risk to power distribution organizations everywhere.

Industroyer had been the only second piece of malware that has been uncovered till date which has the potential of disrupting industrial process to manually intervene, without the help of hackers. Stuxnet was first discovered in 2010 and is generally believed by security researchers to have been utilised by the United States as well as Israel for attacking nuclear program of Iran. The Kremlin and Federal Security Service of Russia had refrained from replying to their request for clarifications.

Friday, 2 June 2017

Network Traffic Provides Early Indication of Malware Infection

Malware - The Great Dangers on the Internet

The word malware is a combination of the two English words "malicious" and "software", which means roughly as much as malicious software. The dubious meaning and purpose of these types of programs is therefore clear: they are supposed to cause damage. This can take many forms. When defining it, it is important to point out that malware infection without the computer user's consent or has hidden functions that it hides, and then secretly performs its task. Software with which you can harm others without being disadvantaged by yourself does not usually belong to this group.

Security for networks in organizations need the planning and execution of an holistic idea. Furthermore tools such as scanners or firewalls, network monitoring is a helpful addition to security. The monitoring networks assists administrators to discover network abnormalities early enough and to find incipient attacks of Malware infection. It thus get along a strategically essential element in the IT security conception of companies.

Organizations would secure their IT base while the firewall worked dependably and the virus reviewer is up-to-date. Nevertheless, malware infection are often revealed late. An integrated system of monitoring networks, into the security conception, plays as an primal warning system if outset are designed accordingly. Full, suddenly happening CPU load alterations, out of the blue high traffic or an over utilization of hard disk capacities are crucial bespeak of undiscovered afflictions.

HARMFUL DRAFT


Malware infection, Viruses and trojan horses manipulate or delete data and are able to compromise entire computers - a threat to the entire network. Studies on IT security warn that the threat situation is still to be taken seriously for companies. Cybercriminals are increasingly developing more professional Malware infection that is more intelligent and thus more effective. For example, the number of drive-by downloads and denial-of-service attacks has steadily increased in recent years.

Network Monitor allows administrators to recognize a large part of such Malware infection to the enterprise network at an early stage. Signs are unexpected, unusual, and sudden changes in load, access times, and disk space that can not be explained by hardware defects.

PROVIDE IRREGULARITIES IMMEDIATELY

For the early perception of malware infection, it is achievable to find out bandwidths of chartered lines, networks or devices (switches, routers) etc. By the means of Network Monitoring, system executives acquire elaborate data on the actual state of their system. Additionally, we can observe usage crises, impendent bottlenecks and connection errors. Network executives can further measure the bandwidth and find out the activating IP addresses and protocols.

The network monitoring solution helps administrators to detect network irregularities at an early stage. It provides detailed real-time data about the current state of all integrated devices. In addition to the accustomed security means, to supervise network has considered as a time-tested method to observe early affliction from the outside. The chief reason for this is the time savings in the early perception of malware infection.

Saturday, 6 May 2017

FalseGuide Malware Victim Count Jumps to 2 Million

1

2 Million Android Users Infected By Malware, Learn How to Protect Yourself

Check Point researchers recently reported that millions have unintentionally downloaded a malware called FalseGuide hidden in over 50 apps downloaded from Google Play Store. Attacks like this have been made through Play Store before with the use of malwares like Vikinghorde and Dresscode. The botnet malware spread through the download of guide apps for games like FIFA, Pokemon Go, Subway Surfers, GTA San Andreas, Asphalt and others. The malware quickly spread and infected over 2 million android devices, compromising their internet security. Initially, a report published on 24th April had informed that the malware has affected only 600,000 users but since then Check Point has researched that the FalseGuide malware attack is far worse. FalseGuide was uploaded onto Play Store as early as November last year and has been sitting there ever since, generating more and more downloads. Find out whether you have been a victim of this attack and learn how you can boost your internet security to protect yourself from such attacks.

How does FalseGuide operate?

Hackers behind this attack developed these simple apps as guides for games are widely popular and are downloaded by people all around the world. They don’t require much maintenance and updates which makes the hacker’s job all the more easier. This is how FalseGuide malware infects your device-

  • After the installation of the game guide, FalseGuide asks for device admin permission from the user. 
  • If you have given it administrative permission, it cannot be deleted from the device. It can then use methods to hide its activities.
  • You will then be part of a botnet without your knowledge. The hackers will control your device for adware purposes and make an income through it. 
  • Then FalseGuide registered itself on a message topic of the same name on a cross-platform messaging service called Firebase Cloud Messaging. After subscribing to this topic, the attackers can send messages containing links to more malware, download and install them to your device. 
  • After restarting, a background service will start running and display illegal pop-up ads so the hackers can make money. 
  • Highly malicious coding has been found in these modules which can actually allow the attackers to root your device, launch a DDoS attack or infiltrate private networks.

Did the attack originate from Russia?

Check Point surmised that the malicious apps containing FalseGuide malware was submitted to Play Store by two fake developers with Russian names, Sergei Vernik and Nikolai Zalupkin. Later, they updated their post with the information that 5 more of such apps had been found and these had been developed by Anatoly Khmelenko (translated from a Russian name).

What to Do If You Are a Victim?

Google has already removed the apps from the Play Store but your device might still be infected. You must perform a factory reset on your device. If it still does not work, you must take your phone to a professional.
How to Protect Yourself from Similar Attacks

  • Only download apps from trusted sources and developers. 
  • Beware of installing apps that request administrative permission. 
  • Keep an updated antivirus on your device.

Wednesday, 23 September 2015

Poker Players Targeted By Card-Watching Malware

Poker

Malware Target Popular Online Poker Sites


Malware researchers at security firm ESET have come across a new Trojan which has been designed to cheat online poker by a sneak quick look at the cards of infected opponents. According to ESET’s security researcher, Robert Lipovsky, the malware is said to target PokerStars and Full Tilt which are two of the most popular online poker sites.

He has mentioned in his recent blog post that the attackers operate in a simple manner and after the victim has been affected successfully with the Trojan, the culprit then attempt to join the table where the victim tends to be playing with an unfair advantage by getting to know about the cards in their hands.

Malware, Win32/Spy.Odlanor, covers up as a benevolent installer for several general purpose programs like Daemon Tools or mTorrent. Lipovsky has mentioned that people tend to get infected while downloading some other useful application from some unofficial source.

In some instances, it tends to get loaded on to the user’s systems through several poker related programs which comprises of poker player databases as well as poker calculators like Tournament Shark, Smart Buddy, Poker Calculator Pro, Poker Office and much more.

Prowls in Software Created For Better Performance


The tricky malware has been discovered prowling in software created to support poker fans with better performance according to a security firm which discovered it. The software is also said to target other valuable information on a user’s computer like login names as well as passwords.

When a system is infected, the software observes the activity of the PC and operates when a victim has logged in to any of the two poker sites. Thereafter it begins taking screenshots of their activity and the cards they tend to deal with and send the screenshots to the culprits.

Lipovsky mentioned that later on the screenshots can be retrieved by the cheating culprits which reveal not only the hands of the infected opponent but the player ID as well.This according to ESET enables the criminals to search the sites for that play and join in their game. Both the targeted poker sites permit searching for players by their player ID and so the culprit can connect with ease at the table on which they tend to be playing.

Largest Detection of Spywares – Eastern European Countries


With the information gathered with regards to the victim’s hand, it provides significant advantage to the criminal. Lipovsky writes that he is not sure if the attacker tends to play the games manually or in some automated way.ESET have discovered that the Windows malware seem to be prowling in some of the well-known file-sharing applications, PC utilities and many other widely used poker calculators and player databases.

Lipovsky writes that the largest number of detection of spyware has been active for several months where most of the victims were from Eastern European countries. However, the Trojan tends to be a potential threat to any online poker player.

 Most of the victims were from the Czech Republic, Poland and Hungary. ESET had stated that they had discovered various versions of this malware dating back to March 2015. To make matters worse, new versions also tend to contain `general purpose data stealing functions’ with the abilities of siphoning passwords from several web browsers. As of September 16, several hundred users have been infected with Win32/Spy.Odlanor.

Tuesday, 14 July 2015

New Android Malware Sprouting Like Weeds


Android
If you own Android devices and looking for the way to minimize the risk of Android malware infection, so better to avoid the use of discount app stores. According to Andy Hayter, who is Security evangelist at G Data, “It’s recommended to not to download the apps from unknown app stores, but if you really trust them personally then you can go ahead”. The more he added that its recommended to install a malware scanner and on the same time check the permissions option (in settings of device) before installing any app.

As per the latest report of G Data Security Labs, All the information which are stored on an Android devices such as; smartphone and tablet are vulnerable to more than 4,950 new malware files. From past few years, Cybercriminals are taking much interest in the Android operating systems and according to Andy Hayter, Android devices are the bigger, easier and most profitable target for the bad guys in comparison of other platfroms. According to predication of G Data security Labs, There are more than 2 million new Android malware are about to surface in 2015.

Is it just starting? 

Android OS is a derivative of Linux, which considered as less targeted operating system by malware and viruses. But when it comes to Android devices then reality is absolutely different as Android OS is less secure and less rigorous in comparison of other mobile platforms, as per statement of Rob Enderle, Principal analyst of Enderle Group.

Latest reports as well as 2 million figure of G Data security Labs are realistic because in present much number of user’s are using the Android devices for online shopping and banking transactions. We all are aware about the fact that Android OS has more market share in comparison of iOS and Windows Phones and due to that Cybercriminals, security researchers and malware authors are more interested in Android OS. Last year, Google introduced premium SMS Checks and after that malware models started to spread in much faster way.

Android malware and Cybercriminals: 

If you will browse Google Play Store, so you will find that there are several paid and free apps are available and when it comes to install apps, so as normal user we prefer to use free Android apps. A developer of free Android apps depends on advertising to generate funds for further development, however; bad apps have ability and function to hide them in background. As per the repots of G Data security Labs, malware files are new financial foundation for Cybercriminals and in present more than 50 per cent Android devices are carrying SMS Trojans, Online shopping Trojans, Banking Trojans and other malware components.

In Europe 41 per cent and in US 50 per cent of consumers are using smartphones or tablets for banking transactions, however; 78 per cent internet users are making their purchase online through smartphones or tablets. Malware programs can install apps, steal your personal information or it can also steal your credit card or financial data for additional process.

Wednesday, 10 June 2015

Google’s Security News: Malware’s Down, and You’re Heeding More of Its Warnings


Malware
According to the Google’s security product manager, the company defines their success in simple term- invisibility. As per Stephan Somogyi they are targeting as the main outcome when we encountered a blank browser window appearing in front of him. He was able to give some insight on the status of the online security, during the Google’s I/O conference at the half-hour presentation called the Second annual Google Security update at I/O.

Phishing and Malware Sites: 

He gave some more details on the Safe Browsing service of the company. He calls them as a collection of systems that have the ability to hunt down the badness all across the net. It has the ability to protect the visitors who are searching the web using the Google search site or even Chrome, Safari as well as Firefox. This indicates the total reach to the audience amounting to 1.1 billion people.

According to the reports released by the company, they have located that the Malware is becoming is not a huge problem anymore. But they have also found that phishing sites that are able to fool the customers into entering their details like password and more financial details are increasing in numbers.

During the last week of Mat, they were able to detect nearly 14,977 malware sites and nearly 33,571 phishing sites using the safe browsing. The Malware has shown a big drop and Phishing has shown a bigger increase. Somogyi has given all the credit to the enhanced security in all their operating system in every device. Due to this the Malware authors are now more concentrating on the phishing sites and targeting the software’s.

The much needed push for encryption: 

Google has been among the first companies who were advocating the use of encryption to avoid people from snooping on users online. The acceleration to this push came in the form of the revelations made by Edward Snowden, who confirmed that NSA has been eavesdropping on their traffic from quite some time. He further expressed his anger pertaining to the effort that is being put forth by Google to get other emails providers to try and adapt the TLS, which is the Transport Layer security encryption. Through this all the third party companies care unable to reading the messages when they are transit.

The company is hoping to reach to larger companies that work in sending email and find out the reasons why they are unable to implement TLS. But from the perspective of the company, they do not want to resort to public shaming.

They are not ready to disclose the names of the company who have still not followed or implemented TLS. Compared to TLS, Google has been able to attain much more success in terms of encouraging different websites to implement HTTPS encryption to completely secure the user visit to websites. The company is making all effort to ensure that the users feel completely safe when spending their time online.

Monday, 13 October 2014

iOS Trojan –Malicious Software, Chinese Creation




iOS Trojan
The Lacoon Mobile security researchers’ team have identified one of its first Apple iOS Trojan attacks to oppose communication of pro-democracy Hong Kong activists. Initial investigation indicates that the Trojan has an impressive number of surveillance capabilities.

The malicious software discovered has been dubbed Xsser mRat which uses social engineering to rob valuable data from jail broken devices while the users unknowingly tap on an install link in phishing messages from unknown users.

The malicious software has been created by Chinese hackers wherein it can obtain various range of personal information which could include the iOS address book, call logs, GSM identities, SMS messages, as well as the approximate geographical location which could be determined by the cell tower ID, pictures on devices together with passwords and other authentication data available in the iOS keychains that are used by Apple ID mail accounts and the other services.

The spyware has the capabilities of obtaining additional data in the cloud like the iOS version, MAC address, device version and phone number, IMSI and IMEI. When it is installed on any device, the Trojan automatically runs on rebooting, updating itself dynamically.

Xsser mRat Targets iOS Devices 

According to Lacoon Mobile Security, the so called virus, Xsser mRat, targets the iOS devices related to Android spyware which have been distributed widely in Hong Kong. In a blog post, it is also mention by Lacoon that Xsser mRat is connected with Android spyware infecting mobile users in Hong Kong which seems to be designed in helping to coordinate Occupy Central Hong Kong protesters and then prepare an attack.

Lacoon has also stressed on the importance of a cross platform mobile attack.It is very rare where cross platform attack could target iOS as well as Android devices, which shows that it could be conducted by some large organization or a big state. Considering that the attack has been used against protesters and executed by Chinese speaking attackers indicates its first iOS Trojan which has been linked to Chinese government cyber function.

The Xsser code has been written in Chinese which has led Lacoon to believe that the attack could be from sophisticated Chinese attackers. There is one hitch wherein the iOS user should have a jail broken device and Android should have a third party app download enabled

First Fully Advanced Operational Chinese iOS Trojan

The Xsser mRat is important since it is the first and most fully advanced operational Chinese iOS Trojan which is presently found. It can cross border with ease and is probably operated by a Chinese entity to spy on foreign companies, individuals or an entire government.

It infects the users’ devices through WhatsApp depending on their geographical proximity to the site of protests and as per Lacoon, Xsser had send out it first message to the user which states `Check out this Android app designed by Code4HK, group of activist coders, for the coordination of Occupy Central’.

When the download link is clicked by the user, they download an apk file unknowingly which presents them with a list of permission that needs to be approved and finally the user is lead to agree to application updates which on doing so, the application gets updated and activates the hidden features of the mRat

Tuesday, 2 September 2014

25000 Co-opted Linux Servers Drop Malware, Spread Spam and Steal Credentials


Linux Servers
Recently a new report has been released by the security company ESET, Operation Windigo – The vivisection of a large Linux server-side credential stealing malware campaign. This research report was a joint effort by ESET, CERT-Bund, SNIC and CERN.

Over past some years, ESET has recorded around 25,000 malware-infectedservers, which have been significant in various functions like:
  • Spam Operations (averaging 35 million spam messages each and every day )
  • Infecting site visitor’s computer via drive-by exploits.
  • Redirecting the visitors to malicious websites.
The report says about two well-known organisations becoming the victims of Windigo. This ongoing operation was started in 2011, and has affected some high profile servers and companies like cPanel and Linux Foundation’s Kernel.org.

Easier with Single Factor Logins: 

There was a common thread that the Linux servers consisted of, and all were infected with Linux/Ebury. The Linux/Ebury is a malware that provides a root backdoor shell along with an ability to steal SSH credentials. The report also mentioned that there are no vulnerabilities on the Linux servers, which could be exploited, but only stolen credentials were leveraged. Thus in a sense helps explain the compromise made, as Linux servers are, for the most part, bulletproof.

Getting access to the credentials etc: 

The question arose in the minds of the Linux users was that, how the attackers got access the credentials, login and ultimately installing the malware.

A helping hand is offered by Pierre Marc Bureau,a security intelligence bureau named after the program manager of ESET Pierre Marc. They provided the Linux users with the answers that says that it takes to compromise one server in a network, whichmakes it easier there forth. Once the root is obtained by the attackers, they install Linux/Ebury on the compromised server and start to harvest the SSH-login credentials. Along with the additional login credentials, the attackers explore to see what the other servers can be compromised in that particular network.

Additional Malware: 

As mentioned above in this article, the infected servers are part of spam campaigns, they redirect the visitors to the malicious websites, or in case of vulnerable computers, it downloads malwares to the victim’s computer. In order to successfully accomplish this, the attackers install some additional malwares on the servers consisting of:

  • Linux/Cdorked: it provides a backdoor shell and are able to distribute Windows malware to end users via drive-by downloads.
  • Linux/Onimiki: it resolves the domain names with a particular pattern to any IP address, without any need to change further any server-side configuration.
  • Perl/Calfbot: it is a lightweight spam bot written in Perl.
Victims: 

The Windigo Report further adds that there are two types of victims, the Linux/Unix server operators and End-users who receive spam and or visit a website on a compromised server. In that respect, ESET has confirmed that the compromised servers try to download the following Windows Malware:
  • Win32/Boaxxe.G: A click fraud malware.
  • Win32/Glubtela.M: A general proxy that targets Windows computers.

Tuesday, 24 June 2014

How to Avoid Virus and Malware on Android


Android
Common sense is needed in keeping infected apps off the Android device which like any computer system, tends to get affected with malware and virus and Android too can get affected with it. Android has checks and balances which help to keep one safe most of which can be done with ease following the basic steps needed:

If you Don’t know what it is, Don’t Install it 

The first important step is if you don’t know about the app, do not install it. It is advisable to refrain from blindly installing Android application file which one may receive in email or linked to spam mail or even in various forums in the internet. Knowledge of the app is very essential before installation of the same.

Only install from Google Play or Reputed App Stores 

Caution should be exercised while installing app where most of them come in duplication which could be prone to viruses and malware. Apps should be installed from reputed app stores which can be done with safety and comfort. Random download from unreliable stores should be avoided which could save the device from virus and malware.

Uncheck `Install from Unknown Sources’

Android devices by default have access to Google Play ships with a lock which keeps application other than Google store from getting installed. This is one of the safest feature and with this locking system, the user gets a warning whenever an application makes an attempt in the installation from other app stores. Should the user have the inclination of installing an app, disabling the lock can be done by ticking of the `Unknown source’ in the security setting.

Read the Permission 

At the time of installing any app on the Android phone, either from Google Play or any other app stores, the app will declare permission to access to download on the phone and keyboard app need to record the keystrokes. Reputed app developers tend to lit the reasons in their listings of app though users also need to be somewhat vigilant

Most Trusted App Markets –Google Play/Amazon AppStore 

Malware and viruses on Android devices is something which the user should be aware of since they can send unwanted spam to anyone in your contacts in worst situations even rack up charged under the users’ accounts, though this can be easily avoided by making use of the tips mentioned above. Users should also be cautious while Sideloading apps especially of third party app stores.

 Downloading App files from locations besides Google Play Store and then manually installing them is known as Sideloading and is an essential step in accessing to apps which are not available. The recent hit game `Flappy Bird’, which is no longer avails in the Play Store can be manually sideloaded on the smartphones though at the time of installing the game from unknown sources, the user may tend to run the risk of infecting the phone with virus.

One should also a third party app store which promises free games along with other apps which normally come with a price. The most trusted app markets are Google Play and the Amazon AppStore. Installing anti-virus apps could also be helpful as an additional precaution which will occasional scan the device for malicious files, monitor the memory usage and provide alerts on any vulnerability in the system.

Monday, 7 April 2014

Android Oldboot B Malware, a predecessor of Oldboot A

Oldboot B
Android Oldboot B malware has been detected by Chinese researchers from `360 Mobile Security’ and appears from an evolution of its predecessor Oldboot A and as of today, the most complex bootkit which has infected millions of devices. Oldboot B has been considered to be the most sophisticated Android malware detected and has already infected millions of mobile devices.

Its predecessor, Oldboot A was detected in early 2014 by Doctor Web, a Russian security firm and Oldboot A’s principal capability is to infect the Smartphone after reboot irrespective of all its components deleted by the user. Bootkit is a category of malware that can infect the host at start up and is also capable in performing malicious activities which may include data stealing, communicate with a remote C&C server, disk encryption, and remove the application on the victim’s device. Moreover Oldboot B also implements a new type of advanced evasion techniques which can avoid its deletion to principal antivirus software as well automatic analysis systems.

Oldboot silently injecting malicious module 

The ability to silently installing Apps in the background, Oldboot B can also inject malicious modules into critical system process and prevent Apps from uninstalling, disable or uninstall mobile Anti Virus software and modify the browser’s homepage. The Oldboot is a well organized large Trojan family and every member has a clear division of labor which has been written by professional programmers and promoted by some commercial companies which evolves constantly and a new tool is specially used to effectively detect and defend this Bootkit.

Once the user’s Android mobile is infected, the Oldboot B malware waits for the command sent by C&C which is located at az.o65.org – IP 61.160.248.67 and makes use of stegnography to hide data within file exchanged with C&C and installs various malicious applications on the user’s mobile. The Oldboot B malware consisting of four principal components registers itself as services can also ensure the persistence to the malicious code.

Evasion Capabilities – Meaningless code and Random Behavior

The first being boot_tst is the component which is responsible for command reception as well as execution and uses a remote injection technique to introduce an SO file and a JAR file to the `system server’ to process the Android system. The second is adb_server which replaces pm script of the Android system with itself while its main function is to avoid malicious code uninstall.

The third is meta_chk which silently downloads and install Android Apps promoted in the background and is also capable of opening a backdoor for remote control. Besides, the component is also capable of removing itself leaving injected process in the memory by which antivirus software are unable to detect it since they are unable to perform a memory scan in the Android platform. Finally agentsysline runs in the background and receives command from C&C server, the possibility of deleting specific files within its ability, enable/disable network connection as well as uninstall antivirus software.

The most likely evasion capabilities which makes hard the detection of Oldboot B are that it adds some meaningless code and trigger some behavior randomly, checks for availability of SIM card in the device and not perform certain behavior if there is no SIM card, check for existence of antivirus software and probably uninstall the antivirus software before doing anything malicious. The possibility to avoid Oldboot B malware is to download and install app which are from official stores only and avoid unreliable custom ROMs. If a mobile is infected by Oldboot B, the free removing tool designed by antivirus firm 360 Mobile Security can be downloaded.

Wednesday, 7 August 2013

Tor confirmed malicious code that grabbed user identification



The Malicious code was distributed over the web host Freedom Hosting; malicious code actually serves to identify Tor users. This was confirmed by the anonymous project. The malicious code is injected via vulnerability in Firefox. In an analysis of the Tor team has now confirmed that yesterday only came to the knowledge. The malicious code is used for identifying users of the Tor network and the information is sent to a company that works together with the secret. The malicious code targeting to grab used in the Tor Browser Bundle version of Firefox 17.0.6 on Windows. That is now known as the magnetosphere malicious code detected by analysis of the host name and MAC address of the attacked computer and transmits the collected information to the IP address 65.222.202.53, which is hard-coded into the malware. The command-and-control server belongs to the company Science Applications International Corporation, which is close to the FBI and the intelligence community. The IP address belongs to the Autonomous System (AS) the NSA. Mozilla was the weak point in Firefox ESR 17.0.7 and Firefox 22.0 which was later resolved on 25 June 2013. Updated versions of Firefox had been rolled out the next day in the Tor Browser Bundle 2.3.25-10 and 2.4.15-1-alpha, 30 June 2013 and 8 in 3.0alpha2 July 2013 entered into 2.4.15-alpha-1. The vulnerability in the browser is also available in versions for Mac OS X and Linux, but the malware grab apparently only Windows machine, then writes the Tor team in a statement.

It assumes that the attacker has a list of Tor users who use the hidden services of the web host Freedom Hosting. Freedom Hosting uses Tor Hidden Services among others for the provision of anonymous websites. There, among other Web sites with pedophile content provided. In addition, the web hosts connections to reputed Silkroad online drug market. The Tor team, meanwhile, advises users urged to update their Tor Browser Bundle. In addition, users should disable Javascript. In future releases, there will be an easy-to-use interface that allows the use of Javascript can be configured. Since the future also other may be vulnerabilities in Firefox, CSS or SVG are expected to users should also consider using a random MAC address. This is possible, for example, in virtual machines like VirtualBox or VMware. The Tor team also advises to use a firewall to prevent such compounds to command-and-control servers. As an alternative to Windows recommend the Tor makers the live distribution tails. The team also asks for help in the implementation of sandboxes and virtualized solutions for the Tor Browser Bundle.