Latest on Police Ransomware - It Speaks!
From the Trendlabs Security Intelligence Malware Blog:
Yes, it does. And depending on where you are located, it can even speak in your mother tongue.
As discussed in our paper Police Ransomware Update, the people behind police Trojan/Ransomware have implemented improvements to make this threat more effective. Gone are the days when ransomware simply showed a message that users' systems are "captured" and that they have to pay a fee to get them back.
These days, this new breed of ransomware notifies users of the fee (or ransom) under the guise of the victim's local law enforcement agencies. Thus, a user with a ransomware-infected system from France will get a notification from the Gendarmerie Nationale, while a US-based one will likely receive a message from the FBI.
To up the ante, we received a report that a new police Trojan variant even has a "voice". Detected as TROJ_REVETON.HM, it locks the infected system but, instead of just showing a message, it now urges users to pay verbally. The user won't need a translator to understand what the malware is saying: it speaks the language of the country where the victim is located.
[Screenshot: Ransomware Warning Screen]
Continued : http://blog.trendmicro.com/trendlabs-security-intelligence/latest-on-police-ransomware-it-speaks/
Chinese Espionage Attacks Against Ruskies?
Hardly a week goes by without news of a cyber espionage attack emanating from China that is focused on extracting sensitive data from corporations and research centers in the United States. But analysis of a recent malware campaign suggests that Chinese cyberspies may be just as interested in siphoning secrets from Russian targets.
Researchers at Milpitas, Calif. based security firm FireEye say they spotted an email attack of apparent Chinese origin that used Russian language lures to steal data from mostly Russian victims. The email malware campaign embedded a Microsoft Word exploit that displayed a decoy document containing news about a meeting of ASEAN, the Association of Southeast Asian Nations.
According to FireEye's Alex Lanstein, this campaign had its control infrastructure in Korea and Japan, but clues point to Chinese design and operation. The malicious Word document sample that kicked this off was authored from a Microsoft Windows system that was set to use the language pack "Windows Simplified Chinese (PRC, Singapore)". The researchers also say they were able to gain access to the control server used in the attack, which revealed systems logging in from China to check on new victims.
Botnet hidden in the Tor network
The Security Street blog has found a botnet client, the operator of which is hiding behind the Tor network. This trick makes the work of security experts and criminal prosecutors much more difficult. The malicious botnet software, called "Skynet", is a trojan that Security Street found on Usenet. At 15MB, the malware is relatively large and, besides junk files intended to cover up the actual purpose of the download file, includes four different components: a conventional Zeus bot, the Tor client for Windows, the CGMiner bitcoin tool and a copy of OpenCL.dll, which CGMiner needs to crack CPU and GPU hashes.
Claudio Guarnieri and Mark Schloesser write that they recently stumbled on the unusual botnet and, at first, had problems figuring out its origin, although they did notice parallels between Skynet and information posted by GData in September about a similar Tor botnet. An analysis of the client showed that it uses Tor hidden services, which were added to the Tor network to allow the use of internet services without letting their server IP addresses be tracked. This feature of the Tor network can protect whistleblowers, but it can also provide a sanctuary to botnet operators.
Continued : http://www.h-online.com/security/news/item/Botnet-hidden-in-the-Tor-network-1765530.html
Related : Tor network used to command Skynet botnet
Related : Researchers Discover Botnet Powered by TOR
Beware of Bitcoin miner posing as Trend Micro AV
Malware almost always comes in disguise, but some malware peddlers try to do a better job than others.
Trend Micro researchers have recently uncovered a piece of malware that tried to pass itself off as "Trend Micro AntiVirus Plus AntiSpyware": [Screenshot]
Unfortunately for those who get fooled, the software in question is a Trojan that creates the process svchost.exe and downloads additional malicious components such as a Bitcoin miner application created by Ufasoft. This particular application will, unbeknownst to the victim, use the infected system's resources to create Bitcoins for the people behind this scheme.
"This attack is timely because of the news that Bitcoin Central has been approved by the law to function as a bank where exchange from Euro and Bitcoins are now possible," the researchers noted.
It is, therefore, likely that we'll soon see an uptick in Bitcoin-mining malware.
As always, users are advised to avoid downloading software from unknown websites and following links embedded in unsolicited emails.
Team Ghostshell Allegedly Dumps 1.6 M Aerospace, Nanotechnology Records
Hacktivist collective Team Ghostshell is claiming this morning to have spilled 1.6 million accounts from a handful of companies in the aerospace, nanotechnology, banking, law, education and government realm, a hack the group deems Project White Fox.
The group claims White Fox is its "final stand" this year in a lengthy diatribe posted to Pastebin. The post goes on about internet freedom, espionage and trolling before addressing the actual leak.
The leaked information was purportedly taken from the European Space Agency, NASA's Center for Advanced Engineering and Bigelow Aerospace, along with about a dozen other companies. The divulged data appears to be a dump of names, passwords (some hashed, some in plain text), resumes, admin logins, phone numbers and e-mail addresses, among other bits of information.
The group goes on to boast that it also sent a series of e-mails detailing vulnerable servers and general security flaws to the Washington and Seattle divisions of the FBI, ICS-CERT, and the Homeland Security Information Network, to name a few.
Continued : https://threatpost.com/en_us/blogs/team-ghostshell-allegedly-dumps-16-m-aerospace-nanotechnology-records-121012
Related : Team GhostShell leaks 1.6M account details
Related : GhostShell Hackers Leak 1.6 Million Records from over 30 High-Profile Sites
'Jacked Frost' Facebook scam goes wild and doubles over the weekend
From the Websense Security Labs Blog:
Last week we wrote a blog about a specific Facebook scam that appeared to spread rather aggressively. We have decided to nickname the scam "Jacked Frost." The Websense ThreatSeeker network detected that the scam has increased and multiplied over the weekend, particularly on Saturday, when we saw the number of unique URLs related to this scam double. This shows how cyber crooks time their attacks for periods when users are more laid back and the security community is less likely to alert users to this type of threat.
Here is the link to our blog that describes this in more detail. The scam spreads using click-jacking techniques and employs a large number of varied scam hosts by using the infrastructure of the legitimate service at freedns.afraid.org.
A graph showing the volume of unique scam URLs vs. active URLs (available URLs) over the past few days: [Screenshot]
Screenshot of the scam's main page: [Screenshot]
Continued : http://community.websense.com/blogs/securitylabs/archive/2012/12/10/jackfrost-facebook-scam-going-wild-and-doubles-over-the-weekend.aspx
Only 15% of known malware caught by Android 4.2's verifier
One of the enhancements in Android 4.2 was a new app verification service that tested applications being installed against a Google service in the cloud to see whether the app was known to contain malware or not. If the results of Xuxian Jiang's research are correct, Google will need to do a lot more work on the feature to make it useful, as only 15 per cent of the known malware samples tested on the service were detected.
Jiang, an associate professor at NC State University, took Nexus 10 tablets running Android 4.2 and, using semi-automated installations, loaded 1260 malware samples from the Android Malware Genome Project onto the devices. Of the 1260 samples, only 193 were detected as malware. The researcher also performed a test comparing Google's verification against a range of ten different existing anti-virus applications through VirusTotal, looking at randomly selected malware samples from each malware family. The anti-virus applications run by VirusTotal ranged in efficacy from 100% to 51%, but the Android app verification system scored only 20.4%. VirusTotal was acquired by Google in September 2012.
Complaint from BBB really contains malware attack
The Better Business Bureau (BBB) is well known in North America for championing consumer rights, so if you run a company in the United States or Canada and receive a complaint from the organisation chances are that you will want to take it seriously.
Which is precisely what the cybercriminals behind the latest malware attack being spammed around the world are banking on.
Email messages have been sent to addresses around the world, posing as a communication from the BBB.
Here's a typical example: [Screenshot]
Here is the full text of the message:
Continued : http://nakedsecurity.sophos.com/2012/12/10/better-business-bureau-malware/
Aramco Says Cyberattack Was Aimed at Production
Saudi Arabia's national oil company, Aramco, said on Sunday that a cyberattack against it in August that damaged some 30,000 computers was aimed at stopping oil and gas production in Saudi Arabia, the biggest exporter in the Organization of the Petroleum Exporting Countries.
The attack on Saudi Aramco — which supplies a tenth of the world's oil — failed to disrupt production, but was one of the most destructive hacker strikes against a single business.
"The main target in this attack was to stop the flow of oil and gas to local and international markets and thank God they were not able to achieve their goals," Abdullah al-Saadan, Aramco's vice president for corporate planning, said on Al Ekhbariya television. It was Aramco's first comments on the apparent aim of the attack.
Hackers from a group called Cutting Sword of Justice claimed responsibility for the attack, saying that their motives were political and that the virus gave them access to documents from Aramco's computers, which they threatened to release. No documents have yet been published.
Continued : http://www.nytimes.com/2012/12/10/business/global/saudi-aramco-says-hackers-took-aim-at-its-production.html
Related : Saudi Aramco: Insiders Didn't Help Hackers Breach Our Systems
Related : Saudi Aramco: Foreign hackers tried to cork our gas output
John McAfee: Let me go to the USA - or old Blighty
Former anti-virus mogul turned fugitive John McAfee has appealed to be allowed to return to the United States rather than being deported from Guatemala to Belize.
Authorities in Belize want to question McAfee as a person of interest in the murder of his neighbour, Gregory Faull. McAfee went into hiding with his 20-year-old girlfriend Samantha following the start of investigations into Faull's murder on 11 November.
McAfee became the target of a bizarre and highly publicised manhunt over the subsequent three weeks before finally surfacing in neighbouring Guatemala, where he was arrested for illegal entry to the country. McAfee's location just before his arrest was spilled by the metadata embedded in a photo published by the online lifestyle mag Vice. Reporters from Vice were travelling with McAfee around the time he crossed the border into Guatemala.
His arrest last week failed to dampen McAfee's spirits. He was given access to a computer and an internet connection, allowing him to update followers of his blog (which he started on the run) with his assessments that the local jails were better than those in Belize and that the coffee was "excellent". McAfee requested asylum in Guatemala, but the request was turned down by Guatemala's foreign minister; a judge, however, granted a stay of execution against deportation. McAfee was subsequently rushed to hospital with what at first appeared to be a minor heart attack. It turned out that the 67-year-old had lost consciousness through dehydration and ill-advised chain smoking, fallen against a wall and injured himself further.
Continued : http://www.theregister.co.uk/2012/12/10/john_mcafee_bizarre_press_conference/
Related : John McAfee Hosts Press Conference from Guatemala - Video
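The location leak in the McAfee story came from metadata embedded in a published photo. The script below is an added example, not code from the Register article or from anyone in this thread: it parses the GPS sub-IFD of a JPEG's Exif APP1 segment, converts the degrees/minutes/seconds rationals to decimal coordinates, and strips the APP1 segment so the file can be published safely. The sample JPEG is constructed in-process (SOI, one Exif segment, EOI, no image data) and its coordinates are arbitrary test values, not those of the Vice photo.

```python
import struct

# Added example: read and strip the GPS position an Exif-tagged JPEG carries.
# The sample image is constructed below; its coordinates are arbitrary.

GPS_IFD_POINTER = 0x8825        # Exif tag in IFD0 that points at the GPS sub-IFD
GPS_TAGS = {1: "lat_ref", 2: "lat", 3: "lon_ref", 4: "lon"}
EXIF_MAGIC = b"Exif\x00\x00"


def _dms_rationals(deg):
    """Split a decimal degree value into Exif-style (deg, min, sec/100) rationals."""
    d = int(deg)
    m = int((deg - d) * 60)
    s = round(((deg - d) * 60 - m) * 60 * 100)
    return [(d, 1), (m, 1), (s, 100)]


def build_exif_jpeg(lat, lon):
    """Constructed sample: minimal JPEG (SOI, APP1/Exif, EOI) whose GPS IFD holds lat/lon."""
    lat_ref = (b"N" if lat >= 0 else b"S").ljust(4, b"\0")
    lon_ref = (b"E" if lon >= 0 else b"W").ljust(4, b"\0")
    ifd0 = 8                                  # IFD0 follows the 8-byte TIFF header
    gps_ifd = ifd0 + 2 + 12 * 1 + 4           # IFD0 holds one entry: the GPS pointer
    lat_data = gps_ifd + 2 + 12 * 4 + 4       # four GPS entries; rationals stored after them
    lon_data = lat_data + 3 * 8
    tiff = b"II*\x00" + struct.pack("<I", ifd0)                      # little-endian TIFF header
    tiff += struct.pack("<H", 1)
    tiff += struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, gps_ifd)     # type 4 = LONG
    tiff += struct.pack("<I", 0)                                     # no IFD1
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI", 1, 2, 2) + lat_ref                   # type 2 = ASCII, inline
    tiff += struct.pack("<HHII", 2, 5, 3, lat_data)                  # type 5 = RATIONAL x3, by offset
    tiff += struct.pack("<HHI", 3, 2, 2) + lon_ref
    tiff += struct.pack("<HHII", 4, 5, 3, lon_data)
    tiff += struct.pack("<I", 0)
    for num, den in _dms_rationals(abs(lat)) + _dms_rationals(abs(lon)):
        tiff += struct.pack("<II", num, den)
    app1 = EXIF_MAGIC + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _segments(jpeg):
    """Yield (marker, raw segment bytes) for each header segment after SOI.
    SOS (0xDA) and EOI (0xD9) are returned with everything to end of file."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    i = 2
    while i + 2 <= len(jpeg):
        if jpeg[i] != 0xFF:
            raise ValueError("corrupt segment marker at offset %d" % i)
        marker = jpeg[i + 1]
        if marker in (0xD9, 0xDA):
            yield marker, jpeg[i:]
            return
        length = struct.unpack_from(">H", jpeg, i + 2)[0]   # length includes its own 2 bytes
        yield marker, jpeg[i:i + 2 + length]
        i += 2 + length


def _is_exif(marker, seg):
    return marker == 0xE1 and seg[4:10] == EXIF_MAGIC       # payload starts after marker+length


def _parse_tiff_gps(tiff):
    end = "<" if tiff[:2] == b"II" else ">"                  # byte order from TIFF header
    u16 = lambda o: struct.unpack_from(end + "H", tiff, o)[0]
    u32 = lambda o: struct.unpack_from(end + "I", tiff, o)[0]

    def entries(ifd_off):
        for k in range(u16(ifd_off)):
            e = ifd_off + 2 + 12 * k
            yield u16(e), u16(e + 2), u32(e + 4), e + 8     # tag, type, count, value-field offset

    gps_ifd = next((u32(v) for tag, _, _, v in entries(u32(4)) if tag == GPS_IFD_POINTER), None)
    if gps_ifd is None:
        return None
    fields = {}
    for tag, typ, cnt, vpos in entries(gps_ifd):
        if tag not in GPS_TAGS:
            continue
        if typ == 2:                                         # ASCII: inline if <= 4 bytes, else by offset
            start = vpos if cnt <= 4 else u32(vpos)
            fields[tag] = tiff[start:start + cnt].rstrip(b"\0").decode("ascii")
        elif typ == 5:                                       # RATIONAL: pairs of uint32 at offset
            off = u32(vpos)
            parts = [struct.unpack_from(end + "II", tiff, off + 8 * j) for j in range(cnt)]
            fields[tag] = sum((n / d) / 60 ** j for j, (n, d) in enumerate(parts))  # D + M/60 + S/3600
    if not all(t in fields for t in (1, 2, 3, 4)):
        return None
    lat = fields[2] * (-1 if fields[1] == "S" else 1)
    lon = fields[4] * (-1 if fields[3] == "W" else 1)
    return round(lat, 5), round(lon, 5)


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees if the JPEG's Exif carries a GPS fix, else None."""
    for marker, seg in _segments(jpeg):
        if _is_exif(marker, seg):
            return _parse_tiff_gps(seg[10:])
    return None


def strip_exif(jpeg):
    """Drop every APP1/Exif segment; all other segments and image data are kept byte-for-byte."""
    return b"\xff\xd8" + b"".join(seg for m, seg in _segments(jpeg) if not _is_exif(m, seg))


if __name__ == "__main__":
    sample = build_exif_jpeg(37.422, -122.0841)              # constructed test coordinates
    print("embedded position:", extract_gps(sample))
    print("after stripping:", extract_gps(strip_exif(sample)))
```

Stripping the whole APP1 segment also removes the camera model, timestamps and thumbnail that Exif carries; when only the position must go, the GPS IFD pointer entry can be zeroed instead, but dropping the segment is the safer default before publishing.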