NEWS - August 16, 2012

Aug 16, 2012 2:05AM PDT
Ecuador Grants Assange's Request for Asylum, Defying UK Threats

The Ecuadorean government announced Thursday that it will grant WikiLeaks founder Julian Assange asylum, defying threats from the UK government that authorities would forcibly seize Assange from the embassy if Ecuador granted Assange's request.

"We have decided to grant asylum to Julian Assange," announced Ecuadorean Foreign Minister Ricardo Patino at a press conference in Quito, to the sound of cheers from spectators.

"The UK government should respect the decision of the Ecuadorian government," he said according to a live translation of his Spanish words, "and offer the necessary warranties so that both governments can act adequately and properly representing the international rights and the right of asylum. We also trust that the excellent relations that we have between the two countries will continue to be so and will remain intact, based on the principles and values that we have shared about democracy, peace, and life-quality that are only possible if you respect the fundamental rights of everyone."

Continued : http://www.wired.com/threatlevel/2012/08/ecuador-grants-assanges-asylum/

Also:
WikiLeaks' Assange granted asylum in Ecuador
Julian Assange Gets Ecuador Asylum, But Standoff Continues
Ecuador Says U.K. is Willing to Start International Incident Over WikiLeaks' Assange

BKA trojan goes on an international holiday
Aug 16, 2012 2:44AM PDT

The family of malware known as the BKA trojan has increasingly established an international presence. In Germany, where the malware is also known as the Ukash or Paysafe trojan after its preferred methods of payment, the ransomware blocks a user's computer with a message purporting to be from the Federal Police and demands a payment to unlock it again. Variants in the UK have been rebranding essentially the same threat with the logo of the Metropolitan Police. Now the trojan has surfaced in the US, pretending to be a message from the FBI, and in Portugal with fake branding of the Policia de Seguranca Publica Portuguesa.

The French web site botnets.fr has collected screenshots (French language link) of the different versions of the malware, which it calls Reveton. The FBI has also issued a warning about the threat, saying that the government's Internet Crime Complaint Center (IC3) has received a large number of complaints about the malware. According to the FBI, many victims actually pay up and only call for help when the trojan does not unlock their computer.

Continued : http://www.h-online.com/security/news/item/BKA-trojan-goes-on-an-international-holiday-1668547.html

Related:
Online Scammers Using 'FBI message' to Demand Money
FBI Warns Users of New 'Reveton' Scareware Scam

See: Inside a 'Reveton' Ransomware Operation

Phishing the 1% - keylogger spam aims at hedge funds
Aug 16, 2012 2:44AM PDT

From BarracudaLab Internet Security Blog:

If you were in the business of distributing malware that steals computer credentials, wouldn't you want to get your payload installed on the computers of people with money - LOTS of money? Barracuda Labs recently detected a spam campaign that tries to do just that by targeting hedge fund managers.

The pitch is in a short and simple spam that offers advice about carried interest fees. [Screenshot]

Carried interest is a topic of particular interest to hedge and private equity funds. It is an accounting mechanism used to return income to funds and its tax status has been the subject of some debate. For this reason, any email purporting to have information about carried interest fees is likely to raise the curiosity of financial professionals. Spammers rely on that curiosity to get their malware installed.

Opening and running the attachment (never run attachments!) loads and displays a PDF file which is actually relevant. [Screenshot]

Continued : http://www.barracudalabs.com/wordpress/index.php/2012/08/14/phishing-the-1-keylogger-spam-aims-at-hedge-funds

Tracking Email Malware Trojan.MyAgent
Aug 16, 2012 2:44AM PDT

From the FireEye Malware Intelligence Lab Blog:

At FireEye we have been tracking a particular piece of malware we call Trojan.MyAgent for some time now. The malware is currently using email as its primary vector of propagation. From looking at the data in the FireEye Malware Protection Cloud (MPC), we can see that the malware is currently targeting the following industries:

• Defense
• Chemicals
• Technology
• Aerospace

We have seen different versions of this malware arriving as an exe inside a zipped file or as a PDF attachment. In this particular sample, the exe once executed opens up a PDF file called "Health Insurance and Welfare Policy." In addition to opening up a PDF file, the initial exe also drops another executable called ABODE32.exe (notice the typo) in the temp directory. Both the dropper and the dropped executables have decent detection on VirusTotal (VT). Here are the detection links to both the binaries.

https://www.virustotal.com/file/dc79b2943ad797e39ea3830ada7dc33051b5c8c048653ed61e1ebdb8a0098f7d/analysis/ - Dropped (ABODE32.exe)

https://www.virustotal.com/file/d4d2814fbe94baca085392e44a5340370cf66738addb3f27860a2b539b148b41/analysis/ - Dropper

This is the PDF document that the executable opens: [Screenshot]

Continued : http://blog.fireeye.com/research/2012/08/email-malware-trojan-myagent.html

Study: 7 of 13 Top Rated Antivirus Fail Against HTTPS Exploits
Aug 16, 2012 2:44AM PDT

You don't hear about Texas-based NSS Labs as much as you do about such companies as AV-Test.org and AV-Comparatives.org. That isn't because the researchers aren't busy; it's because the vast majority of their research is commissioned by large companies for internal use.

From time to time they release findings to the public, notably their studies on how well browsers block Web malware. NSS researchers have a major test of consumer endpoint security in the works. In preparation for that, they've just released a mini-test that evaluates how well popular security suites handle Web-based exploits. The results will surprise you.

Exploits are attacks that attempt to gain control of victim systems through unpatched vulnerabilities in the operating system, the browser, or popular third-party applications. For this mini-test, the researchers started with two Microsoft vulnerabilities that were patched in June and July of 2012. Users who didn't apply those patches would be vulnerable.

Continued : http://securitywatch.pcmag.com/none/301478-study-7-of-13-top-rated-antivirus-fail-against-https-exploits

World's largest oil company Saudi Aramco hit by malware
Aug 16, 2012 4:27AM PDT

Saudi Aramco, the national oil company of Saudi Arabia, reported a serious security breach which may have caused major disruptions in their network. A piece of malware caused a large infection within their network - the consequences are still unknown.

The company stated the following on their official Facebook page:

On Wednesday, Aug. 15, 2012, an official at Saudi Aramco confirmed that the company has isolated all its electronic systems from outside access as an early precautionary measure that was taken following a sudden disruption that affected some of the sectors of its electronic network.

The disruption was suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network. Saudi Aramco confirmed the integrity of its electronic network that manages its core business and that the interruption has had no impact whatsoever on any of the company's production operations.

The company employs a series of precautionary procedures and multiple redundant systems within its advanced and complex system that are used to protect its operational and database systems.


According to some unconfirmed reports via Twitter and Pastebin, the situation is much more serious.

Continued : http://www.net-security.org/malware_news.php?id=2228

Yahoo Is Deleting Inactive Accounts to Create Space for Fresh Users, Phishing Alert
Aug 16, 2012 4:27AM PDT

It seems that Yahoo! accounts are still valuable for cybercriminals, otherwise they probably wouldn't bother sending out fake emails that attempt to lure recipients to fake login webpages.

Two new variants have been submitted by users to millersmiles.co.uk. The first one involves the old "Yahoo! will delete your account" scheme:

'Dear Yahoo! Email User,

Due to excess abandoned Yahoo! e-mail account, Yahoo! Help Desk is currently
carrying out system clean up to delete inactive accounts, inother to create space for fresh users.

To verify that your Yahoo e-mail account is active, you are required to click on the link below or copy and paste in a new web page, then complete the form available for this process.

Failure to do this will result in account termination.
'

The so-called verification link leads to a webpage hosted on the compromised blog of a user from Malaysia. The cleverly crafted HTML file replicates the Yahoo! Mail login page in hopes that victims will fail to look at the site's URL and enter their usernames and passwords without giving it too much thought.

The second malicious email is much simpler. It pretends to come from "Yahoo Admin" and it only reads "Click here to update your account."

Continued : http://news.softpedia.com/news/Yahoo-Is-Deleting-Inactive-Accounts-to-Create-Space-for-Fresh-Users-Phishing-Alert-286729.shtml

US telecoms giant AT&T hit by DDoS attack
Aug 16, 2012 5:57AM PDT

A distributed denial-of-service attack aimed at AT&T's DNS (Domain Name System) servers has disrupted data traffic for some of the company's customers.

The attack began Wednesday morning West Coast time and, eight hours later, did not appear to have been mitigated.

"Due to a distributed denial of service attack attempting to flood our Domain Name System servers in two locations, some AT&T business customers are experiencing intermittent disruptions in service," an AT&T spokesman told IDG News Service by email. "Restoration efforts are underway and we apologize for any inconvenience to our customers."

The attack appears to have affected enterprise customers using AT&T's managed services DNS product.

"Our highest level of technical support personnel have been engaged and are working to mitigate the issue," AT&T said in a message on a service status page.

But it added there is "no estimated time" for restoring the service.

Continued : http://news.techworld.com/security/3376313/us-telecoms-giant-att-hit-by-ddos-attack/