FBI could be shutting down 13800 UK internet connections
Early Monday morning, as previously announced, the FBI turned off the DNS server which has been handling the requests from machines that were compromised by DNSChanger. Around 13,800 users with unique UK IP addresses have been accessing the server, according to an anonymously published excerpt from the logfiles that suggests the information is accurate up to last Saturday. On that day there were still requests coming from some 250,000 different IP addresses in total.
It can be assumed that little has changed since the numbers were gathered. The first six months since the defeat of the DNSChanger botnets saw around a third of the originally affected systems being disinfected. In Germany, users were warned by their internet providers that they were infected, while globally, Google has been displaying a warning to users they detected as being infected.
If a user finds that they have apparently been suddenly disconnected from the internet, then the easiest way to recover is to set the affected system to use Google's DNS service on 126.96.36.199. DNSChanger was able, according to F-Secure, to modify DNS settings on Windows and Mac OS X computers and on D-Link, LinkSys, A-Link, Netgear, ASUS and SMC routers.
Continued : http://www.h-online.com/security/news/item/FBI-could-be-shutting-down-13800-UK-internet-connections-1635055.html
DarkComet RAT - It is the END!
From the Symantec Security Response Blog:
The official website of DarkComet remote administration tool (RAT), detected by Symantec as Backdoor.Breut, has published a statement, as shown below, explaining that the project has come to an end. The DarkComet RAT grabbed news headlines this year when it was used in the Syrian conflict to spy on regime supporters. The decision of the author to end the project comes on the heels of the apparent arrest of the Blackshades RAT project author, another similar remote administration tool that has also been used for nefarious purposes.
The DarkComet RAT statement clearly outlines that the reason for the author deciding to now end this project is the misuse of the free tool and the law deeming the author to be partly responsible for this misuse. While in the past authors of such tools believed that they were immune from prosecution by claiming that they were educational tools, arrests, starting with the alleged author of the infamous Mariposa botnet, have begun to wake up authors of such tools to the possibility that they could be breaking the law. These arrests are sending a message to the authors of such tools that they are not above the law and could face prosecution for their actions. The recent arrest of the Blackshades RAT project author and the end of this project may yet have further reverberations leading to the closure of other similar projects. Time will tell but any similar closures due to the risk of prosecution must be seen as a step in the right direction in combating the risk posed by such freely available tools. [Screenshot]
DarkComet RAT Flames Out
DarkComet RAT Author Terminates Project Because of the Misuse of the Tool
ENISA recommends "assume all PCs are infected"
The European Network and Information Security Agency (ENISA) recommends that banks assume that their customers' computers are infected with online banking trojans such as ZeuS. The recommendation comes as part of an analysis of the recent targeted "High Roller" cyber-attacks and specifically refers to the frequently cited ZeuS Tracker statistics page, which suggests that anti-virus programs only detect about 40% of ZeuS trojans.
ENISA has even included special "secure online banking devices" in its recommendation. Many of these systems work on the assumption that the customer's PC is not infected, said the agency, adding that, "Given the current state of PC security, this assumption is dangerous." ENISA explained that a basic two-factor authentication system does not prevent man-in-the-middle or man-in-the-browser attacks on transactions and recommended: "Therefore, it is important to cross-check with the user the value and destination of certain transactions, via a trusted channel, on a trusted device." According to the agency, such a trusted channel can be established using stand-alone smartcard readers with their own display or even mobile phones and smartphones.
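The cross-check ENISA describes only works if the code the customer types is tied to the value and destination the bank actually holds, and if those details are shown to the customer over a channel the PC cannot alter. The following is an added illustration, not ENISA's text or any bank's protocol: a confirmation code computed as an HMAC over amount, destination and a nonce, displayed on a trusted device, with a simulated man-in-the-browser that rewrites the transfer before it reaches the bank. The device secret, account strings and amounts are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Added example, not ENISA's or any bank's code: a confirmation code that is
# computed over the transaction's value and destination and shown on a trusted
# device, so the customer can cross-check what the bank is about to execute.
# The shared device secret and the account strings are constructed placeholders.


@dataclass(frozen=True)
class Transfer:
    amount_cents: int
    destination: str


def confirmation_code(device_secret: bytes, transfer: Transfer, nonce: bytes) -> str:
    """6-digit code bound to amount, destination and a per-request nonce."""
    msg = f"{transfer.amount_cents}|{transfer.destination}|".encode() + nonce
    digest = hmac.new(device_secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class Bank:
    """Bank side: records the transfer it received and verifies the typed code against it."""

    def __init__(self, device_secret: bytes):
        self._secret = device_secret
        self._pending = {}  # request id -> (transfer as received by the bank, nonce)

    def request_transfer(self, transfer: Transfer):
        req_id = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        self._pending[req_id] = (transfer, nonce)
        return req_id, nonce

    def confirm(self, req_id: str, typed_code: str) -> bool:
        transfer, nonce = self._pending.pop(req_id)
        expected = confirmation_code(self._secret, transfer, nonce)
        return hmac.compare_digest(expected, typed_code)


def trusted_device(device_secret: bytes, transfer: Transfer, nonce: bytes):
    """Trusted channel: the device shows the details the bank holds and the code for exactly those."""
    return transfer, confirmation_code(device_secret, transfer, nonce)


def simulate(mitb_rewrite: Optional[Transfer], user_checks_display: bool) -> Optional[Transfer]:
    """Return the transfer the bank executes, or None if the customer refuses to confirm."""
    secret = b"constructed-device-secret"
    bank = Bank(secret)
    intended = Transfer(5_000, "ACCT-INTENDED")   # what the customer typed into the browser
    submitted = mitb_rewrite or intended         # what a man-in-the-browser actually sends
    req_id, nonce = bank.request_transfer(submitted)
    shown, code = trusted_device(secret, submitted, nonce)
    if user_checks_display and shown != intended:
        return None                              # mismatch spotted on the trusted device
    # The browser (and any malware in it) just forwards whatever the customer types.
    return submitted if bank.confirm(req_id, code) else None


if __name__ == "__main__":
    mule = Transfer(900_000, "ACCT-MULE")
    print("honest browser       :", simulate(None, True))
    print("MitB, user checks    :", simulate(mule, True))
    print("MitB, user just types:", simulate(mule, False))
```

The third case is the one ENISA warns about: if the customer types the code without comparing the displayed value and destination with what they intended, a transaction-bound code protects nothing, because the device faithfully signed the rewritten transfer. A code that is independent of the transaction (a plain one-time password) gives the customer nothing to compare at all.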
ENISA: High Roller Online Bank Robberies Reveal Security Gap
Many online banking systems dangerously rely on PCs being secure, but banks should instead presume customer PCs are infected, says the EU's cyber security agency ENISA in response to the reports about the "High Roller" cyber-attack.
The recent, targeted "High Roller" cyber-attacks on wealthy corporate bank accounts yielding tens of millions of dollars was analysed in a report recently published by McAfee and Guardian Analytics. The report describes the technical details and the impact of a series of cyber-attacks.
The old adage that "criminals go where the money is" today means that "bank robbers go online", as the Executive Director of ENISA, Professor Udo Helmbrecht, states. It should come as no surprise that large organized crime groups are targeting online banking sites. Still, the attacks drew much attention, for three reasons:
1) Highly automated: The attackers reduced manual intervention to a minimum, relying mostly on automation. The attacks were also fast and easily missed by the user.
3) Targeted: Only PCs from users with corresponding high balances were targeted (e.g. around 5000 PCs in the Netherlands).
The cyber-attacks had three phases. First, targets were identified using online reconnaissance and (spear) phishing. Victims with access to high balance accounts (hence the name "High Rollers") were singled out. Secondly, malware (SpyEye, Zeus and Ice 9) was loaded onto the victim's PC - tailor customised for the victim's online banking websites.
Continued : http://www.infosecisland.com/blogview/21848-ENISA-High-Roller-Online-Bank-Robberies-Reveal-Security-Gaps-.html
Fake anti-piracy warnings hitting UK users w/ money requests
Much has been said and written about the UK's Digital Economy Act, but most Internet users still know just one thing about it: that it will eventually end with ISPs sending out notifications to Internet pirates, who will be forced to stop their illegal activities or suffer consequences.
This email campaign started only days after Ofcom - the regulator and competition authority for the UK communications industries - released its revised Initial Obligations Code proposal, which details how the aforementioned notification system is going to work.
Even though Ofcom stated that it expects the first notification letters to be sent in early 2014, online scammers bet on the fact that not many users keep close tabs on the situation and took it upon themselves to impersonate the enforcers of said act by sending out emails accusing the recipients of pirating various content and trying to make them pay a non-existent penalty: [Screenshot]
Continued : http://www.net-security.org/secworld.php?id=13212
Android Trojan leaves 100,000 users out of pocket
"MMarketPay buys content from China Mobile's app store"
Security researchers are warning of yet another Android malware outbreak which has spread to nine app stores and infected 100,000 with code designed to covertly purchase apps and content from China Mobile's Mobile Market.
Mobile security firm TrustGo explained that the MMarketPay.A Trojan could be hidden in a number of legitimate-looking applications, including those from Sina and media streaming company Funinhand, as well as travel and weather apps.
The malware has already been placed in nine different third party Android app markets in China, infecting over 100,000, the firm said.
Once downloaded, the Trojan will automatically place orders for paid content and apps at China Mobile's official Mobile Market online store without informing the user.
It is able to intercept China Mobile's verification SMS and post the code to the Mobile Market web site in order to complete the purchase, said TrustGo.
Continued : http://www.theregister.co.uk/2012/07/09/android_trustgo_china_mobile/
New Android virus 'MMarketPay.A' found on 100,000 Chinese smartphones and in 9 app stores
New Android Trojan secretly buys apps
Chinese Android trojan buys applications
Malware spammed out as report for "tomorrow's meeting"
Have you received an email telling you not to forget to bring a report to a meeting being held tomorrow?
Be on your guard.
SophosLabs is intercepting a malware campaign that has been widely spammed out across the internet, using just such a disguise.
Attached to the emails, which have a subject line of "Don't forget about a meeting tomorrow", is a file called Report.zip, which harbours the malware.
Here's what a typical email looks like: [Screenshot: Malicious meeting email]
Interestingly, the spelling of the email's message body can vary - presumably this was done in an attempt to avoid rudimentary email filters which might attempt to block messages.
Here are some of the variations we've seen:
Don't forget this report for meeting tomrorow.
See attached file.
Don't forget this report for meteing tmoorrow.
See attached file.
Don't forget this report for meeting toomrrow.
See attached file.
Don't forget this report for meeitng tomrorow.
See attached file.
Recipients might think the typos are the result of someone writing too quickly, or fumbling on their BlackBerry, rather than an attempt to bypass a company's email gateway protection.
Continued : http://nakedsecurity.sophos.com/2012/07/09/malware-tomorrow-meeting/
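The variations above differ from the lure only by transposed letters, and a transposition leaves the set of letters in each word unchanged. A gateway rule that reduces every word to its sorted letters therefore catches all four variants with one exact comparison. The following is an added example, not SophosLabs' detection logic; the sample messages are constructed from the four bodies quoted in the post plus one benign reminder.

```python
import re

# Added example, not SophosLabs' detection logic: the lure text in this campaign
# varies only by transposed letters, and a transposition keeps the multiset of
# letters in each word. Reducing every word to its sorted letters therefore
# maps all the variants onto one key that can be matched exactly.

LURE = "Don't forget this report for meeting tomorrow"


def word_key(word: str) -> str:
    """Canonical key for a word: its letters sorted ("tomrorow" -> "mooorrtw", same as "tomorrow")."""
    return "".join(sorted(word))


def tokens(text: str):
    return re.findall(r"[a-z']+", text.lower())


def contains_lure(body: str, lure: str = LURE) -> bool:
    """True if the lure's word keys appear, in order, somewhere in the body."""
    keys = [word_key(w) for w in tokens(body)]
    target = [word_key(w) for w in tokens(lure)]
    n = len(target)
    return any(keys[i:i + n] == target for i in range(len(keys) - n + 1))


def flag_message(subject: str, body: str, attachment: str):
    """Return the indicators found; an empty list means nothing matched."""
    reasons = []
    if subject.strip().lower() == "don't forget about a meeting tomorrow":
        reasons.append("subject matches campaign")
    if contains_lure(body):
        reasons.append("body is a transposition variant of the lure")
    if attachment.lower() == "report.zip":
        reasons.append("attachment named Report.zip")
    return reasons


# Constructed sample messages: the four variants quoted in the post plus one benign reminder.
SAMPLES = [
    ("Don't forget about a meeting tomorrow",
     "Don't forget this report for meeting tomrorow.\nSee attached file.", "Report.zip"),
    ("Don't forget about a meeting tomorrow",
     "Don't forget this report for meteing tmoorrow.\nSee attached file.", "Report.zip"),
    ("Don't forget about a meeting tomorrow",
     "Don't forget this report for meeting toomrrow.\nSee attached file.", "Report.zip"),
    ("Don't forget about a meeting tomorrow",
     "Don't forget this report for meeitng tomrorow.\nSee attached file.", "Report.zip"),
    ("Q3 figures",
     "Don't forget the report for tomorrow's meeting, thanks.", "q3-figures.xlsx"),
]


def flagged_count(samples=SAMPLES, min_indicators: int = 2) -> int:
    """Number of samples that show at least min_indicators of the three indicators."""
    return sum(1 for s in samples if len(flag_message(*s)) >= min_indicators)


if __name__ == "__main__":
    for subject, body, attachment in SAMPLES:
        print(repr(body.splitlines()[0]), "->", flag_message(subject, body, attachment) or "clean")
    print("flagged:", flagged_count())
```

Requiring two indicators (lure text plus the attachment name, or plus the subject) keeps a genuine "don't forget the report" reminder from being quarantined; the sorted-letter key alone would also match a colleague who simply mistyped the phrase. The key does not cover substituted or dropped letters, so a gateway that wants to catch those needs an edit-distance comparison as well.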
Facebook to Target Ads Based on App Usage
Facebook Inc. is launching a new type of mobile advertising that targets consumers based on the apps they use, pushing the limits of how companies track what people do on their phones.
The social network is tracking the apps that people use through its popular Facebook Connect feature, which lets users log into millions of websites and apps as varied as Amazon.com, LinkedIn and Yelp with their Facebook identity. The company then targets ads based on that data, said people familiar with the company's plans.
Facebook may also track what people do on the apps, though it hasn't made a final decision, said one of the people.
The new ads could stoke privacy concerns because they let Facebook go a step further than mobile-ad networks, which track what ads people have clicked on through a phone's Web browser. Those networks aren't aware of all the apps that a user has on their phone.
Continued : http://online.wsj.com/article/SB10001424052702304141204577510951953200634.html
Facebook Will Target Ads Based On The Apps On Your Phone—Here's Today's Ad Brief
Facebook to target ads based on what mobile apps we use
How to Break Into Security, Grossman Edition
I recently began publishing a series of advice columns for people who are interested in learning more about security as a craft or profession. For the third installment in this series, I interviewed Jeremiah Grossman, chief technology officer of WhiteHat Security, a Web application security firm.
A frequent speaker on a broad range of security topics, Grossman stressed the importance of coding, networking, and getting your hands dirty (in a clean way, of course).
BK: How did you get started in computer security?
Grossman: For me it was...I could hack stuff and I did it in my spare time and someone offered me a job — which was Yahoo. But before that, I was just a UNIX admin. I was thinking about this question a lot, and what occurred to me is that I don't know too many people in infosec who chose infosec as a career. Most of the people who I know in this field didn't go to college to be infosec pros, it just kind of happened. They followed opportunity.
BK: You might have seen that the last two experts I asked had somewhat different opinions on this question, but how important is it that someone interested in this field know how to code?
Continued : https://krebsonsecurity.com/2012/07/how-to-break-into-security-grossman-edition/
July 4th fireworks fiasco in San Diego? Computer virus... gets the blame
As local media reported, hundreds of thousands of people gathered at San Diego Bay on July 4th to see what should have been one of America's biggest Independence Day firework spectacles.
But a computer malfunction meant that the planned 17-minute fireworks display was condensed into a 15-second firestorm.
Confused spectators waited for what they believed was going to be the rest of the show, but were told that the event was cancelled and sent home disappointed.
There are numerous videos of the "Big Bay Boom" event on YouTube, but this is my favourite because of one audience member's reaction at the end of the clip.
Some of the media reports have claimed that a virus was responsible for thousands of fireworks on four barges being fired at the same time. [Screenshot]
Continued : http://nakedsecurity.sophos.com/2012/07/09/firework-fiasco-virus-blamed/
Not Your Normal Skype Download
From the F-Secure Antivirus Research Weblog:
We recently stumbled upon a website that supposedly provides the application Skype for Android devices.
When visiting the website using an Android device, it shows an APK file (skype52_installer.apk) for download: [Screenshot]
However, accessing the website using an iOS device yields the screenshot below:
The new application is being verified and deployed: skype.ipa
Afterwards, it informs the user that the installation is "complete":
The new application skype is ready to install!
Enter your phone number to protect against illegal usage of this application, and follow instructions in a SMS message.
At this point, there is still no new application installed on the device. As expected, even after entering a number, nothing happens.
A free SMS message with confirmation request has been sent to you.
If visited using any other devices except for Android or iOS, it prompts for a JAR file (skype52_installer.jar):
Spring Cleaning for Your Security Toolbox
You have too much stuff. Those old clothes you can't bear to part with. How many t-shirts from tech conferences do you really need?
The stacks of magazines you are going to read "someday." Toys for the kids, half-way completed projects, and dozens of other things make your life unorganized, and more difficult to manage.
The exact same problem infests many of our security programs. Every time we add a new technology, be it installed in production, or as a proof of concept, we make our operating environment more complex.
Say it with me now... Complexity is the enemy of security. Having too many systems causes multiple problems:
• How many systems can you be a master of? You can be world-class at 1 thing, great at a few things, or mediocre at many things. That's the trade-off. You can't know about that newest neat feature that will save the company millions on every tool out there.
• When our resources are spread between too many systems, we only look at systems when lights go red. This means we're missing the small clues that things might be changing. Simply put, we are not receiving full value from our tools.
Continued : http://www.infosecisland.com/blogview/21857-Spring-Cleaning-for-Your-Security-Toolbox.html
Multi-platform Backdoor Lurks in Colombian Transport Site
From the F-Secure Antivirus Weblog:
We recently came across a compromised Colombian Transport website where the malware author utilizes social engineering by displaying a signed applet upon visiting the page.
Here is what is shown if visited using Windows: [Screenshot]
And using MacOS: [Screenshot]
The JAR file checks if the user's machine is running in Windows, Mac or Linux then downloads the appropriate files for the platform. [Screenshot]
All three files for the three different platforms behave the same way. They all connect to 188.8.131.52 to get additional code to execute. The ports are 8080, 8081, and 8082 for OSX, Linux, and Windows respectively. As of writing, the server has not given any code.
The files are detected as:
Continued : http://www.f-secure.com/weblog/archives/00002397.html
DNSChanger FAQ: The Internet Is Not Broken
You know things have gone sideways when NPR and local TV news are talking about the "Internet doomsday" or "Black Monday". We have DNSChanger to thank for this latest bout of Internet paranoia, and there's a ton of misinformation and craziness circulating about the malware. We're here to provide some actual information, luckily for you.
So, here's a short FAQ to help separate fact from fiction regarding DNSChanger.
What is DNSChanger and what can it do?
DNSChanger is a piece of malware that was used in a large click-fraud campaign known as Ghost Click. Once on a victim's machine, the malware would hijack search queries and send users' traffic through rogue DNS servers and on to sites that displayed ads for companies that were controlled by the gang behind the scam, earning them money for every click on those ads. The FBI helped take down the DNSChanger crew last year and at the time of the bust, estimated that there were several million PCs infected with the malware. That number is estimated to be around 300,000 infections now, a tiny fraction of the billions of IP-enabled devices on the Interwebs. When the FBI took down the gang behind this attack, it also took control of the rogue DNS servers and continued to operate them so that all of the infected users could still access the Internet.
What is a DNS server and why do I care which one my traffic goes through?
The DNS system is a global network of specialized servers that provide your computer with the IP address that corresponds to the URL you are trying to reach. So, for example, if you search for Threatpost on Alta Vista and then click on the link for Threatpost.com, your browser contacts a name server and says, "Hi, please give me the IP address for the URL Threatpost.com." The name server will respond with an IP address that your browser understands, and then your browser connects to the address and you wind up here reading this FAQ. This works properly billions of times a day, but there are ways for attackers to mess with the system, as the DNSChanger crew did, and route your DNS requests through a name server that they control. In those attacks, your browser doesn't end up on the site you're trying to reach and instead can be redirected to malicious sites.
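Whether a machine was routing its lookups through the rogue servers comes down to which resolvers it is configured to use, which is also the setting the h-online item earlier on this page tells disconnected users to repoint at a trusted service. The following is an added example, not the FBI's, DCWG's or any vendor's tooling: it reads the resolver list out of a Unix resolv.conf or Windows "ipconfig /all" excerpt and reports any resolver that falls inside a list of rogue ranges. The rogue range used here is a documentation block standing in as a placeholder, and both configuration excerpts are constructed; the real DNSChanger ranges were published by the FBI and are not reproduced here.

```python
import ipaddress
import re

# Added example (not the FBI's or DCWG's tooling): list the resolvers a host is
# configured to use and flag any inside ranges known to be rogue. ROGUE_RANGES
# holds a placeholder block (TEST-NET-3); the real DNSChanger ranges were
# published by the FBI and are not reproduced here. The two configuration
# excerpts below are constructed samples.

ROGUE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder, not a real rogue range

IP_RE = r"(?:\d{1,3}\.){3}\d{1,3}"


def parse_resolv_conf(text: str):
    """Nameservers from a Unix /etc/resolv.conf."""
    return re.findall(rf"^\s*nameserver\s+({IP_RE})", text, re.MULTILINE)


def parse_ipconfig(text: str):
    """DNS servers from Windows 'ipconfig /all' output, including continuation lines."""
    servers, in_dns = [], False
    for line in text.splitlines():
        m = re.match(rf"\s*DNS Servers[ .]*:\s*({IP_RE})", line)
        if m:
            servers.append(m.group(1))
            in_dns = True
            continue
        cont = re.fullmatch(rf"\s+({IP_RE})\s*", line)
        if in_dns and cont:
            servers.append(cont.group(1))   # extra servers are listed one per indented line
            continue
        in_dns = False                      # any other line ends the DNS Servers entry
    return servers


def classify(resolvers, rogue_ranges=ROGUE_RANGES):
    """Map each resolver to 'rogue' or 'ok'; malformed entries are reported as 'invalid'."""
    result = {}
    for r in resolvers:
        try:
            addr = ipaddress.ip_address(r)
        except ValueError:
            result[r] = "invalid"
            continue
        result[r] = "rogue" if any(addr in net for net in rogue_ranges) else "ok"
    return result


RESOLV_CONF = """# constructed sample
nameserver 203.0.113.5
nameserver 192.0.2.1
"""

IPCONFIG = """Ethernet adapter Local Area Connection:
   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 203.0.113.9
                                       192.0.2.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    print("resolv.conf:", classify(parse_resolv_conf(RESOLV_CONF)))
    print("ipconfig   :", classify(parse_ipconfig(IPCONFIG)))
```

A resolver reported as "rogue" is the setting to replace with a trusted resolver, as the h-online item describes; the FAQ's point that the FBI kept the rogue servers answering is why such a machine kept working until the servers were switched off. Home routers listed in the F-Secure item above hand out resolvers over DHCP, so the router's own DNS setting is worth the same check.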
So the FBI owns the DNS system?
Continued : http://threatpost.com/en_us/blogs/dnschanger-faq-internet-not-broken-070912