11 total posts
Next-gen Trojan rewrites bank statements
Crooks loot $440K using uber-subtle stealth malware
By John Leyden
1st October 2009
Black hat hackers have created a new strain of Trojan that rewrites online bank statements to disguise fraud.
Victims of the URLZone Trojan would only realise their bank account has been looted after they check their balance with a bank branch or via an ATM.
The malware features a keystroke logger that captures bank login credentials and takes screenshots of activities on bank accounts, both of which were forwarded to a command and control server hosted in the Ukraine.
Continued here: http://www.theregister.co.uk/2009/10/01/next_gen_bank_trojan/
Botnet control server camouflages commands as JPEG images
1 October 2009
The command and control server for the Monkif botnet is reportedly using a rudimentary technique to mask network communication by camouflaging commands to its drones as JPEG images. According to monitoring by Websense, the Monkif C&C server, operating as a web server, responds to queries from bots with an HTTP packet in which the Content-Type header is set to "image/jpeg". The packet also includes a fake, but valid, JPEG header. Rather than an image, the rest of the packet contains an encoded command (XOR'd with 0x4).
Continued here: http://www.h-online.com/security/Botnet-control-server-camouflages-commands-as-JPEG-images--/news/114370
Botnet buries commands in image files
Stego backdoor hub
Security researchers have identified a botnet that borrows an idea from steganography by burying commands in jpg images.
The DlKhora botnet, which is primarily geared towards downloading other strains of malware, encodes instructions so that the command and control server appears to be serving up image files, SecureWorks reports.
The server sets the HTTP Content-Type header to "image/jpeg" and prefaces the bot commands with a fake 32-byte JPEG header. The bot checks if the header matches and decodes the rest of the response to retrieve its commands. The commands are encoded using a single byte XOR with 0
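The two write-ups above describe the same trick from both ends: the server answers with Content-Type image/jpeg, a fake JPEG header, and a command XOR'd with a single byte; the bot checks the header and XORs the rest back. The following is an added example, not code from Websense, SecureWorks or the botnet, showing the bot-side decoder beside a proxy-side detector. It takes the 32-byte header length (SecureWorks) and the 0x04 key (Websense) from the articles; the JFIF bytes used to fill the fake header, the sample command and the key-recovery heuristic (which goes beyond the articles by brute-forcing all 256 single-byte keys) are this example's own assumptions.

```python
# Added example (not code from Websense, SecureWorks, or the botnet itself):
# decoder and detector for C&C responses that hide an XOR-encoded command
# behind a fake JPEG header. Assumed from the articles: 32-byte header, key
# 0x04. Constructed here: the JFIF filler bytes and the sample command.
import string
from typing import Dict, Optional, Tuple

HEADER_LEN = 32   # fake JPEG header length reported by SecureWorks
KEY = 0x04        # single-byte XOR key reported by Websense
MIN_TEXT_RATIO = 0.9  # detector threshold; a tuning choice for this example

# Constructed 32-byte prologue: SOI marker (FF D8) followed by an APP0/JFIF
# segment, zero-padded. A naive "does it start like a JPEG?" check passes.
FAKE_JPEG_HEADER = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
).ljust(HEADER_LEN, b"\x00")

# Bytes expected in a textual bot command (words, URLs, numbers).
GOOD = set(string.ascii_letters.encode() + string.digits.encode() + b" ./:-_=?&%")
PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def build_response(command: str) -> bytes:
    """Constructed server side: fake header followed by the XOR'd command."""
    return FAKE_JPEG_HEADER + xor_bytes(command.encode(), KEY)


def decode_command(body: bytes) -> Optional[str]:
    """Bot side as described: accept only if the header matches, then XOR."""
    if len(body) <= HEADER_LEN or body[:HEADER_LEN] != FAKE_JPEG_HEADER:
        return None
    return xor_bytes(body[HEADER_LEN:], KEY).decode("latin-1")


def looks_like_real_jpeg(body: bytes) -> bool:
    """A genuine JPEG starts with SOI (FF D8) and ends with EOI (FF D9);
    the camouflaged response borrows only the start."""
    return body.startswith(b"\xff\xd8") and body.endswith(b"\xff\xd9")


def text_score(data: bytes) -> int:
    """Higher when the bytes look like a textual command: +1 for expected
    characters, 0 for other printable bytes, -2 for non-printable ones."""
    score = 0
    for b in data:
        if b in GOOD:
            score += 1
        elif b not in PRINTABLE:
            score -= 2
    return score


def recover_xor_key(payload: bytes) -> Tuple[int, int]:
    """Beyond the articles: try all 256 single-byte keys and return the one
    whose output scores most like text, together with that score. Short
    payloads can tie between keys, so callers should look at the score."""
    best = max(range(256), key=lambda k: text_score(xor_bytes(payload, k)))
    return best, text_score(xor_bytes(payload, best))


def inspect_response(content_type: str, body: bytes) -> Dict[str, object]:
    """Proxy/IDS-side check: flag an image/jpeg body that is not a
    well-formed JPEG yet turns into clean text under a single-byte XOR."""
    verdict: Dict[str, object] = {"suspicious": False, "key": None, "command": None}
    if not content_type.lower().startswith("image/jpeg"):
        return verdict
    if len(body) <= HEADER_LEN or looks_like_real_jpeg(body):
        return verdict
    payload = body[HEADER_LEN:]
    key, score = recover_xor_key(payload)
    if score >= MIN_TEXT_RATIO * len(payload):
        verdict.update(suspicious=True, key=key,
                       command=xor_bytes(payload, key).decode("latin-1"))
    return verdict


if __name__ == "__main__":
    # Constructed sample command; 203.0.113.0/24 is a documentation range.
    sample = build_response("download http://203.0.113.10/update.exe")
    print(decode_command(sample))
    print(inspect_response("image/jpeg", sample))
```

The detector deliberately does not depend on knowing the key or the exact header: a response that claims to be a JPEG but lacks the EOI marker and decodes to near-pure text under some single-byte XOR is the signal. Real images still pass because the EOI check short-circuits before any decoding is attempted.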
Twitter Abuse Growing Rampant
Social networks are rapidly becoming a primary channel to market for malware distributors and other cyber-criminals as the use of popular sites such as Twitter continues to take off, and the communications vehicles subsequently create new opportunities for attackers to hide their threats using features such as so-called link shorteners.
Attackers have been working to infiltrate and abuse social networks for years, but the issue is becoming truly pervasive nowadays as they shift even more of their efforts away from more traditional electronic messaging systems and distribute a greater share of their nefarious content over so-called Web 2.0 sites, in particular Twitter, according to Symantec security researcher Ben Nahorney.
The distribution of malware infection links over Twitter has become particularly problematic of late, Nahorney noted in a recent blog post. Since the 140-character limit for posts made over the micro-blogging platform has led to widespread use of URL shorteners that obscure address details, even savvy users of Twitter are likely taking bigger risks, the implication appears to be.
Continued here: http://securitywatch.eweek.com/twitter/twitter_abuse_growing_rampant.html
"Google has Chrome Frame plug-in for Firefox up its sleeve, says Mozilla"
Source code points to possible 'browser-in-a-browser' plug-in for Firefox, Opera
By Gregg Keizer
October 1, 2009
Google may intend to produce a Chrome Frame plug-in for Firefox, Mozilla's chief engineer said.
"The code is certainly there," said Mike Shaver, Mozilla's vice president of engineering, referring to parts of the Chrome Frame source code that indicate Google could crank out a Firefox plug-in similar to what Google released last week for Microsoft's Internet Explorer (IE).
"But source code doesn't speak to intent," Shaver added Wednesday, saying he had no inside knowledge as to whether Google would, in fact, expand its browser-in-a-browser plug-in concept to Firefox.
More here: http://www.computerworld.com/s/article/9138740/Google_has_Chrome_Frame_plug_in_for_Firefox_up_its_sleeve_says_Mozilla
Fake antivirus overwhelming scanners
Criminals look for easy money.
By John E. Dunn
Published: 15:25 GMT, 01 October 09
Fake antivirus programs are multiplying at such a rate they could start to overwhelm the detection capabilities of signature-based scanners, the latest figures from the Anti-Phishing Working Group (APWG) have hinted.
Rogue or bogus programs passing themselves off as real antivirus software have been one of the malware themes of 2009, but the APWG's numbers for the first half of the year show that the organisation's members detected 485,000 samples, more than five times the total for the whole of 2008.
The reason for the growth in numbers is what is known in technical terminology as 'polymorphism', an old defence technique which involves changing the binary checksum of every copy (or download) of a piece of malware. This makes it much more difficult for antivirus programs to detect the programs.
More here: http://news.techworld.com/security/3203072/fake-antivirus-overwhelming-scanners/
Malware worldwide grows 15 percent in September
By Lance Whitney
A rise in malware has caused the number of infected PCs worldwide to increase 15 percent just from August to September, says a report released Tuesday from antivirus vendor Panda Security.
Across the globe, the average number of PCs hit by malware now stands around 59 percent, an all-time high for the year. Among 29 countries tracked, the U.S. ranked ninth with slightly more than 58 percent of its PCs infected. Taiwan hit first place with an infection ratio of 69 percent, while Norway came in lowest with only 39 percent of its PCs attacked by malware.
Facebook Hit With New Spyware Scam
Hackers bypassed the social networking site's captchas to create new accounts at will.
October 1, 2009
By Larry Barrett:
Facebook on Thursday was hit with yet another spyware attack.
This time hackers managed to crack the security captchas -- the words or letter combinations that users are asked to retype when registering -- to create new Facebook accounts designed to steal users' account and personal information.
Roger Thompson, chief of research at AVG Technologies, detailed this latest scam in a blog post Thursday morning. He said that this new tactic was "one of the first if not the first time" that hackers were able to compromise the Facebook captcha.
"We're seeing a lot of these, all from different profiles, but with the same picture and link," Thompson said. "I'm sure Facebook will deactivate all these accounts as quickly as they find them, but it can't be an easy thing for them to find."
Facebook spokesman Simon Axten told InternetNews.com the social-networking site is working to identify all the bogus accounts in order to disable them en masse.
Continued here: http://www.internetnews.com/security/article.php/3841921/Facebook+Hit+With+New+Spyware+Scam.htm
Automated Facebook Attack underway
October 01, 2009
Today our LinkScanner users started detecting rogue spyware attacks that seemed to be originating from Facebook. The first profile that we looked at looked like this:
(See Screenshots within Article)
We're seeing rather a lot of these, all from different profiles, but with the same picture and link. Clearly, the Data Snatchers have found a way to automate the creation of Facebook accounts, which means they've found a way to bypass the Facebook Captcha (the image of letters which are required for a new account, which are supposed to ensure that a human is involved).
I'm sure Facebook will deactivate all these accounts as quickly as they find them, but it can't be an easy thing for them to find.
More here: http://thompson.blog.avg.com/2009/10/automated-facebook-attack-underway.html
One thumb up for MS Security Essentials in early tests
Detection fair but clean-up lacking, reports AV-Test.org
By John Leyden
1st October 2009
Independent testing lab AV-Test.org has published one of the first reviews of Microsoft Security Essentials, Redmond's freebie anti-virus package.
The software earned favourable comparison with other free packages, such as AVG and Avast. Detection rates were respectable and the product scored plaudits in avoiding false positives, a perennial problem for anti-virus scanners where legitimate files are detected as potentially malign and put into quarantine, sometimes hobbling systems in the process.
Most of the worst problems occur when anti-virus scanners decide that Windows system files might be dodgy. Microsoft has an obvious advantage in being able to avoid such problems. Even so, minimising the risk of false positives is a big plus mark for Microsoft Security Essentials.
Continued here: http://www.theregister.co.uk/2009/10/01/ms_security_essentials_review/
Mozilla Tests More Secure Firefox
Versions of Firefox with enhanced cross-site scripting protection have been released for testing
By Thomas Claburn
October 1, 2009 05:20 PM
Mozilla on Wednesday posted preview builds of its Firefox browser with security enhancements designed to mitigate the risk of certain Web attacks.
In a blog post, Brandon Sterne, security program manager for Mozilla, asks security researchers and server administrators to help test the changes by downloading a build appropriate for their operating system.
The preview versions of Firefox implement a specification called Content Security Policy (CSP), which is designed to protect against cross site scripting (XSS) attacks.
CSP originally also addressed cross site request forgery (CSRF) attacks, but the anti-CSRF measures have been moved into a separate security specification called the Origin Header proposal.
XSS and CSRF attacks have been used for data theft, Web site defacement, and malware distribution. They're typically made possible by Web application coding errors.
More here: http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=220300750
Targeted e-mails distribute malware in PayChoice breach
by Elinor Mills
October 1, 2009
Payroll processor PayChoice said on Thursday it is investigating a breach in which customers received targeted emails purporting to be from the company that were designed to trick people into downloading malware.
Workers received e-mails last week that directed them to download a browser plug-in or visit a Web site so they could continue accessing the Onlineemployer.com PayChoice portal. Malware in the download and on the Web site turned out to exploit holes in Internet Explorer, Adobe Flash and Adobe Reader, PayChoice said.
The emails were targeted to individuals and included their user names, login IDs and partial passwords, thus increasing the chance that recipients would be likely to fall for the ruse.
In a statement, PayChoice did not say how many people received the e-mails, but said most of the employees served by PayChoice do not use the portal. PayChoice, based in Moorestown, New Jersey, provides payroll software and services to 125,000 businesses.
Continued here: http://news.cnet.com/security/?tag=hdr;snav