Spyware, Viruses, & Security forum

Alert

NEWS - September 14, 2012

Anonymous' Barrett Brown arrested by FBI during online chat

"Barrett Brown snagged during live online video chat hours after YouTube posting (see videos below)"

Dallas law enforcement authorities have arrested self-professed Anonymous spokesman Barrett Brown in what appears to have been a dramatic raid of his apartment late Wednesday night.

Barrett was having a live online video chat session with a few others when law enforcement officers can be heard storming into the room and shouting at him to comply with their commands to submit to his arrest.

Anonymous spokesman Barrett Brown was arrested by Dallas law enforcement authorities while in the middle of an online video chat.

Though a woman believed to be Brown's girlfriend who was with him at the time of his arrest shuts the camera off a few seconds into the raid, the audio continued to capture the events as a law enforcement officer orders a yelling Brown to put his hands down, presumably to be handcuffed.

Continued : http://news.techworld.com/security/3381272/anonymous-barrett-brown-arrested-by-fbi-during-online-chat/

Also:
Self-proclaimed Anonymous spokesperson under arrest after anti-FBI video
Former Anonymous Spokesman Taken Into Custody After Threatening FBI Agent
The Arrest of the Face of Anonymous Will of Course Be Televised

Related:
Updated: Anonymous retaliates for arrest of "spokesman" in Dallas, promising to release government credit card numbers and, er, pizzas
Anonymous Retaliates After Member Arrested
Discussion is locked
You are posting a reply to: NEWS - September 14, 2012
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: NEWS - September 14, 2012
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
New technique in ransomware explained

In reply to: NEWS - September 14, 2012

Ransomware is malicious software that attempts to extort money out of unsuspecting users, normally by locking them out of their machines. This isn't the first time (or even the second) that we've seen such malware in the last few months, but lately there has been a trend of a more sinister type of ransomware.

Instead of simply employing tricks to lock you out of your computer, crypto-ransomware holds your files (documents, photos, music, movies, etc.) hostage by encrypting them. This makes remediation a lot more difficult than just removing the malicious infection, as your files also need to be decrypted.

Last week, SophosLabs saw new ransomware samples employing this technique. On infection, the malware searches for specific types of files (using a list of over 110 file extensions; .doc, .jpg, .pdf, etc), encrypts them, and renames the now unreadable file with a .BLOCKAGE extension. The following ransom message is then displayed to the user: [Screenshot]

Continued : http://nakedsecurity.sophos.com/2012/09/14/new-technique-in-ransomware-explained/

Collapse -
The various spam campaigns leading to Blackhole

In reply to: NEWS - September 14, 2012

At any given time, there is a considerable number of email spam campaigns that ultimately lead users to pages hosting exploit kits - more often then not the extremely popular Blackhole exploit kit.

Websense researchers warn about the ones that are currently hitting inboxes around the world: the first one takes the form of a voice mail notification from Microsoft Exchange servers, the second one poses as a ADP invoice reminder, the third one mimics a FDIC notification claiming the users' wire transfer ability was suspended, and the fourth one is a bogus thank you note that tries to trick the recipients into believing that they have somehow signed up for a premium service of accountingWEB.com: [Screenshot]

"A lot of the email messages pretend to come from trusted sources (well-known establishments, or the victim's own infrastructure), and try to catch the reader off-guard by focusing their attention on something urgent, like money matters," the researchers point out.

The landing pages are different in all the attacks, but some look like they could have been set up since the recent advent of the new version of the Blackhole exploit kit.

http://www.net-security.org/malware_news.php?id=2267

From Websense: Voice Mail Notifications and ADP Emails Lead to Blackhole Exploit Kit

Collapse -
Huawei & ZTE Grilled by U.S. Committee Over Spying Concerns

In reply to: NEWS - September 14, 2012

China's Huawei and ZTE Grilled by U.S. Committee Over Spying Concerns

A U.S. congressional committee appeared to come away still in doubt about the security of networking equipment from Chinese firms Huawei Technologies and ZTE after holding a Thursday hearing in which the two companies tried to dispel allegations that they were tied to the Chinese government.

"I'm a little disappointed today. I was hoping for more transparency, more directness," said the Chairman of the U.S. House Intelligence Committee, Representative Mike Rogers. "There is a sphere of government influence in your companies of which you either can't identify their roles and responsibilities or won't. Either way, its unacceptable."

Thursday's hearing was held as part of an investigation launched by the U.S. House Intelligence Committee to find if Huawei and ZTE posed a security threat to the nation given the increasing cyber attacks allegedly coming from China. U.S. officials are concerned networking gear bought from Huawei and ZTE could in fact be used by the Chinese government to spy on U.S. activities and steal sensitive information.

Continued : http://www.pcworld.com/businesscenter/article/262310/chinas_huawei_and_zte_grilled_by_us_committee_over_spying_concerns.html

Also:
US Congress Slam Huawei and ZTE as Companies Deny Espionage Charges
Huawei, ZTE deny U.S. charges; House lawmakers unconvinced
Huawei and ZTE deny US spying charges at hearing
Collapse -
"Pre-loaded" PC malware leads to domain takeover

In reply to: NEWS - September 14, 2012

Microsoft has found that new computers purchased by its employees in Chinese cities already had malware installed on them. In August 2011, the company began an investigation to see if there was any evidence to back up claims that counterfeit software and malware was being placed onto PCs in the supply chain in China and sent employees to buy ten desktop and ten laptop computers from "PC Malls" in various cities in China. Four of the computers were found to already have malware on them.

As well as having malware which spread over USB flash drives on them, one of the four machines in particular attracted the researchers' attention because it was infected with the Nitol virus. Nitol installs a backdoor used for spam or DDoS attacks and the botnet it was connected to was hosted at 3322.org. Microsoft found that the hosting provider appeared to host around 500 different strains of malware on 70,000 sub-domains. This other malware, says Microsoft, included remote camera control and viewing backdoors and key loggers.

Continued : http://www.h-online.com/security/news/item/Pre-loaded-PC-malware-leads-to-domain-takeover-1708165.html

Related :
Microsoft Disrupts the Emerging Nitol Botnet Being Spread through an Unsecure Supply Chain
Microsoft Disrupts 'Nitol' Botnet in Piracy Sweep

Also:
Microsoft Finds Nitol Botnet Malware Pre-Installed On PCs At Factories
Malware being installed on computers in factories, warns Microsoft
Microsoft Unearths Nitol Malware Pre-installed on Chinese Computers

Collapse -
New PDF Attack Targets Aviation Defense Industry

In reply to: NEWS - September 14, 2012

FireEye reported today it had detected a new critical PDF attack targeting the aviation defense industry.

Malware Page exploits a stack-based buffer overflow vulnerability in Adobe Acrobat and Adobe Reader. An attacker would be able to execute code remotely via a crafted argument to the getIcon method of a Collab object, according to the CVE alert.

When a user opens the infected PDF, the exploit creates an executable file, which drops a DLL and opens a backdoor connection on TCP port 49163, FireEye said in its analysis. The malware opens connections to IP addresses in Germany and the Bahamas and maintains a detailed log of all network communications.

Simultaneously, the attack drops a decoy PDF document which is an invitation to an actual defense industry event.

https://threatpost.com/en_us/blogs/new-pdf-attack-targets-aviation-defense-industry-091312

Collapse -
Threats Get Trickier with Versatility and Social Engineering

In reply to: NEWS - September 14, 2012

Cybercriminals intending to take your data find various ways through social engineering. For example, in our investigation of what seemed to be a run-of-the mill spam run leading to a pharma site, we've uncovered the same points we have raised in our eguide, How Social Engineering Works.

The spam run starts as an email notification bearing the familiar Facebook blue lines, and the message itself wants the recipient to confirm their account. Such practice is nothing out of the ordinary, as most membership-based sites (even non-social networking ones) send users an email to confirm their membership. The problem in this case, however, is that the email address to which the message was sent to is not affiliated to any Facebook account. [Screenshot]

Further checking on the spam message, it turns out that clicking on the link leads to a fake pharma site: [Screenshot]

While this kind of spam run is certainly not new, further analysis has revealed that this run has the potential to lead to more "evil" kinds of payload.

Spam runs such as this one are versatile, and can lead to anything - from survey scams to the popular blackhole exploit kit, and can be changed from one to the other very quickly. So the fact that it loads a relatively "harmless" pharma site today, does not guarantee that it will do the same tomorrow.

Continued : http://blog.trendmicro.com/threats-get-trickier-with-versatility-and-social-engineering/

Collapse -
US schools track teens by putting chips into ID cards

In reply to: NEWS - September 14, 2012

US schools track teens by putting chips into students' ID cards

A Texas school district in the US is putting tracking chips into new, mandatory student IDs to keep tabs on students' whereabouts at all times.

The one-year pilot test is being rolled out in October for some 4,200 students in the John Jay High School and Anson Jones Middle School, which are two of the 112 schools in the district.

Students will be required to wear the cards on a lanyard around their necks and will be charged a fee for losing them.

Their location will be beamed out to electronic readers throughout the campuses, Northside Independent School District spokesman Pascual Gonzalez told FoxNews.com.

Some parents are protesting, comparing the tags to RFID chips used to track cattle.

Steven Hernandez, a father of a student who attends the Texas school and the only local parent to attend a protest late last month, told KSN News that the new badges amount to "a spy chip".

Continued : http://nakedsecurity.sophos.com/2012/09/14/us-schools-track-teens-by-putting-chips-into-students-id-cards/
Collapse -
Phishers Kick Off 2014 FIFA World Cup

In reply to: NEWS - September 14, 2012

Symantec Security Response Blog:

The next FIFA World Cup is scheduled to take place in June 2014 in Brazil and phishers have already taken the opportunity to promote the event. World Cups are a favorite of phishers, as observed in the phishing sites focused on the 2010 FIFA World Cup and the 2011 Cricket World Cup. In September 2012, phishing sites spoofed a popular Brazilian credit and debit card company using the 2014 FIFA World Cup as bait. [[urlhttp://www.symantec.com/connect/imagebrowser/view/image/2485521/_original=]Screenshot]

The phishing sites were in Brazilian Portuguese. A number of the phishing sites featured Brazilian footballer Neymar da Silva. Phishers utilized a recently registered domain, hosted on servers based in Brazil, to create the phishing site. [Screenshot]

A message given on the phishing page stated that the company offered $20,000 in prizes and a new car. It also offered zero billing charges on the customer's card for exclusive trips taken to the 2014 FIFA World Cup in Brazil. Customers were prompted to register for the offer by entering their personal data and credit card details.

The personal data requested included the customer's:

Continued : http://www.symantec.com/connect/blogs/phishers-kick-2014-fifa-world-cup

Collapse -
Blackhole 2.0 Beta Tests In The Wild?

In reply to: NEWS - September 14, 2012

TrendLabs Malware Blog:

Recently it was announced via posts in underground forums and Pastebin posts that a new version of the Blackhole Exploit Kit (BHEK), version 2.0, had been released. (The original announcement was in Russian; an English translation has been provided by researcher Denis Laskov and may be found here.)

We cannot confirm that BHEK 2.0 has been fully deployed by cybercriminals yet. However, intriguing evidence suggests that some parts of BHEK version 2.0 are already being beta-tested in the wild.

The announcement explicitly called out changes in the URLs that BHEK uses:

In version 1. * link to malicious payload unfortunately was recognizable for AV companies and reversers, she [sic] looked this kind,. /Main.php?Varname=lgjlrewgjlrwbnvl2. The new version of the link to the malicious payload you can choose yourself, here are some examples: /news/index.php,/contacts.php and so on, now for the moment no one AV can not catch.

Let's look at three recent BHEK spam runs to see where they fit here. One spam run, using the name of the Federal Deposit Insurance Corporation (FDIC), was a classic BHEK 1.x spam run with an infection chain of this format:

hxxp://{compromised domain}/achsec.html
hxxp://{landing page}/main.php?page=0f123fe645ddf8d7

[Screenshot: FDIC]

In contrast to this, both the eFax and ADP spam runs used the new URL format. eFax used the following format:

Continued : http://blog.trendmicro.com/blackhole-2-0-beta-tests-in-the-wild/

Collapse -
WhatsApp accounts almost completely unprotected

In reply to: NEWS - September 14, 2012

Tests performed by The H's associates at heise Security have found that popular texting alternative WhatsApp is easily hacked using freely available tools. Anyone using WhatsApp on a public Wi-Fi network risks having their data sniffed and their account used to send and receive messages. Once hacked, there is no way to restore account security - attackers will be able to continue to use the hacked account at their discretion.

Over the last week the lack of security inherent in WhatsApp's authentication has gradually become clear. Researchers have discovered that the client uses an internally generated password to log on to the server; this password is generated on Android devices from the device's serial number (IMEI) and on iOS devices from the MAC address of the Wi-Fi interface. The problem with this is that the information is anything other than secret - the IMEI can often be found on stickers inside of Android phones (usually under the battery) and can also be obtained using a shortcut key combination or by any app.

Sniffing this data is even easier when it comes to devices running iOS - the MAC address is visible to anyone within range of the Wi-Fi network being used. If this is a public Wi-Fi network, in a busy coffee shop, for example, data sniffers can even determine the user's phone number from the data packet transmitted by WhatsApp. Taking over the account is child's play - attackers don't even need to know who their victim is. The whole situation is even less understandable considering that there is already a shared secret between WhatsApp and the user in the form of a confirmation code sent by text message when the user first registers.

Continued : http://www.h-online.com/security/news/item/WhatsApp-accounts-almost-completely-unprotected-1708545.html

Collapse -
how

In reply to: WhatsApp accounts almost completely unprotected

how we can stop following WhatsApp data on facebook

Collapse -
(NT) Easy, Stop Using It/Remove App Till It's Fixed !!

In reply to: how

Collapse -
Beware of iOS Apps that Send Plaintext Passwords

In reply to: NEWS - September 14, 2012

From Bitdefender Labs "HotforSecurity" Blog:

"Passwords are the last, and sometimes only, line of defense against online criminals. The average computer users know not to leave their critical passwords lying around for all to see."

Some iOS app developers, however, are apparently less careful when handling users' vital information. Bitdefender Labs analyzed some highly-rated free iOS apps starting from the premise that they should handle credentials wisely, only to find out that some of them don't.

With 65,427 three-and-a-half customer-rated stars at the time of writing, Wi-Fi Finder By JiWire Inc. was found to broadcast passwords in plaintext. The app, which enables users to find free or paid Wi-Fi networks, does not seem to encrypt any broadcasted passwords, making it easy for someone with minimum spoofing knowledge to peek at them.

An iOS app that offers "to keep track of your expenses and personal finances on the go" also sends plaintext passwords. Texthog has more than 1,526 customer-rated stars, suggesting that it's quite popular. Auto sync with your texthog.com account could be risky if you're doing it over a Wi-Fi network while somebody is monitoring your traffic.

Continued : http://www.hotforsecurity.com/blog/beware-of-ios-apps-that-send-plaintext-passwords-3481.html

Collapse -
Researcher Charlie Miller Joins Twitter Security Team

In reply to: NEWS - September 14, 2012

Twitter quietly is assembling a serious security team, with the most recent addition being Charlie Miller, the security researcher known for finding a long line of bugs in the iPhone and other Apple products. Miller, a respected and prolific researcher, will join the social network's security team next week.

When he arrives, Miller will join a team that also includes Moxie Marlinspike, the security and privacy researcher who developed the SSLstrip attack as well as the RedPhone and WhisperCore security systems for Android phones. Twitter later acquired his company, Whisper Systems, and Marlinspike has been working on the company's internal team since.

Miller has worked on a wide variety of research topics, with his most recent one being a project funded by DARPA that looked at the security properties of NFC chips in various mobile phones. In the course of that research, Miller developed techniques that enabled him to force users' phones to connect to a given Web site or take complete control of the vulnerable phone.

Continued : https://threatpost.com/en_us/blogs/researcher-charlie-miller-joins-twitter-security-team-091412

Collapse -
IT Executive Revealed As PlugX RAT Malware Creator

In reply to: NEWS - September 14, 2012

"AlienVault identified the suspect by traces of his personal information scattered online"

Security experts at AlienVault have tracked down the creator of the PlugX Remote Access Tool (RAT), used in hacker attacks around the world. To their surprise, the brains behind the software was actually one of the directors of a Chinese IT company.

The sleuths analysed the traces of PlugX activity, and identified the suspected programmer, which led them to his address, photo and the name of the company he was working for - ChinaNSL Technology.

Digital detective work

AlienVault has been tracking PlugX, also known as Korplug, for the past few months, analysing the payloads of the attacks and collecting intelligence.

PlugX is a backdoor malware with a high damage potential. Once on the system, it executes commands from a remote malicious user, effectively compromising the affected computer.

The tool was mainly used by hackers in Japan, Taiwan, China, Korea and against Tibetan organizations. The security experts were almost certain that the creator of the malware has been participating in the attacks himself.

Continued : http://www.techweekeurope.co.uk/news/plugx-rat-malware-creator-is-an-it-company-director-92780

Also:
AlienVault doxes the man behind the PlugX RAT
Is 'Virus Expert' Tied To PlugX RAT Malware?
AlientVault Tracks Down Developer of PlugX RAT

PlugX RAT related: PlugX: New Tool For a Not So New Campaign

Popular Forums

icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

SMART HOME

This one tip will help you sleep better tonight

A few seconds are all you need to get a better night's rest.