New technique in ransomware explained
Ransomware is malicious software that attempts to extort money out of unsuspecting users, normally by locking them out of their machines. This isn't the first time (or even the second) that we've seen such malware in the last few months, but lately there has been a trend of a more sinister type of ransomware.
Instead of simply employing tricks to lock you out of your computer, crypto-ransomware holds your files (documents, photos, music, movies, etc.) hostage by encrypting them. This makes remediation a lot more difficult than just removing the malicious infection, as your files also need to be decrypted.
Last week, SophosLabs saw new ransomware samples employing this technique. On infection, the malware searches for specific types of files (using a list of over 110 file extensions; .doc, .jpg, .pdf, etc), encrypts them, and renames the now unreadable file with a .BLOCKAGE extension. The following ransom message is then displayed to the user: [Screenshot]
Continued : http://nakedsecurity.sophos.com/2012/09/14/new-technique-in-ransomware-explained/
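The post describes the mechanics (walk the disk for a list of document extensions, encrypt, rename with .BLOCKAGE) but not how you would notice it after the fact. The script below is an added example written for this thread, not code from Sophos or from the malware: it walks a directory tree, counts files carrying the ransom extension, and checks whether their contents actually look encrypted with a byte-entropy test, so a renamed-but-untouched file is not mistaken for ciphertext. The three-extension list, the 7.0 bits/byte threshold and the three-file verdict cutoff are assumptions; the sample tree is constructed in a temp directory and is not a real infection.

```python
"""Added example: detect the .BLOCKAGE renaming pattern described in the Sophos post.
A tree with several renamed files whose contents look encrypted is flagged; a renamed
file with low-entropy content (zeros) is counted but not treated as encrypted."""
import math
import os
import tempfile
from collections import Counter

RANSOM_EXT = ".BLOCKAGE"
# Three of the 110+ targeted extensions named in the post; the full list is not on the page.
TARGETED = {".doc", ".jpg", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or random data, well below that for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str, threshold: float = 7.0) -> dict:
    """Walk root and report: files carrying the ransom extension, those whose first
    4 KiB look encrypted (entropy >= threshold), and targeted documents left intact."""
    report = {"blockage": [], "encrypted_like": [], "intact_targeted": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            _, ext = os.path.splitext(name)
            if ext.upper() == RANSOM_EXT:        # the post shows the extension in upper case
                report["blockage"].append(path)
                with open(path, "rb") as f:
                    head = f.read(4096)
                if shannon_entropy(head) >= threshold:
                    report["encrypted_like"].append(path)
            elif ext.lower() in TARGETED:
                report["intact_targeted"].append(path)
    return report


def verdict(report: dict, min_hits: int = 3) -> bool:
    """Call it crypto-ransomware activity once several renamed files look encrypted (assumed cutoff)."""
    return len(report["encrypted_like"]) >= min_hits


def build_sample_tree() -> str:
    """Constructed sample (not a real infection): two intact documents, three renamed files
    filled with random bytes standing in for ciphertext, and one renamed but zero-filled."""
    root = tempfile.mkdtemp(prefix="blockage-demo-")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("notes.doc", "holiday.jpg"):
        with open(os.path.join(docs, name), "wb") as f:
            f.write(b"Quarterly report, draft three. " * 100)
    for name in ("budget.pdf.BLOCKAGE", "thesis.doc.BLOCKAGE", "family.jpg.BLOCKAGE"):
        with open(os.path.join(docs, name), "wb") as f:
            f.write(os.urandom(8192))
    with open(os.path.join(docs, "empty.doc.BLOCKAGE"), "wb") as f:
        f.write(b"\x00" * 8192)
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    print(f"renamed: {len(report['blockage'])}, encrypted-looking: "
          f"{len(report['encrypted_like'])}, ransomware verdict: {verdict(report)}")
```

The entropy check is what separates this from a plain extension count: compressed media (.jpg, .zip) also scores high, so on a real share you would whitelist those by original extension, and a single renamed file should never trigger the verdict on its own.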
The various spam campaigns leading to Blackhole
At any given time, there is a considerable number of email spam campaigns that ultimately lead users to pages hosting exploit kits - more often than not the extremely popular Blackhole exploit kit.
Websense researchers warn about the ones that are currently hitting inboxes around the world: the first one takes the form of a voice mail notification from Microsoft Exchange servers, the second one poses as an ADP invoice reminder, the third one mimics an FDIC notification claiming the users' wire transfer ability was suspended, and the fourth one is a bogus thank you note that tries to trick the recipients into believing that they have somehow signed up for a premium service of accountingWEB.com: [Screenshot]
"A lot of the email messages pretend to come from trusted sources (well-known establishments, or the victim's own infrastructure), and try to catch the reader off-guard by focusing their attention on something urgent, like money matters," the researchers point out.
The landing pages are different in all the attacks, but some look like they could have been set up since the recent advent of the new version of the Blackhole exploit kit.
From Websense: Voice Mail Notifications and ADP Emails Lead to Blackhole Exploit Kit
New PDF Attack Targets Aviation Defense Industry
FireEye reported today it had detected a new critical PDF attack targeting the aviation defense industry.
The malware exploits a stack-based buffer overflow vulnerability in Adobe Acrobat and Adobe Reader. An attacker would be able to execute code remotely via a crafted argument to the getIcon method of a Collab object, according to the CVE alert.
When a user opens the infected PDF, the exploit creates an executable file, which drops a DLL and opens a backdoor connection on TCP port 49163, FireEye said in its analysis. The malware opens connections to IP addresses in Germany and the Bahamas and maintains a detailed log of all network communications.
Simultaneously, the attack drops a decoy PDF document which is an invitation to an actual defense industry event.
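A quick static triage for the indicator the write-up names (JavaScript calling the getIcon method of a Collab object), as an added example for this thread rather than FireEye's tooling: the script inflates FlateDecode streams first, because the script in such documents is normally stored compressed and a plain string search over the file misses it. The PDF layout, the indicator strings and the two constructed inputs are assumptions; the "suspect" input only names the method with an oversized string argument and carries no exploit.

```python
"""Added example: static triage of a PDF for JavaScript that calls Collab.getIcon,
the method named in the FireEye write-up. Not FireEye's tooling. FlateDecode streams
are inflated first, because the script is usually stored compressed."""
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
INDICATORS = (rb"Collab", rb"getIcon")


def inflate_streams(pdf: bytes) -> list:
    """Return every stream body, inflated when it is valid zlib data, raw otherwise."""
    bodies = []
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        try:
            bodies.append(zlib.decompress(raw))
        except zlib.error:
            bodies.append(raw)           # uncompressed, another filter, or damaged
    return bodies


def triage(pdf: bytes) -> dict:
    """Report which indicators occur in the file itself or in any inflated stream."""
    haystacks = [pdf] + inflate_streams(pdf)
    hits = {ind.decode(): any(ind in h for h in haystacks) for ind in INDICATORS}
    has_js = any(b"/JavaScript" in h or b"/JS" in h for h in haystacks)
    auto_open = b"/OpenAction" in pdf or b"/AA" in pdf   # runs without a click
    return {
        "javascript": has_js,
        "auto_open": auto_open,
        "indicators": hits,
        "suspicious": has_js and all(hits.values()),
    }


def build_pdf(js: bytes) -> bytes:
    """Constructed minimal PDF (not a real sample): one compressed JS action run on open."""
    body = zlib.compress(js)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(body)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


# Constructed inputs. The first only names the method with an oversized string argument;
# it carries no shellcode or heap layout and is not an exploit.
SUSPECT = build_pdf(b'var s = "A"; for (var i = 0; i < 20; i++) s += s; Collab.getIcon(s);')
BENIGN = build_pdf(b'app.alert("Thanks for registering for the conference.");')


if __name__ == "__main__":
    for label, doc in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage(doc))
```

Because the indicator strings sit inside a compressed stream, searching the raw bytes alone would report nothing for SUSPECT; the inflate step is the whole point. Real samples also hide the method name behind string concatenation or `eval`, so treat a miss as "not found", never as "clean".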
Threats Get Trickier with Versatility and Social Engineering
Cybercriminals intending to take your data find various ways through social engineering. For example, in our investigation of what seemed to be a run-of-the-mill spam run leading to a pharma site, we've uncovered the same points we have raised in our eguide, How Social Engineering Works.
The spam run starts as an email notification bearing the familiar Facebook blue lines, and the message itself wants the recipient to confirm their account. Such practice is nothing out of the ordinary, as most membership-based sites (even non-social networking ones) send users an email to confirm their membership. The problem in this case, however, is that the email address to which the message was sent is not affiliated with any Facebook account. [Screenshot]
Further checking on the spam message, it turns out that clicking on the link leads to a fake pharma site: [Screenshot]
While this kind of spam run is certainly not new, further analysis has revealed that this run has the potential to lead to more "evil" kinds of payload.
Spam runs such as this one are versatile, and can lead to anything - from survey scams to the popular blackhole exploit kit, and can be changed from one to the other very quickly. So the fact that it loads a relatively "harmless" pharma site today, does not guarantee that it will do the same tomorrow.
Continued : http://blog.trendmicro.com/threats-get-trickier-with-versatility-and-social-engineering/
US schools track teens by putting chips into students' ID cards
A Texas school district in the US is putting tracking chips into new, mandatory student IDs to keep tabs on students' whereabouts at all times.
The one-year pilot test is being rolled out in October for some 4,200 students in the John Jay High School and Anson Jones Middle School, which are two of the 112 schools in the district.
Students will be required to wear the cards on a lanyard around their necks and will be charged a fee for losing them.
Their location will be beamed out to electronic readers throughout the campuses, Northside Independent School District spokesman Pascual Gonzalez told FoxNews.com.
Some parents are protesting, comparing the tags to RFID chips used to track cattle.
Steven Hernandez, a father of a student who attends the Texas school and the only local parent to attend a protest late last month, told KSN News that the new badges amount to "a spy chip".
Continued : http://nakedsecurity.sophos.com/2012/09/14/us-schools-track-teens-by-putting-chips-into-students-id-cards/
Phishers Kick Off 2014 FIFA World Cup
Symantec Security Response Blog:
The next FIFA World Cup is scheduled to take place in June 2014 in Brazil and phishers have already taken the opportunity to promote the event. World Cups are a favorite of phishers, as observed in the phishing sites focused on the 2010 FIFA World Cup and the 2011 Cricket World Cup. In September 2012, phishing sites spoofed a popular Brazilian credit and debit card company using the 2014 FIFA World Cup as bait. [Screenshot]
The phishing sites were in Brazilian Portuguese. A number of the phishing sites featured Brazilian footballer Neymar da Silva. Phishers utilized a recently registered domain, hosted on servers based in Brazil, to create the phishing site. [Screenshot]
A message given on the phishing page stated that the company offered $20,000 in prizes and a new car. It also offered zero billing charges on the customer's card for exclusive trips taken to the 2014 FIFA World Cup in Brazil. Customers were prompted to register for the offer by entering their personal data and credit card details.
The personal data requested included the customer's:
Continued : http://www.symantec.com/connect/blogs/phishers-kick-2014-fifa-world-cup
Blackhole 2.0 Beta Tests In The Wild?
TrendLabs Malware Blog:
Recently it was announced via posts in underground forums and Pastebin posts that a new version of the Blackhole Exploit Kit (BHEK), version 2.0, had been released. (The original announcement was in Russian; an English translation has been provided by researcher Denis Laskov and may be found here.)
We cannot confirm that BHEK 2.0 has been fully deployed by cybercriminals yet. However, intriguing evidence suggests that some parts of BHEK version 2.0 are already being beta-tested in the wild.
The announcement explicitly called out changes in the URLs that BHEK uses:
In version 1. * link to malicious payload unfortunately was recognizable for AV companies and reversers, she [sic] looked this kind,. /Main.php?Varname=lgjlrewgjlrwbnvl2. The new version of the link to the malicious payload you can choose yourself, here are some examples: /news/index.php,/contacts.php and so on, now for the moment no one AV can not catch.
Let's look at three recent BHEK spam runs to see where they fit here. One spam run, using the name of the Federal Deposit Insurance Corporation (FDIC), was a classic BHEK 1.x spam run with an infection chain of this format:
In contrast to this, both the eFax and ADP spam runs used the new URL format. eFax used the following format:
Continued : http://blog.trendmicro.com/blackhole-2-0-beta-tests-in-the-wild/
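The announcement's own example is enough to write a URL heuristic for the 1.x shape: one .php resource with a single query parameter whose value is a long lower-case alphanumeric token. The script below is an added example for this thread, not Trend Micro's detection logic; the 12-character minimum and the log format (timestamp, client, method, URL) are assumptions, and the log lines and .invalid hosts are constructed. It deliberately leaves the 2.0-style paths (/news/index.php, /contacts.php) unflagged, because that is exactly the gap the announcement boasts about.

```python
"""Added example: flag proxy-log URLs that match the BHEK 1.x landing-page shape quoted
in the announcement. Heuristic derived from that single example; not Trend Micro's code."""
import re
from urllib.parse import urlsplit, parse_qsl

# 12+ lower-case letters/digits with no separators, as in "lgjlrewgjlrwbnvl2" (assumed minimum)
TOKEN_RE = re.compile(r"^[a-z0-9]{12,}$")


def looks_like_bhek1(url: str) -> bool:
    """One .php resource, exactly one query parameter, random-looking token value."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(".php"):
        return False
    params = parse_qsl(parts.query, keep_blank_values=True)
    return len(params) == 1 and TOKEN_RE.match(params[0][1]) is not None


def scan_log(text: str) -> list:
    """Return (client, url) for each flagged line of a 'timestamp client method url' log."""
    flagged = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        if looks_like_bhek1(url):
            flagged.append((client, url))
    return flagged


# Constructed log lines (hosts are .invalid placeholders, not real infrastructure).
SAMPLE_LOG = """
1347600000.123 10.0.0.5 GET http://example-a.invalid/Main.php?Varname=lgjlrewgjlrwbnvl2
1347600001.456 10.0.0.7 GET http://example-b.invalid/news/index.php
1347600002.789 10.0.0.9 GET http://example-c.invalid/contacts.php
1347600003.012 10.0.0.5 GET http://www.example.invalid/search.php?q=blackhole
1347600004.345 10.0.0.8 GET http://example-d.invalid/index.php?id=abc123def456ghi7
"""

if __name__ == "__main__":
    for client, url in scan_log(SAMPLE_LOG):
        print("BHEK 1.x-style landing URL:", client, url)
```

Two of the five constructed lines are flagged; the two 2.0-style requests look like any CMS page. For the new format you have to pivot to something other than the URL: the redirect chain from the spam link, the freshly registered domain, or the exploit-kit payload fetched right after the landing page.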
WhatsApp accounts almost completely unprotected
Tests performed by The H's associates at heise Security have found that popular texting alternative WhatsApp is easily hacked using freely available tools. Anyone using WhatsApp on a public Wi-Fi network risks having their data sniffed and their account used to send and receive messages. Once hacked, there is no way to restore account security - attackers will be able to continue to use the hacked account at their discretion.
Over the last week the lack of security inherent in WhatsApp's authentication has gradually become clear. Researchers have discovered that the client uses an internally generated password to log on to the server; this password is generated on Android devices from the device's serial number (IMEI) and on iOS devices from the MAC address of the Wi-Fi interface. The problem with this is that the information is anything other than secret - the IMEI can often be found on stickers inside of Android phones (usually under the battery) and can also be obtained using a shortcut key combination or by any app.
Sniffing this data is even easier when it comes to devices running iOS - the MAC address is visible to anyone within range of the Wi-Fi network being used. If this is a public Wi-Fi network, in a busy coffee shop, for example, data sniffers can even determine the user's phone number from the data packet transmitted by WhatsApp. Taking over the account is child's play - attackers don't even need to know who their victim is. The whole situation is even less understandable considering that there is already a shared secret between WhatsApp and the user in the form of a confirmation code sent by text message when the user first registers.
Continued : http://www.h-online.com/security/news/item/WhatsApp-accounts-almost-completely-unprotected-1708545.html
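What "visible to anyone within range" means in practice, as an added example for this thread (not code from heise or WhatsApp): on iOS the identifier the article says the password is derived from is the Wi-Fi MAC address, and that address is in the unencrypted header of every 802.11 data frame the phone sends, so a passive listener reads it off the air and recomputes the credential without knowing who the victim is. The article does not give WhatsApp's actual derivation function; the SHA-256 stand-in below, the constructed frame and the locally administered MAC addresses are assumptions. The last function shows the alternative the article argues for: a secret tied to the SMS confirmation step, which nothing on the air lets you recompute.

```python
"""Added example: recover the transmitting station's MAC from an 802.11 data frame header
and recompute a credential derived deterministically from it. The derivation is an
illustrative stand-in, not WhatsApp's function, which the article does not give."""
import hashlib
import secrets


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def build_data_frame(src_mac: str, bssid: str, dst_mac: str, payload: bytes) -> bytes:
    """Constructed 802.11 data frame (ToDS=1, station to AP): frame control, duration,
    addr1=BSSID, addr2=source station, addr3=destination, sequence control, payload."""
    frame_control = b"\x08\x01"          # type 2 (data), subtype 0; flags: ToDS set
    duration = b"\x00\x00"
    seq_ctrl = b"\x10\x00"
    return (frame_control + duration + mac_to_bytes(bssid) + mac_to_bytes(src_mac)
            + mac_to_bytes(dst_mac) + seq_ctrl + payload)


def transmitter_mac(frame: bytes) -> str:
    """Address 2 of a data frame is the transmitting station (the phone) when ToDS=1, FromDS=0."""
    fc0, flags = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    if (flags & 0x1) == 0 or (flags & 0x2):
        raise ValueError("expected ToDS=1, FromDS=0")
    return ":".join(f"{b:02x}" for b in frame[10:16])


def identifier_derived_password(identifier: str) -> str:
    """Stand-in for a password derived from a public identifier (assumption, not WhatsApp's)."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def registration_secret() -> str:
    """What the article argues for: a fresh secret issued after the SMS confirmation code
    is verified, so nothing broadcast on the air lets a listener recompute it."""
    return secrets.token_hex(16)


def sniff_and_recompute(frame: bytes) -> str:
    """Everything the eavesdropper needs is in the header; no knowledge of the victim required."""
    return identifier_derived_password(transmitter_mac(frame))


# Constructed capture: locally administered addresses, nothing from a real network.
PHONE_MAC = "02:1a:2b:3c:4d:5e"
FRAME = build_data_frame(PHONE_MAC, "02:aa:bb:cc:dd:ee", "02:00:5e:00:00:01", b"client hello")


if __name__ == "__main__":
    client_side = identifier_derived_password(PHONE_MAC)
    print("listener recovers the credential:", sniff_and_recompute(FRAME) == client_side)
```

The point is not the hash: any function of the MAC, however strong, is reproducible by whoever sees the MAC. WPA2 on the hotspot would not help either, since the 802.11 header stays in the clear even when the payload is encrypted.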
how we can stop following WhatsApp data on facebook
Easy, Stop Using It/Remove App Till It's Fixed !!
Beware of iOS Apps that Send Plaintext Passwords
From Bitdefender Labs "HotforSecurity" Blog:
"Passwords are the last, and sometimes only, line of defense against online criminals. The average computer users know not to leave their critical passwords lying around for all to see."
Some iOS app developers, however, are apparently less careful when handling users' vital information. Bitdefender Labs analyzed some highly-rated free iOS apps starting from the premise that they should handle credentials wisely, only to find out that some of them don't.
With 65,427 three-and-a-half customer-rated stars at the time of writing, Wi-Fi Finder By JiWire Inc. was found to broadcast passwords in plaintext. The app, which enables users to find free or paid Wi-Fi networks, does not seem to encrypt any broadcasted passwords, making it easy for someone with minimum spoofing knowledge to peek at them.
An iOS app that offers "to keep track of your expenses and personal finances on the go" also sends plaintext passwords. Texthog has more than 1,526 customer-rated stars, suggesting that it's quite popular. Auto sync with your texthog.com account could be risky if you're doing it over a Wi-Fi network while somebody is monitoring your traffic.
Continued : http://www.hotforsecurity.com/blog/beware-of-ios-apps-that-send-plaintext-passwords-3481.html
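Checking for this yourself is straightforward once you can see the traffic. The script below is an added example for this thread, not Bitdefender's tooling and not taken from the apps named above: it parses HTTP requests as a listener on a shared Wi-Fi would capture them and reports credential-looking fields sent in query strings, form bodies, JSON bodies or a Basic Authorization header. The field names, hosts and captured requests are constructed placeholders. Anything this returns was sent without TLS; a request that is not on the wire in the clear never reaches it.

```python
"""Added example: spot credentials leaving a device in the clear over HTTP, the behaviour
the Bitdefender post describes. Hosts, paths and field names are constructed placeholders."""
import base64
import json
from urllib.parse import parse_qsl, urlsplit

CRED_FIELDS = {"password", "passwd", "pass", "pwd", "pin", "secret"}   # assumed list


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.decode("latin-1")


def _json_credentials(obj, found):
    """Walk nested JSON and collect credential-named string values."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k.lower() in CRED_FIELDS and isinstance(v, str):
                found.append((k, v))
            _json_credentials(v, found)
    elif isinstance(obj, list):
        for item in obj:
            _json_credentials(item, found)


def find_plaintext_credentials(raw: bytes) -> list:
    """Return (host, where, field, value) for every credential carried by a cleartext request."""
    method, target, headers, body = parse_request(raw)
    host = headers.get("host", "?")
    found = []
    for field, value in parse_qsl(urlsplit(target).query):
        if field.lower() in CRED_FIELDS:
            found.append((host, "query", field, value))
    ctype = headers.get("content-type", "").split(";")[0].strip()
    if ctype == "application/x-www-form-urlencoded":
        for field, value in parse_qsl(body):
            if field.lower() in CRED_FIELDS:
                found.append((host, "form", field, value))
    elif ctype == "application/json":
        pairs = []
        try:
            _json_credentials(json.loads(body), pairs)
        except ValueError:
            pass                          # malformed JSON: nothing to extract
        found.extend((host, "json", k, v) for k, v in pairs)
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
            found.append((host, "basic-auth", user, pw))
        except ValueError:
            pass                          # not valid base64
    return found


# Constructed captures; nothing here was taken from the apps named in the post.
FORM_LOGIN = (b"POST /api/login HTTP/1.1\r\nHost: sync.example-finance.invalid\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              b"username=alice&password=hunter2xyz")
JSON_LOGIN = (b"POST /v1/session HTTP/1.1\r\nHost: api.example-hotspots.invalid\r\n"
              b"Content-Type: application/json; charset=utf-8\r\n\r\n"
              b'{"user": {"email": "bob@example.invalid", "password": "s3cret!"}}')
BASIC_FETCH = (b"GET /feed?format=json HTTP/1.1\r\nHost: api.example-hotspots.invalid\r\n"
               b"Authorization: Basic " + base64.b64encode(b"carol:pa55") + b"\r\n\r\n")
NO_CREDS = b"GET /status HTTP/1.1\r\nHost: sync.example-finance.invalid\r\n\r\n"


if __name__ == "__main__":
    for raw in (FORM_LOGIN, JSON_LOGIN, BASIC_FETCH, NO_CREDS):
        for host, where, field, value in find_plaintext_credentials(raw):
            print(f"{host}: {field} sent in the clear via {where} ({len(value)} chars)")
```

Basic auth is included because developers often think of it as "encoded" rather than plaintext; it is base64, which any listener reverses. The fix on the app side is the same in every case: send the request over TLS and pin or at least validate the certificate, since the field name does not matter once the channel is encrypted.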
Researcher Charlie Miller Joins Twitter Security Team
Twitter quietly is assembling a serious security team, with the most recent addition being Charlie Miller, the security researcher known for finding a long line of bugs in the iPhone and other Apple products. Miller, a respected and prolific researcher, will join the social network's security team next week.
When he arrives, Miller will join a team that also includes Moxie Marlinspike, the security and privacy researcher who developed the SSLstrip attack as well as the RedPhone and WhisperCore security systems for Android phones. Twitter later acquired his company, Whisper Systems, and Marlinspike has been working on the company's internal team since.
Miller has worked on a wide variety of research topics, with his most recent one being a project funded by DARPA that looked at the security properties of NFC chips in various mobile phones. In the course of that research, Miller developed techniques that enabled him to force users' phones to connect to a given Web site or take complete control of the vulnerable phone.
Continued : https://threatpost.com/en_us/blogs/researcher-charlie-miller-joins-twitter-security-team-091412
IT Executive Revealed As PlugX RAT Malware Creator
"AlienVault identified the suspect by traces of his personal information scattered online"
Security experts at AlienVault have tracked down the creator of the PlugX Remote Access Tool (RAT), used in hacker attacks around the world. To their surprise, the brains behind the software was actually one of the directors of a Chinese IT company.
The sleuths analysed the traces of PlugX activity, and identified the suspected programmer, which led them to his address, photo and the name of the company he was working for - ChinaNSL Technology.
Digital detective work
AlienVault has been tracking PlugX, also known as Korplug, for the past few months, analysing the payloads of the attacks and collecting intelligence.
PlugX is a backdoor malware with a high damage potential. Once on the system, it executes commands from a remote malicious user, effectively compromising the affected computer.
The tool was mainly used by hackers in Japan, Taiwan, China, Korea and against Tibetan organizations. The security experts were almost certain that the creator of the malware has been participating in the attacks himself.
Continued : http://www.techweekeurope.co.uk/news/plugx-rat-malware-creator-is-an-it-company-director-92780
AlienVault doxes the man behind the PlugX RAT
Is 'Virus Expert' Tied To PlugX RAT Malware?
AlienVault Tracks Down Developer of PlugX RAT
PlugX RAT related: PlugX: New Tool For a Not So New Campaign