CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for the ‘Malware’ Category

Apple Plugs Java Hole After Flashback Trojan Creates 550,000 Strong Mac Botnet

Thursday, April 5th, 2012

Apple released a security update for OS X Java on Tuesday, plugging a security vulnerability exploited by the latest Flashback Trojan. The latest variant of the Mac-specific malware appeared on Monday and targeted a vulnerability in Java (CVE-2012-0507) which was patched on Windows machines more than six weeks ago.

Apple’s new version of Java for OS X 10.6 (Snow Leopard) and 10.7 (Lion) offers Mac users equivalent protection.

Doctor Web, a Russian anti-virus vendor, conducted research to determine the scale of the Flashback Trojan's spread on Mac OS X. The BackDoor.Flashback botnet now encompasses more than 550,000 infected machines, most of them located in the United States and Canada. This once again refutes claims by some experts that there are no cyber-threats to Mac OS X.

Systems get infected with BackDoor.Flashback.39 after a user is redirected to a bogus site from a compromised resource or via a traffic distribution system. JavaScript code is used to load a Java applet containing an exploit. Doctor Web’s virus analysts discovered a large number of web-sites containing the code and published a list of the recently discovered ones.

According to some sources, links to more than four million compromised web-pages could be found on a Google SERP at the end of March. In addition, some posts on Apple user forums described cases of infection by BackDoor.Flashback.39 when visiting dlink.com.

Attackers began exploiting the CVE-2011-3544 and CVE-2008-5353 vulnerabilities to spread the malware in February 2012, and after March 16 they switched to another exploit (CVE-2012-0507). Apple closed that vulnerability only on April 3, 2012.

The exploit saves an executable file onto the hard drive of the infected Mac. The file is used to download the malicious payload from a remote server and to launch it. Doctor Web found two versions of the Trojan horse: attackers started using a modified version of BackDoor.Flashback.39 around April 1. Like the older versions, the launched malware first searches the hard drive for the following components:

/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app

If none of these files is found, the Trojan uses a special routine to generate a list of control servers, sends an installation success notification to the intruders’ statistics server and then queries the control server addresses in turn.

It should be noted that the malware utilizes a very peculiar routine for generating such addresses. It can also switch between several servers for better load balancing. After receiving a reply from a control server, BackDoor.Flashback.39 verifies its RSA signature and then, if the check succeeds, downloads and runs the payload on the infected machine. It may get and run any executable specified in a directive received from a server.

Each bot includes a unique ID of the infected machine in the query string it sends to a control server. Doctor Web’s analysts used sinkholing to redirect the botnet traffic to their own servers and were thus able to count infected hosts.

As of April 4, over 550,000 infected machines running Mac OS X were part of the botnet. These comprise only the segment of the botnet set up by means of this particular BackDoor.Flashback modification. Most infected computers reside in the United States (56.6%, or 303,449 infected hosts), Canada comes second (19.8%, or 106,379 infected computers), the third place is taken by the United Kingdom (12.8%, or 68,577 cases of infection) and Australia with 6.1% (32,527 infected hosts) is fourth.
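The counting method described above, as an added example that is not Doctor Web's code: sinkhole access-log lines are parsed, the per-bot unique ID is taken from the query string, and bots are counted by ID rather than by source IP, so a host that checks in repeatedly or from several addresses is counted once. The log format, the query parameter name `id`, and the prefix-to-country table are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample sinkhole access log (combined-log style). The "id"
# parameter and its value format are assumptions, not the real Flashback format.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Apr/2012:10:00:01 +0000] "GET /check?id=AAAA-1111 HTTP/1.1" 200 12
203.0.113.10 - - [04/Apr/2012:10:05:01 +0000] "GET /check?id=AAAA-1111 HTTP/1.1" 200 12
198.51.100.7 - - [04/Apr/2012:10:06:30 +0000] "GET /check?id=BBBB-2222 HTTP/1.1" 200 12
192.0.2.44 - - [04/Apr/2012:10:07:11 +0000] "GET /check?id=CCCC-3333 HTTP/1.1" 200 12
192.0.2.45 - - [04/Apr/2012:10:07:12 +0000] "GET /check?id=CCCC-3333 HTTP/1.1" 200 12
198.51.100.8 - - [04/Apr/2012:10:09:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0
"""

# Constructed geolocation stub: address prefix -> country (documentation ranges).
GEO = {"203.0.113.": "US", "198.51.100.": "CA", "192.0.2.": "UK"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def extract_bot_id(path):
    """Pull the bot's unique machine ID out of the request query string."""
    ids = parse_qs(urlsplit(path).query).get("id")
    return ids[0] if ids else None


def geolocate(ip, geo):
    """Map a source IP to a country using the prefix table (stub lookup)."""
    for prefix, country in geo.items():
        if ip.startswith(prefix):
            return country
    return "??"


def count_bots(log_text, geo):
    """Count infected hosts by unique bot ID and break them down by country."""
    first_ip = {}        # bot id -> first source IP seen (used for geolocation)
    ips_per_bot = {}     # bot id -> set of source IPs it checked in from
    all_ips = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        bot_id = extract_bot_id(rec["path"])
        if bot_id is None:
            continue     # not a bot check-in (e.g. a browser probing favicon.ico)
        all_ips.add(rec["ip"])
        first_ip.setdefault(bot_id, rec["ip"])
        ips_per_bot.setdefault(bot_id, set()).add(rec["ip"])
    by_country = Counter(geolocate(ip, geo) for ip in first_ip.values())
    total = len(first_ip)
    share = {c: round(100.0 * n / total, 1) for c, n in by_country.items()} if total else {}
    return {
        "unique_bots": total,
        "unique_ips": len(all_ips),           # counting by IP would over-count
        "by_country": dict(by_country),
        "share_pct": share,
        "multi_ip_bots": sorted(b for b, s in ips_per_bot.items() if len(s) > 1),
    }
```

Bots seen from more than one address (NAT, DHCP churn or a laptop on the move) are reported separately, since they are the reason an IP-based tally would differ from the ID-based one.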

In related news, Mozilla introduced changes in Firefox on Monday that will block older versions of Java that harbour critical vulnerabilities, specifically the increasingly infamous CVE-2012-0507 security flaw. “Blocklisting” forbids outdated plugins from running, unless specific approval is given. Mozilla has only introduced the technology into Windows versions of its open-source browser software, leaving Mac users without the added safety net.

Java is not needed to surf the net, with the exception of applications on some e-banking websites. Security firms – including F-Secure, Sophos and others – have begun advising users to disable the technology in their browsers as a largely unnecessary security risk.

Credit: The Register
Credit: news.drweb.com

Scareware Makes Files And Folders Invisible, Demands Ransom For Repair Utility

Thursday, March 8th, 2012

Bitdefender experts came across a piece of scareware that makes victims believe that something may have happened to all the files and folders stored on their computers. The user is then requested to pay $80 (60 EUR) for a tool that allegedly addresses the problem.

Scareware and ransomware are not uncommon; many security solution providers have released advisories on how to handle threats that pose as law enforcement agencies demanding the payment of fines and accusing the user of copyright infringement. This Trojan, however, relies on the fact that many computer owners panic if they see that all their personal files and folders have suddenly disappeared.

Identified as Trojan.HiddenFilesFraud.A, the rogue disk repair utility starts operating by informing the user of certain issues that affect the computer. Since many people are already accustomed to fake AVs, this malicious application has an ace up its sleeve that makes everything look more realistic.

It changes the attributes of all files and folders, setting them as Hidden, so that the user may think that everything has been deleted from the hard drive. Certain key shortcuts are also disabled to induce more panic. Even worse, the worm that downloads HiddenFilesFraud.A, Win32.Brontok.AP@mm, ensures that the files’ attributes can’t be modified from Windows Explorer back to their original state.

After displaying the numerous “errors” that affect the system, the scareware advertises a repair utility that costs $80 (60 EUR). Of course, just as in the situations presented on other occasions, the so-called utility does absolutely nothing.

Brontok.AP@mm, the element responsible for installing Trojan.HiddenFilesFraud.A, quickly copies itself on removable media drives to ensure that it spreads without difficulty from one computer to another.

Scareware most often relies on the fact that users fail to keep their security software up to date. That’s why users are always advised to ensure that a decent, updated antivirus solution is keeping an eye out for malicious elements.

Credit: Softpedia.com News

osCommerce Compromised Sites Distribute ZeuS Spin-off Trojan, Millions Of Pages Infected

Friday, August 26th, 2011

Security researchers warn that variants of a ZeuS spin-off trojan called Ice-IX are being distributed from osCommerce websites compromised during a recent mass injection attack. The attack targeting osCommerce installations vulnerable to a flaw that dates from November 2010 began at the end of July.

The code injection campaign escalated quickly: the number of infected pages jumped from 90,000 to over 3.8 million within a week and to 8 million two weeks later. The attack even prompted the German Federal Office for Information Security (BSI) to issue an alert because many of the infected websites are German online shops.

The code injected into the pages leads to externally-hosted drive-by download exploits that target vulnerabilities in unpatched versions of Java, Adobe Reader, Internet Explorer and Windows XP. If exploitation is successful, a trojan is installed on the victim’s computer. According to the Malware Domain List, a non-commercial community project that tracks malicious URLs, that trojan is now Ice-IX.

“Ice-IX (modified Zeus) is currently being distributed by Oscommerce mass compromise campaign,” the project warned via Twitter. Ice IX is a new banking trojan based on the ZeuS source code leaked earlier this year.

The Ice-IX builder is sold on the underground market for as much as $1,800. Like ZeuS, it injects itself into browser processes to steal information, but one particularity of the samples seen so far is that they also steal Amazon AWS credentials.

Online shop owners who use osCommerce should upgrade to versions 2.3.1 or 3.0.2 of the platform as soon as possible. They are also advised to strengthen the security of their installations by implementing several recommendations described in a post on the osCommerce support forum.

Users should keep the software installed on their computers up to date and should run an antivirus solution capable of scanning web traffic.

Credit: Softpedia.com News

Microsoft Releases Standalone System Sweeper, Bootable Malware Scanner For Infected Computers

Thursday, June 2nd, 2011

Microsoft is now providing customers with a standalone malware scanner running from bootable CDs, DVDs or USB drives, for use on systems that are infected with sophisticated threats. The tool, called Microsoft Standalone System Sweeper, might have been available for some time now, but Microsoft didn’t actively promote it to the masses. Instead, it asked its customer support staff to decide which cases warrant its use.

Computer malware comes in various forms and with different capabilities. Some threats are more sophisticated and resilient to removal than others. Many families of malware interfere with certain antivirus programs by preventing them from running on infected systems or stopping their services.

Others prevent access to security websites in order to stop victims from downloading anti-malware programs or asking for help. One type of persistent malware is the rootkit. Rootkits register themselves as drivers, which gives them low-level access to the operating system. In some cases they can even interact directly with the hard drive without relying on the Windows file system APIs, and they can use this functionality to protect themselves.

One particularly nasty type of rootkit is capable of writing code into the master boot record (MBR). This allows it to control the boot process and start even before the operating system, which is why such rootkits are referred to as bootkits.

All these threats pose various problems for traditional antivirus programs which can make properly cleaning a Windows installation while it’s running impossible. To solve this issue, some antivirus vendors have created so-called rescue discs, bootable CDs that start a separate operating system and can run their anti-malware products unrestricted. This is a very effective method, because the malware can’t interfere with the scanning process and everything is run from memory; nothing is installed on the hard drive.

It looks like Microsoft has decided to provide a similar solution in the form of a tool called Microsoft Standalone System Sweeper. This tool is still in beta and depends on the Windows installation. The other antivirus vendors normally use Linux for their rescue discs.

Users can download a builder application which creates a bootable CD, DVD or USB drive. They have to choose between a 32-bit or a 64-bit version, depending on the architecture of the infected Windows system they want to clean.

The link to this tool is now available in our Free Anti-virus, Online Scan And Rescue CDs page.

Credit: Softpedia.com News

Geek.com Compromised, Visitors Infected With Malware

Monday, May 16th, 2011

Security researchers from cloud security provider Zscaler warn that technology website geek.com was compromised and many of its pages are executing drive-by download attacks against visitors. Geek.com is one of the oldest technology news websites around, dating back to 1996, the dawn of the commercial World Wide Web.

Attackers have managed to inject rogue IFrames into different portions of the site, both within articles and the site’s main pages like home, about us, etc. According to Umesh Wanve, a senior security research engineer at Zscaler, there are multiple infections and the iframes take visitors to different malicious websites.

One example is the rogue code injected into a May 13 article about Call of Duty: Modern Warfare 3 details being leaked, which redirects visitors to an exploit kit. These kits perform various checks to determine what versions of certain programs users have installed on their computers and then serve exploits for vulnerabilities in those products.

The most commonly used applications like Java Runtime Environment, Flash Player, Adobe Reader or the browser itself are usually targeted. “As this first article is highlighted and ‘Call of Duty’ is a very popular game, one can assume that many people have fallen victim to this attack,” Mr. Wanve says.

Drive-by download attacks are currently one of the main malware distribution channels on the Internet. They are very dangerous because in most cases they are completely transparent to victims. “Unfortunately, we see hundreds of attacks such as this each and every day. Many legitimate websites are being compromised by taking advantages of poor coding practices in web applications,” the Zscaler security researcher says.

Users can protect themselves by keeping all of their software up to date, including the operating system itself, and running anti-virus products capable of scanning web traffic. Mozilla Firefox users can also use advanced extensions such as NoScript.

Credit: Softpedia.com News

Goal.com Parts Injected With Malware-Serving Code, Multiple Pages Including English Affected

Tuesday, May 3rd, 2011

Security researchers from Armorize warn that attackers have managed to inject visitor-infecting code into the popular soccer news website goal.com. The rogue iframe has been inserted, probably through SQL injection techniques, into multiple goal.com pages including the main English one.

“From what we’ve collected, parts of goal.com seem to have been compromised allowing the attacker to manipulate content at will. A backdoor may exist to allow the attacker continuous control of goal.com’s content,” the researchers write.

Furthermore, they believe the attacker was only testing his exploits, which led to the compromise being picked up by the company’s automated scanners.

If this is true, it would be very odd behavior, given that goal.com is a pretty high-profile target to waste on simple tests. The website has over 200,000 unique visitors per day and ranks 379 on Alexa. The pool of potential victims is very varied because the site covers over 200 countries with content in 22 languages.

The injected iframe takes visitors through a series of redirects meant to determine the version of their browser, OS and other software.

The results influence what exploits are loaded. In this drive-by download attack, the cyber criminals are using a known exploit toolkit known as g01pack. An interesting feature of this pack is a fake admin/stats page intentionally protected with weak or default passwords to throw researchers off.
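The injected iframes described in this article and in the geek.com one above share the same tell-tale traits: an off-site `src`, a zero or one-pixel frame, or a frame hidden by CSS. The following is an added example, not Armorize's or Zscaler's code, of a simple scanner that flags such iframes in a page's HTML; the sample page and all domains in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample article page: one legitimate same-site embed, one injected
# off-site zero-size iframe, and one off-site iframe hidden inside display:none.
SAMPLE_HTML = """<html><body>
<h1>Call of Duty: Modern Warfare 3 details leaked</h1>
<iframe src="/embed/video?id=42" width="640" height="360"></iframe>
<p>article text<br>more text</p>
<iframe src="http://bad.example.net/in.php" width="0" height="0" frameborder="0"></iframe>
<div style="display:none"><iframe src="//evil.example.org/stats.php" width="1" height="1"></iframe></div>
</body></html>"""

# Elements that never get a closing tag, so they must not stay on the open-tag stack.
VOID = {"br", "img", "input", "meta", "link", "hr", "area", "base", "col", "embed", "source", "wbr"}


def _is_css_hidden(style):
    s = (style or "").replace(" ", "").lower()
    return "display:none" in s or "visibility:hidden" in s


def _tiny(value):
    """True for width/height of 0 or 1 pixel; non-numeric values are not tiny."""
    try:
        return int(str(value).rstrip("px")) <= 1
    except ValueError:
        return False


class IframeAuditor(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []          # (tag, hidden_by_css) for currently open elements
        self.findings = []       # (src, [reasons]) for every suspicious iframe

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden_parent = any(h for _, h in self.stack)
        if tag == "iframe":
            self._check(a, hidden_parent)
        if tag not in VOID:
            self.stack.append((tag, _is_css_hidden(a.get("style"))))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unbalanced markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def _check(self, a, hidden_parent):
        src = a.get("src") or ""
        host = urlsplit(src).netloc.lower()        # empty for relative URLs
        reasons = []
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            reasons.append("off-site src")
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero/one-pixel size")
        if hidden_parent or _is_css_hidden(a.get("style")):
            reasons.append("hidden by CSS")
        if reasons:
            self.findings.append((src, reasons))


def audit_iframes(html, site_host):
    """Return the suspicious iframes found in html for a site served from site_host."""
    p = IframeAuditor(site_host)
    p.feed(html)
    p.close()
    return p.findings
```

An off-site frame is only a lead, not proof of compromise (ad networks and video embeds look the same), so the scanner is best run against a baseline of the site's known third-party hosts.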

During their supposed testing, the attackers behind this compromise used exploits for Java (CVE-2010-1423), Windows (CVE-2010-1885, CVE-2006-0003) and Adobe Reader (CVE-2009-0927).

According to the Armorize analysts, the exploit code was “mutated,” a detection evasion technique used in addition to the regular obfuscation.

Fortunately, most domains involved in the attack were blacklisted by Google’s Safe Browsing service, which means that Firefox and Chrome users are protected. However, the AV detection rate for the installed malware remains pretty low (37%) at the time of writing this article.

Credit: Softpedia.com News

Malicious Advertisements Spotted On Yahoo! Philippines, Visitors Infected With Trojan

Thursday, April 28th, 2011

Security researchers have detected a malvertizing attack launched from the home page of Yahoo! Philippines in order to infect users with a trojan. Trend Micro detects this particular threat as TSPY_PIRMINAY.A, a trojan that collects sensitive data from computers and modifies the Windows HOSTS file to block access to The Pirate Bay, Mininova and other sites associated with them.
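Because the trojan described here blocks sites by rewriting the Windows HOSTS file, a quick integrity check of that file is a useful response step. The following is an added example, not Trend Micro's code: it parses a HOSTS file, ignores the expected local-only names, and reports every other hostname that is blackholed (mapped to loopback or 0.0.0.0) or hijacked (mapped to some other address). The sample file contents and its domains are constructed.

```python
import ipaddress
from pathlib import Path

# Constructed sample HOSTS file: default Windows comment lines, two "block" entries of
# the kind the trojan adds, and one hijack mapping a real-looking domain elsewhere.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1   thepiratebay.example  www.thepiratebay.example
127.0.0.1   mininova.example   # added by malware
198.51.100.9   update.vendor.example
"""

# Names that legitimately appear in HOSTS files and are not worth reporting.
EXPECTED_LOCAL = {
    "localhost", "localhost.localdomain", "broadcasthost", "local",
    "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters",
}

# Default Windows location (assumption: SystemRoot is C:\Windows).
WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every active mapping; comments are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue            # malformed line, not an address mapping
        for name in parts[1:]:
            yield ip, name.lower(), n


def audit_hosts(text, expected_local=EXPECTED_LOCAL):
    """Return (line_no, hostname, ip, verdict) for every non-local mapping."""
    findings = []
    for ip, name, n in parse_hosts(text):
        if name in expected_local:
            continue
        verdict = "blackholed" if (ip.is_loopback or ip.is_unspecified) else "hijacked"
        findings.append((n, name, str(ip), verdict))
    return findings


def audit_hosts_file(path=WINDOWS_HOSTS):
    """Audit a HOSTS file on disk (tolerates odd encodings by replacing bad bytes)."""
    return audit_hosts(Path(path).read_text(errors="replace"))
```

Ad-blocking HOSTS lists also show up as "blackholed" entries, so on a machine that uses one the interesting findings are the names that are not in that list.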

Even more intriguing is the fact that the malicious advertisement was for Yahoo! Philippines’ own Purple Hunt 2.0 competition. The original Purple Hunt was held in 2009 and involved users looking for clues online and offline in order to win prizes. The competition proved very popular so a second edition was organized for this year. The grand prize is a purple Hyundai i10 which is what the rogue ad displayed.

According to Maharlito Aquino, a threats analyst at Trend Micro who analyzed this latest attack, when clicked, the rogue ad served a file called com.com from randomly generated URLs.

COM is a binary executable format that dates back to the days of MS-DOS. It still works on many Windows systems today and has been used by malware pushers to trick users for a long time.

According to Mr. Aquino, the malicious ad was designed to offer the file for download only once to every user. To achieve this it probably kept a history of IP addresses that accessed it.

Yahoo’s ad security team was alerted and reacted quickly by blocking the malvertizement from infecting more users. However, the method used to put the rogue ad up on the site’s home page in the first place, was not revealed.

One common technique is tricking ad vetting employees to accept the ads by impersonating a legit advertising company. Another way is to compromise the ad server and inject the ad directly.

Credit: Softpedia.com News

Spotify.com Software Hit By Malicious Third-party Advertisements, Around 9 Million Users Affected

Friday, March 25th, 2011

Spotify users have fallen victim to a drive-by download attack instrumented via malicious ads displayed in the free version of the software. Spotify is a popular music streaming service with over 10 million registered users. It can be accessed via proprietary software available for most desktop and mobile operating systems. It’s estimated that around 9 million users have free accounts meaning they receive advertisements inside the software.

Starting yesterday people began seeing malware alerts from their antivirus programs when using the Windows version of the Spotify client. The problem was tracked back to malicious third-party advertisements displayed inside the application. Netcraft reports that at least one Java exploit was used to install malware on people’s computers.

Apparently the rogue ads loaded the Blackhole exploit pack, one of several drive-by download kits used by malware distributors. “We’re currently investigating and have pulled all third party display ads that could have caused the problem until we locate the specific advert,” Spotify told The Register.

Malicious advertising (malvertizing) is an increasingly common malware infection vector and one that has the potential to reach a large number of users very quickly. Malvertizing attacks are normally carried out in two ways, impersonation or ad server compromise. Impersonation involves attackers posing as legit advertisers in order to get their ads onto ad networks and then push malicious content through them.

On the other hand some websites maintain their own advertising servers, usually running OpenX software, which allows them to sell ad space directly. Attackers can exploit security holes in these servers if left unpatched and push their rogue ads onto websites.

To protect themselves from drive-by downloads and malvertizing, users are advised to keep all of their software, including the operating system, up to date. Browsing the Web with a capable antivirus product installed is also a must.

Credit: Softpedia.com News

Play.com Customers Database Breach Blamed On Silverpop, Users Already Receive Malware Spam

Tuesday, March 22nd, 2011

Online retailer Play.com has named its marketing partner Silverpop as the guilty party behind the disclosure of customer names and email addresses. Play.com is one of the UK’s largest online retailers of DVDs, CDs, books and consumer electronics gadgets.

The breach led on Sunday to spam being sent to email addresses registered only with the online retailer, a development that prompted howls of protest from users. These emails offered supposed software updates from Adobe but actually linked to sites serving up malware.

The offer of the latest version of Adobe Reader X out of the blue and via email is unlikely to have taken in many, since the ruse was neither timely, subtle nor salacious.

Play.com, which issued an apology to users via email on Tuesday morning, has since come forward with an official statement from chief exec John Perkins (below) that seeks to downplay the significance of the admitted breach. In particular the online retailer stresses that the snafu only affected email details, and not credit card details or other sensitive information.

On Sunday 20 March some customers reported receiving a spam email to email addresses they only use for Play.com.

We reacted immediately by informing all our customers of this potential security breach in order for them to take the necessary precautionary steps. We believe this issue may be related to some irregular activity that was identified in December 2010 at our email [marketing] service provider Silverpop.

Investigations at the time showed no evidence that any of our customer email addresses had been downloaded. We would like to assure all our customers that the only information communicated to our email [marketing] service provider was email addresses. Play.com has taken all the necessary steps with Silverpop to ensure a security breach of this nature does not happen again.

We would also like to reassure our customers that all other personal information (i.e. credit cards, addresses, passwords, etc.) is kept in the very secure Play.com environment. Play.com has one of the most stringent internal standards of e-commerce security in the industry. This is audited and tested several times a year by leading internet security companies to ensure this high level of security is maintained.

On behalf of Play.com, I would like to once again apologise to our customers for any inconvenience due to a potential increase in spam that may be caused by this issue.

Credit: The Register

Japanese Earthquake And Tsunami Searches Infect Users With Malware

Friday, March 11th, 2011

Security researchers advise users to exercise caution when searching for information about the massive earthquake and tsunami waves that hit Japan, because they might end up on scareware pages.

The Internet is abuzz with updates on the devastating effects of the 8.9-magnitude earthquake that hit today 130 kilometers off the coast of Japan and triggered 10-meter-high tsunami waves. There are at least 500 confirmed deaths and over 110,000 people missing so far as a result of the catastrophe and their number keeps growing by the hour.

Unfortunately, cyber criminals are trying to exploit disasters like this for profit by poisoning search results with links leading to fake antivirus programs. Known as black hat search engine optimization (BHSEO), these attacks can be observed after every major event that manages to attract considerable interest from the public. We’ve seen BHSEO campaigns following the Haiti earthquake last year, the 2009 California wildfires, the recent floods in Australia, Brazil and the Philippines and even the New Zealand Christchurch earthquake last month.

Fake antivirus programs, also known as scareware or rogueware, attempt to trick users into purchasing useless licenses by falsely claiming their computers are infected. Scareware distribution has been one of the most profitable cyber criminal businesses during the past several years, and the generated income is commonly used to finance other types of illegal activities.

“Blackhat SEO leading to rogue antivirus is still very much a common Web attack. We recommend that our readers get the latest news from trusted media outlets to prevent being victimized by this blackhat SEO,” Trend Micro security researchers write.

The vast majority of BHSEO attacks have traditionally occurred on Google, but since the company has significantly improved its detection, attackers are increasingly targeting other search engines as well.

Credit: Softpedia.com News