Category: Malware

Trojan pr0n dialers make comeback on mobile phones

Filed under Malware, Viruses

After taking a long hiatus, trojan dialers that can rack up thousands of dollars in charges are back by popular demand.

According to researchers at CA Security’s malware analysis lab, a new wave of malicious dialers is hitting users of mobile phones. The trojans are built on the Java 2 Micro Edition programming language and cause infected handsets to send SMS messages to high-cost numbers, at great expense to the victim.

“As soon as the application is loaded, this malicious software starts to send premium text messages,” CA warned on Tuesday. “The messages sent out are in the typical format to invoke premium services and land the mobile user with heavy mobile bills without the user’s knowledge and consent.”

Malware that automatically dials pricey premium numbers was all the rage a decade ago, when dial-up internet services required computers to connect to a phone line. With the growth of broadband connections the frequency of dialers waned.

The explosion of smart phones that can run software made by anyone has given malicious dialers a new lease on life. And as was the case in the days of yore, they mostly tap into porn services.

Source: The Register

Rogue phishing app smuggled onto Android Marketplace

Filed under Malware

A phisher hoping to harvest bank login details managed to smuggle his app onto the Android app store.

Malicious apps posted by Droid09 were quickly identified, prompting a warning to legitimate users and a ban for the VXer. The incident raises questions about whether a tighter vetting process is needed for the Android Marketplace.

The rogue Android application posed as a legitimate banking applet, but was actually designed to trick marks into handing over bank login details to fraudsters, an alert by credit union First Tech warns. The credit union, which said it wasn’t targeted by the attack, doesn’t even have an app for Android as yet.

Android fans who downloaded any of Droid09's apps are advised to purge them from their phones before consulting their mobile phone firm for further advice.

The incident happened in December, but became public after news outlets picked up on First Tech Credit Union’s fraud alert on Monday.

Source: The Register

Aggressive phishing campaign spoofing Microsoft Office Outlook Web Access

Filed under Malware, Privacy

An aggressive spear phishing email campaign is inviting recipients to “apply a new set of settings” to their mailboxes because of a recent “security upgrade” of their mailing service.

An embedded link in the email connects users to a web site that appears to be a Microsoft Office Outlook Web Access page, including official Microsoft and Microsoft Office logos. On the page, users are directed to “download and launch a file with a new set of settings for your e-mail account.”

The executable is actually a Zbot Trojan virus similar to Trojans distributed in recent H1N1 and Facebook phishing attacks.

“This spear phishing campaign is unusual in that it is highly personalized and is targeting a very large number of domains with a customized message for each domain,” said Dr. Tom Steding, president and CEO of Red Condor.

“Spear phishing campaigns usually target a single organization or domain, but this attack broke the mold as the volume and targets are very high. Once again, this is a perfect example of scammers modifying their tactics to thwart traditional security systems and demonstrates the importance of having an advanced, real-time email security solution. For Red Condor customers, the messages were blocked immediately, and a new filtering rule was in place within a few minutes of detecting the campaign.”

A spear phishing campaign is a highly targeted form of phishing that typically targets a single organization. Emails appear as if they come from a trusted source, such as an employer who would normally send an email to the entire company or a well-known organization.

Source: Help Net Security

2009 was a record year for malware

Filed under Malware

A PandaLabs report claims that 2009 will go down as perhaps the most prolific in malware history. In 2009, malware creators tapped into search tools used by the majority of web surfers, and exploited current events and popular culture.

The impact of malware, the PandaLabs report suggests, has been more damaging in 2009 than in any other year to date. In 2009, hackers managed to squeeze more money out of their malfeasance than in any prior year, while supplying a near-endless stream of new malware samples. According to PandaLabs, 55 000 new samples of malware were discovered by information security organizations every day. PandaLabs’ data indicate that more new malware was developed in 2009 than during its 20 previous years of tracking computer viruses.

In what can be considered a troubling development, cybercriminals have tapped into SEO techniques to scam the web’s most frequently used search engines in an effort to distribute malware. The past year saw a sharp increase in such attacks, as unsuspecting web surfers clicked on items listed in search engines such as Google, opening up their systems to malware attacks. PandaLabs noted that even individual users and organizations that employed proper and comprehensive security measures were not immune to the blossoming of widespread malware attacks. It cited a string of February 2009 attacks in which visitors to eWeek’s site initiated malware strikes via the launch of Google’s DoubleClick ad banners. Panda also referenced a similar attack in September 2009 through the New York Times website, one of the most frequently visited and popular sites in the US.

Perhaps the most disturbing trend from 2009 involves the prevalence of malware on machines throughout the world. Panda cited data from ActiveScan 2.0, a free online service whereby users can scan their computers to determine whether they have been infected by malware. US computers clocked in at a 50% infection rate according to ActiveScan’s numbers. That is not nearly as bad as the 62% of computers infected by malware in Taiwan, but far more than the roughly 32% of computers infected by malware in Sweden, which came in at the bottom of the list. Still, if you take these figures into consideration, and you’re a US household with two computers, then it is likely that at least one of them is infected with malware.

Source: Infosecurity-US

Researchers Infiltrate Storm Botnet Successor

Filed under Malware, Viruses

In an undercover mission to learn more about the size and scope of the son of the infamous Storm botnet, Waledac, German researchers have discovered the spamming botnet is much bigger and more efficient than previously thought.

The University of Mannheim and University of Vienna team boldly infiltrated the Waledac botnet from Aug. 6 through Sept. 1 of last year using a cloned Waledac bot they built and code-named “Walowdac.” The phony bot injected the IP addresses of the researchers’ analysis systems into the botnet, and the researchers were able to collect detailed data on the botnet and its inner workings. They found Waledac runs a minimum of 55,000 bots a day, with a total of 390,000 bots — much larger than previous estimates of 20,000 or so bots.

The researchers also were able to measure success rates of various spam campaigns launched by Waledac, and were able to observe up close Waledac’s newer features, such as the ability to steal credentials from bot-infected machines. Their clone did not do any spamming, however. “We used an implementation of the bot that speaks all of the protocols and communicates like a bot would do. We had full control over it, and it didn’t send any spam…it just participated in the communications,” says Thorsten Holz, one of the researchers.

Read the full article at: DarkReading

Conficker infections drop overnight

Filed under Malware

People have one more reason to celebrate the new year, according to the Shadowserver Foundation: Nearly a million Conficker-infected computers have oddly disappeared overnight.

On Jan. 1, the number of IP addresses showing signs of infection dropped by about 820,000, to 5.3 million, according to data from the Shadowserver Foundation and the Conficker Working Group. The drop continued the botnet’s waning during the latter days of December: On December 29, IP addresses showing signs of Conficker infections peaked at 6.5 million before dropping to 5.3 million at the start of the new year.

André DiMino, director and founder of the Shadowserver Foundation, said the group did not have enough data yet to determine the cause of the drop.

“Is it because of the holidays, because a large number of work PCs were turned off? Or did companies take the time to clean up the problem? We really don’t have any conclusions yet,” he said.

Conficker, also known as Downadup and Kido, has surprised many security experts with its success in propagating across the Internet. First discovered in November 2008, the worm initially spread using a vulnerability in Microsoft Windows and contacted 250 random domains to check for updates. By April, Conficker had morphed into a botnet that maintained peer-to-peer connections, but no longer spread automatically. Where the first versions of the program contacted 250 random domains, the latest version generates 50,000 random domains every day and contacts 500 of them for updates. The Conficker Working Group has blocked the software from updating itself by pre-registering domains and provides resources to companies to help detect and remove infections.
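As an added, defender-side illustration (not from the article and not the Conficker Working Group's tooling): a stand-in, hash-based domain generator models the update check described above, using the article's figures of 50,000 candidates per day and 500 contacted, and a resolver-log heuristic flags the client whose lookups produce hundreds of distinct NXDOMAIN answers, which is what such a bot leaves behind when the defender has pre-registered only a handful of the names. The generator, the log records and the IP addresses are all constructed for the example.

```python
import hashlib
import random
import string
from datetime import date

TLDS = ("com", "net", "org")   # constructed for the example, not Conficker's TLD list


def stand_in_dga(day: date, count: int) -> list[str]:
    """Stand-in DGA (NOT Conficker's algorithm): per-day candidate names from a hash."""
    names = []
    for i in range(count):
        d = hashlib.sha256(f"example-seed/{day.isoformat()}/{i}".encode()).digest()
        label = "".join(string.ascii_lowercase[b % 26] for b in d[:8 + d[8] % 5])
        names.append(f"{label}.{TLDS[d[9] % len(TLDS)]}")
    return names


def resolver_log(per_day: int, contacted: int, day: date = date(2010, 1, 1),
                 seed: int = 1) -> list[tuple]:
    """Constructed day of (client_ip, qname, rcode) records: one infected host
    looking up `contacted` of the `per_day` candidates (three of which a defender
    has pre-registered, so they resolve), plus two ordinary clients."""
    rng = random.Random(seed)
    candidates = stand_in_dga(day, per_day)
    preregistered = set(rng.sample(candidates, 3))
    log = [("10.0.0.7", q, "NOERROR" if q in preregistered else "NXDOMAIN")
           for q in rng.sample(candidates, contacted)]
    for ip in ("10.0.0.21", "10.0.0.22"):
        log += [(ip, n, "NOERROR") for n in ("example.com", "mail.example.net")] * 40
        log.append((ip, "typo-exmaple.com", "NXDOMAIN"))   # one honest typo per client
    return log


def flag_dga_clients(log, nx_threshold=100, unique_ratio=0.9) -> list[str]:
    """Flag clients with many NXDOMAIN answers where nearly every failing name is
    distinct: a typo or a dead service repeats one name, a DGA burns fresh ones."""
    failures: dict[str, list[str]] = {}
    for client, qname, rcode in log:
        if rcode == "NXDOMAIN":
            failures.setdefault(client, []).append(qname)
    return sorted(c for c, names in failures.items()
                  if len(names) >= nx_threshold
                  and len(set(names)) / len(names) >= unique_ratio)


if __name__ == "__main__":
    day_log = resolver_log(per_day=50_000, contacted=500)
    print(flag_dga_clients(day_log))   # ['10.0.0.7']
```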

Last month, the Shadowserver Foundation started publishing the names of the network owners who continued to have a large number of infected computers. Those numbers stayed fairly consistent during the month, between 6.0 million and 6.7 million IP addresses, until they started dropping on the 29th.

The drop may not be long lived, however. By Saturday, the signs of infection had already rebounded to 5.6 million.

“It’s starting to creep back up, but we are still a million off from where we were,” DiMino said. “It will really be interesting come Monday and Tuesday, when machines start coming back on. That will really tell us whether this was remediation or just a blip.”

Source: Security Focus

File-scanning services for malware writers

Filed under Malware, Viruses

A lot of people are aware of and are using online file-scanning services when they want to check if a suspicious file they got as an attachment or have found on their computer is actually some kind of malware.

Services like VirusTotal and Jotti allow these files to be submitted and check them against a myriad of commercial anti-virus software. If the results come back positive, they are shared with the manufacturers of all those software so that they can integrate adequate signatures in their products.

This is the reason why these services are not particularly attractive to malware-makers, and also the basis of the business plan for two relatively new file-scanning services: Av-check and Virtest.

They promise not to share the malware with the security companies whose anti-malware solutions they use to check the files (AVAST, AVG, Avira, BitDefender, NOD32, F-Secure, Kaspersky, McAfee, Panda, Sophos, Symantec and Trend Micro – among others). They also offer (or plan to offer) advanced methods of malware testing, such as testing against firewall and anti-spyware programs, and testing whether the samples can be deployed in a virtualized environment.

These services are not keeping secret the fact that they mean to cater to malware authors – even the payment for those services can be carried out only by using virtual currencies preferred by those who are at home in these murky waters. The price? A bargain – one dollar per file, or $40 per month.

Source: Help Net Security

FBI estimates losses of over $150 million to rogue anti-virus

Filed under Malware

The Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center (NW3C), reported that “the FBI is aware of an estimated loss to victims in excess of $150 million” from rogue anti-virus.

This threat typically presents itself in the form of a pop-up window which could appear on any type of website a user is visiting. The pop-up will suggest that the user’s computer is somehow infected and invites the user to download software on the pretense of removing the infection or scanning the system for more.

Typically, such downloads will contain malware, as well as an invitation to pay the perpetrator a fee to remove it.

Source: Help Net Security

iPhone worms can create mobile botnets

Filed under Malware

A detailed analysis of the most malign in a recent spate of iPhone worms points to future mobile botnet risks.

The iKee.B iPhone worm, released in late November, exploited default root passwords on jailbroken iPhones to turn the smartphones into botnet clients under the control of a server based in Lithuania. The worm affected iPhone users in the Netherlands, and specifically targeted customers of Dutch online bank ING Direct.

Security researchers at SRI International – noted for top notch work in dissecting the Conficker botnet – published an analysis of the iPhone botnet on Monday that warns users of Apple’s device and similar smartphones to expect more of the same in future. Warnings about mobile malware have been circulating for years. But it’s only since the advent of iPhones and other smartphones, allowing decent internet access with what’s essentially a mini-computer, that such risks have become tangible, rather than the stuff of anti-virus vendor PowerPoint slides, SRI warns.

Unlike the previous generation of cell phones that were at their worst susceptible to local Bluetooth hijacking, modern Internet-tethered cellphones are today susceptible to being probed, fingerprinted, and surreptitiously exploited by hackers from anywhere on the internet.

Although the iKee.B botnet discussed here admittedly offers a rather limited growth potential, iKee.B nevertheless provides an interesting proof of concept that much of the functionality we have grown to expect from PC-based botnets can be easily migrated into a lightweight smartphone application. iKee.B demonstrates that a victim holding an iPhone in Australia can be hacked from another iPhone located in Hungary, and forced to exfiltrate its user’s private data to a Lithuania C&C server, which may then upload new instructions to steal financial data from the Australian user’s online bank account. While it is unclear just how well prepared smartphone users are to this new reality, it is clear that malware developers are preparing for this new reality right now.

SRI’s researchers conclude that although the iKee.B worm is simpler than its PC relatives, it comes with the potential to evolve into something even nastier.

The iKee bot is one of the latest offerings in smartphone malware, in this case targeting jailbroken iPhones. While its implementation is simple in comparison to the latest generation of PC-based malware, its implications demonstrate the potential extension of crimeware to this valuable new frontier of handheld consumer devices.

Source: The Register

Scareware scammers exploit Brittany Murphy’s death

Filed under Malware

Actress Brittany Murphy’s sudden death, just like Michael Jackson’s untimely demise before her, has quickly been exploited by scareware scammers.

A spike in searches on Murphy’s death has been taken as a theme for Black Hat SEO attacks, designed to push hacked sites, which redirect surfers to scareware portals, into prominence in search engine results.

Windows users who click on links to poisoned search results get exposed to a fake anti-virus scan, designed to frighten users into buying rogue security software of little or no utility.

Net security firm F-Secure, which has a full write-up of the attack here, detects the strain of scareware involved in the attack as Fakevimes-T. More detail on how search results were poisoned can be found in a blog posting by Websense here.

Source: The Register