Tag Archives: Malware

TSA Worker Tried to Sabotage Terror Database

Filed under Hacks

A former Transportation Security Administration contractor has been charged in Colorado with allegedly injecting malicious code into a government network used to screen airport security workers and others.

The malicious code, a logic bomb installed last October, was designed to damage and disrupt data on the servers on an undisclosed date, but other workers caught it before it delivered its payload.

Douglas James Duchak, 46, had worked as a data analyst at the TSA’s Colorado Springs Operations Center, or CSOC, since 2004. The CSOC is used to vet people who have “access to sensitive information and secure areas of the nation’s transportation network,” according to the indictment. A source involved in the case said this involved screening of both passengers and workers at airports and other transportation facilities.

He pleaded not guilty in a Denver federal court on Wednesday and was released on a $25,000 unsecured bond. The indictment did not say whether the malware was crafted to erase or alter data, or simply disable servers.

The CSOC network stores updated information from the government’s terrorist watchlist as well as criminal histories from the U.S. Marshals Service Warrant Information Network.

Duchak’s job was to update the CSOC database as new information arrived from these two sources. But on Oct. 15, he was given two weeks’ notice that his job would be terminated.

About a week later, on Oct. 22, Duchak allegedly transmitted the malicious code to a CSOC server that stored data from the U.S. Marshals Service, according to the indictment. The next day, he allegedly loaded malicious code onto a server containing the Terrorist Screening Database. The source involved in the case said the servers “are part of the system that contains the no-fly list” and added that the code, had it gone undetected, could have propagated to a facility in another state that uses a similar computer system.

Duchak has been charged in the U.S. District Court for the District of Colorado with two counts of attempting to cause damage to a protected computer. If convicted, he faces up to 10 years in prison and a $250,000 fine on each count.

Duchak’s attorney, David Lindsey, disputes the government’s charges and says that the system Duchak worked on was a beta system used for testing statistical analyses.

“It wasn’t connected to anything that had to do with security,” Lindsey said. “Before anything he had his hands on left, it went to another system before it got into any live system that did screening. As I understand it, it is a system that does statistical analyses on the systems that are up and running. And when the tests are run, those are done at one level and then [go to] a second level and then at a final level before the analyses are verified and passed onto anything you would call a live system.”

Lindsey said the CSOC servers allegedly targeted for sabotage were used primarily for screening workers and were only “remotely, remotely” related to passenger screening, though he could not elaborate.

“The government has been very misleading in the indictment and press release as to any potential harm [this might have caused] to the public,” he said, adding that the alleged malware was not a virus and will ultimately be shown to have been “nothing.”

Source: Wired

Trojan pr0n dialers make comeback on mobile phones

Filed under Malware, Viruses

After taking a long hiatus, trojan dialers that can rack up thousands of dollars in charges are back by popular demand.

According to researchers at CA Security’s malware analysis lab, a new wave of malicious dialers is hitting mobile phone users. The trojans are built on the Java 2 Micro Edition (J2ME) platform and cause infected handsets to send SMS messages to premium-rate numbers, at great expense to the victim.

“As soon as the application is loaded, this malicious software starts to send premium text messages,” CA warned on Tuesday. “The messages sent out are in the typical format to invoke premium services and land the mobile user with heavy mobile bills without the user’s knowledge and consent.”

Malware that silently dialed pricey premium-rate numbers was all the rage a decade ago, when dial-up internet access required a computer to connect over a phone line. With the growth of broadband connections, dialers faded away.

The explosion of smartphones that can run software written by anyone has given malicious dialers a new lease on life, and as in the days of yore, they mostly bill through porn services.

Source: The Register

Aggressive phishing campaign spoofing Microsoft Office Outlook Web Access

Filed under Malware, Privacy


An aggressive spear phishing email campaign is inviting recipients to “apply a new set of settings” to their mailboxes because of a recent “security upgrade” of their mail service.

An embedded link in the email takes users to a web site that imitates a Microsoft Office Outlook Web Access page, complete with official Microsoft and Microsoft Office logos. There, users are told to “download and launch a file with a new set of settings for your e-mail account.” No legitimate mail settings change requires running a downloaded executable, and a genuine OWA page lives on the organization’s own domain, so either sign on its own should stop the user.

The executable is actually a Zbot (Zeus) banking Trojan, similar to those distributed in recent H1N1 and Facebook phishing attacks.

“This spear phishing campaign is unusual in that it is highly personalized and is targeting a very large number of domains with a customized message for each domain,” said Dr. Tom Steding, president and CEO of Red Condor.

“Spear phishing campaigns usually target a single organization or domain, but this attack broke the mold as the volume and targets are very high. Once again, this is a perfect example of scammers modifying their tactics to thwart traditional security systems and demonstrates the importance of having an advanced, real-time email security solution. For Red Condor customers, the messages were blocked immediately, and a new filtering rule was in place within a few minutes of detecting the campaign.”

Spear phishing is a highly targeted form of phishing that typically aims at a single organization. The emails appear to come from a trusted source, such as an employer who would normally mail the entire company, or a well-known organization.

Source: Help Net Security

2009 was a record year for malware

Filed under Malware

A PandaLabs report claims that 2009 will go down as perhaps the most prolific year in malware history. In 2009, malware creators tapped into the search tools used by the majority of web surfers and exploited current events and popular culture.

The impact of malware, the PandaLabs report suggests, was more damaging in 2009 than in any other year to date. In 2009, criminals squeezed more money out of their activities than in any prior year while supplying a near-endless stream of new malware samples. According to PandaLabs, 55,000 new malware samples were discovered by security organizations every day. PandaLabs’ data indicate that more new malware was created in 2009 than during the previous 20 years of tracking computer viruses combined.

In a troubling development, cybercriminals turned to search engine optimization (SEO) techniques to game the web’s most used search engines and distribute malware. The past year saw a sharp rise in such attacks, as unsuspecting users clicked on poisoned results in engines such as Google and exposed their systems to malware. PandaLabs noted that even users and organizations with proper, comprehensive security measures were not immune: it cited a string of February 2009 attacks in which visitors to eWeek’s site were hit by malware served through Google’s DoubleClick ad banners (malvertising), and a similar attack in September 2009 through the New York Times website, one of the most visited sites in the US.

Perhaps the most disturbing trend from 2009 is the prevalence of malware on machines throughout the world. Panda cited data from ActiveScan 2.0, its free online service that lets users scan their computers for infection. US computers showed a 50% infection rate in ActiveScan’s numbers, better than the 62% recorded in Taiwan but far worse than the roughly 32% in Sweden, which came in at the bottom of the list. One caveat: people usually run an on-demand scanner because they already suspect something is wrong, so these figures overstate the infection rate of the general population. Even so, taken at face value, a US household with two computers would likely have at least one of them infected.

Source: Infosecurity-US

File-scanning services for malware writers

Filed under Malware, Viruses

Many people know and use online file-scanning services to check whether a suspicious file they received as an attachment or found on their computer is actually malware.

Services like VirusTotal and Jotti accept submitted files and check them against a myriad of commercial anti-virus engines. Submitted samples are shared with the vendors of all those engines so that they can add adequate signatures to their products.

That sharing is exactly what makes these services unattractive to malware authors, and it is the basis of the business plan for two relatively new file-scanning services: Av-check and Virtest.

They promise not to share submitted malware with the security companies whose anti-malware solutions they scan with (AVAST, AVG, Avira, BitDefender, NOD32, F-Secure, Kaspersky, McAfee, Panda, Sophos, Symantec and Trend Micro, among others). They also offer, or plan to offer, more advanced testing, such as checking a sample against firewall and anti-spyware programs and checking how it behaves when run inside a virtual machine.

These services make no secret of the fact that they cater to malware authors: even payment can only be made in the virtual currencies favoured by those at home in these murky waters. The price? A bargain: one dollar per file, or $40 per month.

Source: Help Net Security

FBI estimates losses of over $150 million to rogue anti-virus

Filed under Malware

The Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center (NW3C), reported that “the FBI is aware of an estimated loss to victims in excess of $150 million” from rogue anti-virus.

This threat typically presents itself as a pop-up window, which can appear on any kind of website the user is visiting. The pop-up claims that the user’s computer is infected and invites the user to download software, ostensibly to remove the infection or to scan the system for more.

Such downloads typically contain malware themselves, along with a demand that the victim pay the perpetrator a fee to “remove” the infections it reports.

Source: Help Net Security

Decline in Web, increase in P2P attacks predicted for 2010

Filed under Hacks

Cybercriminals have already begun shifting their focus from websites to file-sharing networks for distributing malware, and will continue that trend throughout 2010. Security researchers at Kaspersky Lab predict that fake antivirus programs will be on the decline next year as attacks over P2P rise, while more criminals target victims on mobile platforms.

In its 2010 Cyberthreat Forecast, Kaspersky Lab said that it expects an increase in mass malware epidemics over P2P networks. 2009 saw a series of mass epidemics that were not caused by P2P networks but were sustained by files spread over them. “This method has been used to spread notorious threats such as TDSS and Virut as well as the first backdoor for Mac OS X,” the researchers said.

On the same note, Kaspersky says there was a decline in gaming Trojans in 2009 and that it expects the same for fake antivirus programs in 2010. Not only have such programs become passé and are now monitored by nearly every IT organization, but the market is saturated and “profits for cybercriminals have fallen.” Malware authors have apparently realized it is time to move on to greener pastures as more consumers learn safe computing practices.

Finally, the researchers noted that the rise in attacks on mobile platforms this year foreshadows a growing trend for 2010. Both iPhone OS and Android saw a handful of worms in 2009, some malicious and some not, and more than one security firm agrees that this could be just the beginning. “The only iPhone users currently at risk are those with compromised devices; however the same is not true for Android users who are all vulnerable to attack,” wrote Kaspersky. Because both platforms keep growing in popularity, these worms will multiply as more users shift from computers to smartphones.

The upside to all of this is that we may finally see the beginning of the end of malicious celebrity websites. Paris Hilton, Brad Pitt, Jessica Biel, Angelina Jolie, Michael Jackson and numerous others have all been used to drive unwitting users to the dark corners of the Internet. While these sites may never go away entirely, it will be nice not having to disinfect family members’ computers after they get a little too excited searching for Justin Timberlake.

Source: ARS Technica

Beware of Christmas presents with non-volatile memory

Filed under Hardware

While everyone likes Christmas presents, recipients are well advised to temper their joy with a small measure of distrust if they receive USB flash drives, MP3 players or digital photo frames. This applies to home as well as business users. These devices may contain malware, whether or not the sender intended it.

Although programs on a USB flash drive can normally only be started by the user, connecting any external flash memory device to a Windows PC can still lead to infection, for example when the device is a U3-style “smart drive” that presents part of its storage as a CD-ROM so that AutoRun fires. The safest general protection is to disable AutoRun and AutoPlay for all drive types in Windows (the NoDriveTypeAutoRun policy value set to 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer).

Misleading options displayed by the AutoPlay function can trick users into infecting their own systems. Plugging in a Conficker-infected USB drive brings up an AutoPlay dialogue containing a specially crafted entry: the worm’s autorun.inf supplies a folder icon and the text “Open folder to view files”, so the entry looks like Windows’ own option for browsing the drive. Clicking on that entry runs the worm.

This trick no longer works in Windows 7 because Microsoft has completely removed the option for starting programs from the AutoPlay dialogue for writeable media such as USB flash drives, memory cards and external hard disks. This change, however, does not apply to CDs and DVDs, and therefore not to devices that emulate them.
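As an added example (not code from the article, from Microsoft or from any vendor), here is a small Python checker that reads an autorun.inf the way Windows does, tolerating the junk lines worms use as padding, and flags entries that both launch a program and borrow the folder icon or the “Open folder to view files” text. The two sample files embedded in it are constructed for the demonstration; the shell32.dll icon indices and the RECYCLER/rundll32 heuristic are assumptions of the example, not findings from the article.

```python
"""Inspect an autorun.inf for the "looks like a folder" AutoPlay lure.

Added example for this article; not code from the original page or from any
vendor. The sample files at the bottom are constructed for the demonstration
and are not real Conficker artefacts.
"""
import re
from dataclasses import dataclass, field

# Windows reads autorun.inf with the legacy INI parser: keys are
# case-insensitive and any line that is not "key=value" is skipped, which is
# why a worm can pad the file with junk lines without breaking it.
_SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
_KV_RE = re.compile(r"^\s*([A-Za-z][\w.\\/-]*)\s*=\s*(.*?)\s*$")

# Keys whose value is executed when the AutoPlay entry is chosen (or run
# directly on older systems with AutoRun enabled).
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command")
# Stock folder icons in shell32.dll (index 3 closed, 4 open); an assumption
# of this example, used only as a lure indicator.
FOLDER_ICON_RE = re.compile(r"shell32\.dll\s*,\s*[34]\s*$", re.IGNORECASE)
# Text Windows itself shows for the genuine "open folder" option.
FOLDER_TEXT = "open folder to view files"


@dataclass
class Verdict:
    risk: str                      # "none", "low", "medium" or "high"
    findings: list = field(default_factory=list)
    junk_lines: int = 0            # lines Windows would silently ignore


def parse_autorun(text):
    """Return ({lowercased key: value} from [autorun], number of ignored lines)."""
    section, keys, junk = None, {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        m = _KV_RE.match(line)
        if m is None:
            junk += 1
        elif section == "autorun":
            keys[m.group(1).lower()] = m.group(2)
    return keys, junk


def assess(text):
    """Classify an autorun.inf: does it run code, and is it disguised as a folder?"""
    keys, junk = parse_autorun(text)
    verdict = Verdict(risk="none", junk_lines=junk)
    if not keys:
        return verdict

    launches = [(k, keys[k]) for k in EXEC_KEYS if k in keys]
    for key, cmd in launches:
        verdict.findings.append(f"{key}= runs {cmd!r}")
        # Payload stashed in RECYCLER, reached via "..", or started through
        # rundll32: typical of a hidden target rather than a vendor installer.
        if re.search(r"recycler|\.\.\\|rundll32", cmd, re.IGNORECASE):
            verdict.findings.append(f"{key}= points at a hidden or indirect target")

    icon_is_folder = bool(FOLDER_ICON_RE.search(keys.get("icon", "")))
    text_is_folder = FOLDER_TEXT in keys.get("action", "").lower()
    if launches and (icon_is_folder or text_is_folder):
        verdict.findings.append("entry is dressed up as the built-in 'open folder' option")
        verdict.risk = "high"
    elif launches:
        verdict.risk = "medium"
    else:
        verdict.risk = "low"       # label/icon only: cosmetic, runs nothing
    if junk >= 3:
        verdict.findings.append(f"{junk} junk lines that Windows ignores (padding/obfuscation)")
    return verdict


# Constructed samples (not real files). The first mimics the lure described
# in the article; the second is what a vendor driver CD typically carries.
WORM_STYLE = (
    "[autorun]\n"
    "ZjXpIM@mNpf\n"
    "Action=Open folder to view files\n"
    "qW7l;kd bnm\n"
    "Icon=%SystemRoot%\\system32\\shell32.dll,4\n"
    "shellexecute=..\\RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\payload.vmx,start\n"
    "Hx9t!pa mQ\n"
    "UseAutoPlay=1\n"
)
VENDOR_CD = "[autorun]\nopen=setup.exe\nicon=setup.exe\nlabel=Printer Drivers\n"

if __name__ == "__main__":
    for name, sample in (("worm-style", WORM_STYLE), ("vendor CD", VENDOR_CD)):
        v = assess(sample)
        print(f"{name}: risk={v.risk}, junk={v.junk_lines}")
        for finding in v.findings:
            print("  -", finding)
```

Run against a drive root, `assess(open("E:/autorun.inf").read())` gives a quick answer before anything is double-clicked; a “high” verdict on a drive that claims to be holiday pictures is reason enough to follow the formatting advice below. A vendor CD that legitimately runs an installer scores “medium”, which is the correct reminder that even benign AutoRun entries execute code.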

The Internet Storm Center recommends that users generally format any unsolicited mobile storage device they receive, even if it’s marked “Joe’s Bachelor Party Pictures” to arouse users’ curiosity.

Source: The H Online

iPhone worms can create mobile botnets

Filed under Malware

A detailed analysis of the most malign in a recent spate of iPhone worms points to future mobile botnet risks.

The iKee-B iPhone worm, released in late November, exploited the default root password on jailbroken iPhones whose owners had installed an SSH server and never changed it (the jailbreak default, “alpine”, is the same on every device), turning the phones into botnet clients controlled by a server in Lithuania. The worm affected iPhone users in the Netherlands and specifically targeted customers of the Dutch online bank ING Direct.

Security researchers at SRI International, noted for their top-notch work dissecting the Conficker botnet, published an analysis of the iPhone botnet on Monday warning users of Apple’s device and similar smartphones to expect more of the same. Warnings about mobile malware have circulated for years, but only since the advent of the iPhone and other smartphones, which put decent internet access on what is essentially a mini-computer, have such risks become tangible rather than the stuff of anti-virus vendor PowerPoint slides, SRI says.

Unlike the previous generation of cell phones that were at their worst susceptible to local Bluetooth hijacking, modern Internet-tethered cellphones are today susceptible to being probed, fingerprinted, and surreptitiously exploited by hackers from anywhere on the internet.

Although the iKee.B botnet discussed here admittedly offers a rather limited growth potential, iKee.B nevertheless provides an interesting proof of concept that much of the functionality we have grown to expect from PC-based botnets can be easily migrated into a lightweight smartphone application. iKee.B demonstrates that a victim holding an iPhone in Australia can be hacked from another iPhone located in Hungary, and forced to exfiltrate its user’s private data to a Lithuanian C&C server, which may then upload new instructions to steal financial data from the Australian user’s online bank account. While it is unclear just how well prepared smartphone users are for this new reality, it is clear that malware developers are preparing for this new reality right now.

SRI’s researchers conclude that although the iKee-B worm is simpler than its PC relatives, it has the potential to evolve into something even nastier.

The iKee bot is one of the latest offerings in smartphone malware, in this case targeting jailbroken iPhones. While its implementation is simple in comparison to the latest generation of PC-based malware, its implications demonstrate the potential extension of crimeware to this valuable new frontier of handheld consumer devices.

Source: The Register

Scareware scammers exploit Brittany Murphy’s death

Filed under Malware

Actress Brittany Murphy’s sudden death, just like Michael Jackson’s untimely demise before her, has quickly been exploited by scareware scammers.

A spike in searches about Murphy’s death has become the theme for black hat SEO attacks: hacked sites are seeded with the trending terms so that they rank prominently in search results, and then redirect visitors to scareware portals.

Windows users who click on the poisoned results are shown a fake anti-virus scan designed to frighten them into buying rogue security software of little or no use.

Net security firm F-Secure, which has published a full write-up of the attack, detects the strain of scareware involved as Fakevimes-T. More detail on how the search results were poisoned can be found in a blog posting by Websense.

Source: The Register