Sweet Orange Exploit Kit

Dec 19, 2012 | comments

Malware is a business; people make their living writing and distributing it. Exploit kits are an effective and streamlined methodology of distributing malware; they allow the Bad Guys to distribute payloads at a higher level than we have seen in the past. For this reason we've seen exploit kits grow in popularity over the last few years.


BlackHole is the most famous and the most utilized exploit kit these days, but that doesn’t mean there aren’t others that have the potential to compete with it. One of them is the Sweet Orange exploit kit, which is presumably capable of some impressive things.

Developers of Sweet Orange boast that their creation has a small footprint, a high infection rate, and the ability to drive 150,000 unique daily visitors to a website.

They claim that around 10% to 25% of those who land on the malicious website will be infected, meaning that at least 15,000 bots should be added to the botnet each day.

So far, experts have managed to identify 45 different IP addresses and 367 domains utilized by Sweet Orange, which makes the 150,000 unique daily visitors forecast sound valid.

 



 

MyBB Security Release

Dec 15, 2012 | comments

The SQL Injection vulnerability, which affected all MyBB versions, affected the post editing section. The second flaw allowed brute-force access because the CAPTCHA system was not effective.



An issue which prevented the editor from working in Firefox 16 and newer versions of the web browser has also been addressed.

Users are advised to immediately update their installations, but not before backing up their forum files and databases.

Those who identify similar vulnerabilities are advised to responsibly disclose them to the vendor via their contact page or via the Private Inquiries forum.
 

Facebook and Walmart Offer $1,000 Christmas Gift Cards Scam

Dec 14, 2012 | comments

Some posts on Facebook claim that the social media network has partnered up with Walmart and that they’re giving away free $1,000 (764 Euro) gift cards.

“Hey friends, I got a $1000 Gift Card from WALMART as a Christmas Gift! Get it right away! -> bil.ly,” the malicious Facebook posts read.

Users who fall for it and click on the link are taken to a website where they’re presented with instructions on how to provide their authentication tokens.

Then they’re asked to install a bogus Walmart Facebook app and participate in all sorts of surveys. 






Walmart Scam Landing Page

 

By doing what the scammers ask of you, you’re actually allowing them to post on your Facebook timeline. Furthermore, by participating in the surveys, you’re helping them make a profit. 

If you did make the mistake of installing the Facebook application, then you could be spamming the message to your friends. Clean up your newsfeed and profile to remove references to the scam (click the “x” in the top right-hand corner of the post).

Trojan Upclicker: Using a Mouse To Evade Automated Analysis

| comments

We came across another sample, called Trojan Upclicker, that went one step further: using a mouse to evade automated analysis.

Per the code in the figure, the function SetWindowsHookExA is called with 0Eh as a parameter. Per MSDN, the parameter 0Eh is used to hook a mouse. Pointer fn is the pointer to the hooked procedure in the code.

The Trojan analyzed by FireEye, Upclicker, is interesting because the malicious code is executed only after the user clicks the left mouse button and releases it.
Upclicker establishes malicious communication only when this particular action is performed.


Trojan Upclicker establishes malicious communication only when the left mouse button is clicked and released. Since, in sandboxes, there is no mouse interaction, the malicious behavior of Upclicker remains dormant in a sandbox environment.
When the code runs, it waits 300,000 milliseconds, or five minutes, before executing the DecryptCode subroutine. It then waits 20 minutes and executes the ModifyRegistry subroutine. After executing the Network_main subroutine, it waits another 20 minutes.

Automated threat analysis systems only spend a small amount of time on one file so they may not detect the code as malware.
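
The two evasion patterns above can be triaged from a sandbox call trace. The following is an added example, not code from the original analysis: the trace format (one `Name(args)` line per call, waits written as `Sleep(ms)`) and the 3-minute analysis window are assumptions, while the subroutine names, the 0Eh hook value and the wait times come from the post.

```python
import re

WH_MOUSE_LL = 0x0E  # the idHook value the post quotes as 0Eh (low-level mouse hook)
HOOK_APIS = {"SetWindowsHookExA", "SetWindowsHookExW"}
CALL_RE = re.compile(r"^\s*(\w+)\s*\((.*)\)\s*$")

# Constructed traces in a hypothetical format, modelled on the behaviour described above.
TIMED_TRACE = [
    "Sleep(300000)", "DecryptCode()",
    "Sleep(1200000)", "ModifyRegistry()",
    "Network_main()", "Sleep(1200000)",
]
MOUSE_TRACE = ["SetWindowsHookExA(0Eh, fn, hMod, 0)"]


def parse_int(token):
    """Parse 14, 0x0E or assembler-style 0Eh; return None for non-numbers."""
    token = token.strip()
    try:
        if token[-1:].lower() == "h":
            return int(token[:-1], 16)
        return int(token, 0)
    except ValueError:
        return None


def parse_trace(lines):
    """Turn 'Name(arg, ...)' lines into (name, first_arg_as_int_or_None)."""
    calls = []
    for line in lines:
        match = CALL_RE.match(line)
        if match:
            first_arg = match.group(2).split(",")[0]
            calls.append((match.group(1), parse_int(first_arg)))
    return calls


def schedule(calls):
    """Offset in ms (sum of the preceding waits) at which each non-Sleep call runs."""
    elapsed, plan = 0, []
    for name, arg in calls:
        if name == "Sleep":
            elapsed += arg or 0
        else:
            plan.append((name, elapsed))
    return plan


def triage(lines, window_ms):
    """Report which stages fall outside the analysis window and whether a mouse hook gates execution."""
    calls = parse_trace(lines)
    plan = schedule(calls)
    return {
        # A low-level mouse hook is only a triage indicator; the follow-up is a
        # re-run with simulated clicks, since no click means no further behaviour.
        "mouse_hook_gate": any(n in HOOK_APIS and a == WH_MOUSE_LL for n, a in calls),
        # Stages scheduled at or after the window closes are never observed.
        "unobserved": [name for name, at in plan if at >= window_ms],
        # The window has to exceed this offset for the last stage to be seen.
        "last_stage_at_ms": max((at for _, at in plan), default=0),
    }


if __name__ == "__main__":
    print(triage(TIMED_TRACE, window_ms=180_000))
    print(triage(MOUSE_TRACE, window_ms=180_000))
```
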

Carberp : Trojan-Spy.AndroidOS.Citmo

| comments






For a long time, only two families of such malware have been known: ZeuS-in-the-Mobile (ZitMo) and SpyEye-in-the-Mobile (SpitMo). ZitMo and SpitMo work together with their Windows ‘brothers’. Actually, without them, they would look like trivial SMS spy Trojans. It is necessary to mention that during the last two years such attacks have been observed only in some European countries like Spain, Italy, Germany, Poland and a few others.

In order to gain access to online banking accounts, the attackers need to get a hold not only of the victim’s username and password, but also of the mobile Transaction Authentication Number (mTAN) that’s used for two-factor authentication.  


But when the mobile version of the Carberp Trojan appeared, such attacks became real in Russia as well. It is no secret that online banking is becoming more and more popular in Russia, and banks are very active in promoting online banking with various authorization methods.

Carberp for Windows works in a similar way to the ZeuS Trojan. If a user tries to log in to his online banking account using a machine infected by Carberp, the malware will modify the transaction so that user credentials are sent to a malicious server rather than a bank server.

In addition to the login and password, cybercriminals still need mTANs in order to confirm any money transfer operation from a stolen account. That is why one of the Carberp modifications (we call it Trojan-Spy.Win32.Carberp.ugu and we added detection for it on 11th of December) alters the online banking web page on the fly, inviting the user to download and install an application which is allegedly necessary for logging into the system. The user can get this link via SMS message by entering his phone number or by scanning a QR code.

The CitMo Android Trojan works in almost the same way as ZitMo. It is able to hide particular SMS messages and resend them to the attacker's command server. Some versions of ZitMo resend SMS messages to particular cell phone numbers in addition to various web servers. Known versions of CitMo and the Windows module of Carberp (Trojan-Spy.Win32.Carberp.ugu) work only with the remote server ‘bersta***.com’.



California Department of Health Care Mistakenly Publishes Details of 14,000 People

Dec 13, 2012 | comments



The State of California has mistakenly published thousands of Social Security numbers on the Internet.
The list includes Medi-Cal providers in 25 California counties, including Amador, Calaveras, Colusa, Nevada, Placer, Sutter, Tuolumne and Yuba.

The information, belonging to Medi-Cal providers working for In-Home Supportive Services, had been posted on the Medi-Cal website for a period of nine days before someone noticed the error.

Individuals from 25 counties are affected by the breach. Those impacted will be receiving notification letters and they’re being offered one year of free credit monitoring services.

Additional measures are being deployed to avoid such incidents from occurring in the future.  


The confidential information was available on the state's Medi-Cal website for anyone to see for a period of nine days, before the mistake was discovered and the numbers removed. Social Security numbers are a key ingredient for identity theft.

This is the second time in the past 5 months that In-Home Supportive Services providers have been affected by a data breach. Last time, a total of 750,000 people were exposed by a breach at the Department of Social Services.

Internet Explorer Can Track Your Mouse Cursor

Dec 12, 2012 | comments

Internet Explorer can track your mouse anywhere on the screen, even when you aren’t browsing

 

Internet Explorer Data Leakage vulnerability

 A new Internet Explorer vulnerability has been discovered that allows an attacker to track your mouse cursor anywhere on the screen, even if the browser is minimized. All supported versions of Microsoft’s browser are reportedly affected: IE6, IE7, IE8, IE9, and IE10.

Internet Explorer can track your mouse movements anywhere on the screen, even if the Internet Explorer window is minimized. The vulnerability is particularly troubling because it compromises the security of virtual keyboards and virtual keypads. And Microsoft, which was informed of the massive potential security hole over two months ago, has no plans to fix it. Which means that as you explore the web, the web can explore you right back.

Internet Explorer’s event model populates the global Event object with some attributes relating to mouse events, even in situations where it should not. Combined with the ability to trigger events manually using the fireEvent() method, this allows JavaScript in any webpage (or in any iframe within any webpage) to poll for the position of the mouse cursor anywhere on the screen and at any time—even when the tab containing the page is not active, or when the Internet Explorer window is unfocused or minimized. The fireEvent() method also exposes the status of the control, shift and alt keys.

Affected properties of the Event object are altKey, altLeft, clientX, clientY, ctrlKey, ctrlLeft, offsetX, offsetY, screenX, screenY, shiftKey, shiftLeft, x and y.


A demonstration of the security vulnerability may be seen here: iedataleak.spider.io/demo.

For the data to be useful, the attacker would have to know what website you are currently using. Given that it’s already being used by advertisers, however, this can’t be particularly hard to achieve. They can take note of where they place their malicious ads, and an attacker would of course know the layout of the malicious page they design, or the legitimate one they hijack for such a scheme.

Joomla And WordPress Bulk Exploit serving Fake Antivirus Malware

Dec 11, 2012 | comments

Many Joomla and some WordPress sites have been exploited and are hosting IFRAMEs pointing to bad places:



Fake antivirus threats display a fraudulent scanning result to intimidate users into “purchasing” the fake antivirus program. WordPress and Joomla exploits have existed for years, and cybercriminals have thus been exploiting them for a long time. Yet the situation may have gotten slightly more serious as of late, as there appears to be a bulk exploit tool being used in the wild, targeting sites running both popular content management systems, and having them serve up fake antivirus malware to visitors.

The biggest pain is around Joomla users, particularly with extensions, which greatly increase the vulnerability footprint. The one thing helping WordPress is the really nice feature of 1-button upgrades (and upgrades which don't tend to break your website).

The IFRAMEs seem to use rapidly changing FQDNs, but the common element is /nightend.cgi?8. Two of the bad IPs that seem to be frequent offenders are 78.157.192.72 and 108.174.52.38. Ultimately it pulls FakeAV software to do its badness.

In other words, if you use WordPress or Joomla, get on the latest version as soon as possible. It’s unclear how widespread this attack is, but there is no excuse for using an insecure release of your content management system.

Make sure all your software is up-to-date and kept that way on a regular basis.
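
Because the hostnames rotate, a site owner checking for this injection has to match on the common path element rather than on a domain list. The scanner below is an added example, not code from the original post: it checks page source for IFRAMEs matching the indicators quoted above, and the page contents and `example` hostnames are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators quoted in the post: the element common to the rotating FQDNs,
# and the two IP addresses named as frequent offenders.
IOC_PATH = "/nightend.cgi"
IOC_QUERY = "8"
IOC_IPS = {"78.157.192.72", "108.174.52.38"}

# Constructed sample pages (file names and hostnames are placeholders).
PAGES = {
    "clean.php": '<html><body><iframe src="https://video.example/embed/1"></iframe></body></html>',
    "index.php": '<html><body><p>Welcome</p><iframe src="http://qzx1.example.net/nightend.cgi?8" '
                 'width="1" height="1"></iframe></body></html>',
    "footer.php": '<div><iframe src="http://108.174.52.38/nightend.cgi?8"></iframe></div>',
    "menu.php": "<script>document.write('<ifr'+'ame src=\"http://a9.example.org/nightend.cgi?8\">"
                "</ifr'+'ame>');</script>",
}


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def classify_src(src):
    """Return which indicators ("path", "ip") an iframe src matches."""
    try:
        parts = urlsplit(src)
        host = parts.hostname
    except ValueError:  # malformed URL, e.g. broken IPv6 brackets
        return []
    hits = []
    if parts.path.lower().endswith(IOC_PATH) and parts.query == IOC_QUERY:
        hits.append("path")
    if host in IOC_IPS:
        hits.append("ip")
    return hits


def scan_html(html):
    """Return findings for one page: matching <iframe> tags plus raw-text leftovers."""
    collector = IframeCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.sources:
        hits = classify_src(src)
        if hits:
            findings.append({"where": "iframe", "src": src, "matched": hits})
    # Script bodies are not parsed as tags, so an IFRAME assembled from string
    # pieces in JavaScript is only visible as raw text containing the marker.
    marker = IOC_PATH + "?" + IOC_QUERY
    in_tags = sum(1 for f in findings if "path" in f["matched"])
    leftover = html.lower().count(marker) - in_tags
    if leftover > 0:
        findings.append({"where": "raw-text", "src": None,
                         "matched": ["path"], "count": leftover})
    return findings


def scan_site(pages):
    """Map file name -> findings, for files with at least one finding."""
    report = {}
    for name, html in pages.items():
        findings = scan_html(html)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in scan_site(PAGES).items():
        print(name, findings)
```
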

Gmail Phishing Scam

| comments

Another phishing scam that relies on the old “account update” theme is currently making the rounds, attempting to trick Gmail users into handing over their usernames and passwords.

Image credits: Hoax Slayer

Users who click on the links contained in the email are taken to a site that almost perfectly replicates the Gmail sign-in page.

Once they provide their usernames and passwords, victims are presented with a second phishing page on which they’re requested to enter their phone numbers, which are allegedly needed for verification purposes.

In the final part of the scheme, users are asked to provide an alternate email address.

Cybercriminals are leveraging the fact that it’s not difficult for internauts to click on a link and log in to their Gmail accounts. This is why it’s important for users to be suspicious of any notification that claims to come from Gmail, Facebook or any other popular website.
 

The message is not from Gmail and the claim that users will lose their accounts if they do not verify their information is a lie. The email is a phishing scam designed to steal login information for Gmail and other webmail accounts as well as trick victims into divulging their phone numbers to Internet criminals.

Beware Of Malware Receipt From Australian Power & Gas

| comments

Emails posing as an Australian Power & Gas payment receipt carry a piece of malware that’s disguised as a harmless-looking PDF file.

Australian users should beware of emails entitled “Approved Payment Receipt” that purport to come from the “team” at Australian Power & Gas.

 

Example:


Subject: Approved Payment Receipt
Australian Power & Gas Payment Receipt
Dear Customer,

We have recently received a credit card payment from you, for your Australian Power & Gas account. This payment has been successfully processed and receipt details are shown below in the attached file.
Transaction Details
Payment Time: Tue, 11 Dec 2012 07:43:54 +0900
Reference One: 2404390362
Reference Two: 01600833
Payment Receipt Number : 3530928186

Note: This payment will appear on your credit card statement with the merchant reference `Australian Power & Gas`.
Kind Regards,
The team at Australian Power & Gas

Australian Power & Gas representatives are aware of this spam campaign and they’ve even issued an alert on Facebook to warn their customers about it. 

The .zip file attachment harbours a malicious .exe file. Running the .exe file can install malware on the user's computer. If you receive one of these bogus emails, do not open any attachments or click on any links that it contains.

Hack Windows 8 To Get Free Games

| comments

A Nokia engineer who has previously pointed out security holes in Microsoft’s Windows 8 has now posted a detailed step-by-step explanation of how to hack Windows 8 games.

Unfortunately his site is down now:
Angel shows how to hack Windows 8 in not one, not two, and not even three ways … but no less than five different ways, showing users how to:
  1. get free in-app purchases by modifying encrypted IsoStore files
  2. crack trial apps and get paid versions for free
  3. remove in-app ads from free games
  4. reduce the cost of in-game paid items
  5. unlock paid levels by script-injection techniques

#1: Compromising in-app purchases by modifying IsoStore

The Win8 game Soulcraft is a top game on Android and is subjectively one of the best examples of its genre on Windows 8. It’s a basic RPG where you play an archangel battling the forces of evil in stylish 3D. You’ve got a character, it’s got equipment and you pay with gold to buy better equipment. The gold has to be purchased for real money using the platform’s in-app purchase. For example, on Android here are the prices for gold:

I’ve spent 20$+ on game gold for Soulcraft THD on my Google Nexus 7 so far. So I asked myself how that game’s gold data gets stored on Windows 8, and whether or not we can change it.

Quick refresher from the previous article: all Windows 8 apps are stored on your local HD at:

C:\Program Files\WindowsApps

So for example all the assemblies for Soulcraft on Windows 8 will be stored at:

C:\Program Files\WindowsApps\MobileBitsGmbH.SoulCraft_0.8.5.3_neutral__n3knxnwpdbgdc

Also, all IsoStore files are stored at:

C:\Users\<username>\AppData\Local\Packages\

So on my machine Soulcraft’s IsoStore is at:

C:\Users\Justin\AppData\Local\Packages\MobileBitsGmbH.SoulCraft_n3knxnwpdbgdc\LocalState

When opening up these files in Notepad we can see some of these files are encrypted while others are not. So now the question becomes, can we decrypt the AccountData.xml file, edit the amount of gold our character has and simply run the game? Well, as it turns out the answer is “Yes”. Normally encrypted files are bad news if you’re trying to tamper with apps. But we should remember this is all running on the local machine. We have the algorithm used for encryption, we have the hash key and we have the encrypted data. Once we have all of those it’s pretty simple to decrypt - anything.

Using dotPeek/ILSpy/JustDecompile it’s possible to reverse engineer most of the Soulcraft source code and find out how the AccountData.xml gets stored and how to change it. Let’s assume we’ve done that and we know which classes and assemblies are used to decrypt, edit and encrypt this XML file. We’ll start off by creating a new Win8 app and reference the appropriate DLLs from the Soulcraft game.

Next, since these assemblies read files from IsoStore we’ll copy the encrypted game files to our own App2 IsoStore. Now we’ve staged a new app with the proper assemblies and populated IsoStore with Soulcraft’s data. The next step is to reverse engineer the assemblies and figure out the correct calling order for methods. For example this code would load up AccountData.xml, edit the amount of gold and save it again. Here’s the before and after of the XML file:

Copying the file back to Soulcraft’s IsoStore and starting Soulcraft we can see a first level character with 1,000,000 gold. At this point some of you must be thinking “so what? it’s fake game money”. True, but this fake in-game money would be worth over a thousand dollars on Android and iOS. Without a secure storage location for game state, we can’t be surprised that 3rd party cracking will arise to make consumers avoid in-app purchases.

#2: Cracking trial apps to paid versions for free

One of the top revenue streams for Windows 8 developers is by shipping paid apps. At the same time consumers tend to be loss averse and are afraid to “lose” money on apps. The solution to that are Trial apps. Paid apps can offer a free version with limited functionality or on a time limited basis. That works fine unless consumers attempt to manipulate this tentative status-quo by cracking trial apps. To emphasize the impact of this problem we can look at the Windows Phone ecosystem where 45% of paid apps offer trials.

Let’s have a look at Meteor Madness. It’s a cool arcade asteroid shooter game. Meteor Madness costs 1.5$USD and offers a free trial with limited functionality. It also happens to be open source so you can go check that out too. When downloading the app as a trial we can see that it offers the options to buy the game and locks some game options. Note the “Buy now” rock at the bottom left and the locked “Arcade” game rock on the top right.

In the previous section we’ve seen there’s a fundamental problem when storing game data on Windows 8. Storing encrypted data locally, alongside the algorithm and the algorithm key/hash is a recipe for security incidents. One of the problems with allowing offline execution of trial apps is that it mandates the “trial flag” to be stored locally. And as we’ve seen, if it’s stored locally, we can find it, read it and modify it. Specifically the License for Windows 8 apps is stored in the following file:

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\WSLicense\tokens.dat

When we open this file up in Notepad we can find the license for Meteor Madness and where it says it’s a trial purchase. Also, in the same file we can see there are other apps installed, such as free apps, paid apps and preinstalled apps. Here, for example, is the “Full” installation of Bing.

An educational WinForms app named WSService_crk loads this file into memory, shows the License XMLs and modifies it as a “Full Preinstalled” license. There’s a lot going on here other than simply reading and modifying files. WSService_crk has to decrypt the file, re-encrypt it and then store it. All of that is documented with WSService_crk as it’s distributed with full source code. Opening up WSService_crk on my machine shows the following list of installed apps.

WSService_crk can then show the current license and even modify it from a Trial to a Full Preinstalled License. When running Meteor Madness now we can see that it no longer has any trial app functionality limitations.

#3: Removing in-app ads from games by editing XAML files

Another way developers monetize their apps is through in-app advertising. Developers often take the path of least resistance and it’s quite easy to add ads to your app. If apps are popular and the view counts are racking up it could become quite profitable. As a result consumers don’t have to pay for some great titles and successful developers can get paid. That all works pretty well unless opportunistic consumers choose to keep the free app but disable ads. To emphasize the importance of mobile app ads let’s mention that some 3rd party estimates put the field at over 10B in overall yearly revenue.

One app that is now (surprisingly) advertising supported on Windows 8 is Microsoft’s Minesweeper. As we’ve seen previously the executable of all Windows 8 apps can be located easily. Minesweeper is installed locally at:

C:\Program Files\WindowsApps\Microsoft.MicrosoftMinesweeper_1.1.0.0_x86__8wekyb3d8bbwe

In that folder we can find the file MainPageAd.xaml under the \Common\AdsModule\View folder, alongside other in-app ads used by Minesweeper.

We can make this ad disappear by simply adding the Visibility="Collapsed" property to the aforementioned root user control. After we’ve made this small change, when we run the Minesweeper app we won’t be able to see the ad anymore. By simply editing XAML files we can hide away in-app ads from Windows 8 apps.

#4: Reducing the cost of in-game items by editing game data files

Most games out there are composed of two distinctive pieces: a game engine and game data files used by the engine. For more on this dichotomy you can read this great article, Battle for Wesnoth, from the Creative Commons book The Architecture of Open Source Applications. Let’s look at a real world example in the form of the Windows 8 game Ultraviolet Dawn. The game, my all-time favourite iPad game, is a cool 2D space shooter. Like other games, players start off with a certain amount of in-game currency and can buy items to improve their spaceship.

If we go back to the dichotomy we’ve heard about earlier then we can see how it applies to Ultraviolet Dawn. There’s a game engine that knows about “store items” and there’s going to be a list somewhere of what they are. So one thing we could do is take advantage of Windows 8 on-disk storage and modify the game’s data files. As we’ve previously seen, executables for Windows 8 apps can be located and modified. Specifically, Ultraviolet Dawn can be found here:

C:\Program Files\WindowsApps\8DF9EE77.UltravioletDawn_1.0.0.37_x86__dd4ev9dvfndxm

We can open up the “res_store_items.txt” file and edit the price of in-game items. In our example we’ll edit all the weapons to be free. When we run Ultraviolet Dawn again we can see the price of items in the store is now 0.

We’ve just shown that using the simplest tools we can edit game files to compromise the experience of Windows 8 games.

#5: Compromising in-app purchase items by injecting scripts into the IE10 process

Even though we’ve already shown that in-app purchases are compromisable I’d like for us to see an example of that with Windows 8 HTML & JS apps. Up until now we’ve seen examples of C# and C++ apps, so let’s see that with WinJS apps. Let’s have a look at the massively popular and successful WinJS Windows 8 game Cut the Rope. The game follows a freemium model where the first few levels are free and additional levels cost 4.99$ to unlock.

As we know by now executables for Windows 8 games can be found on the local disk. Specifically, Cut the Rope executables can be found at:

C:\Program Files\WindowsApps\ZeptoLabUKLimited.CutTheRope_1.1.0.9_neutral__sq9zxnwrk84pj

If we open up the default.js file in the js folder we can see the following code that obviously governs the in-app purchasing logic. We can see there are IS_PAID_FULL_VERSION and SIMULATE_PURCHASES variables set to false. One wonders what happens if we change those values to true.

We don’t really have to understand the specifics but we can see there’s an if-else condition that determines in-app purchases. We can’t directly change JavaScript files as that’ll corrupt the JavaScript package and Windows 8 will refuse to open the app. So instead of changing the files on the local disk, we can inject JS scripts at runtime into the IE10 process.

Visual Studio 2012 has a built-in debugging mechanism for any installed Windows 8 app. Even if that wasn’t there we could still easily inject scripts to IE10, but since it is there we can use that familiar tool. Let’s use VS2012 to “Debug Installed App Package”. (Here are the JavaScript docs, C# docs and C++ docs for those unfamiliar with the feature.) Next we’ll choose to debug Cut The Rope. Make sure to check the “Stop at first Statement” checkbox since we’ll use it to navigate to default.js.

After we click start we can see we’re debugging the Cut the Rope app. This is the important bit, we’ve now got the full force of VS2012 JavaScript runtime debugging in a Win8 store app. This first breakpoint will always be the same file at the same row: the first row of the base.js file from the WinJS framework.

Using a smart combination of “Step over” and using the Solution Explorer we can set the following breakpoint after setting the variables we’ve previously seen. Stepping over this declaration we can then see the following values in our Locals window. And now using the Immediate Window we can execute any JavaScript we’d like. For the purpose of this demo we’ll set SIMULATE_PURCHASES=true. We could have saved some time by setting IS_PAID_FULL_VERSION=true, but I’d like for us to see this runtime behaviour.

Now when we click the purchase button we can see the Windows 8 in-app purchase simulator. We’ll tell it that the purchase was successful. And now we can see all game levels are unlocked. We’ve just shown how to inject arbitrary JavaScript into a Win8 store bought WinJS IE10 app and we’ve affected in-app purchase items inventory.

Open Redirect Vulnerability Identified in Meebo

| comments

An open-redirect vulnerability has been identified in the popular instant messaging platform Meebo.





Open-redirect vulnerabilities can be leveraged by cybercriminals to lure their victims to arbitrary domains. The user believes that he/she is visiting a legitimate, reputable site, when they’re actually seamlessly redirected to a malicious one.


The security hole has been reported to Google, which bought Meebo back in June, but the search giant’s security team told the expert that “the security benefits of a well-implemented and carefully monitored URL redirector tend to outweigh the perceived risks.”

They’ve pointed him to the bug bounty page where they explain why such URL redirection vulnerabilities are not included in their reward program.

“Some members of the security community argue that open redirectors are a security issue,” reads the section on URL redirection.

“The common argument in favor of this view is that some users, when presented with a carefully crafted link, may be duped into thinking that they will be taken to a trusted page - but will not be attentive enough to examine the contents of the address bar after the redirection takes place.”

It continues, “On the other hand, we recognize that the address bar is the only reliable security indicator in modern browsers; and consequently, we think that any user who could be misled by a URL redirector can also be tricked in other ways, without relying on any particular trusted website to act as a relying party.”

No Email Day 12-12-12

| comments

Tomorrow is No Email Day: Ignore your inbox and do something more useful instead

Looking at your ever-growing inbox and looking for a reason to ignore it? Tomorrow you have that excuse, as it will be the second annual No Email Day.


A year ago, UK-based Paul Lancaster declared a No Email Day and managed to get coverage for it everywhere from The Next Web to the Wall Street Journal. It’s easy to see why, too. Honestly, does anyone like email? I can’t remember the last time I didn’t view my inbox as a chore.
So what do you do on No Email Day? Simple – ignore your email. Don’t look at your inbox at all and see what else you can achieve. As Lancaster wrote in his original manifesto last year (embedded below), “If you do need to contact someone on this day, emails should be strictly off limits – replaced instead by real life, face-to-face interaction, picking up the phone or perhaps even writing a letter (remember those). Better still, if you can spend time away from work to be inspired and re-connect with the offline world.”

Of course, it might be a bit naive to believe that it’s possible to get by entirely without email, even for a day. Here at The Next Web we’d miss important news tips we need to share with you, and we can hardly walk down the corridor to chat to the entrepreneurs and investors we communicate with every day – they’re based in all sorts of places around the world.

Then of course, once you come back to your email the following day you might have to spend the whole morning catching up with people wondering why you didn’t reply to their urgent missive.
Still, No Email Day is a useful reminder that there’s more to life than your unread messages count. Do you dare ignore  your email completely for 24 hours?

 

Fake Hotels Awaiting Unwary Guests

Dec 10, 2012 | comments


Cyber-criminals have prepared some dirty tricks for tourists looking for a room over the holidays. And it’s not the same old reception RATs, banking Trojans, wrong hotel transactions and social media baits. Now, they’ve created their own fake hotels and are awaiting unwary guests.

The fake websites usually leverage the names and reputations of famous brands. For instance, if the legitimate company’s domain is sheratonskyline.com, the crooks will likely set up their site on a domain that looks something like sheraton-skyline.com.

Most major companies have purchased all the variations of their domain names to protect themselves against typosquatters, but it’s likely that hotels haven’t taken such fraud sites into consideration.

Unlike phishing sites, these fraud websites aren’t promoted via email or social media spam. Instead, they’re kept secret to ensure that the domain will not be seized by authorities.

Also, such scammy webpages don’t necessarily replicate the design of the genuine hotel.

Users are advised to rely on common sense and a decent security solution to protect themselves against such threats.

The simplest way to identify fake hotel sites is by typing their names into a search engine followed by the words “scam” or “fraud.” In many cases, you’ll find professional advisories or posts published by other users. 

Exforel Backdoor Implemented At Network Driver Interface Specification level

| comments

Security researchers have identified a variant of the Exforel backdoor malware, VirTool:WinNT/Exforel.A, that’s somewhat different from other malicious elements of this kind.


The NDIS-level backdoor used by VirTool:WinNT/Exforel.A is much more low-level and stealthy than that used by traditional backdoors – there is no connecting/listening port so it is more difficult to notice. The backdoor traffic is completely invisible to user-mode applications.

Functionalities:
  • Uploading files
  • Downloading files
  • Executing files
  • Routing TCP/IP packets

This sample appears to be used for a specific attack targeting a certain organization.


Over 400 Indian Websites Defaced by Sizzling Soul and P@khTuN72






Over the weekend, a total of over 400 domains and subdomains have been defaced by a couple of hackers calling themselves Sizzling Soul and P@khTuN72. Most of the sites appear to be owned by various Indian businesses.

Since the hacktivists haven't defaced the targeted sites’ homepages, most of their owners are probably still unaware of the fact that the websites are displaying the hackers’ logo.


New Police Ransomware Can Even Speak In Your Mother Tongue


These days, this new breed of ransomware notifies users of the fee (or ransom) under the guise of the victim’s local law enforcement agencies. Thus, a user with a ransomware-infected system from France will get a notification from the Gendarmerie Nationale, while a US-based one will likely receive a message from the FBI.

People behind police Trojan/Ransomware have implemented improvements to make this threat more effective. Gone are the days when ransomware simply showed a message that users’ systems are “captured” and that they have to pay a fee to have them back.

As always, users are advised to avoid downloading software from unknown websites and following links embedded in unsolicited emails.
 

Bitcoin Miner Malware Posing as Trend Micro AV


Beware of a Trojan disguised as a Trend Micro component that drops Bitcoin-mining malware. Malware almost always comes in disguise, but some malware peddlers try to do a better job than others.

Malware writers have devised lots of social engineering tactics to lure users into their scheme. This time around, we saw a Trojan passing itself off as a Trend Micro component as a way to trick users into downloading and executing it.

Trend Micro researchers have recently uncovered a piece of malware that tried to pass itself off as "Trend Micro Anti Virus Plus Anti Spyware."

Unfortunately for those who get fooled, the software in question is a Trojan that creates the process svchost.exe and downloads additional malicious components such as a Bitcoin miner application created by Ufasoft. This particular application will, unbeknownst to the victim, use the infected system's resources to create Bitcoins for the people behind this scheme.

As always, users are advised to avoid downloading software from unknown websites and following links embedded in unsolicited emails.

Necurs: A Multipurpose Trojan


Necurs, a multipurpose trojan, is a prevalent threat in the wild at the moment: variants of Necurs were reported on 83,427 unique machines during the month of November 2012.





Necurs is mostly distributed by drive-by download. This means that you might be silently infected by Necurs when you visit websites that have been compromised by exploit kits such as Blackhole.

Necurs Trojan is capable of:

  • Modifying the computer's registry in order to make itself start after every reboot.
  • Dropping additional components that prevent a large number of security applications from functioning correctly, including the ones manufactured by Avira, Kaspersky Lab, Symantec and Microsoft. According to Microsoft's researchers, Microsoft Security Essentials' real-time protection option is often turned off after an infected computer has been rebooted.
  • Disabling the running firewall
  • Contacting a remote host for command and control instructions via HTTP port 80, and sometimes downloading and installing additional malware (mostly rogue AVs) and loading a malicious DLL component that allows attackers to send out spam via Gmail.
  • Creating a permanent backdoor into the system, which allows attackers to gain complete control of the affected computer.

In addition, Necurs contains backdoor functionality, allowing remote access and control of the infected computer. Necurs also monitors and filters network activity and has been observed to send spam and install rogue security software. Nefariousness aplenty.

Necurs uses MD5 and SHA1 to encrypt its network traffic data when sending or receiving, and contains a regularly updated driver that protects every Necurs component from being removed.


 