Showing posts with label Malware News. Show all posts
Tuesday, January 21, 2014
Hackers use refrigerator in cyber attack
Call it the attack of the zombie refrigerators.
Computer security researchers say they have discovered a large "botnet" which infected internet-connected home appliances and then delivered more than 750,000 malicious emails.
The California security firm Proofpoint, which announced its findings, said this may be the first proven "internet of things" based cyber attack involving "smart" appliances.
Proofpoint said hackers managed to penetrate home-networking routers, connected multimedia centres, televisions and at least one refrigerator to create a botnet — or platform to deliver malicious spam or phishing emails from a device, usually without the owner's knowledge.
But Proofpoint said the case "has significant security implications for device owners and enterprise targets" because of massive growth expected in the use of smart and connected devices, from clothing to appliances.
"Proofpoint's findings reveal that cyber criminals have begun to commandeer home routers, smart appliances and other components of the internet of things and transform them into 'thingbots'", to carry out the same kinds of attacks normally associated with personal computers.
The security firm said these appliances may become attractive targets for hackers because they often have less security than PCs or tablets.
Proofpoint said it documented the incidents between December 23 and January 6, which featured "waves of malicious email, typically sent in bursts of 100,000, three times per day, targeting enterprises and individuals worldwide".
More than 25 per cent of the volume was sent by devices that were not conventional laptops, desktop computers or mobile devices. No more than 10 emails were initiated from any single device, making the attack difficult to block on a per-source basis.
"Botnets are already a major security concern and the emergence of thingbots may make the situation much worse," said David Knight at Proofpoint.
"Many of these devices are poorly protected at best and consumers have virtually no way to detect or fix infections when they do occur. Enterprises may find distributed attacks increasing as more and more of these devices come online and attackers find additional ways to exploit them."
Saturday, June 8, 2013
Android malware discovered, most advanced yet claims researchers
Security researchers have discovered what is claimed to be the most sophisticated Android malware ever seen.
Dubbed Obad, the malware can send texts to premium-rate numbers, download and install additional malware and remotely execute console commands. It also uses complex obfuscation techniques to evade detection.
The malware was unearthed by researchers at IT security firm Kaspersky Lab, who said that once a smartphone is infected, the malware quickly gains elevated privileges on the phone and starts working in the background. The Trojan then attempts to spread over Wi-Fi and Bluetooth by sending malicious files to other phones.
Obad also exploits vulnerabilities in the Android OS. One lets it obtain Device Administrator privileges without appearing in the list of applications that hold them, making it virtually impossible for a user to delete it from the device. Another flaw relates to the processing of the AndroidManifest.xml file, which exists in every Android application and is used to describe the application's structure and define its launch parameters.
"The malware modifies AndroidManifest.xml in such a way that it does
not comply with Google standards, but is still correctly processed on a
smartphone thanks to the exploitation of the identified vulnerability,"
said Roman Unuchek, Kaspersky Lab Expert. "All of this made it extremely
difficult to run dynamic analysis on this Trojan."
Obad's authors also exploited a bug in dex2jar, the tool analysts use to convert an APK's Dalvik bytecode into a JAR of Java classes; the conversion breaks on the Trojan, which complicates static analysis.
The Trojan collects large amounts of data from the device, which it passes back to the attackers through a command-and-control (C&C) server, according to Unuchek. The collected information is sent to the server as an encrypted JSON object.
This information is sent to the current C&C server every time a connection is established. In addition, the malicious program reports its current status to its owner: it sends the current table of premium numbers and prefixes to which to send text messages, the task list, and the list of C&C servers. During the first C&C session it sends a blank table and the list of C&C addresses it decrypted from its own code. During a session the Trojan may receive an updated table of premium numbers and a new list of C&C addresses.
Unuchek said that the malware "looks closer to Windows malware than to other Android Trojans, in terms of its complexity and the number of unpublished vulnerabilities it exploits."
"This means that the complexity of Android malware programs is growing rapidly alongside their numbers," he said.
Sunday, May 26, 2013
New Android Virus Forwards Messages To Hackers
A new Trojan infecting Android phones is capable of intercepting inbound text messages and forwarding them to hackers. The malware, called Android.Pincer.2.origin, is particularly troubling because it can defeat the SMS-based two-step verification systems employed by online banking, email and social media accounts.
The malware, discovered by Russian antivirus company Doctor Web, spreads as a fake security certificate that tricks users into thinking they need to install it on their Android phones. After installation, users get a notification that installation was successful, but the malware does nothing else noticeable. It instead runs in the background, connecting to a remote server and sending information about the user's Android device, including model and serial number, carrier information, phone number and operating system version.
A new virus infects Android phones, forwarding text messages to hackers.
Once connected, hackers can send the malware instructions to intercept and forward messages from specific phone numbers, send new text messages, display a message on the Android device’s screen, and other deceptive activities.
The ability to specify a phone number from which to intercept messages allows a hacker to use the malware for targeted attacks, stealing only specific messages that contain valuable information. For example, the hacker could set the malware to forward texts received from banking services.
Two-step verification systems often use text messages to verify a user's identity. The user registers his or her phone number with the service, and when they attempt to log in, the service sends a text message with a one-time code. The user must then enter this code to complete the login.
The system, which Kim Dotcom claimed Thursday to have invented, is designed to protect against phishing scams and credential-stealing malware that send hackers the login information. When an account requires a second code that is randomized each time and sent to a device that only the user has access to, not even a hacker holding the primary user name and password can get in. Twitter announced a two-step verification system on Wednesday after hackers compromised several high-profile Twitter accounts.
But if a hacker can read the phone's messages and set the malware to forward every message sent from Twitter or a bank, they can capture that code and take over the account. Stay on the lookout and be careful to install software only from trusted sources.
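Both Obad (device-administrator abuse, premium-rate SMS, a manifest crafted to trip up analysis tools) and Pincer (intercepting inbound SMS) have to declare the capabilities they use in AndroidManifest.xml, which makes the manifest a cheap first triage point. The Python below is an added example, not code from Kaspersky or Doctor Web; it reads a decoded manifest (for instance the text apktool produces) and flags those capabilities, treating a manifest the XML parser rejects as a finding in its own right. The package name, receiver names and manifest content are constructed for the illustration.

```python
"""Static triage of a decoded AndroidManifest.xml for the capabilities the
Obad and Pincer Trojans rely on.

Added example, not vendor code. Input is the manifest as text (e.g. after
decoding the APK with apktool); the embedded sample is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"

# Constructed sample in the shape of an SMS-stealing, device-admin Trojan.
# The ordered broadcast receiver carries the maximum priority so it sees an
# inbound SMS before the stock messaging app does.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakecert">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Security Certificate">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def triage_manifest(xml_text):
    """Return a list of human-readable findings for one decoded manifest."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Obad shipped a manifest that breaks the spec yet still installs on
        # the device. A manifest our tooling cannot parse is a finding, not
        # a reason to drop the sample from the queue.
        return [f"manifest does not parse ({exc}); treat as evasive"]

    findings = []
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    if "android.permission.SEND_SMS" in perms:
        findings.append("SEND_SMS: can text premium-rate numbers")

    for recv in root.iter("receiver"):
        name = recv.get(ANDROID_NS + "name")
        if recv.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERM:
            findings.append(f"{name}: device-admin receiver (resists uninstall)")
        for filt in recv.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in filt.iter("action")}
            if SMS_RECEIVED in actions and "android.permission.RECEIVE_SMS" in perms:
                prio = int(filt.get(ANDROID_NS + "priority", "0"))
                note = " at maximum priority (sees 2FA codes first)" if prio >= 1000 else ""
                findings.append(f"{name}: receives SMS_RECEIVED{note}")
    return findings

if __name__ == "__main__":
    for line in triage_manifest(SAMPLE_MANIFEST):
        print("-", line)
    # Deliberately malformed input exercises the parse-failure path.
    print(triage_manifest("<manifest><application></manifest>"))
</```

None of these declarations is malicious on its own (a legitimate messaging app needs RECEIVE_SMS, an MDM agent needs BIND_DEVICE_ADMIN), so the output is a prioritisation aid for an analyst, not a verdict.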
Friday, February 8, 2013
Chinese malware campaign 'Beebus' targets US defense industries
A Chinese malware campaign called 'Beebus', specifically targeting the aerospace and defense industries, has been uncovered by FireEye security researchers. Beebus is designed to steal information, and begins its infiltration, as so many attacks do, with spear-phishing emails.
Operation Beebus is closely related to Operation Shady RAT and was first detected in April 2011. The attackers used spear-phishing emails and drive-by downloads to infect end users: malicious whitepapers or PDFs were mailed to targets, and by exploiting known flaws the malware installed Trojan backdoors on vulnerable systems. The malware communicates with a remote command-and-control (CnC) server.
FireEye discovered the attacks on some of its aerospace and defence customers last March. The backdoor relies on the Windows weakness known as DLL search order hijacking: it drops a DLL called ntshrui.DLL into the C:\Windows directory, where explorer.exe (which lives in the same directory) finds it before the legitimate ntshrui.dll in C:\Windows\System32, so the malicious library is loaded every time Explorer starts.
It has modules to capture system information such as processor, disk, memory, OS, process ID, process start time and current user, and another module to download and execute additional payloads and updates.
The original PDF was modified using the Ghostscript tool to produce the weaponized PDF. Researchers believe Beebus is a Chinese campaign because of its similarities to Operation Shady RAT.
The Beebus attackers also used TTPs (tactics, techniques, and procedures) identical to those seen in the RSA hack. Researchers believe that a group called "Comment Group" or "Comment Team," associated with the Chinese government, is behind the Operation Beebus campaign.
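The ntshrui.DLL drop works because of where Windows looks for a DLL that is loaded by bare name. The Python below is an added example, not FireEye's code; it models the default search order against a constructed filesystem snapshot (the paths are invented, the mechanism is real) and flags any DLL that resolves outside System32 while a legitimate System32 copy exists. KnownDLLs, which Windows maps from System32 regardless of the search order, are exempted using a small illustrative list.

```python
"""Where Windows finds a DLL requested by name, and how a copy dropped beside
the executable hijacks the load.

Added example, not FireEye's code. The filesystem is a constructed set of
path strings (invented), so the logic runs on any OS; a real check would
walk the disk or a triage image with the same rules.
"""
from pathlib import PureWindowsPath

SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
WINDIR = PureWindowsPath(r"C:\Windows")
# Illustrative subset only. KnownDLLs are mapped from System32 regardless of
# the search order, so they cannot be hijacked this way.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}

def search_order(exe_path, cwd, path_env):
    """Default order with SafeDllSearchMode on: the application's directory,
    System32, the 16-bit System dir, the Windows dir, the current directory,
    then each %PATH% entry."""
    order = [PureWindowsPath(exe_path).parent, SYSTEM32, WINDIR / "System",
             WINDIR, PureWindowsPath(cwd)]
    order += [PureWindowsPath(p) for p in path_env.split(";") if p]
    return order

def resolve_dll(exe_path, dll_name, fs, cwd=r"C:\Users\victim", path_env=""):
    """Return the path string Windows would load for dll_name, or None."""
    if dll_name.lower() in KNOWN_DLLS:
        return str(SYSTEM32 / dll_name)
    present = {PureWindowsPath(p) for p in fs}  # PureWindowsPath compares case-insensitively
    for directory in search_order(exe_path, cwd, path_env):
        candidate = directory / dll_name
        if candidate in present:
            return str(candidate)
    return None

def hijack_findings(exe_path, dll_names, fs):
    """Flag DLLs that resolve somewhere other than System32 while a System32
    copy exists: the genuine library is being shadowed."""
    present = {PureWindowsPath(p) for p in fs}
    findings = []
    for name in dll_names:
        loaded = resolve_dll(exe_path, name, fs)
        genuine = SYSTEM32 / name
        if loaded is not None and PureWindowsPath(loaded) != genuine and genuine in present:
            findings.append((name, loaded))
    return findings

# Constructed snapshot: the genuine ntshrui.dll in System32, and the
# attacker's copy dropped next to explorer.exe in C:\Windows.
EXPLORER = r"C:\Windows\explorer.exe"
CLEAN_FS = {EXPLORER,
            r"C:\Windows\System32\ntshrui.dll",
            r"C:\Windows\System32\kernel32.dll"}
INFECTED_FS = CLEAN_FS | {r"C:\Windows\ntshrui.dll", r"C:\Windows\kernel32.dll"}
DLLS = ["ntshrui.dll", "kernel32.dll"]

if __name__ == "__main__":
    print(hijack_findings(EXPLORER, DLLS, CLEAN_FS))     # nothing shadowed
    print(hijack_findings(EXPLORER, DLLS, INFECTED_FS))  # ntshrui.dll only
```

The infected snapshot also drops a rogue kernel32.dll beside explorer.exe; it is not reported, because a KnownDLL never goes through the directory walk. That distinction is why attackers pick libraries such as ntshrui.dll that the host process loads by name but that are not on the KnownDLLs list.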
Sunday, February 3, 2013
DNS Changer malware mastermind pleaded guilty
Remember the DNS Changer malware that infected at least four million computers in more than 100 countries, including 500,000 in the United States?
Valeri Aleksejev, 32, from Estonia, is the first of the seven accused to enter a plea, admitting his guilt for his role in the global scam that netted approximately $14 million. He faces up to 25 years in prison, deportation and the forfeiture of $7 million.
The other six individuals have been named as Anton Ivanov, Vladimir Tsastsin, Timur Gerassimenko, Dmitri Jegorov, Konstantin Poltev, and Andrey Taame. This was the first large-scale Internet fraud criminal case to come to trial.
The scam had several components, including click-hijacking fraud; the malware was delivered to victims' PCs when they visited specially crafted websites or downloaded phony video codec software.
The malware changed the DNS settings of infected computers and, in some cases, the DNS settings of the routers they were connected to, so that the victims' name lookups were answered by servers the gang controlled.
Monday, January 28, 2013
Three indicted for making, spreading Gozi Trojan
Three alleged cyber criminals from Russia, Romania and Latvia have been charged with spreading a computer virus called "Gozi" to more than a million computers worldwide and stealing tens of millions of dollars.
Nikita Kuzmin, 25, Deniss Calovskis, 27, and Mihai Ionut Paunescu, 28, are accused of creating "one of the most financially destructive computer viruses in history."
The Gozi virus was spread largely via PDF files attached to spam emails. Once a user opened the attachment, the malware infected the victim's system.
The malware steals user names, passwords, and other security information.
Monday, November 5, 2012
NBC website was Hacked
Several NBC websites were hacked on Sunday (4 November 2012) by a hacktivist group calling itself "pyknic", whose defacement suggested a possible link to the cyber-attack group Anonymous.
The defacement of the affected sub-sites appeared to have been cleaned up within a couple of hours, and NBC's various websites appeared to be functioning normally as of Sunday evening Eastern time. However, cached versions maintained by search engines such as Google and Bing still bore the message "hacked by pyknic", a possible reference to an obscure hacker or "hacktivist" group.
The message said "REMEMBER, REMEMBER THE FIFTH OF NOVEMBER, THE GUNPOWDER TREASON AND PLOT. I KNOW OF NO REASON WHY THE GUNPOWDER TREASON SHOULD EVER BE FORGOT."
Additionally, the attackers claimed to have stolen user names and passwords from NBC's site, but NBC has not officially verified these claims, nor indicated which of its users might be affected if they are true.
Tuesday, October 30, 2012
Virus Threat Hits Israeli Foreign Ministry
A number of Israel's government offices have fallen victim to a cyber attack over the past week, one apparently aimed at slipping a Trojan horse into the computer servers at these ministries.
According to reports from Haaretz, a senior government official stressed that the threat facing the police was being investigated by experts. It is also not clear whether either breach involved a wide-scale cyber-attack or a virus infecting only a few computers.
Israeli police pulled their national computer network off the civilian Internet immediately after the threat was discovered. The Trojan horse was sent as files attached to emails bearing the name of IDF Chief of Staff Benny Gantz in the subject line.
Government employees were advised not to open emails or Facebook messages showing such suspicious activity. Dozens of identical emails were sent Wednesday to Israeli embassies abroad and to Foreign Ministry employees in Israel.
The intelligence tip did not indicate the culprit behind the attack, but it appeared to be an external organization. The police are still trying to identify the source.
Sunday, October 21, 2012
Malware circulating via Skype
"LOL is this your new profile pic" is the malicious Skype message, sent together with a shortened URL, being used to spread malware through Skype chats. The link was clicked more than 480,000 times within two hours, according to Kaspersky Lab threat analyst Dmitry Bestuzhev, as reported by cso.com.au on October 11, 2012.
The most troubling part is that initially only 2 of 44 antivirus engines identified the threat; the number has since risen to 27, which is still quite low. The click counts indicate that about a million users must have followed the links and been exposed to infection.
To widen the campaign, the malware distributors also translated the message into other languages, including Latvian and Spanish, to pull in more users.
The malware in this campaign is detected as Trojan.Win32.Bublik.jdb by Kaspersky and gives the attackers control of the affected machine. Besides installing ransomware and carrying out click fraud, it can steal passwords for adult websites, file lockers, online banking and social media, including PayPal, Yahoo, Facebook, Netflix, The Pirate Bay, GoDaddy, and eBay, the security expert added.
The Trojan also spreads via USB devices using Autorun, and through MSN Messenger and Skype, using the Skype passwords saved on the infected machine to switch automatically between the available accounts.
As a recommendation, Kaspersky concluded that to protect yourself from this malware, don't click on links offered through Skype or any other instant messaging service. Also, never download unknown archives and extract zip files to open their contents, especially if you are unaware of what they contain.
The compact URL is still receiving a few clicks and till now, it has racked up over 1 Million clicks in four days, starting from October 6, 2012.
According to Bestuzhev, almost half the clicks were generated within 48 hours of the malware's release, indicating that a huge number of contacts were infected during that period.
Friday, October 19, 2012
French Android Malware Creator Arrested for Stealing $653,700
A French hacker was arrested this week after spreading a money-stealing Trojan through various fake smartphone applications. The malware allowed him to steal small sums from more than 17,000 Android phone owners.
By the time his skimming scam was discovered the 20-year-old had taken €500,000 ($653,700).
According to the hacker, his smartphone scam was motivated not by greed but by his love of technology and his desire to eventually become a software engineer. In reality his scam was driven by money: he kept it going for nearly a year before he was caught.
Working out of his parents' basement (yes, we know that's a cliche) in Amiens, France, the man wrote free apps that were meant to look like commercial offerings. After users installed the apps, a text message was sent without the user's permission or knowledge to a premium-rate number the man had set up to receive mobile payments.
The hack also sent back user credentials for gaming and gambling websites the victims had visited and used.
News of the hack comes just three months after security firm BT claimed that one-third of all Android-based cell phones suffer from some sort of malware infection.
Malware on Android devices is typically the result of users downloading apps from stores outside Google Play. In many cases such apps are not properly vetted and are put up for sale despite containing malware and other malicious code, issues that Google would normally find and remove.
Sunday, October 14, 2012
New THC attack tool targets Web servers using secure connections
THC, the German-based hacker group, has released a program it asserts will allow a single computer to take down a Web server that uses secure connections.
The THC-SSL-DOS tool, released two days earlier, exploits the cost asymmetry of SSL renegotiation: a handshake is far more expensive for the server than for the client, and renegotiation lets one established connection demand handshake after handshake. SSL renegotiation allows a client and server to negotiate new session keys over an already established SSL connection.
The group, known as The Hacker's Choice, said it released the tool to draw attention to weaknesses in SSL, the protocol that lets sensitive data flow between Web sites and an individual user's computer without being intercepted.
The attack also works on servers that don't have SSL renegotiation enabled, the group said, but requires some modification and more computers. The group said the tool will allow a single IBM laptop to take down the average server over a standard DSL connection.
Tuesday, October 9, 2012
New TDL4 rootkit successfully hiding from Antivirus
A new variant of TDL4 has been identified, and within two months of detection it is ranked as the second most prevalent malware strain.
Its characteristics are similar to the iteration of the TDL4 rootkit detected by Damballa a month ago. Damballa picked it up through its network behavioral analysis software, which spotted the algorithmically generated domain names this new variant apparently uses for command-and-control communication.
Since Damballa could only infer the existence of the new malware by looking for domain fluxing, it concluded that no binary samples had yet been identified and categorised by commercial antivirus products operating at the host or network level.
HitmanPro, however, has detected Sst.c, also known as Maxss, a modification of the TDL4 strain, and it is spreading fast.
This new variant is capable of infecting the Volume Boot Record (VBR), the first sector of a partition (not the partition table, which lives in the MBR), and commercial antivirus products are unable to detect it, let alone remove it.
Joseph Souren, Vice President and GM Wave Systems EMEA, has provided the following commentary:
“Following the success of TDL4, hackers have been able to use the rootkit to develop new variants that continue to go undetected by antivirus. The latest iteration, dubbed Sst.c, infects the Volume Boot Record.
Without embedded hardware security to detect anomalies of behaviour in the boot process, it starts to cause havoc, damaging the network. It also reduces the window of detection for the enterprise to contain the threat.
The best protection is based on the Trusted Platform Module (TPM) chip. The TPM stores the signatures of critical start-up components of the machine, and the ones that are most important are used early in the boot process, before the antivirus initiates.
By utilizing TPMs, the enterprise can collect data from the computers and correlate computer information that is not visible to traditional malware scanning software. The IT manager is alerted when unwanted changes are detected.
It’s undoubtedly not the last we will hear of these types of Advanced Persistent Threats (APT), and activating and managing embedded hardware security is the only way to detect these attacks early enough to prevent damage to the network.”
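The measured-boot mechanism Souren alludes to is easier to see in code. The Python below is an added example, not Wave Systems' product code; it models the TPM's PCR extend operation (PCR_new = SHA-1(PCR_old || SHA-1(component)), using the SHA-1 bank of the TPM 1.2 parts common at the time; TPM 2.0 adds SHA-256 banks) over a constructed four-stage boot chain whose blobs are invented, and shows that replacing the VBR changes the final PCR value even though every later stage measures exactly as before.

```python
"""Why a measured boot catches a Volume Boot Record infection that an
antivirus running inside the booted OS misses.

Added example, not vendor code. Models TPM_Extend over a constructed boot
chain; the "MBR", "VBR", "bootmgr" and "winload" blobs are made up.
"""
import hashlib

PCR_SIZE = 20  # one SHA-1 PCR, as on TPM 1.2

def measure(blob):
    """Digest of a boot component, as the firmware would compute before
    handing control to it."""
    return hashlib.sha1(blob).digest()

def extend(pcr, digest):
    """TPM_Extend: a PCR can only be folded forward, never written directly,
    so later code cannot erase an earlier measurement."""
    return hashlib.sha1(pcr + digest).digest()

def measured_boot(components):
    """Run the chain: return (final PCR, event log of (stage, digest hex))."""
    pcr = b"\x00" * PCR_SIZE
    log = []
    for name, blob in components:
        digest = measure(blob)
        pcr = extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log

def first_divergence(golden_log, observed_log):
    """Name of the first stage whose measurement differs, or None."""
    for (g_name, g_hash), (_, o_hash) in zip(golden_log, observed_log):
        if g_hash != o_hash:
            return g_name
    return None

# Constructed boot chain. A bootkit that infects the VBR alters that sector's
# measurement; bootmgr and winload are untouched and measure as before, yet
# the chained PCR no longer matches the sealed reference.
GOLDEN = [("MBR", b"fake mbr code 55aa"),
          ("VBR", b"fake ntfs vbr: load bootmgr"),
          ("bootmgr", b"fake bootmgr"),
          ("winload", b"fake winload")]
INFECTED = [GOLDEN[0],
            ("VBR", b"fake ntfs vbr: load bootkit, then bootmgr")] + GOLDEN[2:]

golden_pcr, golden_log = measured_boot(GOLDEN)
infected_pcr, infected_log = measured_boot(INFECTED)

def boot_is_trusted(observed_pcr, expected_pcr=golden_pcr):
    """The attestation check: the reference PCR recorded on a known-good
    machine against what the TPM reports now."""
    return observed_pcr == expected_pcr

if __name__ == "__main__":
    print("golden   PCR:", golden_pcr.hex())
    print("infected PCR:", infected_pcr.hex())
    print("trusted?     ", boot_is_trusted(infected_pcr))
    print("diverges at: ", first_divergence(golden_log, infected_log))
```

In the infected run the event log shows identical digests for bootmgr and winload, so a naive per-file comparison of late-stage components sees nothing wrong; only the VBR entry and, because of chaining, the final PCR differ. That is the property the enterprise attestation check relies on: an antivirus loaded by a hijacked boot path cannot observe the hijack, but the PCR value was fixed before that path ran.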