Skip navigation
Help

malware

warning: Creating default object from empty value in /var/www/vhosts/sayforward.com/subdomains/recorder/httpdocs/modules/taxonomy/taxonomy.pages.inc on line 33.
Original author: 
Dan Goodin

greyweed

Recently discovered malware targeting Android smartphones exploits previously unknown vulnerabilities in the Google operating system and borrows highly advanced functionality more typical of malicious Windows applications, making it the world's most sophisticated Android Trojan, a security researcher said.

The infection, named Backdoor.AndroidOS.Obad.a, isn't very widespread at the moment. The malware gives an idea of the types of smartphone malware that are possible, however, according to Kaspersky Lab expert Roman Unuchek in a blog post published Thursday. Sharply contrasting with mostly rudimentary Android malware circulating today, the highly stealthy Obad.a exploits previously unknown Android bugs, uses Bluetooth and Wi-Fi connections to spread to near-by handsets, and allows attackers to issue malicious commands using standard SMS text messages.

"To conclude this review, we would like to add that Backdoor.AndroidOS.Obad.a looks closer to Windows malware than to other Android trojans, in terms of its complexity and the number of unpublished vulnerabilities it exploits," Unuchek wrote. "This means that the complexity of Android malware programs is growing rapidly alongside their numbers."

Read 6 remaining paragraphs | Comments

0
Your rating: None
Original author: 
Cory Doctorow


Brian Krebs offers an in-depth look at a "cashout" service used by ransomware crooks to get money from their victims. Ransomware is malicious software that encrypts your personal files and demands that you pay a ransom for the key to decrypt them; the crooks who run the attacks demand that their victims buy prepaid MoneyPak cards and send the numbers for them by way of payment. But converting MoneyPaks to cash is tricky -- one laundry, which pipes the money through a horse/dog-track betting service -- charges a 60% premium.

* The ransomware victims who agree to purchase MoneyPak vouchers to regain control over their PCs.

* The guys operating the botnets that are pushing ransomware, locking up victim PCs, and extracting MoneyPak voucher codes from victims.

* The guy(s) running this cashout service.

* The “cashiers” or “cashers” on the back end who are taking the Moneypak codes submitted to the cashing service, linking those codes to fraudulently-obtained prepaid debit cards, and then withdrawing the funds via ATMs and wiring the proceeds back to the cashing service, minus their commission. The cashing service then credits a percentage of the MoneyPak voucher code values to the ransomware peddler’s account.

How much does the cashout service charge for all this work? More than half of the value of the MoneyPaks, it would seem. When a user logs in to the criminal service, he is greeted with the following message:

“Dear clients, due to decrease of infection rate on exploits we are forced to lift the price. The price is now 0.6. And also, I explained the rules for returns many times, we return only cheques which return on my side if you cash them out after then we lock the account! There are many clients who don’t return anything, and I will work only with these people now. I warn you.”

Cashout Service for Ransomware Scammers     

0
Your rating: None
Original author: 
Dan Goodin

Aurich Lawson / Thinkstock

Tens of thousands of websites, some operated by The Los Angeles Times, Seagate, and other reputable companies, have recently come under the spell of "Darkleech," a mysterious exploitation toolkit that exposes visitors to potent malware attacks.

The ongoing attacks, estimated to have infected 20,000 websites in the past few weeks alone, are significant because of their success in targeting Apache, by far the Internet's most popular Web server software. Once it takes hold, Darkleech injects invisible code into webpages, which in turn surreptitiously opens a connection that exposes visitors to malicious third-party websites, researchers said. Although the attacks have been active since at least August, no one has been able to positively identify the weakness attackers are using to commandeer the Apache-based machines. Vulnerabilities in Plesk, Cpanel, or other software used to administer websites is one possibility, but researchers aren't ruling out the possibility of password cracking, social engineering, or attacks that exploit unknown bugs in frequently used applications and OSes.

Researchers also don't know precisely how many sites have been infected by Darkleech. The server malware employs a sophisticated array of conditions to determine when to inject malicious links into the webpages shown to end users. Visitors using IP addresses belonging to security and hosting firms are passed over, as are people who have recently been attacked or who don't access the pages from specific search queries. The ability of Darkleech to inject unique links on the fly is also hindering research into the elusive infection toolkit.

Read 14 remaining paragraphs | Comments

0
Your rating: None

CrySyS Lab

Researchers have unearthed a decade-long espionage operation that used the popular TeamViewer remote-access program and proprietary malware to target high-level political and industrial figures in Eastern Europe.

TeamSpy, as the shadow group has been dubbed, collected encryption keys and documents marked as "secret" from a variety of high-level targets, according to a report published Wednesday by Hungary-based CrySyS Lab. Targets included a Russia-based Embassy for an undisclosed country belonging to both NATO and the European Union, an industrial manufacturer also located in Russia, multiple research and educational organizations in France and Belgium, and an electronics company located in Iran. CrySyS learned of the attacks after Hungary's National Security Authority disclosed intelligence that TeamSpy had hit an unnamed "Hungarian high-profile governmental victim."

Malware used in the attacks indicates that those responsible may have operated for years and may have also targeted figures in a variety of countries throughout the world. Adding intrigue to the discovery, techniques used in the attacks bear a striking resemblance to an online banking fraud ring known as Sheldon, and a separate analysis from researchers at Kaspersky Lab found similarities to the Red October espionage campaign that the Russia-based security firm discovered earlier this year.

Read 5 remaining paragraphs | Comments

0
Your rating: None


One of the Twitter feeds MiniDuke-infected machines use to locate a command-and-control server.

Kaspersky Lab

Unidentified attackers have infected government agencies and organizations in 23 countries with highly advanced malware that uses low-level code to stay hidden and Twitter and Google to ensure it always has a way to receive updates.

MiniDuke, as researchers from Kaspersky Lab and Hungary-based CrySyS Lab have dubbed the threat, bears the hallmark of viruses first encountered in the mid-1990s, when shadowy groups such as 29A engineered innovative pieces of malware for fun and then documented them in an E-Zine by the same name. Because MiniDuke is written in assembly language, most of its computer files are tiny. Its use of multiple levels of encryption and clever coding tricks makes the malware hard to detect and reverse engineer. It also employs a method known as steganography, in which updates received from control servers are stashed inside image files.

In another testament to the skill of the attackers, MiniDuke has taken hold of government agencies, think tanks, a US-based healthcare provider, and other high-profile organizations using the first known exploit to pierce the security sandbox in Adobe Systems' Reader application. Adding intrigue to this, the MiniDuke exploit code contained references to Dante Alighieri's Divine Comedy and also alluded to 666, the Mark of the Beast discussed in a verse from the Book of Revelation.

Read 11 remaining paragraphs | Comments

0
Your rating: None

Aurich Lawson

Researchers have uncovered a never-before-seen version of Stuxnet. The discovery sheds new light on the evolution of the powerful cyberweapon that made history when it successfully sabotaged an Iranian uranium-enrichment facility in 2009.

Stuxnet 0.5 is the oldest known version of the computer worm and was in development no later than November of 2005, almost two years earlier than previously known, according to researchers from security firm Symantec. The earlier iteration, which was in the wild no later than November 2007, wielded an alternate attack strategy that disrupted Iran's nuclear program by surreptitiously closing valves in that country's Natanz uranium enrichment facility. Later versions scrapped that attack in favor of one that caused centrifuges to spin erratically. The timing and additional attack method are a testament to the technical sophistication and dedication of its developers, who reportedly developed Stuxnet under a covert operation sponsored by the US and Israeli governments. It was reportedly personally authorized by Presidents Bush and Obama.

Also significant, version 0.5 shows that its creators were some of the same developers who built Flame, the highly advanced espionage malware also known as Flamer that targeted sensitive Iranian computers. Although researchers from competing antivirus provider Kaspersky Lab previously discovered a small chunk of the Flame code in a later version of Stuxnet, the release unearthed by Symantec shows that the code sharing was once so broad that the two covert projects were inextricably linked.

Read 24 remaining paragraphs | Comments

0
Your rating: None

Aurich Lawson

Some say we're living in a "post-PC" world, but malware on PCs is still a major problem for home computer users and businesses.

The examples are everywhere: In November, we reported that malware was used to steal information about one of Japan's newest rockets and upload it to computers controlled by hackers. Critical systems at two US power plants were recently found infected with malware spread by USB drives. Malware known as "Dexter" stole credit card data from point-of-sale terminals at businesses. And espionage-motivated computer threats are getting more sophisticated and versatile all the time.

In this second installment in the Ars Guide to Online Security, we'll cover the basics for those who may not be familiar with the different types of malware that can affect computers. Malware comes in a variety of types, including viruses, worms, and Trojans.

Read 35 remaining paragraphs | Comments

0
Your rating: None

Key parts of the infrastructure supporting an espionage campaign that targeted governments around the world reportedly have been shut down in the days since the five-year operation was exposed.

The so-called Red October campaign came to light on Monday in a report from researchers from antivirus provider Kaspersky Lab. It reported that the then-ongoing operation was targeting embassies as well as governmental and scientific research organizations in a wide variety of countries. The research uncovered more than 60 Internet domain names used to run the sprawling command and control network that funneled malware and received stolen data to and from infected machines. In the hours following the report, many of those domains and servers began shutting down, according to an article posted Friday by Kaspersky news service Threatpost.

"It's clear that the infrastructure is being shut down," Kaspersky Lab researcher Costin Raiu told the service. "Not only the registers killing the domains and the hosting providers killing the command-and-control servers but perhaps the attackers shutting down the whole operation."

Read 3 remaining paragraphs | Comments

0
Your rating: None

Enlarge

Kaspersky Lab

Researchers have uncovered an ongoing, large-scale computer espionage network that's targeting hundreds of diplomatic, governmental, and scientific organizations in at least 39 countries, including the Russian Federation, Iran, and the United States.

Operation Red October, as researchers from antivirus provider Kaspersky Lab have dubbed the highly coordinated campaign, has been active since 2007, raising the possibility it has already siphoned up hundreds of terabytes of sensitive information. It uses more than 1,000 distinct modules that have never been seen before to customize attack profiles for each victim. Among other things, components target individual PCs, networking equipment from Cisco Systems, and smartphones from Apple, Microsoft, and Nokia. The attack also features a network of command-and-control servers with a complexity that rivals that used by the Flame espionage malware that targeted Iran.

"This is a pretty glaring example of a multiyear cyber espionage campaign," Kaspersky Lab expert Kurt Baumgartner told Ars. "We haven't seen these sorts of modules being distributed, so the customized approach to attacking individual victims is something we haven't seen before at this level."

Read 13 remaining paragraphs | Comments

0
Your rating: None

In "Credibility ranking of tweets during high impact events," a paper published in the ACM's Proceedings of the 1st Workshop on Privacy and Security in Online Social Media , two Indraprastha Institute of Information Technology researchers describe the outcome of a machine-learning experiment that was asked to discover factors correlated with reliability in tweets during disasters and emergencies:

The number of unique characters present in tweet was positively correlated to credibility, this may be due to the fact
that tweets with hashtags, @mentions and URLs contain
more unique characters. Such tweets are also more informative and linked, and hence credible. Presence of swear words
in tweets indicates that it contains the opinion / reaction of
the user and would have less chances of providing informa-
tion about the event. Tweets that contain information or
are reporting facts about the event, are impersonal in nature, as a result we get a negative correlation of presence of
pronouns in credible tweets. Low number of happy emoticons [:-), :)] and high number of sad emoticons [:-(, :(] act
as strong predictors of credibility. Some of the other important features (p-value < 0.01) were inclusion of a URL in
the tweet, number of followers of the user who tweeted and
presence of negative emotion words. Inclusion of URL in a
tweet showed a strong positive correlation with credibility,
as most URLs refer to pictures, videos, resources related to
the event or news articles about the event.

Of course, this is all non-adversarial: no one is trying to trick a filter into mis-assessing a false account as a true one. It's easy to imagine an adversarial tweet-generator that suggests rewrites to deliberately misleading tweets to make them more credible to a filter designed on these lines. This is actually the substance of one of the cleverest science fiction subplots I've read: in Peter Watt's Behemoth, in which a self-modifying computer virus randomly hits on the strategy of impersonating communications from patient zero in a world-killing pandemic, because all the filters allow these through. It's a premise that's never stopped haunting me: the co-evolution of a human virus and a computer virus.

Credibility Ranking of Tweets during High Impact Events [PDF]

(via /.)

0
Your rating: None