Skip navigation
Help

Kaspersky Lab.

warning: Creating default object from empty value in /var/www/vhosts/sayforward.com/subdomains/recorder/httpdocs/modules/taxonomy/taxonomy.pages.inc on line 33.
Original author: 
Dan Goodin

greyweed

Recently discovered malware targeting Android smartphones exploits previously unknown vulnerabilities in the Google operating system and borrows highly advanced functionality more typical of malicious Windows applications, making it the world's most sophisticated Android Trojan, a security researcher said.

The infection, named Backdoor.AndroidOS.Obad.a, isn't very widespread at the moment. The malware gives an idea of the types of smartphone malware that are possible, however, according to Kaspersky Lab expert Roman Unuchek in a blog post published Thursday. Sharply contrasting with mostly rudimentary Android malware circulating today, the highly stealthy Obad.a exploits previously unknown Android bugs, uses Bluetooth and Wi-Fi connections to spread to near-by handsets, and allows attackers to issue malicious commands using standard SMS text messages.

"To conclude this review, we would like to add that Backdoor.AndroidOS.Obad.a looks closer to Windows malware than to other Android trojans, in terms of its complexity and the number of unpublished vulnerabilities it exploits," Unuchek wrote. "This means that the complexity of Android malware programs is growing rapidly alongside their numbers."

Read 6 remaining paragraphs | Comments

0
Your rating: None
Original author: 
Dan Goodin

Researchers have uncovered an ongoing cyberespionage campaign targeting more than 30 online video game companies over the past four years.

The companies infected by the malware primarily market so-called massively multiplayer online role-playing games. They're mostly located in South East Asia, but are also in the US, Germany, Japan, China, Russia, Brazil, Peru, and Belarus, according to a release published Thursday by researchers from antivirus provider Kaspersky Lab. The attackers work from computers with Chinese and Korean language configurations. They used their unauthorized access to obtain digital certificates that were later exploited in malware campaigns targeting other industries and political activists.

So far, there's no evidence that customers of the infected game companies were targeted, although in at least one case, malicious code was accidentally installed on gamers' computers by one of the infected victim companies. Kaspersky said there was another case of end users being infected by the malware, which is known as "Winnti." The company didn't rule out the possibility that players could be hit in the future, potentially as a result of collateral damage.

Read 4 remaining paragraphs | Comments

0
Your rating: None

CrySyS Lab

Researchers have unearthed a decade-long espionage operation that used the popular TeamViewer remote-access program and proprietary malware to target high-level political and industrial figures in Eastern Europe.

TeamSpy, as the shadow group has been dubbed, collected encryption keys and documents marked as "secret" from a variety of high-level targets, according to a report published Wednesday by Hungary-based CrySyS Lab. Targets included a Russia-based Embassy for an undisclosed country belonging to both NATO and the European Union, an industrial manufacturer also located in Russia, multiple research and educational organizations in France and Belgium, and an electronics company located in Iran. CrySyS learned of the attacks after Hungary's National Security Authority disclosed intelligence that TeamSpy had hit an unnamed "Hungarian high-profile governmental victim."

Malware used in the attacks indicates that those responsible may have operated for years and may have also targeted figures in a variety of countries throughout the world. Adding intrigue to the discovery, techniques used in the attacks bear a striking resemblance to an online banking fraud ring known as Sheldon, and a separate analysis from researchers at Kaspersky Lab found similarities to the Red October espionage campaign that the Russia-based security firm discovered earlier this year.

Read 5 remaining paragraphs | Comments

0
Your rating: None


One of the Twitter feeds MiniDuke-infected machines use to locate a command-and-control server.

Kaspersky Lab

Unidentified attackers have infected government agencies and organizations in 23 countries with highly advanced malware that uses low-level code to stay hidden and Twitter and Google to ensure it always has a way to receive updates.

MiniDuke, as researchers from Kaspersky Lab and Hungary-based CrySyS Lab have dubbed the threat, bears the hallmark of viruses first encountered in the mid-1990s, when shadowy groups such as 29A engineered innovative pieces of malware for fun and then documented them in an E-Zine by the same name. Because MiniDuke is written in assembly language, most of its computer files are tiny. Its use of multiple levels of encryption and clever coding tricks makes the malware hard to detect and reverse engineer. It also employs a method known as steganography, in which updates received from control servers are stashed inside image files.

In another testament to the skill of the attackers, MiniDuke has taken hold of government agencies, think tanks, a US-based healthcare provider, and other high-profile organizations using the first known exploit to pierce the security sandbox in Adobe Systems' Reader application. Adding intrigue to this, the MiniDuke exploit code contained references to Dante Alighieri's Divine Comedy and also alluded to 666, the Mark of the Beast discussed in a verse from the Book of Revelation.

Read 11 remaining paragraphs | Comments

0
Your rating: None

Aurich Lawson

Researchers have uncovered a never-before-seen version of Stuxnet. The discovery sheds new light on the evolution of the powerful cyberweapon that made history when it successfully sabotaged an Iranian uranium-enrichment facility in 2009.

Stuxnet 0.5 is the oldest known version of the computer worm and was in development no later than November of 2005, almost two years earlier than previously known, according to researchers from security firm Symantec. The earlier iteration, which was in the wild no later than November 2007, wielded an alternate attack strategy that disrupted Iran's nuclear program by surreptitiously closing valves in that country's Natanz uranium enrichment facility. Later versions scrapped that attack in favor of one that caused centrifuges to spin erratically. The timing and additional attack method are a testament to the technical sophistication and dedication of its developers, who reportedly developed Stuxnet under a covert operation sponsored by the US and Israeli governments. It was reportedly personally authorized by Presidents Bush and Obama.

Also significant, version 0.5 shows that its creators were some of the same developers who built Flame, the highly advanced espionage malware also known as Flamer that targeted sensitive Iranian computers. Although researchers from competing antivirus provider Kaspersky Lab previously discovered a small chunk of the Flame code in a later version of Stuxnet, the release unearthed by Symantec shows that the code sharing was once so broad that the two covert projects were inextricably linked.

Read 24 remaining paragraphs | Comments

0
Your rating: None

Key parts of the infrastructure supporting an espionage campaign that targeted governments around the world reportedly have been shut down in the days since the five-year operation was exposed.

The so-called Red October campaign came to light on Monday in a report from researchers from antivirus provider Kaspersky Lab. It reported that the then-ongoing operation was targeting embassies as well as governmental and scientific research organizations in a wide variety of countries. The research uncovered more than 60 Internet domain names used to run the sprawling command and control network that funneled malware and received stolen data to and from infected machines. In the hours following the report, many of those domains and servers began shutting down, according to an article posted Friday by Kaspersky news service Threatpost.

"It's clear that the infrastructure is being shut down," Kaspersky Lab researcher Costin Raiu told the service. "Not only the registers killing the domains and the hosting providers killing the command-and-control servers but perhaps the attackers shutting down the whole operation."

Read 3 remaining paragraphs | Comments

0
Your rating: None

Enlarge

Kaspersky Lab

Researchers have uncovered an ongoing, large-scale computer espionage network that's targeting hundreds of diplomatic, governmental, and scientific organizations in at least 39 countries, including the Russian Federation, Iran, and the United States.

Operation Red October, as researchers from antivirus provider Kaspersky Lab have dubbed the highly coordinated campaign, has been active since 2007, raising the possibility it has already siphoned up hundreds of terabytes of sensitive information. It uses more than 1,000 distinct modules that have never been seen before to customize attack profiles for each victim. Among other things, components target individual PCs, networking equipment from Cisco Systems, and smartphones from Apple, Microsoft, and Nokia. The attack also features a network of command-and-control servers with a complexity that rivals that used by the Flame espionage malware that targeted Iran.

"This is a pretty glaring example of a multiyear cyber espionage campaign," Kaspersky Lab expert Kurt Baumgartner told Ars. "We haven't seen these sorts of modules being distributed, so the customized approach to attacking individual victims is something we haven't seen before at this level."

Read 13 remaining paragraphs | Comments

0
Your rating: None

An overview of a chosen-prefix collision

Marc Stevens

Flame

The Flame espionage malware that infected computers in Iran achieved mathematic breakthroughs that could only have been accomplished by world-class cryptographers, two of the world's foremost cryptography experts said.

"We have confirmed that Flame uses a yet unknown MD5 chosen-prefix collision attack," Marc Stevens and B.M.M. de Weger wrote in an e-mail posted to a cryptography discussion group earlier this week. "The collision attack itself is very interesting from a scientific viewpoint, and there are already some practical implications."

"Collision" attacks, in which two different sources of plaintext generate identical cryptographic hashes, have long been theorized. But it wasn't until late 2008 that a team of researchers made one truly practical. By using a bank of 200 PlayStation 3 consoles to find collisions in the MD5 algorithm—and exploiting weaknesses in the way secure sockets layer certificates were issued—they constructed a rogue certificate authority that was trusted by all major browsers and operating systems. Stevens, from the Centrum Wiskunde & Informatica in Amsterdam, and de Weger, of the Technische Universiteit Eindhoven were two of the driving forces behind the research that made it possible.

Read more | Comments

0
Your rating: None



Security researchers have disabled the latest botnet created with Kelihos malware, stopping a 116,000-bot-strong operation devoted to Bitcoin hacking and other crimes. Announced today, the operation took place last week and was run by Kaspersky Lab, CrowdStrike, Dell SecureWorks, and the Honeynet Project.

While the first Kelihos botnet (also known as "Hlux") was taken down last September, an entirely new botnet using the same code was identified earlier this year.

In addition to spamming and distributed denial-of-service attacks, this latest botnet was capable of both stealing Bitcoin wallets from infected computers, and BitCoin mining, which uses the resources of victimized computers to make new Bitcoins.

Read the rest of this article...

Read the comments on this post

0
Your rating: None



Crooks have found a new venue to push malware: the official Google Chrome Web Store. It was recently used to hawk Chrome browser extensions secretly hijacking users' Facebook profiles.

According to Kaspersky Lab expert Fabio Assolini, one malicious extension hosted on Google's own servers contained hidden code that "can gain complete control" of the user's Facebook profile. The extension then used that access to spread malicious messages and register Facebook Likes for certain items, also inviting fellow users to install it. The same operators advertised a service that delivered Likes of companies looking to promote their profiles. It costs about $27 per 1,000 Likes.

The company distributing this malicious extension was unnamed in the report as was the specific app. Assolini said Google personnel removed the malicious extension shortly after Kaspersky reported it to them. "But we noted the bad guys behind this malicious scheme are uploading new extensions regularly, in a cat and mouse game," he warned. He didn't elaborate on the number of extensions or how long he's been observing them other than to say the malicious app Kaspersky discovered had 932 users.

Over the past few years, the openness of Google's Android Market has represented one of the more conspicuous ways its users are attacked. As the software equivalent of a Wikipedia-like bazaar to which anyone may contribute, it has repeatedly been seeded with applications that take liberties with end users' phones and data. Kaspersky's report suggests similar attacks are exploiting Google's Chrome Web Store.

"It is against the Chrome Web Store Content Policies to distribute malware," a Google spokesman wrote in an email. "When we detect items containing malware or learn of them through reports, we remove them from the Chrome Web Store and from active Chrome instances. We've already removed several of these extensions, and we are improving our automated systems to help detect them even faster."

Last month, Google unveiled a cloud-based service called Bouncer that scours the Android Market for malicious smartphone apps.

Read the comments on this post

0
Your rating: None