Computer Viruses, Anti Virus Programs, Cleaners, Tools and News

Cybercrooks siphon $800,000 from US fuel distribution firm

v2r — Fri, 24 May 2013 16:49:52 +0000

Thieves drained $800,000 from a fuel distribution company in the US state of North Carolina earlier this month - a loss that the company attributes to its bank's having recently upgraded security systems. Unfortunately, its insurance policy won't come close to covering its losses.

Worm Creates Copies in Password-Protected Archived Files

v2r — Fri, 24 May 2013 16:33:18 +0000

Typically users archive file to lump several files together into a single file for convenience or to simply save storage space. However, we uncovered a worm that creates copies of itself even on password-protected archived files.

We acquired a sample of a worm (detected as WORM_PIZZER.A) that propagates using a particular WINRAR command line (see below). Once executed, this enables WORM_PIZZER.A to create copy of itself in archived files, particularly in .ZIP, .RAR and .RAR FX files. The worm does not harvest passwords from these archive files. The said command line is normal, in which a user can add file onto archived files so long as their system is installed with WINRAR. However, the malware abuses this to add copies of itself onto such files.

Figure 1. WINRAR command file

During our testing, this worm was downloaded by WORM_SWYSINN.SM from a particular site.

This technique is reminiscent of WORM_PROLACO variants seen in 2010, in which variants were seen to archive certain .EXE files together with a copy of itself. But what makes WORM_PIZZER.A interesting is its clever way of creating copies of itself in archived files, even on password-protected ones. Unsuspecting users who extract these archived files would have no idea that they already contain this worm, thus likely to execute the malware along with their other files.

Figure 2. WORM_PIZZER.A copy (bot.exe) in an archived file

Trend Micro detects and deletes WORM_PIZZER.A if found and also blocks access to the site hosting the said malware.

The first half of the year 2013 is shaping up to be a year of rehash, with dated threats like ZBOT, CARBERP, and GAMARUE using new techniques to evade detection or at least stealthier ways to slip into user’s system unnoticed. WORM_PIZZER.A is no different from this flock of repackaged threats. Because of the protective measure archived files afford, users might be too complacent in extracting and executing these files – providing the perfect cover up to propagate in an infected system.

For protection, users must observe best computing practices, which include avoiding visiting unknown sites, and downloading files from unverified email messages. Because the malware can create copies of itself on archived files, users must be extra cautious in executing such files.

We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

With additional insights Threat researchers from Dexter To and Joseph Jiongco.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Worm Creates Copies in Password-Protected Archived Files

Vermont slaps patent troll with first-ever suit of its kind

v2r — Fri, 24 May 2013 14:09:49 +0000

Vermont's State Governor has signed the United States' first-ever anti-patent trolling law. Which could be bad news for the patent troll who sent thousands of letters demanding payment from small businesses who - get this - used scanners.

Tax Returns: Slovakian spyware campaign

v2r — Fri, 24 May 2013 12:08:10 +0000

ESET’s Security Research Lab has been monitoring a malware-spreading campaign based around the March deadline for tax returns in Slovakia. Whilst this was mostly a local attack, the case demonstrates how effective and dangerous such social engineering attacks can be in general when trending topics, or other credibility-adding-tricks, are used.

The Spreading Campaigns

The attack vector in the two campaigns that we discovered were e-mails purporting to be from the Slovak Tax Office (equivalent to the Internal Revenue Service in the US, or the UK’s HM Revenue and Customs). Screenshots of the HTML-formatted e-mails used are shown below.

The translated subject of the emails read: Notification of real estate tax changes and the text, written in proper Slovak, states that payment instructions are to be found in the included attachment. It is interesting to note that this social engineering approach was made more credible by the fact that each taxable entity in the Slovak Republic must use a unique bank account for tax payment. The attacker was not just fluent in Slovak but also well-enough acquainted with local tax legislation to devise such a believable scam.

The attacker modified the delivery method slightly in between the two spam campaigns, but the malware served up in the campaign remained the same.

The first wave of emails offered the “attachments” as download links (on a popular file-sharing service) to one of two files, each in a different format: an RTF file that masqueraded as a Microsoft Word document or an executable file. The RTF file contained an exploitation of CVE-2010-3333 which, if successful, also delivered the malicious executable. The good news was that, according to the file-sharing download statistics, the success rate of the exploit downloading the malware was less than 10%. Unfortunately, many people still opted to download the executable directly from the second (backup) link in the email, perhaps after seeing a garbled-looking document.

The second campaign was more straightforward and, according to download statistics, more successful. The hypertext link in the email pointed to an executable file (with a .SCR extension), without explicitly mentioning the file format.

The Malware

The malware used in these attacks was an ordinary credentials-stealing Trojan, which was already detected prior to these campaigns. ESET’s software detects it as Win32/Sazoora.A.

Win32/Sazoora.A is designed to steal a victim’s logon credentials from web browsers. Specifically, the Trojan contains libraries for injecting into Internet Explorer, Mozilla Firefox or Google Chrome. Win32/Sazoora implements several data-stealing techniques:

Intercept any information entered into HTML forms in the aforementioned browsers
Extract stored credentials from the browsers
Inject fraudulent HTML code into webpages in order to steal credit-card related data

The stolen data is then periodically sent to a remote server (the URLs of which are hard-coded in the binary). The following screenshots show the HTML web-injects used to lure the victim into entering his credit-card credentials.

The last screenshot – of a payment form for Microsoft Windows Updates – is particularly interesting. Note that none of the above mentioned techniques are novel at all, and are commonly used by banking Trojans such as the infamous Zeus and SpyEye families. But unlike those families, Win32/Sazoora.A features configuration options that are less dynamic as regards both the Command & Control server addresses and the web-inject HTML hard-coded in the analyzed binary.

ESET LiveGrid® detection rates for Win32/Sazoora indicate that the Trojan was mostly seen in Slovakia (over 60% of all detections), undoubtedly as a result of these campaigns. The country with the second highest number of detections is Switzerland, but it is important to note that Sazoora is a generic information stealing Trojan, not customized in the Slovak attacks in any way, except for the C&C server address, so the Swiss detections may just indicate that the actual author of the malware has sold it to multiple clients.

The Victims

Our telemetry indicates that many of the targets successfully infected through malware-spreading emails weren’t accidental or purely random. The emails were mass distributed using a generic list of hopefully-Slovak e-mail addresses. And as it turned out, some of the victims identified so far include physicians, accountants and several institutions. These were considerably more likely to click on the links, as the content of the e-mail was relevant to their profession (and also the upcoming tax deadlines made it even more likely for them to check the content).

We have also performed a detailed analysis of one victim’s infected computer at their request after they noticed suspicious activity relating to their bank account. It turned out that they received one of the aforementioned emails, were infected by Win32/Sazoora.A and had their online banking credentials stolen. The most interesting thing about this infection, however, was the fact that the attacker was prevented from stealing any money from the victim’s account by the bank account’s grid-card protection, a kind of multifactor authentication. The attacker then sent the victim a phishing email passed off as some kind of client verification by the bank, in which they asked for a specified code from the grid-card. The victim was not fooled by this attempt.

Other victims may not have been so fortunate. This case again confirms the necessity for employee education with regard to phishing (and information security in general), especially when the employees handle sensitive corporate or customer data.

Kudos to Peter Košinár, David Gabriš and Miro Babiš for their work on the case.

The post Tax Returns: Slovakian spyware campaign appeared first on We Live Security.

Twitter’s 2FA: SMS Double-Duty

v2r — Fri, 24 May 2013 11:37:53 +0000

Twitter introduced multi-factor login verification on Wednesday. Good news? Well… that depends.

Twitter's initial implementation of two-factor authentication (2FA) relies on SMS.

But… Twitter also uses SMS as a way to send and receive Tweets (making use of SMS for double-duty: social and security). It's possible to "STOP" incoming Tweets via SMS, and that makes sense, because people sometimes end up roaming unexpectedly — and there needs to be a way to stop the SMS feature. Otherwise it could generate a costly bill.

Unfortunately, an attacker could use SMS spoofing to disable 2FA if he knows the target's phone number.

We've done some testing.

The STOP command removes the phone number from the account — and that in turn disables Twitter's 2FA.

Not great.

But there's an even worse possibility at the moment.

If you don't yet have 2FA enabled, an attacker who gains access to your account via spear phishing could enable it for himself!

All that's required is random phone number and SMS spoofing the word "GO".

Then the attacker can enable the account's 2FA.

Then send a message. (The message doesn't contain a confirmation code, so it isn't really needed.)

And then click "Yes".

That's it.

No confirmation code is needed to add a number. (Confirmation is required to change the account's associated e-mail address.)

This is what the victim will see — even if they reset the account's password.

The victim will be locked out, and cannot recover the account without Twitter's support.

So… perhaps you should enable your account's 2FA — before somebody else does it for you.

Fortunately, the majority of Twitter users aren't big targets. Unfortunately, accounts such as @AP are. And Twitter's SMS-based 2FA could be more harm than help when the use case is a dedicated attacker.

Twitter's blog post says "this feature has cleared the way for us to deliver more account security enhancements in the future."

Let's hope so.

On 24/05/13 At 12:40 PM

Mac Spyware Bait: Lebenslauf für Praktitkum

v2r — Fri, 24 May 2013 11:37:53 +0000

As a follow up to yesterday's Kumar in the Mac post… have you received e-mail attachments such as this?

Attachments:

  •  Christmas_Card.app.zip
  •  Content_for_Article.app.zip
  •  Content_of_article_for_[NAME REMOVED].app.zip
  •  Interview_Venue_and_Questions.zip
  •  Lebenslauf_für_Praktitkum.zip (Translates as: CV for Internship.)

If so, you may be the target of a spear phishing campaign designed to install a spyware on your Mac.

Here's a list of binaries signed by Apple Developer "Rajinder Kumar".

Detected as Trojan-Spy:OSX/HackBack.B:

  •  1eedde872cc14492b2e6570229c0f9bc54b3f258
  •  6737d668487000207ce6522ea2b32c7e0bd0b7cb
  •  a2b8e636eb4930e4bdd3a6c05348da3205b5e8e0
  •  505e2e25909710a96739ba16b99201cc60521af9
  •  45a4b01ef316fa79c638cb8c28d288996fd9b95a
  •  290898b23a85bcd7747589d6f072a844e11eec65 — mentioned in yesterday's post.

Detected as Backdoor:OSX/KitM.A (includes screenshot feature):

  •  4395a2da164e09721700815ea3f816cddb9d676e

Though the spear phishing payloads are not particularly "sophisticated", the campaign's use of German localization and the target's name (removed in the example above) does indicate the attackers have done some homework.

Be vigilant.

More information:
Mac Spyware Found at Oslo Freedom Forum
Big Hangover

On 23/05/13 At 10:12 AM

Mac Spyware: OSX/KitM (Kumar in the Mac)

v2r — Fri, 24 May 2013 11:37:53 +0000

There's another case of Backdoor:OSX/KitM.A in the wild.

A German-based investigator reached out to us yesterday regarding OSX/KitM. (We wrote about it last week.) KitM stands for "Kumar in the Mac", which is our designation for spyware — related to OSX/Filesteal a.k.a. OSX/HackBack — that is signed using an Apple Developer ID in the name of Rajinder Kumar. The Developer ID has since been revoked by Apple.

This latest version of OSX/KitM used a Romanian C&C server called liveapple.eu during the period of attack, December 2012 to early February 2013. The spear phishing used an attachment called Christmas_Card.app.zip. (Remember, the attack started in December.)

So, that brings us to this bit of advice for those of you who might be targets.

This is the default "Gatekeeper" security setting:

Mac App Store and identified developers

This is the setting that you want, unless you're actively installing software:

Mac App Store

This is the prompt that results when OSX/KitM attempts to install with the stricter setting:

If you're running OS X Mountain Lion or Lion v10.7.5 — adjust your settings as an extra layer of precaution.

SHA1: 290898b23a85bcd7747589d6f072a844e11eec65

On 22/05/13 At 12:45 PM

Big Hangover

v2r — Fri, 24 May 2013 11:37:53 +0000

The Mac spyware discovered at the Oslo Freedom Forum last week is apparently connected to larger espionage efforts — and those efforts look to be connected to India.

Yesterday, the folks from Norman released their Hangover Report.

HANGOVER REPORT (tot.114pg): Indian APT group hacked Telenor, others; related to the MacOS trojans found at OFF blogs.norman.com/2013/security-…
— Snorre Fagerland (@SnorreFagerland) May 20, 2013

Snorre Fagerland has confirmed a connection to the C&Cs used by Backdoor:OSX/KitM.A.

Also related, from the folks at ESET: Targeted information stealing attacks in South Asia use email, signed binaries

Apple has reportedly revoked the Developer ID used by KitM.A.

On 21/05/13 At 01:35 PM

BBC News: LulzSec Hacker Interview

v2r — Fri, 24 May 2013 11:37:53 +0000

BBC News has a 13 minute report that's worth a view.

LulzSec hacker: 'Internet is a world devoid of empathy'

On 17/05/13 At 12:54 PM

Mac Spyware Found at Oslo Freedom Forum

v2r — Fri, 24 May 2013 11:37:53 +0000

The Oslo Freedom Forum is an annual event "exploring how best to challenge authoritarianism and promote free and open societies." This year's conference (which took place May 13-15) had a workshop for freedom of speech activists on how to secure their devices against government monitoring. During the workshop, Jacob Appelbaum actually discovered a new and previously unknown backdoor on an African activist's Mac.

Our Mac analyst (Brod) is currently investigating the sample.

It's signed with an Apple Developer ID.

The launch point:

It dumps screenshots into a folder called MacApp:

Functions:

There are two C&C servers related to this sample:

securitytable.org

docsforum.info

One C&C doesn't currently resolve, and the other:

Forbidden

Our detection is called: Backdoor:OSX/KitM.A. (SHA1: 4395a2da164e09721700815ea3f816cddb9d676e)

On 16/05/13 At 12:29 PM