Showing posts with label malware.

Wednesday, 23 September 2015

Poker Players Targeted By Card-Watching Malware


Malware Targets Popular Online Poker Sites

Malware researchers at the security firm ESET have come across a new Trojan designed to cheat at online poker by sneaking a look at the cards of infected opponents. According to ESET researcher Robert Lipovsky, the malware targets PokerStars and Full Tilt Poker, two of the most popular online poker sites.

In his recent blog post he describes a simple scheme: once a victim's machine is infected with the Trojan, the attacker joins the table at which the victim is playing and plays with an unfair advantage, knowing the cards in the victim's hand.

The malware, Win32/Spy.Odlanor, masquerades as a benign installer for general-purpose programs such as Daemon Tools or mTorrent. Lipovsky notes that people typically get infected while downloading such a utility from an unofficial source.

In other cases it is bundled with poker-related programs, including poker player databases and poker calculators such as Tournament Shark, Smart Buddy, Poker Calculator Pro and Poker Office.

Hides in Software Meant to Improve Play

According to the firm that discovered it, the Trojan has been found lurking in software built to help poker fans play better. Newer versions also go after other valuable information on the victim's computer, such as login names and passwords.

Once a system is infected, the spyware watches activity on the PC and springs into action when the victim logs in to either of the two poker clients. It then takes screenshots of the poker window, including the cards the victim is holding, and sends those screenshots to the attackers.

Lipovsky notes that the attacker retrieves the screenshots later; they reveal not only the infected opponent's hand but also their player ID. Both targeted sites allow searching for players by player ID, so the attacker can easily find the victim's table and sit down at it.

Largest Number of Detections – Eastern European Countries

Knowing the victim's hand gives the attacker a significant edge. Lipovsky writes that it is unclear whether the attacker plays the games manually or in some automated way. ESET found the Windows malware lurking in well-known file-sharing applications, PC utilities and several widely used poker calculators and player databases.

Lipovsky writes that the spyware has been active for several months and that most detections came from Eastern European countries; the Trojan is nevertheless a potential threat to any online poker player.

Most of the victims were in the Czech Republic, Poland and Hungary. ESET found several versions of the malware, the earliest dating back to March 2015. To make matters worse, newer versions also carry "general-purpose data-stealing functions", capable of siphoning saved passwords from several web browsers. As of 16 September, several hundred users had been infected with Win32/Spy.Odlanor.

Tuesday, 14 July 2015

New Android Malware Sprouting Like Weeds

If you own an Android device and want to minimise the risk of malware infection, avoid discount app stores. Andy Hayter, security evangelist at G Data, advises: "It's recommended not to download apps from unknown app stores, but if you really trust them personally then you can go ahead." He adds that users should install a malware scanner and, before installing any app, check the permissions it requests (shown at install time and under the device's settings).

According to the latest report from G Data Security Labs, the data stored on Android smartphones and tablets is exposed to more than 4,950 new malware files every day. Cybercriminals have taken a growing interest in Android over the past few years; as Hayter puts it, Android devices are the bigger, easier and most profitable target compared with other platforms. G Data Security Labs predicts that more than 2 million new Android malware samples will surface in 2015.

Is it just starting? 

Android is a derivative of Linux, an operating system generally regarded as less targeted by malware and viruses. For Android devices the reality is quite different: the platform is less secure and less rigorously controlled than other mobile platforms, according to Rob Enderle, principal analyst at the Enderle Group.

The latest reports, and G Data's 2 million figure, are realistic because a large number of users now shop and bank from Android devices. Android also holds a larger market share than iOS and Windows Phone, which is why cybercriminals, malware authors and security researchers alike focus on it. Even after Google introduced premium-SMS checks last year, malware families kept spreading at a faster pace.

Android malware and cybercriminals:

Browsing Google Play you will find both paid and free apps, and as ordinary users we tend to install the free ones. A developer of free apps depends on advertising to fund further development; malicious apps, however, hide their real behaviour in the background. G Data Security Labs reports that malware has become a financial foundation for cybercriminals: more than 50 per cent of the Android malware it analysed is financially motivated, whether SMS Trojans, online-shopping Trojans, banking Trojans or other such components.

In Europe 41 per cent of consumers, and in the US 50 per cent, use a smartphone or tablet for banking, and 78 per cent of internet users make purchases from a smartphone or tablet. Malware on such a device can install further apps, steal personal information, or harvest credit card and other financial data for later abuse.
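Hayter's advice to check an app's permissions before installing it can be turned into a small triage script. The following is an added example, not code from G Data or from this post: it reads a decoded AndroidManifest.xml (or the output of `aapt dump permissions app.apk`) and rates the app by the permission combinations that the SMS, shopping and banking Trojans described above rely on. The permission groupings and the two sample manifests are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not G Data's or the page's own code): a pre-install triage
# of the permissions an Android app asks for. Input on stdin is either the
# decoded AndroidManifest.xml (e.g. from apktool) or the output of
# `aapt dump permissions app.apk`; only the permission names matter.
# The risk groupings below are this example's own assumptions, chosen to
# match the SMS, shopping and banking Trojan categories described above.
LC_ALL=C
export LC_ALL

# Permissions that let an app send or read SMS: what premium-rate SMS
# Trojans need, and what banking Trojans use to intercept mTAN codes.
SMS_PERMS='SEND_SMS RECEIVE_SMS READ_SMS WRITE_SMS RECEIVE_MMS'
# Permissions that give an app a quiet foothold: start at boot, draw over
# other apps (the banking-Trojan overlay trick), install packages, or get
# accessibility / device-admin powers.
FOOTHOLD_PERMS='RECEIVE_BOOT_COMPLETED SYSTEM_ALERT_WINDOW INSTALL_PACKAGES REQUEST_INSTALL_PACKAGES BIND_ACCESSIBILITY_SERVICE BIND_DEVICE_ADMIN'

# extract_perms: stdin -> one bare permission name per line, de-duplicated.
extract_perms() {
    grep -o 'android\.permission\.[A-Z_]*' | sed 's/^android\.permission\.//' | sort -u
}

# triage_perms: stdin -> "<VERDICT> sms=<n> foothold=<n> internet=<0|1>".
triage_perms() {
    sms=0; foothold=0; net=0
    for p in $(extract_perms); do
        case " $SMS_PERMS " in *" $p "*) sms=$((sms + 1)) ;; esac
        case " $FOOTHOLD_PERMS " in *" $p "*) foothold=$((foothold + 1)) ;; esac
        [ "$p" = INTERNET ] && net=1
    done
    verdict=OK
    if [ "$sms" -gt 0 ] && [ "$net" -eq 1 ]; then
        # SMS access plus a network path out is the profile of a Trojan that
        # forwards intercepted messages or bills the victim via premium numbers.
        verdict=HIGH
    elif [ "$sms" -gt 0 ] || [ "$foothold" -gt 1 ]; then
        verdict=MEDIUM
    fi
    echo "$verdict sms=$sms foothold=$foothold internet=$net"
}

# Constructed manifests for this example: a "flashlight" app that asks for
# far more than a flashlight needs, and a benign notes app.
SUSPECT_MANIFEST='<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>'
BENIGN_MANIFEST='<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>'

printf '%s\n' "$SUSPECT_MANIFEST" | triage_perms   # HIGH sms=2 foothold=2 internet=1
printf '%s\n' "$BENIGN_MANIFEST" | triage_perms    # OK sms=0 foothold=0 internet=1
```

The verdict is deliberately coarse: a permission list says what an app may do, not what it does, so a HIGH result is a reason to look at the APK (or simply not install it), not a detection on its own. Conversely, modern Android malware increasingly abuses accessibility services rather than SMS permissions, which is why the foothold group is scored separately.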

Wednesday, 10 June 2015

Google’s Security News: Malware’s Down, and You’re Heeding More of Its Warnings

Google's security product manager defines the company's success in one word: invisibility. Speaking at Google I/O in a half-hour session called the Second annual Google Security update at I/O, Stephan Somogyi held up a blank browser window as the outcome Google is aiming for: the user sees nothing, because nothing got through. He used the session to give some insight into the state of online security.

Phishing and Malware Sites: 

He gave more detail on the company's Safe Browsing service, which he described as a collection of systems that hunt down badness across the net. It protects people who search with Google or browse with Chrome, Safari or Firefox, a reach of some 1.1 billion people.

According to the figures the company released, malware sites are no longer the main problem; phishing sites, which trick users into entering passwords and financial details, are growing in number.

During the last week of May, Safe Browsing detected about 14,977 malware sites and 33,571 phishing sites. Malware sites have dropped sharply while phishing sites have risen even more sharply. Somogyi credited the improved security of operating systems across all kinds of devices: with malware harder to deliver, attackers are increasingly turning to phishing sites and to attacks on application software.

The much needed push for encryption: 

Google has been among the first companies to advocate encryption to keep people from snooping on users online. The push accelerated after Edward Snowden's revelations that the NSA had been eavesdropping on Google's traffic for some time. Somogyi also voiced frustration at the effort it has taken to get other email providers to adopt TLS (Transport Layer Security) encryption for mail in transit, which stops third parties from reading messages as they travel between providers. (TLS between mail servers protects only that hop; each provider still handles the message in the clear on its own systems.)

The company hopes to reach the larger companies that send email and find out why they have not implemented TLS, but it does not want to resort to public shaming.

It is therefore not disclosing the names of the companies that still have not deployed TLS. Compared with email TLS, Google has had far more success in encouraging websites to adopt HTTPS, which secures a user's entire visit to a site. The company says it is making every effort to ensure that users can feel safe online.

Tuesday, 2 September 2014

25000 Co-opted Linux Servers Drop Malware, Spread Spam and Steal Credentials

The security company ESET has released a new report, Operation Windigo – The vivisection of a large Linux server-side credential stealing malware campaign, a joint effort by ESET, CERT-Bund, SNIC and CERN.

Over the past two years ESET has recorded around 25,000 malware-infected servers, which have been put to several uses:
  • Spam operations (averaging 35 million spam messages every day)
  • Infecting site visitors' computers via drive-by exploits
  • Redirecting visitors to malicious websites
The report names two well-known organisations among the victims of Windigo. The operation, which began in 2011 and is ongoing, has hit high-profile servers and companies such as cPanel and the Linux Foundation.

Easier with Single-Factor Logins:

All the infected Linux servers had one thing in common: they were running Linux/Ebury, a malware that provides a root backdoor shell and steals SSH credentials. The report notes that no vulnerability in the Linux servers was exploited; only stolen credentials were leveraged. That goes some way to explaining the compromises, since a well-maintained Linux server offers little else to attack.

Getting access to the credentials:

The question for Linux users is how the attackers obtained the credentials, logged in and ultimately installed the malware.

Pierre-Marc Bureau, ESET's security intelligence program manager, provides the answer: it takes only one compromised server in a network to make the rest easier. Once the attackers have root, they install Linux/Ebury on the compromised server and begin harvesting SSH login credentials, both from users logging in to it and from outgoing SSH connections made from it. With each set of additional credentials, the attackers look for other servers in that network that they can compromise.

Additional Malware: 

As mentioned above, the infected servers take part in spam campaigns, redirect visitors to malicious websites or, in the case of vulnerable computers, push malware to the visitor's machine. To do this the attackers install additional malware on the servers:

  • Linux/Cdorked: a backdoored HTTP server that provides a shell and distributes Windows malware to end users via drive-by downloads.
  • Linux/Onimiki: a malicious DNS server that resolves domain names matching a particular pattern to any IP address, without any further change to server-side configuration.
  • Perl/Calfbot: a lightweight spam bot written in Perl.

The Windigo report distinguishes two types of victim: Linux/Unix server operators, and end users who receive spam or visit a website hosted on a compromised server. For the latter, ESET confirmed that the compromised servers attempt to deliver the following Windows malware:
  • Win32/Boaxxe.G: a click-fraud malware.
  • Win32/Glupteba.M: a generic proxy that targets Windows computers.
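Because Ebury modifies the OpenSSH binaries on a server rather than exploiting a bug, the practical question for an operator is how to tell whether a given host is one of the 25,000. The script below is an added example, not code from the ESET report or this post: it wraps two of the host-side indicators ESET published for Linux/Ebury as functions, exercised here on constructed `ipcs -m` output (the file name `ebury_check.sh` and the sample segment values are assumptions), with a caveat on the first indicator that did not apply in 2014 but does today.

```shell
#!/bin/sh
# Added example, not code from the ESET/Windigo report or this page: two
# host-side indicators ESET published for Linux/Ebury, written as functions
# so the classification logic can be exercised on constructed output here
# and on a live host with `sh ebury_check.sh live` (file name assumed).

# Indicator 1. Ebury's trojanised OpenSSH binaries accepted an undocumented
# -G option, whereas genuine OpenSSH of the time rejected it with
# "illegal option" / "unknown option".
# Caveat: OpenSSH 6.8 (2015) added a legitimate -G flag, so on a modern host
# genuine ssh prints a usage line instead and this test alone says "suspect".
# Read "suspect" as "check the ssh version and package signature", not as
# proof of infection.
classify_ssh_g_output() {
    # $1: text captured with `ssh -G 2>&1`
    if printf '%s\n' "$1" | grep -q -e illegal -e unknown; then
        echo clean
    else
        echo suspect
    fi
}

# Indicator 2. Ebury keeps the credentials it harvests in a System V
# shared-memory segment that is world read/writable (perms 666) and a few
# megabytes in size. Input: output of `ipcs -m`; output: one
# "shmid owner bytes" line per segment matching that profile.
suspicious_shm() {
    # Data rows of `ipcs -m` begin with a hex key; header rows do not.
    awk '$1 ~ /^0x/ && $4 == "666" && $5 + 0 >= 3000000 { print $2, $3, $5 }'
}

run_live_checks() {
    echo "ssh -G indicator: $(classify_ssh_g_output "$(ssh -G 2>&1)")"
    echo "shared-memory segments matching the Ebury profile (shmid owner bytes):"
    ipcs -m 2>/dev/null | suspicious_shm
}

# Constructed `ipcs -m` output for this example: a web server and a
# PostgreSQL segment with ordinary permissions, and one root-owned 666
# segment of about 3 MB that matches the Ebury profile.
IPCS_SAMPLE='
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      www-data   600        33554432   2
0x00000000 65536      root       666        3282312    2
0x6c010002 98304      postgres   600        52436992   4
'

classify_ssh_g_output 'ssh: illegal option -- G'        # clean
printf '%s\n' "$IPCS_SAMPLE" | suspicious_shm            # 65536 root 3282312

case "${1:-}" in live) run_live_checks ;; esac
```

A hit on the shared-memory indicator should be followed up with `ipcs -m -p` to see which process created the segment, and any doubt about the ssh binary itself is best settled by verifying the installed package against the distribution's signatures (`rpm -V openssh-clients` or `debsums` for the openssh packages) rather than by the -G heuristic alone. Note also that a compromised host cannot be trusted to report on itself; run the checks from a clean boot medium or compare the binaries offline when the stakes are high.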

Monday, 7 April 2014

Android Oldboot B Malware, a Successor of Oldboot A

Android Oldboot B has been detected by Chinese researchers at 360 Mobile Security. It is an evolution of its predecessor Oldboot A and is, as of today, the most complex and sophisticated Android bootkit known, with millions of infected devices.

Its predecessor, Oldboot A, was detected in early 2014 by the Russian security firm Doctor Web; its principal capability is to re-infect the smartphone after a reboot even if the user has deleted all of its components. A bootkit is a category of malware that infects the host at start-up and can then perform malicious activities such as stealing data, communicating with a remote C&C server, encrypting the disk and removing applications from the victim's device. Oldboot B additionally implements new, advanced evasion techniques that prevent its removal by the main antivirus products and defeat automated analysis systems.

Oldboot silently injecting malicious modules

Besides silently installing apps in the background, Oldboot B can inject malicious modules into critical system processes, prevent apps from being uninstalled, disable or uninstall mobile antivirus software and modify the browser's homepage. Oldboot is a well-organised, large Trojan family in which every member has a clear division of labour; it was written by professional programmers, is promoted by some commercial companies and evolves constantly, so a dedicated tool is now needed to detect and defend against this bootkit effectively.

Once a user's Android device is infected, Oldboot B waits for commands sent by the C&C server, uses steganography to hide data in the files exchanged with the C&C, and installs various malicious applications on the device. Oldboot B consists of four principal components, which register themselves as services to ensure the persistence of the malicious code.

Evasion Capabilities – Meaningless Code and Random Behaviour

The first, boot_tst, is responsible for receiving and executing commands; it uses a remote-injection technique to load an SO file and a JAR file into system_server, the process that runs the Android system. The second, adb_server, replaces the Android system's pm script with itself; its main purpose is to prevent the malicious code from being uninstalled.

The third, meta_chk, silently downloads and installs the promoted Android apps in the background and can also open a backdoor for remote control. This component can also delete itself from disk, leaving only the injected code in memory, where antivirus software cannot find it because they are unable to perform memory scans on the Android platform. Finally, agentsysline runs in the background, receives commands from the C&C server and can delete specific files, enable or disable the network connection and uninstall antivirus software.

The evasion features that make Oldboot B hard to detect are these: it adds meaningless code and triggers some behaviours at random; it checks for a SIM card and withholds certain behaviour when none is present (a common sign of an analysis sandbox); and it checks for antivirus software and may uninstall it before doing anything malicious. To avoid Oldboot B, install apps only from official stores and avoid untrustworthy custom ROMs. If a device is infected, a free removal tool from 360 Mobile Security can be downloaded.
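Of the tricks listed above, the replacement of the system's pm script by adb_server is the one that leaves an easily checked trace on disk. The script below is an added example, not code from 360 Mobile Security or this post: it classifies a copy of /system/bin/pm pulled from a device, on the assumption (true for stock builds of the period, and for the newer `cmd package` wrapper) that the legitimate file is a tiny shell script with no commands beyond the wrapper. The sample files it writes, including the helper path in the trojanised sample, are constructed for the example.

```shell
#!/bin/sh
# Added example, not from 360 Mobile Security or this page: a check for the
# Oldboot B trick described above that leaves a visible trace on disk,
# adb_server replacing the system's pm script with itself. On stock Android
# /system/bin/pm is a tiny shell script (assumption: either the classic
# app_process wrapper or, on newer builds, a `cmd package` wrapper), so a
# binary or a script with extra commands at that path is a red flag.
# Pull the file with `adb pull /system/bin/pm` and pass the local path.

# classify_pm_script FILE -> "CLEAN" or "SUSPECT <reason>"
classify_pm_script() {
    # An ELF binary where a script is expected: the file was replaced outright.
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = 7f454c46 ]; then
        echo "SUSPECT elf-binary-where-script-expected"
        return 0
    fi
    if [ "$(head -n 1 "$1")" != '#!/system/bin/sh' ]; then
        echo "SUSPECT missing-shebang"
        return 0
    fi
    # Every non-comment line must be one of the known wrapper lines.
    extra=$(awk '
        /^#/ { next }                                     # shebang, comments
        /^[ \t]*$/ { next }                               # blank lines
        /^base=\/system$/ { next }
        /^export CLASSPATH=\$base\/framework\/pm\.jar$/ { next }
        /^exec app_process \$base\/bin com\.android\.commands\.pm\.Pm "\$@"$/ { next }
        /^cmd package "\$@"$/ { next }
        { print }' "$1")
    if [ -n "$extra" ]; then
        echo "SUSPECT unexpected-commands"
        return 0
    fi
    echo CLEAN
}

# Constructed samples for this example, written to temp files so the
# classifier reads them exactly as it would read a pulled pm.
GOOD_PM=$(mktemp); NEW_PM=$(mktemp); BAD_PM=$(mktemp); ELF_PM=$(mktemp)
trap 'rm -f "$GOOD_PM" "$NEW_PM" "$BAD_PM" "$ELF_PM"' EXIT

# Classic stock wrapper (Android 4.x era).
printf '%s\n' '#!/system/bin/sh' \
  '# Script to start "pm" on the device, which has a very rudimentary' \
  '# shell.' '#' 'base=/system' \
  'export CLASSPATH=$base/framework/pm.jar' \
  'exec app_process $base/bin com.android.commands.pm.Pm "$@"' > "$GOOD_PM"
# Newer stock wrapper.
printf '%s\n' '#!/system/bin/sh' 'cmd package "$@"' > "$NEW_PM"
# Trojanised script: still a working wrapper, but it first starts a hidden
# helper (path invented for the example).
printf '%s\n' '#!/system/bin/sh' 'base=/system' \
  '/system/xbin/.helper >/dev/null 2>&1 &' \
  'export CLASSPATH=$base/framework/pm.jar' \
  'exec app_process $base/bin com.android.commands.pm.Pm "$@"' > "$BAD_PM"
# The pm path now holds a native binary instead of a script.
printf '\177ELF\002\001\001' > "$ELF_PM"

for f in "$GOOD_PM" "$NEW_PM" "$BAD_PM" "$ELF_PM"; do classify_pm_script "$f"; done
# CLEAN / CLEAN / SUSPECT unexpected-commands / SUSPECT elf-binary-where-script-expected
```

Because Oldboot B also injects into system_server and can remove its own files, a clean pm script does not prove a clean device; this check only catches one component. It is also worth comparing the pulled file against the same path in the vendor's factory image, since some OEM builds ship a slightly different wrapper that this allow-list would report as unexpected.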

Wednesday, 7 August 2013

Tor confirms malicious code that grabbed user identification

Malicious code distributed through the web host Freedom Hosting served to identify Tor users; the Tor Project has now confirmed this. The code was injected through a vulnerability in Firefox. The Tor team's analysis, which became public only yesterday, confirms that the code identifies users of the Tor network and sends the information to a company that works with the intelligence community.

The exploit targets the Firefox 17.0.6 build shipped in the Tor Browser Bundle for Windows. The payload, now known as Magneto, collects the attacked computer's host name and MAC address and transmits them to an IP address hard-coded into the malware. That command-and-control address was traced to Science Applications International Corporation (SAIC), a contractor close to the FBI and the intelligence community, and the IP address was reported to belong to an autonomous system (AS) of the NSA.

Mozilla fixed the vulnerability in Firefox ESR 17.0.7 and Firefox 22.0 on 25 June 2013. Updated Firefox builds shipped the next day in Tor Browser Bundle 2.3.25-10 and 2.4.15-alpha-1, on 30 June 2013 in 3.0alpha2, and on 8 July 2013 in 2.4.15-beta-1. The vulnerability also exists in the Mac OS X and Linux builds, but the malware apparently targeted only Windows machines, the Tor team writes in its statement.

The Tor team assumes the attacker now holds a list of Tor users who used the hidden services of the web host Freedom Hosting. Freedom Hosting used Tor hidden services, among other things, to provide anonymous websites, including sites with child-abuse content; the host was also reported to have connections to the Silk Road online drug market. Meanwhile the Tor team urges users to update their Tor Browser Bundle and to disable JavaScript; future releases will offer an easy-to-use interface for configuring JavaScript. Since further vulnerabilities in Firefox, CSS or SVG handling are to be expected, users should also consider using a random MAC address, which is possible, for example, in virtual machines such as VirtualBox or VMware. The Tor team also advises using a firewall to block connections to command-and-control servers. As an alternative to Windows, the Tor developers recommend the Tails live distribution. The team also asks for help implementing sandboxes and virtualised solutions for the Tor Browser Bundle.