Posts Tagged ‘Malware’


Today almost all household and commercial environments are equipped with Wi-Fi networks. The heart of such a network is the wireless access point. In households and small commercial environments, wireless routers play a larger role than standalone wireless access points. The bootstrap programs and instructions of these devices are stored in a special type of memory known as "firmware". Recently, researchers found malware in the wild that targets this memory on Linksys wireless routers and can replicate itself to similar devices. It does this by exploiting authentication bypass and code-execution vulnerabilities in the Linksys wireless routers. The malware, named 'The Moon', scans for other vulnerable devices to spread from router to router, and the researchers confirmed that the worm has already infected around 1,000 Linksys E1000, E1200, and E2400 routers.

To compromise the router, the malware remotely calls the Home Network Administration Protocol (HNAP), which allows identification, configuration and management of networking devices. The malware first requests the model and firmware version of the router using HNAP and, if the device is found to be vulnerable, sends a CGI script exploit to gain local command execution on the device. Linksys's parent company has confirmed that the HNAP implementation has a security flaw whose exploit code is publicly available on the Internet.

How dangerous this worm can be is still an open question.

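You can use the following command to check whether your device is vulnerable. Replace routerip with your router's address; the -e flag is only needed where echo does not interpret backslash escapes by default.

echo -e "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" | nc routerip 8080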

If you receive an XML HNAP reply, your device is likely to be vulnerable to the worm affecting Linksys devices, and preventive measures should be taken. Also keep an eye on the logs for ports 80 and 8080. Users are advised to disable Remote Administration on their device or to limit administration rights to a small number of trusted IP addresses.
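To make "an XML HNAP reply" concrete, here is an added example (not from the original post or from SANS) that classifies the bytes returned by the command above, for instance piped in on standard input. It assumes the reply carries ModelName and FirmwareVersion elements; the sample reply and its firmware value are constructed.

```python
import sys
import xml.etree.ElementTree as ET

AFFECTED_MODELS = {"E1000", "E1200", "E2400"}  # models named in the post

def classify_hnap_response(raw: bytes) -> dict:
    """Classify a raw HTTP response to 'GET /HNAP1/'."""
    result = {"hnap_exposed": False, "model": None,
              "firmware": None, "model_named_in_post": False}
    head, sep, body = raw.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0].split()
    if not sep or len(status) < 2 or status[1] != b"200":
        return result                  # no HTTP 200, so no HNAP reply
    start, end = body.find(b"<"), body.rfind(b">")
    if start < 0 or end < start:
        return result                  # body carries no markup at all
    xml = body[start:end + 1]
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        return result                  # do not expand entities sent by a device
    try:
        root = ET.fromstring(xml)
    except ET.ParseError:
        return result                  # e.g. an HTML login or error page
    # Match on local tag names so the XML namespace does not matter.
    fields = {el.tag.rsplit("}", 1)[-1]: (el.text or "").strip()
              for el in root.iter()}
    if "ModelName" not in fields and "FirmwareVersion" not in fields:
        return result                  # well-formed XML, but not device settings
    model = fields.get("ModelName")
    result.update(hnap_exposed=True, model=model,
                  firmware=fields.get("FirmwareVersion"),
                  model_named_in_post=(model or "").upper() in AFFECTED_MODELS)
    return result

# Constructed sample reply (not captured from a real router).
SAMPLE_HNAP = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n"
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    b'<GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">'
    b"<ModelName>E1200</ModelName><FirmwareVersion>0.0.0</FirmwareVersion>"
    b"</GetDeviceSettingsResponse></soap:Body></soap:Envelope>")

if __name__ == "__main__":
    print(classify_hnap_response(sys.stdin.buffer.read()))
```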

Source : THN, SANS


Cyber criminals are taking advantage of the widespread popularity of the mobile messaging app 'WhatsApp'. A malware expert at Kaspersky Lab revealed a large-scale spamming campaign, advertising a fake PC version of WhatsApp, to spread a banking trojan.

According to the report, unsuspecting users received an email written in Portuguese. It also tries to deceive the recipient with a social engineering tactic: the malicious email claims that the victim already has 11 pending friend invitations.

If users click on the "Baixar Agora" (Download Now) link in the spam email, they will be redirected to a Hightail.com URL to download the Trojan. Hightail is a cloud storage service; the malicious component deployed on it then downloads the malware via a server in Brazil.

The file stored on the Hightail server looks like a 64-bit installation file bundled with a 2.5 megabyte MP3 file. According to the VirusTotal engine, only 3 out of 49 anti-malware products are able to detect it.

“This Downloader has some anti-debugging features like: UnhandledExceptionFilter() and RaiseException() and once running, it downloads a new Trojan that is banker itself. This time the malware comes from a server in Brazil and has a low VT detection 3 of 49. The recently downloaded banker has the icon of an mp3 file. Most users would click on it, especially after seeing it is about 2.5MB in its weight.”

During execution, the malicious code communicates with the command & control servers to provide infection statistics and a system console through the local port 1157. The malware sends back the stolen information in the Oracle DB format. The malicious code is also able to download another payload onto the infected system.

There are some interesting points to consider:

• The technique used by the attacker could prove very effective in areas where the application is most used, i.e. Latin America and Europe. WhatsApp has more than 430 million users, with 30 million added in just the last month.

• Researchers identified a "classic style of a Brazilian-created malware" pattern; the malicious agent targeted the Brazilian population, which is much inclined to use WhatsApp. The language used and the fact that the Trojan is downloaded from a Brazilian server confirm the hypothesis.

This isn't the first spam email campaign to abuse the WhatsApp brand; cyber criminals leveraged the service this past November to push malware via email by tricking users into thinking they had a new voicemail message.

Source : THN

Microsoft has announced the Windows XP end of support date of April 8, 2014. After this date, Windows XP will no longer be a supported operating system*. To help organizations complete their migrations, Microsoft will continue to provide updates to our antimalware signatures and engine for Windows XP users through July 14, 2015.

This does not affect the end-of-support date of Windows XP, or the supportability of Windows XP for other Microsoft products, which deliver and apply those signatures.

For enterprise customers, this applies to System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection and Windows Intune running on Windows XP. For consumers, this applies to Microsoft Security Essentials.

Our research shows that the effectiveness of antimalware solutions on out-of-support operating systems is limited. Running a well-protected solution starts with using modern software and hardware designed to help protect against today’s threat landscape.

Microsoft recommends best practices to protect your PC such as:

  • Using modern software that has advanced security technologies and is supported with regular security updates,
  • Regularly applying security updates for all software installed,
  • Running up-to-date anti-virus software.

Our goal is to provide great antimalware solutions for our consumer and business customers. We will continue to work with our customers and partners in doing so, and help our customers complete their migrations as Windows XP end of life approaches.

Source: Technet.com

As Windows 8 in conjunction with an antivirus solution can block rootkit-based malware via ELAM technology and the SafeBoot option stops bootkit interference, Trojans and worms are the most likely to work out of the box if not detected when they get copied on the computer.

With every new operating system release since Windows Vista, Microsoft has sought to preserve backwards compatibility with previous operating systems. This compatibility extends to malicious software that, ever since the introduction of User Account Control, has been designed to run in user-accessible locations such as the temporary folder, the Application Data directory or even the Desktop and the Downloads folders.

The test on Windows 8 confirmed that most Trojans, once they reach the PC, can run without any compatibility issues. Among the most dangerous applications that ran smoothly on Windows 8 were backdoors and password-stealing applications.

Source : http://www.hotforsecurity.com

A new cyber surveillance virus has been found in the Middle East that can spy on banking transactions and steal logins and passwords, according to Kaspersky Lab, a leading computer security firm.

After Stuxnet, Duqu, and Flame, this one seems to mainly spy on computer users in Lebanon. It’s been dubbed Gauss (although Germanic-linguistic purists will no doubt be complaining that it should be written Gauß).

Gauss is a complex, highly modular cyber-espionage toolkit that supports new functions, which can be deployed remotely by the operators in the form of plugins. The currently known plugins perform the following functions:

  • Intercept browser cookies and passwords.
  • Harvest and send system configuration data to attackers.
  • Infect USB sticks with a data stealing module.
  • List the content of the system drives and folders.
  • Steal credentials for various banking systems in the Middle East.
  • Hijack account information for social network, email and IM accounts.

The researchers at Russia-based Kaspersky Labs who discovered it have christened it Gauss, and say it is aimed at pinching the pocketbooks of its intended targets, whoever they may be, by stealing account information of customers of certain banks in Lebanon, but also customers of Citibank and of PayPal.

An analysis of the new malicious software shows it was designed to steal data from Lebanese lenders including the Bank of Beirut (BOB), BomBank and Byblos Bank, Kaspersky said. Gauss has infected 2,500 machines, while Flame hit about 700.

Two groups, Russia-based Kaspersky Labs, which first published information on Gauss and Flame, and the Hungarian research lab CrySyS, are detecting the malware by looking for a font called Palida Narrow that shows up on infected machines. Roel Schouwenberg, senior researcher at Kaspersky Labs, said that researchers still don't know why Gauss's creators included the font file.

[Figure: relationship between Flame, Gauss, Stuxnet and Duqu]

One of the firm’s top researchers said Gauss also contains a module known as “Godel” that may include a Stuxnet-like weapon for attacking industrial control systems. Kaspersky researchers said Gauss contained a “warhead” that seeks a very specific computer system with no Internet connection and installs itself only if it finds one.

Security researchers working for F-Secure have found a web exploit that detects the operating system of the computer and drops a different trojan to match. The attack was first seen on a Colombian transport website which had been hacked by a third party. This malware is known as GetShell.A and requires users to approve a Java applet installation.

It detects whether you're running Windows, Mac OS X, or Linux, and then downloads the corresponding malware for your platform. The malicious files developed for each type of OS connect to the same Command & Control server, which F-Secure has located at IP address 186.87.69.249.

Karmina Aquino, a senior analyst with F-Secure said “All three files for the three different platforms behave the same way. They all connect to 186.87.69.249 to get additional code to execute. The ports are 8080, 8081, and 8082 for OSX, Linux and Windows, respectively.”

The Windows one sends the following information back to the remote attacker: CPU details, disk details, memory usage, OS version, and user name. The Trojan can also download a file and execute it, or open a shell to receive commands. 'Graviton' is a combination of pure 'C' and 'asm'.
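The address and per-platform ports quoted above can be turned into a quick triage of outbound firewall logs. This is an added example, not F-Secure's tooling: it assumes key=value log lines in the style of the Linux netfilter LOG target, and the sample lines (hosts, times, source ports) are constructed.

```python
import re
from collections import defaultdict

C2_IP = "186.87.69.249"  # C&C address given in the post
PORT_TO_VARIANT = {8080: "OSX", 8081: "Linux", 8082: "Windows"}  # per the quote
# Assumed log format: key=value fields as written by the netfilter LOG target.
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def find_c2_contacts(lines):
    """Map each source host to the variant(s) its traffic to the C&C implies."""
    hits = defaultdict(set)
    for line in lines:
        f = dict(FIELD.findall(line))
        # Exact match on the destination: look-alike addresses are skipped.
        if f.get("DST") != C2_IP or f.get("PROTO") != "TCP":
            continue
        dpt = f.get("DPT", "")
        port = int(dpt) if dpt.isdigit() else None
        # A port outside the quoted three is still worth reporting.
        label = PORT_TO_VARIANT.get(port, f"unlisted port {dpt or '?'}")
        hits[f.get("SRC", "unknown")].add(label)
    return {src: sorted(labels) for src, labels in hits.items()}

# Constructed firewall log lines (not from a real network).
SAMPLE_LOG = [
    "Jul 10 09:14:02 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=186.87.69.249 PROTO=TCP SPT=49211 DPT=8082",
    "Jul 10 09:14:09 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=186.87.69.249 PROTO=TCP SPT=51002 DPT=8080",
    "Jul 10 09:15:30 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.7 PROTO=TCP SPT=51010 DPT=8080",
    "Jul 10 09:16:11 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=186.87.69.249 PROTO=TCP SPT=49230 DPT=8082",
    "Jul 10 09:17:45 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.51 DST=186.87.69.249 PROTO=TCP SPT=40112 DPT=443",
    "Jul 10 09:18:02 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.60 DST=186.87.69.24 PROTO=TCP SPT=40200 DPT=8081",
]

if __name__ == "__main__":
    for host, variants in sorted(find_c2_contacts(SAMPLE_LOG).items()):
        print(host, "->", ", ".join(variants))
```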

Results of the latest comparative test illustrating the level of protection against bankers, data stealers and other financially motivated malware. The test also included the specialized business solution Trusteer Rapport, designed to protect communication channels between banks and clients and not providing protection from other types of threats.