Antivirus Test conducted by Cyber Security & Privacy Foundation

Cyber Security & Privacy Foundation (CSPF) has members with more than 30 man-years of combined experience in the antivirus industry. Recently, in response to popular demand from its members, CSPF decided to test well-regarded antivirus products.

From the various antivirus products available, CSPF chose Avast antivirus and ESET NOD32 for testing.

Among the products tested, CSPF found ESET NOD32 best suited for the Indian environment. ESET NOD32 has also shown consistency in various international tests over the last few years.

To access the test report, follow this link:
http://securityresearch.cysecurity.org/?p=493

New Android malware 'Samsapo' spreads via Text Messages

If you get an SMS from a friend asking "is this your photo?" with a link, will you open the link or not? We want an honest answer. Most people will click the link.

If you do so, your device might get infected by a new type of Android worm!

Malware analysts from the security firm ESET have discovered an interesting piece of malware, called "Android/Samsapo.A", that spreads via text messages.

So far, the malware appears to be targeting Russian users. Once your device is infected with this worm, it attempts to send an SMS containing a link to the malware to everyone in your contact list, in an attempt to infect your friends.

Cybercriminals use the old social engineering trick to lure users into installing the malware. It sends a message that says "is this your photo?" in Russian (Это твои фото?) with a link to an Android application package (APK).

The malware is capable of downloading additional malicious files. It is also capable of stealing phone numbers, text messages, personal data and device information from the infected device. It doesn't stop with spying: it also registers the victim's number with premium-rate services, so victims lose money.

BJP website blocked for Pakistan over repeated hacking attacks

Repeated hacking attacks against Bharatiya Janata Party (BJP) websites have forced the authorities to block access to its official website from Pakistan.

"The owner of this website (bjp.org) has banned your IP address on the country or region you are accessing it from." This is the error currently displayed whenever someone tries to access bjp.org from Pakistan.

At the time of writing, the website of the BJP's PM candidate Narendra Modi (narendramodi.in) has also been blocked for Pakistan and shows an error message.

This move comes after Pakistani hackers targeted BJP-related websites, defacing BJP leader LK Advani's website and the Bihar BJP websites in the last two days.

The website can still be accessed by users from Pakistan by using proxies to mask their IP addresses. If the website were secure against all attacks, there would be no need for such a wide range of IP blocks except in cases of DDoS attacks, and even then only individual IPs usually need to be blocked.

Arvind Gupta, BJP IT Cell head, told Newsweek that the site had been blocked in Pakistan "automatically" as a security measure and that they had requested CERT-India to unblock the sites.

31 Security bugs fixed in Google Chrome 34

Google has announced the stable release of Chrome 34, an update bringing a number of fixes, functionality improvements and security updates.

In total, 31 security vulnerabilities have been patched in this latest version, 34.0.1847.116, including medium- and high-severity bugs.

The high-severity bugs are: UXSS in V8, OOB access in V8, integer overflow in the compositor, use-after-free in web workers, use-after-free in the DOM, memory corruption in V8, use-after-free in rendering, URL confusion with RTL characters and use-after-free in speech.

The medium-severity bugs include use-after-free in speech, OOB read with a window property and use-after-free in forms.

A total of $29,500 has been awarded to the researchers who reported these vulnerabilities.

Indian Election Commission-Google tie up may impact National Security


Thanks to our Indian Election Commission's tie-up with the US-based Internet giant Google, the NSA can now easily get the information of every Indian citizen.

According to the Times of India, Google and the Election Commission have entered into an agreement under which Google will help the EC manage online registration of new voters and facilitation services ahead of the 2014 elections.

Registered voters can check the address at which they are registered and get directions to the nearest polling station.

Cyber security experts say the EC's move will impact national security and democracy itself.

"It is shocking that in a country like India, which is called the world's software superpower, the Election Commission, instead of an Indian company, has chosen a foreign company like Google, which has colluded with American intelligence agencies like the NSA (National Security Agency) for global cyberspying, to provide electoral registration and facilitation services by providing them the whole database of registered voters in India," TOI quoted the Indian Infosec Consortium as saying.

The group said it poses a potential risk to India, as the data could possibly be misused by Google and US agencies for cyber espionage.

Rajsekhar Murthy, another member of the consortium, said the poll panel should have spoken to Indian companies such as Infosys or TCS before jumping into such a decision. "Cost wise it is not much," he said.

WoW players targeted with Fake version of Curse Client containing malware


Blizzard yesterday warned World of Warcraft (WoW) players about new malware disguised as the Curse client that attempts to hijack victims' accounts.

The fake version of the Curse client is served from a fake version of the Curse website. The fake website appears in the search results when users search for the Curse client in major search engines.

If you believe you are one of the victims, or want to make sure, you can download the updated Malwarebytes software. It currently detects and removes the malware in question.

If you are technically inclined, you can also follow the manual removal method posted by a user in the support forum.

On VirusTotal, 20 out of 48 antivirus engines detect the malware. However, some of the major antivirus products failed to detect it.

Users are always advised to download software from the official website or from trustworthy third-party websites such as Softpedia and CNET.

Exclusive: Most malware exploit kits run on vulnerable nginx servers


Bad guys always attempt to exploit vulnerabilities in victims' systems and infect them with malware. It's our turn: let us hack them back and break into their box.

The Malware Must Die (MMD) team has discovered that most malware exploit kit servers, malware redirection servers and malicious proxy servers are running vulnerable versions of the nginx server.

The team has released PoC code "that was coded & released in Full Disclosure by KingCope" that can be used to break into the malicious servers and gain access to them by exploiting the known vulnerabilities.

It can be found here: http://pastebin.com/eX69Db7B

The vulnerability allows security researchers to take control of the server and obtain the infection source code. In some cases, it also helps to track the cybercriminals.

Hackers penetrated the website of anti-abortion group "Youth Defence"


[Image: defaced page]
An unknown hacker has penetrated the website belonging to the Irish anti-abortion organisation "Youth Defence".

The hacker managed to replace the homepage with an article titled "This is not the hate-filled truth-distorting website you're looking for".

"Youth Defence is not what you think it is. Youth Defence is an extremist group who actively hide their links to shady right-wing connections and where their funding comes from. Let's blow the lid," the defacement message reads.

The hacker also posted a link to a file containing more than 5,600 email addresses, said to be those of the organisation's newsletter subscribers. No individual or group has claimed responsibility for the breach.

Following the security breach, Youth Defence has made a complaint to the Garda Síochána, as reported by the Irish Times.

Hacking the Hackers: Carberp Panel vulnerable to Remote Code Execution

The recent Carberp source code leak gave researchers an opportunity to investigate the bootkit and other components of the Trojan. While everyone is looking at the source code of the malicious parts, one security researcher took an interest in the panel's source code.

Steven K, a security researcher from France who runs the xylibox blog, has discovered two security vulnerabilities in the Carberp panel: IP spoofing and remote code execution.

Remote code execution is one of the most critical classes of security bug: it allows attackers to inject and execute commands on the vulnerable server.

[Image: vulnerable code]

The researcher found that the "data" parameter in the POST request is vulnerable to remote code execution. He also wrote proof-of-concept code to exploit the vulnerability.

He successfully exploited the bug and compromised the database username, password and auth key. The bug also allows an attacker to run the "wget" command to download a backdoor onto the server.

The code suggests that the cybercriminals behind the Carberp Trojan are not as good at secure web application coding as they are at malware coding.
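The article does not show the panel's code, so here is an added illustration of the bug class it describes (a POST parameter reaching a shell command), written for this page and not taken from the Carberp panel or from the researcher's proof of concept. The handler names, the use of "echo" as a harmless stand-in for the real command, and the allowlist are assumptions for the demo. The vulnerable form hands the parameter to /bin/sh; the hardened form validates it and passes it as a single argv element so no shell ever parses it.

```python
import subprocess

# Added example of a command-injection bug in a web handler (not the
# Carberp panel's code). "echo" stands in for whatever the real handler ran.

def handle_data_vulnerable(data: str) -> str:
    """Builds the command by string concatenation and runs it through the
    shell. Shell metacharacters in `data` (';', '&&', '$(...)') are
    interpreted by /bin/sh, so the request author decides what executes."""
    cmd = "echo " + data                      # user input glued into a shell line
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

# Assumed allowlist: the only characters a legitimate "data" value may contain.
ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.")

def handle_data_hardened(data: str) -> str:
    """Rejects anything outside a strict allowlist, then passes the value as
    one argv element. No shell is involved, so ';' or '$(' cannot be used to
    append a second command such as a wget download."""
    if not data or len(data) > 64 or not set(data) <= ALLOWED:
        raise ValueError("rejected parameter: %r" % data)
    result = subprocess.run(["echo", data], capture_output=True, text=True, check=True)
    return result.stdout

if __name__ == "__main__":
    crafted = "hello; echo INJECTED"          # constructed hostile parameter
    print("vulnerable ->", handle_data_vulnerable(crafted).strip())
    try:
        handle_data_hardened(crafted)
    except ValueError as err:
        print("hardened   ->", err)
```

Running the block shows the vulnerable handler printing both "hello" and "INJECTED" (the second command ran), while the hardened handler refuses the same input before anything executes. The allowlist is the important part; quoting with shlex.quote would also stop the injection, but an argv list plus validation removes the shell from the path entirely.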

Gamarue malware abuses SourceForge to host malicious files

 
SourceForge, one of the leading source code repositories, has been found to be abused by cybercriminals to host malicious files that are later used by the Gamarue malware.

In their malware analysis report, Trend Micro researchers said they found a new variant that downloads malicious components from the SourceForge website.

The report says the malicious files were hosted under a SourceForge project called "tradingfiles". The cybercriminal who created the project also created two other projects that were used to host Gamarue's malicious components: ldjfdkladf and stanteam.

Once it infects the victim's machine, the malware allows cybercriminals to control the system and use it to launch attacks on other victims. It is also designed to steal information.

The malware finds its way into the victim's system through infected USB drives or infected web pages that serve an exploit kit.

Handheld Malware Scanner made with Raspberry Pi


We learned earlier this year that US-based power plant systems were infected with malware after an employee used his infected USB drive to update software. Last year, the notorious Stuxnet worm was delivered to an Iranian nuclear plant on a USB stick.

We also learned last year that cybercriminals attempted to infiltrate the multinational chemicals firm DSM by leaving malware-loaded USB sticks in the company car park.

Notorious targeted malware such as Stuxnet and Flame contained code to propagate via USB flash drives. One employee inadvertently using an infected USB drive puts the entire system at risk.

To put an end to this and boost security, Icarus Labs, a private research lab under the Cyber Security & Privacy Foundation, has created a program that turns the Raspberry Pi, a small computer running Linux, into a handheld malware scanner.

Users plug in the USB drive that is to be scanned. It is said that the Pi will scan all the files on the drive and "check the signatures of 44 different antivirus providers to see if the file is malicious or not".

"This device can be deployed at entry points where it will be used to scan the USBs that are allowed in. This will prevent malicious software from getting in."

It is also said that once the program is started, no further maintenance is required. The device is designed in such a way that it can be used even by non-technical staff such as security guards.
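The core of such a scanner is walking every file on the mounted drive, hashing it and checking the digest against known-bad signatures. The following is an added example written for this page, not Icarus Labs' program: the multi-vendor lookup the article describes is replaced by a local set of SHA-256 digests so it runs offline, and the sample "drive" and its blocklist are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

# Added example: hash-blocklist scan of a mounted drive. Not Icarus Labs' code;
# the 44-vendor signature check is replaced by a local SHA-256 blocklist.

CHUNK = 1 << 20  # hash 1 MiB at a time so large files do not exhaust memory

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def scan_drive(mount_point, blocklist):
    """Walk every regular file under mount_point (symlinks are skipped so a
    crafted link cannot point the scanner elsewhere) and return
    (sorted [(relative_path, digest)] for blocklisted files, unreadable_count)."""
    hits, unreadable = [], 0
    for root, _dirs, files in os.walk(mount_point, followlinks=False):
        for name in files:
            full = os.path.join(root, name)
            if os.path.islink(full):
                continue
            try:
                digest = sha256_of(full)
            except OSError:
                unreadable += 1          # report, never silently skip
                continue
            if digest in blocklist:
                hits.append((os.path.relpath(full, mount_point), digest))
    return sorted(hits), unreadable

def make_sample_drive():
    """Constructed stand-in for a plugged-in USB drive: three files, one of
    which matches the constructed blocklist. Returns (mount_point, blocklist)."""
    mount = tempfile.mkdtemp(prefix="usb_")
    os.makedirs(os.path.join(mount, "docs"))
    bad_payload = b"MZ-constructed-sample-payload"   # not a real malware sample
    samples = {
        "readme.txt": b"quarterly report",
        os.path.join("docs", "notes.txt"): b"meeting notes",
        os.path.join("docs", "update.exe"): bad_payload,
    }
    for rel, content in samples.items():
        with open(os.path.join(mount, rel), "wb") as f:
            f.write(content)
    blocklist = {hashlib.sha256(bad_payload).hexdigest()}
    return mount, blocklist

if __name__ == "__main__":
    mount, blocklist = make_sample_drive()
    hits, unreadable = scan_drive(mount, blocklist)
    for rel, digest in hits:
        print("MALICIOUS:", rel, digest)
    print("unreadable files:", unreadable)
```

On a real Pi the mount point would be the auto-mounted USB path and the blocklist would be refreshed from the signature sources the article mentions; the walk, chunked hashing and explicit unreadable-file count stay the same. Hash matching only catches files already known, which is why the device's value lies in keeping the signature set current.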

New backdoor abuses Encrypting File System to prevent forensic analysis


New malware spotted by Symantec is said to use a new technique that abuses the Encrypting File System (EFS) to prevent security researchers from accessing the contents of its malicious files.

EFS is a feature of Windows that lets any file or folder be stored in encrypted form. The encryption is designed to protect confidential data from attackers, but it appears cybercriminals find it an ideal feature for protecting their own data.

According to Symantec's malware report, the malware creates a folder in the temp folder and then calls the EncryptFileW API to encrypt all of its folders and files. It then copies itself as wow.dll into the folder.

Since the files are encrypted with EFS, it is not possible for a security researcher to access wow.dll with the help of another OS, such as Linux loaded from a removable drive.

However, the researchers manually executed the threat on a test computer and gathered the contents of the malicious files.

The malware, currently detected as Backdoor.Tranwos by Symantec antivirus, is capable of downloading more malware onto the victim's system.
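A file that EncryptFileW has encrypted carries the NTFS attribute FILE_ATTRIBUTE_ENCRYPTED, which is unusual for anything living in a temp folder and is therefore a cheap triage signal. The following is an added helper written for this page, not Symantec's code: on Windows, os.stat() exposes the attribute bits as st_file_attributes, and the helper flags entries with the encrypted bit set. The sample attribute map is constructed, and the wow.dll name comes from the article.

```python
import os
import stat

# Added triage helper, not Symantec's code. FILE_ATTRIBUTE_ENCRYPTED is the
# bit EncryptFileW sets; Python's stat module defines the constant on every
# platform, while os.stat() only reports st_file_attributes on Windows.

def collect_attributes(root):
    """Map each file under root to its NTFS attribute bits (0 on platforms
    where os.stat() has no st_file_attributes). Symlinks are not followed."""
    attrs = {}
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            attrs[full] = getattr(st, "st_file_attributes", 0)
    return attrs

def flag_encrypted(attr_map, suffixes=(".dll", ".exe")):
    """Return the paths whose attributes include FILE_ATTRIBUTE_ENCRYPTED,
    executable-looking names first so they are examined before data files."""
    hits = [p for p, a in attr_map.items() if a & stat.FILE_ATTRIBUTE_ENCRYPTED]
    return sorted(hits, key=lambda p: (not p.lower().endswith(suffixes), p))

# Constructed example of what collect_attributes() returns on an infected
# Windows host: the malware's temp folder holds EFS-encrypted files.
SAMPLE = {
    r"C:\Users\u\AppData\Local\Temp\abc\wow.dll":
        stat.FILE_ATTRIBUTE_ARCHIVE | stat.FILE_ATTRIBUTE_ENCRYPTED,
    r"C:\Users\u\AppData\Local\Temp\abc\cfg.dat":
        stat.FILE_ATTRIBUTE_ENCRYPTED,
    r"C:\Users\u\AppData\Local\Temp\setup.log":
        stat.FILE_ATTRIBUTE_ARCHIVE,
}

if __name__ == "__main__":
    temp = os.environ.get("TEMP") or os.environ.get("TMPDIR") or "/tmp"
    live = flag_encrypted(collect_attributes(temp))
    print("EFS-encrypted files under %s: %d" % (temp, len(live)))
    for path in flag_encrypted(SAMPLE):
        print("sample hit:", path)
```

Because the EFS key is bound to the logged-on user's profile, the only way to read a flagged file offline is with that profile's credentials or a recovery agent; the practical response the article describes, running the sample on a test machine under the same account, is what this check helps you decide to do quickly.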

New Android Trojan makes two-step authentication insecure


Two-step authentication becomes insecure when your Android device is infected with new malware that is capable of intercepting your messages and forwarding them to cybercriminals.

The Trojan, discovered by the Russian antivirus company Dr.Web, spreads as a "security certificate" that tricks users into thinking it must be installed on their device.

Once installed, the malware does nothing other than display a message stating "Certificate installed successfully and your device is protected now."

But in the background, the malware collects your phone information, including the device's serial number, IMEI, model, carrier, phone number and OS. Once the data has been gleaned, it attempts to send the information to a remote server.

After successfully sending the information, the malware awaits instructions from its master. The cybercriminal behind the malware can now send instructions and control the malware to do the following: intercept and forward SMS messages from specified numbers, send USSD messages, show a message, and more.

This malware makes the two-step authentication feature insecure because it can read the messages sent to your mobile. It means the Trojan can get the temporary password sent by a bank or any other site using two-step authentication.

ATM hacker Boanta invents "Secure Revolving System (SRS)" to prevent ATM thefts


"The only person who knows how to secure your system is the person who knows how to break it: the hacker." BreakTheSec.

A Romanian cybercriminal who is six months into a five-year sentence for supplying gadgets that conceal ATM skimmers has invented a new device that prevents ATM thefts, Reuters reported.

Valentin Boanta, 33, who was arrested in 2009, said his arrest made him happy because it helped him get over his blackhat hacking addiction.

"Crime was like a drug for me. After I was caught, I was happy I escaped from this adrenaline addiction," Reuters quoted Boanta as saying. "So that the other part, in which I started to develop security solutions, started to emerge."

Secure Revolving System (SRS): the SRS device, funded by a technology firm called MB Telecom, can be installed in any existing ATM and prevents the operation of skimming devices.

EC-Council hacked by Godzilla for creating cyber security awareness


Yes, it is cyberspace; here no one can assure 100% security, but that doesn't mean you can ignore security holes. Godzilla, the hacker who breached Pakistani government websites a few months ago, has claimed to have identified multiple security flaws in the EC-Council website (eccouncil.org).

EC-Council is best known for its professional certifications in the IT security field, especially 'Certified Ethical Hacker (CEH)'.

The hacker claimed to have gained access to the admin desk and accessed the course materials for CEHV8, CHFIV4, ECSS and ECSA_LPT4.

Talking to EHN, the hacker said: "This could take a very deadly turn if played by the cyber terrorist. They are the same org who train DOD, CIA, NSA, NASA etc."

"If a cyber terrorist infects this material with Trojans and malware, the same content will be accessed by the defense people. And this is the easy way to enter into the network of defense. They should concentrate on security and in future should avoid such situation."

"Consider it as a security alarm for USA and Defence network; you will never know in cyber space who is knocking your door."

The hacker didn't mention the type of vulnerability that gave access to these materials, but it appears his motive is to create cyber security awareness.

*Update*

EC-Council responded to the hacking claim by saying the hacker obtained the files due to a "human error" that allowed "directory viewing".

"This configuration allows a visitor to view the contents of a web directory much like visiting a web page, however instead of a webpage, the user is able to see links to files in web directories."

"This was not a breach and no systems were affected. The files contained in the listed directories were encrypted binary .Resource files; primarily DRM (Digital Rights Management) protected documents that EC-Council makes available for download to paying students and organizations globally and some other non confidential files that were already in public circulation. No sensitive data or personal information was compromised."

Chrome and Firefox browser extensions hijack Facebook accounts


Security researchers from Microsoft warn users of a new Trojan, in the form of a Mozilla add-on and a Chrome extension, that can hijack your Facebook profile.

The threat was first discovered in Brazil; Microsoft detects it as "Trojan:JS/Febipos.A".

The Trojan checks whether the user is logged in to Facebook. Then it attempts to download a configuration file that includes a list of commands.

According to the Malware Protection Center report, the malware is capable of doing the following with your Facebook account: like a page, share, post, join a group, invite friends to a group, chat to friends and comment on a post.

"There may be more to this threat because it can change its messages, URLs, Facebook pages and other activity at any time," Microsoft concluded. "In any case, we recommend you always keep your security products updated with the latest definitions to help avoid infection."

Hacker arrested by Taiwan police for hacking classical music website


The China Post reports that Taiwan police arrested a suspect surnamed Shih on May 1 for hacking into a popular local classical music website.

Police raided Shih's apartment and seized his computer, which was found to have been used in his hacking attempts.

The hacker admitted that he hacked into the website's customer database and made unauthorized changes to customer data by exploiting a SQL injection vulnerability.

The Criminal Investigation Bureau (CIB) stated that the investigation was launched after it received a report from the website's operator, who said their site had been hacked in March.

CVE-2013-2028: Buffer overflow vulnerability fixed in nginx 1.5.0, 1.4.1


Security researcher Greg MacManus from iSIGHT Partners Labs discovered a critical security flaw in several recent versions of nginx, an open source web server.

"A stack-based buffer overflow might occur in a worker process while handling a specially crafted request, potentially resulting in arbitrary code execution."

The security flaw, now identified with CVE id "CVE-2013-2028", affects nginx versions 1.3.9 - 1.4.0. The nginx developers have released a patch fixing this vulnerability.

The problem is fixed in nginx 1.5.0 and 1.4.1. The patch for the problem can be found here: http://nginx.org/download/patch.2013.chunked.txt
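The patch file name points at chunked request handling, the place where a request supplies its own size values and a parser must bound them before trusting them. As an added illustration of the defensive parsing this bug class calls for (written for this page, not nginx's code), the decoder below caps the length of the chunk-size line, rejects non-hex input and refuses any chunk or body larger than the declared limits, so a crafted size can never reach the code that allocates or fills a buffer. The limit values and the class name are assumptions for the demo.

```python
# Added example: bounds-checked parsing of HTTP chunked transfer encoding.
# Not nginx's code; it shows the checks a parser needs before using a
# client-supplied size. Limits below are assumptions for the demo.

MAX_CHUNK_SIZE = 1 << 20   # refuse any single chunk over 1 MiB
MAX_BODY_SIZE = 8 << 20    # refuse a decoded body over 8 MiB
MAX_SIZE_LINE = 16         # hex digits plus CRLF; longer lines are hostile

class ChunkedError(ValueError):
    """Raised for any malformed or over-limit chunked input."""

def parse_chunk_size(line: bytes) -> int:
    """Parse one chunk-size line such as b"1a;ext=1\\r\\n" into an int.
    The length check runs first, so an absurdly long hex string is rejected
    before it is ever converted, and the value check runs before the size is
    returned to anyone who might use it to index a buffer."""
    if len(line) > MAX_SIZE_LINE or not line.endswith(b"\r\n"):
        raise ChunkedError("bad chunk-size line")
    hexpart = line[:-2].split(b";", 1)[0].strip()   # drop chunk extensions
    if not hexpart or any(c not in b"0123456789abcdefABCDEF" for c in hexpart):
        raise ChunkedError("non-hex chunk size")
    size = int(hexpart, 16)
    if size > MAX_CHUNK_SIZE:
        raise ChunkedError("chunk too large: %d" % size)
    return size

def decode_chunked(body: bytes) -> bytes:
    """Decode a complete chunked body into its payload, enforcing the limits
    and verifying every CRLF so truncated input fails closed."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedError("truncated chunk-size line")
        size = parse_chunk_size(body[pos:eol + 2])
        pos = eol + 2
        if size == 0:
            return bytes(out)              # last-chunk; trailers ignored here
        if len(body) - pos < size + 2:
            raise ChunkedError("truncated chunk data")
        if len(out) + size > MAX_BODY_SIZE:
            raise ChunkedError("body too large")
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ChunkedError("missing CRLF after chunk")
        pos += 2

if __name__ == "__main__":
    print(decode_chunked(b"5\r\nhello\r\n0\r\n\r\n"))        # constructed input
    for hostile in (b"f" * 40 + b"\r\n", b"ffffffffffffff\r\n"):
        try:
            decode_chunked(hostile)
        except ChunkedError as err:
            print("rejected:", err)
```

The two hostile inputs in the block fail for different reasons, and both matter: the first is rejected on line length before any integer is built, the second parses cleanly but exceeds the chunk limit. A parser that only does the second check still has to handle whatever the integer conversion does with oversized or sign-flipping values, which is exactly the kind of edge that turns into memory corruption in C.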

Subdomain of US Department of Labor website hacked and serving malware

Site Exposure Matrices (sem.dol.gov), a subdomain of the United States Department of Labor website, has been found hacked and infected with malicious code.

Malware analysts at AlienVault Labs analyzed the page and found that one of its JavaScript files is infected and loads malicious external JavaScript code.

The external script is designed to collect the following information from the victim's computer: the Java version, Microsoft Office version, Adobe Reader version and Flash version running on the system.

The script is also able to check for the presence of the following antivirus products: Avira, BitDefender, McAfee, AVG, NOD32, Dr.Web, Microsoft Security Essentials, Sophos, Kaspersky and F-Secure.

The collected information is sent to a remote server, which then serves malicious code that attempts to exploit the use-after-free vulnerability in Internet Explorer (CVE-2012-4792).

According to their report, some of the techniques used in the attack resemble the previous exploit identified on the Thailand NGO website.

Alleged leader of LulzSec hacking group arrested by Australian police



The Australian Federal Police (AFP) have reportedly arrested a 24-year-old self-proclaimed leader of the LulzSec hacking group.

The arrest comes a few days after a LulzSec member was jailed for the SQL injection attack that allowed him access to the Sony Pictures Entertainment site.

According to the ABC news report, the AFP says the investigation began less than two weeks ago when investigators found that a government website had been breached.

The report didn't reveal the identity of the man, who has been charged with two counts of unauthorised modification of data to cause impairment and one count of unauthorised access to a restricted computer system.