E Hacking News
Showing posts with label Malware Report. Show all posts
Security researchers from Bitdefender Labs have spotted a new variant of the Dorkbot malware that targets Facebook users, spreading through the social network's internal chat.

Dorkbot is an IRC-based worm that spreads via instant messaging programs and social networks; it can steal login credentials and block security updates.

The malware was hosted on the file-sharing site MediaFire under a '.JPG' extension. Once it compromised a victim's system, it sent links to the malware to the victim's friends via Facebook chat, according to a Computerworld report.

Researchers said the malware is capable of spying on users' browsing activity and stealing their personal details. Bitdefender found links to the malware circulating in the United States, India, Portugal, the UK, Germany, Turkey and Romania.

Security researchers from Microsoft warn users of a new Trojan, distributed as a Mozilla Firefox add-on and a Google Chrome extension, that can hijack your Facebook profile.

The threat was first discovered in Brazil; Microsoft detects it as "Trojan:JS/Febipos.A".

The Trojan checks whether the user is logged in to Facebook. If so, it attempts to download a configuration file that includes a list of commands.

According to the Microsoft Malware Protection Center report, the malware can do the following with your Facebook account: like a page, share, post, join a group, invite friends to a group, chat with friends, and comment on a post.

"There may be more to this threat because it can change its messages, URLs, Facebook pages and other activity at any time," Microsoft concluded. "In any case, we recommend you always keep your security products updated with the latest definitions to help avoid infection."

Security researchers from Webroot have come across a few font-installing apps hosted on Google Play that install Android spyware called "iKno".

The apps look like legitimate font apps and allow users to install new fonts on their Android devices.

The researchers analyzed the apps and identified malicious code that downloads and executes an ikno.apk file from a website.

iKno is Android spyware developed by Technoreap Solutions that monitors call logs, text messages and location.

It appears the malicious apps and the developer's account have been removed from Google Play.
Site Exposure Matrices (sem.dol.gov), a sub-domain of the United States Department of Labor website, was found to be hacked and infected with malicious code.

Malware analysts at AlienVault Labs analyzed the page and found that one of its JavaScript files was infected and loads malicious external JavaScript code.

The external script is designed to collect the following information from the victim's computer: the versions of Java, Microsoft Office, Adobe Reader and Flash running on the system.

The script also checks for the presence of the following antivirus products: Avira, BitDefender, McAfee, AVG, NOD32, Dr.Web, Microsoft Security Essentials, Sophos, Kaspersky and F-Secure.

The collected information is sent to a remote server, which then serves malicious code that attempts to exploit a use-after-free vulnerability in Internet Explorer (CVE-2012-4792).

According to their report, some of the techniques used in the attack resembled those of a previous exploit identified on a Thailand NGO website.

Trend Micro has uncovered a new piece of malicious software that appears to be using the note-taking service Evernote as its command-and-control (C&C) server.

The Trojan, dubbed VERNOT, can perform several backdoor commands such as downloading, executing and renaming files, and it harvests information about the affected system.

The interesting part: the malware receives its instructions from Evernote accounts and, at the same time, stores the harvested information in those same Evernote accounts.

"Misusing legitimate services like Evernote is the perfect way to hide the bad guys' tracks and prevent efforts done by the security researchers," the researchers pointed out.

This is not the first time a popular legitimate service has been abused as a C&C server: in the past, Google Docs, Sendspace, Twitter and other services have been used by cybercriminals to send instructions to malware.

Slovenian police performed 12 house searches and arrested five suspected cybercriminals believed to be responsible for malware attacks that stole money from companies' bank accounts.

It all started last year, when the Slovenian national Computer Emergency Response Team (SI-CERT) started receiving reports of malware attacks.

The victims received emails pretending to come from a local bank and the state tax authority, with a Trojan horse attached.

The malware installs a remote administration tool that steals the victim's e-banking credentials and sends them to the cybercriminals.

"With stolen credentials and in the case where the victim did not remove the smart card containing the bank-issued certificate from the reader after use, the doors to the company's bank accounts were left open to the criminal gang," SI-CERT's report reads.

The attackers timed their attacks for Fridays or the day before national holidays, so that the companies wouldn't immediately notice the theft.

According to the report, the criminal group used 25 money mules to transfer around 2 million euros.


Salem State University (SSU) found that one of the college's servers was infected with malware. The university sent notifications to 25,000 current and former employees whose information was stored on the affected server.

The security breach affects everyone who has received a paycheck from the university, from full-time staff to students employed on campus, according to a Salem News report.

Tom Torello, vice president of marketing and communications at Salem State, said: "we don't know if anyone's information has been used in any type of illegal way, so we don't know if anyone's information is out there."

The university has offered one year of identity protection services through Experian to the affected employees.

The Reserve Bank of Australia (RBA) was infected by a piece of malicious software allegedly developed in China, a Reuters report says.

The bank was targeted in November 2011 by suspicious emails purporting to come from a senior bank staff member regarding "Strategic Planning FY2012", according to documents released by the RBA.

The cybercriminals embedded a link to the payload instead of attaching the malware to the email. The link led to a zip file containing a Trojan, which the antivirus used by the bank failed to detect.

To bypass the existing security controls, the cybercriminals included a legitimate signature and a plausible subject and content, and put no attachments in the email.

"It was also found that six users had clicked on the malicious link, potentially compromising their workstations," the report noted.

The bank said the affected PCs did not have local admin rights, which prevented the virus from spreading around the network. A bank spokesperson told Reuters that nothing was stolen.

JustSystems Corporation, the developer of Ichitaro, one of the top Japanese word processors, announced that an arbitrary code execution vulnerability in Ichitaro is being exploited in the wild.

When a user opens a malicious document that exploits this vulnerability, malware is dropped on the victim's machine. The malware can delete your data, warns JustSystems.

In a report, Symantec said they have seen the exploitation in the wild since mid-January. The attack targets users in Japan.

Malicious attachment (image credit: Symantec)

According to their report, the attack starts with an archive file containing the following files: a clean Ichitaro document (.jtd file); a modified JSMISC32.DLL file with the hidden attribute set; and a malicious DLL file with the hidden attribute set and a .jtd file extension.

When the .jtd document is opened on a vulnerable computer, it loads the modified JSMISC32.DLL, which in turn launches the malicious DLL disguised with the .jtd extension.
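The archive described above relies on two tricks a triage script can catch before anything is opened: an executable hiding behind a document extension, and a DLL bundled next to a document so the application side-loads it. The following is an added example (not code from Symantec or JustSystems) that scans an extracted archive directory for both; the file names and the minimal MZ/PE header are constructed here to mirror the reported layout. Hidden-attribute checks only work on Windows and are skipped elsewhere.

```python
"""Triage an extracted archive for PE files disguised as documents and for
DLLs bundled beside documents (possible side-loading).

Added example; not from the original report. Sample files are constructed.
"""
import stat
import struct
import tempfile
from pathlib import Path

DOC_EXTENSIONS = {".jtd", ".doc", ".docx", ".xls", ".pdf", ".txt", ".jpg"}


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_hidden(path: Path) -> bool:
    """Windows hidden attribute; always False on platforms without st_file_attributes."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def scan_dir(root) -> list:
    """Return sorted (file name, [reasons]) for suspicious files under root."""
    entries = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            with p.open("rb") as f:
                head = f.read(4096)
            entries.append((p, is_pe(head), p.suffix.lower()))

    # A DLL only matters for side-loading if a document is shipped alongside it.
    has_plain_docs = any(not pe and ext in DOC_EXTENSIONS for _, pe, ext in entries)

    findings = []
    for p, pe, ext in entries:
        reasons = []
        if pe and ext in DOC_EXTENSIONS:
            reasons.append("PE content with document extension")
        if pe and ext == ".dll" and has_plain_docs:
            reasons.append("DLL bundled with documents (possible side-loading)")
        if pe and is_hidden(p):
            reasons.append("hidden executable")
        if reasons:
            findings.append((p.name, reasons))
    return sorted(findings)


def fake_pe() -> bytes:
    """Constructed minimal MZ stub: e_lfanew at 0x3C points to 'PE\\0\\0' at 0x40."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


def build_sample_archive_dir() -> str:
    """Constructed stand-in for the extracted archive: decoy doc, loader DLL, disguised DLL."""
    d = tempfile.mkdtemp()
    (Path(d) / "report.jtd").write_bytes(b"clean decoy document body")   # opened by the victim
    (Path(d) / "JSMISC32.DLL").write_bytes(fake_pe())                     # modified loader DLL
    (Path(d) / "payload.jtd").write_bytes(fake_pe())                      # malicious DLL, .jtd name
    return d


if __name__ == "__main__":
    for name, why in scan_dir(build_sample_archive_dir()):
        print(f"{name}: {', '.join(why)}")
```

The decoy document is not flagged, the renamed DLL is flagged for its header/extension mismatch, and JSMISC32.DLL is flagged only because it travels with a document; a DLL on its own is not suspicious by this rule.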

Ichitaro users are advised to download and apply the patch from JustSystems to protect against this exploit.

"Humans are one of the most vulnerable systems." A recent report from the Houston Chronicle is an example of this: computers on several offshore oil rigs were infected with malware after employees downloaded porn and pirated content.

According to the report, malware attacks have occurred at several offshore rigs and platforms and knocked some offline. A facility in the Gulf of Mexico had its systems locked up by malware.

Cybersecurity professionals said a typical malware infection on energy infrastructure would likely cause no serious problems, but a tailored attack that reaches a facility through widely distributed malware could cause extreme damage.

Experts described a worst-case scenario that could be catastrophic: "A malfunctioning rig and safety systems could cause a well blowout, explosion, oil spill and lost human lives."

Experts recommended that companies prevent infections by keeping software updated and reducing access to control systems.

Social network giant Facebook has announced that its computer systems were targeted in a sophisticated Java zero-day attack last month. Fortunately, Facebook discovered the malware before further damage was done.

According to a Facebook security blog post, the attack occurred when a handful of employees visited a compromised mobile developer website.

They found no evidence that Facebook user data was compromised. Federal authorities are investigating the attack.

Facebook says it was not alone and that several other companies were also attacked.

Recently, Twitter reported a cyber attack. The New York Times and the Wall Street Journal have also said they were attacked, and blamed Chinese hackers.


Google reportedly blocked popular websites on Monday, including Reuters, The Guardian, ZDNet, The New York Times, the National Post and many others, after online advertising provider NetSeer was hacked and infected with malware.

Google users were shown warnings that the website they were visiting might be infected with malware.

"Content from cm.netseer.com, a known malware distributor, has been inserted into this web page. Visiting this page now is very likely to infect your computer with malware," the alert said.

"Malware is malicious software that causes things like identity theft, financial loss, and permanent file deletion."

According to a ZDNet report, a NetSeer spokesperson confirmed the successful hacking attempt at around 5:30 a.m. PT, but noted that it did not affect its advertising network infrastructure.
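Both the Department of Labor compromise above (an infected first-party JavaScript file pulling in external code) and the NetSeer case (third-party ad content inserted into many publishers' pages) come down to a page loading script from a host its owner did not intend. A simple control is to enumerate the external script hosts a page loads and compare them against an allowlist. The following is an added example, not code from AlienVault, Google or NetSeer; the sample HTML, the publisher host name and the allowlist are constructed, and cm.netseer.com appears only because the alert text above names it.

```python
"""Enumerate external <script src> hosts in a page and flag those not allowlisted.

Added example; not from the original reports. SAMPLE_HTML and ALLOWLIST are
constructed test data.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag (inline scripts have none)."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def external_script_hosts(html: str, page_host: str) -> list:
    """Hosts of script sources that are not the page's own host, in document order."""
    parser = ScriptSrcParser()
    parser.feed(html)
    hosts = []
    for src in parser.sources:
        # scheme="https" lets urlparse resolve protocol-relative "//host/x.js";
        # a relative path like "/js/app.js" yields hostname None and is skipped.
        host = urlparse(src.strip(), scheme="https").hostname
        if host and host.lower() != page_host.lower():
            hosts.append(host.lower())
    return hosts


def is_allowed(host: str, allowlist) -> bool:
    """Exact match or subdomain of an allowlisted domain."""
    return any(host == a or host.endswith("." + a) for a in allowlist)


def unexpected_hosts(html: str, page_host: str, allowlist) -> list:
    """Sorted, de-duplicated external script hosts that are not allowlisted."""
    allowed = [a.lower() for a in allowlist]
    return sorted({h for h in external_script_hosts(html, page_host) if not is_allowed(h, allowed)})


# Constructed publisher page: own script, a CDN library, and an injected ad script.
SAMPLE_HTML = """
<html><head>
<script>var page = {section: "world"};</script>
<script src="/js/site.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
</head><body>
<p>story text</p>
<script type="text/javascript" src="//cm.netseer.com/serve.js"></script>
</body></html>
"""
PAGE_HOST = "www.example-news.com"          # constructed
ALLOWLIST = ["example-news.com", "googleapis.com"]  # constructed

if __name__ == "__main__":
    for h in unexpected_hosts(SAMPLE_HTML, PAGE_HOST, ALLOWLIST):
        print("unexpected script host:", h)
```

Run against a crawl of your own pages, the output is the list of third parties that can execute code in your visitors' browsers; any entry you do not recognise deserves the same scrutiny the NetSeer domain got here. The check reads static markup only, so scripts that are added by other scripts at run time will not appear; a browser-side content security policy with `report-uri` covers that gap.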

A botnet called "Poker Agent", identified about a year ago, was designed to steal Facebook account credentials, along with payment information linked to the Facebook account and Zynga Poker.

According to ESET's analysis, the threat was mostly active in Israel; 800 computers were infected and over 16,000 Facebook credentials stolen.

Once the malware infects a system, it receives commands from a remote C&C server to log into Facebook accounts and collect information, including Zynga Poker stats and the number of payment methods (i.e. credit cards) saved in the Facebook account.

The Trojan publishes phishing links on victims' walls in order to compromise more Facebook account credentials.

The cybercriminals seem to have ceased actively spreading the Trojan in mid-February 2012. The Israeli CERT and law enforcement have been notified and an investigation has been launched. Facebook has also been notified and has taken preventive measures to thwart future attacks on the hijacked accounts.

Security researchers from Webroot have found cybercriminals compromising legitimate websites to spread their malware. One popular Bulgarian website for branded watches has been compromised and redirects to a malicious page.

The malicious page serves premium-rate SMS Android malware when a user visits from an Android device.

The same cybercriminals are also involved in a few other campaigns. In one of them, they lure Russian-speaking users into installing a fake Adobe Flash Player.

Other campaigns use a fake Android browser and a fake Google Play as social engineering themes.

When the malicious app is executed, the malware collects information such as IMEI, brand, operator and IMSI and sends it back to a remote server.

Image: list of malicious apps hosted by apkdeveloper

Once again, malicious Android apps have been found in Google Play. A developer named "apkdeveloper" hosted a number of Android malware samples on Google Play.

The malware author used popular app names for his malicious apps, adding "super" to the end of each name. He also posted fake reviews to lure unsuspecting users into downloading the malware.

"Obviously faked from the app either by asking people to give 5 stars to unlock the game (quite a common trick) or the people that made the app have found a way to publish reviews to the play store automatically. Wouldn't surprise me to be honest," one Reddit user's comment reads.

According to one Reddit comment, the fake apps asked for the permissions 'approximate location', 'precise location', 'full network access', 'read phone calls', 'modify or delete data on your SD card', 'find accounts', 'control vibration', 'run at startup' and 'test access to protected storage'.

The malware author was banned from Google Play after a Reddit post drew attention to the malware-infested apps.

We are not sure how many users have been affected by these malicious apps. Make sure you haven't installed one of them.

Russian antivirus firm Doctor Web has discovered a new Android Trojan that helps cybercriminals launch distributed denial-of-service (DDoS) attacks. It is also capable of sending SMS messages based on commands received from the attacker.

According to the report, the malware, "Android.DDoS.1.origin", likely spreads via social engineering and disguises itself as a legitimate application from Google.

Image: fake Google Play icon

After installation, the malware creates an application icon that looks like the Google Play icon. If a user taps the fake icon, it still launches the real Google Play, but in the background it starts its malicious activity.

Once launched, the malware transmits the victim's phone number to the cybercriminals and then waits for further SMS instructions.

From then on, the cybercriminals can launch a DDoS attack against any server by sending a command message containing the server address and port. After receiving the instructions, the malware starts sending packets to the specified address.

The malware reduces the performance of the infected device, and the victim may receive unexpected bills for Internet access and SMS.

Fake antivirus (scareware), also referred to as rogue security software, is one of the most frequently encountered malware threats; it pretends to be legitimate security software.

Fake AV attempts to scare victims into believing their system is infected with malware that does not really exist. It continually displays fake virus warnings and asks victims to pay to clean up the non-existent malware.

Recent research from Zscaler shows that more than 70% of legitimate antivirus products fail to detect the fake AV (only 12 of 43 engines detected it). Three years ago, the detection ratio for fake AV was 6/41.

Fortunately, Google Safe Browsing and Internet Explorer's SmartScreen Filter blocked the malicious page that serves the fake AV.

According to the researchers, the malware disables the firewall and existing AV solutions, disables AV updates, disables security warnings and sets itself as the default AV solution.

The malware further downloads and runs a file called 'data.exe' from a malicious domain that is blocked by Google Safe Browsing, but the executable is detected by only 9 of 46 AV engines.

It seems cybercriminals did not believe the world was going to end today (December 21, 2012). While everyone was buzzing about end-of-the-world predictions, the cybercriminals started spreading their own PowerPoint presentation about it. Unfortunately, the presentation hides malware.

SophosLabs discovered a PowerPoint file titled "Will the world end in 2012?" which contains Visual Basic macro code that drops an executable file called VBA[X].exe.

Similar to the Excel Sudoku generator malware, this presentation also requires the user to enable macros.

According to researchers, the EXE file extracts another Windows PE file, which downloads a picture of an owl and then contacts a command-and-control server. It is designed to download another payload, which it renames to Wmupdate.exe.

Did you believe the world would end on December 21, 2012? We are still here today.


SophosLabs has come across a Microsoft Excel-based Sudoku generator spreadsheet that tricks victims into running malware.

"If you want to generate a puzzle to solve, you have to enable macros. It sounds perfectly reasonable, doesn't it? Generating Sudoku puzzles requires a program; to run the program requires macros," the researcher said on Naked Security.

Once you enable the macros, a rather less amusing macro installs and runs malware in the background.

The malware collects system information using standard commands: ipconfig for network information, tasklist for a list of all running programs and services, and systeminfo for details about your hardware, operating system and patches.

Once the data is collected, the malware sends it to an aol.com address.
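Both macro cases on this page, the PowerPoint file that drops VBA[X].exe and the Sudoku spreadsheet that runs ipconfig, tasklist and systeminfo, leave the same trace on the endpoint: an Office process becoming the parent of something it has no business launching. The following is an added example, not SophosLabs' code, of detection logic over process-creation events; the records are constructed in the shape of Sysmon Event ID 1 (field names are Sysmon's, the paths, PIDs and timestamps are invented) and it generalises slightly beyond the page by also matching whoami and executables launched from user-writable directories.

```python
"""Flag Office applications spawning host-recon commands or dropped executables.

Added example; not from the original reports. SAMPLE_EVENTS is constructed
JSON-lines data in the shape of Sysmon Event ID 1 (process creation).
"""
import json
import re
from collections import defaultdict

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
BENIGN_CHILDREN = {"splwow64.exe"}   # 32/64-bit print spooler helper; routine Office child
RECON_RE = re.compile(r"\b(ipconfig|tasklist|systeminfo|whoami)\b")
USER_WRITABLE_RE = re.compile(r"\\(appdata|temp|downloads|public)\\", re.IGNORECASE)

SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"UtcTime": "2012-12-20 09:14:02", "ParentProcessId": 4120,
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c ipconfig /all > "%TEMP%\s.txt"'},
    {"UtcTime": "2012-12-20 09:14:03", "ParentProcessId": 4120,
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c tasklist >> "%TEMP%\s.txt"'},
    {"UtcTime": "2012-12-20 09:14:05", "ParentProcessId": 4120,
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c systeminfo >> "%TEMP%\s.txt"'},
    {"UtcTime": "2012-12-20 09:20:11", "ParentProcessId": 1188,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "CommandLine": r'"EXCEL.EXE" budget.xlsx'},
    {"UtcTime": "2012-12-20 09:31:40", "ParentProcessId": 5200,
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
    {"UtcTime": "2012-12-21 08:02:57", "ParentProcessId": 6100,
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE",
     "Image": r"C:\Users\bob\AppData\Local\Temp\VBA1.exe",
     "CommandLine": r'"C:\Users\bob\AppData\Local\Temp\VBA1.exe"'},
])


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: dict):
    """Return (severity, message) for an Office child worth looking at, else None."""
    parent = basename(ev.get("ParentImage", ""))
    if parent not in OFFICE_APPS:
        return None
    image = basename(ev.get("Image", ""))
    if image in BENIGN_CHILDREN:
        return None
    m = RECON_RE.search(ev.get("CommandLine", "").lower())
    if m:
        return ("high", f"{parent} ran host recon command '{m.group(1)}'")
    if USER_WRITABLE_RE.search(ev.get("Image", "")):
        return ("medium", f"{parent} launched executable from user-writable path: {image}")
    return ("low", f"{parent} spawned {image}")


def iter_events(events_jsonl: str):
    for line in events_jsonl.splitlines():
        if line.strip():
            yield json.loads(line)


def detect(events_jsonl: str) -> list:
    alerts = []
    for ev in iter_events(events_jsonl):
        verdict = classify(ev)
        if verdict:
            sev, msg = verdict
            alerts.append({"time": ev["UtcTime"], "parent_pid": ev["ParentProcessId"],
                           "severity": sev, "message": msg})
    return alerts


def recon_by_parent(events_jsonl: str) -> dict:
    """Office parent PIDs that ran two or more distinct recon tools: scripted collection."""
    seen = defaultdict(set)
    for ev in iter_events(events_jsonl):
        if basename(ev.get("ParentImage", "")) in OFFICE_APPS:
            m = RECON_RE.search(ev.get("CommandLine", "").lower())
            if m:
                seen[ev["ParentProcessId"]].add(m.group(1))
    return {pid: tools for pid, tools in seen.items() if len(tools) >= 2}


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["time"], a["severity"].upper(), a["message"])
    for pid, tools in recon_by_parent(SAMPLE_EVENTS).items():
        print(f"parent PID {pid} ran {len(tools)} recon tools: {sorted(tools)}")
```

The per-event rule catches each command on its own; the aggregation by parent PID is what separates a macro harvesting the host (three different recon tools in seconds) from an analyst who once ran ipconfig from a spreadsheet. Explorer starting Excel and Word starting the print helper produce nothing, which is the noise floor you want before wiring this into an alerting pipeline.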


Recently, the Iranian CERT reported a new piece of malware targeting Iranian computers that is capable of wiping files from infected machines.

SophosLabs has analyzed the sample and confirmed that the malware attempts to erase the contents of any files on the D, E, F, G, H and I drives.

The malware is distributed as a self-extracting WinRAR archive called GrooveMonitor.exe that drops three executable files: juboot.exe, jucheck.exe and SLEEP.EXE.

juboot.exe is a DOS batch file converted to PE format; it uses SLEEP.EXE to wait a few seconds before adding a registry entry that ensures jucheck.exe is executed each time the computer restarts.

The primary function of the malware is wiping files from the hard drive, but it does so only within a few specific date ranges, each about two days long.

After deleting the data, the malware runs chkdsk in order to trick the victim into believing the files were corrupted by a software or hardware failure.
COPYRIGHT 2012 by EHN. | Read our Privacy Policy