Researchers detect a new Android Trojan targeting users in China

Photo Courtesy: Dr. Web

Security researchers from Doctor Web, a Russian anti-virus software developer, have detected another new Android Trojan, which is said to be distributed among users in China to spy on its victims.

Previously, the researchers had found an Android Trojan that spreads as a security certificate, tricking users into thinking it must be installed on their device. That Trojan undermined two-step authentication by infecting users' devices with malware capable of intercepting their messages and forwarding them to cybercriminals.

The Trojan, dubbed Android.Backdoor.260.origin, can intercept SMS messages, record phone calls, track the GPS coordinates of the infected device, take screenshots, and even collect data entered by the user.

“Due to the fact that Android.Backdoor.260.origin is distributed as “AndroidUpdate”, potential victims are very likely to install it on their mobile devices,” the researchers posted in a blog.

According to the researchers, the Trojan's main malicious features are implemented in special modules incorporated into the malware's software package. Once activated, the Trojan extracts the following additional components: super, detect, …, 1.dat, …, substrate_signed.apk and cInstall.

“Next, it tries to run the binary cInstall file (detected by Dr.Web as Android.BackDoor.41) with root privileges. If the attempt is successful, this malicious module plants a number of files extracted earlier into system folders and tries to stealthily install a utility called “Substrate”. This tool expands functionality of applications and is used by Android.Backdoor.260.origin to intercept entered data. If the Trojan does not succeed in acquiring root privileges, then, most likely, it will fail to install necessary components. As a result, the malware will not be able to perform the majority of its functions properly,” the researchers added.

Once all the modules are installed, the Trojan removes the shortcut it created earlier and launches a malicious service called PowerDetectService, which runs the malicious module (added to the Dr.Web virus database as Android.BackDoor.42) together with Substrate.

“In fact, this tool is not actually malicious and can be easily downloaded from Google Play. However, cybercriminals have modified the original application and incorporated the new version into Android.Backdoor.260.origin. As a result, the tool became potentially dangerous for mobile devices' users,” the researchers explained.

The researchers warn users not to install applications from unreliable sources and to protect their mobile devices with reliable anti-virus software.

Researchers detect Malvertising in PlentyOfFish

Photo Courtesy: Malwarebytes

Researchers from Malwarebytes Unpacked, a security firm, have detected malvertising on PlentyOfFish, a Vancouver-based online dating service that makes money from advertising. Malvertising (from “malicious advertising”) uses online advertising to spread malware by placing malware-laden advertisements on legitimate online advertising networks.

The researchers warned users not to click on the adverts; visitors are targeted automatically by an attack that detects whether their computer can be infected (via outdated software) and launches directly.

Soon after detecting the attack, they contacted the company concerned to make it aware of the issue.

According to the researchers, the attack chain uses the Google URL shortener as an intermediary to load the Nuclear exploit kit.

“While we see this mechanism quite frequently within our telemetry, it is particularly difficult to reproduce it in a lab environment,” the researcher wrote in a blog post. “The ad network involved in the malvertising campaign (…) was familiar, and it turns out that we had observed it in a rare attack captured by our honeypots just one day prior.”

The sample collected was the Tinba banking Trojan. Given that the time frames of both attacks and the ad network involved are the same, chances are high that pof[dot]com dropped that Trojan as well.

According to a news report published in The Register, the attack against PlentyOfFish comes against the backdrop of the fallout from the data dump by hackers who breached cheaters’ hook-up website Ashley Madison, and the earlier attack against AdultFriendFinder.

There’s nothing to link the three attacks directly, but it’s fair to say that dating and adult hook-up websites are very much in the firing line of hackers, so extra precautions ought to be applied.

Beware of “unbreakable” Cryptolocker virus

Photo Courtesy: ABC

Many people are becoming victims of an encryption virus dubbed Cryptolocker, which hijacks computer files and demands a ransom to restore them.

A report by ABC confirms that Australians are now paying thousands of dollars to overseas hackers to rid their computers of Cryptolocker, which comes in a number of versions, the latest capitalizing on the release of Windows 10.

The deputy chairperson of the Australian Competition and Consumer Commission (ACCC), Delia Rickard, said the number of victims of the scam had been increasing over the past two months. The commission has received 2,500 complaints this year and estimates that about $400,000 has been paid to the hackers.

As per the report, the "ransomware" infects computers through programs and credible-looking emails, taking computer files and photographs hostage. It can arrive in an email disguised as an installer of the new operating system in a zip file.

Experts have found it more complicated than other viruses.

Josh Lindsay, IT technician, told ABC that he had been repairing computers for 15 years but the current form of the virus was "unbreakable".

It is said that the hackers offer computer owners a chance to retrieve their data, but only if they pay a ransom in the electronic currency Bitcoin.

Michael Bailey from the Tasmanian Chamber of Commerce and Industry (TCCI) said that when his organization was hit by the overseas hackers, his company paid a ransom equivalent to US$350.

Fake Android Virus alert says "Your Mobile compromised by Chinese Hackers"

A fake virus alert is a technique used by cyber criminals to trick users into thinking their system has a virus, then tell them to install or buy fake applications, or sometimes redirect them to spam websites.

A new fake virus alert spotted by the Malwarebytes team tells users that their device is infected by a dangerous virus created by Chinese hackers.

"Whoever put this one together is watching all those APT news stories with glee and weaving them into their efforts below," the Malwarebytes blog post reads.

Anyone passing through the page paulgrenwood[dot]com/US/smart/index[dot]html, receives the following message:

Warning! Your phone is attacked by severe virus that can steal your privacy which created by Chinese hackers on [date].
Please clear this virus immediately.

There is another fake warning message on the next page, with an “Android App on Google Play” button underneath the message and a list of infections.

A rotator URL (clmbtrk(dot)com/?a=17990&c=81777&s1= ) is used to send visitors to a variety of random adverts depending on their geographical location.

Visiting the URL with a standard desktop setup would, more often than not, lead to a blank page. The bulk of the pages seen were dating sites with a lot of flesh on display, and even one hardcore pornography site.

There’s no infection, so no need to panic.

Cyber Criminals abuse Yahoo's advertising network to spread malware

Cyber criminals are targeting Yahoo’s advertising networks to deliver malware directly to the computers of users who view the ads.

Security firm Malwarebytes, which discovered the attack on July 28, says that Yahoo is the victim of malvertising attacks in which exploit kits are used to redirect victims to malware websites.

The malvertising attack, which does not require any user interaction, is believed to be one of the biggest in recent times due to the massive amount of traffic on Yahoo.

In one of the campaigns, the attackers used the Angler Exploit Kit. This exploit kit usually infects the victim's machine with annoying software and malware that forces victims to pay money to unlock their system.

The security firm said that it had informed Yahoo about the attack the very same day. Yahoo said that the malware campaign has been stopped and that the company is investigating the matter.

Although it is not yet possible to determine exactly how many people have been affected by the attack, the number could be large, as Yahoo gets 6.9 billion visits a month.

Attackers exploit a privilege escalation 0-day on Mac

Adam Thomas, a researcher from Malwarebytes, has discovered a new adware installer in the wild that exploits a zero-day vulnerability in Apple's handling of the DYLD_PRINT_TO_FILE environment variable to install unwanted programs, including VSearch, a variant of the Genieo package, and the MacKeeper junkware.

The vulnerability exploited by this adware was first disclosed by researcher Stefan Esser a month ago; however, he did not report the flaw to the company concerned first.

The adware was able to change the sudoers file, a hidden Unix file that determines, among other things, who is allowed to get root permissions in a Unix shell, and how.

The modification made to the sudoers file, in this case, allowed the app to gain root permissions via a Unix shell without needing a password.
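A defender's counterpart to the sudoers change described above is to audit that file for rules granting root without a password. The following is an added example, not Malwarebytes' or Apple's code: the sudoers content it scans is constructed (the stock rules plus one injected passwordless line of the kind an adware installer might add), and the parser handles the common "who host=(runas) [NOPASSWD:] commands" rule shape while skipping Defaults lines and comments.

```python
"""Audit a sudoers file for rules that grant root without a password.

Added example, not Malwarebytes' or Apple's code. SAMPLE_SUDOERS is a
constructed file; audit_sudoers() reads the real /etc/sudoers when run
as root.
"""
import re
from typing import List, Tuple

# Constructed sudoers content: stock rules plus one injected line
# (the last one) that lets every user run anything as root with no password.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
Defaults env_reset
ALL     ALL=(ALL) NOPASSWD: ALL
"""

# who, host, optional (runas), then the tag/command list.
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


def find_passwordless_rules(text: str) -> List[Tuple[str, str]]:
    """Return (who, command spec) for every rule carrying a NOPASSWD tag."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line or line.startswith("Defaults"):
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        cmds = match.group("cmds").strip()
        if "NOPASSWD:" in cmds:
            findings.append((match.group("who"), cmds))
    return findings


def risk_level(findings: List[Tuple[str, str]]) -> str:
    """'critical' when anyone (ALL) may run anything (ALL) as root without a password."""
    for who, cmds in findings:
        if who == "ALL" and cmds.endswith("ALL"):
            return "critical"
    return "elevated" if findings else "clean"


def audit_sudoers(path: str = "/etc/sudoers") -> Tuple[str, List[Tuple[str, str]]]:
    """Read the live sudoers file (needs root) and classify it."""
    with open(path, encoding="utf-8") as fh:
        findings = find_passwordless_rules(fh.read())
    return risk_level(findings), findings


if __name__ == "__main__":
    found = find_passwordless_rules(SAMPLE_SUDOERS)
    print(risk_level(found), found)   # critical [('ALL', 'NOPASSWD: ALL')]
```

Running it against the live file with `audit_sudoers()` needs root; a "critical" result on a machine whose administrators never added such a rule is exactly the symptom the Malwarebytes write-up describes.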

According to a post by MalwareBytes, if anyone installs VSearch, the installer will also install a variant of the Genieo adware and the MacKeeper junkware. As its final operation, it directs the user to the Download Shuttle app on the Mac App Store.

However, Apple has still not fixed the problem.

Russian APT attackers control hacked machines using Twitter and GitHub

Russian APT attackers have used an advanced type of backdoor which tries to avoid detection by adding layers of obfuscation and mimicking the behavior of legitimate users. 

The attackers used popular legitimate websites such as Twitter and GitHub, along with compromised web servers, to send instructions to and steal data from the compromised machines, according to an APT report published by the security firm FireEye.

The group, known as APT29, uses an algorithm that generates daily Twitter handles and embeds commands in pictures.

The attackers post instructions for their backdoors in a tweet containing a URL and a hashtag. The malware downloads the content hosted at that URL, including all images on the page.

They hide data and other instructions within an image file using a technique called steganography.

The hashtag contains a number representing a location within the image file and a few characters that are appended to the decryption key. The key is used to retrieve the data stored in the image.

The instructions also specify where to upload the stolen data: it is uploaded to a specific account on a cloud storage service using the login credentials provided.

APT29 is suspected to be based in Russia, since it is active during normal working hours in Moscow.

Researchers find a new Linux backdoor

Security researchers from Doctor Web, a Russian Anti-malware company, have detected a new backdoor dubbed Linux.BackDoor.Dklkt.1 that targets Linux operating systems.

The signature of the backdoor has already been added to the Dr.Web virus databases, so Dr.Web's Linux users are reliably protected.

“It is clear that the creators of this malicious program planned to equip it with a wide variety of powerful features, but bringing all their intentions to life proved rather problematic; at the moment, not all of the program's components work as they should,” the researchers wrote in a blog.

The researchers claim the backdoor is supposedly of Chinese origin. They say the virus makers tried to create a multi-component malicious program encompassing a large number of functional properties.

“For example, they wanted to equip it with functions typical of file managers, DDoS Trojans, proxy servers, and so on,” they added. “However, not all of these plans were destined to see the light. Moreover, virus makers attempted to make a cross-platform program out of their creation; so that the executable file could be assembled both for Linux and Windows architectures. However, due to carelessness of cybercriminals, the disassembled code contains some strange constructions that have absolutely nothing to do with Linux.”

According to the researchers, the backdoor checks the folder from which it is run for a configuration file containing all of its operating settings. The file holds three addresses of command and control servers: one is used by the backdoor, while the other two are kept as backups. The configuration file is Base64-encoded.
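An analyst triaging a sample like this would decode the configuration and pull the three C2 addresses out as indicators. The block below is an added example, not Doctor Web's code: the page says only that the file is Base64-encoded and carries three command-and-control addresses (one active, two backup), so the key=value layout, the field names and the sample hosts are constructed assumptions.

```python
"""Decode a Base64-wrapped backdoor configuration and extract its C2 addresses.

Added example, not Doctor Web's code. Layout, field names and the hosts
in the sample are constructed; only "Base64-encoded, three C2 addresses,
one active plus two backups" comes from the write-up.
"""
import base64
import binascii
import re
from typing import Dict, List

# Constructed plaintext config in the assumed layout, then Base64-wrapped
# the way the sample would store it beside the binary.
_PLAIN_CONFIG = (
    "server1=203.0.113.10:8080\n"
    "server2=198.51.100.7:443\n"
    "server3=c2-backup.example.invalid:8443\n"
    "interval=60\n"
)
SAMPLE_CONFIG_B64 = base64.b64encode(_PLAIN_CONFIG.encode()).decode()

HOSTPORT_RE = re.compile(r"^(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5})$")


def decode_config(blob: str) -> Dict[str, str]:
    """Base64-decode the blob and split it into key=value pairs.

    Returns an empty dict when the blob is not valid Base64, so a
    corrupted or truncated file does not crash the triage script.
    """
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return {}
    cfg: Dict[str, str] = {}
    for line in raw.decode("utf-8", errors="replace").splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def extract_c2(cfg: Dict[str, str]) -> Dict[str, object]:
    """Return the active C2 and the backups, keeping only well-formed host:port values."""
    servers: List[str] = []
    for key in sorted(k for k in cfg if k.startswith("server")):
        match = HOSTPORT_RE.match(cfg[key])
        if match and 0 < int(match.group("port")) < 65536:
            servers.append(cfg[key])
    if not servers:
        return {"active": None, "backup": []}
    return {"active": servers[0], "backup": servers[1:]}


def c2_from_blob(blob: str) -> Dict[str, object]:
    """Convenience wrapper: Base64 blob in, C2 indicator summary out."""
    return extract_c2(decode_config(blob))


if __name__ == "__main__":
    print(c2_from_blob(SAMPLE_CONFIG_B64))
```

The extracted addresses are what would go into a blocklist or a network-detection rule; the "backup" entries matter as much as the active one, since the backdoor falls over to them when the first server is taken down.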

Once the backdoor is activated, it tries to register itself in the system as a daemon (system service). If the attempt fails, the backdoor terminates.

“Once the malicious program is successfully run, it sends the server information on the infected system; at that, the transmitted data is compressed with LZO and encrypted with the Blowfish algorithm. In addition to that, every packet contains a checksum, so that the recipient could verify data integrity,” the researchers explained.

The researchers said that Linux.BackDoor.Dklkt.1 then waits for incoming commands, which can include launching a DDoS attack, starting a SOCKS proxy server, running a specified application, and rebooting or shutting down the computer.

‘Android games on Google Play steal Facebook credentials,’ say researchers

This may come as a shock to many game lovers: researchers from ESET have revealed that Cowboy Adventure, a popular Android game on the Google Play store, compromised the Facebook login credentials of over a million users who downloaded it.

According to a post by the researchers on July 9, the Cowboy Adventure app on the Google Play store was able to steal users' personal information.

With 500,000–1,000,000 installs, the Cowboy Adventure app was also used by its developer as a tool to harvest Facebook credentials.

Google has since taken down both apps from its store and also warns against installing them on Android devices.

“It was one of two games spotted by ESET malware researchers that contained this malicious functionality, the other one being Jump Chess,” according to a report on Welivesecurity.

The report said that, unlike some other Android malware, these apps did contain legitimate functionality (they actually were real games) in addition to the fraud. The problem lies in the fact that when the app is launched, a fake Facebook login window is displayed to the user. If victims fell for the scam, their Facebook credentials were sent to the attackers’ server.

The latest version of the app at the time Google took it down from its official market last week was 1.3. This trojanized game had been available for download from Google Play since at least April 16, 2015, when the app was updated.

“We are not sure how many users had their Facebook credentials compromised,” the report read.

“Our analysis of these malicious games has shown that the applications were written in C# using the Mono Framework. The phishing code is located inside TinkerAccountLibrary.dll. The app communicates with its C&C server through HTTPS and the address to which to send the harvested credentials (also known as the ‘drop zone’) is loaded from the server dynamically,” the report read.

The researchers advise always downloading apps from the official Google Play store rather than from alternative app stores or other unknown sources, and always checking the ratings and user comments.

“Even though Google Play is not 100% malware free, they do have strong security mechanisms to keep trojans out,” the researchers added.

Researchers detect a threat that abuses Android accessibility feature to steal data

Researchers from Lookout, a San Francisco-based mobile security company that protects both private and business mobile devices, have detected malware dubbed “AndroRATIntern” that abuses the accessibility service in Android to steal sensitive data from infected smartphones.

“After discovering this threat, Lookout notified both LINE and Google. None of LINE’s systems were breached. All Lookout users are protected against this threat,” the researchers wrote in the blog.

According to the researchers, AndroRATIntern is surveillanceware developed from the AndroRAT malware toolkit. It is sold commercially as “AndroidAnalyzer”.

“The threat is notably the first piece of malware we’ve ever seen abusing the Android accessibility service to steal data,” the blog read.

According to them, the malware targets the Japanese market. It can collect a broad range of data from infected devices, including messages from LINE (one of the most popular communications apps in Japan, which lets users make voice and video calls and send messages), contact data, call logs, SMS, audio, video, photos, SD card changes, and GPS location.

The researchers said that AndroRATIntern must be installed locally, which requires a malicious actor to have physical, unmonitored access to the target device. This makes it a much more targeted threat, one that cannot be spread by drive-by-download campaigns.

Stealing SMS messages, contact data and other files is not uncommon. However, it is difficult to steal messages from LINE, as the application runs in a sandbox.

The malware bypasses this security mechanism by abusing the text-to-speech accessibility feature in Android. The feature is designed to aid visually impaired users, but the malware developers leverage it to capture LINE messages when the victim opens them.
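Because an accessibility service must be explicitly enabled on the device before it can read other apps' screen content, a quick audit is to list the enabled services and compare them with what is expected. The following is an added example, not Lookout's code. It parses the value of Android's `enabled_accessibility_services` secure setting, a colon-separated list of `package/service` entries as returned by `adb shell settings get secure enabled_accessibility_services`; the sample value (the TalkBack entry uses TalkBack's real package name, the second entry is made up) and the allowlist are constructed.

```python
"""Audit Android's enabled accessibility services against an allowlist.

Added example, not Lookout's code. SAMPLE_SETTING is a constructed
copy of the Settings.Secure value enabled_accessibility_services;
the "com.example.analyzer" entry is invented for illustration.
"""
from typing import Dict, List, Set

# Constructed sample of the raw setting value pulled from a device.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.analyzer/.TextCaptureService"
)

# Constructed allowlist: packages that are expected to hold accessibility access.
ALLOWED_PACKAGES: Set[str] = {"com.google.android.marvin.talkback"}


def parse_enabled_services(value: str) -> List[Dict[str, str]]:
    """Split the setting into {package, service} records.

    An unset setting reads as "null" (or is empty); Android also accepts
    the short form "pkg/.Service", which is expanded here.
    """
    if value is None or value.strip() in ("", "null"):
        return []
    services = []
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services.append({"package": pkg, "service": cls})
    return services


def unexpected_services(value: str, allowed: Set[str] = ALLOWED_PACKAGES) -> List[Dict[str, str]]:
    """Return every enabled accessibility service whose package is not allowlisted."""
    return [s for s in parse_enabled_services(value) if s["package"] not in allowed]


if __name__ == "__main__":
    for svc in unexpected_services(SAMPLE_SETTING):
        print("review:", svc["package"], svc["service"])
```

On a managed fleet the same check can be run over values collected by an MDM agent; any package outside the allowlist that holds accessibility access deserves the same scrutiny as one holding device-admin rights, because it can read what the user reads.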

The researchers pointed out some tips that can keep people safe:

- Keep a passcode on your device. It will be significantly harder for someone to download and install anything to your phone if it’s locked.
- Download security software that can tell you if malicious software is running on your device.

New Trojan that hides in PNG images affects healthcare organizations

A new Trojan named Stegoloader has been reported. Most of the victims claimed by this Trojan are healthcare organizations in the US.

This new Trojan hides itself in PNG images to infiltrate people's personal computers and collect information. The malware hides in the pixels of the images.

Because the Trojan hides in PNG images, it is able to circumvent security measures like network firewalls and personal antivirus software.

This malware was first spotted in 2013, but since then it has been reworked many times and multiple versions of Stegoloader now exist. Dell was the first company to report this malware.

Out of all the Stegoloader victims, 42 percent are in the healthcare industry.

Dangerous Android malware steals money from your bank

Researchers from the security company Doctor Web have identified a banking Trojan called Android.BankBot.65.origin, specially created for Android devices.

Cyber criminals add the malicious code to legitimate online banking applications and plant them in various third-party Android markets and other websites.

"Due to the fact that a compromised application looks and operates as a legitimate one, potential victims are very likely to install it on their mobile devices." After that, the Trojan starts accessing system information and doing its nasty work.

After installation, Android.BankBot.65.origin generates a special configuration file containing the Trojan's operating parameters. The Trojan then receives commands from its host server and abuses the device so that cyber criminals can steal money by intercepting and modifying SMS messages.

It can intercept incoming SMS messages and send texts to numbers listed by the cyber criminals, and it can insert arbitrary texts into the list of incoming SMS messages. Using these methods, cyber criminals steal money from users' bank accounts: by sending messages that transfer money from the victim's account to their own, by intercepting messages containing verification codes, or by other fraudulent methods.

Messages such as a “pre-approved credit card” offer asking for personal information are examples of fraudulent schemes that may lead users into the trap of sharing their banking credentials, which results in online banking theft. It is therefore important to download mobile banking applications from authentic sources only.

Think twice before you open email attachments from unknown senders

Security researchers at Check Point have discovered a new ransomware threat dubbed Troldesh, also known as Encoder.858 and Shade.

Troldesh, which was created in Russia, has already affected numerous users across the world. The ransomware typically encrypts the user’s personal files and extorts money for their decryption.

“Troldesh is based on so-called encryptors that encrypt all of the user’s personal data and extort money to decrypt the files. Troldesh encrypts a user’s files with an “.xtbl” extension. It is spread initially via e-mail spam,” Natalia Kolesova, anti-bot analyst at Check Point, wrote in a blog.

She said that they found a distinctive characteristic in Troldesh besides the typical ransom features. 

The inventors of Troldesh directly communicate with the user by providing an email address, which is used to determine the payment method.

According to Kolesova, once a corrupted email attachment is opened, the malicious threat is activated. It then starts encrypting the user’s files, giving them the extension .xtbl.

Along with the file contents, the file names are also encrypted. Once the encryption process is done, the affected user is shown a ransom message and redirected to a ‘readme’ text file for further information.
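The two behaviours just described, a rapid burst of files taking the .xtbl extension and original names being replaced, are what an endpoint or file-server monitor can key on. The block below is an added detection example, not Check Point's code: the audit-event format (ISO timestamp, action, "source -> destination") and the sample events are constructed, and the 60-second window and threshold of five renames are tuning assumptions.

```python
"""Flag a burst of files renamed to the .xtbl extension with scrambled names.

Added detection example, not Check Point's code. Event format, sample
events, window and threshold are all constructed assumptions.
"""
import os
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Iterable, List, Tuple

RANSOM_EXT = ".xtbl"

# Constructed file-system audit trail: a burst of .xtbl renames with a
# couple of benign events mixed in.
SAMPLE_EVENTS = [
    ("2015-06-01T09:00:01", "rename", "/home/u/docs/report.docx -> /home/u/docs/Ax9f2.xtbl"),
    ("2015-06-01T09:00:03", "rename", "/home/u/pics/photo.jpg -> /home/u/pics/Q7mz.xtbl"),
    ("2015-06-01T09:00:05", "rename", "/home/u/notes.txt -> /home/u/notes.txt.bak"),
    ("2015-06-01T09:00:06", "create", "/home/u/README.txt"),
    ("2015-06-01T09:00:08", "rename", "/home/u/docs/budget.xlsx -> /home/u/docs/Kp0d1.xtbl"),
    ("2015-06-01T09:00:12", "rename", "/home/u/docs/thesis.pdf -> /home/u/docs/Z8w.xtbl"),
    ("2015-06-01T09:00:15", "rename", "/home/u/music/song.mp3 -> /home/u/music/Lm4q.xtbl"),
    ("2015-06-01T09:00:20", "rename", "/home/u/docs/cv.docx -> /home/u/docs/Rt6y.xtbl"),
]


def parse_rename(field: str) -> Tuple[str, str]:
    """Split the constructed 'src -> dst' field into its two paths."""
    src, _, dst = field.partition(" -> ")
    return src.strip(), dst.strip()


def name_scrambled(src: str, dst: str) -> bool:
    """True when the original file name no longer appears in the new name."""
    stem = os.path.splitext(os.path.basename(src))[0]
    return stem not in os.path.basename(dst)


def detect_xtbl_burst(events: Iterable[Tuple[str, str, str]],
                      window_seconds: int = 60, threshold: int = 5) -> List[str]:
    """Emit one alert when `threshold` .xtbl renames land inside the sliding window."""
    recent: Deque[Tuple[datetime, bool]] = deque()   # (time, name scrambled?)
    alerts: List[str] = []
    for ts, action, field in events:
        if action != "rename":
            continue
        src, dst = parse_rename(field)
        if not dst.lower().endswith(RANSOM_EXT):
            continue
        now = datetime.fromisoformat(ts)
        recent.append((now, name_scrambled(src, dst)))
        while recent and now - recent[0][0] > timedelta(seconds=window_seconds):
            recent.popleft()
        if len(recent) == threshold:      # fire once as the window fills, not on every event
            scrambled = sum(1 for _, flag in recent if flag)
            alerts.append(f"{ts}: {threshold} files renamed to {RANSOM_EXT} "
                          f"within {window_seconds}s ({scrambled} with scrambled names)")
    return alerts


if __name__ == "__main__":
    for alert in detect_xtbl_burst(SAMPLE_EVENTS):
        print(alert)
```

Firing on the count alone would also catch a user bulk-renaming backups; the scrambled-name count in the alert is what separates that from an encryptor replacing names, and the threshold should be raised on shares where batch jobs legitimately rename many files.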

In a bid to stay safe, users are advised not to open anything suspicious by unknown senders.

“Many cases have been reported by the users paying the ransom without having their files decrypted. In order to avoid ransomware, it is important to back up important data previously on an external storage device or in a cloud,” she wrote.

The researcher said that affected users need to download a powerful anti-malware tool to scan the system and remove the ransomware.

The researcher said she contacted the hackers via email and asked for a discount.

“I was very interested to learn more about the ransom and tried to start a correspondence with the attackers. As required, I sent the specified code to the e-mail address provided, one that is registered on the most famous Russian domain,” the researcher wrote.

The crooks had demanded 250 euros to decrypt all of the files.

However, after the researcher asked to reduce the amount, the criminals agreed to lower the ransom to €118 / $131, payable via QIWI money transfer system.

Linux Moose: A new malware which turns routers into social networks bots

Linux/Moose overview

A new worm capable of spreading past firewalls is targeting routers and modems to boost the visibility of profiles on various social networking sites, including Twitter, Facebook, YouTube, Instagram, Vine and SoundCloud, researchers said.

Olivier Bilodeau and Thomas Dupuy, security researchers at ESET, an IT security company based in Bratislava, Slovakia, said in a technical paper issued on 26 May that the new threat, called Linux/Moose, targets consumer routers and modems, including hardware provided by Internet Service Providers (ISPs) to their customers.

The researchers said that the new malware is infecting Linux-based routers and other Linux-based devices to commit social networking fraud in order to ‘like’ posts and pages, ‘view’ videos and ‘follow’ other accounts.

“During our analysis we often asked ourselves, “Why so much effort in order to interact with social networks?” Then we realized that there is a market for follows, likes, views and whatnot. It is pretty clear that this is what is going on here,” the researchers wrote in the paper.

“First, there are attempts at stealing cookies from these sites. However, the cookies cannot be stolen if the traffic is HTTPS and now most of these sites are HTTPS-only, so it’s unclear how effective these attacks are in this respect. Second, attempting to commit fraud upon these sites needs a reputable and disposable IP address,” the researchers added.

“If someone tries to register 2000 twitter accounts from his own IP address this will likely draw attention. To a social network site operator, there is probably nothing more reputable than an IP address behind a well-known ISP. Just the type of network where you can expect to find badly configured consumer routers,” said the researchers.

They said that the task of the malware operators is to increase the number of followers, views and likes on social media websites, which the operators target.

According to the researchers, Moose does not exploit any vulnerability to compromise the device and instead accesses them by trying out weak or default login credentials, like other threats targeting routers. Then it starts scanning for other devices to infect, either on the network or on the Internet.

Moreover, it looks for other nefarious processes on the device and terminates them in order to protect the compromised device.

The technical paper has revealed that the routers are used to drive traffic to certain social network profiles. An infected device would send more than 500 requests in a day.

The researchers observed one Instagram account that had kept a zero-follower count; its number of followers then rose from three to 40 in one day.

While checking those followers, they found an account with a large number of fans (3,430). Within a week, its number of followers increased to 11,672.

They also observed that devices from Actiontec, Hikvision, Netgear, Synology, TP-Link, ZyXEL and Zhone were affected by Moose.

Fake Minecraft game apps trick users into activating a premium-rate SMS subscription

The Google Play store had over 30 scareware applications available for download as cheats for the Minecraft game, and more than 600,000 Android users installed them.

The malicious applications were discovered by ESET. According to the security website, “all of the discovered apps were fake, in that they did not contain any of the promised functionality and only displayed banners that tried to trick users into believing that their Android system is infected with a “dangerous virus”. Users were then directed to remove viruses by activating a premium-rate SMS subscription that would cost them 4.80 EUR per week.”

The apps were uploaded by different developer accounts, but there was no difference in their functionality; the only difference was in the names and icons of the applications.

The app has only three buttons: Start, Options and Exit. After installation, the whole screen is covered by flashy advertisements, and the language of the advertisements depends on geographic location.

Clicking any of the buttons or any of the numerous banners leads to an alert window saying that your device is infected by a virus and needs attention, and offering many options to remove it.

ESET researcher Lukas Stefanko wrote: “The scareware prepares an SMS in the system default SMS application. The text of the SMS appears as an activation of the antivirus product. The application does not have permissions to send the SMS itself and solely relies on tricking the user to do it manually by social engineering. If the user falls for the scam, it will cost him 4.80 € per week.”

To avoid downloading any kind of malicious apps, refrain from downloading apps from unofficial sources and keep security software on your Android up to date.

'Rombertik' malware which destroys the system if detected

Researchers have discovered a new malware ‘Rombertik’ which destroys the system if it realizes that it is being analyzed.

"Security researchers are constantly looking for ways to better detect and evade each other. As researchers have become more adept and efficient at malware analysis, malware authors have made an effort to build more evasive samples,” Ben Baker and Alex Chiu from Cisco Systems' Talos Group wrote in a blog post.

“Better static, dynamic, and automated analysis tools have made it more difficult for attackers to remain undetected. As a result, attackers have been forced to find methods to evade these tools and complicate both static and dynamic analysis,” the blog post added.

Similar to Dyre, Rombertik, which has multiple layers of obfuscation and anti-analysis functions, is a complex malware that hooks into the user’s browser to read credentials and other sensitive information for exfiltration.

However, whereas Dyre targets banking information, Rombertik collects information from all websites indiscriminately.

Researchers said Rombertik arrives on a computer through a phishing campaign or an email attachment. It first checks whether it is running within a sandbox. After that, it decrypts itself and launches on the user’s computer. Once this process completes, a second copy of itself launches and is overwritten with the spying functionality.

Before Rombertik begins spying on the system, it does a final check to see whether it is being analysed in the system’s memory.

If it believes it is, it destroys the computer’s master boot record, leaving the system inoperable. If it cannot destroy the master boot record, it targets all files in the user’s home folder, encrypting each one with a random RC4 key. It also contains plenty of dummy code, including 75 images and 8,000 functions, to hide the malware’s real functionality.

If the malware is not detected, it checks the browser activities, reading credentials and private information, before sending its findings back to the attacker’s server.

The researchers said that, to protect a computer from Rombertik, people should follow security basics: up-to-date security software, ignoring attachments from unknown senders and, for businesses, solid security policies will all help avoid the malware.

Updated Dyre malware successfully avoiding sandboxing

The Dyre banking Trojan, which led to the theft of over a million from corporate banks in April, has received a new update that renders it undetectable by sandbox-based analysis.

The malware checks how many processor cores the machine has and, if it has only one, terminates. Since sandboxes are commonly configured with a single processor with one core to save resources, this is an effective evasion technique: most computers now come with multiple cores.

Seculert's test of Dyre's analysis evasion against four commercially available sandboxes showed that the malware successfully fooled all of them.

In addition, Dyre has switched user agents to avoid detection by signature-based systems. The Upatre downloader, which works in conjunction with Dyre, has also been changed to avoid signature-based detection: Upatre now uses two user agents and a different download communication path. The naming convention of the communication path is obscure and not based on identifiable characteristics.

This progress in malware technology shows that sandboxing alone cannot be an effective way to deal with such threats. Detecting evasive malware also requires machine learning and the analysis of outbound traffic over time.

New malware in online banking causes problem in Japan

A new online banking malware, which was found in Operation Emmental, has now been causing problems in Japan.

TROJ_WERDLOD, a newly detected malware, has been causing problems in the country since December 2014. More than 400 systems have been affected by it.

According to Hitomi Kimura, a security specialist at Trend Micro, the malware changes two settings which together allow information theft at the network level.

It does not require a reboot or any memory-resident processes on the affected systems.

Kimura wrote in a blog post that the first modification is to the system’s proxy settings: the attackers redirect the system’s Internet traffic through a proxy they control. The second is the addition of a malicious root certificate to the system’s trusted root store, which allows the malicious site certificates used in man-in-the-middle attacks to be accepted without triggering alerts or error messages.

He wrote that TROJ_WERDLOD reaches users via spam mails with an attached .RTF document, which purports to be an invoice or bill from an online shopping site. If the user opens the .RTF file, it instructs them to double-click an icon embedded in the document, which executes TROJ_WERDLOD on the system.
Spam mail which leads to TROJ_WERDLOD. Photo Courtesy: TrendMicro

According to him, the attackers used a fake certificate and proxy in Operation Emmental. They also used fake mobile apps to steal the SMS messages sent by online banks. The same behavior may well be seen in Japan in the future, although Japanese banks rarely use SMS authentication.

Kimura suggested that in order to restore an infected PC to its normal condition, the following steps should be taken:

1. Remove the proxy automatic setting in Windows and Firefox; if a proxy setting was provided by the ISP and/or system administrator, change it back to that previous setting.
2. Remove the malicious root certificate installed by TROJ_WERDLOD from both the Windows and the Firefox certificate stores. This malicious root certificate has the following signature: A134D31B 881A6C20 02308473 325950EE 928B34CD
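The two settings described above can be audited and undone from PowerShell. The script below is an added example, not code from Trend Micro or the original post; it assumes PowerShell 3 or later on Windows, treats the signature listed above as a SHA-1 certificate thumbprint, and only makes changes when run with the hypothetical `-Remediate` switch.

```powershell
# Added example (not from the Trend Micro post): audit a Windows host for the two
# settings the article says TROJ_WERDLOD changes, and undo them on request.
# Assumption: the value listed in the article is a SHA-1 certificate thumbprint.
param([switch]$Remediate)

$Thumbprint = 'A134D31B881A6C2002308473325950EE928B34CD'   # article value, spaces removed
$IeSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1. Proxy auto-configuration URL (the "proxy automatic setting" in step 1).
$pac = (Get-ItemProperty -Path $IeSettings -ErrorAction SilentlyContinue).AutoConfigURL
if ($pac) {
    Write-Warning "Proxy auto-config URL is set: $pac (confirm with your ISP/admin before trusting it)"
    if ($Remediate) {
        Remove-ItemProperty -Path $IeSettings -Name AutoConfigURL
        Write-Output 'Removed AutoConfigURL; restore any legitimate PAC URL afterwards.'
    }
} else {
    Write-Output 'No proxy auto-config URL set in Windows.'
}

# 2. The malicious root certificate, in either the user or the machine Root store.
$stores = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'
$found = Get-ChildItem -Path $stores | Where-Object { $_.Thumbprint -eq $Thumbprint }
if ($found) {
    foreach ($cert in $found) {
        Write-Warning "Malicious root certificate present: $($cert.PSPath) ($($cert.Subject))"
        if ($Remediate) {
            Remove-Item -Path $cert.PSPath    # the machine store needs an elevated shell
            Write-Output "Removed certificate $($cert.Thumbprint)"
        }
    }
} else {
    Write-Output 'Root certificate with the listed thumbprint is not present.'
}

# 3. Firefox keeps its own proxy settings in prefs.js; flag any PAC/proxy entry there.
Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\prefs.js" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hits = Select-String -Path $_.FullName -Pattern 'network\.proxy\.autoconfig_url|network\.proxy\.type'
        if ($hits) { Write-Warning "Firefox profile $($_.Directory.Name) sets: $($hits.Line -join '; ')" }
    }
```

Firefox's own certificate store is separate from Windows' and is not touched by this script; the certificate has to be removed there through Firefox's Certificate Manager.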

Fake adult site infecting your phone with SMS Trojan

Researchers at Zscaler have found that a Chinese porn site is a front: in reality it infects visitors’ phones with malware.

When you visit the page and try to play a video, the website asks you to download a piece of software to view it; that software is in reality a trojan.

The trojan installs itself on your phone, registers a Broadcast Receiver, and intercepts all SMS communication on the device. Attackers use this to carry out fraudulent transactions from affected phones.

The payload filename is dynamically generated by the website so that the malicious file cannot be blacklisted by name.

Interpol coordinated to take down Simda botnet

The Simda botnet has been taken down on April 9 in a collaborative effort between international law enforcement bodies and private security and technology companies coordinated by Interpol's Global Complex for Innovation.

The botnet, known for spreading banking malware and establishing backdoors for other malware, has infected more than 770,000 computers in 190 countries. The takedown resulted in the seizure of 14 command-and-control servers in the Netherlands, the United States, Poland, Luxembourg, and Russia.

According to the researchers, Simda is a mysterious botnet used by cyber criminals to distribute several types of unwanted and malicious software. Thanks to constant functionality and security updates, it rarely appears on the KSN radar despite infecting a large number of hosts every day.

It uses hardcoded IP addresses to notify its keeper about the various stages of execution. It can modify the system hosts file by downloading and running additional components from its own update servers, and to point to malicious IPs, it adds unexpected records for and

The Kaspersky Lab report says that, “This criminal business model opens up the possibility of exclusive malware distribution. This means that the distributors can guarantee that only the client’s malware is installed on infected machines. And that becomes the case when Simda interprets a response from the C&C server – it can deactivate itself by preventing the bot from starting after the next reboot, instantly exiting. This deactivation coincides with the modification of the system hosts file. As a farewell touch, Simda replaces the original hosts file with a new one from its own body.”

To analyse the spread of the infection, the INTERPOL Digital Crime Centre (IDCC) in Singapore worked with Microsoft, Trend Micro, Kaspersky Lab, and Japan's Cyber Defense. The operation also involved officers from the Dutch National High Tech Crime Unit in the Netherlands, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, the Federal Bureau of Investigation in the US, and the Russian Ministry of the Interior's Cybercrime Department "K".

Sanjay Virmani, Director of the INTERPOL Digital Crime Centre, said “This successful operation highlights the value of, and need for partnerships involving national and international law enforcement and private industry in the fight against the global threat of cyber crime. The operation has dealt a crippling blow to the Simda botnet. INTERPOL will continue its work to assist member countries in protecting their citizens from cybercriminals and to identify other emerging threats.”