New Mac OS X Botnet uses Reddit's Search function to get C&C server list


Security Researchers at Russian Antivirus company Dr.Web have published
details of a new botnet that targets Mac OS X.

What is particularly interesting is that this malware uses Reddit's search function to acquire its Command and Control (C&C) server list from comments posted in a 'Mine Craft Server Lists' subreddit.

The malware calculates the MD5 hash of the current date and uses the first 8 bytes of the hash as a Reddit search term.  The search results contain the server IPs along with their port numbers.

The malware, dubbed 'iWorm', has reportedly infected more than 17,000 Mac computers, 4,610 of which are in the US.

The Reddit account used by the cyber criminals appears to have been removed.  However, this is not going to stop them from controlling their botnet: they can either create a new account or switch to another online service.
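To show what a defender can do with the search-term scheme described above, here is an added example (not code from the original article or from Dr.Web's analysis). It derives the daily search token from the MD5 hash of a date and pulls IP:port pairs out of comment text, so a threat hunter can generate the term for a given day and scan what a search returns. The date format (ISO YYYY-MM-DD) and the reading of "first 8 bytes" as the first 8 hex characters of the digest are assumptions; the sample comment is constructed.

```python
import hashlib
import re
from datetime import date

def daily_search_token(iso_day: str) -> str:
    """Derive the search token described in the text from a date string.

    Assumptions (not stated in the report): the date is hashed in ISO
    "YYYY-MM-DD" form, and "first 8 bytes of the hash" means the first
    8 hex characters of the MD5 hex digest.
    """
    digest = hashlib.md5(iso_day.encode("ascii")).hexdigest()
    return digest[:8]

def today_token() -> str:
    """Convenience wrapper: the token a hunter would search for today."""
    return daily_search_token(date.today().isoformat())

# Matches dotted-quad "a.b.c.d:port" tokens embedded in free text.
_IP_PORT = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})\b")

def extract_servers(comment_text: str) -> list[tuple[str, int]]:
    """Pull (ip, port) pairs out of comment text, dropping malformed ones.

    The regex is deliberately loose; octet and port range checks reject
    look-alikes such as 999.1.1.1 so they do not end up on a blocklist.
    """
    servers = []
    for ip, port in _IP_PORT.findall(comment_text):
        octets_ok = all(0 <= int(o) <= 255 for o in ip.split("."))
        port_ok = 1 <= int(port) <= 65535
        if octets_ok and port_ok:
            servers.append((ip, int(port)))
    return servers

# Constructed sample comment (documentation-range addresses, not a real post).
SAMPLE_COMMENT = (
    "great server list: 203.0.113.10:8080 and 198.51.100.7:443, "
    "also 999.1.1.1:80 which is not a valid address"
)

if __name__ == "__main__":
    print("token for 2014-10-02:", daily_search_token("2014-10-02"))
    print("servers in sample:", extract_servers(SAMPLE_COMMENT))
```

The token is only useful in combination with the subreddit the report names; the point of the example is that a defender can reproduce the lookup and feed the extracted addresses into egress filtering or proxy alerts rather than waiting for the account to be taken down.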

"Xsser mRAT", an advanced iOS spyware, targets Hong Kong protesters


Security researchers from Lacoon Mobile Security have identified an advanced iOS Trojan targeting protesters in Hong Kong.

The trojan, dubbed 'Xsser mRAT', is related to similar Android malware found last month targeting the protesters.

The Android version of this malware is distributed via WhatsApp messages, disguised as an application to help coordinate the Occupy Central protest.

"The fact that this attack is being used against protesters and is being executed by Chinese-speaking attackers suggests it's the first iOS trojan linked to Chinese government cyber activity," the company wrote.

The malware is capable of stealing text messages, contact lists, call logs, location information, photos and other data.  It also steals passwords from the iOS keychain.

The good news is that the malware can only run if the user's device is jailbroken.  You can find more details and technical information in their blog post.

Malicious Ad Network "Kyle and Stan" serves Windows and Mac Malware


Cyber criminals have been placing malicious ads that serve malware on a number of popular websites, including YouTube and Yahoo.  The campaign also targets Mac users.

The malicious network, uncovered by Cisco researchers, comprises over 700 domains.  They observed nearly 10,000 connections to these domains.

The operation has been dubbed "Kyle and Stan" because most of the domains used in this campaign to distribute malicious software contain the strings "kyle" and "stan" in the subdomain name.

Users who visit a website containing the malicious ad are redirected to another website.  From there, they are redirected to a page that serves Mac or Windows malware depending on their browser's user agent.

"The attackers are purely relying on social engineering techniques, in order to get the user to install the software package. No drive-by exploits are being used thus far," Armin Pelkmann, Cisco researcher, wrote in a blog post.
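The naming pattern above is the kind of weak indicator that is still worth a proxy-log sweep. The following is an added example, not code from the article or from Cisco, that checks only the subdomain labels of each requested host for the "kyle" and "stan" strings. The Squid-style log format, the hostnames and the assumption that the registrable domain is the last two labels are all constructed for illustration.

```python
import re

# Constructed proxy-log lines (Squid access.log-like shape; the format and the
# hostnames are assumptions for this example, not real campaign domains).
SAMPLE_PROXY_LOG = """\
1410000001.123 10.0.0.5 TCP_MISS/302 http://kyle.example-ads.net/click?id=1
1410000002.456 10.0.0.5 TCP_MISS/200 http://cdn.stanley.example.org/lib.js
1410000003.789 10.0.0.7 TCP_MISS/200 http://www.example.com/index.html
1410000004.012 10.0.0.9 TCP_MISS/200 https://stan.tracker.example.net/pay.php
"""

_URL_HOST = re.compile(r"https?://([^/\s:]+)")
MARKERS = ("kyle", "stan")

def subdomain_labels(host: str) -> list[str]:
    """Return the labels left of the registrable domain.

    Assumption: the registrable domain is the last two labels (example.net).
    A public-suffix list is needed for ccTLDs like example.co.uk; this is
    enough to demonstrate the idea.
    """
    return host.lower().split(".")[:-2]

def is_kyle_stan_host(host: str) -> bool:
    """True if any subdomain label contains one of the campaign strings."""
    return any(marker in label for label in subdomain_labels(host) for marker in MARKERS)

def find_suspicious_hosts(log_text: str) -> list[str]:
    """Scan proxy log lines and return hosts whose subdomain matches."""
    hits = []
    for line in log_text.splitlines():
        match = _URL_HOST.search(line)
        if match and is_kyle_stan_host(match.group(1)):
            hits.append(match.group(1))
    return hits

if __name__ == "__main__":
    for host in find_suspicious_hosts(SAMPLE_PROXY_LOG):
        print("review:", host)
```

Note that "cdn.stanley.example.org" is flagged as well: substring indicators of this kind produce false positives, so the output is a triage list, not a block list.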

Alleged Author of Android "Heart App" virus arrested

 
An Android virus spotted by security researchers at SophosLabs spreads by sending an SMS containing a download link to the first 99 contacts of each victim.

The malware goes by the name XXshenqi in Chinese and is being called "Heart App" in English.

After sending the SMS to the first 99 entries in the victim's contact list, the malware sends a confirmation message to the attacker's number.

The malware also asks victims to register, prompting them to enter personal details including their Resident Identity Card number and full name.  Once the victim taps the register button, the entered data is sent by SMS to the attacker's number.

It also tricks victims into installing a secondary component (com.android.Trogoogle) that does not show up on the regular "Apps" page.  Trogoogle is capable of reading incoming messages.

An unnamed 19-year-old software engineering student was arrested by police in Shenzhen, accused of being the author of the "Heart App" malware.

To remove this virus completely, go to "Settings -> Apps -> Downloaded" and uninstall both 'com.android.Trogoogle' and 'XX神器'.

New Crypto-Ransomware variants spotted


Security researchers have come across new variants of crypto-ransomware, malware designed to encrypt files on infected machines.

One of the variants, spotted by Trend Micro and dubbed CryptoBlocker, only targets files smaller than 100 MB in size and does not touch system and application files.

Trend Micro said this new variant does not use the CryptoAPI and uses the Advanced Encryption Standard (AES) to encrypt files instead of RSA.

Researchers believe the author of this variant might be new to writing ransomware, because the compiler notes have not been removed from the binary.

Another variant, spotted by both Symantec and Trend Micro researchers, uses GnuPG, an open-source implementation of the OpenPGP standard, to encrypt files.

"The threat downloads the 1024-bit RSA public key and imports this key through an option in GnuPG. The malware then encrypts the victims' files by using GnuPG's Encrypt Files option with the public key," Symantec researchers wrote.

Victims cannot decrypt the files without the private key, which is in the hands of the cyber criminals.  The malware asks them to pay about $200 for the key.

Another variant, detected by Trend Micro as Critroni or Curve-Tor-Bitcoin (CTB) Locker, uses Tor to mask its command and control (C&C) communications.

New variant of Android Ransomware 'SimpLocker' spotted


A new variant of the Android ransomware known as 'SimpLocker' has been spotted by security researchers at ESET.

This new variant has a few significant changes, including the language of the fake warning message, which is now English rather than Russian.

The malware masquerades as a Flash Player app for Android and tricks users into installing it with device administrator privileges.

Once the device is infected, it shows a ransom message saying that the device has been locked because the user was doing illegal things, and demands a payment of around $300.

One of the variants includes a photo of the victim, taken with the front camera, in the ransom message.  This trick will certainly scare victims into paying the ransom.

One of the worst features added in this variant is that it now also encrypts archive files such as ZIP, RAR and 7-Zip.  This means that even backup archives on the device are encrypted by this trojan.

ESET has released a tool to decrypt files encrypted by Simplocker.  They say prevention is better than cure, so focus on prevention: be careful when installing apps from unknown sources.

Kronos: A new Banking Trojan for sale in Underground forums

Researchers from Trusteer have discovered a new banking Trojan, dubbed "Kronos", which is being sold on an underground forum.

The malware is being sold for $7,000, and the cyber criminals are offering a one-week trial for $1,000 with full, unrestricted access to the command and control server.

Like other banking Trojans, this new malware is capable of form grabbing and HTML injection.

Kronos has user-mode (ring 3) rootkit capabilities that help the trojan defend itself from other malware, and it works on both 32-bit and 64-bit operating systems.

It is also designed to evade antivirus software and bypass sandboxes.  The malware uses encryption to communicate with the C&C server.

Trusteer said it has not yet analyzed a sample of the malware to validate the seller's claims; all the information provided is based on the advertisement in the underground forum.

Researchers say GameOver malware is back

Last month, the DOJ announced that international law enforcement agencies had disrupted the GameOver botnet.  However, researchers at Sophos say the GameOver malware is back.

Researchers spotted several spam campaigns and analyzed a few samples of the new version.

The new version has a few modifications.  One of them is the removal of the Necurs rootkit component from the malware.

The second is the use of a domain generation algorithm (DGA) as the primary command and control mechanism instead of the peer-to-peer protocol.

"We do not know if it is being operated by the same people that were indicted last month, or a subset of them, or indeed a different group altogether that has obtained the Gameover source code," the researcher said.
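A switch to DGA-based command and control, as described above, changes what a defender should look for: instead of peer traffic, the infected host issues many DNS lookups for names that look random. The following is an added example, not code from the article or from Sophos, and it does not reproduce GameOver's actual algorithm. It scores queried names on length, character entropy and vowel ratio, a generic heuristic that flags DGA-like lookups in a DNS log. The log format, thresholds and sample names are constructed.

```python
import math
from collections import Counter

# Constructed DNS query log ("client queried-name"); the random-looking names
# are made up for the example and are not GameOver's real domains.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.org
10.0.0.5 xkq7v2hd9fj3lw8bs.net
10.0.0.5 qzvxpwkjtrbsndlmgh.com
10.0.0.7 cdn.static.example.net
10.0.0.5 plmvkrtzbwqxsdg.org
"""

VOWELS = set("aeiou")

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def second_level_label(domain: str) -> str:
    """The label directly under the TLD (assumes a single-label TLD)."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def dga_score(domain: str) -> int:
    """Heuristic 0..3 score: long label, high entropy, few vowels.

    Thresholds (12 chars, 3.5 bits, 20% vowels) are assumptions chosen for
    illustration; tune them against your own DNS baseline.
    """
    label = second_level_label(domain)
    if not label:
        return 0
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    score = 0
    if len(label) >= 12:
        score += 1
    if shannon_entropy(label) >= 3.5:
        score += 1
    if vowel_ratio < 0.2:
        score += 1
    return score

def flag_dga_like(log_text: str, threshold: int = 2) -> list[tuple[str, str, int]]:
    """Return (client, domain, score) for lookups scoring at or above threshold."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines rather than crash the sweep
        client, domain = parts
        score = dga_score(domain)
        if score >= threshold:
            flagged.append((client, domain, score))
    return flagged

if __name__ == "__main__":
    for client, domain, score in flag_dga_like(SAMPLE_DNS_LOG):
        print(f"{client} -> {domain} (score {score})")
```

The useful signal is not one odd name but a single client producing many of them in a short window, which is why the function keeps the client address alongside each hit.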

Dailymotion website visitors redirected to malicious web page


Attackers managed to compromise the popular video-sharing website Dailymotion and redirected visitors to a malicious web page that installs malware on the victim's machine.

On June 28, Symantec researchers identified an iframe on Dailymotion.com that sends users to a different website hosting the Sweet Orange exploit kit.

Sweet Orange is an exploit kit used by attackers to infect victims' machines with malware by exploiting software vulnerabilities on those machines.

The vulnerabilities that Sweet Orange attempts to exploit are a Java vulnerability (CVE-2013-2460), an Adobe Flash Player vulnerability (CVE-2014-0515) and an Internet Explorer vulnerability (CVE-2013-2551).

If the user's machine is vulnerable, Trojan.Adclicker is downloaded onto it.

"This malware forces the compromised computer to artificially generate traffic to pay-per-click Web advertisements in order to generate revenue for the attackers," the Symantec researchers said.
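An injected iframe of the kind Symantec found on Dailymotion is something a site owner can check for in their own pages. Here is an added example (not from the article or from Symantec) that parses HTML with the standard library, lists every iframe, and flags frames that point to a third-party host, are sized 0 or 1 pixel, or are hidden by inline style. The page fragment and hostnames are constructed; `example.com` stands in for the site being checked.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page fragment: one legitimate embed and one injected frame.
# The hosts are documentation/reserved names, not the real redirect domain.
SAMPLE_HTML = """\
<html><body>
<h1>Video</h1>
<iframe src="https://player.example.com/embed/123" width="640" height="360"></iframe>
<iframe src="http://cdn.example-attacker.invalid/go.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
"""

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value may be None.
            self.iframes.append({k.lower(): v for k, v in attrs})

def _is_first_party(host: str, first_party_host: str) -> bool:
    return host == first_party_host or host.endswith("." + first_party_host)

def suspicious_iframes(html: str, first_party_host: str) -> list[tuple[str, list[str]]]:
    """Return (src, reasons) for each iframe that trips at least one check."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        # urlparse handles absolute and protocol-relative ("//host/x") URLs.
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and not _is_first_party(host, first_party_host):
            reasons.append("third-party host")
        width = (attrs.get("width") or "").strip().lower().removesuffix("px")
        height = (attrs.get("height") or "").strip().lower().removesuffix("px")
        if width in {"0", "1"} or height in {"0", "1"}:
            reasons.append("tiny frame")
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden by style")
        if reasons:
            findings.append((src, reasons))
    return findings

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "example.com"):
        print(src, "->", ", ".join(reasons))
```

Run against a page fetched from your own origin, a frame with all three reasons is a strong sign of an injected redirect rather than a legitimate embed; a third-party host alone is common (ad and video embeds) and needs an allowlist.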

South Korean Bank Customers targeted by Android Malware


The mobile software company Cheetah Mobile has identified a piece of Android malware that replaces legitimate banking apps with fake versions.

According to the Cheetah Mobile report, the Trojan disguises itself as a popular game or application on third-party Android application markets in Korea and tricks users into installing it.

Once it is installed, the Trojan searches for the official online banking applications of South Korean banks including Nong Hyup Bank, Shinhan Bank, Woori, Kookmin, Hana N Bank, Busan Bank and the Korean Federation of Community Credit Cooperatives.

If one of these banking apps is installed on the victim's device, the malware displays an alert saying that the app needs to be updated.  Once the update is approved, the legitimate banking app is replaced with the fake one.

The fake version then asks victims to enter the password for their security certificate (which is required by the South Korean government in order to access many online services).

The app then asks victims to provide their bank account number, passwords and bank security number.

Finally, the malware displays a fake error message informing victims that there is no Internet connection, and then deletes itself from the device.

"With the information that they stole, the hackers can apply for a new certificate, which they then use to freely access the victim's bank account," says Cheetah Mobile.

The company said more than 3,000 devices have been infected in the last week alone.

Simplocker: First Android Ransomware that Encrypts Files on Your Device

Ransomware is a type of malware that locks you out of your computer until you pay a ransom.  In some cases, it can actually cause more serious problems by encrypting the files on your system's hard drive.

Last year, Symantec discovered Android malware with hybrid characteristics of fake AV and ransomware.  Last month, Bitdefender identified an Android version of ransomware that was being sold on the underground market.  That malware bluffed victims into paying a ransom but did not actually encrypt any files.

Until now, there have been no reports of Android malware that actually encrypts files.

Security researchers at ESET say they have spotted the first ransomware that encrypts files on Android devices.

The malware, dubbed Simplocker, shows a ransom message written in Russian which informs victims that their device has been locked for viewing and distributing child pornography.

It scans the SD card for certain file types, such as images, documents and videos, encrypts them using the Advanced Encryption Standard (AES), and demands money to decrypt them.

It also gathers information about the infected device and sends it to a command and control server.  The server is hosted on a Tor ".onion" domain for anonymity.

Don't Pay:
"We strongly recommend against paying up – not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them," researchers at ESET say.

Game Over for GameOver Zeus and Cryptolocker malware that stole millions

Image Credits: Symantec

The U.S. Department of Justice announced that the FBI and other international law enforcement agencies have disrupted two of the world's most notorious botnets: GameOver Zeus and the Cryptolocker ransomware.

GameOver Zeus, which first emerged in September 2011, is one of the most notorious botnets and is responsible for millions of infections worldwide.  It is based on the original Zeus malware and attempts to steal financial information from victims.

According to the United States Department of Justice report, the cybercriminals behind GameOver Zeus have stolen more than $100 million.

Evgeniy Mikhailovich Bogachev, a 30-year-old Russian, has been charged for his alleged role as an administrator of the GameOver Zeus botnet.

Cryptolocker is a particularly nasty piece of malware that encrypts all files on the infected machine and then demands a ransom to unlock them.  If the files are important and no backup exists, victims have no choice other than paying the ransom to get the key.

The DOJ report suggests that more than 200,000 computers had been infected by this ransomware as of April.  The malware appeared in September 2013, and within two months the cyber criminals had collected more than $27 million.

Symantec has also released a tool to remove the GameOver malware completely from your computer.  You can download it from here.

Be careful when you browse adult content on your Android phone

CryptoLocker ransomware, which has so far been troubling desktop users by scaring them into paying a fine to unlock their locked devices, has now started to target Android users.

Bitdefender has identified a new mobile version of the ransomware, which is being sold by the same group responsible for the desktop version.

The malware, detected as 'Android.Trojan.Koler.A', is served to mobile devices when users browse certain adult content websites.

The malware disguises itself as BaDoink, a video player that supposedly needs to be installed for premium access to porn, and tricks users into installing the app.

Once installed, the malware determines the victim's location and shows a fake warning message in their local language.

"Attention! Your Phone has been blocked up for safety reasons listed below.  All the action performed on this phone are fixed.  All your files are encrypted.  Conducted Audio and Video," the fake message reads.

The warning message informs victims that their files have been encrypted and that they have to pay a $300 ransom in order to unlock their device.

But there is no need to panic!  The files stored on the device are not actually encrypted, as the warning message claims.  By pressing the Home button you can return to the home screen, and you will have 5 seconds to uninstall the app from your device.

Safe Mode to remove the malicious app:
This malicious app is not a sophisticated one; you can uninstall it by booting the device into Safe Mode.

"The group behind this exploit is falsely and egregiously using the BaDoink brand and logo, a brand that adult consumers have trusted for 8 years, to spread this Ransomware," the company behind the legitimate version of BaDoink wrote in an email sent to EHN, clarifying that it has nothing to do with this ransomware.

New Android malware 'Samsapo' spreads via Text Messages

If you get an SMS from a friend asking "is this your photo?" with a link, will you open the link?  Be honest: most people will click it.

If you do so, your device might get infected by a new type of Android worm!

Malware analysts from security firm ESET have discovered an interesting piece of malware, called "Android/Samsapo.A", that spreads via text messages.

So far, the malware appears to be targeting Russian users.  Once your device is infected with this worm, it will attempt to send an SMS containing a link to the malware to everyone in your contact list, in an attempt to infect your friends.

The cyber criminals use an old social engineering trick to lure users into installing the malware.  It sends a message that says "is this your photo?" in Russian (Это твои фото?) with a link to an Android application package (APK).

The malware is capable of downloading additional malicious files and of stealing phone numbers, text messages, personal data and device information from the infected device.  It doesn't stop at spying: it also registers the victim's number with premium-rate services, so victims lose money.

Bitcoin-mining Android malware found on Google Play Store

No matter how many security mechanisms Google implements to keep malware out of the Google Play store, cyber criminals are still able to upload their malicious apps.

We recently learned of a fake Android anti-virus application found on the Play Store that tricked more than 10,000 users into buying it.  Google, which does not want to lose its reputation, gave a refund and a $5 promo credit to the individuals scammed by this app.

Now, researchers from security firm Lookout have spotted another set of malicious apps on Google's Play store that turn infected devices into a distributed bitcoin mining system.

Dubbed 'BadLepricon', the malware disguises itself as a live wallpaper app for Android.  The five malicious apps had been downloaded between 100 and 500 times before Google removed them.

It seems that cyber criminals' interest in using infected Android devices to mine cryptocurrencies is increasing day by day.

Last month, Lookout reported that the CoinKrypt malware hijacked mobile phones to generate digital currency.  A few days ago, Trend Micro also discovered a Java RAT that is capable of abusing Android devices to mine Litecoin.

New variant of Java RAT can use your Android device to mine Litecoin

A new variant of the old Java RAT "UNRECOM", detected by Trend Micro, is being distributed via spam emails.

One such spam mail pretends to be from American Express and informs recipients that their account has been suspended due to suspicious activity.

"Attached to this mail is your statement with the irregular activities highlighted. Please fill in the required information in the form also attached, this is required for us to continue to offer you service in a safe and risk free environment," the spam mail reads.

The attachment is none other than the Java Remote Access Trojan.


So, what is new?
We already know that this Java RAT can run on multiple platforms.  Now it is also capable of running on Android devices, and it has a Litecoin-mining plugin.  Beyond that, it can capture screenshots and display messages.

In addition, the malware has an APK binder component, which means it can be used to take legitimate Android apps and turn them into malware.

Android malware iBanking helps attackers hack Facebook accounts

An attacker cannot hack a Facebook account that has two-step authentication enabled, even if he knows the username and password.  But if you think two-step authentication is enough to keep your Facebook account safe from hackers, think again!

Cyber criminals have started to use the Android banking Trojan "iBanking" to bypass Facebook's two-factor verification.

iBanking is a malicious Android application capable of intercepting SMS messages, forwarding incoming voice calls to any number and recording the victim's voice using the microphone.

Recently, RSA noted the release of the source code for the iBanking trojan.  This source code leak has helped other cyber criminals customize the trojan to their needs.

ESET reports that a customized version of iBanking targeting Facebook users is being delivered via a new variant of the computer banking Trojan Qadars.

When a system is infected with the Qadars Trojan, it shows a message when the user logs into Facebook telling them "Facebook introduces new extra safety protection system" and instructs them to install an Android app.  This app lets the cyber criminals intercept SMS messages so that they can bypass Facebook's two-factor verification.

"The way iBanking is installed on the user's mobile is quite common, but it is the first time we have seen such a mobile application targeting Facebook users for account fraud," researchers said.

Android malware steals money from QIWI Wallets

Cyber criminals are continually finding new ways to earn money using infected devices.  We are already aware of SMS Trojans that earn money by sending premium-rate messages from infected Android devices.

Experts at Kaspersky have recently spotted a new Android Trojan that not only sends SMS messages to premium-rate numbers but also steals money from QIWI electronic wallets.

Visa QIWI Wallet is an electronic payment service that can be used to pay for goods and services around the world, receive payments and transfer money.

Once installed on a device, the malware, dubbed 'Waller', attempts to communicate with a command and control (C&C) server located at playerhome.info and awaits further commands.

The malware can check the balance of the infected phone by sending an SMS to the mobile network operator and intercepting the reply, send SMS messages, open web pages, and download and install other malware.  It is also capable of updating itself and sending SMS messages to the victim's contact list.

This trojan also checks the balance of the QIWI Wallet by sending an SMS to 7494.  The response message is intercepted by the trojan and forwarded to the cyber criminals.  If there is money in the wallet, the malware sends a message to 7494 with the attacker's wallet number and the amount to be transferred.

The Trojan is being distributed via SMS spam and via a cybercriminal-run site, disguised as various applications.

Malware uses Your Phone to generate virtual currency for cybercriminals


Is your Android phone often overheating, or is the battery draining faster than normal?  There is a chance that your phone is infected with malware that uses it to generate money for cyber criminals.

Researchers at Lookout have spotted a new piece of malware targeting Android devices, distributed on some Spanish forums that share pirated software.

This malware, referred to as 'CoinKrypt', is not designed to steal any information from infected devices.  However, that does not mean it is harmless: it uses the maximum computing power of your device to generate virtual currencies.

This results in the infected device overheating and affects its battery life.

The malware appears to target only newer virtual currencies such as Litecoin, Dogecoin and Casinocoin.  Since generating the most popular and valuable virtual currency, Bitcoin, requires high computing power, the cyber criminals did not include a Bitcoin mining routine in this malware.

At this time, it is almost one million times easier to mine Litecoin than Bitcoin, and over 3.5 million times easier to mine Dogecoin.  Even though these newer coins are not as valuable as Bitcoin (1 BTC is around $650, 1 LTC is approaching $20), cyber criminals are probably hoping that one day they will reach a value as high as Bitcoin's.

Variant of Zbot makes money for cybercriminals via pay-per-click ads


Zeus (ZBot), the notorious trojan known for stealing online banking login credentials, continues to evolve.

A new variant spotted by Trend Micro security researchers performs a totally different task from other variants: it displays websites containing advertisements.

Every time the user tries to do something on the infected machine, these websites occupy the entire screen, preventing the user from accessing other windows or files.

Even though the victim can reach the desktop by pressing the 'show desktop' shortcut (Win+D), the websites are still displayed in the background.

"It should be noted that the sites being displayed are all legitimate – running from gaming sites, ticketing sites, music sites to search engines," the researcher said.

"Users can actually navigate these displayed sites. One curious feature of this malware is that it also performs various mouse movements and scrolling when the mouse is idle."

Interestingly, this variant does not include a module to steal banking credentials.  However, it achieves the same underlying goal as credential theft: making money for cyber criminals.