Researchers discover new Linux backdoor

Security researchers from Doctor Web, a Russian anti-malware company, have detected a new backdoor, dubbed Linux.BackDoor.Dklkt.1, that targets Linux operating systems.

The backdoor's signature has already been added to the Dr.Web virus databases, so Dr.Web's Linux users are reliably protected against it.

“It is clear that the creators of this malicious program planned to equip it with a wide variety of powerful features, but bringing all their intentions to life proved rather problematic; at the moment, not all of the program's components work as they should,” the researchers wrote in a blog post.

The researchers say the backdoor is supposedly of Chinese origin. They said the virus makers tried to create a multi-component malicious program encompassing a large number of functional properties.

“For example, they wanted to equip it with functions typical of file managers, DDoS Trojans, proxy servers, and so on,” they added. “However, not all of these plans were destined to see the light. Moreover, the virus makers attempted to make a cross-platform program out of their creation, so that the executable file could be assembled both for Linux and Windows architectures. However, due to the carelessness of the cybercriminals, the disassembled code contains some strange constructions that have absolutely nothing to do with Linux.”

According to the researchers, the backdoor checks the folder from which it is run for a configuration file containing all of its operating settings. The file holds three addresses of command and control servers: one is used by the backdoor, while the other two are stored for backup purposes. The configuration file is encrypted with Base64.
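
A small triage helper for a configuration file of this shape, written here as an added example (it is not Doctor Web's code, and the layout of the real Dklkt configuration is not described on this page, so the line-per-address format is an assumption): it decodes a Base64 blob while tolerating the missing padding and line wrapping that dumped configs often have, then pulls out every host:port entry, labelling the first as the primary server and the rest as backups so all three can go into a blocklist. The sample configuration and the addresses in it are constructed.

```python
import base64
import binascii
import re

# host:port where host is an IPv4 address or a DNS name (constructed, lenient pattern)
_C2_RE = re.compile(
    r"\b((?:\d{1,3}\.){3}\d{1,3}|(?:[a-z0-9-]+\.)+[a-z]{2,}):(\d{1,5})\b",
    re.IGNORECASE,
)


def decode_base64_lenient(blob: bytes) -> bytes:
    """Decode Base64 that may have lost its '=' padding or picked up whitespace.
    Configs carved out of memory or a disk image are frequently dumped that way."""
    compact = b"".join(blob.split())            # drop newlines and spaces
    compact += b"=" * (-len(compact) % 4)       # restore padding to a multiple of 4
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"config blob is not valid Base64: {exc}") from exc


def extract_c2(config_text: str) -> list:
    """Return C2 entries in order of appearance; the first one is the primary server,
    the remaining ones are the backups the backdoor falls back to."""
    entries, seen = [], set()
    for host, port in _C2_RE.findall(config_text):
        if (host, port) in seen:
            continue
        seen.add((host, port))
        role = "primary" if not entries else "backup"
        entries.append({"host": host, "port": int(port), "role": role})
    return entries


def triage_config(blob: bytes) -> dict:
    """Decode a Base64 config and report its C2 servers; 'ok' means the expected three were found."""
    text = decode_base64_lenient(blob).decode("utf-8", errors="replace")
    c2 = extract_c2(text)
    return {"decoded": text, "c2": c2, "ok": len(c2) == 3}


# Constructed sample config (NOT a real Dklkt sample): one address per line, documentation IPs.
SAMPLE_PLAINTEXT = (
    "c2=198.51.100.23:8080\n"
    "backup1=203.0.113.7:8080\n"
    "backup2=c2.example.net:443\n"
)
# Padding stripped on purpose to exercise the lenient decoder.
SAMPLE_CONFIG = base64.b64encode(SAMPLE_PLAINTEXT.encode()).rstrip(b"=")

if __name__ == "__main__":
    result = triage_config(SAMPLE_CONFIG)
    for entry in result["c2"]:
        print(f"{entry['role']:8} {entry['host']}:{entry['port']}")
    print("three C2 servers found" if result["ok"] else "unexpected C2 count, inspect manually")
```

The point of the lenient decoder is the failure mode analysts actually hit: a config string that `base64.b64decode` rejects for padding reasons is not evidence that the data is something else, so fix the padding first and only then treat a decode error as a real signal.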

Once activated, the backdoor tries to register itself in the system as a daemon (system service). If the attempt fails, the backdoor terminates.

“Once the malicious program is successfully run, it sends the server information on the infected system; at that, the transmitted data is compressed with LZO and encrypted with the Blowfish algorithm. In addition to that, every packet contains a checksum, so that the recipient could verify data integrity,” the researchers explained.

The researchers said that Linux.BackDoor.Dklkt.1 then waits for incoming commands, which can include launching a DDoS attack, starting a SOCKS proxy server, running a specified application, and rebooting or shutting down the computer.

‘Android games on Google Play steal Facebook credentials,’ say researchers


This may come as a shock to many game lovers: researchers from ESET have revealed that Cowboy Adventure, a popular Android game on the Google Play store, compromised the Facebook login credentials of over a million users who downloaded the game.

According to a post by the researchers on July 9, the Cowboy Adventure app on the Google Play store was able to steal users' personal information.

The Cowboy Adventure app had 500,000 – 1,000,000 installs, and its developer also used it as a tool to harvest Facebook credentials.

Google has since removed both apps from its app store and also warns against installing them on Android devices.

“It was one of two games spotted by ESET malware researchers that contained this malicious functionality, the other one being Jump Chess,” according to a report on WeLiveSecurity.

The report said that, unlike some other Android malware, these apps did contain legitimate functionality (they actually were real games) in addition to the fraud. The problem is that when the app is launched, a fake Facebook login window is displayed to the user. If victims fall for the scam, their Facebook credentials are sent to the attackers' server.

The latest version of the app at the time Google removed it from its official market last week was reportedly 1.3. This trojanized game had been available for download from Google Play since at least April 16, 2015, when the app was updated.

“We are not sure how many users had their Facebook credentials compromised,” the report read.

“Our analysis of these malicious games has shown that the applications were written in C# using the Mono Framework. The phishing code is located inside TinkerAccountLibrary.dll. The app communicates with its C&C server through HTTPS and the address to which to send the harvested credentials (also known as the ‘drop zone’) is loaded from the server dynamically,” the report read.

The researchers advise always downloading apps from the official Google Play store rather than from alternative app stores or other unknown sources, and always checking the ratings and user comments.

“Even though Google Play is not 100% malware free, they do have strong security mechanisms to keep trojans out,” the researchers added.

Researchers detect a threat that abuses Android accessibility feature to steal data

Researchers from Lookout, a San Francisco-based mobile security company that protects both private and business mobile devices, have detected a malware family dubbed “AndroRATIntern” that abuses the accessibility service in Android to steal sensitive data from infected smartphones.

“After discovering this threat, Lookout notified both LINE and Google. None of LINE’s systems were breached. All Lookout users are protected against this threat,” the researchers wrote in a blog post.

According to the researchers, AndroRATIntern is surveillanceware developed from the AndroRAT malware toolkit. It is sold commercially as “AndroidAnalyzer”.

“The threat is notably the first piece of malware we’ve ever seen abusing the Android accessibility service to steal data,” the blog read.

According to them, the malware targets the Japanese market. It can collect a broad range of data from infected devices, including messages from LINE (one of the most popular communications apps in Japan, which lets users make voice and video calls and send messages), contact data, call logs, SMS, audio, video, photos, SD card changes, and GPS location.

The researchers said that AndroRATIntern must be installed locally, which requires a malicious actor to have physical, unmonitored access to the target device. This makes it a much more targeted threat, one that cannot be spread by drive-by-download campaigns.

Malware that steals SMS messages, contact data, and other files is not uncommon. However, it is difficult to steal messages from LINE because the application runs in a sandbox.

The malware bypasses the security mechanism by abusing the text-to-speech accessibility feature in Android. This feature is designed to aid visually impaired users, but the malware developers are leveraging it to capture LINE messages when they are opened by the victim.

The researchers pointed out some tips that can keep people safe:

- Keep a passcode on your device. It will be significantly harder for someone to download and install anything on your phone if it is locked.
- Download security software that can tell you if malicious software is running on your device.
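
Because the abuse described above rides on a legitimately enabled accessibility service, the practical check on a device is to list which services are enabled and whether the packages behind them were installed from the Play Store or sideloaded (the physical-access install path the researchers describe). The following is an added example, not Lookout's code: it parses the output of two real Android commands, `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of package/class component names) and `adb shell pm list packages -i` (one `package:<pkg>  installer=<src>` line per app), and flags any enabled service outside an allowlist. The allowlist and both sample outputs are constructed; `com.example.spyware` is a placeholder package, not a real indicator.

```python
PLAY_STORE = "com.android.vending"

# Accessibility services expected on the fleet (assumption: tune this per organisation).
TRUSTED_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}


def parse_enabled_services(raw: str) -> list:
    """Split the secure setting value; `settings get` prints 'null' when nothing is enabled."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    return [component for component in raw.split(":") if component]


def parse_installers(pm_output: str) -> dict:
    """Map package name -> installer package; None means sideloaded (installer=null)."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition("installer=")
        installer = rest.strip()
        installers[pkg.strip()] = None if installer in ("", "null") else installer
    return installers


def audit_accessibility_services(setting_value: str, pm_output: str,
                                 trusted=TRUSTED_SERVICES) -> dict:
    """Report enabled accessibility services that are not allowlisted, together with
    where the owning package came from, so a sideloaded service stands out."""
    installers = parse_installers(pm_output)
    findings = []
    for component in parse_enabled_services(setting_value):
        if component in trusted:
            continue
        package = component.split("/", 1)[0]   # component names are <package>/<class>
        installer = installers.get(package)
        findings.append({
            "component": component,
            "package": package,
            "installer": installer,
            "sideloaded": installer is None,
            "from_play_store": installer == PLAY_STORE,
        })
    return {"findings": findings, "clean": not findings}


# Constructed sample output (not captured from a real device).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.spyware/.TextCaptureService"
)
SAMPLE_PM_OUTPUT = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:jp.naver.line.android  installer=com.android.vending
package:com.example.spyware  installer=null
"""

if __name__ == "__main__":
    report = audit_accessibility_services(SAMPLE_SETTING, SAMPLE_PM_OUTPUT)
    for f in report["findings"]:
        print(f"UNEXPECTED {f['component']} installer={f['installer']} sideloaded={f['sideloaded']}")
    print("clean" if report["clean"] else "review required")
```

In a fleet check the two strings would come straight from `adb` (or an MDM export) rather than the constants above; the allowlist is what turns the raw list into a decision, so keep it short and review it when a new assistive app is approved.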

New Trojan that hides in PNG images affects healthcare organizations

A new Trojan named Stegoloader has been reported. Most of the victims claimed by this trojan are healthcare organizations in the US.

This new Trojan hides itself in PNG images to infiltrate personal computers and collect information; the malicious code is concealed in the pixels of the images.

Because the trojan hides in PNG images, it is able to circumvent security measures such as network firewalls and personal antivirus software.
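
One way a defender can look at a suspicious image is to decode it properly and measure how random its least significant bits are, since a payload packed into pixel LSBs leaves a bit plane that looks like noise instead of the structured plane a natural or rendered image has. The block below is an added example and not from Dell's report: it contains a minimal PNG decoder (8-bit RGB/RGBA, non-interlaced) that verifies every chunk CRC and rejects bytes after IEND, plus an LSB-plane entropy heuristic. Stegoloader's actual encoding scheme is not described on this page, so the LSB embedding used only to build the test fixture is an assumption standing in for whatever the real samples use; both images are constructed here.

```python
import math
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, tag, body, CRC-32 over tag+body."""
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body) & 0xFFFFFFFF)


def encode_png(width: int, height: int, rgb: bytes) -> bytes:
    """Write an 8-bit RGB PNG with filter type 0 on every scanline (fixture builder only)."""
    stride = width * 3
    raw = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def decode_png(data: bytes):
    """Minimal decoder; returns (width, height, channels, samples). Chunk CRCs and data after
    IEND are checked because a hand-patched carrier file often fails one of the two."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos, idat, hdr = 8, [], None
    while pos < len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(tag + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in {tag.decode()} chunk")
        pos += 12 + length
        if tag == b"IHDR":
            hdr = struct.unpack(">IIBBBBB", body)
        elif tag == b"IDAT":
            idat.append(body)
        elif tag == b"IEND":
            break
    if pos != len(data):
        raise ValueError(f"{len(data) - pos} trailing bytes after IEND")
    width, height, depth, ctype, _, _, interlace = hdr
    if depth != 8 or ctype not in (2, 6) or interlace:
        raise ValueError("only 8-bit RGB/RGBA non-interlaced images are handled here")
    ch = 3 if ctype == 2 else 4
    stride = width * ch
    raw = zlib.decompress(b"".join(idat))
    samples, prev = bytearray(), bytearray(stride)
    for y in range(height):                      # undo the per-scanline filter (PNG spec 9.2)
        off = y * (stride + 1)
        ftype, line = raw[off], bytearray(raw[off + 1:off + 1 + stride])
        for i in range(stride):
            a = line[i - ch] if i >= ch else 0   # left neighbour (already reconstructed)
            b = prev[i]                          # sample above
            c = prev[i - ch] if i >= ch else 0   # upper-left
            if ftype == 1:   pred = a
            elif ftype == 2: pred = b
            elif ftype == 3: pred = (a + b) // 2
            elif ftype == 4:                     # Paeth predictor
                p = a + b - c
                pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
                pred = a if (pa <= pb and pa <= pc) else (b if pb <= pc else c)
            else:            pred = 0
            line[i] = (line[i] + pred) & 0xFF
        samples += line
        prev = line
    return width, height, ch, bytes(samples)


def lsb_plane(samples: bytes) -> bytes:
    """Pack the least significant bit of each sample, eight samples per byte, MSB first."""
    return bytes(sum((samples[i + k] & 1) << (7 - k) for k in range(8))
                 for i in range(0, len(samples) - 7, 8))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data scores close to 8, structured data far below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(v) for v in range(256)) if c) if n else 0.0


def lsb_entropy(png: bytes) -> float:
    """Steganalysis heuristic: entropy of the LSB plane of a decoded PNG."""
    return shannon_entropy(lsb_plane(decode_png(png)[3]))


def embed_lsb(samples: bytes, payload: bytes) -> bytes:
    """Write payload bits into sample LSBs; used here only to build the stego fixture."""
    px = bytearray(samples)
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    if len(bits) > len(px):
        raise ValueError("payload does not fit in the image")
    for i, bit in enumerate(bits):
        px[i] = (px[i] & 0xFE) | bit
    return bytes(px)


# Constructed fixtures (not Stegoloader samples): a smooth 64x64 gradient as the clean cover, and the
# same cover carrying 1500 pseudo-random bytes (standing in for a packed payload) in its LSBs.
W, H = 64, 64
COVER = bytes((x + y + 40 * c) & 0xFF for y in range(H) for x in range(W) for c in range(3))
CLEAN_PNG = encode_png(W, H, COVER)
PAYLOAD = random.Random(2015).randbytes(1500)
STEGO_PNG = encode_png(W, H, embed_lsb(COVER, PAYLOAD))

if __name__ == "__main__":
    for label, png in (("clean", CLEAN_PNG), ("stego", STEGO_PNG)):
        print(f"{label}: LSB-plane entropy = {lsb_entropy(png):.2f} bits/byte")
```

Treat the entropy score as a triage signal rather than a verdict: photographs with sensor noise already have a fairly random LSB plane, so the useful comparison is against a known-clean copy of the same image, which is exactly what a file-hash or web-proxy cache check can supply when a PNG arrives from an unexpected source.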

This malware was first spotted in 2013, but since then it has been reworked many times and multiple versions of Stegoloader now exist. Dell was the first company to report this malware.

Out of all the Stegoloader victims, 42 percent are in the healthcare industry.

Dangerous Android malware steals money from your bank


Researchers from Doctor Web have identified a banking trojan called Android.BankBot.65.origin, which has been created specifically for Android devices.

Cybercriminals are adding malicious code to legitimate online banking applications and planting them in various third-party Android markets and on other websites.

"Due to the fact that a compromised application looks and operates as a legitimate one, potential victims are very likely to install it on their mobile devices." After that, the Trojan starts accessing system information and carrying out its malicious actions.

Once installed, Android.BankBot.65.origin generates a special configuration file containing the Trojan's operating parameters. The trojan then receives commands from its control server and carries them out on the device, which lets the cybercriminals steal money by intercepting and modifying SMS messages.

It can intercept incoming SMS messages and send texts to numbers specified by the cybercriminals, and it can insert arbitrary texts into the list of incoming SMS messages. Using these methods, the cybercriminals steal money from users' bank accounts: by sending messages that transfer money from the victim's account to their own, by intercepting messages containing verification codes, or by other fraudulent methods.
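
A repackaged banking app of the kind described here has to declare the SMS capabilities it abuses in its manifest, and comparing that manifest with the genuine app's is a quick way to spot the addition. The following is an added example, not Doctor Web's code: it summarises a decoded AndroidManifest.xml (as produced by a tool such as apktool; the binary manifest inside the APK must be decoded first), flags SMS permissions and high-priority `SMS_RECEIVED` receivers, and reports permissions a suspect build requests beyond those of the genuine app with the same package name. Both manifests and the `com.example.bank` package are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"   # attribute namespace used by android:*
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_SMS", "android.permission.WRITE_SMS",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def summarize_manifest(xml_text: str) -> dict:
    """Extract package name, requested permissions and SMS_RECEIVED receivers from a decoded manifest."""
    root = ET.fromstring(xml_text)
    permissions = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions:
                sms_receivers.append({
                    "name": receiver.get(ANDROID_NS + "name"),
                    "priority": int(flt.get(ANDROID_NS + "priority", "0")),
                })
    return {"package": root.get("package"), "permissions": permissions, "sms_receivers": sms_receivers}


def assess_repackaging(suspect_xml: str, genuine_xml: str = "") -> dict:
    """Heuristic indicators of an SMS-intercepting banker. When the genuine app's manifest is
    supplied, extra permissions under the same package name are reported as a repackaging sign."""
    suspect = summarize_manifest(suspect_xml)
    findings = []
    sms_perms = sorted(suspect["permissions"] & SMS_PERMISSIONS)
    if sms_perms:
        findings.append("requests SMS permissions: " + ", ".join(sms_perms))
    for r in suspect["sms_receivers"]:
        # A high priority lets the receiver see an SMS before the default messaging app does.
        if r["priority"] >= 100:
            findings.append(f"high-priority SMS_RECEIVED receiver {r['name']} (priority {r['priority']})")
    if genuine_xml:
        genuine = summarize_manifest(genuine_xml)
        added = sorted(suspect["permissions"] - genuine["permissions"])
        if suspect["package"] == genuine["package"] and added:
            findings.append("same package name as the genuine app but extra permissions: " + ", ".join(added))
    return {"package": suspect["package"], "findings": findings, "suspicious": bool(findings)}


# Constructed manifests (not from any real app): the genuine banking app and a repackaged copy.
GENUINE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""
SUSPECT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    report = assess_repackaging(SUSPECT_MANIFEST, GENUINE_MANIFEST)
    for finding in report["findings"]:
        print(f"[{report['package']}] {finding}")
    print("suspicious" if report["suspicious"] else "no SMS-banker indicators")
```

The comparison against the genuine manifest is the strongest of the three signals: a bank's own app may legitimately read SMS for one-time codes, but a build with the same package name that suddenly needs `SEND_SMS` and a priority-999 receiver is the pattern of a trojanized copy distributed outside the official store.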

Messages such as a “pre-approved credit card” offer asking for personal information are examples of fraudulent schemes that may trick users into sharing their banking credentials, leading to online banking theft. It is therefore important to download mobile banking applications from authentic sources only.

Think twice before you open email attachments from unknown senders


Security researchers at Check Point have discovered a new ransomware threat dubbed Troldesh, which is also known as Encoder.858 and Shade.

Troldesh, which was created in Russia, has already affected numerous users across the world. The ransomware typically encrypts the user's personal files and extorts money for their decryption.

“Troldesh is based on so-called encryptors that encrypt all of the user’s personal data and extort money to decrypt the files. Troldesh encrypts a user’s files with an “.xtbl” extension. It is spread initially via e-mail spam,” Natalia Kolesova, anti-bot analyst at Check Point, wrote in a blog post.

She said they found a distinctive characteristic in Troldesh beyond the typical ransomware features.

The authors of Troldesh communicate directly with the victim by providing an email address, which is used to arrange the payment method.

According to Kolesova, once a malicious email attachment is opened, the threat is activated and begins encrypting the user's files, giving them the extension .xtbl.

Along with the files, the file names are also encrypted. Once the encryption process is done, the affected user is shown a ransom message and directed to a ‘readme’ text file for further information.

To stay safe, users are advised not to open suspicious attachments from unknown senders.

“Many cases have been reported of users paying the ransom without having their files decrypted. In order to avoid ransomware, it is important to back up important data beforehand on an external storage device or in the cloud,” she wrote.

The researcher said that affected users should download a powerful anti-malware tool to scan the system and remove the ransomware.

The researcher said she contacted the criminals via email and asked for a discount.

“I was very interested to learn more about the ransom and tried to start a correspondence with the attackers. As required, I sent the specified code to the e-mail address provided, one that is registered on the most famous Russian domain,” the researcher wrote.

The crooks had demanded 250 euros to decrypt all of the files.

However, after the researcher asked to reduce the amount, the criminals agreed to lower the ransom to €118 / $131, payable via the QIWI money transfer system.