Interpol coordinated to take down Simda botnet

The Simda botnet has been taken down on April 9 in a collaborative effort between international law enforcement bodies and private security and technology companies coordinated by Interpol's Global Complex for Innovation.

The botnet, known for spreading banking malware and establishing backdoors that other malware then used, infected more than 770,000 computers in 190 countries. The takedown resulted in the seizure of 14 command-and-control servers in the Netherlands, the United States, Poland, Luxembourg and Russia.

According to the researchers, Simda is a mysterious botnet used by cybercriminals to distribute several types of unwanted and malicious software. Because of constant functionality and security updates, it rarely appears on the KSN (Kaspersky Security Network) radar despite infecting a large number of hosts every day.

It uses hardcoded IP addresses to notify its operators about the various stages of execution. It can modify the system hosts file, and it downloads and runs additional components from its own update servers. To point traffic at malicious IPs, it adds unexpected hosts-file records for google-analytics.com and connect.facebook.net.
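
The hosts-file tampering described above is something a defender can check for directly. The following is an added example, not code from the article or from Kaspersky Lab: it parses hosts-file text and reports any watched domain (here the two the article names) that is pointed at an address other than loopback or the unspecified address. The sample hosts content and the 203.0.113.45 redirect target are constructed for illustration.

```python
"""Flag suspicious hosts-file overrides of well-known domains.

Added example (not from the original article or from Kaspersky Lab).
Simda was reported to add records for google-analytics.com and
connect.facebook.net to the system hosts file; this scanner parses a
hosts file and reports any entry that maps a watched domain to an
address other than loopback/unspecified.  The sample hosts content
below is constructed for illustration.
"""
import ipaddress

# Domains the article names as redirected by Simda (assumption: a real
# deployment would watch a longer, site-specific list).
WATCHED_DOMAINS = {"google-analytics.com", "connect.facebook.net"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: no hostname after the address
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an IP address; ignore
        for name in fields[1:]:
            yield addr, name.lower().rstrip(".")


def suspicious_overrides(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip)] for watched domains not pointed at loopback/unspecified."""
    hits = []
    for addr, name in parse_hosts(text):
        if name in watched and not (addr.is_loopback or addr.is_unspecified):
            hits.append((name, str(addr)))
    return hits


# Constructed sample: a normal hosts file plus two Simda-style redirects
# to a TEST-NET-3 address (203.0.113.0/24 is reserved for documentation).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.test        # legitimate local sinkhole
203.0.113.45    google-analytics.com    # constructed redirect
203.0.113.45    connect.facebook.net
"""

if __name__ == "__main__":
    for name, ip in suspicious_overrides(SAMPLE_HOSTS):
        print(f"ALERT: {name} -> {ip}")
```

Entries that sinkhole a watched domain to 127.0.0.1 or 0.0.0.0 are deliberately not reported, since that is a common legitimate use of the hosts file; only redirection to a routable address is flagged.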

The Kaspersky Lab report says that, “This criminal business model opens up the possibility of exclusive malware distribution. This means that the distributors can guarantee that only the client’s malware is installed on infected machines. And that becomes the case when Simda interprets a response from the C&C server – it can deactivate itself by preventing the bot to start after next reboot, instantly exiting. This deactivation coincides with the modification of the system hosts file. As a farewell touch, Simda replaces the original hosts file with a new one from its own body.”

To analyse the spread of the infection, the INTERPOL Digital Crime Centre (IDCC) in Singapore worked with Microsoft, Trend Micro, Kaspersky Lab and Japan's Cyber Defense. The operation also involved officers from the Dutch National High Tech Crime Unit in the Netherlands, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, the Federal Bureau of Investigation in the US, and the Russian Ministry of the Interior's Cybercrime Department "K".

Sanjay Virmani, Director of the INTERPOL Digital Crime Centre, said “This successful operation highlights the value of, and need for partnerships involving national and international law enforcement and private industry in the fight against the global threat of cyber crime. The operation has dealt a crippling blow to the Simda botnet. INTERPOL will continue its work to assist member countries in protecting their citizens from cybercriminals and to identify other emerging threats.”

‘Trojan.Laziok’ Malware targets energy sector in Middle East

Image Credits: Symantec
Symantec has detected Trojan.Laziok, which acts as a reconnaissance tool that lets the attackers gather data about the compromised computers.

Between January and February, Symantec observed a "multi-staged, targeted attack campaign" against energy companies around the world, with a focus on countries in the Middle East.

According to the blog post by Symantec's Christian Tripputi, the attack starts with spam emails sent from the moneytrans[.]eu domain, which acts as an open-relay Simple Mail Transfer Protocol (SMTP) server. These mails carry a malicious attachment, an Excel file, that contains an exploit for the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158). If the user opens the attachment, the exploit code runs and leaves Trojan.Laziok on the computer.

To hide itself, the Trojan creates folders under the %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle directory and renames itself to well-known file names such as:

%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\search.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\ati.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\lsass.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\smss.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\admin.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\key.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\taskmgr.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\chrome.exe
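
Several of the names above (lsass.exe, smss.exe, taskmgr.exe, chrome.exe) belong to binaries that normally live in a small, known set of directories, so a file with one of those names anywhere else is worth an alert. The following is an added example, not Symantec's code: given a list of file paths from an inventory or process listing, it reports any well-known name found outside its expected directory. The expected-directory table is an assumption for a default Windows layout, and the sample path list is constructed from the names the article reports.

```python
r"""Flag files that borrow well-known Windows binary names in odd locations.

Added example, not Symantec's code.  Trojan.Laziok drops copies of itself
under Application Data\System\Oracle\azioklmpx using names such as
lsass.exe, smss.exe, taskmgr.exe and chrome.exe.  Given file paths from an
inventory or process listing, this check reports any path whose file name
matches a well-known binary but whose directory is not an expected one.
The expected directories and the sample paths are assumptions/constructed.
"""
from pathlib import PureWindowsPath

# Expected directories per well-known name (assumption: default Windows
# layout; extend per environment).  Compared case-insensitively.
EXPECTED_DIRS = {
    "lsass.exe": {r"c:\windows\system32"},
    "smss.exe": {r"c:\windows\system32"},
    "taskmgr.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "chrome.exe": {
        r"c:\program files\google\chrome\application",
        r"c:\program files (x86)\google\chrome\application",
    },
}


def expand_system_drive(path, system_drive="C:"):
    """Expand the %SystemDrive% token (assumption: the system drive is C:)."""
    return path.replace("%SystemDrive%", system_drive)


def masquerading_paths(paths, expected=EXPECTED_DIRS):
    """Return [(name, full_path)] for known names found outside expected dirs."""
    findings = []
    for raw in paths:
        p = PureWindowsPath(expand_system_drive(raw))
        name = p.name.lower()
        if name not in expected:
            continue  # no baseline for this name; nothing to compare against
        if str(p.parent).lower() not in expected[name]:
            findings.append((name, str(p)))
    return findings


# Directory reported in the article for the Laziok copies.
LAZIOK_DIR = (r"%SystemDrive%\Documents and Settings\All Users"
              r"\Application Data\System\Oracle\azioklmpx")

# Constructed sample: two legitimate binaries plus the Laziok file names.
SAMPLE_PATHS = [
    r"C:\Windows\System32\lsass.exe",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    LAZIOK_DIR + r"\lsass.exe",
    LAZIOK_DIR + r"\smss.exe",
    LAZIOK_DIR + r"\taskmgr.exe",
    LAZIOK_DIR + r"\chrome.exe",
    LAZIOK_DIR + r"\search.exe",  # no baseline for this name, so not reported
]

if __name__ == "__main__":
    for name, path in masquerading_paths(SAMPLE_PATHS):
        print(f"ALERT: {name} outside its expected directory: {path}")
```

Names with no baseline (search.exe, admin.exe, key.exe, ati.exe) are skipped by this check; catching those needs a different signal, such as the unusual parent directory itself.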

Trojan.Laziok begins its reconnaissance process by collecting system configuration data such as the computer name, installed software, GPU details, CPU details, antivirus software, RAM size and hard disk size.


After receiving the system configuration data, the attackers infect the computers with additional malware, distributing customized copies of Trojan.Zbot and Backdoor.Cyberat tailored to the compromised computer's profile.

Symantec and Norton products have protections against this campaign.

Malware infections through spam campaigns can be avoided by not clicking on links in unsolicited, unexpected or suspicious emails; not opening attachments in such emails; using comprehensive security software, such as Symantec Endpoint Protection or Norton Security, to protect against attacks of this kind; taking a layered approach to security for better protection; keeping security software up to date; and applying patches for installed software on a timely basis.

The 64-bit version of NewPosThings malware is here

A new 64-bit version of NewPosThings, a point-of-sale malware, has come to light. The 32-bit version of NewPosThings was discovered by Arbor Systems in September last year.

The recent developments were brought to light by Trend Micro's threat analyst Jay Yaneza, who found the malware targeting 64-bit systems rather than only the 32-bit systems that were affected initially.

According to SC Magazine, Yaneza wrote, "Similar to the previous 32-bit version reported last year, the 64-bit sample is a multifunction Trojan that includes added functionalities and routines. These include RAM scraper capabilities, keylogging routines, dumping virtual network computing (VNC) passwords, and information gathering."

Researchers have noticed that the malware is evolving continuously, affecting more and more functions of the PoS machine.

Delving into PoSeidon malware

News of data breaches caused by card use at infected point-of-sale (PoS) systems at retailers has become common nowadays. Because there is a huge market for stolen credit card information, companies are being targeted with newer and more sophisticated malware.

How exactly does this malware work? While investigating breach cases, Cisco Security Solutions discovered the working mechanism of a new malware family, nicknamed PoSeidon.

The infection of the PoS system possibly starts with a keylogger which, once installed, deletes the login information (i.e. passwords) stored in the user's profile. This forces the user to type the credentials in again; the keylogger records them and sends them back to the server, from which the attackers can access the system remotely and infect it with the Loader malware to steal card information.

The Loader tries to install itself on the PoS system as a service running as Winhost so that it survives reboots. This step is called persistence: it is how the malware keeps its hold on the system. The Loader then connects to hardcoded command-and-control servers, which send the second executable part of the malware, called FindStr.

It also installs another keylogger at the same time. FindStr scans data on the infected system for 16-digit number sequences starting with 6, 5 or 4 (Discover, Visa, Mastercard) and 15-digit sequences starting with 3 (AMEX).

It then runs the Luhn algorithm to verify whether each candidate is actually card information and sends the confirmed numbers, along with the keylogger data, to the exfiltration servers, from where they can be harvested for further use.
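
The two-stage filter the article describes (a prefix-and-length pattern, then the Luhn checksum) is the same filter a defender uses in a DLP scan or a log review to tell genuine card numbers from random digit runs such as order IDs. The following is an added example, not Cisco's code; it implements that filter over constructed sample text. The card numbers in the sample are published test numbers, not real accounts.

```python
"""PAN pattern matching plus Luhn validation, as described for FindStr.

Added example, not Cisco's code.  Shows the two-stage test the article
describes from the defender's side: the same filter lets a DLP or
log-review job separate real card numbers from random digit runs.
Sample text and card numbers are constructed (published test numbers).
"""
import re

# 16 digits starting with 4, 5 or 6 (Visa / Mastercard / Discover), or
# 15 digits starting with 3 (American Express), bounded by non-digits.
PAN_PATTERN = re.compile(r"(?<!\d)(?:[456]\d{15}|3\d{14})(?!\d)")

BRANDS = {"3": "AMEX", "4": "Visa", "5": "Mastercard", "6": "Discover"}


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    # Walk from the rightmost digit; double every second digit, and if the
    # doubled value has two digits, add them together (equivalent to -9).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return [(pan, brand)] for pattern matches that also pass Luhn."""
    return [(m.group(0), BRANDS[m.group(0)[0]])
            for m in PAN_PATTERN.finditer(text)
            if luhn_valid(m.group(0))]


# Constructed log excerpt: an order id that only looks like a PAN, a valid
# Visa test number, the same number with a corrupted check digit, and a
# valid American Express test number.
SAMPLE_TEXT = """\
2015-03-20 10:02:11 order=7123456789012345 status=ok
2015-03-20 10:02:12 debug card=4111111111111111 exp=12/19
2015-03-20 10:02:13 debug card=4111111111111112 exp=12/19
2015-03-20 10:02:14 amex=378282246310005 approved
"""

if __name__ == "__main__":
    for pan, brand in find_card_numbers(SAMPLE_TEXT):
        print(f"{brand}: {pan[:6]}{'*' * (len(pan) - 10)}{pan[-4:]}")
```

The order ID never reaches the Luhn step because its leading digit is outside the pattern, and the corrupted Visa number matches the pattern but fails the checksum; only the two genuine test numbers are reported, which is exactly why the malware bothers with Luhn at all.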

The malware can also update itself depending on communication from an external server. Further investigation shows that the developers are working to reuse these components in newer projects. Faced with such persistent threats, organizations need to be vigilant and adopt a threat-centric approach that provides security across the full attack continuum – before, during and after an attack.

Gift from Amazon, beware it can be Malware


If you have recently received the message "Hey [NAME], I am sending you $200 Amazon Gift Card You can Claim it here" on your phone, you have become a victim of one of the single largest messaging-initiated mobile malware campaigns, as discovered by AdaptiveMobile.

This malware accesses all the contacts on the phone and sends each of them a spam message with a URL that promises an Amazon gift card if the recipient installs an APK file hosted on the page.

Thousands of people around the world have installed this malware and fallen victim to it; in North America alone, around 4,000 devices are infected. According to VirusTotal, none of the antivirus engines detect this malware, but it can be easily removed using the standard Android app uninstall utilities.

The URL-shortener account behind this malicious URL was connected to a Facebook account that seems to be owned by a real person, and this spam campaign does not appear to be the profile owner's first. An earlier WhatsApp spam campaign can be related to it: that one used a link redirecting users to a scam page, which suggests a close link between the authors of both campaigns.

AdaptiveMobile is a mobile security company that protects services on both fixed and mobile networks through in-network and cloud solutions.

New Mac OS X botnet uses Reddit's search function to get its C&C server list


Security researchers at the Russian antivirus company Dr.Web have published details of a new botnet that targets Mac OS X.

What is very interesting is that this malware uses Reddit's search function to acquire its command-and-control (C&C) server list from comments posted in a 'Mine Craft Server Lists' subreddit.

The malware calculates the MD5 hash of the current date and uses the first 8 bytes of the hash as its Reddit search term. The search result contains the server IPs with port numbers.
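
Because the search term is derived only from the date, a defender can precompute each day's term and watch outbound Reddit searches for it in proxy logs. The following is an added example, not Dr.Web's code; two details the article leaves open are assumptions labelled in the code: the date is formatted as YYYY-MM-DD, and "first 8 bytes" is taken to mean the first 8 hex characters of the digest. The proxy log lines and the subreddit path are constructed.

```python
"""Compute the daily iWorm-style Reddit search term and find it in proxy logs.

Added example, not Dr.Web's code.  The article says iWorm searched Reddit
for the first 8 bytes of the MD5 hash of the current date.  Assumptions:
the date is formatted as YYYY-MM-DD (the article does not give the format)
and "8 bytes" means the first 8 hex characters of the digest.  Given that,
a defender can precompute the day's token and flag outbound Reddit searches
for it.  The proxy log lines below are constructed.
"""
import datetime as dt
import hashlib
from urllib.parse import parse_qs, urlparse


def daily_token(day, fmt="%Y-%m-%d"):
    """First 8 hex characters of MD5(date string); the date format is an assumption."""
    digest = hashlib.md5(day.strftime(fmt).encode("ascii")).hexdigest()
    return digest[:8]


def tokens_around(day, window=1):
    """Tokens for day +/- window days, to tolerate clock skew and time zones."""
    return {daily_token(day + dt.timedelta(days=d))
            for d in range(-window, window + 1)}


def reddit_search_query(url):
    """Return the q= parameter of a Reddit search URL, or None for other URLs."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if not (host == "reddit.com" or host.endswith(".reddit.com")):
        return None
    if not parsed.path.endswith("/search"):
        return None
    values = parse_qs(parsed.query).get("q")
    return values[0] if values else None


def flag_requests(log_lines, day):
    """Return [(client, url)] for log lines whose Reddit search query is a daily token."""
    wanted = tokens_around(day)
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # constructed format: "<timestamp> <client-ip> <url>"
        client, url = fields[1], fields[2]
        query = reddit_search_query(url)
        if query is not None and query.lower() in wanted:
            hits.append((client, url))
    return hits


# Constructed proxy log: one client searching Reddit for today's token, one
# ordinary Reddit search, and the token sent to a non-Reddit host.
SAMPLE_DAY = dt.date(2014, 10, 1)
SAMPLE_LOG = [
    "2014-10-01T09:12:03Z 10.0.0.5 https://www.reddit.com/r/someserverlist/search?q="
    + daily_token(SAMPLE_DAY) + "&restrict_sr=on",
    "2014-10-01T09:12:10Z 10.0.0.6 https://www.reddit.com/r/python/search?q=asyncio",
    "2014-10-01T09:13:44Z 10.0.0.7 https://example.test/search?q=" + daily_token(SAMPLE_DAY),
]

if __name__ == "__main__":
    print("today's token:", daily_token(SAMPLE_DAY))
    for client, url in flag_requests(SAMPLE_LOG, SAMPLE_DAY):
        print(f"ALERT: {client} searched Reddit for a daily token: {url}")
```

Matching a one-day window on either side avoids missing a lookup made just after midnight in another time zone; if the real date format differs from the assumed one, only `daily_token` needs changing.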

The malware, dubbed 'iWorm', has reportedly infected more than 17,000 Mac computers, 4,610 of which are in the US.

The Reddit account used by the cybercriminals appears to have been removed. However, that is not going to stop them from controlling their botnet: they can simply create a new account or switch to another online service.