Guardian's Article on Cyber Crime spreads Malware

A 2011 article titled “Cybercrime: is it out of control?” on the Guardian's website has been found to be serving the Angler Exploit Kit.

The Angler Exploit Kit is a web-based toolkit that attackers use to probe a visitor's browser and plugins for known vulnerabilities.

The problem was discovered by FireEye Labs on December 1, which noticed that this Angler infection did not come from a tainted ad but from visiting the Guardian's article about cybercrime itself.

Visiting the page executed an embedded script that redirected the reader's browser to an Angler Exploit Kit landing page.

The Windows OLE vulnerability it exploits enables a “God Mode” on infected PCs, giving attackers control over every facet of the user's machine.

The Angler exploit kit also probes for the Flash vulnerabilities CVE-2015-5122, CVE-2015-5560 and CVE-2015-7645, which are less powerful than the Windows OLE one but dangerous nevertheless.

These vulnerabilities have been fixed by Microsoft and Adobe, and users who keep their systems up to date have nothing to fear while reading the article on the Guardian.

Meanwhile, the Guardian has promised to fix the contaminated links on its website.

This news came days after Angler was found serving malvertising to visitors of the video site DailyMotion.

Malware detected in Martel’s cameras used by police departments

iPower Technologies, a U.S. security company and network integrator, has discovered copies of the Conficker malware in the Martel Frontline Camera with GPS, a product of one of the largest manufacturers of police in-car video systems in America, sold and marketed as a body camera for police departments.

The Florida-based company, which is currently developing a cloud-based video storage system that lets government agencies and police departments store and search camera video, said that cameras it had received from the supplier Martel Electronics were loaded with the most notorious botnet malware of 2009.

Conficker is not new: the worm was discovered in late 2008, when researchers found that the malware, which at that point had already infected millions of PCs, had been set to perform an unspecified update activity on April 1, 2009.

Jarrett Pavao and Charles Auchinleck, researchers at the security company, found that when the cameras were connected to a computer, they tried to execute the worm variant Win32/Conficker.B!inf.

“When the camera was connected to a computer, iPower's antivirus software immediately caught the virus and quarantined it. However, if the computer did not have antivirus actively protecting the computer it would automatically run and start propagating itself through the network and internet,” iPower said in a post.

"In the iPower virtual lab environment, packet captures were also run on the infected PC to view the virus's network activity using Wireshark. The virus, classified as a worm virus, immediately started to attempt to spread to other machines on the iPower lab network, and also attempted several phone home calls to internet sites," the post added.

After the findings, iPower said it had tried to contact Martel to report the infection, but the company has yet to respond.

Researchers find new POS malware

Researchers have discovered two new strains of point-of-sale (POS) malware, including one that has gone largely undetected for the past five years.

Researchers have described Cherry Picker, a family of POS malware that, in one form or another, has been targeting food and beverage businesses since 2011.

The malware is reported to have been used in a recent breach at an unidentified U.S. restaurant chain. This memory-scraping POS malware has become a threat to retailers.

The Federal Bureau of Investigation (FBI) has released a warning urging businesses to guard against the malware, as it can infect any Windows-based POS network and encrypts the stolen data, making detection difficult.

Researchers with Trustwave had noticed some basic elements of the malware back in 2011, but it has gone through three iterations since, adding new configuration files, new ways to scrape memory and new ways to remain persistent.

The malware has managed to stay covert for many years by using a combination of configuration files, encryption, obfuscation and command line arguments.

During his research, Eric Merritt, the primary researcher who observed the malware, found a file on a system infected by Cherry Picker that had helped cover the malware’s tracks all these years. The file contains hardcoded paths to the malware, its exfiltration files and legitimate files on the system. A “custom shredder function” in the code overwrites the file multiple times with 00s, FFs and “cryptographic junk” before shredding a list of malware and exfiltration file locations and the executable itself. From there, the code removes any remaining traces of the POS malware.
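Memory-scraping POS malware such as Cherry Picker looks for card data in the shape it has on the magnetic stripe, and a defender triaging a suspect memory dump or recovered exfiltration file can use the same pattern, plus a Luhn check, to confirm whether it holds real card records. The following detector is an added example for this page, not code from Trustwave or from the malware; the sample buffer and the test PAN are constructed.

```python
import re

# A Track 2 record as encoded on a card's magnetic stripe:
#   ;<PAN>=<YY><MM><service code><discretionary data>?
# Memory scrapers hunt for exactly this shape in POS process memory.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_track2(buf: bytes) -> list:
    """Return Luhn-validated Track 2 hits found in buf, with the PAN masked
    to its last four digits so the detector never logs full card numbers."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_valid(pan):
            continue  # random digit runs rarely pass Luhn
        hits.append({
            "offset": m.start(),
            "masked_pan": "*" * (len(pan) - 4) + pan[-4:],
            "expiry": m.group(3).decode() + "/" + m.group(2).decode(),  # MM/YY
            "service_code": m.group(4).decode(),
        })
    return hits


# Constructed sample: a fake exfiltration buffer holding one record with a
# well-known Luhn-valid test PAN, one record whose PAN fails Luhn, and noise.
SAMPLE_BUFFER = (
    b"\x00\x01POS-TERMINAL-07\x00"
    b";4111111111111111=2512101123456789?\x00"
    b";4111111111111112=2512101123456789?\x00"  # fails Luhn, ignored
    b"\xff\xfe log entry, no card data here \x00"
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_BUFFER):
        print(hit)
```

The same function can be run over a process memory dump to see what a scraper would have harvested, which is a useful check when scoping a POS breach.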

Researchers have also discovered another type of POS malware, known as AbaddonPOS, which is much newer than Cherry Picker.

In the observed infection chain, the Vawtrak banking Trojan downloaded TinyLoader, a downloader which in turn downloaded another downloader, which fetched shellcode that turned into AbaddonPOS.

“AbaddonPOS appears to have features for anti-analysis, code obfuscation, persistence, location of credit card data, and a custom protocol for exfiltrating data. Much like malware as a general category, the sophistication of this new malware over prior malware continues to increase,” said Kevin Epstein, Vice President of Threat Operations at the firm.

In addition, security firm Trend Micro is warning of a new malware called MalumPOS, which targets the Oracle Micros POS system.

Attackers will have several choices when it comes to POS malware this season.

18,000 Android apps found with malicious code that steals messages

Researchers from Palo Alto Networks have confirmed that Taomike, a Chinese mobile advertising company, has been distributing a malicious Software Development Kit (SDK) that Android developers use to implement in-app purchases (IAPs).

The SDK, which can be downloaded for free from Taomike, steals all messages on infected phones and sends them to a Taomike-controlled server.

Taomike offers the SDK as a free download, and developers use it to build apps that sell in-app purchases via SMS messages.

In a blog post, Palo Alto Networks stated that since August 1 its WildFire service has captured over 18,000 Android apps containing the library. These apps are not hosted in the Google Play store but are distributed via third-party channels in China.

Taomike provides the SDK and services to help developers display rich advertisements with a high pay rate. Although it has not previously been associated with malicious activity, a recent update to its software added SMS theft functionality.

According to a report published in MNR Daily, there has been an increase in the number of cases of Chinese advertising companies developing malicious SDKs and APIs that developers then use to build their own apps.

Apps built using these malicious SDKs and APIs have been found to steal private information and data from the handsets on which they are installed.

They send this data, including device login and password details, to the companies that developed the SDKs and APIs.

“Among these malware, we have found many that are created by ‘mobile monetization’ companies who distribute apps that provide little value but have a high cost to the user. These apps are often installed by tricking users into clicking a pop-up, only to find later that a charge has appeared on their phone bill,” the researchers added.

The researchers suggested that when developers incorporate third-party libraries into their apps, they should test them carefully and monitor for any abnormal activity.

“Identifying monetization and advertising platforms that behave poorly and abuse their users is something that our industry must do to ensure the safety of all mobile devices and their users,” they concluded.

Kemoge mobile malware infecting devices in more than 20 countries

If you are an Android user and have installed an app named Talking Tom 3, Smart Touch or Privacy Lock, you should be wary.

FireEye, a security firm, has tracked down a new mobile malware that is a threat in more than 20 countries worldwide.

Kemoge, an Android malware that is installed via ads, poses a security threat. The infected apps are copies of software found on the Google Play Store; the key difference is that they attack the user's device after installation.

On its blog, FireEye says, "The attacker uploads the apps to third-party app stores and promotes the download links via websites and in-app ads. Some aggressive ad networks gaining root privilege can also automatically install the samples. On the initial launch, Kemoge collects device information and uploads it to the ad server, then it pervasively serves ads from the background. Victims see ad banners periodically regardless of the current activity (ads even pop up when the user stays on the Android home screen)."

Device data such as the phone's IMEI, IMSI and storage information is then sent to a third-party server.

FireEye said that “Kemoge has self-preservation features, and can uninstall other software including anti-virus applications. Google has been notified of the threat, and everyone else is advised not to download dodgy-looking things from third-party websites.”

FireEye advises Android users not to click suspicious links in emails, SMS messages, websites or advertisements, not to install apps from outside the official app store, and to keep Android devices updated so they cannot be rooted through publicly known bugs.

New malware forces you to change your Wi-Fi's default password

Ifwatch, a custom-built “vigilante” malware, has changed the Wi-Fi passwords of nearly 10,000 routers to make them more secure.

According to researchers at the cyber security firm Symantec, the software actually defends the infected device from attackers and cleans up other malware infections.

“We have not seen any malicious activity whatsoever,” said Symantec threat intelligence officer Val Saengphaibul. “However, in the legal sense, this is illegal activity. It’s accessing computers on a network without the owner’s permission.”

Ifwatch infects routers through their Telnet ports, which are often protected only by default credentials that attackers could easily use, and then prompts users to change their Telnet passwords.

The software is spreading quickly around the world but is found mostly in China and Brazil. It was first discovered by an independent researcher in 2014.

“We have no idea who is behind this — or what their full intention is,” Saengphaibul said.