Search This Blog

Showing posts with label Virus Attack. Show all posts

During ransomware attack, student's GCSE coursework seized

Sir John Colfox Academy, in Bridport, was the target of hackers, believed to be from China, after a member of staff mistakenly opened an email that contained virus and infected the school’s entire computer network. The email claimed to be from a teacher at another Dorset school.

Hackers seized pupil’s GCSE courework of the secondary school and demanded cash or returning it.

The Sir John Colfox Academy has about 1,000 pupils. The coursework was from one subject submitted by Year 11 students, which was saved on the school' system.

Head teacher David Herbert said: "We are liaising with the relevant exam boards about this specific issue."

Police have launched an investigation into the cyber attack.

Neither police nor the school have said how much money was demanded for the return of the coursework, but police say no money has been paid.

Researchers discover Malware Samples Designed to Exploit CPU Vulnerabilities

As of late scientists have found more than 130 malware samples intended to misuse the recently disclosed Spectre and Meltdown CPU vulnerabilities that enable pernicious applications to sidestep memory isolation mechanisms in order to gain access to passwords, photographs, archives, mails, and other sensitive data.

Experts have cautioned that there could soon be remote attacks, not long after Spectre and Meltdown were unveiled on January 3, and to top that a JavaScript-based Proof of-Concept (PoC) misuse for Spectre had likewise been made accessible.

On Wednesday, January 17 an antivirus testing firm AV-TEST, announced that it has obtained 139 samples from different sources, including researchers, analysers and antivirus companies and had likewise observed 77 malware tests apparently identified with the CPU vulnerabilities making the number fairly rising to 119 by January 23. However, the experts do believe that the prevailing malware samples are still in the "research phase" and assailants are in all likelihood searching for approaches to extract more information from computers especially via the means of web browsers



“Most appear to be recompiled/extended versions of the PoCs - interestingly, for various platforms like Windows, Linux and MacOS,” says Andreas Marx, CEO of AV-TEST , further adds “We also found the first JavaScript PoC codes for web browsers like IE, Chrome or Firefox in our database now.”

Fortinet, which is likewise known for dissecting a significant number of the samples, affirmed that a larger part of them depended on accessible PoC code.

Processor and operating system vendors have been dealing with microcode and software alleviations for the Meltdown and Spectre attacks, yet the patches have regularly caused issues, prompting organizations ending refreshes and disabling alleviations until the point that such issues are settled.


Marx, in addition to the installing of the operating systems and BIOS updates, further proposed a couple of more suggestions that have a solid shot of reducing the attacks, two of them being: turning off the PC when it's not required for over an hour, and closing the web browsers amid work breaks. He is certain that by adjusting to these strategies the attack surface would diminish a considerable measure and furthermore save quite some energy.

Passteal : password-stealing malware disguised as keygen and ebooks

Password stealing malwares

Passteal, the malware that steals passwords stored in the browser using a password recovery tools, disguised as Key generators and Ebooks.

This indicates that the malware targets users who frequently use Torrent and other file hosting website to get hold of illegal copies of software.

While older variants use the password recovery tool "PasswordFox", the new variant uses 'WebBrowserPassView' tool to steal credentials stored in major browser apps such as Internet Explorer ver. 4.0-8.0, Mozilla Firefox 1.x-4.x, Google Chrome, and Apple Safari.

Once the malware extracts the data, it stores the stolen credentials in an .XML file and send the file to a remote FTP server.

According to TrendMicro malware report, the password recovery tool enables PASSTEAL to acquire all login credentials stored in the browser- even from websites using secured connections (SSL or HTTPS).

Japan's Search and Destroy Computer Virus : Endhiran film Style

Computer Virus Against Cyber Attack
Japan Govt developing a "Search and Destroy" computer virus capable of tracking, identifying and disabling sources of cyber-attacks. Fujitsu reportedly is working on the cyberweapon for Japan's Defense Ministry under a 178.5 million yen ($2.32 million) project initiated in fiscal 2008 by the ministry's Technical Research and Development Institute.


According to the yomiur's report , the program can identify the source of a cyber-attack to a high degree of accuracy for distributed denial of service (DDoS) attacks, as well as some attacks aimed at stealing information stored in target computers. In DDoS attacks, hackers send target websites enormous volumes of data, eventually forcing them to shut down.

CyberWeapon is developed for  defense only, however, Security experts fear the implications of such a tool falling into the wrong hands.


Endhiran Style:  In Endhiran film, hero develop a robot to help military that can search and destroy the bombs ,also enemies.   Unfortunately, in the middle of the film, the robot hacked by villan and turned to be malicious robot, it will destroy the city.

Likewise, BlackHat hackers can get this CyberDefense tool and modify it for malicious uses.

"Even a 'good' virus uses system resources such as disk space, memory and CPU time. On a critical system a 'good' virus could cause unexpected side effects." Sophos Security Researcher said.

"A "good" virus may trigger false positives from security software, costing time and money as IT departments respond to the alerts. " he added.

Rik Ferguson, a researcher for the security firm Trend Micro, said launching a virus designed to hunt down an attack could, in effect, have the exact opposite effect.

"If it's designed to spread autonomously, then system owners will have no opportunity to test whether its supposedly altruistic activities will have any negative impact on a running system," Ferguson wrote. "It will also consume bandwidth, disk space, memory and processor cycles, all adding to the load, just as a malicious worm does effectively creating a Denial of Service condition."

"Finally," he added, "it really wouldn't take much effort for criminal groups to take these white-hat tools and modify them for more malicious use, blurring the line even more between the 'good' and the bad and putting professional grade carrier mechanisms in the hands of criminals."

Possible Virus attack on Citibank Transactions : Man-in-Middle attack

Yash from Red Force Labs found have developed a Proof-of-concept malware almost a year back to attack Online banking using Man-in-Middle attack method. Recently he released a public video that demonstrates the MITM attack on Citibank India.

When a consumer transfers fund to A, this malware modifies the transaction to make sure it goes to B in real-time without user knowledge.

Man in Middle attack or Man in Browser attack is well known in the Internet Banking. Zeus is well known malware of this kind, which has stolen more than 200 US Million $ in many users accounts without the knowledge of consumers. Many Blackhat users have used Zeus Kit or Sources available and customized for different backs to steal money, this malware has capability to defeat two factor authentication based on Mobile. Few years back these types of attacks are not known, that does not mean it was not possible to perform this type of attacks, it was waiting to happen like many attacks are still waiting to happen in e-commerce world.

The demo explains how malware redirects the fund transfer to different Bank, different account number, increase amount. This malware is configurable, where attacker can mention any bank account as attacker account.This types of attacks are possible on many banks across the world and it is very sophisticated attacks, where malware does not need to steal authentication information of user


Backdoor R2D2 ~Government Trojan discovered by Chaos Computer Club

The Famous European hacker club, Chaos Computer Club(CCC) discovered the backdoor Trojan horse capable of spying on online activity and recording Skype internet calls which, it says, is used by the German police force.

For some years, German courts have allowed the police to deploy a Trojan known colloquially as "Bundestrojaner" ("State Trojan") to record Skype conversations, if they have legal permission for a wiretap.

But the CCC's claim is controversial, as the Trojan they have uncovered has more snooping capabilities than that. For instance, it includes functionality to download updates from the internet, to run code remotely and even to allow remote access to the computer - something specifically in violation of Germany's laws.

The malware has the following of functionality as per the Sophos's analysis:
* The Trojan can eavesdrop on several communication applications - including Skype, MSN Messenger and Yahoo Messenger.
* The Trojan can log keystrokes in Firefox, Opera, Internet Explorer and SeaMonkey.
* The Trojan can take JPEG screenshots of what appears on users' screens and record Skype audio calls.
* The Trojan attempts to communicate with a remote website.

A CCC spokesperson expressed the group's concern at the discovery:

"This refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown trojan is possible in practice – or even desired. Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully. In this case functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system."

Was the Trojan horse really written by the German authorities?
We have no way of knowing if the Trojan was written by the German state - and so far, the German authorities aren't confirming any involvement.

The comments in the Trojan's binary code could just as easily be planted by someone mischievously wanting the Trojan to be misidentified as the infamous the Bundestrojaner.

What we can say is that the phrase "0zapftis" has raised some eyebrows amongst the German speakers at SophosLabs. It's a play on a Bavarian phrase "The barrel is open", said by the mayor of Munich when he opens the first barrel of beer at the Oktoberfest.

But there certainly have been claims of German state-sponsored cyber-spying in the past. For instance, in 2008, there were claims that the BND - Germany's foreign intelligence service - deployed spyware to monitor the Ministry of Commerce and Industry in Afghanistan.

Everymonth number of Botnets increased in millions~ Report from Kaspersky


“Hundreds of thousands of machines are joining botnets every month. Most of these botnets are used to propagate spam or distribute malware that can be used in cyber espionage. Some of them are used in DDoS attacks or as proxies to commit other cybercrimes.",Vitaly Kamluk, Chief Malware Expert, Global Research and Analysis Team, Kaspersky Lab

According to Kamluk, the largest botnet is Conficker, with more than 8 million infected hosts, followed by TDSS with more than 5.5 million, Zeus with more than 3.6 million, and Koobface with more than 2.9 million.

"One could think that laws should be able to help us. Indeed, there is a law that prohibits unauthorized access to remote systems, i.e., third parties cannot use the resources of the other’s machine. However, cybercriminals successfully bypass this law. They utilize and exploit systems in any way they want – to commit crime, earn money, etc. At the same time we researchers come up against the same law – but in our case it prevents us from fighting botnets

As an example of what could be done but cannot even be contemplated, there are over 53 000 command and control (C&C) centers on the Internet (source: www.umbradata.com). In many cases we know where the C&C centers of these botnets are, so in theory we could contact the owner’s Internet Service Provider and ask it to take it down or to pass control of the center to us. This would be the right decision if we didn’t want to leave all those thousands of infected machines online - continuing to attack other machines. We could issue a command for a bot to self-destroy itself from within the botnet infrastructure (starting from the command center) and then take it down. But unfortunately this represents unauthorized access, and we are not allowed to issue such a command",Kamluk.

He recommended that law enforcement consider taking the following steps to help investigators in fighting botnets:

  • Carrying out mass remediation via a botnet;
  • Using the expertise and research of private companies and providing them with warrants for immunity against cybercrime laws in particular investigations, so they can collect more evidence, or bring down a malicious system when it cannot be accessed physically;
  • Using the resources of any compromised system during an investigation - so that we can place traps on compromised machines to get the source IP addresses of the attackers, and to bypass the mechanisms they use to hide their identities;
  • Obtaining a warrant for remote system exploitation - only in the cases when no other alternative is available. Of course this could result in cyber espionage. But if it is done properly – if the warrant is given for particular system, in a particular case, for particular timespan – this could bring positive results. Indeed, it could significantly change the cyber-threat landscape.”

MySQL.com is hacked and infected by Malware ~ Exploits Visitor's Broswer



MySQL.com is hacked and infected by Malware ,detected by HackAlert 24x7 Website malware monitoring platform. If you visit the website , your system will be infected by malware without your knowledge and crash your flash player,java.



 

Infection Process:
if you visit , you will run the malicious javascript code.

This code generates this Iframe
http://falosfax.in/info/in.cgi?5&ab_iframe=1&ab_badtraffic=1&antibot_hash=1255098964&ur=1&HTTP_REFERER=http://mysql.com/

and Throws out a 302 redirect to

http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php



This domain hosts the BlackHole exploit pack. It exploits the visitor's browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, ...), and upon successful exploitation, permanently installs a piece of malware into the visitor's machine, without the visitor's knowledge. The visitor doesn't need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection.

Currently, 4 out of 44 vendors on VirusTotal can detect this piece of malware.

Trend Micros said:
"We recently found an interesting post in a Russian underground forum in the course of our research. People exchange information about their illegal activities in these kinds of forums. We found a user in the forum with the handle ‘sourcec0de‘ and ICQ number ’291149′ who is currently offering root access to some of the cluster servers of mysql.com and its subdomains.

The price for each access starts at $3,000 USD, with the exchange of money/access being provided by the well known garant/escrow system, whereby a trusted third party verifies both sides of the transaction."


The mysql.com website is as of now, still serving this exploit and malware.

armorize.com trying to contact mysql.com