Linux Malware Mines for Cryptocurrency Using Raspberry Pi Devices

A Linux trojan detected under the generic name of Linux.MulDrop.14 is infecting Raspberry Pi devices with the purpose of mining cryptocurrency.

According to Russian antivirus maker Dr.Web, the malware was first spotted online in the second half of May in the form of a script that contains a compressed and encrypted application.

Experts say the initial infection takes place when Raspberry Pi operators leave their devices’ SSH ports open to external connections.

Once a Raspberry Pi device is infected, the malware changes the password for the “pi” account to:

$6$U1Nu9qCp$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1
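That hash is a usable indicator for anyone triaging a Raspberry Pi: it lands verbatim in the second field of the "pi" line in /etc/shadow. The following Python is an added defender-side example, not code from the Dr.Web write-up or the article; it scans shadow-format entries for the hash above, and the sample shadow lines (and the "same salt" weak indicator) are this example's own constructions.

```python
"""Check shadow-format entries for the password hash Linux.MulDrop.14 writes
into the 'pi' account (the hash quoted by Dr.Web). Run it against a copy of
/etc/shadow taken from a suspect Raspberry Pi; the sample below is constructed."""

# The SHA-512-crypt hash the trojan sets on the "pi" account (from the article).
MULDROP_PI_HASH = (
    "$6$U1Nu9qCp$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7"
    "BspmEH95POvxPQ3PzP029yT1L3yi6K1"
)

# Constructed sample: two locked service accounts, the trojan's hash on "pi",
# and an unrelated user with a different salt and a made-up hash value.
SAMPLE_SHADOW = "\n".join([
    "root:*:17300:0:99999:7:::",
    "sshd:!:17300:0:99999:7:::",
    f"pi:{MULDROP_PI_HASH}:17310:0:99999:7:::",
    "alice:$6$Ab12Cd34$constructedHashValueNotRealxxxxxxxxxxxxxxxxxxxxxxxx:17300:0:99999:7:::",
])


def parse_shadow(text):
    """Yield (user, password_field) for every non-empty, non-comment shadow line."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            yield fields[0], fields[1]


def split_crypt(password_field):
    """Return (scheme_id, salt) from a '$id$salt$hash' field; (None, None) for
    locked ('!', '*'), empty or otherwise non-modular-crypt fields."""
    parts = password_field.split("$")
    if len(parts) < 4 or parts[0] != "":
        return None, None
    return parts[1], parts[2]


def find_muldrop_indicators(shadow_text):
    """Return [(user, verdict)] for entries that match the MulDrop.14 hash.

    An exact match is the strong indicator. The same salt with a different
    hash is reported as a weak indicator worth a manual look (an assumption
    of this example, not something the article states)."""
    _, ioc_salt = split_crypt(MULDROP_PI_HASH)
    findings = []
    for user, field in parse_shadow(shadow_text):
        if field == MULDROP_PI_HASH:
            findings.append((user, "exact match: Linux.MulDrop.14 password hash"))
            continue
        scheme, salt = split_crypt(field)
        if scheme == "6" and salt == ioc_salt:
            findings.append((user, "same salt as the MulDrop.14 hash (weak indicator)"))
    return findings


if __name__ == "__main__":
    for user, verdict in find_muldrop_indicators(SAMPLE_SHADOW):
        print(f"{user}: {verdict}")
```

On a real system, read /etc/shadow as root and pass its contents to find_muldrop_indicators; a hit on any account, not only "pi", is worth treating as a compromise rather than a coincidence, since the salt is random under normal password changes.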


New Attack Method Delivers Malware Via Mouse Hover

The ‘mouseover’ technique relies on users hovering over hyperlinked text and images in Microsoft PowerPoint files to drop a Trojan.

Researchers have found a new form of attack that abuses the action of hovering over hyperlinked text and images in a Microsoft PowerPoint presentation.

Trend Micro researchers discovered the “mouseover” technique, used by a Trojan downloader also found in a spam campaign hitting EMEA businesses in the manufacturing, education, pyrotechnics, logistics, and device fabrication industries. The downloader they analyzed delivers a version of the OTLARD banking Trojan, also known as GootKit.

“This is the first occurrence of malware using the ‘hover’ method to initiate a download that we know of,” says Mark Nunnikhoven, Trend Micro’s VP of cloud security.

“While GootKit is known malware, businesses should be more concerned about this latest technique as it shows none of the usual indicators of an infected document,” he explains. This is novel because it abuses the previously safe user practice of hovering over a link before clicking.

Home Depot is latest to confirm Data Breach

The home improvement retailer confirms its customers’ payment card data was breached in an incident that is believed to have begun in April, likely compromising millions of card accounts.

One of North America’s largest retailers has confirmed that it was successfully compromised in a months-long campaign by attackers, resulting in what is believed to be the compromise of millions of customer payment cards.

In a long-awaited statement issued late Monday, Home Depot acknowledged that its payment card-processing system was breached, affecting payment card data belonging to customers of stores in the U.S. and Canada.

The Atlanta-based home improvement retailer said its investigation is focusing on April 2014 forward, indicating that the breach event may have been months long, spanning from April through August or early September.

“While the company continues to determine the full scope, scale and impact of the breach, there is no evidence that debit PIN numbers were compromised,” Home Depot said in the statement. It did not reveal the number of payment card accounts that may have been compromised.

It first learned of the breach via reports from banking partners and law enforcement on the morning of Sept. 2, according to the statement, and began its investigation immediately.

The company said that following the discovery of the breach, it has taken “aggressive steps to address the malware and protect customer data,” which included hiring security vendors Symantec Corp. and FishNet Security Inc. to investigate the breach.

Investigative security journalist Brian Krebs was first to report the Home Depot breach a week ago after multiple banks informed Krebs that they had identified stolen card data purportedly originating from Home Depot retail locations for sale on a popular black market website.

Krebs reported Sunday that a source close to the Home Depot investigation revealed that the breach was at least partially caused by a new variant of the Kaptoxa or BlackPOS point-of-sale malware used in last December’s massive Target Corp. data breach, causing speculation that the same attacker or group of attackers may be behind both breaches.

While Home Depot said there is no evidence that customers’ debit card and PIN numbers were compromised, Krebs reported late Monday that banks have seen a spike in debit card fraud. He wrote that digital criminals are using the data stolen from Home Depot to contact banks in an effort to reset customers’ debit card PINs and in turn withdraw cash from ATMs using fabricated debit cards.

Early indications suggest the Home Depot breach may dwarf the Target data breach, particularly if a four-plus-month breach event affected nearly all of the retailer’s more than 2,200 stores across the U.S. and Canada.

By comparison, the Target breach that resulted in the compromise of some 40 million payment cards reportedly only occurred during a three-week period last year and affected just under 1,800 stores. That breach played a role in a string of bad financial results for the company, including $146 million in breach-related expenses outside of insurance coverage, and culminated in the ousting of Target CEO Gregg Steinhafel and other long-time executives.


Thousands of Apple devices being infected with AdThief malware

Security researcher Axelle Apvrille recently published a paper about AdThief, a malware aimed at hijacking ad revenue from reportedly 75,000 infected devices. First discovered in March 2014, and also known as “spat,” the malware, which comes disguised as a Cydia Substrate extension, was found to replace the publisher ID of publishers with that of the malware creator, effectively attributing all ad revenue to him.

iOS/AdThief!tr
iOS/AdThief!tr hijacks advertisement revenues and redirects them to accounts owned by the attackers.

A publisher ID is used to identify a publisher’s account on an ad platform, which helps track revenue generated by said publisher. By swapping publishers’ IDs with his own, the malware creator was able to hijack revenue from about 22 million ads. In effect, when clicking on an ad, an infected user would generate ad revenue for the attacker instead of the developer of the application or website.

  • Infected devices: ~75k
  • Total activate times: ~22m
  • Daily activate times (around 3/20/2014): ~22k

The malware was designed to target ad kits from 15 ad networks, including Google-owned AdMob and Google Mobile Ads, both representing a large share of mobile advertising at least here in the US. Other American companies targeted by AdThief are AdWhirl, MdotM, and MobClick. The remaining targeted ad networks were all from China or India.

TARGETED ADKITS

A list of mobile adkits targeted by the malware is provided in a report: YouMi, Vpon, MobClick, Umeng, AdSage/MobiSage, MdotM, InMobi, Domob, AdWhirl, AdsMogo, Google Mobile Ads SDK, AderMob, Weibo, MIX SDK and Poly SDK. The majority of these are Chinese, four are based in the US, and two in India.

In his report, Xiao remarks that Weibo is a popular social network in China, but is unable to attribute MIX SDK and Poly SDK more precisely. In fact, Sina Weibo, introduced in 2013, is an advertisement SDK, so that solves one mystery.

MIX SDK can be attributed to GuoHeAD. It probably refers to the GuoHe MIX platform for cross-promotion of mobile games. This is also backed up by the name of a source file found in the malware: /Volumes/MacOsStore/Project/IOS/SpAd/SpAd/AD_GuoHe.xm.

Finally, Poly SDK is not a new adkit: it corresponds to AderMob. This is confirmed when downloading the AderMob iOS SDK.

Hijacked advertisements in iOS/AdThief

Adkit                        Website                                Country
AderMob                      http://adermob.renren.com/             China
AdMob and Google Mobile Ads  http://www.admob.com/                  USA
AdsMogo                      http://www.adsmogo.com/en              China
AdSage/MobiSage              http://www.adsage.com/mobiSage         China
AdWhirl                      http://www.adwhirl.com                 USA
Domob                        http://domob.cn                        China
GuoHeAD                      http://www.guohead.com                 China
InMobi                       http://www.inmobi.com                  India
Komli Mobile                 http://www.komlimobile.com/index       India
MdotM                        http://www.mdotm.com                   USA
MobClick                     http://www.mobclix.com                 USA
UMeng                        http://www.umeng.com                   China
Vpon                         http://vpon.com                        China
Weibo                        http://us.weibo.com                    China
YouMi                        http://www.youmi.net                   China

Implementation details of adkit hooks found in iOS/AdThief.A!tr

Adkit                            Source filename      Typical class names
AderMob                          AD_Ader.xm           AderSDK*
AdMob and Google Mobile Ads SDK  AD_AdMob.xm          GAD*
AdsMogo                          AD_AdsMongo.xm       AdMoGo*
AdSage                           ?                    MobiSageAd*
AdWhirl                          AD_Adwhirl.xm        AdWhirl*
Domob                            AD_DoMob.xm          DM*
GuoHeAD                          AD_GuoHe.xm          MIXView*
InMobi                           AD_InMobi.xm         IMAd*
Komli Mobile                     AD_KomliMobile.xm    APIManager*
MdotM                            AD_MDotM.xm          MdotM*
MobClick                         ?                    MobClick*
UMeng                            AD_UMeng.xm          UMUFP*
Vpon                             AD_Vpon.xm           VponAdOn*
Weibo                            AD_Weibo.xml         DXAdHWB*_
YouMi                            AD_Youmi.xm          YouMi* (delegated to Google Ads)

Conclusion

iOS/AdThief is a technical and malicious piece of code which hijacks revenue from 15 different adkits. It is built on top of the Cydia Substrate platform, available for jailbroken devices, which provides it with an easy way to modify advertisement SDKs. With Substrate, the malware needs only to focus on the call and implementation of each hook.

At first, the identification of every adkit the malware targets was difficult because the code mentions only class names used by each adkit SDK. However, the fact that the malware author did not strip out debugging information helped us to identify all 15 adkits. In particular, this is how support for Komli Mobile and GuoHeAD was detected.

Links

  • Get the bulletin here
  • Read Claud Xiao’s report here

Checking if a site is safe to visit

If you want to make sure that a site you are about to visit is safe, do the following:

Append the URL you want to check to the end of this URL:

http://www.google.com/safebrowsing/diagnostic?site=

Google will then return four sets of security information about that page.

  1. The current listing status of the site, and how often the site or parts of it were listed in the past.
  2. The last time Google analyzed the page, when it was last malicious, what kind of malware Google encountered, and so forth.
  3. Whether the site facilitated the distribution of malicious software in the past.
  4. Whether the site has hosted malicious software in the past.

How Not to Go Phishing

What is phishing?

Phishing is the act of trying to secure information from someone by impersonating someone else in an electronic communication, such as email. It is common for attackers to send out emails with links or attachments that attempt to secure information from you or even take control of your computer.

Why should I care about phishing?

By email, attackers use phishing to get access to your sensitive and confidential information. It is common practice for the attackers to impersonate a trusted person or company in an attempt to collect enough information to steal your identity or confidential information from your employer. These emails can also include attachments containing malware that can affect your computer when opened.

Attackers are very sophisticated these days and can easily set up bogus websites that steal your information without you realizing it, or realizing it too late. For example, an attacker can send you a link to a very real-looking but “fake” website, prompting you for information (i.e. name, address, telephone, bank account information, credit card information, social security number) that they can use for personal gain.

List of phishing techniques

  • Phishing
    • Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.
  • Spear Phishing
    • Phishing attempts directed at specific individuals or companies have been termed spear phishing. Attackers may gather personal information about their target to increase their probability of success.
  • Clone Phishing
    • A type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a re-send of the original or an updated version of the original.
    • This technique could be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the social trust associated with the inferred connection due to both parties receiving the original email.
  • Whaling
    • Several recent phishing attacks have been directed specifically at senior executives and other high profile targets within businesses, and the term whaling has been coined for these kinds of attacks.

How can I spot a phishing attempt via email?

  • Determine who is sending the email. Is it from a trusted source? Or is it from an address that you don’t recognize?
  • Is the sender asking you to click on a link? Or open an attachment? Scrutinize it before taking any action!
    • If links are provided, hover over them to see where you will be directed. If the email is from a known entity but the link takes you somewhere else, do not click on it. Clicking will let the sender know that they reached an active email address, and they may continue to target you in future phishing attacks.
    • If an attachment is included, only open it if you trust the sender. You can always scan it for viruses prior to opening it, to ensure that it does not contain a virus.
  • Pay close attention to the body of the email. If you spot misspellings or bad grammar, be cautious.
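The hover check from the list above (does the link go where its text says it goes, and does it stay on the sender's domain?) can be automated for mail triage. The Python below is an added example and is not part of the original article: it parses the anchors in an HTML message body and flags the two mismatches just described. The sample message and the .example domains are constructed, and the registrable-domain comparison is a deliberate simplification (last two labels, no public-suffix list).

```python
"""Automate the 'hover over the link' check: compare where an HTML e-mail's
links say they go with where they actually go. Sample message is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:       # text inside the open <a>, nested tags included
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_domain):
    """Lower-case hostname of a URL or a bare domain ('' if none)."""
    s = url_or_domain.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def registrable(host):
    """Last two labels, e.g. 'login.mybank.example' -> 'mybank.example'.
    Simplification for this example: production code should use a public-suffix list."""
    return ".".join(host.split(".")[-2:])


def looks_like_domain(text):
    """True if the anchor's visible text is itself a URL or domain name."""
    return "." in text and " " not in text


def suspicious_links(html_body, sender_host=None):
    """Return [(visible_text, href, reason)] for links that fail the hover check."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.anchors:
        if not href.lower().startswith(("http://", "https://")):
            continue  # mailto:, tel: and fragment links are out of scope here
        dest = host_of(href)
        if looks_like_domain(text) and registrable(host_of(text)) != registrable(dest):
            findings.append((text, href, "visible text and destination differ"))
        elif sender_host and registrable(dest) != registrable(sender_host):
            findings.append((text, href, "destination not on sender's domain"))
    return findings


# Constructed sample: a legitimate link, a link whose text hides its real
# destination, and a generic "click here" pointing off the sender's domain.
SAMPLE_EMAIL = """
<p>Dear customer, please review your account.</p>
<a href="https://www.mybank.example/help">Help centre</a>
<a href="http://mybank.example.evil.example/login">https://www.mybank.example/login</a>
<a href="https://evil.example/verify">Click <b>here</b> to verify</a>
"""

if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_EMAIL, "mybank.example"):
        print(f"{reason}: '{text}' -> {href}")
```

The second anchor is the classic case the list warns about: the text reads as the bank's own URL while the href leads to a host under a different registrable domain. Pass the domain of the claimed sender (from the From: header) as sender_host to also catch the "Click here" pattern, where the text gives no clue at all.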

What to do?

  • Delete email and text messages that ask you to confirm or provide personal information (credit card and bank account numbers, Social Security numbers, passwords, etc.). Legitimate companies don’t ask for this information via email or text.
  • The messages may appear to be from organizations you do business with – banks, for example. They might threaten to close your account or take other action if you don’t respond.
  • Don’t reply, and don’t click on links or call phone numbers provided in the message, either. These messages direct you to spoof sites – sites that look real but whose purpose is to steal your information so a scammer can run up bills or commit crimes in your name.
  • Area codes can mislead, too. Some scammers ask you to call a phone number to update your account or access a “refund.” But a local area code doesn’t guarantee that the caller is local.
  • If you’re concerned about your account or need to reach an organization you do business with, call the number on your financial statements or on the back of your credit card.

Report Phishing Emails

Forward phishing emails to spam@uce.gov – and to the company, bank, or organization impersonated in the email. You also may report phishing email to reportphishing@antiphishing.org. The Anti-Phishing Working Group, a group of ISPs, security vendors, financial institutions and law enforcement agencies, uses these reports to fight phishing.

If you might have been tricked by a phishing email:

  • File a report with the Federal Trade Commission at www.ftc.gov/complaint.
  • Visit the FTC’s Identity Theft website. Victims of phishing could become victims of identity theft; there are steps you can take to minimize your risk.

New iOS malware highlights threat to Apple mobile devices

A newly-discovered malware dubbed Unflod Baby Panda is stealing Apple ID credentials from jailbroken iPhones and iPads, warn security researchers.

Unflod hooks into the SSLWrite function of an infected device’s security framework, according to a blog post by German security firm SektionEins.

The malware is designed to listen for outgoing connections. Once it recognises an Apple ID and password, it sends these unencrypted IDs and passwords to the cyber criminals behind the malware.

The Unflod malware also highlights the risks of installing unknown apps on jailbroken iPhones.

Reports of the malware targeting Apple iOS emerged in posts on reddit by iOS users hit by repeated system crashes after installing iOS customisations that were not part of the official Cydia market.

A developer for the Cydia market, an alternative to the Apple App Store, has responded to the news in a reddit comment, saying that the probability of Unflod coming from a default Cydia repository is fairly low.

However, he added: “I don’t recommend people go adding random URLs to Cydia and downloading random software from untrusted people any more than I recommend opening the .exe files you receive by email on your desktop computer”.

Point-of-sale malware infecting Target found hiding in plain sight

Independent security journalist Brian Krebs has uncovered important new details about the hack that compromised as many as 110 million Target customers, including the malware that appears to have infected point-of-sale systems and the way attackers first broke in.

According to a post published Wednesday to KrebsOnSecurity, point-of-sale (POS) malware was uploaded to Symantec-owned ThreatExpert.com on December 18, the same day that Krebs broke the news of the massive Target breach. An unidentified source told Krebs that the Windows share point name “ttcopscli3acs” matches the sample analyzed by the malware scanning website. The thieves used the user name “Best1_user” to log in and download stolen card data. Their password was “BackupU$r”.
