GLOBAL SECURITY ADVISOR RESEARCH BLOG

Hoax Lottery emails from Mark Zuckerberg

Wed, 02 May 2012 12:38:27 GMT

Scam lotteries have been a frequent issue in the past and they continue to exist following the media trend. Total Defense Intelligence Service (Research ISI Team) today caught an interesting email pretending to come from Facebook’s CEO Mark Zuckerberg. The email clearly informs of a fake lottery win, getting the user to contact a Mr. Douglas Price as a fiduciary agent who will handle the...

Ransomware exploits Microsoft Windows Update Center Service

Fri, 27 Apr 2012 14:03:16 GMT

Our first indicators of ransomware were trojanised emails masquerading as police warnings against end users. (Ransomware Exploits the Italian Police) and now it seems to have evolved into leveraging a Fake Windows Update system. It is the result of an aggressive campaign originating in Germany where users receive emails similar to the following:

Beware of False E-Commerce Websites

Fri, 27 Apr 2012 10:49:19 GMT

It is a very common habit of internet users to download the videos or unknown software from the reputed video sharing websites. There is nothing un-common in doing so, but there could be a chances of luring the users in the form of presenting advertisements to the types of interesting draw contests of false websites which in turn loss of money if attempted to purchase. I have come across the...

Digital Resurrections - malicious links piggybacking on trending videos

Fri, 20 Apr 2012 11:56:09 GMT

News trending on most major, and a few tech websites, is the re-animated emergence of a digital avatar resembling a long deceased musician. 2Pac videos have gone viral, and as expected it’s almost too good an opportunity for the malware guys to pass up. It must be mentioned that the video format itself is not immune to embedded malicious links, but this time, the links are far more...

OSX/SabPub - New Backdoor Malware Threat for Mac OS X

Wed, 18 Apr 2012 11:19:30 GMT

Another new malware has been discovered that exploits the CVE-2012-0507 Java Vulnerability, the same vulnerability that OSX/Flashback used. The latest variant of this threat have been found using the same exploit that OSX/MS09-027!exploit used. This new malware is taking advantage of an old vulnerability in Microsoft Word (MS09-027). This vulnerability has been already patched since 2009, which...

Fraud Wiki Repair Guide

Tue, 17 Apr 2012 14:50:30 GMT

Nowadays, there are a lot of Wiki pages on the internet that contains useful information on a wide range of topic that usually a community of people populate. But not all information that can be found can be trusted. One particular example is the Wiki that distributes the Fraud “PCCleaner Pro 2012”. Upon accessing the main page, it shows a lot of common error that people...

Malware Targeting Windows and MAC OSX

Thu, 12 Apr 2012 13:45:45 GMT

Malware is getting more and more sophisticated as the days goes by. Windows platform is the usual target for infection of malware authors but this time they add one more target platform, Mac OSX. Recently, another Tibetan-themed malware has been discovered which takes advantage of a patched Java Vulnerability (CVE-2011-3544). When a user unknowingly visits malicious website, the attack will...

Mac OS X Threat Flashback is Back!

Thu, 12 Apr 2012 13:09:38 GMT

OSX/Imuler is not the only Mac OS X threat that has resurfaced this year. OSX/Flashback has been making its rounds again. As you can remember, OSX/Flashback has appeared last year and disguised as Adobe Flash Player Installer. The previous variants connects to remote host to download its component files and installing backdoor that injects to web browsers and other applications in order to steal...

Mac OS X Threat Masquerading as Image Files

Wed, 11 Apr 2012 17:30:47 GMT

Last year, a variant of OSX/Imuler has been discovered and masquerades as an innocent PDF Document. Recently, a new variant of OSX/Imuler has been discovered and masquerading as image files of the popular Russian model Irina Shayk. The malicious application is placed inside a ZIP archive together with other various image files taken from the FHM magazine. By default, MAC OS X doesn’t...

MS09-027 Target: Mac OSX & Tibetan NGOs

Wed, 11 Apr 2012 16:42:21 GMT

Lately, the number of malware targeting Mac OSX has been rising. A new malware that exploits an old vulnerability has been found. A new malware is taking advantage of an old vulnerability in Microsoft Word (MS09-027). This vulnerability has been already patched since 2009, which could allow remote code execution if a user opens a specially crafted Word file. This malware is detected as...

Family Ties Between Android Malware

Fri, 30 Mar 2012 13:55:44 GMT

While sorting the recent mobile malware collections, I stumbled on a sample which was submitted today. The sample has neither any new break-through payload nor any advanced functionality. However, what makes this interesting is the fact that it has included features seen in couple of different malware families. So, What does it do? It is a typical SMS Trojan that sends SMS to premium message...

Rogue Security Software keeps on hitting Internet users

Wed, 28 Mar 2012 16:39:03 GMT

We thought the rogue security software trend went down this year, but in truth we are witnessing two new reported incidents by users and customers of rogues. According to data obtained, in only one month of monitoring the process of Winwebsec we have seen an impressive number of reported incidents which, in terms of numbers, translates into almost 7,000 issues.

Android Malware adopts reflections

Mon, 12 Mar 2012 09:54:41 GMT

In our earlier blogs, we have highlighted how Android Malware authors are quickly adopting various tricks from the age-old and vast pool of desktop Malware tricks. In this blogpost, we will talk about one such trick which is an adoption from desktop malware. While processing a recent bunch of malware collections, we have noticed heavy use of reflections in quite a few Android samples. It is...

Tax refund spams are back

Wed, 07 Mar 2012 00:00:00 GMT

It's that time of the year when people in some parts of the world are filing their tax returns, and what better time for cyber crooks to trick them into falling prey for phishing attacks via emails. India has been reported in recent malware threat reports as one of the regions with high spam activity and this blog will briefly discuss a very convincing social engineering spam I ran into...

Android Social Engineering Threats in the Spotlight

Mon, 27 Feb 2012 11:08:45 GMT

In all of our earlier blogs about the Android threats, we have highlighted the fact that user awareness is one of the most important factors to fight against the social engineering threats. Yesterday, a familiar Android threat was making news powered by a sound social engineering trick. This blog looks at the differences/similarities of the different variants of this particular bunch of...

FTC investigating privacy disclosure practices of popular mobile apps

Fri, 17 Feb 2012 20:12:02 GMT

In a staff report released yesterday the FTC investigates the level to which App vendors are disclosing the types of data they collect on children and how that information is used. The report is worth a good review as it highlights the general lack of notice provided to parents in the majority of Apps reviewed. A total of 960 Apps specifically targeting children were...

Password Best Practices

Tue, 24 Jan 2012 18:17:51 GMT

Often the disclosure of a password is no fault of our own but rather the result of a website or application compromise. Use these tips to develop a password management strategy that will dramatically decrease your overall risk if any one of your passwords is compromised. Hopefully the next time you have to create a strong password it won't take nearly as long to think up something secure.

Ransomware Exploits the Italian Police

Mon, 19 Dec 2011 23:12:31 GMT

Today, Total Defense Research Team was informed of new ransomware circulating among Italian users pretending to be an official statement by the Italian Police. This malware is spread by drive-by-download through websites compromised with malicious JavaScript code.

Detailed analysis of malware sample removed from android market

Tue, 13 Dec 2011 00:00:00 GMT

Earlier yesterday, a few SMS Trojans were found in Android Market and subsequently removed from the market place. In this blog post, we will be demonstrating some of the interesting behaviours uncovered through dynamic analysis.

The woes of a Physical Security breach

Fri, 09 Dec 2011 00:00:00 GMT

This blog is written to emphasize the importance of physical security in this current day and age. I myself am a victim to a recent physical security breach that happened with Lucky Superstores in the United States, which has resulted in the theft of debit card details of many of its customers. It has been confirmed that more than 20 stores are affected through the 500 or more self-checkout...

New Zero-Day Attack in Adobe Products (CVE-2011-2462)

Thu, 08 Dec 2011 00:00:00 GMT

Recently, Adobe has released a new security advisory, APSA11-04, alerting users about a critical vulnerability in Adobe Reader and Acrobat. The U3D memory corruption vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system. This means that the malicious files could be downloaded or dropped on the affected system. Adobe is in the...

‘Duqu’ 0-day exploit gets a temporary fix

Tue, 08 Nov 2011 00:00:00 GMT

Not long ago, the malware called Stuxnet made its foray into the world of Internet capturing people's attention. This was the first malware of its kind which embodied payload that impacted not only software running on infected machines but also affected attached Industrial processes. This malware's impact was very unique, targeted and revolutionary in nature. In September 2011, a new malware...

Analysis of an Android Malware family doing multi impersonations

Mon, 03 Oct 2011 00:00:00 GMT

Last week, we have blogged about an Android malware that was impersonating as a popular browser (http://totaldefense.com/securityblog/2011/09/23/The-SMSer-Trojan-Returns-as-Fake-Browser-Again.aspx). This time we present the analysis of another interesting Android malware to highlight its noteworthy features that users need to be aware of. This sample shows how easily such kind of impersonating...

Mac OS X Threat Disguises as Adobe Flash Player Installer

Wed, 28 Sep 2011 00:00:00 GMT

Another new Mac OS X Threat has been discovered and disguises as Adobe Flash Player Installer. Like other malware, it also uses social engineering tricks to lure users to download the malware. Once the user unknowingly visited a malicious website to watch a video, it will prompt the user that the Adobe Flash plugin has crashed

Mac OS X Threat Masquerading as a PDF Document

Tue, 27 Sep 2011 00:00:00 GMT

A new Mac OS X Threat has been discovered masquerading as an innocent PDF document with a controversial topic. It is implementing one of the techniques used by windows malware to hide its malicious activity. When the Mac malware is executed, it attempts to drop and execute a non-malicious PDF file in the /tmp folder [Figure 1]. The PDF file and the content is intended to distract the user and...

The SMSer Trojan returns as Fake Browser Again.

Fri, 23 Sep 2011 00:00:00 GMT

A few months ago, we blogged about an increasing trend of SMSer Trojans disguising themselves as popular browser applications targeting the users of smart phones with support for J2ME. For the past few days, we have been observing a similar trend in the influx of SMSer Trojans posing as browser applications in our sample processing channels. However this time, they are actually targeting Android...

The Case of Spitmo, Analysis with Andbug and Profiler.

Tue, 13 Sep 2011 21:44:02 GMT

A few weeks ago, we have witnessed Zitmo arriving to Android landscape http://totaldefense.com/securityblog/2011/08/29/ZBot-Targeting-Android-Users.aspx. As it was widely predicted earlier, fellow researchers at Trusteer discovered that now Spitmo emerges for the Android platform. We, like the worldwide research community, have taken the the growth of Android malware very seriously.

Free Facebook t-shirts at the cost of your Personal Information?

Fri, 09 Sep 2011 16:06:41 GMT

Free Facebook t-shirts at the cost of your Personal Information? Just like the many other social-engineering spam attacks observed on Facebook, the recent one which offers victims free t-shirts as its 7th Anniversary special gift, seem to have gained quite a bit of popularity. If stats are to be believed, [Figure 1, courtesy hacker9] quite a few people have fallen victim to this like-jacking...

Stay Safe With Your Twitter Account.

Fri, 09 Sep 2011 00:00:00 GMT

Twitter is a nice social network that allows you to send very quick messages to your colleagues and friends alike indicating what you are doing, where you are located and so on. The main feature of this social network is the so-called “Following Tweets,” which is a way to inform you that somebody is following your tweets. Twitter is a powerful platform because it easily allows you to...

How to mitigate the “Supercookies”

Mon, 22 Aug 2011 00:00:00 GMT

"Supercookies" (Local Shared Object), or flash cookies as they are otherwise commonly called, and their implication on the privacy of Internet users have been a hot topic in the security- news blogs lately. "Cookies", as most of you already know, are small text files that are used to keep small pieces of browsing information stored on a computer to track and retain user preference information...

China’s Black Market: an Analysis

Mon, 15 Aug 2011 00:00:00 GMT

The Black Market is not new at all, and we know it exists because illegal products or services are readily available, such as drugs, sex, stolen goods, etc. These days I have been impressed by the increase in the number of emails targeting Italian users with offers of electronic goods sold at very interesting prices. Everyday my personal inbox is stuffed with emails coming from people pretending...

New SDK, Old tricks - SillyDl repackaged!

Thu, 04 Aug 2011 00:00:00 GMT

Routine processing of our large volume collections has unearthed a sample that seems noteworthy to be mentioned. Digging deeper revealed it was indeed a simple variant descending from a very old and familiar family of Java based Trojans [Java/SillyDl] Intricacies of its execution This sample's payload is same as what the age old downloader agents are known to do. By Design, It downloads...

SpyEye Behind Cyber-fraud

Thu, 04 Aug 2011 00:00:00 GMT

SpyEye is now very well known within all security communities and security blogs of the world. The latest version of the SpyEye tool includes very powerful capabilities, specifically designed to steal sensitive data from Windows users conducting monetary transactions over the Internet. The Trojan tool is sold on the underground market and in cybercrime forums to be used by cybercriminals....

A Trojan spying on your conversations

Mon, 01 Aug 2011 00:00:00 GMT

We have been recently blogging about many Android malware as the threat landscape has been witnessing an increasing trend in targeting the mobile platforms and today we have received an Android package to our collection and observed that this piece of malware walks an additional mile by having a neat configuration and has a capability to record the telephonic conversation the infected victim...

LulzStorm hits Italian Universities

Tue, 19 Jul 2011 00:00:00 GMT

Lulz team seems to have their signature on the Security page almost on a weekly basis. Just today, “The Sun” newspaper’s online home-page has been defaced, playing on the recent Murdoch issue but the most recent and interesting case certainly remains the attack to Italian Universities. On its Twitter page LulzStorm posted a supposed dump of the databases of 18 Italian...

UNIFORM TRAFFIC TICKET Not from New York State Police

Mon, 11 Jul 2011 00:00:00 GMT

The first thing that most computer users do in the morning is to check their email. So recently just as usual I too checked my Inbox and spam folder. However there was one email [Figure 1] in my Spam folder that got my attention. It seemed suspicious and I did not want to fall into a trap so I carefully reviewed it. This blog details my findings. The email is disguised as a "Traffic Ticket"...

ZBot Targeting Android Users

Fri, 08 Jul 2011 00:00:00 GMT

Earlier this week, in the security researcher forums there have been a round of discussions regarding Zbot attacking Android users and today fellow researchers from Fortinet have managed to find a sample that actually does it. Though this sample has been in the wild for some time, it was found now that it is actually the one that Zbot uses to target its victims. In this blog, we will...

Dynamic Analysis of Golddream.A Trojan

Thu, 07 Jul 2011 00:00:00 GMT

This is a recent malware that targets the Android platform. This Trojan like many typical social engineering Trojans, comes bundled with a game. The credit for discovering it goes to Prof.Xuxian Jiang. Since we have published static analysis of such Trojans in our earlier blogs, this blog covers the dynamic analysis of the Trojan in a controlled environment. Please note that this blog post...

Rootkit Infection: MBR wanted!

Thu, 30 Jun 2011 00:00:00 GMT

We recently witnessed another rootkit infection which raised the attention of the press and Microsoft users. It is again a high profile malware whose target is the hard drive’s master boot record (MBR) corrupting the bootstrap of the Windows Operating System. Once run the malware follows the steps below:Open file: \\.\PhysicalDrive0Create File: hello_tt.sys The first step of the malware is...

QR Code: a channel to spread malware?

Mon, 14 Feb 2011 00:00:00 GMT

Not everyone knows what a QR Code is or how they can be used. A QR Code is a specific matrix barcode (or two-dimensional code), readable by dedicated QR barcode reader. There are many QR Code Reader apps available today for camera phones. The code consists of black modules arranged in a square pattern on a white background. The information encoded can be text, like a URL, or other data.