GLOBAL SECURITY ADVISOR RESEARCH BLOG

Viruses Paradise: The romance between hackers and online computer games.

Wed, 22 May 2013 10:37:41 GMT

Games, especially online games, are fertile ground for spreading viruses and malicious software. Here’s how it works and what can you do in order to protect yourself. You could say that I was a gamer for too many years and experienced most generations of PC games since I got my first Commodore64 in 1986. Just like many others, I became a collector of 5.25” floppy disks containing...

China broke the "ceasefire" cyber war with the U.S.

Tue, 21 May 2013 13:13:57 GMT

Multiple attacks on U.S. companies and probably also on government systems. It seems China's hacker army resumed its attacks after 3 months of silence. The exact identity of targets hit by latest assault is not fully known, but it seems to be in many companies and government bodies that were also hit by the prior assault in February by a group called "Unit 61398" that was also attributed to...

Ragebooter: DDoS attacks sponsored by the FBI?

Mon, 20 May 2013 09:27:40 GMT

Malicious sites that offer attack services are not strangers on the Internet, but web sites sponsored by law enforcement is another story altogether. Introducing : Ragebooter Site called Ragebooter.net allows users to pay for removal of sites from the network, using DDoS attack. Unlike other existing sites that offer similar services, the Ragebooter have particularly interesting back door...

Russian Girls Spam

Mon, 20 May 2013 09:20:05 GMT

Recently a new kind of spam emails appeared. The email body is always short and looks like love letter: The moment you kissed me at my doorstep, I know I am yours forever. With loads of hugs and kisses, Akilina. The email body text is highly variable and therefore resistant to spam filters (except of the dating site URL). There are never any attachments, font styles and colors, modified words...

An alarming surge in the number of Android malware.

Mon, 20 May 2013 09:03:32 GMT

During the first quarter of 2013 there has been a very high growth rate ever seen of new malware penetration into the market. The trend indicates a growing number of professional malware vendors that work systematically to find loopholes in the operating systems. The number of malware activities which threaten smart phones and tablets surged in the first quarter of 2013 and climbed rapidly,...

New Facebook Trojan will do Shares and Likes on your behalf.

Mon, 13 May 2013 08:40:49 GMT

A new Trojan is infecting Facebook and distributes itself by sharing links on your behalf. This new malware attack focuses on the users' Facebook profile. The malware is a Trojan Horse transmitted through a browser plugin, detected so far in Firefox and Chrome. Tracking shows that the Trojan horse was first identified in Brazil, and its main activity is monitoring and testing whether the...

Fake email supposedly sent by Delta Airlines.

Thu, 09 May 2013 08:43:03 GMT

If you get an e-mail from the American airline - ‘Delta’ where you are asked to confirm the purchase of a ticket you allegedly purchased using your credit card, it is quite possible that this is a cyber-attack designed to tempt you into clicking a link, which in turn will infect your computer with malware. The malware, is a variant of the malicious Zeus, which is known for...

Playing the Blame Game

Tue, 07 May 2013 11:30:43 GMT

Whose fault is it? New zero-day vulnerability announced and race is on for the application vendor to plug it. Take the case with Microsoft’s recent IE8 zero-day admission (http://technet.microsoft.com/en-us/security/advisory/2847140), apparently being used by Chinese hackers to target nuclear researchers using Windows XP, sounds like something out of a Robert Ludlum novel, but...

NewFake Anti-Virus: Secure Bit.

Tue, 07 May 2013 11:15:05 GMT

Another imposter anti-virus software calling itself ‘Secure Bit’ is trying to fraudulently get users' money after it convinces them that their computer is infected with viruses. If the user is not cooperating with the demands, the software locks the screen. This anti-virus software pretender combines two methods of fraud – the fake anti-virus software and a malware that...

Smartphone as a security breach to our private lives.

Tue, 07 May 2013 11:06:49 GMT

Today, we do almost everything with our smartphone, but on the way we forget it is a computer in every way and our personal information may be in danger. The first mistake of the average smartphone user is the belief that these devices are safer from your home PC and in most cases they are not aware of the tremendous amount of personal and business information that is stored on their device....

Zeus for Sale

Fri, 03 May 2013 08:20:08 GMT

The veteran Trojan Horse named ‘Zeus’ , which is active since 2007 and managed to knock many enterprise networks now returns thanks to a Facebook page that was set up for it. While in the meantime the page in question has been removed from the social network, there have been a variety of botnet updates on various security loopholes and various updates added to Zeus making...

Boston Marathon - malicious emails

Thu, 25 Apr 2013 10:26:48 GMT

The things that Virus Writers are doing are always bad and unwanted. But sometimes they are even disgusting. Using very sad events such as wars or terror acts are making this difference. People spend their time to get rid of unwanted emails all the time and now Virus Writers are using Boston Marathon tragedy for their "social engineering tricks".

Mobile devices malware detection by Cross-Feature Analysis

Tue, 23 Apr 2013 08:36:40 GMT

A new method for identification of mobile devices malware, which usually are not detected by the common detection methods, and uses advanced methods of machine learning. Cellular phones security is an intensively studied area by security companies and research institutions around the world since the release of G1 devices Android based operating system in 2009.

New malicious spyware in Google Play

Mon, 22 Apr 2013 09:34:10 GMT

New malicious spyware spreading around in Google Play, threatening millions of Android users. The good news is that you're only infected if you downloaded a funny Russian app, intended to transcribe other common applications. The bad news is it's probably popular applications since millions of users have already been infected. The spyware received the non-surprising name ‘bad...

Hackers vs. Researchers: Evasion methods

Thu, 18 Apr 2013 13:37:49 GMT

Innovations that appeared in cyber-crimes over the past years, proving that the ‘trickle-down’ effect, known in marketing and economics, is not just about access to products like tablet devices and space tourism. Just like in the real world, evasion techniques, once the exclusive property of the elite programmers, is flowing at an ever increasing rate and becoming public...

Traffic control: The man in the middle

Wed, 17 Apr 2013 13:23:56 GMT

Data sent by GPS applications such as Google maps and Waze can be altered hence control navigation routes of other drivers and even cause traffic jams. That is, if hackers would be interested in it, they would be able to affect the real-time traffic in order to trick users in travelling to the busiest traffic centers, rather than to open road, or to any track or spot they desire. Both...

Would you like some payment advice?

Mon, 15 Apr 2013 09:34:56 GMT

Sometimes, our customers (from various geographical areas) are getting fake emails from HSBC banking with such a subject. The sender address may vary but this would be definitely spoofed email address. And the text of the email’s body may vary, then the main purpose is to confuse the recipients.

WordPress Bloggers?

Mon, 15 Apr 2013 09:25:56 GMT

Got an account at WordPress.com? You should replace your password. Over the weekend an unidentified group of hackers raised a huge offensive attack against blogs that use this popular content management system. Growing number of attacks, during which hackers try to break into websites with the user name ‘Admin’ and a long chain of common passwords (Brute Force method) and using...

PlainSploit: Control the Plane

Mon, 15 Apr 2013 09:18:17 GMT

If the danger of using electronic devices on flights is not enough, what would you say about bringing down an aircraft using a simple Android? The horror scenario, where any terrorist with Android could kill hundreds of people, not because of Android, God forbid, but because of a serious loopholes in the commercial flights security protocol and flight management software is now real.

Shodan: Unstoppable search engine

Wed, 10 Apr 2013 13:25:42 GMT

If until today you were afraid from Google search engine, think again. Meet the Shodan search engine. Unlike Google that runs various scans on network sites, Shodan concentrates on "the back of the network”, and scans servers, network cameras, printers, routers and everything that is connected to the Internet. The engine, running 24 hours a day, 7 days a week, gathers information on...

Join my network on LinkedIn

Wed, 10 Apr 2013 13:14:27 GMT

Have you ever got a “Join my network on LinkedIn” email? Do you know how to distinguish the real from fake? It is easy to see the differences between real email from LinkedIn and a fake one.

Happy birthday: 31 years to the computer virus

Wed, 10 Apr 2013 13:04:16 GMT

Thirty-one years ago, in a suburb of Pittsburgh, Pa. , a boy in the ninth grade, Richard Skrenta decided it is not enough for him to put glue on lockers of friends or pick on some weaker kid. No, not Skrenta. He wanted to take his antics to a different level. To understand what was the trick he invented, and how this stunt affects us today, you need to understand the times in which he lived....

False security: Mac users are exposed.

Tue, 09 Apr 2013 13:06:01 GMT

Mac users have always been (and remain) safe for the most part as they use computers with an operating system immune to hacking and viruses, and rightly so, OSX is one of the most secure operating systems available on the market. But it was the security of Mac users and their immunity to viruses that expose them to attacks via social networks, phishing sites, and cross platform software like...

Win32/Gys.A Trojan

Mon, 08 Apr 2013 13:12:22 GMT

I got an email with the subject - "Your private photos are there for anyone to see. why??" The e-mail message was - "Sorry to disturb you. Someone sent me thee pictures they seem to be from you and your boyfriend I'm really troubled by this why do you send your private naked photos around?? this is beyound my understanding. It's in attachment".

Got BitCoin?

Mon, 08 Apr 2013 13:03:45 GMT

New malware spreading on the Skype network trying to use your computer to harvest BitCoins. It looks like victims from European countries: Italy, Russia, Poland, Spain, Germany and the Ukraine as well as Costa Rica have suffered a rapid spread of malware . After the download, the computer starts to harvest BitCoins using its processing power, which increases the level of CPU usage...

Facebook virus: Distribution brings the solution

Thu, 04 Apr 2013 16:40:51 GMT

A Facebook attack started yesterday evening spread throughout the world. Still not clear what was its goal, but it's probably another attempt to create a computer network attack for a wider future assault. Reason for optimism: The high explosive might of the virus will eventually bring the solution. A likely scenario is possible for the virus circulated last tonight in Facebook is an attempt...

'Red October'

Tue, 02 Apr 2013 15:42:49 GMT

For the last couple of months we have encouneterd multiple attacks coming in from a new cyber-spying group, which calls itself Rocra, AKA 'Red October'. The findings are a bit worrisome, as evidence that this is a group that works for at least five years behind the scenes and without the knowledge of security companies, during which time they collected massive amounts of classified...

The largest cyber-attack in history

Thu, 28 Mar 2013 10:14:14 GMT

You may not feel it, but during the recent hours the largest cyber-attack in history is occurring. Multiple DDOS type attacks take place between two of the largest European network organizations and so much traffic is going around that it causes a huge load on the global World Wide Web.

Theola!

Wed, 27 Mar 2013 18:31:22 GMT

Please note that recently we have discovered a malicious plugin for Google Chrome browser that monitors the activity of the user. Total Defense Labs has identified this new fraud activity in the Netherlands, Norway, Italy, Denmark, Czech Republic and Israel.

Japan get ready - Zeus is coming!

Wed, 13 Feb 2013 13:21:04 GMT

Zeus, called after the Greek deity, now establishing new point of interest: Japan Internet banking Consumers Zeus along with other financial Trojans are already a huge headache to internet banking consumers around the globe for a long time. Specific nations for instance the japanese have escaped assaults from financial Trojans, possibly as a result of language barrier and perhaps other unfamiliar...

USB Autorun Attack

Wed, 13 Feb 2013 13:09:15 GMT

New malware emerged recently attacking Android and Windows platforms. Main capabilities: Steals information and downloads files File size: 330,984 bytes File type: APK This malware comes up being a system solution that assists with accelerating your system. Right after set up, it displays an image launcher. After the harmful application is launched, the user will discover its homescreen. The...

CVE-2013-0422

Wed, 23 Jan 2013 17:30:09 GMT

Another Java zero-day exploit discovered by Total Defense Labs recently. The authors, known for their previous exploit kits "Nuclear Pack" and "Black Hole", stated about this new zero-day, aka CVE-2013-0422.

Ransomware

Thu, 13 Dec 2012 17:38:52 GMT

Ransomware Trojan horse is hitting over again, prevents you from accessing your computer. The latest one discovered lately covers the entire desktop with a message that appears to be from the local authorities, which asks for a fine payment in order to unlock your system. This threat identifies your country by your IP and display relevant image in your language and the relevant authority logo.

Win32/SillyAutorun

Wed, 05 Dec 2012 15:29:29 GMT

We still encounter customers getting infected by Win32/SillyAutorun worm. This worm exploits Microsoft's 'Link' and 'Autorun' files automatic execution and spreads through mapped, removable and file-sharing applications. It connects to a remote site and downloads additional components to the compromised computer, then it creates multiple additional 'Link' files to further spread into other ...

'Tis the Season

Tue, 20 Nov 2012 00:00:00 GMT

The holiday season is quickly approaching. Research data taken over last few years shows this period of time to have the largest spike in malware infections. The "bad guys" know that lots of people will search the internet for good deals and the hottest holiday items. They take advantage of this by populating the internet with phony web sites and links that trick folks into downloading...

Your computer has been locked!

Tue, 20 Nov 2012 00:00:00 GMT

Today hackers run malware-spreading campaigns that distribute and promote virus messages claiming to be from the Federal Bureau of Investigation. An example of such malware is the FBI Greendot Moneypak Virus. The message says "Your computer has been locked!" and the malware program is actually locking the system. The hacker wants to hide the actual plans and disguise the malware as a warning...

Fake Antivirus: Win 8 Security System

Mon, 24 Sep 2012 10:45:57 GMT

Microsoft is planning to release Windows 8 towards October end and malware authors already started with their development of Win8 Rogue Antivirus called Win8 Security System. Win8 Security system is of Rogue Braviax family. What makes it special is the fact that its removal is extremely difficult. Win8 Security system drops a rootkit of Nercus family into drivers folder and run as a service...

Zero-Day Exploit Attack [Microsoft Security Advisory 2757760]

Tue, 18 Sep 2012 22:20:49 GMT

Another exploit based on MS Security Advisory 2757760 is being used to actively install malware on vulnerable Internet Explorer versions 6 through 9. Basically all Windows versions up-to Windows 7 are affected. Windows 8 is safe. The exploit is based on memory corruption that allows an attacker to execute arbitrary code within Internet Explorer memory space. Up until now we know of one Trojan...

Rising trend of using professional obfuscations for protecting Java samples

Thu, 12 Jul 2012 00:00:00 GMT

Usage of commercial grade software protectors/cryptors/obfuscators is a very common trend in desktop malware landscape. They are mainly used to make the analyst’s life tough by adding extra layers of protection. Similarly, there have been quite a few open source obfuscators and professional obfuscators used in the malware families implemented in Java as well for a long...

DNSChanger FAQ - FBI to turn off rogue DNS servers

Fri, 06 Jul 2012 20:26:52 GMT

The FBI will turn off the rogue DNS servers on Monday July 9th, 2012. Please review the following FAQ to better understand this threat. What is DNSChanger? DNSChanger, also known as Alureon, is a high profile piece of Malware that modifies the DNS settings on the victim PC to divert Internet traffic to malicious web sites. The Malware also acts as a robot or “Bot” for short and...

Dissecting Fake Youtube Plugin which scams Facebook users

Fri, 15 Jun 2012 10:53:53 GMT

Introduction We have been coming across many facebook scams. This sample which is taken from one of such scams has an interesting feature in it. It checks for the location of affected victim, and based on the country where the victim is located, additional scripts are injected. The victim is redirected to many other sites that uses Facebook API, post scam on Victim's friends' pages and additional...

DNSChanger FAQ

Wed, 30 May 2012 14:42:37 GMT

What is DNSChanger? DNSChanger, also known as Alureon, is a high profile piece of Malware that modifies the DNS settings on the victim PC to divert Internet traffic to malicious web sites. The Malware also acts as a robot or “Bot” for short and can be organized into a BotNet and controlled from a remote location. DNSChanger has received significant attention due to the large number of...

Hoax Lottery emails from Mark Zuckerberg

Wed, 02 May 2012 12:38:27 GMT

Scam lotteries have been a frequent issue in the past and they continue to exist following the media trend. Total Defense Intelligence Service (Research ISI Team) today caught an interesting email pretending to come from Facebook’s CEO Mark Zuckerberg. The email clearly informs of a fake lottery win, getting the user to contact a Mr. Douglas Price as a fiduciary agent who will handle the...

Ransomware exploits Microsoft Windows Update Center Service

Fri, 27 Apr 2012 14:03:16 GMT

Our first indicators of ransomware were trojanised emails masquerading as police warnings against end users. (Ransomware Exploits the Italian Police) and now it seems to have evolved into leveraging a Fake Windows Update system. It is the result of an aggressive campaign originating in Germany where users receive emails similar to the following:

Beware of False E-Commerce Websites

Fri, 27 Apr 2012 10:49:19 GMT

It is a very common habit of internet users to download the videos or unknown software from the reputed video sharing websites. There is nothing un-common in doing so, but there could be a chances of luring the users in the form of presenting advertisements to the types of interesting draw contests of false websites which in turn loss of money if attempted to purchase. I have come across the...

Digital Resurrections - malicious links piggybacking on trending videos

Fri, 20 Apr 2012 11:56:09 GMT

News trending on most major, and a few tech websites, is the re-animated emergence of a digital avatar resembling a long deceased musician. 2Pac videos have gone viral, and as expected it’s almost too good an opportunity for the malware guys to pass up. It must be mentioned that the video format itself is not immune to embedded malicious links, but this time, the links are far more...

OSX/SabPub - New Backdoor Malware Threat for Mac OS X

Wed, 18 Apr 2012 11:19:30 GMT

Another new malware has been discovered that exploits the CVE-2012-0507 Java Vulnerability, the same vulnerability that OSX/Flashback used. The latest variant of this threat have been found using the same exploit that OSX/MS09-027!exploit used. This new malware is taking advantage of an old vulnerability in Microsoft Word (MS09-027). This vulnerability has been already patched since 2009, which...

Fraud Wiki Repair Guide

Tue, 17 Apr 2012 14:50:30 GMT

Nowadays, there are a lot of Wiki pages on the internet that contains useful information on a wide range of topic that usually a community of people populate. But not all information that can be found can be trusted. One particular example is the Wiki that distributes the Fraud “PCCleaner Pro 2012”. Upon accessing the main page, it shows a lot of common error that people...

Malware Targeting Windows and MAC OSX

Thu, 12 Apr 2012 13:45:45 GMT

Malware is getting more and more sophisticated as the days goes by. Windows platform is the usual target for infection of malware authors but this time they add one more target platform, Mac OSX. Recently, another Tibetan-themed malware has been discovered which takes advantage of a patched Java Vulnerability (CVE-2011-3544). When a user unknowingly visits malicious website, the attack will...

Mac OS X Threat Flashback is Back!

Thu, 12 Apr 2012 13:09:38 GMT

OSX/Imuler is not the only Mac OS X threat that has resurfaced this year. OSX/Flashback has been making its rounds again. As you can remember, OSX/Flashback has appeared last year and disguised as Adobe Flash Player Installer. The previous variants connects to remote host to download its component files and installing backdoor that injects to web browsers and other applications in order to steal...

Mac OS X Threat Masquerading as Image Files

Wed, 11 Apr 2012 17:30:47 GMT

Last year, a variant of OSX/Imuler has been discovered and masquerades as an innocent PDF Document. Recently, a new variant of OSX/Imuler has been discovered and masquerading as image files of the popular Russian model Irina Shayk. The malicious application is placed inside a ZIP archive together with other various image files taken from the FHM magazine. By default, MAC OS X doesn’t...

MS09-027 Target: Mac OSX & Tibetan NGOs

Wed, 11 Apr 2012 16:42:21 GMT

Lately, the number of malware targeting Mac OSX has been rising. A new malware that exploits an old vulnerability has been found. A new malware is taking advantage of an old vulnerability in Microsoft Word (MS09-027). This vulnerability has been already patched since 2009, which could allow remote code execution if a user opens a specially crafted Word file. This malware is detected as...

Family Ties Between Android Malware

Fri, 30 Mar 2012 13:55:44 GMT

While sorting the recent mobile malware collections, I stumbled on a sample which was submitted today. The sample has neither any new break-through payload nor any advanced functionality. However, what makes this interesting is the fact that it has included features seen in couple of different malware families. So, What does it do? It is a typical SMS Trojan that sends SMS to premium message...

Rogue Security Software keeps on hitting Internet users

Wed, 28 Mar 2012 16:39:03 GMT

We thought the rogue security software trend went down this year, but in truth we are witnessing two new reported incidents by users and customers of rogues. According to data obtained, in only one month of monitoring the process of Winwebsec we have seen an impressive number of reported incidents which, in terms of numbers, translates into almost 7,000 issues.

Android Malware adopts reflections

Mon, 12 Mar 2012 09:54:41 GMT

In our earlier blogs, we have highlighted how Android Malware authors are quickly adopting various tricks from the age-old and vast pool of desktop Malware tricks. In this blogpost, we will talk about one such trick which is an adoption from desktop malware. While processing a recent bunch of malware collections, we have noticed heavy use of reflections in quite a few Android samples. It is...

Tax refund spams are back

Wed, 07 Mar 2012 00:00:00 GMT

It's that time of the year when people in some parts of the world are filing their tax returns, and what better time for cyber crooks to trick them into falling prey for phishing attacks via emails. India has been reported in recent malware threat reports as one of the regions with high spam activity and this blog will briefly discuss a very convincing social engineering spam I ran into...

Android Social Engineering Threats in the Spotlight

Mon, 27 Feb 2012 11:08:45 GMT

In all of our earlier blogs about the Android threats, we have highlighted the fact that user awareness is one of the most important factors to fight against the social engineering threats. Yesterday, a familiar Android threat was making news powered by a sound social engineering trick. This blog looks at the differences/similarities of the different variants of this particular bunch of...

FTC investigating privacy disclosure practices of popular mobile apps

Fri, 17 Feb 2012 20:12:02 GMT

In a staff report released yesterday the FTC investigates the level to which App vendors are disclosing the types of data they collect on children and how that information is used. The report is worth a good review as it highlights the general lack of notice provided to parents in the majority of Apps reviewed. A total of 960 Apps specifically targeting children were...

Password Best Practices

Tue, 24 Jan 2012 18:17:51 GMT

Often the disclosure of a password is no fault of our own but rather the result of a website or application compromise. Use these tips to develop a password management strategy that will dramatically decrease your overall risk if any one of your passwords is compromised. Hopefully the next time you have to create a strong password it won't take nearly as long to think up something secure.

Ransomware Exploits the Italian Police

Mon, 19 Dec 2011 23:12:31 GMT

Today, Total Defense Research Team was informed of new ransomware circulating among Italian users pretending to be an official statement by the Italian Police. This malware is spread by drive-by-download through websites compromised with malicious JavaScript code.

Detailed analysis of malware sample removed from android market

Tue, 13 Dec 2011 00:00:00 GMT

Earlier yesterday, a few SMS Trojans were found in Android Market and subsequently removed from the market place. In this blog post, we will be demonstrating some of the interesting behaviours uncovered through dynamic analysis.

The woes of a Physical Security breach

Fri, 09 Dec 2011 00:00:00 GMT

This blog is written to emphasize the importance of physical security in this current day and age. I myself am a victim to a recent physical security breach that happened with Lucky Superstores in the United States, which has resulted in the theft of debit card details of many of its customers. It has been confirmed that more than 20 stores are affected through the 500 or more self-checkout...

New Zero-Day Attack in Adobe Products (CVE-2011-2462)

Thu, 08 Dec 2011 00:00:00 GMT

Recently, Adobe has released a new security advisory, APSA11-04, alerting users about a critical vulnerability in Adobe Reader and Acrobat. The U3D memory corruption vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system. This means that the malicious files could be downloaded or dropped on the affected system. Adobe is in the...

‘Duqu’ 0-day exploit gets a temporary fix

Tue, 08 Nov 2011 00:00:00 GMT

Not long ago, the malware called Stuxnet made its foray into the world of Internet capturing people's attention. This was the first malware of its kind which embodied payload that impacted not only software running on infected machines but also affected attached Industrial processes. This malware's impact was very unique, targeted and revolutionary in nature. In September 2011, a new malware...

Analysis of an Android Malware family doing multi impersonations

Mon, 03 Oct 2011 00:00:00 GMT

Last week, we have blogged about an Android malware that was impersonating as a popular browser (http://totaldefense.com/securityblog/2011/09/23/The-SMSer-Trojan-Returns-as-Fake-Browser-Again.aspx). This time we present the analysis of another interesting Android malware to highlight its noteworthy features that users need to be aware of. This sample shows how easily such kind of impersonating...

Mac OS X Threat Disguises as Adobe Flash Player Installer

Wed, 28 Sep 2011 00:00:00 GMT

Another new Mac OS X Threat has been discovered and disguises as Adobe Flash Player Installer. Like other malware, it also uses social engineering tricks to lure users to download the malware. Once the user unknowingly visited a malicious website to watch a video, it will prompt the user that the Adobe Flash plugin has crashed

Mac OS X Threat Masquerading as a PDF Document

Tue, 27 Sep 2011 00:00:00 GMT

A new Mac OS X Threat has been discovered masquerading as an innocent PDF document with a controversial topic. It is implementing one of the techniques used by windows malware to hide its malicious activity. When the Mac malware is executed, it attempts to drop and execute a non-malicious PDF file in the /tmp folder [Figure 1]. The PDF file and the content is intended to distract the user and...

The SMSer Trojan returns as Fake Browser Again.

Fri, 23 Sep 2011 00:00:00 GMT

A few months ago, we blogged about an increasing trend of SMSer Trojans disguising themselves as popular browser applications targeting the users of smart phones with support for J2ME. For the past few days, we have been observing a similar trend in the influx of SMSer Trojans posing as browser applications in our sample processing channels. However this time, they are actually targeting Android...

The Case of Spitmo, Analysis with Andbug and Profiler.

Tue, 13 Sep 2011 21:44:02 GMT

A few weeks ago, we have witnessed Zitmo arriving to Android landscape http://totaldefense.com/securityblog/2011/08/29/ZBot-Targeting-Android-Users.aspx. As it was widely predicted earlier, fellow researchers at Trusteer discovered that now Spitmo emerges for the Android platform. We, like the worldwide research community, have taken the the growth of Android malware very seriously.

Free Facebook t-shirts at the cost of your Personal Information?

Fri, 09 Sep 2011 16:06:41 GMT

Free Facebook t-shirts at the cost of your Personal Information? Just like the many other social-engineering spam attacks observed on Facebook, the recent one which offers victims free t-shirts as its 7th Anniversary special gift, seem to have gained quite a bit of popularity. If stats are to be believed, [Figure 1, courtesy hacker9] quite a few people have fallen victim to this like-jacking...

Stay Safe With Your Twitter Account.

Fri, 09 Sep 2011 00:00:00 GMT

Twitter is a nice social network that allows you to send very quick messages to your colleagues and friends alike indicating what you are doing, where you are located and so on. The main feature of this social network is the so-called “Following Tweets,” which is a way to inform you that somebody is following your tweets. Twitter is a powerful platform because it easily allows you to...

How to mitigate the “Supercookies”

Mon, 22 Aug 2011 00:00:00 GMT

"Supercookies" (Local Shared Object), or flash cookies as they are otherwise commonly called, and their implication on the privacy of Internet users have been a hot topic in the security- news blogs lately. "Cookies", as most of you already know, are small text files that are used to keep small pieces of browsing information stored on a computer to track and retain user preference information...

China’s Black Market: an Analysis

Mon, 15 Aug 2011 00:00:00 GMT

The Black Market is not new at all, and we know it exists because illegal products or services are readily available, such as drugs, sex, stolen goods, etc. These days I have been impressed by the increase in the number of emails targeting Italian users with offers of electronic goods sold at very interesting prices. Everyday my personal inbox is stuffed with emails coming from people pretending...

New SDK, Old tricks - SillyDl repackaged!

Thu, 04 Aug 2011 00:00:00 GMT

Routine processing of our large volume collections has unearthed a sample that seems noteworthy to be mentioned. Digging deeper revealed it was indeed a simple variant descending from a very old and familiar family of Java based Trojans [Java/SillyDl] Intricacies of its execution This sample's payload is same as what the age old downloader agents are known to do. By Design, It downloads...

SpyEye Behind Cyber-fraud

Thu, 04 Aug 2011 00:00:00 GMT

SpyEye is now very well known within all security communities and security blogs of the world. The latest version of the SpyEye tool includes very powerful capabilities, specifically designed to steal sensitive data from Windows users conducting monetary transactions over the Internet. The Trojan tool is sold on the underground market and in cybercrime forums to be used by cybercriminals....

A Trojan spying on your conversations

Mon, 01 Aug 2011 00:00:00 GMT

We have been recently blogging about many Android malware as the threat landscape has been witnessing an increasing trend in targeting the mobile platforms and today we have received an Android package to our collection and observed that this piece of malware walks an additional mile by having a neat configuration and has a capability to record the telephonic conversation the infected victim...

LulzStorm hits Italian Universities

Tue, 19 Jul 2011 00:00:00 GMT

Lulz team seems to have their signature on the Security page almost on a weekly basis. Just today, “The Sun” newspaper’s online home-page has been defaced, playing on the recent Murdoch issue but the most recent and interesting case certainly remains the attack to Italian Universities. On its Twitter page LulzStorm posted a supposed dump of the databases of 18 Italian...

UNIFORM TRAFFIC TICKET Not from New York State Police

Mon, 11 Jul 2011 00:00:00 GMT

The first thing that most computer users do in the morning is to check their email. So recently just as usual I too checked my Inbox and spam folder. However there was one email [Figure 1] in my Spam folder that got my attention. It seemed suspicious and I did not want to fall into a trap so I carefully reviewed it. This blog details my findings. The email is disguised as a "Traffic Ticket"...

ZBot Targeting Android Users

Fri, 08 Jul 2011 00:00:00 GMT

Earlier this week, in the security researcher forums there have been a round of discussions regarding Zbot attacking Android users and today fellow researchers from Fortinet have managed to find a sample that actually does it. Though this sample has been in the wild for some time, it was found now that it is actually the one that Zbot uses to target its victims. In this blog, we will...

Dynamic Analysis of Golddream.A Trojan

Thu, 07 Jul 2011 00:00:00 GMT

This is a recent malware that targets the Android platform. This Trojan like many typical social engineering Trojans, comes bundled with a game. The credit for discovering it goes to Prof.Xuxian Jiang. Since we have published static analysis of such Trojans in our earlier blogs, this blog covers the dynamic analysis of the Trojan in a controlled environment. Please note that this blog post...

Rootkit Infection: MBR wanted!

Thu, 30 Jun 2011 00:00:00 GMT

We recently witnessed another rootkit infection which raised the attention of the press and Microsoft users. It is again a high profile malware whose target is the hard drive’s master boot record (MBR) corrupting the bootstrap of the Windows Operating System. Once run the malware follows the steps below:Open file: \\.\PhysicalDrive0Create File: hello_tt.sys The first step of the malware is...

QR Code: a channel to spread malware?

Mon, 14 Feb 2011 00:00:00 GMT

Not everyone knows what a QR Code is or how they can be used. A QR Code is a specific matrix barcode (or two-dimensional code), readable by dedicated QR barcode reader. There are many QR Code Reader apps available today for camera phones. The code consists of black modules arranged in a square pattern on a white background. The information encoded can be text, like a URL, or other data.