June 27, 2017

Confusion over Lords of Dharmaraja Hackers

(LiveHacking.Com) – The hacking group calling itself “Lords of Dharmaraja” came into the spotlight a few days ago when it claimed it had a copy of the source for Norton Antivirus. Symantec, the makers of Norton Antivirus, quickly clarified the situation and confirmed that the hackers had a) only access to some API documentation and b) did have some source code, but it was for Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2 which are both more than five years old.

What isn’t really appreciated is that this little known hacking group first came to the attention of authorities last year when it began posting documents including a memo that triggered a U.S. investigation into a possible cyber-attack by Indian military intelligence. It now appears as if that memo was fake, but the security breach was not.

Reuters has obtained a large digital cache what emails that were posted by the group before being taken down by sites like PasteBin. Many of these emails, which were sent between April and October of last year, were addressed to Bill Reinsch, a member of an official U.S. commission monitoring economic and cyber-security relations between the US and China. It now seems that the hackers created these memos simply to draw attention to their work, or to taint relations between India and the United States.

It is still unclear how Symantec’s source code ended up with the Lords of Dharmaraja.

Hackers Steal Source Code to Norton AntiVirus?

(LiveHacking.Com) – Symantec, the company behind Norton AntiVirus, has confirmed that a group of hackers has stolen portions of source code for two of its security products. The hackers, who call themselves The Lords of Dharmaraja, have posted at least twice to Pastebin claiming to have access to the source code for Norton Antivirus:

“Now we release confidential documentation we encountered of Symantec corporation and it’s Norton AntiVirus source code which we are going to publish later on, we are working out mirrors as of now since we experience extreme pressure and censorship from US and India government agencies.”

But according to a statement released from Symantec the information released is just a document from 1999, that describes an application programming interface (API) for the virus Definition Generation Service. “This document explains how the software is designed to work (what inputs are accepted and what outputs are generated) and contains function names, but there is no actual source code present,” Cris Paden, senior manager of corporate communication for Symantec told SecurityWeek.

Both posts have now been removed from Pastebin, which is quite unusual as it is normally a safe haven for hackers to post anything from stolen credit card numbers to cracked passwords.

The latest news from from Symantec, via SecurityWeek, is that the products in question are Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2, and not any of its consumer products under the “Norton” branded. Further in a statement relased on Facebook Symantec said “The code involved is four and five years old. This does not affect Symantec’s Norton products for our consumer customers. Symantec’s own network was not breached, but rather that of a third party entity.”

Many governments require companies such as Symantec to submit their source code for inspection to prove they are not spying on the government. This is where the hackers could have got hold of the code. Comments posted by Yama Tough on Google+ and Pastebin seem to confirm this idea in that they suggest that the Symantec code was taken from an Indian government server.

Windows 8 Will Come With Built-in Anti-virus Software

(LiveHacking.Com) – It has been revealed that Microsoft will ship Windows 8 with built-in anti-virus software. This doesn’t come as too much of a surprise as Microsoft has been making a free anti-malware suite, called Microsoft Security Essentials, for a couple of years now. But it didn’t ship with Windows, you had to download it separately.

Since Windows Vista, Microsoft has bundled Windows Defender with the OS, but Defender is only detects and removes spyware. it is not an anti-virus or anti-malware application.

At the company’s BUILD conference, where Windows 8 is being shown to developers, Michael Angiulo – Corporate Vice President of Windows Planning and Ecosystem – demonstrated an early version of Windows 8 that automatically scanned an infected USB flash disk from which a tablet was booting.

Steven Sinofsky, president of Microsoft’s Windows and Windows Live division, said with Microsoft “have taken Defender and we’ve actually built a whole new range of protection, all the way up though anti-malware, anti-virus.” This means that Windows 8 users will be getting out-of-the-box protection against malware, as well as a firewall and parental controls.

Intel and McAfee Unveil DeepSAFE

(LiveHacking.Com) – As part of the Intel Developer Forum in San Francisco, Intel and McAfee have unveiled DeepSAFE, a new technology that is sandwiched between the OS and the CPU allowing anti-malware programs to gain an additional vantage point in the computing stack to better protect systems.

With DeepSAFE, McAfee and Intel are working to combine the power of hardware and software to create more sophisticated ways to prevent attacks. The new technology was demonstrated on stage. A system running the DeepSAFE technology was able to detect and stop a zero-day (i.e. a previously unknown) rootkit called Agony from infecting a system in real time. This technology is expected to launch in products later in 2011.

Todd Gebhart, co-president of McAfee said:

“This is a tremendous shift for McAfee and one of the biggest innovations in the security industry’s history. McAfee DeepSAFE uses hardware features already in the Intel processors to provide security beyond the OS. From this unique vantage point, DeepSAFE can apply new techniques to deliver a whole new generation of protection in real time to prevent malicious activity and not just detect infections.”

Cybercrime Bigger Than Global Black Market in Marijuana, Cocaine and Heroin combined

(LiveHacking.Com) – The new Norton Cybercrime Report has put the cost of cyber crime to the world’s economy at $388bn annually, a figure that is greater than the combined global market for marijuana, cocaine and heroin ($288bn). Another startling statistic is that cybercrime costs are more than 100 times the annual expenditure of UNICEF ($3.65 billion).

The report, which was compiled using data from 24 countries, says that 431m adults experienced cybercrime in the last year. That is more than a million victims every day or 14 adults every second.

In terms of viruses and malware, the report notes that:

  • 4 in 10 adults surveyed do not have an up-to-date security software suite to protect their personal information online
  • 54% of online adults have experienced viruses or malware on their computers
  • 6 in 10 users of free AV software reported viruses and malware attacks
With regards to protection against viruses and malware, the report says that inadequate security software exposes people unnecessarily to the dangers of computer viruses and malware. With many failing to do the single easiest thing to prevent cyberattacks – i.e. install a full security suite – adults globally are going online, for considerable amounts of time, unprotected against the most common types of cybercrime.
And it is this last part which possibly reveals the true nature of the report. Although I don’t doubt the facts and figures, highlighting things like “6 in 10 users of free AV software reported viruses and malware attacks” and that the “single easiest thing to prevent cyberattacks” is to “install a full security suite” reminds us that this report is published by Norton/Symantec who want to sell you their security software.

Adobe Flash Player Responsible for 7 of Top 10 Vulnerabilities

(LiveHacking.Com) – Kaspersky Lab has published its malware report for the second quarter of 2011 and it has found that seven of the current top ten vulnerabilities are in Adobe Flash Player and the other three in Java. This means that for the first time Microsoft products have disappeared from this list. Kaspersky put this down to “improvements in the automatic Windows update mechanism and the growing proportion of users who have Windows 7 installed on their PCs.”

According to the report, navigating the web remains the riskiest activity on the Internet, with malicious URLs that serve exploit kits, bots, ransomware Trojans, etc. being the most frequently detected objects online.

In terms of geography, every second computer in India was at risk of local infection at least once in the past three months.

“Over the last few years, India has been growing steadily more attractive to cybercriminals as the number of computers in the country increases steadily. Other factors that attract the cybercriminals include a low overall level of computer literacy and the prevalence of pirated software that is never updated,” explains Yury Namestnikov, Senior Virus Analyst at Kaspersky Lab. “Botnet controllers see India as a place with millions of unprotected and un-patched computers which can remain active on zombie networks for extended periods of time.”

Whereas the five safest countries in terms of the level of local infections are: Japan, Germany, Denmark, Luxembourg and Switzerland.

The report also warns users about fake antivirus programs. During the second quarter of 2011, the number of fake antivirus programs detected globally by Kaspersky Lab began to increase: the number of users whose computers blocked attempts to install counterfeit software increased 300 per cent in just three months.

Windows XP is Petri Dish For Rootkit Infections

(LiveHacking.Com) – A six month study, by the AVAST Virus Lab, has found that 74% of rootkit infections originated from Windows XP machines, compared to 17% for Vista and only 12% from Windows 7 machines.

Window XP is the most common PC operating system with around 49% of avast! antivirus users running it compared to the 38% with Windows 7 and the 13% with Vista.

And the problem seems to be that there are a large number of pirate copies of XP which don’t run automatic updates as they can’t be validated by the Windows Genuine Advantage validation process. This leaves the out-of-date and upatched OS open to all kinds of attack, even old ones long patch by Microsoft.

“Because of the way they attack – and stay concealed – deep in the operation system, rootkits are a perfect weapon for stealing private data” said Przemyslaw Gmerek, the AVAST expert on rootkits and lead researcher.

Cybercriminals are continuing to fine-tune their attack strategy with the Master Boot Record (MBR) remaining their favorite target for even the newest TDL4 rootkit variants.
The study found that rootkits infecting via the MBR were responsible for over 62% all rootkit infections. Driver infections made up only 27% of the total. The clear leader in rootkit infection were the Alureon(TDL4/TDL3) family, responsible for 74% of infections.

Experts from AVAST Software will be attending the upcoming Blackhat events in Las Vegas on August 3-7, 2011.

ClamAV Version 0.97.2 Released

ClamAV Logo(LiveHacking.Com) – The ClamAV development team has released version 0.97.2 of its open source anti-virus. This update includes fixes for problems with the bytecode engine, Safebrowsing detection, hash matcher, and other minor issues.

ClamAV is an open source cross-platform anti-virus engine designed for detecting Trojans, viruses, malware and other malicious threats. ClamAV 0.97.2 is available to download for Linux and Unix distributions from the project’s web site.

The ClamAV team have also announced a new service called “Third Party web interface”. It will allow selected individuals/organizations to publish ClamAV Virus Databases (CVD) through the ClamAV mirror network.

ClamAV source code is released under the GNU General Public License (GPL).

Bohu Trojan is Designed to Disable Cloud-Based Antivirus

A recent blog entry from the Microsoft Malware Protection Center details information about a new malware (called Win32/Bohu.A) which is specifically designed to disable and mislead cloud-based antivirus software.

Cloud-based antivirus software differs from traditional antivirus software in that the antivirus client (running on the PC) sends important threat data to a server for backend analysis, and subsequently receives further detection and removal instruction.

The Bohu Trojan originates in China where there is a predominate use of cloud-based antivirus software. Once a Windows based machine is infected the malware installs different network level filters to disrupt and block the antivirus client accessing the backend antivirus services on the Internet.

As well as writing random data at the end of its key payload components to avoid hash-based detection, Bohu also installs a Windows Sockets service provider interface (SPI) filter to block the antivirus network traffic as well as a Network Driver Interface Specification (NDIS) filter. The NDIS filter then stops the antivirus client from uploading data to the server by looking for the server addresses in the data packets.

Trend Micro’s Chairman Says iOS is More Secure Than Android. But Is He Right?

Trend MicroThe chairman and one of the founders of Trend Micro, the Japanese Security and Anti-Virus company, has revealed in a recent interview that he believes that the Android platform is more susceptible to attacks than Apple’s iOS.

Speaking to Bloomberg Chang said “Android is open-source, which means the hacker can also understand the underlying architecture and source code”. Which seems to be the exact opposite of what Google have found with its Chrome web browser and its reward program.

In contrast Chang says that Apple’s sandbox in iOS “isolates the platform, which prevents certain viruses that want to replicate themselves or decompose and recompose to avoid virus scanners”.

His comments come just after the launch of Trend Micro’s Mobile Security for Android. The $3.99 app can block viruses, malicious programs and unwanted calls. Are Chang’s comments just good marketing or does he have a point? Leave your comments below.