February 22, 2012

McAfee Says Malware Surpassed 75 Million Samples in 2011

(LiveHacking.Com) – McAfee has released its Q4 2011 Threat Report (a PDF) and it shows that last year McAfee collected over 75 million unique malware samples! It also shows that 2011 was by far the busiest period for mobile malware, with Android the number one target for writers of mobile malware.

The most common type of Android malware is the for-profit SMS-sending Trojan, which earns cyber-criminals significant amounts of money by sending messages to premium services. Rooting Android devices is getting easier and easier, and there are now apps which combine vulnerability exploits to root phones with the click of a button. However, the downside of this is that malware writers can repackage those very same root-exploit apps with malware.

There is a sliver of good news in that the overall growth of PC malware is on the decline and is much lower than at this time last year. The report also noted a continued decline in Fake AV malware, with AutoRun and password-stealing Trojan malware showing only slight declines. However, the context of this is that McAfee’s cumulative number of unique malware samples exceeded 75 million.

In Q4 2011, the most common type of remote attack was via vulnerabilities in Microsoft Windows remote procedure calls. This was followed by a very close race between SQL-injection and cross-site scripting attacks. The result is that the number of reported data breaches has more than doubled since 2009 with more than 40 breaches publicly reported in Q4 alone.

“Although the release of new malware slowed a bit in Q4, mobile malware continued to increase and recorded its busiest year to date,” Dave Marcus, Director, Security Research at McAfee said in a blog post.

Google’s Bouncer to Try and Keep Malware Out of the Android Market

(LiveHacking.Com) – One of the weakest aspects of Google’s Android ecosystem is that it is far too easy for hackers to submit apps which contain malware. Until now Google seemed to largely ignore the issue and only removed malicious apps if someone complained. However, that could all be changing. Google has announced a new service codenamed Bouncer, which scans the Android Market for potentially malicious apps without requiring developers to go through an Apple-like application approval process.

The Bouncer does two things. First it performs a set of analyses on newly submitted apps (as well as on applications already in Android Market), and secondly it keeps an eye on developer accounts to help prevent malicious and repeat-offending developers from coming back.

Once an application is uploaded, the Bouncer starts analyzing it for known malware, spyware and trojans. It also looks for behaviors that indicate an application might be misbehaving, and compares it against previously analyzed apps to detect possible red flags. To do this Google runs every application in a simulator to see how it will behave on an Android device, looking for hidden, malicious behavior.

It seems that the Bouncer has been running for at least the last six months, as Google reports that between the first and second halves of 2011 it saw a 40% decrease in the number of potentially malicious downloads from Android Market.

“No security approach is foolproof, and added scrutiny can often lead to important improvements. Our systems are getting better at detecting and eliminating malware every day, and we continue to invite the community to work with us to keep Android safe,” said Google.

Same Platform Used to Create Stuxnet, Duqu and Other Yet Unknown Malware

(LiveHacking.Com) – Researchers from Kaspersky Labs have discovered that Stuxnet and Duqu were created on the same platform which may have been developed long before the Stuxnet scandal of 2011. Known as “Tilded”, because of the common use of files that start with the tilde symbol (~), it is used by just one team to create modular malware that can be adapted to specific targets.

Kaspersky Labs came to this conclusion by analyzing the drivers used for infecting systems with Duqu and Stuxnet. More worrying is that one of the internal driver files used was compiled in January 2008 and that seven types of drivers with similar characteristics exist in the wild.

“The drivers from the still unknown malicious programs cannot be attributed to activity of the Stuxnet and Duqu Trojans. The methods of dissemination of Stuxnet would have brought about a large number of infections with these drivers; and they can’t be attributed either to the more targeted Duqu Trojan due to the compilation date. We consider that these drivers were used either in an earlier version of Duqu, or for infection with completely different malicious programs, which moreover have the same platform and, it is likely, a single creator-team,” said Alexander Gostev, Chief Security Expert at Kaspersky Lab.

This leads to the conclusion that Duqu and Stuxnet are separate projects, but that they were created on a single platform – Tilded. It appears that Tilded was developed around the end of 2007 and the beginning of 2008. In 2010 the platform was developed further to avoid detection by antivirus solutions. There were a number of projects involving programs based on the “Tilded” platform throughout the period 2007-2011. Stuxnet and Duqu are two of them – there could have been others, which for now remain unknown.

The full version of the report of Alexander Gostev and Igor Sumenkov is available at Securelist.

FTC To Give Refunds to 300,000 Victims of Scareware

(LiveHacking.Com) - Following a settlement with Innovative Marketing and other parties involved in the Winfixer, Drive Cleaner, and XP Antivirus scareware schemes, the Federal Trade Commission is to start giving refunds to the victims.

The settlement, which is worth more than $8 million, was reached after the defendants agreed to hand over the money they gained from scaring users with deceptive ads making them think their computers were infected with malware. Once hooked, users then bought bogus software to fix their non-existent problem.

Approximately 320,000 checks, for an average of $20, will be mailed by the FTC’s settlement administrator, Epiq Systems. Consumers have 60 days to cash the checks.

Microsoft have published a list of product names (as detected by their antimalware programs) that are linked to the Winfixer family:

Program:Win32/AdvancedCleaner 
Program:Win32/Antivirus2008
Program:Win32/Antivirus2009
Program:Win32/SpywareIsolator
Program:Win32/WinFixer
Program:Win32/WinSpywareProtect
Trojan:Win32/Antivirusxp

As well as paying out $8,272,962, Marc D’Souza (owner of Innovative Marketing) is permanently banned from marketing and selling computer security software or any software which fiddles with web browser homepages or security settings.

Beware of Fake iTunes Vouchers this Thanksgiving and Black Friday

(LiveHacking.Com) - Reports are emerging (post in German) about a wave of fake iTunes vouchers which are sent by email telling unsuspecting users that they have received a gift of $50. The emails, which have the subject line: iTunes Gift Certificate, tell the user that the certificate is in the attachment. But the attached .zip in fact contains the BredoZp-B malware.

Thanksgiving and the subsequent Black Friday are often used as bait by spammers and those trying to spread malware. Thanksgiving is a prominent US holiday and Black Friday marks the start of the Christmas shopping season, when major stores and brands offer reductions and sales.

During this holiday weekend it is important to remain vigilant against fake emails and attractive offers. USA Today has posted a list of things to watch out for during this time, here is our modified summary:

Bogus emails. Be very skeptical of emails asking you to enter any account usernames or passwords, credit card numbers or any personal information such as Social Security number and date of birth.

Personalized warnings. Phishers often send emails that warn of urgent action that needs to be addressed in connection with an IRS, Social Security or Department of Motor Vehicles matter. The scammer may even use private information culled from a simple online search or from a social network to get you to submit information or click on a viral Web link.

Innocent messages. An e-mail from a co-worker that says to open a file to see vacation or baby pictures could be a threat. The most effective phishing scams are the ones consumers least expect.

Free gifts. Like the iTunes voucher scam, emails which tell you to open an attachment or follow a link to get your gift need to be checked and double checked.


Android Now Most “Popular” Platform for New Malware

(LiveHacking.Com) - McAfee have released their Third Quarter 2011 Threats Report and it shows that Android is now the most “popular” platform for new malware. Android targeted malware grew by nearly 37 percent since last quarter and stunningly nearly all new mobile malware in Q3 was targeted at Android.

The most common method for spreading Android malware continues to be maliciously modified apps. One of the most lucrative (for the malware author) forms of malware is the premium-rate SMS-sending Trojan. According to McAfee the Android/Wapaxy, Android/LoveTrp, and Android/HippoSMS families are new versions of premium-rate SMS Trojans that sign up victims to subscription services. These Trojans are also getting smarter, as they delete all the subscription confirmation messages received. This means that the victim remains unaware of what the malware is doing.

The Symbian OS (for Nokia handsets) still remains the platform with the all-time greatest number of malware, but Android is gaining fast.

Apart from the increase in Android malware, McAfee also noted the following trends:

  • Fake Anti-Virus (AV), AutoRun and password-stealing Trojans have bounced back strongly from previous quarters.
  • Mac malware also continues to grow, following a sharp increase in Q2.
  • Web sites are still a common way for attackers to spread malware; however, the number of dangerous sites dropped slightly, from an average of 7,300 new bad sites in Q2 to 6,500 new bad sites in Q3. The vast majority of new malicious sites are located in the United States.

With regards to the increase in OS X threats, McAfee point out that as OS X grows in popularity, malware authors will increasingly make use of it to target victims.

From a global point of view the top 5 malware threats are:

  1. Malicious Iframes
  2. Malicious Windows Shortcut Files
  3. Parasitic File Infector
  4. USB-Based AutoRun Parasitic Malware
  5. Web-Based File Infectors

“This has been a very steady quarter in terms of threats, as both general and mobile malware are more prevalent than ever,” said Vincent Weafer, senior vice president of McAfee Labs. “So far this year, we’ve seen many interesting yet challenging trends that are affecting the threat landscape, including heightened levels of sophistication and high-profile hacktivist attacks.”

Stolen Certificate Used to Sign Malware

(LiveHacking.Com) - A certificate stolen from the Malaysian Agricultural Research and Development Institute, which was taken “quite some time ago”, has turned up as the digital signature used on a piece of malware known as Trojan-Downloader:W32/Agent.DTIW.

The malware, which spreads via malicious PDF files that install it after exploiting holes in Adobe Reader 8, downloads additional malicious components from a server called worldnewsmagazines.org.

By using a private signing certificate that belongs to the Malaysian government the malware is able to bypass the warnings issued by Windows about untrusted software.

According to F-Secure, who discovered the malware signed with the stolen certificate:

It’s not that common to find a signed copy of malware. It’s even rarer that it’s signed with an official key belonging to a government.

The use of digital certificates and the role of Certificate Authorities (CA) continues to be a hot topic following several well publicized security breaches (Diginotar and Comodo) and the subsequent revoking of fraudulently issued certificates.

CrySyS Releases Duqu Detector

(LiveHacking.Com) - The lab that participated in the discovery of the Duqu trojan has developed a detector toolkit that can find Duqu infections on a computer or in a whole network. The toolkit, released by the Laboratory of Cryptography and System Security (CrySyS), uses signature and heuristics methods to find traces of Duqu infections even when bits of the malware have already been removed from a PC.

The toolkit searches for a range of different Duqu-related suspicious files and known indicators to detect the current or past presence of the trojan. However, as with all anomaly detection tools, it is possible that it generates false positives.

Therefore, trained personnel are needed to review the tool’s log files and decide on further steps.

The toolkit, which includes the source code, can be downloaded from here.

Recently NSS Labs also released a Duqu detector. Their solution is a Python script which uses pattern matching to scan the system drivers. The script, which is published under a BSD license, is available from their GitHub repository.
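As an added illustration (not the CrySyS or NSS Labs tool itself), the following Python sketch combines the two approaches this section describes: a hash signature list (here a single constructed placeholder, where a real tool ships a published indicator list) and a low-confidence naming heuristic for tilde-prefixed files, logging each finding with a confidence level so an analyst can triage the false positives the text warns about. The driver directory it scans is constructed inline.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a known-bad driver; a real tool ships the published hash list.
SAMPLE_BAD_BYTES = b"constructed sample bytes standing in for a known Duqu driver"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_BAD_BYTES).hexdigest()}


def sha256_of(path):
    """Hash a file in chunks so large drivers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_drivers(driver_dir, known_bad=KNOWN_BAD_SHA256):
    """Return (file name, reason, confidence) for each suspicious file in driver_dir.

    A hash match is high confidence; the '~' name heuristic is low confidence because
    legitimate temp files also use that prefix, so it only flags candidates for review."""
    findings = []
    for name in sorted(os.listdir(driver_dir)):
        path = os.path.join(driver_dir, name)
        if not os.path.isfile(path):
            continue
        if sha256_of(path) in known_bad:
            findings.append((name, "SHA-256 matches a known Duqu driver", "high"))
        elif name.startswith("~"):
            findings.append((name, "tilde-prefixed file name (Tilded naming pattern)", "low"))
    return findings


def build_sample_dir():
    """Create a constructed driver directory: one clean file, one heuristic hit, one hash hit."""
    d = tempfile.mkdtemp(prefix="drivers-")
    with open(os.path.join(d, "ndis.sys"), "wb") as f:
        f.write(b"benign placeholder driver")
    with open(os.path.join(d, "~DF1A2B.tmp"), "wb") as f:
        f.write(b"leftover file with a suspicious name")
    with open(os.path.join(d, "sample-bad.sys"), "wb") as f:
        f.write(SAMPLE_BAD_BYTES)
    return d


if __name__ == "__main__":
    for name, reason, confidence in scan_drivers(build_sample_dir()):
        print(f"[{confidence}] {name}: {reason}")
```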

Microsoft Releases Security Advisory And ‘Fix it’ to Combat Duqu

(LiveHacking.Com) - It was revealed a couple of days ago that the new Duqu malware (which many see as related to the infamous Stuxnet trojan) spreads via a zero day vulnerability in the Windows kernel. Microsoft have now issued a security advisory and “fix it” workaround.

Microsoft has revealed in the advisory that the problem is with Windows’ TrueType font parsing engine. An attacker who exploits this vulnerability can run their own code in kernel mode and then proceed, unhindered, to install programs, modify data, or create new accounts.

The vulnerability is in every supported version of Windows, including the desktop versions (XP, Vista and Windows 7) along with the server variants (Windows Server 2003 and Windows Server 2008). The vulnerability affects both 32-bit and 64-bit systems.

The vulnerability can be exploited in multiple ways, including providing documents or convincing users to visit a Web page that embeds specially crafted TrueType fonts. The vulnerability is caused when a Windows kernel-mode driver fails to properly handle the TrueType font type.

Workaround

A temporary workaround is to block access to t2embed.dll. Blocking access to this dll does not correct the underlying issue but it will help block known attack vectors before Microsoft issue a security update.

The security advisory provides a workaround that can be applied to any Windows system. To make it easy for users to install, Microsoft has released a Fix it that will allow one-click installation of the workaround and an easy way for enterprises to deploy.

No fix for November’s Patch Tuesday

Microsoft have said that a fix for this vulnerability will not be ready for this month’s bulletin release:

Additionally, our engineering teams determined the root cause of this vulnerability, and we are working to produce a high-quality security update to address it. At this time, we plan to release the security update through our security bulletin process, although it will not be ready for this month’s bulletin release.

Duqu Spreads Using Windows Zero Day Vulnerability

(LiveHacking.Com) - It has been discovered that the new Duqu trojan (which is thought to be related to Stuxnet) infects PCs by exploiting a zero day Windows kernel vulnerability via a specially crafted Microsoft Word file.

Duqu, which was spotted in the wild a little under two weeks ago, has parts which are nearly identical to that of Stuxnet but the payload carried by the worm is not intended to sabotage industrial control systems, instead it grants general remote access to a remote command-and-control (C&C) server.

Although the analysis of the worm shows no code related to industrial control systems, the executables have been found in organizations involved in the manufacturing of industrial control systems.

It is important to underline that the vulnerability used by Duqu is in Windows itself and not Word. This means that this flaw could be exploited through other delivery mechanisms.

“We are working diligently to address this issue and will release a security update for customers,” Microsoft said on Tuesday in a short Twitter statement.

Exploitation of zero-day vulnerabilities in Windows by malware programs is not that common. Microsoft’s recent Security Intelligence Report (SIR) showed that none of the malware infections cleaned by the MSRT (Malicious Software Removal Tool) used zero-day exploits.