A newly disclosed bug in widely-used OpenSSH software allows attackers to make thousands of password guesses in a short space of time.
The post Open SSH bug opens brute force attack window appeared first on We Live Security.
Tag Archives: Malware
Porn clicker keeps infecting apps on Google Play
A recently identified trojan porn clicker is still infecting apps on Google Play.
The post Porn clicker keeps infecting apps on Google Play appeared first on We Live Security.
Google cracks down on ad-injectors
The reality of the web is that not every site is secure. However, most of us get by just fine by sticking to well-known websites from trustworthy companies. Antivirus plays its part by scanning websites and letting you know ahead of time whether or not a site is trustworthy.
While this helps protect against most browser based threats, one area that is commonly exploited is ad-injection. Unlike the bulk of a page’s content, ads tend to be loaded from an external ad server or Content Delivery network (CDN).
Image source
Attackers have found a way to insert malware into the advertising code, which in some cases can circumvent the web page’s security and serve malicious code to the visitor.
In an effort to combat ad-injection malware, Google’s Safe Browsing team announced that when Chrome detects a possible ad-injection on a site that it will serve its famous “red screen” advising the user that the site is potentially unsafe to visit.
How to activate Google Safe Browsing
Activating Google Safe Browsing is simple.
In Google Chrome, select the drop down menu in the top right hand corner.
Select “Settings”
Ensure that the “Enable phishing and malware protection” button is checked.
Bartalex Variants Spotted Dropping Pony, Dyre Malware
Some strains of Bartalex malware, a macro-based malware that first surfaced earlier this year, are dropping Pony malware and the Dyre banking Trojan.
Hackers demo Jeep security hack
Hackers have demonstrated an exploit that can take remote control of a Jeep, to the extent of cutting the transmission and controlling the throttle.
The post Hackers demo Jeep security hack appeared first on We Live Security.
Hacking Team Claims It Always Sold ‘Strictly Within the Law’
Hacking Team officials are disputing reports that the company sold its surveillance and intrusion software to oppressive regimes in countries that were under sanction. The company said it sold its products “strictly within the law and regulation as it applied at the time any sale was made.” The new statement from Hacking Team comes after two […]
Creators of Dubsmash 2 Android Malware Strike Again
Malware Writers Can’t Keep Their Hands Off Porn
In April, we reported on a porn clicker app that slipped into Google Play posing as the popular Dubsmash app. It seems that this malware has mutated and once again had a short-lived career on Google Play, this time hidden in various “gaming” apps.
For your viewing pleasure
The original form of this porn clicker ran completely hidden in the background, meaning victims did not even notice that anything was happening. This time, however, the authors made the porn a bit more visible to their victims.
The new mutation appeared on Google Play on July 14th and was included in five games, each of which was downloaded by 5,000-10,000 users. Fortunately, Google reacted quickly and has already taken down the games from the Play Store.
The selection of “gaming” apps affected by Clicker-AR malware on the Google Play Store.
Once the app was downloaded, it did not really seem to do anything significant when opened by the user. However, once the unsuspecting victim opened his/her browser or other apps, the app began to run in the background and redirect the user to porn sites. Users may not have necessarily understood where these porn redirects were coming from, since it was only possible to stop them from happening once the app was killed.
May I?
This new mutation, which Avast detects as Clicker-AR, requested one important permission that played a vital role in helping the app do its job. The app requested permission to “draw over other apps”, meaning it could interfere with the interface of any application or change what victims saw in other applications. This helped the malware put its adult content in the forefront of users’ screens.
Let’s play “Clue”
We did not immediately realize that the group behind Clicker-AR was comprised of the same folks from Turkey behind the fake Dubsmash app. Then, our colleague Nikolaos Chrysaidos dug a bit deeper and was able to connect some clues to figure out who was behind this piece of malware. He noticed that the fake Dubsmash app and the new apps shared the same decryption base64 code for the porn links. We then noticed that they shared the same function with the same name “bilgiVer”, which means “give information” in Turkish. Finally, the old and new apps used the same DNS from Turkey. Not only did they have a server in Turkey, but they also now made use of an additional server in the U.S. – it seems they made some investments using their financial gain from April!
Bye bye, porn!
As mentioned above, these malicious apps have already been removed from Google Play and Avast detects the malware as Clicker-AR. The following games are infected with Clicker-AR: Extezaf tita, Kanlani Titaas, Kapith Yanihit, Barte Beledi, and Olmusmi bunlar. If you have any of these apps installed on your device, we suggest you remove them (unless you, um, enjoy them) and make sure you have an antivirus app, like Avast Mobile Security, installed to protect yourself from mobile malware.
Follow Avast on Twitter where we keep you updated on cybersecurity news every day.
Android malware Fobus now targeting users in the U.S., Germany and Spain
Mid January we informed you of a data-stealing piece of Android malware called Fobus. Back then Fobus mainly targeted our users in Eastern Europe and Russia. Now, Fobus is also targeting our users in the USA, United Kingdom, Germany, Spain and other countries around the world.
Fobus can cost its unaware victims a lot of money, because it sends premium SMS, makes calls without the victims’ knowledge and can steal private information. More concerning is that Fobus also includes hidden features that can remove critical device protections. The app tricks users into granting it full control of the device and that is when this nasty piece of malware really begins to do its work. You can find some more technical details and analysis of Fobus in our previous blog post from January.
Today, we decided to look back and check on some of the data we gathered from Fobus during the last six months. We weren’t surprised to find out that this malware family is still active and spreading, infecting unaware visitors of unofficial Android app stores and malicious websites.
The interesting part of this malware is the use of server-side polymorphism, which we suspected was being used back in January but could not confirm. We have now confirmed that server-side polymorphism is being used by analyzing some of the samples in our database. Most of these have not only randomly-generated package names, but it also seems that they have randomly-generated signing certificates.
Number of users who have encountered Fobus
Geographical reach expanded from the East to the West
Previously, we predicted that we would probably see a steady growth in the number of encounters users have with this malicious application. A review of the results, however, beats all of our predictions. At the beginning, this malware mainly targeted mobile users in Russian speaking countries. As our detections got smarter and we discovered new mutations of Fobus, we discovered that many other countries are affected as well. Now Fobus, although it still mainly targets users in Eastern Europe and Russia, is also targeting our users in the USA, Germany, United Kingdom, Spain, and other countries around the world.
The above graph shows the number of unique users (user IDs) encountering Fobus per day. The graph is also geologically divided by country codes as reported by the users’ connection location.
Number of times users encountered Fobus by country (as of July 21, 2015):
- Russia: 87,730
- Germany: 25,030
- Spain: 12,140
- USA: 10,270
- UK: 6,260
- Italy: 5,910
There are two great leaps visible in the graph, which mark the days when new versions of Fobus were discovered and new detections protecting our users were released. These three detections seem to be particularly effective at their task. The high impact in countries outside of Russia and English speaking regions, which can be seen in the graph, is a little surprising. Especially considering that the malware typically is only in Russian and English and even the English version contains some strings in Russian. Seems like the authors were too lazy to translate their own app properly…
World map showing the percentage of users who encountered Fobus
An app, built just for you
Now, let’s dig into the analysis. We will look at the certificates used to sign some of the Fobus samples. We already mentioned the problems connected with generating unique applications for each victim (server-side polymorphism). This does not only apply to rebuilding, repackaging and obfuscating each instance of the app itself, but also extends to their signing certificates. To back this up, we analyzed around 4,000 samples and data and inspected the usage of these certificates. We verified that each build of the malicious app is typically seen by one user only, even though its signing certificate can be used to sign multiple apps. Virtually all of the samples we have are very low prevalent, meaning that different users only very rarely see an app instance multiple times. As for the signing certificates, we believe that they are being regenerated on a timely basis. We were able to pick a few examples of such certificates from our statistics.
As you can see from the screenshots above, these certificates are dated the 28th and 30th May 2015 and the time differences in the beginning of the validity period between these certificates are in the order of minutes, sometimes even seconds. We have also found some samples that have certificates with randomly generated credentials altogether.
The above provided screenshot is an example of such randomly generated certificates.
To conclude, we would like to encourage you to think twice about the apps you install on your phone. Especially if the apps you download are from third party stores and unknown sources. If you download apps from the Google Play Store you’re on the safe side. Requiring nonstandard permissions – especially permissions that don’t seem necessary for the app to properly function – may be a sign that something fishy going on. You should be very suspicious of an app that requests device administrator access and think twice before downloading it.
Acknowledgement
Special thanks to my colleague, Ondřej David, for cooperation on this analysis.
Free Tool Looks for HackingTeam Malware
UPDATE–Researchers at Rook Security have released a new tool that looks for HackingTeam malware on target systems, and also have published a set of indicators of compromise to help organizations look for signs of an infection from the intrusion software.
BGP Security Alerts Coming to Twitter
At Black Hat, researchers from OpenDNS are expected to launch a new Twitter feed called BGP Stream that will send out alerts on possible BGP and DNS hijacking attacks.