Tag Archives: Malware

AVG

Banking Trojan Vawtrak: Harvesting Passwords Worldwide

Over the last few months, AVG has tracked the rapid spread of a banking Trojan known as Vawtrak (aka Neverquest or Snifula).

Once it has infected a system, Vawtrak gains access to bank accounts visited by the victim. Furthermore, Vawtrak uses the infamous Pony module for stealing a wide range of login credentials.

While Vawtrak Trojans are not new, this particular sample is of great interest.

 

How and where is it spreading?

The Vawtrak Trojkan spreads in three main ways:

  • Drive-by download – in the form of spam email attachments or links to compromised sites
  • Malware downloader – such as Zemot or Chaintor
  • Exploit kit – such as Angler

Based on our statistics, the Czech Republic, USA, UK, and Germany are the most affected countries by the Vawtrak campaigns this year.

Countries most affected by the spreading of Vawtrak in Q1 2015.

 

What are the features of this Vawtrak?

This Vawtrak sample is remarkable for the high number of functions that it can execute on a victim’s machine. These include:

  • Theft of multiple types of passwords used by user online or stored on a local machine;
  • Injection of custom code in a user-displayed web pages (this is mostly related to online banking);
  • Surveillance of the user (key logging, taking screenshots, capturing video);
  • Creating a remote access to a user’s machine (VNC, SOCKS);
  • Automatic updating.

Of particular interest from a security standpoint is that by using Tor2web proxy, it can access update servers that are hosted on the Tor hidden web services without installing specialist software such as Torbrowser.

Moreover, the communication with the remote server is done over SSL, which adds further encryption.

This Vawtrak sample also uses steganography to hide update files inside of favicons so that downloading them does not seem suspicious. Each favicon is only few kilobytes in size, but it is enough to carry a digitally signed update file hidden inside.

 

Detailed analysis

Our complete analysis of this malware is too long to publish in full on this blog so we have prepared a detailed white paper that describes this infection, its internals and functions in detail.

 

You can also download the report here

 

Stay Safe

While this Vawtrak Trojan is very flexible in functionality, it’s coding is mostly basic and can be defended against. At AVG, we protect our users from Vawtrak in several ways:

  • AVG LinkScanner and Online Shield provide real-time scanning of clicked links and web pages containing malicious code.
  • AVG Antivirus for generic detection of malicious files and regular scans.
  • AVG Identity Protection, that uses a behavioral-based detection, will detect even the latest versions of such infections.
  • AVG Firewall prevents any unsolicited network traffic, such as communication with a C&C server.

Avast

Don’t click on the porn video your Facebook friend shared

Fake Flash Player updates fool Facebook users.

facebook-fake-flash-small

Facebook users get malware from clicking on fake Flash Player updates.

Facebook users have fallen victim to a recycled scam, and we want to make sure that all of our readers are fore-warned. Cybercrooks use social engineering tactics to fool people into clicking, and when the bait comes from a trusted friend on Facebook, it works very well.

Here’s how the scam works – your friend sends you an interesting video clip; in the latest iteration you are tagged and lots of other friends are also tagged – this makes it seem more trustworthy. The video stops a few seconds in and when you click on it, a message that your Flash Player needs to be updated for it to continue comes up. Since you have probably seen messages from Adobe to update your Flash Player, this does not raise any red flags. Being conscientious about updating your software, as well as curious about what happens next in the video, you click the link. That’s when the fun really begins.

The fake Flash Player is actually the downloader of a Trojan that infects your account. Security researcher Mohammad Faghani, told The Guardian, …” once it infects someone’s account, it re-shares the clip while tagging up to 20 of their friends – a tactic that helps it spread faster than previous Facebook-targeted malware that relied on one-to-one messaging on Facebook.”

How to protect yourself from Facebook video scams

Don’t fall for it. Videos that are supposedly sensational or shocking are also suspect. Be very cautious when clicking.

Does your friend really watch this stuff? If it seems out of character for your friend to share something like that with you, beware. Their account may have been infected by malware, and it’s possible they don’t even know this is being shared. Do them a favor and tell them about it.

Be careful of shortened links. The BBB says that scammers use link-shortening services to disguise malicious links. Don’t fall for it. If you don’t recognize the link destination, don’t click.

Use up-to-date antivirus software like Avast Free Antivirus with full real-time protection.

Report suspicious activity to Facebook. If your account was compromised, make sure to change your password.

Panda Security

Cyber safety: one of the major companies concerns

shaking hands

I’m sure you have read about Sony’s latest leaks, the cyberattacks to Medias like The New York Times and the chaos created when cybercriminals paralyzed some banks payment networks. Nevertheless there are many other silent virtual crimes: both big corporations and small and medium businesses can suffer breaches in their data without anyone noticing anything, not even the workers.

Nowadays most banking transactions are conducted online, and almost every company has a web platform where they manage their documents and emails. That makes me wonder why computer security remains an outstanding issue in many organizations. Are they aware of the risks they are taking? Or, is it just that the new types of malware surpass their security measures?

This is not a trivial issue as we saw in the World Economic Forum (WEF), which took place last January in Davos (Switzerland). Many analysts, politicians and CEOs showed their concern and warned the public about this issue.

world economic forum

John Chambers, Cisco’s CEO, could not have said it better: “There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.” Putting into words the issue’s significance at the WEF.

Moreover the situation is echoed by the 2015 Global Risks Report, elaborated by the WEF, and includes the cyberattacks as the futures more pressing dangers. “Innovation is critical to global prosperity, but also creates new risks. We must anticipate the issues that will arise from emerging technologies, and develop the safeguards and governance to prevent avoidable disasters.” said the President of Global Risk and Specialties at Marsh.

Technological Risks according to the Global Risks Report 2015 at the World Economic Forum

Cyber safety is now one of the major companies concerns. The forum had already published another analysis dedicated solely to this issue: “Risk and Responsibility in a Hyperconnected World” in collaboration with McKinsey & Company.

According to the experts, the technology sector, which includes big data analysis and cloud storage, could produce between 9.6 and 21.6 billion dollars of global profits.

Cybersecurity is precisely one of the barriers that ensure the favorable indicators. But if the sophistication of the attacks surprises the defensive capabilities of the equipment, the altercation would cause serious damages. In addition, the implementation of new regulations and limits for the corporations would slow down the economic and technological innovation and progress.

binary code

The report states that in order to protect companies and society in general from the negative effects a collaboration framework between public and private sectors should be stablished. Global cooperation from the authorities in order to develop new strategies that replace the traditional obsolete ones is needed.

The cost of the attacks can conceal the possible profits. Stephen Catlin, president of Lloyd (insurance market) recently claimed that the losses caused by cybercriminals can reach so important sums of money that the governments should take responsibility.

Also, companies need funds in order to research new types of malware and develop new methods that prevent cybercrimes. Chambers ended his speech at the forum expressing his fear of what is about to happen: “In 2014 the issues related to cybersecurity have deteriorated, and 2015 would be much worse.”

So, try our corporate antivirus for best corporate endpoint protection!

The post Cyber safety: one of the major companies concerns appeared first on MediaCenter Panda Security.

Avast

Ransomware holds eSports players hostage

Dreaded ransomware, the malware that locks your files and demands payment for the key to unlock them, is now targeting gamers.

New ransomware targets gamers.

 

In the first report of gamers being targeted by ransomware, more than 2o different games, including World of Warcraft, League of Legends, Call of Duty and Star Craft 2, various EA Sports and Valve games, and Steam gaming software are are on the list.  This variant of ransomware looks similar to CryptoLocker according to a report from a researcher at Bromium Labs.

What is CryptoLocker?

CryptoLocker is “ransomware” malware that encrypts files on a victim’s Windows-based PC. This includes pictures, movie and music files, documents, and certain files, like the gamer’s data files, on local or networked storage media.

A ransom, usually paid via Bitcoin or MoneyPak, is demanded as payment to receive a key that unlocks  the encrypted files. In previous cases, the victim has 72 hours to pay about a relatively small amount of money, usually in the low hundreds of dollars, but after that the ransom rises to over thousands of dollars. We have seen reports that says the gamers are demanded a ransom of about $1,000 via PayPal My Cash Cards or 1.5 bitcoins worth about $430.

“There’s mostly no way to get the data back without paying the ransom and that’s the reason why bad guys focus on this scheme as it generates huge profit, “ said  Jiri Sejtko, Director of Avast Software’s Virus Lab Operations last year when ransomware was making the news. “We can expect some rise in ransomware occurrences,” predicted Sejtko. “Malware authors will probably focus on screen-lockers, file-lockers and even on browser-lockers to gain money from victims.”

That prediction came true, and now ransomware authors are targeting narrower audiences.

How do I get infected with CryptoLocker?

Infection could reach you in various ways. The most common is a phishing attack, but it also comes in email attachments and PDF files. In the new case targeting gamers, the Bromium researcher wrote, “This crypto-ransomware variant has been getting distributed from a compromised web site that was redirecting the visitors to the Angler exploit kit by using a Flash clip.” There is a detailed analysis in the report.

How do I protect myself against ransomware?

Ransomware is continuing to evolve, most recently CryptoWall ransomware, and even mobile ransomware called Simplocker.  The most effective way to protect yourself is to back up your files and store them on an external hard drive, as the new malware could also attack other drives and even cloud storage like Dropbox.

“Outdated software makes you more vulnerable for ransomware, so keep your system and applications up-to-date, especially  Java, PDF Reader, Browsers, and Flash,” said Sejtko. The Avast Software Updater feature in all of our products, shows you an overview of all your outdated software applications, so you can keep them updated and eliminate any security vulnerabilities.

By all means, avoid paying the ransom. Even if you do – you’re dealing with cybercriminals – how can you trust them to give you the key?

Avast has an Android app called Avast Ransomware Removal that will eliminate the malware from an infected device. Get it free for your Android smartphone and tablet from the Google Play Store.

List of targeted games and software

Single User Games

Call of Duty, Star Craft 2, Diablo, Fallout 3, Minecraft, Half-Life 2, Dragon Age: Origins, The Elder Scrolls and specifically Skyrim related files, Star Wars: The Knights Of The Old Republic, WarCraft 3, F.E.A.R, Saint Rows 2, Metro 2033, Assassin’s Creed, S.T.A.L.K.E.R., Resident Evil 4, and Bioshock 2.

Online games

World of Warcraft, Day Z, League of Legends, World of Tanks, and Metin2.

Gaming Software

Steam

Company Specific Files

Various EA Sports, Steam, and Bethesda games

Game Development Software

RPG Maker, Unity3D, and Unreal Engine

Panda Security

New threats for Android phones, how do they work? Beware of your battery!

smartphone battery charging

When buying a smartphone one of the first things we do is choosing an unlock pattern, trusting that by doing this our WhatsApp conversations will be protected from our nosy surroundings. If you are one of those who think that just one finger is able of drawing a complicated route on the screen, you are mistaken! Hacking an Android’s phone lock is easier than what you thought!

Digital thieves can reach even more. Not only can they get physically inside your phone, but they can also do it virtually or, using the phone’s microphone. Now they can even spy on you when the phone is turning off.

Those who trust that clicking on their smartphones “off” switch is enough to stop their contact with the outside world are in trouble. Virtual spies are able to remotely pull the strings, even so when the owner and his phone were sleeping. Security researchers have demonstrated how a Trojan for Android phones can make the users believe that they have turned it off as they usually do.

PowerOffHijack, the new malware, succeeds a very particular task: Hijacks the users’ shutdown process. When pressing the on/off button a fake dialog box appears making the users believe that their phone is turning off. Meanwhile, the malware is manipulating the operating system “system server” file.

smartphone and computer

The owner rests peacefully, even though the device is not at ease: the Trojan can make outgoing calls (even to foreigner numbers), make pictures and many other things without notifying the user. In China there have been more than 10.000 devices infected by this malware; it seems it expands via some apps.

In order to avoid this mocking Trojan we recommend you to pull out your battery so it doesn’t raise your phone bill to unsuspected limits. As much as the spies try, they are still not capable of controlling the phones without lithium. Another tip is to uninstall the apps that may have caused these silent thieves entry.

Although taking the battery off and putting it back on can resolve the Power Off Hijack issue, some hackers are using the battery’s internal information to spy mobile phones. Researchers of Stanford University together with a group of Israelis experts have developed Power Spy, a new technology that gathers the Android phone’s geolocation, even when the GPS is turned off. How? Tracking the phone’s power consumption over time.

WiFi and GPS connections need the user’s permission in order to work, but the battery consumption data doesn’t. So the cyber criminals can track your phone with 90% accuracy, later using this location information as they please, being able to locating you at all times.

lego on smartphone

The researchers have proven Power Spy’s capacities in two Nexus phones. This program enabled them to locate the phone even if its owner wasn’t using it at the moment. Power Spy would access your phone without you knowing it. The issue is that you might be downloading it together with any app without noticing it.

“We show that measuring the phone’s aggregate power consumption over time completely reveals the phone’s location and movement”, says Yan Michalevsky, one of the researchers.

Fortunately this technology has its limitations: in order to work it needs predefined routes and to have already traveled along the route before. “If you take the same ride a couple of times, you’ll see a very clear signal profile and power profile,” says Michalevsky.  In addition the tracking accuracy increases if the phone has just  a few apps rather than in the ones with more, where power is used unpredictably.

Anyone can start spying on your phone in ways you would have never suspected. Security is not only needed in your desktop computer, it is essential in the tiniest corners of your phone.

Do you want to try our free antivirus for Android?

The post New threats for Android phones, how do they work? Beware of your battery! appeared first on MediaCenter Panda Security.

AVG

USB Killer reminds us what untrusted really means

If this “USB Killer” invention is real, then plugging in one of these unknown devices could electrocute your defenseless PC or Mac, and damage it beyond repair.

It’s a far cry from today’s worst-case-scenario of getting infected by malware and it’s a timely reminder to anybody who stumbles across a USB device by chance – you’ll want to think twice before plugging it in.

Indeed the natural curiosity of what happens when someone finds a USB stick in a public place is well documented, and as far back as 2010 it even spawned the concept of the USB dead drop.

This latest news adds to a growing concern around the security of all USB devices.  Last year researchers Karsten Nohl and Jacob Lell revealed a number of attacks known as BadUSB that has since uncovered a swathe of problems where malware could be transferred at a hardware layer with very little ability to protect against this type of threat.

But we have previously warned about the dangers of anything ‘untrusted’ – be it software, apps and hardware devices.  Your security these days relies more on trust than ever before, as outlined recently by our CEO Gary Kovacs in his keynote speech at Mobile World Congress.

 

What to do if you find an unknown USB device?

NEVER connect it to your PC or Mac. At best it will contain Malware, or at worst it may be a USB Killer (although unlikely).

Try to return it to its owner. Ask around or check if it has a label on it; or leave it where you found it, in case the owner returns to find it.

Consider destroying the USB device. Remember, if the device isn’t yours – neither is the data that it might contain.

Until next time, stay safe out there.