Monthly Archives: October 2014
Julian Assange: Google Is Breaking Bad
Verizon's 'Perma-Cookie' Is A Privacy Killing Machine
42% of Americans hit by regular online attacks, says Microsoft survey
A study by Microsoft has revealed that 42 percent of Americans face ‘weekly or daily’ attacks by cybercriminals trying to access their computers, Network World reports.
The post 42% of Americans hit by regular online attacks, says Microsoft survey appeared first on We Live Security.
Pony stealer spread vicious malware using email campaign
Most people want to stay on top of their bills and not pay them late. Recently, however, unexpected emails claiming an overdue invoice have been showing up in people's inboxes, causing anxiety and ultimately a malware infection. Read this report from the Avast Virus Lab so that, as a consumer, you know what to look for, and, as the administrator of an SMB or other website, you know how cybercrooks can use your site in this type of social engineering scam.
Recently we saw an email campaign which attempted to convince people to pay an overdue invoice, as you can see on the following image. The user is asked to download an invoice from the attached link.
The downloaded file pretends to be a regular PDF, but the filename "Total outstanding invoice pdf.com" is very suspicious: the real extension is .com, a Windows executable, and "pdf" is just part of the name.
When the user executes the malicious file, it goes through several unpacking stages and then downloads the final payload. The Avast Virus Lab has identified this payload as Pony Stealer, a well-known credential-stealing Trojan responsible for the theft of $220,000, as you can read here.
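The deceptive filename is the part of this campaign that can be caught before anything runs. The following is an added example of a name-only filter (it is not Avast's code, and the sample names other than the one from the write-up are constructed): it treats the last extension as authoritative, then checks whether a document-like token has been placed in front of it, so both "invoice pdf.com" and the more common "invoice.pdf.exe" double extension are flagged.

```python
import re

# Extensions Windows runs as code on double-click. A mail gateway or download
# filter should treat any of these as executable regardless of the rest of the name.
EXECUTABLE_EXTS = {"com", "exe", "scr", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "hta"}

# Tokens that make a name read as a document; the lure in the write-up put
# "pdf" in front of a real .com extension.
DOCUMENT_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf", "jpg", "png"}


def classify_attachment_name(name):
    """Return the reasons a filename looks deceptive; an empty list means no finding.

    Only the name is inspected, so this catches the "document pdf.com" trick and
    "invoice.pdf.exe" double extensions, not a genuinely malicious .pdf file.
    """
    lowered = name.strip().lower()
    if "." not in lowered:
        return []
    stem, ext = lowered.rsplit(".", 1)
    if ext not in EXECUTABLE_EXTS:
        return []
    reasons = ["executable extension ." + ext]
    # Split the stem on dots, whitespace, underscores and hyphens so that both
    # "invoice pdf.com" and "invoice.pdf.exe" yield a trailing "pdf" token.
    tokens = [t for t in re.split(r"[.\s_-]+", stem) if t]
    if tokens and tokens[-1] in DOCUMENT_TOKENS:
        reasons.append("document token '" + tokens[-1] + "' placed before the real extension")
    return reasons


# Constructed sample names; only the first one is taken from the write-up.
SAMPLE_NAMES = [
    "Total outstanding invoice pdf.com",
    "invoice.pdf.exe",
    "Invoice621785.pdf",
    "setup.exe",
]


def triage(names=SAMPLE_NAMES):
    """Map each name to its reasons; names mapped to an empty list passed the check."""
    return {n: classify_attachment_name(n) for n in names}


if __name__ == "__main__":
    for name, reasons in triage().items():
        print(name, "->", reasons or "ok")
```

A plain "setup.exe" still gets one finding (it is executable), which is the right default for an invoice-themed mail flow; a real PDF such as the Dyre attachment discussed further down this page passes a name check entirely, which is why that campaign has to be stopped by patching the reader rather than by filename.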
We followed the payload URL and discovered that it was downloaded from a hacked website. The interesting part is that we found a backdoor on that site allowing the attacker to take control of the entire website. As you can see, the attacker could create a new file and write any data to that file on the hacked website, for example, a malicious php script.
Because that website was unsecured, cybercrooks used it to place several Pony Stealer administration panels on it, including the original installation package, and some other malware samples as well. You can see an example of Pony Stealer panel’s help page written in the Russian language on the following picture.
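The backdoor described above gives the attacker two primitives: write any data to a new file in the webroot, and then execute it as PHP. Both leave recognisable source-level traces. The following is an added example of a webroot scan for those traces (it is not Avast's tool and the sample webroot is constructed here, not taken from the compromised site): it walks a directory, reads every PHP file, and reports code that evaluates, executes, or writes files from raw request parameters.

```python
import os
import re
import tempfile

# Patterns that are rare in legitimate application code but typical of dropped
# PHP backdoors: code execution on attacker-supplied input, and unrestricted
# file writes driven by request parameters (the "create a file and write any
# data to it" primitive from the write-up).
WEBSHELL_PATTERNS = {
    "eval_on_request": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)?\s*\(?\s*\$_(?:GET|POST|REQUEST|COOKIE)",
        re.IGNORECASE),
    "shell_exec_on_request": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)",
        re.IGNORECASE),
    "file_write_from_request": re.compile(
        r"\b(?:file_put_contents|fwrite|move_uploaded_file)\s*\([^;]*\$_(?:GET|POST|REQUEST|FILES)",
        re.IGNORECASE),
}

PHP_SUFFIXES = (".php", ".phtml", ".php5")


def scan_webroot(root):
    """Return sorted (relative path, pattern label) pairs for suspicious PHP files under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(PHP_SUFFIXES):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for label, pattern in WEBSHELL_PATTERNS.items():
                if pattern.search(src):
                    findings.append((rel, label))
    return sorted(findings)


# Constructed sample webroot: two ordinary application files and two planted
# backdoors in the kind of out-of-the-way locations attackers favour.
SAMPLE_FILES = {
    "index.php": "<?php echo 'Welcome'; include 'lib/db.php'; ?>",
    "lib/db.php": "<?php function db() { return mysqli_connect('localhost', 'u', 'p', 'shop'); } ?>",
    "images/.cache.php": "<?php file_put_contents($_POST['name'], $_POST['data']); ?>",
    "wp-content/up.php": "<?php eval(base64_decode($_REQUEST['c'])); ?>",
}


def build_and_scan(files=SAMPLE_FILES):
    """Materialise the sample webroot in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_webroot(root)


if __name__ == "__main__":
    for rel, label in build_and_scan():
        print(f"{rel}: {label}")
```

Run `scan_webroot("/var/www/html")` (or wherever the site lives) on a real server; anything it reports should be compared against the files shipped by the CMS or framework, since the patterns are deliberately broad and a file upload handler may trip the write check legitimately. Files the scan does not catch still exist (obfuscated shells split their strings), so treat a clean result as a first pass, not proof of a clean site.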
Avast Virus Lab advises:
For Consumers: Use extreme caution if you receive an email trying to convince you to pay for services you did not order. This use of "social engineering" is almost certainly fraudulent. Do not respond to these emails, and do not open the attachment or follow the link.
For SMBs: If you are a server administrator, please secure your server and follow the general security recommendations. As this article shows, your site can be hacked and a backdoor planted on it that lets anyone upload whatever they want to your website. Protect yourself and your visitors!
SHA-256 hashes and detections:
4C893CA9FB2A6CB8555176B6F2D6FCF984832964CCBDD6E0765EA6167803461D
5C6B3F65C174B388110C6A32AAE5A4CE87BF6C06966411B2DB88D1E8A1EF056B
Avast detections: Win32:Agent-AUKT, Win32:VB-AIUM
Acknowledgement:
I would like to thank Jan Zíka for discovering this campaign.
Google Youtube – Filter Bypass & Persistent Vulnerability [9-5942000004564] (PoC Video Demonstration)
Posted by Vulnerability Lab on Oct 27
Document Title:
===============
Google Youtube – Filter Bypass & Persistent Vulnerability [9-5942000004564] (PoC Video Demonstration)
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1352
Google Security ID: [9-5942000004564]
Tor users targeted with exit node malware
An exit node on the Tor network has been discovered to be slipping malware on top of downloads, according to The Register. The server, based in Russia, has been flagged as bad by The Tor Project, but this “would not prevent copycat attackers from the more than 100 exit nodes in operation.”
The post Tor users targeted with exit node malware appeared first on We Live Security.
Folder Plus v2.5.1 iOS – Persistent Item Vulnerability
Posted by Vulnerability Lab on Oct 27
Document Title:
===============
Folder Plus v2.5.1 iOS – Persistent Item Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1348
Release Date:
=============
2014-10-24
Vulnerability Laboratory ID (VL-ID):
====================================
1348
Common Vulnerability Scoring System:
====================================
3.5
Product & Service Introduction:…
Apple iOS v8.0.2 – Silent Contact Denial of Service Vulnerability
Posted by Vulnerability Lab on Oct 27
Document Title:
===============
Apple iOS v8.0.2 – Silent Contact Denial of Service Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1324
Video: http://www.vulnerability-lab.com/get_content.php?id=1333
Release Date:
=============
2014-10-23
Vulnerability…
TA14-300A: Phishing Campaign Linked with "Dyre" Banking Malware
Original release date: October 27, 2014 | Last revised: October 28, 2014
Systems Affected
Microsoft Windows
Overview
Since mid-October 2014, a phishing campaign has targeted a wide variety of recipients while employing the Dyre/Dyreza banking malware. Elements of this phishing campaign vary from target to target including senders, attachments, exploits, themes, and payload(s).[1][2] Although this campaign uses various tactics, the actor's intent is to entice recipients into opening attachments and downloading malware.
Description
The Dyre banking malware specifically targets sensitive user account credentials. The malware has the ability to capture user login information and send the captured data to malicious actors.[3] Phishing emails used in this campaign often contain a weaponized PDF attachment which attempts to exploit vulnerabilities found in unpatched versions of Adobe Reader.[4][5] After successful exploitation, a user’s system will download Dyre banking malware. All of the major anti-virus vendors have successfully detected this malware prior to the release of this alert.[6]
Please note, the below listing of indicators does not represent all characteristics and indicators for this campaign.
Phishing Email Characteristics:
- Subject: “Unpaid invoic” (Spelling errors in the subject line are a characteristic of this campaign)
- Attachment: Invoice621785.pdf
System Level Indicators (upon successful exploitation):
- Copies itself to C:\Windows\[RandomName].exe
- Creates a service named "Google Update Service" by setting the following registry values:
- HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\ImagePath: "C:\WINDOWS\pfdOSwYjERDHrdV.exe"
- HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\DisplayName: "Google Update Service"[11]
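The two registry values above are the persistence mechanism, and they are cheap to hunt for. As an added example (not part of the US-CERT alert), the following Python applies those indicators to a list of service definitions and generalises them slightly: it flags any service whose binary sits directly in the Windows root rather than in System32 or Program Files, and any service that calls itself Google Update but does not run from a Google directory. The service records are constructed sample data, not a capture from an infected host, and the assumption that the legitimate updater lives under a Google directory is the example's own.

```python
import re

# Constructed sample of service definitions, shaped like the values under
# HKLM\SYSTEM\CurrentControlSet\Services\<key>. Not exported from a real host;
# the first entry reproduces the indicator from the alert.
SAMPLE_SERVICES = [
    # (registry key, DisplayName, ImagePath)
    ("googleupdate", "Google Update Service", r"C:\WINDOWS\pfdOSwYjERDHrdV.exe"),
    ("gupdate", "Google Update Service (gupdate)",
     r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc'),
    ("Spooler", "Print Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("wuauserv", "Windows Update", r"C:\Windows\system32\svchost.exe -k netsvcs"),
]

# An ImagePath whose binary sits directly in %SystemRoot% (not System32 or any
# subdirectory). Service binaries are normally installed under System32 or
# Program Files; a lone .exe in the Windows root is the Dyre pattern
# ("C:\Windows\[RandomName].exe").
WINDOWS_ROOT_EXE = re.compile(
    r'^"?[a-z]:\\windows\\([^\\"]+\.exe)"?(?:\s|$)', re.IGNORECASE)


def flag_services(services):
    """Return (key, reason) pairs for entries matching the Dyre persistence indicators."""
    findings = []
    for key, display, image in services:
        m = WINDOWS_ROOT_EXE.match(image)
        if m:
            findings.append((key, "binary directly under %SystemRoot%: " + m.group(1)))
        # Name impersonation: claims to be Google Update but does not run from a
        # Google install directory (assumed location of the legitimate updater).
        if "google update" in display.lower() and "\\google\\" not in image.lower():
            findings.append((key, "Google Update name with non-Google ImagePath"))
    return findings


if __name__ == "__main__":
    for key, reason in flag_services(SAMPLE_SERVICES):
        print(f"{key}: {reason}")
```

On a live host the same three fields come from PowerShell's `Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\*` (the key name, `DisplayName` and `ImagePath` properties); feed those rows to `flag_services` and review anything it returns against the host's software inventory before acting on it.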
Impact
A system infected with Dyre banking malware will attempt to harvest credentials for online services, including banking services.
Solution
Users and administrators are advised to take the following preventive measures to protect their computer networks from phishing campaigns:
- Do not follow unsolicited web links in email. Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks [7] for more information on social engineering attacks.
- Use caution when opening email attachments. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams.[8]
- Follow safe practices when browsing the web. See Good Security Habits [9] and Safeguarding Your Data [10] for additional details.
- Maintain up-to-date anti-virus software.
- Keep your operating system and software up-to-date with the latest patches.
US-CERT collects phishing email messages and website locations so that we can help people avoid becoming victims of phishing scams.
You can report phishing to us by sending email to [email protected].
References
- [1] MITRE Summary of CVE-2013-2729, accessed October 16, 2014
- [2] MITRE Summary of CVE-2010-0188, accessed October 16, 2014
- [3] New Banking Malware Dyreza, accessed October 16, 2014
- [4] Adobe Security Updates Addressing CVE-2013-2729, accessed October 16, 2014
- [5] Adobe Security Updates Addressing CVE-2010-0188, accessed October 16, 2014
- [6] VirusTotal Analysis, accessed October 16, 2014
- [7] US-CERT Security Tip (ST04-014) Avoiding Social Engineering and Phishing Attacks
- [8] US-CERT Recognizing and Avoiding Email Scams
- [9] US-CERT Security Tip (ST04-003) Good Security Habits
- [10] US-CERT Security Tip (ST06-008) Safeguarding Your Data
- [11] MS-ISAC CIS CYBER ALERT
Revision History
- October 27, 2014: Initial Release
- October 28, 2014: Added Reference 11 in Description Section