Ransomware holds eSports players hostage

Dreaded ransomware, the malware that locks your files and demands payment for the key to unlock them, is now targeting gamers.

New ransomware targets gamers.

In the first report of gamers being targeted by ransomware, more than 20 different games, including World of Warcraft, League of Legends, Call of Duty and Star Craft 2, various EA Sports and Valve games, and the Steam gaming software are on the list. This variant of ransomware looks similar to CryptoLocker, according to a report from a researcher at Bromium Labs.

What is CryptoLocker?

CryptoLocker is “ransomware” malware that encrypts files on a victim’s Windows-based PC. This includes pictures, movie and music files, documents, and certain files, like the gamer’s data files, on local or networked storage media.

A ransom, usually paid via Bitcoin or MoneyPak, is demanded in exchange for a key that unlocks the encrypted files. In previous cases, the victim had 72 hours to pay a relatively small amount, usually in the low hundreds of dollars, after which the ransom rose to thousands of dollars. We have seen reports that say gamers are being asked for a ransom of about $1,000 via PayPal My Cash Cards or 1.5 bitcoins, worth about $430.

“There’s mostly no way to get the data back without paying the ransom and that’s the reason why bad guys focus on this scheme as it generates huge profit,” said Jiri Sejtko, Director of Avast Software’s Virus Lab Operations, last year when ransomware was making the news. “We can expect some rise in ransomware occurrences,” predicted Sejtko. “Malware authors will probably focus on screen-lockers, file-lockers and even on browser-lockers to gain money from victims.”

That prediction came true, and now ransomware authors are targeting narrower audiences.

How do I get infected with CryptoLocker?

Infection can reach you in various ways. The most common is a phishing attack, but it also arrives in email attachments and PDF files. In the new case targeting gamers, the Bromium researcher wrote, “This crypto-ransomware variant has been getting distributed from a compromised web site that was redirecting the visitors to the Angler exploit kit by using a Flash clip.” There is a detailed analysis in the report.

How do I protect myself against ransomware?

Ransomware continues to evolve; recent examples include CryptoWall and even mobile ransomware called Simplocker. The most effective way to protect yourself is to back up your files to an external hard drive and keep that drive disconnected when you are not backing up, because the new malware can also attack other drives and even cloud storage like Dropbox.

“Outdated software makes you more vulnerable for ransomware, so keep your system and applications up-to-date, especially Java, PDF Reader, Browsers, and Flash,” said Sejtko. The Avast Software Updater feature in all of our products shows you an overview of all your outdated software applications, so you can keep them updated and eliminate any security vulnerabilities.

By all means, avoid paying the ransom. Even if you do, you are dealing with cybercriminals: how can you trust them to give you the key?

Avast has an Android app called Avast Ransomware Removal that will eliminate the malware from an infected device. Get it free for your Android smartphone and tablet from the Google Play Store.

List of targeted games and software

Single User Games

Call of Duty, Star Craft 2, Diablo, Fallout 3, Minecraft, Half-Life 2, Dragon Age: Origins, The Elder Scrolls and specifically Skyrim related files, Star Wars: The Knights Of The Old Republic, WarCraft 3, F.E.A.R, Saints Row 2, Metro 2033, Assassin’s Creed, S.T.A.L.K.E.R., Resident Evil 4, and Bioshock 2.

Online games

World of Warcraft, Day Z, League of Legends, World of Tanks, and Metin2.

Gaming Software

Steam

Company Specific Files

Various EA Sports, Steam, and Bethesda games

Game Development Software

RPG Maker, Unity3D, and Unreal Engine

Continuous Release (CR) Repository updates are released for CentOS-7 (1503)

While we are working on the next CentOS-7 release (tag: 1503), a
majority of rpms to be included in this release have completed an
initial QA cycle and we feel they are ready to be deployed on machines
already running CentOS-7. While there might still be some small
changes in the content of these packages, typically we see a very low
churn. However, we do highly recommend that you try the package set
before deploying it into your production workloads.

In CentOS 7, the CR repo definitions are already included in the
latest centos-release file. You can check that you have this by
running "rpm -q centos-release"; this should give you a single line
of output, "centos-release-7-0.1406.el7.centos.2.6.x86_64". If you
have an older release, you can update via "yum update". At this point
you should be able to run "yum --enablerepo=cr list updates" and then
"yum --enablerepo=cr update", etc. The CR repo is disabled by default;
in order to enable it permanently, please refer to the wiki article
on the CR repo, mentioned below.

A typical use case where this has proven helpful in the past is using
this content as a preview of the release that follows.

This is also a great place for the wider audience to help us shape the
release notes for our next release, provide feedback and help with
warnings and changes that might not be communicated well enough already.

Update announcements for these packages are pushed to
http://lists.centos.org/pipermail/centos-cr-announce/2015-March/thread.html
- since these are not updates into the regular channel, we won't
announce them to the -announce list at this point.

--------
The CentOS CR repos contain rpms that are built to be included in the
next release for CentOS. In this case they include rpms being prepared
for the next CentOS 7 release (tag: 1503) and beyond.

Once the next release media are ready and announced, the CR repo
content will move away from the mirror network along with the last
release content, media, images, etc  (in the same manner that it has
in the past, as a part of the CentOS-Vault process).

--------
For more information about the CR process visit the wiki page:
http://wiki.centos.org/AdditionalResources/Repositories/CR

--------
Notes
* The CR repo is treated as a single stream of packages, and will
shortly also start including updates released since the upstream point
release. Therefore content in the CR repo might not map back to any
media or images released. However, every CentOS-7 install that is yum
updated to the same point in time will always have the same content,
the same rpms and the same feature set.
* Warning for IPv6 users: If you only have IPv6 (so no IPv4), you
will not be able to directly use the CR repository, as that repo is
hosted on mirror.centos.org nodes which currently do not have AAAA
records. What you can do is fall back to the mirrorlist process and
use external mirrors that will also have the CR content. To do that,
remove (or comment out) the baseurl= line and add
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=cr&infra=$infra
in your /etc/yum.repos.d/CentOS-CR.repo. Note that external mirrors
will usually get the content several hours after the mirror.centos.org
nodes.

--------
From here, the CentOS Team, the CentOS QA team and the infra groups
around the project now go to work on getting the ISO media and release
content ready for preview. For this next release we are hoping to ship
the following images:
    - CentOS-7-DVD
    - CentOS-7-Everything
    - CentOS-7-Minimal
    - CentOS-7-GnomeLive
    - CentOS-7-KdeLive
    - CentOS-7-LiveCD
    - CentOS-7-GenericCloud
    - CentOS-7-Container

At this point, we are working to release this set, which pulls in the
sources from RHEL 7.1, within the month of March 2015. Details on this
release can be found at
http://wiki.centos.org/Manuals/ReleaseNotes/CentOS7-CR - once the
media is final, the final release notes will be located at
http://wiki.centos.org/Manuals/ReleaseNotes/CentOS7 (replacing the
older release notes; relevant content will be carried over).

I also want to take this opportunity to send out a huge thanks to the
CentOS-QA folks, and their commitment to the process - who often drop
their lives and come help build, test and document the new release in
CentOS. If you would like to join the effort, please get in touch with
me at kbsingh< at >centos.org - we can always use more help, from different
sorts of use cases (including other projects that consume CentOS Linux
in their own process).

-- 
Karanbir Singh, Project Lead, The CentOS Project
+44-207-0999389 | http://www.centos.org/ | twitter.com/CentOS
GnuPG Key : http://www.karan.org/publickey.asc

New threats for Android phones, how do they work? Beware of your battery!


When buying a smartphone, one of the first things we do is choose an unlock pattern, trusting that this will protect our WhatsApp conversations from nosy onlookers. If you think that only your finger is able to draw that complicated route on the screen, you are mistaken! Hacking an Android phone’s lock is easier than you thought!

Digital thieves can go even further. Not only can they get into your phone physically; they can also do it remotely, or through the phone’s microphone. Now they can even spy on you while the phone is turning off.

Those who trust that pressing their smartphone’s “off” switch is enough to cut their contact with the outside world are in trouble. Virtual spies can pull the strings remotely, even while the owner and the phone are asleep. Security researchers have demonstrated how a Trojan for Android phones can make users believe they have turned it off as they usually do.

PowerOffHijack, the new malware, performs a very particular task: it hijacks the user’s shutdown process. When the on/off button is pressed, a fake dialog box appears, making the user believe the phone is turning off. Meanwhile, the malware is manipulating the operating system’s “system server” file.


The owner rests peacefully, but the device is not at rest: the Trojan can make outgoing calls (even to foreign numbers), take pictures and do many other things without notifying the user. In China more than 10,000 devices have been infected by this malware; it seems to spread via some apps.

To defeat this deceptive Trojan, we recommend removing the battery so it cannot run your phone bill up to unsuspected limits. However hard the spies try, they still cannot control a phone without its lithium battery. Another tip is to uninstall the apps that may have let these silent thieves in.

Although taking the battery out and putting it back in can resolve the PowerOffHijack issue, some hackers are using the battery’s internal information to spy on mobile phones. Researchers at Stanford University, together with a group of Israeli experts, have developed Power Spy, a new technology that gathers an Android phone’s geolocation even when the GPS is turned off. How? By tracking the phone’s power consumption over time.

WiFi and GPS connections need the user’s permission in order to work, but battery consumption data does not. So cyber criminals can track your phone with 90% accuracy and later use this location information as they please, locating you at all times.


The researchers have demonstrated Power Spy’s capabilities on two Nexus phones. The program enabled them to locate the phone even when its owner was not using it at the time. Power Spy would access your phone without your knowing it; the issue is that you might download it together with some app without noticing.

“We show that measuring the phone’s aggregate power consumption over time completely reveals the phone’s location and movement”, says Yan Michalevsky, one of the researchers.

Fortunately this technology has its limitations: to work it needs predefined routes, and the route must have been travelled before. “If you take the same ride a couple of times, you’ll see a very clear signal profile and power profile,” says Michalevsky. In addition, tracking accuracy is higher on a phone with just a few apps than on one with more, where power is used unpredictably.

Anyone can start spying on your phone in ways you would have never suspected. Security is not only needed in your desktop computer, it is essential in the tiniest corners of your phone.


CVE-2015-2292 (wordpress_seo)

Multiple SQL injection vulnerabilities in admin/class-bulk-editor-list-table.php in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before 1.7.4 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) order_by or (2) order parameter in the wpseo_bulk-editor page to wp-admin/admin.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands.

CVE-2015-2293

Multiple cross-site request forgery (CSRF) vulnerabilities in admin/class-bulk-editor-list-table.php in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before 1.7.4 for WordPress allow remote attackers to hijack the authentication of certain users for requests that conduct SQL injection attacks via the (1) order_by or (2) order parameter in the wpseo_bulk-editor page.
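As an added illustration of the weakness behind CVE-2015-2292 and CVE-2015-2293 (not code from the Yoast plugin): a hypothetical WordPress list-table query that concatenates order_by and order into an ORDER BY clause, beside a hardened version that allow-lists both values and requires a nonce. Identifiers cannot be bound as prepared-statement parameters, which is why an allow-list, not escaping, is the fix; the function, column and nonce names are assumptions.

```php
<?php
// Added example, not the plugin's own code. Demonstrates the ORDER BY
// injection pattern of CVE-2015-2292 and the missing-nonce CSRF of
// CVE-2015-2293. Names below are hypothetical.

// Vulnerable: request values are concatenated straight into the SQL.
function bulk_editor_query_vulnerable( wpdb $wpdb, array $request ) {
    $order_by = $request['order_by'];
    $order    = $request['order'];
    return "SELECT ID, post_title FROM {$wpdb->posts} ORDER BY $order_by $order";
}

// Hardened: verify the nonce first (check_admin_referer dies on failure),
// then reduce both the column and the direction to known literals.
function bulk_editor_query_hardened( wpdb $wpdb, array $request ) {
    check_admin_referer( 'bulk-editor-sort', 'bulk-editor-nonce' );

    $allowed_columns = array( 'post_title', 'post_date', 'post_status' );
    $order_by = isset( $request['order_by'] ) ? $request['order_by'] : 'post_title';
    if ( ! in_array( $order_by, $allowed_columns, true ) ) {
        $order_by = 'post_title';
    }

    $order = isset( $request['order'] ) ? strtoupper( $request['order'] ) : 'ASC';
    if ( 'DESC' !== $order ) {
        $order = 'ASC';
    }

    // Both fragments are now values chosen by this code, never user input.
    return "SELECT ID, post_title FROM {$wpdb->posts} ORDER BY $order_by $order";
}

// Sort links must carry the matching nonce, so a page on another site
// cannot reproduce the request on behalf of a logged-in admin.
function bulk_editor_sort_url( $column, $direction ) {
    $url = add_query_arg(
        array(
            'page'     => 'wpseo_bulk-editor',
            'order_by' => $column,
            'order'    => $direction,
        ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'bulk-editor-sort', 'bulk-editor-nonce' );
}
```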

CVE-2015-2314

SQL injection vulnerability in the WPML plugin before 3.1.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the lang parameter in the HTTP Referer header in a wp-link-ajax action to comments/feed.

CVE-2015-2315

Cross-site scripting (XSS) vulnerability in the WPML plugin before 3.1.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the target parameter in a reminder_popup action to the default URI.