Tag Archives: General

Tiny Banker Trojan targets customers of major banks worldwide

The Tinba Trojan aka Tiny Banker targeted Czech bank customers this summer; now it’s gone global.

After an analysis of a payload distributed by Rig Exploit kit, the AVAST Virus Lab identified a payload as Tinba Banker. This Trojan targets a large scope of banks like Bank of America, ING Direct, and HSBC.

 hsbc_bank

In comparison with our previous blogpost, Tinybanker Trojan targets banking customers, this variant has some differences,  which we will describe later.

How does Tiny Banker work?

  1. 1. The user visits an website infected with the Rig Exploit kit (Flash or Silverlight exploit).
  2. 2. If the system is vulnerable, then the exploit executes a malicious code which downloads and executes the malware payload, Tinba Trojan.
  3. 3. When the computer is infected and the user tries to log into one of the targeted banks, webinjects come into effect and the victim is asked to fill out a  form with his personal data.
  4. 4. If he confirms the form, the data are sent to the attackers. This includes credit card information, address, social security number, etc. An interesting field is “Mother’s Maiden Name” which is often used as a security question to reset a password.

The example of an injected form targeting Wells Fargo bank customers is displayed in the image below.

form

Differences from the Czech campaign

In the case of the Tinba “Tiny Banker” targeting Czech users, the payload was simply encrypted with a hardcoded RC4 password. However, in this case, a few more steps had to be done. At first, we located the folder with the installed banking Trojan. This folder contained an executable file and the configuration file – see the next figure for the encrypted configuration file.

tinba_enc0

 

At first, XOR operation with a hardcoded value 0xac68d9b2 was applied.

tinba_enc1

 

Then, RC4 decryption with harcoded password was performed. After RC4 decryption, we noticed AP32 marker at the beginning of the decrypted payload, which signalized aplib compression.

tinba_enc2

 

Therefore, after aplib decompression, we got the configuration file in plaintext. After studying this roughly 65KB long plaintext file, we noticed that it targets financial institutions worldwide.

tinba_enc3

Targeted financial institutions

 Screenshots of targeted banks

us_bank

td_bank

 

Conclusion

Keep your software up-to-date. Software updates are necessary to patch vulnerabilities. Unpatched vulnerabilities open you to serious risk which may lead to money loss. For more protection, use security software such as avast! Antivirus with Software Updater feature. Software Updater informs you about  updates available for your computer.

SHA’s and detections

Exploits

CC0A4889C9D5FFE3A396D021329BD88D11D5159C3B42988EADC1309C9059778D
1266294F6887C61C9D47463C2FE524EB1B0DA1AF5C1970DF62424DA6B88D9E2A

Payload

856E486F338CBD8DAED51932698F9CDC9C60F4558D22D963F56DA7240490E465
88F26102DB1D8024BA85F8438AC23CE74CEAE609F4BA3F49012B66BDBBE34A7B

avast! detections: MSIL:Agent-CBZ [Expl], SWF:Nesty-A [Expl], Win32:Banker-LAU [Trj]

Acknowledgement

This analysis was done collaboratively by David Fiser and Jaromir Horejsi.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.

 

AVAST invites you to the WebExpo 2014 in Prague!

WebExpo_EN

WebExpo is the largest Central European conference focused on topics related to the digital world. Among many topics, this year’s focus is security and big data. AVAST Software is not only a proud general sponsor of this event, but also an active participant.

One weekend, over 1,400 online professionals, presentations, workshops, and lots of fun.

WebExpo is a great networking and knowledge exchanging opportunity, and those here in Prague will get a chance to meet AVAST experts from various areas. You can meet the AVAST team at our booth, as well as on the stage. The AVAST booth is located at CEVRO Institut. 

Our team plans some fun for you at the booth, including testing new revolutionary glasses Oculus Rift – virtual reality headset for 3D gaming, and Android Wear. UX experts can try Card Sorting. For the most active expo-goers we will have prizes, so stop by to play and say Ahoy! :)

For the less technically-oriented, we also offer some fun and prizes. If you spot someone wearing an AVAST T-shirt, grab a selfie with this person and post it on Twitter or Instagram with the hashtag #AVASTselfie.  Come to our booth and show us the tweet or instagram post and you will receive a 1-year free license of avast! Premium Mobile Security!

The best part of WebExpo is all the knowledge sharing from AVAST specialists. Here is a list of our colleagues and the topics they will be presenting:

If you can’t attend personally, we have good news for you. Our team will be commenting during the event on social media, so you can join the conversation by following our accounts and special hashtags. Follow us at Twitter and Instagram at

or follow comments with hashes:

  • #AVASTdevs
  • #AVASTbooth
  • #webExpo
Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.

Leave your credit cards at home; Apple Pay lets you buy things with your phone

source: CNET.com

In the wake of the Target, and now Home Depot, security breaches, Apple Pay wants to provide a safer way to make a purchase.

Nestled in-between this week’s announcements of the iPhone 6 and the Apple Watch, Apple CEO Tim Cook announced a new mobile payment system called Apple Pay. New iPhone and Apple Watch owners can leave their credit and debit cards at home because the devices come with a chip that lets them tap-to-pay at major retailers.

When you are in one of 220,000 participating stores, like McDonald’s, Walgreens, Disney, or Macy’s, you use the magic of near-field communication (NFC) to hold your phone by a terminal to pay. It also requires that you place your finger over a sensor to verify your fingerprint. The Apple Watch works the same way, without the added security of the fingerprint, and syncs to your iPhone 5, iPhone 5c, and iPhone 5s. The payment system will work with American Express, Mastercard, and Visa.

Sounds pretty good. But, Google Wallet, PayPal and other NFC systems have failed to really take off; will Apple give us a better way? I asked mobile malware analyst Filip Chytrý to share his thoughts about the security of Apple Pay.

Deborah: From a security perspective, what do you think about Apple Pay?

Filip: I have some concerns. Communications between your device or watch is through Bluetooth, and we have already seen many incidences of intercepted communication between two devices using a man-in-the-middle attack. Generally, anytime you use a pay system there is communication between the phone or watch over Bluetooth. This communication works over a much longer distance than NFC, so payment interception would be easier.

Deborah: I understand the convenience of paying with Apple Pay, but how is this more secure than paying with a credit card?

Filip: Apple says, that “Each transaction is authorized with a one-time unique number, and instead of using the security code from the back of your card, Apple Pay creates a “dynamic security code” to securely validate each transaction.“ It really depends on the type of encryption which is used, but I have to admit this sounds pretty cool, but who knows how long it’s going to take to decrypt this system.

Deborah: It has to be better than the magnetic stripe cards that are still widely used in the USA. Credit card companies have given their customers until 2015 to make the transition to EMV cards using smartchip technology. These cards are supposed to help increase security and reduce fraud. Isn’t that good enough?

Filip: Generally, Apple Pay sounds like it is better secured than the current magnetic stripe cards. NFC payments are just tags which can be easily copied, but magnetic stripes are even worse. A PIN number adds an extra layer which is good, but Apple Pay might provide an even better way in future.

Deborah: Other than the basic security concerns, what happens when your phone battery dies (this will happen to me when I am on a deserted rural highway and need to fill up with gas) or you spill your coffee on it before you can pay, or you break your finger and it’s in a cast?

Filip: Those are real world problems that can’t be solved by Apple. ;) But you’re an Android user, right? Didn’t you have a Nexus 4?

Deborah: Yes, I did. Until I accidentally went in the swimming pool with it. :(

Filip: Not even avast! Mobile Security can protect you from that! But still, you will find this hilarious.

Read more about Apple Pay.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter, Google+ and Instagram. Business owners – check out our business products.

Survey shows the person you trust the most may be spying on you

People expect that they are being watched online in cyberspace, but who would expect to be spied on by the people closest to them? You better watch out – your partner may be spying on you more than the NSA: One in five men and one in four women admitted to checking their partner’s smartphone in a survey with 13,132 respondents conducted by AVAST in the United States.

shutterstock_198273875

Playing detective

The survey found that while the majority of women check their partner’s device because they are nosey, a quarter of married women suspect their spouse is cheating on them and want to find evidence.

Married women are not the only ones who suspect their partner is cheating on them. The reason why most men pry on their partner is because they too are afraid their better half is being unfaithful and want to confirm their suspicions – especially if the relationship is fresh.

Caught red handed

One may think that people who snoop on their significant other to find evidence of cheating or lying are being paranoid. Unfortunately, the majority of them are not paranoid–their gut feeling is often correct. Seven out of ten women and more than half of men who turn to their partner’s device to find proof their partner is deceiving them, have found evidence. Which of the two sexes is more likely to confront their partner regarding their findings? Women. The survey revealed that women are 20% more likely than men to confront their partner with the facts.

“Picking” the mobile lock

Cracking their partner’s device passcode wasn’t necessary for the greater number of snoopers. A shockingly high percentage of respondents claimed they didn’t need a passcode to gain entry to their significant other’s device. Women did, however, have an easier time with 41% reporting their partner’s device did not have a passcode compared to the 33% of men. Coming in at a high second, both male and female respondents claimed to know their partner’s device passcode because their partner had shared it with them in the past, unknowingly setting themselves up to get caught.

An eye for an eye

More than half of men and women who check their significant other’s device think their partner checks their device as well. There seems to be a low level of trust between partners who feel the need to keep tabs on their significant other.

The survey results show that respondents who just started dating and check their new companion’s device are less likely to suspect their new love of doing the same, compared to snoopers in established relationships. People in long term relationships were the most likely to think their partner does the same behind their backs.

Tips to protect your privacy

Be it from your partner or somebody who finds your lost phone – you should always protect your mobile devices from prying eyes.

  • Protect your mobile devices with passcodes!

Everyone should protect their smartphones and tablets with passcodes, even if you aren’t worried about snoopers. Passcodes not only make it more difficult for nosey partners to access secrets and surprises, but can also protect your data should your device get lost or stolen.

  • Lock your precious apps

Apps that contain sensitive information deserve an extra layer of protection. With avast! Mobile Security’s app locking feature you can password protect your most precious apps.

  • Free your phone from old data – and back it up

Backing up your mobile data allows you to save your data to the cloud so you can delete old data from your phone. This not only prevents data loss, whether you lose your phone or accidentally delete data from your phone, but can prevent your partner from finding out about activity you want to keep to yourself. avast! Backup backs up your call log history, SMS, contacts and photos for free.
Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter, Google+ andInstagram. Business owners – check out our business products.

Bad news for SMBs: Target’s “Backoff” malware attack hits 1,000 more businesses

PoS attacks

avast! Endpoint Protection can protect your network

U.S. merchants advised to protect themselves against same PoS hack that hit Target and Neiman Marcus last year.

More than 1,000 U.S. businesses have had their systems infected by Backoff, a point-of-sale (PoS) malware that was linked to the remote-access attacks against Target, Michaels, and P.F. Chang’s last year and more recently, UPS and Dairy Queen. In the Target breach alone, 40 million credit and debit cards were stolen, along with 70 million records which included the name, address, email address, and phone number of Target shoppers.

The way these breaches occur is laid out in BACKOFF: New Point of Sale Malware, a new U.S. Department of Homeland Security (DHS) report. Investigations reveal that cybercrooks use readily available tools to identify businesses that use remote desktop applications which allow a user to connect to a computer from a remote location. The Target breach began with stolen login credentials from the air-conditioning repairman.

Once the business is identified, the hackers use brute force to break into the login feature of the remote desktop solution. After gaining access to administrator or privileged access accounts, the cybercrooks are then able to deploy the PoS malware and steal consumer payment data. If that’s not enough, most versions of Backoff have keylogging functionality and can also upload discovered data, update the malware, download/execute further malware, and uninstall the malware.

General steps SMBs and consumers can take to protect themselves

  • You should use a proper security solution, like avast! Endpoint Protection, to protect your network from hacking tools, malicious modules, and from hackers using exploits as a gateway to insert malware into your network.
  • Regularly monitor your bank and credit card statements to make sure all the transactions are legitimate.
  • Change default and staff passwords controlling access to key payment systems and applications. Our blog post, Do you hate updating your passwords whenever there’s a new hack?, has some tips.
  • Monitor your credit report for any changes. You’re entitled to one free report per year from each of the three reporting agencies.

Specific tips to protect your business and customers

Remote Desktop Access

  • Configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts.
  • Limit the number of users and workstations who can log in using Remote Desktop.
  • Use firewalls to restrict access to remote desktop listening ports.

Network Security

  • Review firewall configurations and ensure that only allowed ports, services and Internet protocol (IP) addresses are communicating with your network.
  • Segregate payment processing networks from other networks.

Cash Register and PoS Security

  • Implement hardware-based point-to-point encryption. It is recommended that EMV-enabled PIN entry devices or other credit-only accepting devices have Secure Reading and Exchange of Data (SRED) capabilities.
  • Install Payment Application Data Security Standard-compliant payment applications.
  • Deploy the latest version of an operating system and ensure it is up to date with security patches, anti-virus software, file integrity monitoring and a host-based intrusion-detection system.

See more mitigation and prevention strategies from DHS.

Learn more about PoS attacks against small and medium-sized business in our blog, Should small and medium-sized businesses be worried about PoS attacks?

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter, Google+ and Instagram. Business owners – check out our business products.

U.S. schools give an F to 2014-15 IT budget

AVAST Free For Education saves school IT money

AVAST Free for Education protects schools while significantly decreasing IT costs for security.

The beginning of the 2014/2015 school year is here. Parents and children are ready after a long summer break, but are schools prepared for the start of the new academic year?

AVAST surveyed more than 900 school IT professionals who participate in the AVAST Free for Education program and found that in terms of technology, schools are not as well equipped as parents expect.

  • 8 out of every 10 schools surveyed by AVAST said they do not feel they have adequate funding to keep up-to-date with technologies
  • 1 out of 5 schools still run Windows XP, and 12% of these schools said they do not intend to upgrade the unsupported operating system

Failing to upgrade to the most up-to-date software not only makes machines vulnerable to attacks, but also hinders the amount of programs that can be used by teachers and students. Keeping up with the most current technology is vital, as it has become ubiquitous in daily life, making it a valuable skill for children to have for the future. Despite technology’s important place in education,

  • 4 out of 10 school’s IT budgets are slashed for the upcoming school year
  • More than a quarter of schools have a $0 IT budget for this year

Technology in schools is not limited to instruction. Sensitive information about faculty, staff, and students is stored on administrative computers. This information needs to be protected from cybercriminals, which is difficult for schools with little to no IT budget. Schools without adequate protection put local families, faculty, and expensive hardware at risk.

AVAST Free for Education helps schools by providing them with enterprise-grade antivirus protection for free, saving school districts an average of $14,285 a year. The AVAST Free for Education program saves school IT departments money they can spend on software and hardware upgrades or use for supplies and salaries.

EDU infograph August 2014

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.

Secret app takes mere minutes to hack, revealing anyone’s secret via simple vulnerability

Do you trust the internet with your secrets?

Perhaps you shouldn’t, even if you’re using an app which professes to “deliver anonymously” secrets to your friends, and their circles, without identifying you as the owner of those secrets.

As Wired reports, researchers at Seattle-based Rhino Security Labs discovered a weakness in how the popular Secret app works, giving them a way of reading anybody’s supposedly anonymous postings.

At this point you’re probably imagining that for anyone to hack Secret, a popular app amongst iOS and Android users, would take ninja-like skills and advanced methods.

But in truth researchers found it remarkably easy, and the secrets of users can spill out within just a matter of minutes, as a Rhino Security researcher demonstrated to journalist Kevin Poulsen over lunch:

<blockquote style=”margin: 15px;padding: 15px 15px 5px;border-left: 5px solid #ccc;font-size: 13px;
font-style: normal;font-family: ‘Helvetica Neue’, Helvetica, sans-serif;line-height: 19px;”>

White hat hacker Ben Caudill is halfway through his sandwich when he casually reaches over to his iPhone, swipes the screen a few times, then holds it up to me. “Is that you?” he asks.

It is, but nobody was supposed to know. He’s showing me one of my posts to Secret, the popular anonymous sharing app that lets you confess your darkest secrets to your friends without anyone knowing it’s you. A few minutes ago I gave Caudill my personal e-mail address, and that was all he needed to discover my secret in the middle of a Palo Alto diner, while eating a BLT.

So just how did researchers manage to connect users’ email addresses with secrets they had posted via the Secret app?

Well, it’s breathtakingly simple.

Secret posts

When you create an account on Secret, the app requests access to your address book – so it can identify friends who might also be using the service.

And, as Secret’s FAQ explains, you need at least seven friends before the app will begin to say that a secret has been posted by one of your friends (although, of course, it doesn’t identify which one).

Part of Secret FAQ

<blockquote style=”margin: 15px;padding: 15px 15px 5px;border-left: 5px solid #ccc;font-size: 13px;
font-style: normal;font-family: ‘Helvetica Neue’, Helvetica, sans-serif;line-height: 19px;”>

Until you have 7 friends, posts will not be identified as coming from “friends” or “friends of friends” but will instead indicate “Your Circle.” We’ll never explicitly tell you which of your friends are on Secret to protect identities.

Does that sound reasonable to you?

Well, maybe this will make you think again.

Because what the researchers then did was create seven bogus Secret accounts – something that’s remarkably easy to do as Secret doesn’t require you to confirm your phone number or email address.

And then came the really clever part, as Kevin Poulsen of Wired explains:

<blockquote style=”margin: 15px;padding: 15px 15px 5px;border-left: 5px solid #ccc;font-size: 13px;
font-style: normal;font-family: ‘Helvetica Neue’, Helvetica, sans-serif;line-height: 19px;”>

Next, [Caudill] deleted everything from his iPhone’s contact list, and added the seven fake e-mail addresses as contacts. When he was done, he added one more contact: the e-mail address of the person whose secrets he wanted to unmask — me.

Then he signed up for another new Secret account and synced his contacts. He now had a new, blank Secret feed that followed eight accounts: seven bot accounts created and controlled by him, and mine. Anything that appeared as posted by a “friend” logically belonged to me.

Clever, huh? And, in retrospect, remarkably straightforward.

So all that was required to find out what secrets you had posted was your email address – something that, for most of us, cannot really be considered private or secret.

Secret CEO David Byttow told Wired that the vulnerability has now been closed, and claimed that they had no evidence that the privacy hole had been maliciously exploited.

<blockquote style=”margin: 15px;padding: 15px 15px 5px;border-left: 5px solid #ccc;font-size: 13px;
font-style: normal;font-family: ‘Helvetica Neue’, Helvetica, sans-serif;line-height: 19px;”>

“As near as we can tell this hasn’t been exploited in any meaningful way. But we have to take action to determine that.”

However, it’s worth bearing in mind that an absence of evidence is not evidence of absence. Just because Secret can’t tell if the flaw has been excused to embarrass or blackmail individuals who have posted compromising secrets, doesn’t mean that it hasn’t happened.

Secret appAnd the Secret app’s developers have confirmed that since a bug bounty was introduced in February, a total of 42 security holes have been identified and fixed.

Obviously it’s good that security and privacy vulnerabilities are being fixed, but when it’s your *secrets* which are at stake, wouldn’t you feel happier knowing that the app had been built on more sturdy ground in the first place?

One has to wonder whether Secret’s claims of “refined algorithms” to detect bots and suspicious activity on Secret are really enough to protect its users.

Secret is no stranger to controversy, of course.

Just this week a Brazilian judge has called for the app to be banned from official app stores, claiming that it encourages anonymous bullying.

But, in my mind, the problems lies not so much with the app but with the people who use it.

They clearly haven’t learnt the most basic rules of keeping secrets.

Don’t tell anyone. Don’t write it down. Don’t type it into an app. Never ever post it onto the internet.

As soon as you trust anyone or anything else with a secret, you’re doomed.

The post Secret app takes mere minutes to hack, revealing anyone’s secret via simple vulnerability appeared first on We Live Security.