Tag: trojan

Polite malware updates your computer

An advertising-fraud Trojan politely makes sure that you are running the latest version of Flash and updates it for you if you have not got it.

The Kovter ad fraud Trojan infects computers through web-based exploits; its patching behaviour was recently observed by a malware researcher known as Kafeine.

Kovter hijacks the browser process and uses it to simulate user clicks on online advertisements in order to generate revenue for its creators.

According to Kafeine’s research, the Trojan targets vulnerabilities in browsers and in the Flash Player, Adobe Reader, Java and Silverlight plug-ins. Once it is installed it closes the door behind it by upgrading the software. It isn’t the first time a malware program has patched the flaws it used to get in. However, such cases are rare because malware writers normally want to leave as many backdoors open as possible.

In this case the malware writer is shutting out rivals, making the Trojan the dominant species.

Senior executives are a major security threat

Executives with an internet porn habit are not only infecting their systems with malware, but are keeping reports of the infections secret to hide their red faces.

According to a recent study from ThreatTrack Security, nearly six in 10 malware analysts at US enterprises have investigated or addressed a data breach that was never disclosed by their company.

In the blind survey, respondents admitted that more than 40 percent of their malware security breaches were caused by executives searching for porn and visiting dodgy sites.

Size apparently matters. The bigger the company, the less likely it was to report a breach, suggesting that executives were covering up their porn searching and had the power to suppress the news.

The independent blind survey of 200 security professionals dealing with malware analysis within U.S. enterprises was conducted by Opinion Matters on behalf of ThreatTrack Security in October 2013.

ThreatTrack CEO Julian Waits was not surprised that the breaches were occurring. Malware is more sophisticated, and US enterprises are constantly targeted for cyber espionage campaigns from overseas competitors and foreign governments.

“This study reveals that malware analysts are acutely aware of the threats they face, and while many of them report progress in their ability to combat cyber-attacks, they also point out deficiencies in resources and tools,” he said.

The report suggests that malware analysts often spend their time “tackling easily avoidable malware infections originating at the highest levels of their organization.”

More than 40 percent of malware breaches were caused by a senior executive visiting a pornographic website. More than half of them had clicked on a malicious link in a phishing email and just under half had allowed a family member to use a company-owned device. A third of them had downloaded a malicious mobile app.

More than half of all malware analysts said it typically takes them more than two hours to analyse a new malware sample. Only four percent said they are capable of analysing a new malware sample in less than an hour, while 35 percent said they did not have access to automated malware analysis software to do it.

The US has apparently beaten China as the most evil government hacker. More than 37 percent of respondents said the US is the country most adept at conducting cyber espionage. China was a close second at 33 percent.

Android Trojan can mount DDoS attacks

The Russian anti-virus vendor Doctor Web has found a new malicious program for Android which allows hacker groups to carry out mobile denial of service attacks.

Dubbed Android.DDoS.1.origin, it can turn any mobile phone into an attack device at the press of a button.

Android.DDoS.1.origin creates an application icon, similar to that of Google Play. If the user decides to use the fake icon to access Google Play, the application will be launched. This means that users will not even be aware that they have been infected.

The Trojan connects to a remote server and transmits the phone number of the compromised device to criminals and then waits for further SMS commands.

It can be used to attack a specified server or send an SMS.

It is apparently easy for criminals to send a command to attack a server: all they have to do is supply the parameter [server:port]. When they do, the phone sends data packets to the specified address.

It can also be used to send SMS spam.

The only way users can tell that they have been hit by the Trojan is if their phone connection performance is slower than a 150 year old hibernating turtle who has not had his first morning cup of coffee.

Their internet and SMS charges should go through the ceiling too, particularly if messages are sent to premium numbers.

Dr Web thinks that the Trojan is spread using social engineering tricks although the source has not been found yet.

Writing in the company bog, Dr Web said that it is continuing to investigate the virus and hopes to come up with a few answers soon. 

McAfee: Malware at highest level for four years

Malware attacks are at their highest level for four years according to a McAfee report, with malicious code writers finding new ways to attack mobile devices.

The Intel-owned security company today revealed the results of its quarterly Threats Report, highlighting a 1.5 million increase in malware samples since the first quarter of 2012.

McAfee Labs’ 500 researchers uncovered almost 100,000 malware samples each day, as attacks became more varied.

“Attacks that we’ve traditionally seen PCs are now making their way to other devices,” said Vincent Weafer, senior vice president of McAfee Labs.

This included Apple’s Mac devices targeted by the Flashback trojan, for example, as well as the ‘Find and Call’ malware worming its way into the Apple Store.

Also, attacks on mobile devices continued to increase after an explosion of mobile malware in the first quarter, according to McAfee. Nearly all of the new instances of malware were directed towards the Android operating system – including mobile botnets, spyware and SMS-sending malware.

Ransomware, malware which restricts access to a device until money is given to the attacker, was also on the increase, and is becoming a popular tool for cybercriminals. Instances of ransomware, which typically targets PCs, have increased, with attacks increasingly favouring mobile devices.

Cyber criminals have also found new ways to control botnets to ensure anonymity, such as using Twitter. Botnets, networks of infected machines used to send spam or to launch distributed denial of service (DDoS) attacks, are now being controlled through the social media site, with attackers tweeting commands to all infected devices. Overall instances of botnet infections reached a 12 month high during the quarter.

Malware being spread through USB thumb drives showed significant increases, with 1.2 million new samples of the AutoRun worm. Password-stealing malware samples also increased by 1.6 million.

Mutating Android trojan changes form whenever it's downloaded

In what could be an interesting case for Dr Who, Symantec has warned of a mutating Android trojan.

The company has found a new premium-rate SMS Android trojan that modifies its code every time it gets downloaded. This means that it can bypass antivirus detection.

It uses a technique known as server-side polymorphism and it has existed peacefully in the world of desktop malware for many years. Now, it seems that something in the mobile world has woken it up and reversing the polarity of the neutron flow does not seem to work.

According to Symantec, a special mechanism runs on the distribution server which modifies certain parts of the trojan to ensure that every malicious app that gets downloaded is unique.

This is not the same as local polymorphism where the malware modifies its own code, nor is it the same as a polymorphic ring tone.

So far, Symantec has seen several variants of the trojan which it calls Android.Opfake. All of them have come from Russian websites and it is believed that they had slumbered in the Siberian ice only to be awoken when a meteorite plummeted to earth .

The malware contains instructions to automatically send SMS messages to premium-rate numbers from a large number of European and former Soviet Union countries.

Writing in his bog, Vikram Thakur, the principal security response manager at Symantec, said that more complicated polymorphism requires more intelligent countermeasures and, we guess, when you deal with them it is really important not to blink.

DNSChanger trojan still infects Fortune 500 companies

Two months after a traffic hijacking scheme was brought to its knees, the software that powered a botnet is still running on computers at half of the Fortune 500 companies, and on nearly 50 percent of all federal government agency PCs.

The “DNSChanger Trojan” changes the host computer’s web settings to hijack search results and to block victims from visiting security sites that might help scrub the infections.

Inspector Knacker of the Estonian Yard fingered the collar of six men suspected of using the Trojan to control more than 4 million computers in over 100 countries. At the same time there was a coordinated attack on the malware’s infrastructure.

Companies were supposed to be cleaning up their systems before some bright spark figured out a way of reactivating the network.

But according to Krebs on Security, that cleanup process has been slow-going.

Insecurity company Internet Identity found evidence of at least one DNSChanger infection in computers at half of all the Fortune 500 firms, and 27 out of 55 major government entities.

Rod Rasmussen, president and chief technology officer at Internet Identity, said that there were some difficulties with removing this malware, but you would think people would want to get it cleaned up.

The FBI has warned that although it has a court order to replace the Trojan’s DNS infrastructure with surrogate, legitimate DNS servers, the order will expire on 8 March, 2012. When it expires, the internet connection for infected machines will break completely.
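The cleanup the section above describes starts with a simple question: which resolvers is this host actually using? The following is an added example, not Krebs’s, Internet Identity’s or the FBI’s tooling, that parses resolv.conf-style text and flags any nameserver outside the set an organisation expects. The allowlist, the hypothetical corporate ranges and the sample resolv.conf are all constructed for illustration.

```python
"""
Resolver-configuration check in the spirit of the DNSChanger clean-up: list the
nameservers a host is actually using and flag any that are not among the
resolvers the organisation expects. Added example; the allowlist, the sample
resolv.conf and the hypothetical corporate ranges are constructed.
"""
import ipaddress

# Resolvers this (hypothetical) organisation expects its hosts to use (assumption).
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("10.0.0.0/8"),      # internal corporate resolvers
    ipaddress.ip_network("192.0.2.53/32"),   # a single permitted external resolver
]

# Constructed sample of a Unix resolv.conf as a hijacked host might present it.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager (constructed sample)
search corp.example
nameserver 10.1.2.3
nameserver 203.0.113.77   # not one of ours
options ndots:2
"""


def parse_nameservers(text):
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        if fields[0] != "nameserver" or len(fields) < 2:
            continue
        try:
            servers.append(ipaddress.ip_address(fields[1]))
        except ValueError:
            pass  # malformed address: ignore rather than crash the check
    return servers


def unexpected_resolvers(servers, allowed=EXPECTED_RESOLVERS):
    """Addresses not covered by any allowed network; these need a closer look."""
    return [str(s) for s in servers if not any(s in net for net in allowed)]


def check_host(resolv_conf_text):
    """Summarise a host's resolver configuration for a clean-up report."""
    servers = parse_nameservers(resolv_conf_text)
    return {
        "configured": [str(s) for s in servers],
        "unexpected": unexpected_resolvers(servers),
    }


if __name__ == "__main__":
    result = check_host(SAMPLE_RESOLV_CONF)
    print("configured:", result["configured"])
    print("unexpected:", result["unexpected"])  # ['203.0.113.77']
```

On a real fleet the same check would be fed the output of each host’s resolver configuration (resolv.conf on Unix-like systems, the adapter DNS settings on Windows) and the allowlist would be the organisation’s own resolvers; any hit is a host to pull aside before the surrogate servers go dark.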

Grey market entrepreneurs turn trojans into profit

A small gang of men living in St. Petersburg, Russia, managed to elude law officials, Facebook and computer security firms for years. They operated Koobface, an infamous worm whose name is a play on Facebook and which spread like wildfire on the social network.

Security outfit Sophos has an excellent investigation revealing the mistakes the men made, which is available to read here. But what Koobface really demonstrated is the link between those irritating spam posts you wish your friends wouldn’t fall for. Everyone knows the sort: posts with names like “How can a girl be this sexy???” and “SHOCKING survivor story” which look almost real, but actually redirect the user and help to spread the virus.

The Koobface gang even stole real information from real people on dating websites and pieced it together into Facebook profiles which looked real. Captchas were no problem – you can hire companies in China which will provide you with 1,000 of them solved for just a dollar. 

Koobface is a fascinating bit of malware. It made money for the Koobface gang in two ways. First, it played on the gullible by redirecting them to scareware which appeared semi-legitimate. Less tech-savvy users would then download a bogus program that did nothing but remove a virus which never really existed – paying roughly $60 for the privilege. 

Second, Koobface had its roots entrenched in the Russian pornography industry. Affiliates are an easy money spinner if you’re prepared to leave any moral scruples at the door. The Koobface gang would make profits from porn sign-ups and adverts run by agencies that will claim ignorance.

Koobface’s legacy highlights the far-reaching and enormously profitable black market on the web, though a security analyst, who does not wish to be named, says calling it that isn’t entirely accurate. But he does agree that we are talking about at least a billion dollar industry.

It’s not technically a black market, our analyst says, because often the perpetrators are aware that the countries they operate in don’t have the cyber laws in place that give authorities the powers to bring them down.

Dirk Kollberg, a lead investigator in the Sophos report, explains the link to Russia’s porn industry and web attacks clearly: “What we know is porn is a good way to make money, proven over the internet for years. So there are people in Russia who think it might be interesting for them to take it as a main source of income. If they want to boost their income, they might want to use some trojans to get more people on their site…”

Along with the porn link, there was the scareware. When users sign up for the “service” and pay the rate for the fake antivirus, the affiliate gets 40 or 50 percent depending on how much money they generate, Kollberg tells us. “There are other people just making money getting customers to the pages,” he continues, and it’s not just about Facebook. “You might get redirected while searching for something on Google Images – looking for pictures of nice cars, for examples – and you might get redirected to a blog. And if you sign up to where that blog redirects you, Koobface gets the money.”

Steve Jobs once said: “It is hard to think that a $2 billion company with 4,300-plus people couldn’t compete with six people in blue jeans.” 

But that is the way cyber crime can work. Sophos’ previous investigation was with a group calling itself InnovativeMarketing, based in the Ukraine, one of the biggest ever scareware vendors on the web. “They focus on creating the software and creating fake websites,” Kollberg says, “fooling ISPs into hosting their sites, and then also providing tech support for their users. Those people would tell them it’s not scareware and they’re fine. They had call centres in Germany, France, Switzerland, Denmark, Dallas and two call centres in India.” 

Providing their own infrastructure, using clever but morally bankrupt social engineering and tools available in the grey market, InnovativeMarketing brought in $180 million in revenues in 2008 alone. 

Kollberg says that the scene is “very modular” now. “You just put the stuff in that you need: Look at the Zbot trojan. Someone buys the software, configures it for its own need, then puts it somewhere on the web.” 

Brazen grey-market entrepreneurs have never had it easier. “If you want to distribute the trojan, to thousands of people,” says Kollberg, “you can just rent a botnet.”

State trojan will see heads roll in Germany

On Saturday, Germany’s Chaos Computer Club (CCC) released a detailed analysis of the so-called Bundestrojaner (Federal Trojan) used by various police forces to spy on suspects.

According to the CCC, the trojan was in breach of tight limits determined by Germany’s highest court, the Federal Constitutional Court.

Rules imposed by the court limit any sort of trojan employed by police and intelligence services to surveillance of VoIP, i.e. voice chats over Skype. However, it appears the police have ignored the Federal Constitutional Court’s order by using an insecure and shoddily programmed trojan offering more features than is allowed.

Apart from being badly programmed and insecure, the trojan also allows various modules to be downloaded and installed. Theoretically, investigators would be able to search HDDs and manipulate data. As for shoddy programming, commands transmitted to the trojan are not encrypted, and a single key was used for all the trojans. Data transferred from PCs and commands were routed over a server in the USA, outside of German law.

The trojan, labelled R2D2 by various antivirus outfits due to the inclusion of C3PO, R2D2 and POE in the code, was pieced together by a German company called Digitask. In 2002, the company’s former CEO and owner was sentenced to 21 months probation and a 1.5 million euro fine for bribing state employees at the Customs Criminal Office in Cologne.

The company renamed itself from Reuter Leiterplatten GmbH to DigiTask GmbH and once more enjoys selling services to state agencies. Cryptome.org managed to lay its hands on a small presentation by the company.

One of the trojans analysed by the CCC was forwarded to the club by German lawyer Patrick Schladt. Bavarian state police were investigating one of his clients on drug-related charges and installed a trojan on his PC, which forwarded screenshots to investigators in clear breach of the law. A court later determined the police had no legal basis to do so.

Furthermore, the Bavarian police shouldn’t have made use of a trojan to monitor the client. The Federal Constitutional Court limited not only the means of surveillance, but also in which cases a trojan may be used by state authorities.

Cases are limited to the most serious crimes and terrorism. The client being monitored was a drug distributor whose crime may or may not have been shipping medicines to distribute in Germany, but perhaps not legal to export. Terrorism or serious crime, this is not.

The Bavarian police recently also hit the news in Germany for various cases of police brutality.

One of the cases saw a 14 year old youth losing teeth as a result of a police beating, and his head smashed against a wall. The conservative ruling party in Bavaria, the CSU (Christian Social Union), ignored the case until press reports led to public and political pressure.

Bavaria was not the only federal state to use the trojan.

Baden-Württemberg used it, though its Green-Labour coalition government has since stopped. In Brandenburg, it has been used to monitor a suspect facing an international arrest warrant. Berlin has not used a trojan, due to legal concerns.

Germany has a political scandal brewing which will influence upcoming elections. Heads are set to roll, especially in Bavaria where the trojan has been used in clear breach of law.

The Pirate Party is set to profit. Recent polls have seen the party at nine percent, and voter approval can only be expected to grow in the following weeks and months. Should Angela Merkel’s conservative-liberal coalition drop dead before the next election, the situation will become very interesting.

Votes for the Pirate Party will mean fewer for the Social Democrats and Germany’s Green Party, who are more or less expected to form the next coalition government. The most likely outcome will be either a grand coalition government between Christian and Social Democrats, or a coalition between Social Democrats, Greens and – hold your breath – Pirates.

This is a reasonable scenario, should the Social Democrats and Greens suffer losses to the Pirate Party.

It would indeed be a political earthquake if the Pirate Party passes the five percent barrier required for a seat in the Bundestag, the German Federal Parliament.

Such a result would pressure established parties to become competent in technology and place more scrutiny on the law. Lobbying would be hit hard, while the democratic process would be strengthened.

It wouldn’t be far-fetched to recognise the Pirate Party as a replacement for the liberal Free Democrats as an upholder of civil rights in the 21st century.

OddJob trojan hijacks secure online banking

Insecurity outfit Trusteer has discovered a trojan named after charismatic Bond villain OddJob. 

This one acts subtly, by keeping financial sessions open after customers think they’ve safely logged off. It tries to hijack banking sessions in real time using session ID tokens, but while the user is making a cuppa or cursing the bank, the trojan lets cyber criminals transfer dosh seemingly legitimately.

It is primarily being used by criminals based in Eastern Europe, and is targeting customers in a range of countries but predominantly in the USA, Poland and Denmark. It’s a “work in progress,” according to Trusteer.

Changes in hooked functions have been witnessed by security analysts over the past couple of weeks, as well as changes in the way the Command & Control protocols work. Trusteer expects an evolution of the malware as the functionality does not appear to be complete yet: coders are working to refine it.

OddJob is able to perform different actions on targeted websites depending on configuration – including logging GET and POST requests, as well as terminating connections, downloading full pages and placing data on websites. All requests work in real time meaning hidden session hijacks are a piece of cake.

This is different from other malware because hackers don’t need to make the step to log in to online banking. Instead they muscle in on something that has already been authenticated.

Malware configuration is not saved to disk either, so it’s unlikely to be spotted by a lot of current antivirus applications. A fresh copy is made each time a user opens a new session. Coupled with the ability to ignore log-out requests, it’s a dangerous piece of code which can quite easily rinse your account.
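The trick described above only works if logging out is something the browser does rather than something the server enforces. The following is an added example, not Trusteer’s or any bank’s code, that contrasts a session store whose logout merely tells the browser to forget its cookie with one that destroys the session record on the server and expires idle sessions. The token format, the idle timeout and the “weak” comparison store are assumptions made for illustration.

```python
"""
Server-side session handling that blunts the "ignore the log-out" trick:
logout and inactivity destroy the session record on the server, so a session
ID token captured during a live session is useless afterwards. Added example;
the store, token format, idle timeout and the weak comparison store are
assumptions for illustration, not any real bank's implementation.
"""
import secrets
import time

IDLE_TIMEOUT = 300  # seconds of inactivity after which a session dies (assumption)


class SessionStore:
    """Hardened store: logout and inactivity remove the record on the server."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # session token -> {"user": str, "last_seen": float}

    def login(self, user):
        token = secrets.token_urlsafe(32)  # unguessable session ID token
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def authenticate(self, token):
        """Return the user bound to a live token, or None if it is not live."""
        rec = self._sessions.get(token)
        if rec is None:
            return None
        if self._clock() - rec["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]  # expired: drop it so a replay cannot revive it
            return None
        rec["last_seen"] = self._clock()
        return rec["user"]

    def logout(self, token):
        """Invalidate on the server; a client that 'forgot' to log out gains nothing."""
        self._sessions.pop(token, None)


class WeakSessionStore(SessionStore):
    """Comparison store whose logout only tells the browser to drop its cookie.
    The server record survives, so a copied token keeps working after logout."""

    def logout(self, token):
        pass  # nothing removed server-side: this is the weakness being illustrated


class FakeClock:
    """Controllable clock so the idle timeout can be exercised deterministically."""

    def __init__(self, now):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def replay_after_logout(store_cls):
    """Simulate a token observed during a live session and replayed after logout."""
    clock = FakeClock(1_000.0)
    store = store_cls(clock=clock)
    token = store.login("alice")
    observed = token          # the malware saw the token while the session was live
    store.logout(token)       # the user clicks "log out"
    return store.authenticate(observed)  # who does the server think this is now?


def idle_timeout_expires(store_cls=SessionStore):
    """A session nobody has touched for longer than IDLE_TIMEOUT must be dead."""
    clock = FakeClock(1_000.0)
    store = store_cls(clock=clock)
    token = store.login("bob")
    clock.advance(IDLE_TIMEOUT + 1)
    return store.authenticate(token)


if __name__ == "__main__":
    print("weak store after logout:", replay_after_logout(WeakSessionStore))  # alice
    print("hardened store after logout:", replay_after_logout(SessionStore))  # None
    print("hardened store after idle timeout:", idle_timeout_expires())       # None
```

The design point is that the server, not the browser, is the authority on whether a session exists: a logout that only clears a cookie leaves the server-side record intact for anyone holding the token, while a logout that deletes the record (plus an idle timeout for sessions the user simply abandoned) means a captured token stops working the moment the user leaves.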

Gigabytes of government data stolen in fake e-card scam

Several gigabytes of sensitive government data have been stolen from government and online security staff in a fake White House e-card scam, according to KrebsonSecurity.

An email circulated among a large number of public sector employees in the US on December 23 pretending to be a legitimate electronic greeting card from the government. The message read:

“As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our greetings. Be sure that we’re profoundly grateful for your dedication to duty and wish you inspiration and success in fulfillment of our core mission.

Greeting card:

Merry Christmas!

Executive Office of the President of the United States
The White House
1600 Pennsylvania Avenue NW
Washington, DC 20500”

When users accepted it, however, it installed data-stealing malware on their computers, including a ZeuS trojan variant that focused on nabbing documents rather than financial details, suggesting that this attack was primarily interested in taking advantage of the Christmas season to steal government information.

A large number of people fell for the scam, including an official at the Moroccan government’s Ministry of Industry, Commerce and New Technologies, an employee of the Millennium Challenge Corporation, a member of the Financial Action Task Force, and worst of all an intelligence analyst working for the Massachusetts State Police and a staff member of the National Science Foundation’s Office of Cyber Infrastructure, people who probably should have known better.

Information that was gathered in the 2GB data attack includes NSF technology and science grant applications, court-ordered mobile phone intercepts, classified national security documents, financial files, and other sensitive information.