Viruses and Worms

Jailed fraudster admits running same cold-caller con from behind bars

The Register - Anti-Virus - 12 June 2017 - 19:12
Fooling marks into divulging bank details made £2m a week

The jailed kingpin behind a multimillion-pound fraud has admitted attempting to run an almost identical con from behind bars.…

Category: Viruses and Worms

Apple to auto-update devices to two-factor authentication

Sophos Naked Security - 12 June 2017 - 18:59
iOS 11 and macOS High Sierra public beta testers will be automatically upgraded from two-step verification (2SV) to two-factor authentication (2FA), but most users are unclear about the benefits of using 2FA.

Facebook wants to feel your pain (and your joy)

Sophos Naked Security - 12 June 2017 - 18:13
Feeling happy? Feeling sad? Facebook plans to harness your phone's keyboard and camera to find out.

Google's news algorithm serves up penis pills

The Register - Anti-Virus - 12 June 2017 - 18:02
This story has: Maths, Google, 'fake' pharma, explicit screenshots...

+Comment  Our Monday here at The Reg's London offices has been cheered no end by Google News, which has been spitting out odd pharmaceutical-related "journalism" throughout the day.…

Category: Viruses and Worms

Word exploits weaponised in quick time

Sophos Naked Security - 12 June 2017 - 17:55
The normal lifecycle of an Office exploit can take months - what makes this latest Word exploit different?

Move over, Stuxnet: Industroyer malware linked to Kiev blackouts

The Register - Anti-Virus - 12 June 2017 - 17:36
Modular nasty can seize direct control of substation switches and circuit breakers

Security researchers have discovered malware capable of disrupting industrial control processes.…

Category: Viruses and Worms

German police nick alleged admin of dark web gun sales site

The Register - Anti-Virus - 12 June 2017 - 15:39
Charge connected to 2016 Munich mass-murder weapon

German police have arrested a man they suspect of being the administrator of a dark net website. The site is said to have been used to buy a gun used in a 2016 mass murder.…

Category: Viruses and Worms

Attackers Mining Cryptocurrency Using Exploits for Samba Vulnerability

VirusList.com - 12 June 2017 - 15:34
Kaspersky Lab said it has seen some of the first exploits targeting a patched Samba vulnerability (CVE-2017-7494), and they are being used to mine the Monero cryptocurrency.
Category: Viruses and Worms

Mac ransomware author is giving away malicious code to script kiddies

The Register - Anti-Virus - 12 June 2017 - 14:19
Ringleader passes 30 per cent of earnings to their stooges

Security researchers have discovered a ransomware variant that targets Macs rather than Windows PCs.…

Category: Viruses and Worms

VB2016 paper: Diving into Pinkslipbot's latest campaign

Virus Bulletin News - 12 June 2017 - 11:10
Pinkslipbot, also known as Qakbot or Qbot, is a banking trojan that makes the news every once in a while and was the subject of a VB2016 paper by Intel Security researchers Sanchit Karve, Guilherme Venere and Mark Olea. In it, they provided a detailed analysis of the Pinkslipbot/Qakbot trojan and its then latest campaign. Their full paper is now available to download or read online.

Category: Viruses and Worms

Who will save us from voice recog foolery from scumbags? Magnetometer!

The Register - Anti-Virus - 12 June 2017 - 11:03
Yes, the one that lives in your mobile ...

Scientists are working on a way of using the internal orientation sensors in smartphones to defend against efforts to trick voice recognition systems.…

Category: Viruses and Worms

Monday review – the hot 24 stories of the week

Sophos Naked Security - 12 June 2017 - 10:20
From secret posts that aren't secret and Facebook denying parents access to dead daughter’s account to why ‘I forgot my password’ won't cut it, and more!

Virgin Media resolves flaw in config backup for Super Hub routers

The Register - Anti-Virus - 12 June 2017 - 10:00
Backups encrypted but key was the same across all UK hubs

A recently resolved flaw in Virgin Media wireless home routers gave hackers a means to gain unauthorised administrative-level access to the devices.…

Category: Viruses and Worms

Ta-ta, security: Bungling Tata devs leaked banks' code on public GitHub repo, says IT bloke

The Register - Anti-Virus - 12 June 2017 - 09:02
Canadian banks' bête noire spills the beans

Staff at Indian outsourcing biz Tata Consultancy Services uploaded a huge trove of financial institutions' source code and internal documents to a public GitHub repository, an IT expert has claimed.…

Category: Viruses and Worms

Two Tickets as Bait

Kaspersky Securelist - 10 June 2017 - 15:21

Over the previous weekend, social networks were hit with a wave of posts falsely claiming that major airlines were giving away free tickets. Users from all over the world became involved: they published posts that mentioned Emirates, Air France, Aeroflot, S7 Airlines, EVA Air, Turkish Airlines, AirAsia, Air India and other companies. We cannot rule out that similar posts mentioning other brands will appear in the near future as well.

Naturally, there were no promotions giving away airline tickets. The posts came from fraudsters posing as the largest airlines in order to subscribe victims to paid mobile services, collect personal data, install malware and drive traffic to websites full of advertisements and dubious content. To do this the fraudsters registered a multitude of domains hosting content in the name of well-known brands. On these sites users are congratulated on winning two airline tickets and then asked to perform a series of actions to receive the gift. In the end the victim lands on yet another site belonging to the fraudsters, which monetizes the victim's “work” and spreads news of the non-existent promotion further across the social network.

An example of a social-network post with a link to a fraudulent website

This is by no means the first case where users themselves have spread fraudulent content on social networks. We have previously written about a fake petition in defense of Suarez that was distributed by Facebook users, about fake donation drives, and about pornware. All of these incidents have one thing in common: the threats are distributed over social networks, and the users themselves often take part in spreading them.

The attack model

Let us return to the most recent case and examine it a bit closer. By following the link from a social network news feed, a user navigates to a fraudulent website. We have found a series of domains that belong to fraudsters: deltagiveaway.com, vvxwx9.us, aeroflot-com.us, aeroflot-ticket.us, qq3mz9.us, emiratesnow.us, emiratesgo.us, com-beforeitsends.us, emirates.iwelltrip.us, and many others.

Some examples of fraudulent websites that make use of famous airline brands

Since the fraudulent schemes only varied by logo, language, and color scheme, depending on the brand, let’s take one website out of the many and discuss it. The website that claims to belong to American Airlines contains information about a promotional giveaway of two tickets to respondents who must answer three questions.

An example of a fraudulent website that uses American Airlines branding.

After completing the survey, the victim is asked to take two more steps. First, post the promotional information on his or her social-network page and thank the airline in a comment. Second, click the “Like” button. Note that the page shows what appear to be Facebook comments from users who have already won tickets; on investigation these comments turn out to be fake. You can even leave your own comment, but it disappears once the page is refreshed. All of this is designed to convince the victim that the page is legitimate.

We would like to note that most comments are posted in various languages by the same people, and the messages are similar in content and most likely are translated using machine translation.

After all of the required actions have been performed, the website redirects the user to various web pages depending on the visitor's geolocation. In some cases we were redirected to the websites shown below.

Each time all of the same aforementioned actions are performed and the same survey is completed, the website does something different and may redirect users to various web pages. We have found websites with a variety of dubious content, including lotteries, advertisements, new surveys with giveaways, links to suspicious files that can be downloaded, and so on.

Among other things, some websites suggest that users download a certain “useful” file and at the same time urge them to install a potentially dangerous browser extension. The extension requests permission to read all data in the browser, which would let the fraudsters obtain passwords, logins, credit-card data and other confidential information entered by the user. Beyond that, the extension may later continue spreading links to itself on Facebook, posting on behalf of the user to his or her friends. This is exactly the threat carried out by an attack we have discussed previously.

At the time of publication this extension alone had been installed by over 5,000 users, according to the statistics of the browser's web store.

The number of victims and their location

Most resources that utilize the fraudulent scheme contain links to external services that collect statistics for website traffic. These data show that the attack was widely distributed and was mostly directed at smartphone users. For example, here are some impressive statistics for only two of all the domains that we discovered.

Statistics for the aeroflot-ticket.us website

Statistics for the emirateswow.us website

Unfortunately, numerous users took the fraudsters' bait. They tried their luck, ignored the many signs typical of a scam, and in doing so spread potentially dangerous content among their friends on a social network.

Some examples of published posts with links to fraudulent websites

Thus, the fraudulent web resources and their many counterparts across the Internet gained enormous reach in a matter of hours. The possibilities of social networks are endless when it comes to spreading information across the globe, and these fraudsters only confirm it.

Some examples of published posts with links to fraudulent websites

Finally, here are a few pieces of advice.

  • Be sensibly skeptical about such “promotions”. Before following suspicious links and entering personal data on a website, contact a representative of the company that is supposedly running the promotion and confirm the information.
  • A careful examination of a website's address will help identify fraud. It is worth verifying whether the domain actually belongs to the company named on the site; services that provide whois data about domains can help here.
  • Be responsible when posting content from your social-network account. To avoid becoming part of a fraudulent scheme, do not spread information of questionable authenticity.
  • Do not install suspicious browser extensions. If you find an installed extension that seems suspicious or whose purpose you do not remember, delete it immediately in your browser's settings and change the passwords of the websites you visit, especially online banking.
  • Use a security solution that protects against phishing (an Internet Security-class product or higher); it will block attempts to navigate your browser to fraudulent websites.
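The second piece of advice, checking whether the address really belongs to the brand, can be automated for a feed of links like the one in this campaign. The script below is an added example and is not code from the Securelist post. The allow-list of each airline's legitimate registrable domains is an assumption for illustration, and the registrable-domain shortcut (last two labels) ignores multi-part public suffixes such as co.uk; a production check should use the Public Suffix List and, as the post suggests, confirm ownership via whois. The target list mixes the fraudsters' domains named in the post with one genuine address.

```python
"""Classify link targets from the airline giveaway wave as brand lookalikes.

Added example; not code from the Securelist post. LEGIT_DOMAINS is an
illustrative allow-list, and registrable_domain() is a deliberate shortcut
(no Public Suffix List).
"""
from urllib.parse import urlsplit

# Assumed legitimate registrable domains per brand (illustrative allow-list).
LEGIT_DOMAINS = {
    "aeroflot": {"aeroflot.ru", "aeroflot.com"},
    "emirates": {"emirates.com"},
    "delta": {"delta.com"},
}

# Domains named in the post as belonging to the fraudsters, plus a genuine one.
SAMPLE_TARGETS = [
    "http://deltagiveaway.com/",
    "vvxwx9.us",
    "aeroflot-com.us",
    "aeroflot-ticket.us",
    "emiratesnow.us",
    "com-beforeitsends.us",
    "http://emirates.iwelltrip.us/win",
    "https://www.aeroflot.com/",
]


def hostname_of(target):
    """Lower-case hostname from a bare host or a full URL."""
    if "://" not in target:
        target = "http://" + target
    return (urlsplit(target).hostname or "").lower().rstrip(".")


def registrable_domain(host):
    """Last two labels (shortcut; a real check uses the Public Suffix List)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(target):
    """'legitimate' if the registrable domain is the brand's own,
    'impersonation' if a brand name appears anywhere else in the host
    (subdomain, hyphenated label, prefix such as 'emiratesnow'),
    otherwise 'unknown' (a throwaway domain that carries no brand name)."""
    host = hostname_of(target)
    reg = registrable_domain(host)
    if any(reg in domains for domains in LEGIT_DOMAINS.values()):
        return "legitimate"
    # Strip separators so "aeroflot-com.us" and "emirates.iwelltrip.us"
    # both expose the brand string in the same way.
    flat = host.replace("-", "").replace(".", "")
    if any(brand in flat for brand in LEGIT_DOMAINS):
        return "impersonation"
    return "unknown"


def triage(targets):
    """Map each target to its verdict."""
    return {t: classify(t) for t in targets}


if __name__ == "__main__":
    for target, verdict in triage(SAMPLE_TARGETS).items():
        print(f"{verdict:14} {target}")
```

Note that "unknown" is not a clean bill of health: vvxwx9.us and com-beforeitsends.us carry no brand name at all, which is itself typical of throwaway redirector domains, so a verdict of "unknown" on a link that claims to be an airline promotion should still be treated as suspicious.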

SambaCry is coming

Kaspersky Securelist - 10 June 2017 - 00:07

Not long ago, news appeared online of a younger sibling of the sensational EternalBlue vulnerability: a new vulnerability in *nix-based systems, EternalRed (aka SambaCry). This vulnerability (CVE-2017-7494) affects all versions of Samba from 3.5.0 (released in 2010) onward and was patched only in the latest releases of the package (4.6.4, 4.5.10 and 4.4.14).

On 30 May our honeypots captured the first attack to make use of this vulnerability, but its payload had nothing in common with the ransomware (WannaCry) that was delivered through EternalBlue. Surprisingly, it was a cryptocurrency mining utility!

Vulnerability exploitation

To check whether an unauthenticated user has permission to write to the share, the attackers first try to write a text file consisting of eight random characters. If the attempt succeeds they delete the file.

Writing and deleting the text file

After this check it is time for the exploit's payload, which is built as a shared object that Samba will load as a plugin. Once the vulnerability has been exploited the payload runs with the privileges of the Samba process, i.e. as root, but first the attackers have to guess the full server-side path of the file they dropped, starting from the root of the filesystem. We can see such attempts in the traffic captured on our honeypot: they simply brute-force the most obvious share paths (the ones given in various how-to guides, etc.).

Bruteforcing the path to the payload

Once the path to the file is found it can be loaded and executed in the context of the Samba server process using the SambaCry vulnerability. Afterwards the file is deleted to hide the traces; from that moment the payload exists and runs only in memory.

In our case two files were uploaded and executed in such a way: INAebsGB.so (349d84b3b176bbc9834230351ef3bc2a – Backdoor.Linux.Agent.an) and cblRWuoCc.so (2009af3fed2a4704c224694dfc4b31dc – Trojan-Downloader.Linux.EternalMiner.a).

INAebsGB.so

This file holds the simplest of reverse shells. It connects to a port on the IP address chosen by its owner and gives them remote access to a shell (/bin/sh). As a result the attackers can execute any shell command remotely; they can literally do anything they want, from downloading and running programs from the Internet to deleting all the data on the victim's computer.

Listing of INAebsGB.so

It is worth noting that a similar payload can be found in Metasploit's implementation of the SambaCry exploit.

cblRWuoCc.so

The main functionality of this file is to download and execute one of the most popular open-source cryptocurrency mining utilities, cpuminer (minerd). This is done with a hardcoded shell command, shown in the screenshot below.

The main functionality of cblRWuoCc.so

The file minerd64_s (8d8bdb58c5e57c565542040ed1988af9 — RiskTool.Linux.BitCoinMiner.a) downloaded in such a way is stored in /tmp/m on the victim’s system.

Cpuminer and what it actually mines

The interesting part is that the version of cpuminer used has been “upgraded” so that it can be launched without any parameters and mines straight to the attackers' hardcoded wallet. We naturally became interested in this wallet, so we decided to investigate a bit and find out the balance of the attackers' account.

Along with the attackers' wallet address, the pool address (xmr.crypto-pool.fr:3333) can be found in the body of the miner. This pool mines the open-source cryptocurrency Monero. With this data we were able to check the balance of the attackers' wallet and the full log of transactions. Let's have a look:
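Because the pool endpoint and the wallet are hardcoded as plain strings, they can be pulled out of a sample with a strings-style scan and used as indicators. The script below is an added example, not code from the Securelist post. The pool endpoint xmr.crypto-pool.fr:3333 is the one the post reports inside the miner; the wallet address and the byte blob are constructed stand-ins (the blob only imitates an ELF file with an argument string inside) and are not the attackers' real binary or wallet.

```python
"""Recover pool endpoint and wallet from a cryptominer's embedded strings.

Added example; not code from the Securelist post. SAMPLE_BLOB and
FAKE_WALLET are constructed for this example.
"""
import re

# Stratum-style endpoints: a hostname followed by a port.
POOL_RE = re.compile(
    rb"(?<![\w.-])([a-z0-9][a-z0-9.-]*\.[a-z]{2,}):(\d{2,5})(?!\d)", re.I)
# Standard Monero public address: 95 base58 characters starting with '4'.
B58 = rb"[1-9A-HJ-NP-Za-km-z]"
XMR_ADDR_RE = re.compile(rb"(?<!" + B58 + rb")4" + B58 + rb"{94}(?!" + B58 + rb")")

# Constructed 95-character base58 string standing in for the real wallet.
FAKE_WALLET = "4" + ("AbCdEfGhJkMnPqRsTuVwXyZ123456789" * 3)[:94]
# Constructed blob: fake ELF header, a hardcoded miner argument string,
# and the file names the post mentions.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"-o stratum+tcp://xmr.crypto-pool.fr:3333 -u "
    + FAKE_WALLET.encode() + b" -p x\x00"
    + b"/tmp/m\x00minerd64_s\x00"
)


def extract_miner_iocs(blob):
    """Return sorted unique pool endpoints and Monero addresses found in blob."""
    pools = {m.group(1).decode().lower() + ":" + m.group(2).decode()
             for m in POOL_RE.finditer(blob)}
    wallets = {m.group(0).decode() for m in XMR_ADDR_RE.finditer(blob)}
    return {"pools": sorted(pools), "wallets": sorted(wallets)}


def iocs_from_file(path):
    """Convenience wrapper for a sample on disk (e.g. a recovered /tmp/m)."""
    with open(path, "rb") as fh:
        return extract_miner_iocs(fh.read())


if __name__ == "__main__":
    print(extract_miner_iocs(SAMPLE_BLOB))
```

The address pattern only checks shape, not the embedded checksum, so treat a hit as a candidate to confirm against the pool's public statistics rather than as proof; the pool endpoint, on the other hand, is directly usable as a network indicator (outbound TCP 3333 to that host).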

Balance of the attackers’ account on 08.06.2017

Log of transactions with all the attackers’ cryptocurrency income

The mining utility is downloaded from a domain registered on 29 April 2017. According to the transaction log, the attackers received their first coins the very next day, 30 April. On the first day they gained about 1 XMR (about $55 at the exchange rate for 8 June 2017), but over the last week they have been gaining about 5 XMR per day. This means the botnet of devices working for the attackers' profit is growing.

Considering that the world only learned of the EternalRed vulnerability at the end of May, and the attackers had already adopted it, the growth rate of the number of infected machines has increased significantly. After about a month of mining the attackers had gained 98 XMR, which means they earned about $5,500 at the exchange rate at the time of writing.

Conclusion

As a result, the attacked machine turns into a workhorse on a large farm, mining crypto-currency for the attackers. In addition, through the reverse-shell left in the system, the attackers can change the configuration of a miner already running or infect the victim’s computer with other types of malware.

At the moment we don’t have any information about the actual scale of the attack. However, this is a great reason for system administrators and ordinary Linux users to update their Samba software to the latest version immediately to prevent future problems.
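For an administrator with many Linux hosts, "update immediately" starts with knowing which hosts are exposed. The script below is an added example, not code from the Securelist post or from the Samba project. The affected range (3.5.0 onward) and the fixed releases (4.4.14, 4.5.10, 4.6.4) are taken from the post; the "nt pipe support = no" workaround is the one published in Samba's advisory for CVE-2017-7494. The two smb.conf fragments are constructed: a weak one with an anonymous writable share at a guessable path (exactly what the attack described above needs) and the same config with the workaround applied. One caveat: the version test is an upstream check, and distributions that backport the fix keep the old version number, so a "VULNERABLE" verdict on a distro package must be confirmed against the package changelog.

```python
"""Triage a Samba host for CVE-2017-7494 (SambaCry / EternalRed).

Added example; not from the Securelist post or the Samba project.
WEAK_SMB_CONF and HARDENED_SMB_CONF are constructed for this example.
"""
import re

FIRST_AFFECTED = (3, 5, 0)
FIXED_PATCH = {(4, 4): 14, (4, 5): 10, (4, 6): 4}   # branch -> first fixed patch level
FIRST_CLEAN_BRANCH = (4, 7, 0)   # assumption: releases after 4.6 shipped with the fix

WEAK_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Bad User
[public]
   path = /srv/samba/public
   guest ok = yes
   writable = yes
"""

HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Bad User
   nt pipe support = no      ; workaround from the Samba advisory
[public]
   path = /srv/samba/public
   guest ok = yes
   writable = yes
"""


def parse_version(text):
    """'Version 4.5.10-Debian' -> (4, 5, 10); distro suffixes are ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version_text):
    """Upstream version check only; distro backports need a changelog check."""
    v = parse_version(version_text)
    if v < FIRST_AFFECTED or v >= FIRST_CLEAN_BRANCH:
        return False
    fixed = FIXED_PATCH.get(v[:2])
    if fixed is None:          # branch never received a fix (e.g. 3.6.x, 4.3.x)
        return True
    return v[2] < fixed


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}. Keys are normalised
    the way Samba does (case-insensitive, internal whitespace collapsed);
    trailing ';' comments on a value line are dropped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            value = value.split(";", 1)[0].strip()
            conf[section][" ".join(key.lower().split())] = value
    return conf


def _truthy(value):
    return value.strip().lower() in ("yes", "true", "1")


def pipe_support_disabled(conf):
    """True if the advisory workaround 'nt pipe support = no' is in effect."""
    return not _truthy(conf.get("global", {}).get("nt pipe support", "yes"))


def writable_shares(conf):
    """{share: path} for shares a client may write to. 'writable', 'writeable'
    and 'write ok' are Samba synonyms for the inverse of 'read only', whose
    default is yes."""
    found = {}
    for name, opts in conf.items():
        if name == "global":
            continue
        writable = not _truthy(opts.get("read only", "yes"))
        for synonym in ("writable", "writeable", "write ok"):
            if synonym in opts:
                writable = _truthy(opts[synonym])
        if writable:
            found[name] = opts.get("path", "")
    return found


def assess(version_text, smb_conf_text):
    """'patched', 'mitigated' or 'VULNERABLE' for one host."""
    if not is_vulnerable(version_text):
        return "patched"
    if pipe_support_disabled(parse_smb_conf(smb_conf_text)):
        return "mitigated"
    return "VULNERABLE"


if __name__ == "__main__":
    for ver in ("4.6.2", "Version 4.5.10-Debian"):
        for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
            print(ver, label, assess(ver, conf), writable_shares(parse_smb_conf(conf)))
```

On a real host the inputs are the output of `smbd -V` and the contents of /etc/samba/smb.conf; the writable_shares() listing is worth keeping even after patching, since an anonymous writable share at a well-known path is exactly the foothold the honeypot traffic shows attackers brute-forcing.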

GameStop Online Shoppers Officially Warned of Breach

VirusList.com - 9 June 2017 - 22:11
Some customers are irked it took GameStop months to inform them that their personal and financial information could have been compromised in a breach of GameStop.com that began in August 2016.
Category: Viruses and Worms

Google Releases reCAPTCHA API for Android

VirusList.com - 9 June 2017 - 21:38
Google has released a reCAPTCHA API for Android, a first for mobile applications.
Category: Viruses and Worms

News in brief: Ransomware-proof Windows?; Al Jazeera attacked; Coats keeps quiet

Sophos Naked Security - 9 June 2017 - 19:22
Your daily round-up of some of the other stories in the news

Platinum APT First to Abuse Intel Chip Management Feature

VirusList.com - 9 June 2017 - 18:46
Microsoft has found a file-transfer tool used by the Platinum APT that leverages Intel Active Management Technology to stealthily load malware onto networked computers.
Category: Viruses and Worms