
DNS Changer infrastructure shutdown is a *good* thing

On March 8th the FBI may shut down the DNS servers that victims of the DNS Changer malware have been using. Is this a dangerous action, or is five months to clean up your PC enough?

Posted: 4 Feb 2012 | 4:05 pm

Malware Uses Sendspace to Store Stolen Documents

We’ve recently encountered malware that grabs MS Word and Excel files from users’ infected systems and then uploads them to the file hosting site sendspace.com. Sendspace is a file hosting website that offers file hosting to enable users to “send, receive, track and share your big files.”

Sendspace was recently used for dropping stolen data but wasn’t done automatically by malware. As reported late last year, hackers used Sendspace for rounding up and uploading stolen data.

However, this is the first time we’re seeing malware being used to upload stolen data to the file hosting and transfer site.

In this attack, the infection starts off with a malicious file, Fedex_Invoice.exe, detected as TROJ_DOFOIL.GE. The file name used for this particular malware suggests that it is being used for a spam campaign, specifically one that uses messages disguised as a FedEx shipment notification. We are currently trying to find a sample of the mentioned spammed message.

Once executed, TROJ_DOFOIL.GE downloads and executes TSPY_SPCESEND.A.

TSPY_SPCESEND.A is a “grab and go” Trojan that searches the local drive of an affected system for MS Word and Excel files. The collected documents are then archived and password-protected using a random-generated password in the user’s temporary folder. Here’s an example of an archive of collected documents:

After creating the archive, TSPY_SPCESEND.A sends it to Sendspace.com:

Once the upload is done, the malware retrieves the Sendspace download link, and then sends the link to the C&C server, along with the generated password for the archive:

Here is a screenshot of the Sendspace page leading to the archive of collected documents:
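The behaviour described above (a large archive pushed to a public file-hosting site, followed by a tiny request handing the download link and password to a C&C server) is something a proxy log can show. The following is an added example, not code from the post or from Trend Micro: it runs a simple detection over a constructed proxy-log sample. The log format, the size thresholds, the correlation window and the host names in the sample are all assumptions made for the example; only sendspace.com comes from the post.

```python
import re
from datetime import datetime, timedelta

# Hypothetical proxy-log format used for this example (constructed, not from the post):
#   <ISO8601 time> <client ip> <method> <host> <path> <bytes sent by client> "<user agent>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) '
    r'(?P<path>\S+) (?P<bytes_out>\d+) "(?P<ua>[^"]*)"$'
)

# Public file-hosting services to watch. sendspace.com is the one named in the post;
# extending the set is left to the operator (assumed, not from the post).
FILE_HOSTING_DOMAINS = {"sendspace.com"}
UPLOAD_BYTES_THRESHOLD = 100_000          # assumed: an archive of documents is well above this
FOLLOWUP_WINDOW = timedelta(seconds=120)  # assumed: how soon after the upload to look
FOLLOWUP_MAX_BYTES = 2_048                # a download link plus a password is tiny

# Constructed sample traffic: one client uploads a large archive and seconds later POSTs a
# tiny body to an unrelated host (the link/password hand-off the post describes); another
# client uploads something small; a third only downloads. Lines are in time order.
SAMPLE_LOG = """\
2012-02-01T10:01:02Z 10.0.0.15 GET www.example.com / 0 "Mozilla/4.0 (compatible; MSIE 6.0)"
2012-02-01T10:02:10Z 10.0.0.15 POST www.sendspace.com /upload 2457600 "Mozilla/4.0 (compatible; MSIE 6.0)"
2012-02-01T10:02:11Z 10.0.0.15 GET www.sendspace.com /file/abc123 0 "Mozilla/4.0 (compatible; MSIE 6.0)"
2012-02-01T10:02:12Z 10.0.0.15 POST c2.example.invalid /gate.php 312 "Mozilla/4.0 (compatible; MSIE 6.0)"
2012-02-01T10:05:00Z 10.0.0.22 POST www.sendspace.com /upload 4096 "Mozilla/5.0"
2012-02-01T10:06:00Z 10.0.0.31 GET www.sendspace.com /file/xyz789 0 "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def is_file_hosting(host):
    """True if host is one of the watched file-hosting domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in FILE_HOSTING_DOMAINS)


def find_uploads(lines):
    """Flag large POSTs to file-hosting sites, and record any tiny POST the same client
    sends to some other host shortly afterwards (a possible C&C hand-off of the link).
    Assumes the lines are in chronological order."""
    records = [r for r in map(parse_line, lines) if r]
    findings = []
    for i, r in enumerate(records):
        if r["method"] != "POST" or not is_file_hosting(r["host"]):
            continue
        if r["bytes_out"] < UPLOAD_BYTES_THRESHOLD:
            continue
        followups = []
        for later in records[i + 1:]:
            if later["client"] != r["client"]:
                continue
            if later["ts"] - r["ts"] > FOLLOWUP_WINDOW:
                break
            if (later["method"] == "POST" and not is_file_hosting(later["host"])
                    and later["bytes_out"] <= FOLLOWUP_MAX_BYTES):
                followups.append(later["host"])
        findings.append({
            "client": r["client"],
            "host": r["host"],
            "bytes_out": r["bytes_out"],
            "when": r["ts"].isoformat(),
            "followup_hosts": followups,
        })
    return findings


if __name__ == "__main__":
    for finding in find_uploads(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample, only the 10.0.0.15 upload is reported, together with c2.example.invalid as the host that received the small follow-up POST; the 4 KB upload from 10.0.0.22 stays below the threshold. In practice the follow-up host is the value worth feeding back into the proxy blocklist, since the file-hosting site itself is legitimate.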

Storing Exfiltrated Data to External File Storage Infrastructures As a New Trend

Malware utilizing free online services is definitely not unheard of. Utilizing a public file hosting site is yet another clever way for cybercriminals to store stolen data, as they do not need to set up a server that will store large amounts of data.

Trend Micro Solutions Evangelist Ivan Macalintal shared that this technique of posting stolen/exfiltrated data to ‘extended networks’ or external file storage infrastructures can fast become a trend with the criminals. “We’ve seen dropsites/dropzones for stolen/exfiltrated data that are hosted also within domains owned by the cybercriminals. Now, we’re seeing legitimate ‘clouds’ being used by criminals where they can drop and pickup their loot,” he explained.

In addition, this highlights a serious concern for the security industry and users alike. Document theft and exfiltration are now not only seen in targeted attacks, but in mass campaigns as well.

Trend Micro Smart Protection Network™ protects users from this threat by blocking the malicious files and the C&C URL. We will update this entry once we’ve gained more information about the related spammed messages.

Post from: TrendLabs | Malware Blog - by Trend Micro


Posted: 3 Feb 2012 | 3:37 pm

Biz urged to blast DNSChanger Trojans before safety net comes down

8 March cutoff following Operation Ghost Click

Half of all Fortune 500 companies still contain computers infected with the DNSChanger Trojan, weeks after an FBI-led takedown operation targeting the botnet's command-and-control infrastructure.…

Posted: 3 Feb 2012 | 10:28 am

Android Market Gets a Bouncer to Kick Out Malware

Today Google announced its Bouncer security service for the Android Market. This is a good initial step in protecting Android users.

Respect the Bouncer
To keep out known troublesome apps, the service performs a malware and spyware scan on all submitted material. It also uses behavioral analysis to determine if a given app is trying to do something suspicious. Google doesn’t stop there; it also does fraud and abuse detection to ban and remove malware writers posing as legitimate developers.

Other Protections
Aside from Bouncer, Google has older methods of protecting users from bad apps. The company cites its “remote app removal switch,” which allows Google to remotely uninstall apps that violate its policies and or are malicious. Although this is good for handling most basic Android malware, additional measures are sometimes necessary.

Sandboxing apps is very useful but is also a double-edged sword. On one side it keeps the average malicious app from accessing user data in other apps; on the other, however, it prevents Google and other security vendors from easily cleaning a device of advanced malware. In the case of malware such as Android/DrdDream or Android/DrddreamLite, which use root exploits to gain total control of a device, it’s necessary to go a step further. These threats that use root exploits completely bypass app sandboxing, requiring stronger methods to remove them. Google now provides a tool that runs on infected devices and removes all malware that was impossible to clean up with the remote removal function.

Alternative App Markets and Malware
Bouncer was able to reduce by half the amount of malware available on the official Android App Market during the past year. That’s an impressive figure. It’s also not the entire picture for Android malware. Android’s openness is great for developers and for users. It’s easy to get started developing apps and distributing them. It’s also easy for users to get an app that does what they need. These were keys that helped to make MS-DOS the most popular operating system in its day: Although MS-DOS was afflicted with viruses and other malware, they were always orders of magnitude smaller than the available number of legitimate applications.

The official Android App Market is not the only source for apps on Android devices. In China, it’s not even the only app store. There are reports of as many as 70 app stores in Beijing alone. In a presentation I gave last year at the security convention DefCon, we found that on a nearly two-to-one basis China was affected by for-profit mobile malware. The majority of this malware was Android based and downloadable from some of these alternative app markets. China has a large number of mobile users and the tactic of local cybercriminals was described by a colleague as “steal a little from a lot.” Even a single dollar from a million users is a good haul for a criminal.

Is a ‘Bouncer’ Enough?
We haven’t yet seen many details about Bouncer internals, but what we’ve seen so far bodes well for Android security. By itself Bouncer is not enough to clean up all infected devices or to keep all malware out of the market. There will still be a need for further innovation in security software and for defense in depth. The Android security team has a lot of clever people on it and no doubt they will continue to improve security while maintaining Android’s open nature.

Posted: 3 Feb 2012 | 10:17 am

TDL4 - Purple Haze (Pihar) Variant - sample and analysis


Lately things just don't seem the same
Actin' funny, but I don't know why
'Scuse me....... while I kiss the sky
  Jimi Hendrix, "Purple Haze"

I recently ran into an interesting piece of malware that was downloaded on a victim's computer. I thought it was TDL/TDSS or maybe a new version of it, as it had the same components as the TDL4 bootkit with the functionality of mass-scale PPC (pay-per-click) fraud. TDL had this functionality too, and it is most likely spread by the same Russian-speaking gangs using the Blackhole exploit kit. It did not have the same type of config file that you may find in TDL4 (and at first I could not find it at all). I call it "Purple Haze" thanks to the strings found in the code.

I shared it with Alexander Matrosov from ESET. He and Eugene Rodionov  analyzed it and posted an article on the ESET blog: "TDL4 reloaded: Purple Haze all in my brain" (edited by David Harley)
Eset also updated the removal tool for this variant - direct download link: OlmarikTDL4 remover

Distribution

The exploit host is featured on CleanMX. The domain was repossessed by GoDaddy after January 24, 2012, but you can see some of the URLs. Infection happened via the Blackhole exploit kit.

95.211.115.228

General File Information

File: w.php.exe
Size: 130560
MD5:  A1B3E59AE17BA6F940AFAF86485E5907

Download

Original scan was only 2/43 but it is better now. It gets detected as a generic trojan or rootkit or as TDL/TDSS/Alureon.
VirusTotal:

SHA256:          9746b4f684b9d7d346ff131cd024e68d1b06e1b81571ce6d3c5067f0829d7932
SHA1:            6d07cf72201234a07ab57fb3fc00b9e5a0b3678e
MD5:             a1b3e59ae17ba6f940afaf86485e5907
File size:       127.5 KB ( 130560 bytes )
File name:       w.php.exe
File type:       Win32 EXE
Detection ratio: 24 / 43
Analysis date:   2012-02-02 06:50:05 UTC

Vendor     Detection     Update
AntiVir     TR/Alureon.FK.93     20120201
Avast     Win32:Rootkit-gen [Rtk]     20120202
BitDefender     Trojan.Generic.7154539     20120202
Comodo     TrojWare.Win32.Trojan.Agent.Gen     20120202
DrWeb     BackDoor.Tdss.5231     20120202
Emsisoft     Trojan.Win32.FakeAV!IK     20120202
eSafe     Win32.Rorpian.C     20120130
F-Secure     Trojan.Generic.7154539     20120202
Fortinet     W32/Rorpian.C!tr     20120202
GData     Trojan.Generic.7154539     20120202
Ikarus     Trojan.Win32.FakeAV     20120202
Kaspersky     Trojan.Win32.FakeAV.kpsj     20120202    (TDSS Killer detects it as Pihar.b)
McAfee-GW-Edition     Artemis!A1B3E59AE17B     20120202
Microsoft     Trojan:Win32/Alureon.FK     20120202
NOD32     Win32/Olmarik.AYD     20120202
Norman     W32/Troj_Generic.LPAP     20120201
Sophos     Mal/Generic-L     20120202
TrendMicro-HouseCall     TROJ_SPNR.16AQ12     20120202
VBA32     -     20120131
VIPRE     Trojan.Win32.Generic!BT     20120202



Description

You can read more detailed binary analysis on the ESET blog (Feb.2 2012) : "TDL4 reloaded: Purple Haze all in my brain"

Update. Feb 2, 2012
I heard today it is a recent but known variant detected by Kaspersky as "Pihar", which is supposedly a member of the TDL/TDSS/Olmarik/Alureon/Maxss family that does not encrypt the hidden container. I have to say I saw that Kaspersky detected it as Pihar.b via TDSS Killer (the dropper is detected as FakeAV), but it was a totally different name and I could not find any explanation of how Pihar is different from TDL4 - whether it is a misdetection, a different rootkit, some generic signature name, or a different variant of TDL. With the number of malware variants these days in the wild, it does not surprise me that it was known to them, but there was no analysis posted (or I did not find it). I hope this analysis and the work done by ESET will make the family description more complete. TDSS Killer also removes it.

It is a kernel-mode rootkit compatible with x86 and x64 Windows. It uses DLL injection (ph.dll on x86, phx.dll on x64). It creates a hidden VFS to store all of its data.

The list of hidden system files:

  1. Phdata (INI-style configuration, contents as found):
       [PurpleHaze]
       pn=161
       all=ph.dll
       allx=phx.dll
       wait=3600
  2. phm (original master boot record)
  3. ph.dll (payload DLL for x86)
  4. phx.dll (payload DLL for x64)
  5. phd (driver, x86)
  6. phdx (driver, x64)
  7. phs (RC4-encrypted list of C&C URLs; the key is "phs", see the ESET post). In this case they are:
       http://howtodoitman[.]com
       http://ntvgljvty[.]com
       http://chucjhomepage[.]com
       http://ebuyadult[.]com
       http://141.136.16.152
       http://piratesmustdie[.]com
       http://gjhyjljvty[.]com
  8. phld (16-bit loader code)
  9. phln (rootkit driver replacing kdcom.dll for x86)
  10. phlx (rootkit driver replacing kdcom.dll for x64)
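Since the post states that the phs file is the C&C list encrypted with RC4 under the key "phs", an analyst pulling that file out of the hidden VFS can recover the list without running the sample. The following is an added example, not code from the post or from ESET: a plain RC4 routine plus a small decoder that turns the decrypted blob into URLs and then into a host blocklist. The on-disk layout of the decrypted list (newline- or NUL-separated entries) is an assumption; the sample blob is constructed in the block by encrypting the post's own (defanged) URL list with the same key, so the decoder can be exercised offline.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation).
    Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


PHS_KEY = b"phs"   # key named in the post (and in the ESET write-up it cites)


def decode_phs(blob: bytes) -> list:
    """Decrypt a phs file and split it into C&C URLs.
    Assumption (not stated in the post): entries are separated by newlines or NULs."""
    text = rc4(PHS_KEY, blob).decode("latin-1")
    return [u.strip() for u in text.replace("\x00", "\n").splitlines() if u.strip()]


def extract_blocklist(blob: bytes) -> list:
    """Return just the host part of each C&C URL, for a DNS or proxy blocklist."""
    hosts = []
    for url in decode_phs(blob):
        host = url.split("://", 1)[-1].split("/", 1)[0]
        hosts.append(host)
    return hosts


# Constructed sample: the URL list from the post (kept defanged with [.]), encrypted
# here with the same key so the decoder has something to work on offline.
SAMPLE_URLS = [
    "http://howtodoitman[.]com",
    "http://ntvgljvty[.]com",
    "http://chucjhomepage[.]com",
    "http://ebuyadult[.]com",
    "http://141.136.16.152",
    "http://piratesmustdie[.]com",
    "http://gjhyjljvty[.]com",
]
SAMPLE_PHS = rc4(PHS_KEY, "\n".join(SAMPLE_URLS).encode("latin-1"))


if __name__ == "__main__":
    for host in extract_blocklist(SAMPLE_PHS):
        print(host)
```

Because RC4 is symmetric, the same `rc4` call both builds the sample and decodes it; on a real phs file only `decode_phs`/`extract_blocklist` are needed. A three-byte key gives no real protection, which is exactly why the list can be recovered this easily and fed to the perimeter blocklist.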
It lowers the Internet security settings so that the clicker component can perform extensive browsing without any alerts or pop-ups.
(Screenshot: Purple Haze changes the IE settings)

Traffic

Pay-per-click fraud generates significant revenue for the botnet owners. The "Advertising Botnet" article from Securelist explains the click fraud scheme in great detail.
(Screenshot: C&C check-in upon install)


The bot generates high-volume traffic to thousands of websites with ads, to sites serving as referrers, and to pages filled with ad links (over 800 sessions a minute) for approximately 2 hours and then stops. Most serious advertising companies easily detect large numbers of clicks from the same IP and block it. The botnet owners limit the clicks per ad to just a few and compensate for it by programming the bot to click on thousands of ads.

(Screenshot, click to enlarge: 11 hours of traffic monitoring, with a 2-hour spike following the infection.)
(Traffic capture: the bot uses a fake referrer (serch-direct.com) and passes fake search strings to the C&C, which responds with an iframe redirect to the ad link.)

There are hundreds of fake search and referrer sites in use in this case, ranging from pages containing nothing but ad links to several IP ranges serving the iframe. The list of servers is below.
(Screenshot: fake referrer "serch")

The list of servers serving iframe content is limited to several 108.59.x.x ranges. They are all hosted in:

108.59.4.128/27
108.59.7.0/27
108.59.13.160/27
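The traffic pattern described in this section (a burst of over 800 sessions a minute, fake "serch" referrers, and iframe redirects served from a few 108.59.x.x /27 ranges) is easy to spot from the defender's side once the per-client request rate is counted per minute. The following is an added example, not code from the post: it takes the three ranges and the 800-sessions-a-minute figure from the post and runs the check over a constructed event list. The event tuple layout, the client addresses and the sample traffic are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Figures taken from the post:
IFRAME_RANGES = [ipaddress.ip_network(c) for c in
                 ("108.59.4.128/27", "108.59.7.0/27", "108.59.13.160/27")]
SESSIONS_PER_MINUTE = 800          # burst rate the post reports for the clicker
FAKE_REFERRER_MARKER = "serch"     # the post's example fake referrer is serch-direct.com


def in_iframe_ranges(ip: str) -> bool:
    """True if ip falls inside one of the iframe-serving ranges from the post."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IFRAME_RANGES)


def minute_bucket(ts: str) -> str:
    """'2012-02-01T13:05:42Z' -> '2012-02-01T13:05' (per-minute key)."""
    return ts[:16]


def analyze(events):
    """events: iterable of (timestamp, client, dst_ip, referer) tuples (assumed layout).
    Returns each client's peak sessions per minute, the clients at or above the
    clicker threshold, and per-client counts of iframe-range hits that carried a
    fake-referrer hostname."""
    per_minute = defaultdict(lambda: defaultdict(int))   # client -> minute -> count
    iframe_hits = defaultdict(int)
    for ts, client, dst_ip, referer in events:
        per_minute[client][minute_bucket(ts)] += 1
        if in_iframe_ranges(dst_ip) and FAKE_REFERRER_MARKER in referer.lower():
            iframe_hits[client] += 1
    peak = {c: max(m.values()) for c, m in per_minute.items()}
    flagged = sorted(c for c, p in peak.items() if p >= SESSIONS_PER_MINUTE)
    return {"peak_per_minute": peak, "flagged": flagged, "iframe_hits": dict(iframe_hits)}


def build_sample_events():
    """Constructed traffic: one bot (10.0.0.15) pushes 900 sessions within a minute, a
    third of them to the 108.59.x.x iframe servers with a fake 'serch' referrer, while a
    normal client (10.0.0.22) makes a handful of requests."""
    events = []
    for i in range(900):
        ts = f"2012-02-01T13:05:{i % 60:02d}Z"
        if i % 3 == 0:
            dst = str(IFRAME_RANGES[(i // 3) % 3][1 + (i % 20)])   # an address in a /27
            referer = f"http://serch-direct.com/?q=query{i}"
        else:
            dst = f"192.0.2.{i % 254 + 1}"                          # documentation range
            referer = f"http://ad{i}.example/"
        events.append((ts, "10.0.0.15", dst, referer))
    for s in range(5):
        events.append((f"2012-02-01T13:05:{s * 10:02d}Z", "10.0.0.22",
                       "198.51.100.10", "http://news.example/"))
    return events


if __name__ == "__main__":
    result = analyze(build_sample_events())
    print("flagged clients:", result["flagged"])
    print("iframe hits:", result["iframe_hits"])
```

The rate check alone catches the burst; the referrer-plus-range check is the more specific signal, since a legitimate browser session does not reach those /27 ranges with a "serch" referrer. Either finding on a workstation is reason to pull it for a bootkit check rather than to tune the threshold.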

In all cases the registration information is as follows:
DOMAINS:
hosted-by.leaseweb.com
WhoisGuard
WhoisGuard Protected ()
Fax:
11400 W. Olympic Blvd. Suite 200
Los Angeles, CA 90064
United States

IPs:
Private Customer
Private Residence
Bryansk
241000
Russian Federation



In some cases, legitimate "traffic quality" providers were used as referrers, such as ezanga.com.




The list of hosts involved (if you think you might be a PPC fraud victim, see if you are in the list).

Query strings used (includes partner / affiliate IDs, i.e. who gets paid for this traffic; the number in brackets shows the number of times it was used).

Referrers used.

Posted: 3 Feb 2012 | 4:58 am

Anonymous Leaks FBI Conference Call

Breaking: a faction of Anonymous has released an MP3 recording of an FBI conference call which took place on January 17th.

During the call, which is currently posted on YouTube, members of the USA's FBI can be heard discussing several Anonymous and LulzSec related cases with investigators from the UK.

Anon/LulzSec Conference Call

Today's leak helps explain just how "Anonymous Sabu" (leader of the LulzSec group) appeared to have insider information regarding the postponement of Jake Davis a.k.a. Topiary's (LulzSec member) trial on January 27th.

Sabu appeared to have some sort of insider information.

anonymouSabu/status/162689939341979648

And in fact, he did… Topiary's trial date and its delay was discussed during the conference call.

Anonymous has promised additional FBI related releases today. Those could also be quite interesting as it appears that an active member of the FBI's e-mail has somehow been compromised…

Stay tuned.

On 03/02/12 At 11:33 AM

Posted: 3 Feb 2012 | 1:48 am

Android and Security

Posted by Adrian Ludwig, Android Security Engineer

We frequently get asked about how we defend Android users from malware and other threats. As the Android platform continues its tremendous growth, people wonder how we can maintain a trustworthy experience with Android Market while preserving the openness that remains a hallmark of our overall approach. We’ve been working on lots of defenses, and they have already made a real and measurable difference for our users’ security. Read more about how we defend against malware in Android Market on the Google Mobile Blog here.

Posted: 2 Feb 2012 | 12:29 pm

Lab Matters - The death of browser trust

In this webcast, Kaspersky Lab senior security researcher Roel Schouwenberg talks about the Diginotar certificate authority breach and the implications for trust on the Internet. Schouwenberg also provides a key suggestion for all major Web browser vendors.

Posted: 2 Feb 2012 | 4:15 am

Wild Wild West – 02/2012

New ones added:

Jet Exploit
MassInfect
Impossible Sploit
Hierarchy Exploit Pack
Sakura Exploit Pack
Techno XPack
“Yang Pack”
Fragus Black

 

 

Posted: 1 Feb 2012 | 10:13 am

the last/final touch!

It's very sad to recognize and discover that the screenshots on my blog, which for some reason have been saved in the "Gallery" of my Android mobile phone, once cleared from there, will be deleted from the Google cloud! Could someone confirm this? This blog has meant a lot to me, although I have ceased to update it ... but with this last touch ... I almost want to finalize it. what remains of my

Posted: 29 Jan 2012 | 3:54 am

FireEye Advanced Threat Report 1H2011

Our new 1H 2011 Advanced Threat Report is out! It is our inaugural report and I think you will find it interesting because it is uniquely focused on the new and dynamic threats. We have thousands of appliances protecting organizations around the world, and they are deployed _behind_ firewalls, intrusion prevention systems, antivirus and Web gateways. So, the threat data we reviewed in this report are the _successful_ malware attacks breaking through traditional defenses. This...

Posted: 31 Aug 2011 | 3:10 am

FBI IC3 2009 Report

The FBI released its Internet Crime Complaint Center (IC3) 2009 report. The organization maintains that cyberfraud losses reported to them doubled year over year.

The report contains what appear to be significant changes. The report includes mention of the FakeAV scams that have plagued users over the past couple of years. Another friend just brought in a laptop screaming “Your system is infected!” yesterday, most likely due to a banner ad drive-by. At this point, it’s hard to believe that the fraud is not occurring on a large enough scale to quantify the criminal activity.

The report provides a list of the most common complaints that the IC3 received in 2009, including spam, identity theft, credit card fraud, and computer damage, all things that an additional layer of protection like ThreatFire effectively helps protect your system against.

Complaints of internet crime, including spam and fraud, should be filed here, in addition to making other appropriate contacts. They can’t report on what is not filed.

Posted: 13 Mar 2010 | 8:48 am