Tag Archive | "Trojan"


New national cybersecurity plan? Zeus trojan says bring it on



Following a quick trip to the Consumer Electronics Show in Las Vegas, United States Secretary of Commerce Gary Locke is headed for the Stanford Institute on Policy Research on Friday. He’s there to talk up the Obama administration’s efforts to “enhance online security and privacy and next steps in meeting the challenges of a growing cyber world,” according to a press statement.

The plan is to launch a National Strategy for Trusted Identities in Cyberspace (NSTIC)—an effort to support private-sector solutions to make the online environment more secure. The sooner the better, because the Zeus (or ZeuS) Trojan has struck again, this time targeting government employees.




Full story: Security


Geinimi Android Trojan horse discovered

There has been something of a sting in the tail of the year for lovers of the Android mobile operating system, as researchers have uncovered a new Trojan horse.

The Troj/Geinimi-A malware (also known as “Gemini”) has been seen incorporated into repackaged versions of various applications and games; it attempts to steal data and may contact remote URLs.

Although some media reports have portrayed Geinimi as the first ever malware for the Google Android operating system, this isn’t correct. For instance, in the past banking malware has been found in the Android Market, security researchers have demonstrated spyware rootkits for Android devices, and users have been warned about Trojans from Russia which send SMS text messages to premium-rate numbers.

In the case of the Geinimi malware, the good news is that it appears not to have made it into the official Android Market app store – meaning that you would only have been putting yourself at risk if you installed poisoned software from an unauthorised source. Researchers at mobile security firm Lookout say they have only seen the software on unofficial Chinese app stores.

And you have to deliberately change the settings on your Android smartphone to make it possible to install software from such “unknown sources”.

So, the sky is not falling – and it’s not the end of the world as we know it if you love all things Android. But Android users should still be sensible about security.

Android is a much more “open” operating system than the Apple iOS used on iPhones and iPads, and Android users don’t have to jump through as many hoops to install applications that have not been made “officially” available.

And it shouldn’t be forgotten that not all attacks are OS-specific. Phishing attacks, for instance, don’t care what operating system you’re running – they just rely on you not taking enough care about the link you are clicking on (something that’s pretty easy to do when you have a small screen size on which to view a – perhaps – long URL).

And increasingly we are seeing examples of threats which only exist “within the browser” or spreading entirely inside a social network, never touching your smartphone’s operating system.

So there are dangers out there whatever kind of browsing device you are using: desktop or laptop, mobile or tablet.

Sophos products can detect samples of the Geinimi Trojan we have seen to date as Troj/Geinimi-A.

Image source: Laihiu’s Flickr photostream. (Creative Commons)

Full story: Naked Security – Sophos


Bredolab Trojan – Malware Review

Two months ago, the authorities in the Netherlands announced a massive takedown of the Bredolab Trojan’s botnet. Despite these efforts, the Bredolab Trojan is still spreading malware onto users’ machines.

Unlike the Zeus or SpyEye Trojans, the Bredolab Trojan is pretty simple and has limited capabilities, similar to the Ofikla Trojan. Its functionality was reviewed in a very interesting and detailed blog post by Kaspersky Lab expert Alexei Kadiev, “End of the Line for the Bredolab Botnet?” Our post sheds light on additional aspects of Bredolab’s communication, its evasive techniques and its C&C functionality.

Let’s take a step by step look at how the Trojan operates.

Once the malware is executed, it copies itself to a temp folder and injects code into the “svchost.exe” process. It then generates a key and sends basic information about the machine.

Ollydbg Dump of "svchost.exe" Process

The bot wraps up the data and sends it to the command and control server.

The bot communicates with the Command and Control server

The following is a screenshot of Virus Total scan results (16/41) for the latest generated malware:

Virus Total Results of Bredolab Trojan

As mentioned, Bredolab, unlike the Zeus Trojan, doesn’t have local configuration files pre-generated by the malware operator. The Trojan operates like a Trojan Dropper: it receives the malware, saves it on the hard disk or in memory according to the operator’s instructions, and then loads it.

Along with the Trojan itself, the operator manages the Trojan using a Control Panel called “BManager”, which provides the following functionality:

  • Statistics on the controlled bots
  • Malware sent by the operator for the bots to download and execute
  • Management of the administration panel’s users
  • Creation of bot commands

The BManager control panel provides real time information on the infected machines:

BManager Statistics

BManager Statistics Divided by Country

Besides statistics, the tool lets the administrator manage user accounts, with specific permissions for each section of the control panel.

As mentioned previously, the main objective of the tool is to download and execute malware on the victim’s machine. The control panel gives the cybercriminal a variety of options, such as:

  • Location to save the malware (Hard disk / Memory)
  • Define specific regions that will or will not receive certain malware
  • Time limit in which to execute the malware

Once the malware is successfully installed on the victim’s machine, it becomes much more complicated for AV companies to detect any activity carried out by the Bredolab Trojan. Looking closely at the traffic sent from the server to the victim shows that the downloaded executable is encrypted in a unique way for each machine, rendering AV pattern detection useless.

Incoming traffic sent from the C&C to the bot

The screenshot above shows the information sent by the Command & Control server. The server adds two additional parameters:

  • “Rnd”: a number generated by the client, re-generated by the server, and sent back to the bot.
  • “Magic-Number”: a new key generated by the server and sent to the client to decrypt the malware.

Bredolab, Generate Key Algorithm

The server uses the “Rnd” key sent by the bot to generate a new key. Meanwhile it loads the malware destined for that specific bot.

Bredolab, encrypt the loaded malware

The new malware package is encrypted using the encryption key and sent to the bot along with the “Rnd” and the “Magic-Number” as described earlier.

Bredolab, Keys sent to the bot for Forwarded Communication

While instances of the Bredolab Trojan can still be found in the wild and used by cybercriminals, it is expected that it will gradually decrease over time.

– Daniel Chechik on M86 Security Labs Blog


Fake Kodak Galleries serve up Bayrob Trojan

If you or your relatives wander onto a site claiming to be a genuine Kodak website, you might want to think twice before downloading any executables.

Here’s an example of a site located at kodak-webgallery(dot)com, which is currently offline:

Gallery Downloads

The message at the top reads: “New shared photos! You have received some new pictures, to view them simply click the button below”. Hitting the button launches a “Slideshow”, which is actually an executable file that the end-user is asked to download and run.

Doing so opens up a set of photographs taken of a rather large truck from different angles:

Vroom.

After executing the file, the folder \WINDOWS\system32821772 was created containing various configuration files. Additionally, sijgzxel.exe and fvwtmkry.exe were copied to the System32 Folder itself.

Config files

The final piece of the puzzle is the set of references to an email address, eBay, eBay Motors and various other eBay domains (along with the non-eBay Escrow.com) in the process dumps we generated while testing.

It looks like a blast from the past called Trojan.Bayrob has risen from the grave to cause problems for big money spenders on eBay. It seems to come around every so often – here’s an attack from 2007 and here’s one from 2008 – and now someone has decided to spam it out from a fake Kodak domain registered via a privacy service.

Bayrob is a nasty little thing, spoofing pages from eBay and other sites to fool the end-user into handing over bundles of cash. Motor buyers are a popular target, hence the reason why many of these attacks tend to involve car photo slideshows. The Trojan can have a devastating impact – here’s a victim who was fleeced out of $8,600 by scammers.

To coin a phrase: whoops.

We detect this one as Win32.Malware!Drop. Detection rates are very low, currently clocking in at 5/43 so be careful out there and don’t be fooled by random photograph galleries. There’s no way to tell if these fake Kodak sites are currently being pimped by automated spam programs, random chatroom links, infected PCs or strange flashing lights in the sky so always check with a known contact if they suddenly want you to check out their new car pictures.

It might cost you a bit more than a tyre change and a new air freshener…

Christopher Boyd

– on Sunbelt Blog


Facebook page pushes Zeus Trojan

There is a Facebook page that is tricking users into installing a tool to make money: Zoomed in: In fact, people will be downloading a malicious Java applet from: minusplus111.fileave.com/HowToBeatTheSystem.jar VirusTotal detection for it is abysmal (4/43). Analysis of the Jar file left me perplexed for quite some time. There is indeed a dummy executable file that really fooled [...] – on Malware Diaries


Teen gang admit huge Zeus Trojan fraud

In a crime story that sounds like an Internet update of the Italian Job, a gang of British teens have admitted being behind an online forum that stole and marketed stolen credit card numbers and bank details worth an estimated £12 million ($18 million).

– John E Dunn on Network World on Security


Email with new password from Facebook Support contains trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the message that your Facebook account has been blocked because spam was sent from it. The email indicates that the password of your account has been reset and that you should open the attached document to get your new password.

The following subjects (or similar ones) have been seen:

Facebook Service. Your password has been changed. ID309
Facebook Service.Your acciunt is blocked. ID799
Facebook Support. Your password has been changed. ID991
Facebook Support. A new password is sent  to you. 920

The email is sent from the spoofed address “Facebook office <donotreply.nr.6170@facebook.com>” – note that the part before the @ changes with each email – and has the following body:

This is a post notification!

A spam is sent from your Facebook account.
Your password has been changed for safety.

Information regarding your account and a new password is attached to the letter.
Read this information thoroughly and change the password to complicated one.

Thank you for your attention,
Facebook Service.

The attached ZIP file has the name Facebook_document_Nr59469.zip and contains the folder Facebook_document, which in turn contains the 60 kB file Facebook_document.exe.

The trojan is known as Trojan.Win32.Oficla (Ikarus), W32/Trojan3.CIG (F-Prot), Trojan:Win32/Oficla.AE (Microsoft), Trojan.Sasfis (Symantec).

The following files will be created:

%Temp%.tmp
%System%\ttux.qqo
%Temp%.tmp

Several Windows registry changes will be executed, and the trojan can establish a connection with the following IPs on port 80:

85.195.104.161
91.204.48.46

Data can be obtained from following URLs:

* http://pupmypzed.ru/alimp/bb.php?v=200&id=738176302&b=1711_fa&tm=1
* http://pupmypzed.ru/alimp/bb.php?v=200&id=738176302&tid=4&b=1711_fa&r=1&tm=1
* http://91.204.48.46/test/dot.exe

Virus Total permalink and MD5: 16e7189085f1135d0ee38b56928811be.

Source: mxlab – all about anti virus and anti spam


Used Cisco equipment dealer hosts Trojan on their site

Legitimate businesses ought to be worried when they are hosting malware. Take this website for OptimumData Inc.: it looks nice and all, but hackers have been able to exploit a vulnerability in order to upload a malicious file to their server. The zip file contains one of those fake DHL invoices: www.optimumdata.net/DHL_Information_S.Nr07251.zip The malware will infect your [...]

Source: Malware Diaries


Angry Birds Trojan

Angry Birds is the top-selling mobile game at the moment. Available for Apple, Nokia and Android devices, the game has been downloaded millions of times.


An application called Angry Birds Bonus Levels was uploaded to Android Marketplace earlier this week.


This application was not developed by the company behind Angry Birds (Rovio of Finland), but by researcher Jon Oberheide.


Jon had discovered a security vulnerability in Android. This vulnerability would make it possible for one application to download and launch additional applications from the Marketplace. To demonstrate this, Jon had also uploaded several other applications to Marketplace: Fake Contact Stealer, Fake Location Tracker and Fake Toll Fraud. These would be launched by the Angry Birds trojan.


In reality, these demonstration applications did not do anything malicious. There were no Bonus Levels either. Sorry.

We do not know if Mr. Oberheide had permission to use the Angry Birds trademark in his demonstration.

Google has removed these applications from the Marketplace.

To protect your Android phone against malicious attacks, take a look at F-Secure Mobile Security for Android.

On 13/11/10 At 11:30 AM

View full post on F-Secure Antivirus Research Weblog


UPS Spam Mail

Emsisoft Labs are always on the lookout for something out of the ordinary happening, and we recently came across a circulation of spam posing as FedEx emails. Emsisoft Anti-Malware detects and removes the attachment as Trojan-Dropper.Win32.Oficla (alias Sasfis).

The email comes with subjects like “ID N4815147” or “FedEx Item Status N5561690” and contains no text, only an image. More and more spam has recently been using this tactic to avoid being blocked by mail server and gateway spam filters.

The attachment comes in zipped format and spoofs the executable as a PDF format.

Once executed, the dropper drops a DLL under System32\yise.ero which overwrites the shell entry in the registry.

Decrypting the yise.ero module exposed the payload, and we were able to confirm its behaviour through the following events.

When the system restarts, the malware automatically executes itself and injects the yise.ero module into the svchost.exe process. The malware calls “mpgyjp”, which is an export function of the DLL.

To enrol the system in the botnet, an HTTP GET request is sent to the C&C server, which in this case is ilovelasvegas.ru (109.196.134.44). The GET response contains a command for the bot to download and execute another file.

Sources: blog.emsisoft.com


Boonana Mac Trojan was ‘not Koobface’, says Microsoft

The widely-reported ‘Boonana’ Trojan was a new piece of malware after all and had nothing directly to do with Koobface, Microsoft and other security companies have reported a week after the event.

View full post on Network World on Security


‘Sextortionist’ Uses Webcam Trojan to blackmail teenage girls

The FBI is warning the public about a new and disturbing crime: “sextortion”.

The crime involves a webcam trojan used by the criminal to take pictures surreptitiously and to search the PC for explicit photos. While he had control of the PC, he used it to spread the trojan to friends of the infected PC’s owner, usually by sending a message from that user with the trojan presented as a “scary video.” Many of the victims were teenage girls.

The attacker used a variety of screen names and e-mail addresses which are listed in the FBI story.

If you have seen any such activity or any of the screen names or e-mail addresses, please contact the FBI about them.

Hat tip to F-Secure’s Antivirus Research Team.

View full post on Security Watch


Zeus Trojan defeats Microsoft security tool

Only weeks after Microsoft added anti-Zeus Trojan detection to its free Malicious Software Removal Tool (MSRT), it is unable to detect the latest versions, a rival security company has claimed.

View full post on Network World on Security


Trojan attached to “Scan from a Xerox WorkCentre” messages

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Scan from a Xerox WorkCentre  P9275821”.

The email is sent from a spoofed address and has the following body:

Good morning,
Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]

WorkCentre Pro Location: machine location not set Device Name: XRX2090AA7ACD7299422.

The attached ZIP file has the name Scanned_Documents.zip and contains the 44 kB file Scanned_Documents.DOC.exe.

The trojan is known as W32/Refroso.AGEA!tr (FortiNet), Trojan:W32/Agent.DQBL (F-Secure), Troj/Bredo-ER (Sophos) and Win32/LockScreen.QX (NOD32).

At the time of writing, only 13 of the 41 AV engines at Virus Total detected the trojan.

Virus Total permalink and MD5: eb7753949819409a8b13d650fc473b53.
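The following triage routine is an added example, not code from MX Lab or this page, that checks constructed copies of the two campaigns described here (the Facebook “new password” email above and this Xerox WorkCentre scan email) for the traits MX Lab reports: the subject patterns, the rotating donotreply.nr.NNNN@facebook.com sender, and a ZIP attachment carrying an .exe, including the Scanned_Documents.DOC.exe double extension. The sample messages, the scanner sender address and the file contents are constructed for the example, not real captures.

```python
"""Triage mail for the Oficla/Bredo-style campaigns described above.

Checks, each taken from the campaign descriptions on this page:
  * a "Facebook Service/Support ... IDnnn" or "Scan from a Xerox WorkCentre" subject
  * a spoofed sender of the form donotreply.nr.<digits>@facebook.com
  * a body that directs the recipient to an attachment holding a "new password"
  * a ZIP attachment containing a Windows executable, flagged separately when it
    hides behind a document extension such as Scanned_Documents.DOC.exe
All sample messages below are constructed, not real captures.
"""
from __future__ import annotations

import io
import re
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

SUBJECT_PATTERNS = [
    re.compile(r"^Facebook (Service|Support)\..*\s(ID)?\d{3}\s*$", re.I),
    re.compile(r"^Scan from a Xerox WorkCentre\b", re.I),
]
SPOOFED_SENDER = re.compile(r"^donotreply\.nr\.\d+@facebook\.com$", re.I)
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXT = {".doc", ".pdf", ".txt", ".jpg", ".xls"}


def inspect_zip(data: bytes) -> list[str]:
    """Return findings for executables stored inside a ZIP attachment."""
    reasons: list[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["attachment claims to be a ZIP but is not a valid archive"]
    for name in names:
        if name.endswith("/"):          # directory entry such as Facebook_document/
            continue
        base = name.rsplit("/", 1)[-1]
        parts = base.lower().split(".")
        if len(parts) > 1 and "." + parts[-1] in EXECUTABLE_EXT:
            if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXT:
                reasons.append(f"double extension inside ZIP: {base}")
            else:
                reasons.append(f"executable inside ZIP: {base}")
    return reasons


def triage_message(msg: EmailMessage) -> list[str]:
    """Return the list of campaign traits found in one message (empty = clean)."""
    reasons: list[str] = []
    subject = msg.get("Subject", "")
    if any(p.search(subject) for p in SUBJECT_PATTERNS):
        reasons.append(f"campaign subject: {subject!r}")
    _, addr = parseaddr(msg.get("From", ""))
    if SPOOFED_SENDER.match(addr):
        reasons.append(f"spoofed Facebook sender: {addr}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if re.search(r"new password", text, re.I) and re.search(r"attach", text, re.I):
        reasons.append("body directs recipient to an attached 'new password'")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if fname.lower().endswith(".zip"):
            reasons.extend(inspect_zip(part.get_payload(decode=True)))
    return reasons


def _zip_with(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP with the given entries (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _message(subject: str, sender: str, body: str,
             zip_name: str, entries: dict[str, bytes]) -> EmailMessage:
    """Assemble a constructed sample message with one ZIP attachment."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = sender
    msg["To"] = "user@example.net"
    msg.set_content(body)
    msg.add_attachment(_zip_with(entries), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg


# Constructed sample of the Facebook campaign (subject, sender, filenames from the post).
FACEBOOK_SAMPLE = _message(
    "Facebook Service. Your password has been changed. ID309",
    "Facebook office <donotreply.nr.6170@facebook.com>",
    "A spam is sent from your Facebook account.\n"
    "Information regarding your account and a new password is attached to the letter.\n",
    "Facebook_document_Nr59469.zip",
    {"Facebook_document/Facebook_document.exe": b"MZ" + b"\0" * 62},
)
# Constructed sample of the Xerox campaign; the sender address is an assumption.
XEROX_SAMPLE = _message(
    "Scan from a Xerox WorkCentre  P9275821",
    "Xerox WorkCentre <scanner@example.com>",
    "Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.\n",
    "Scanned_Documents.zip",
    {"Scanned_Documents.DOC.exe": b"MZ" + b"\0" * 62},
)
# Constructed benign message: a ZIP holding an ordinary document.
BENIGN_SAMPLE = _message(
    "Minutes from Monday's meeting", "Colleague <alice@example.com>",
    "Minutes attached, see you Thursday.\n",
    "minutes.zip", {"minutes.doc": b"plain document bytes"},
)

if __name__ == "__main__":
    for label, sample in (("facebook", FACEBOOK_SAMPLE), ("xerox", XEROX_SAMPLE),
                          ("benign", BENIGN_SAMPLE)):
        print(label, triage_message(sample))
```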

View full post on mxlab – all about anti virus and anti spam


Hacker Extorted Teenage Girls with a Webcam Trojan

The FBI has issued a warning about a cautionary incident.

A 31-year-old Californian man was arrested for infecting computers with a backdoor trojan. He was sending the trojan via e-mail to people he had friended online. The malware was typically made to look like a video file. In reality it dropped a backdoor that gave the attacker control of the victim’s PC. Then the attacker searched for explicit pictures from victims’ computers. If he found any, he downloaded them, and used the images in an attempt to extort more pictures and videos from them. Many of the victims were teenage girls.

Now the FBI is trying to find out more about the case. The hacker used a variety of screen names and e-mail addresses, which are listed in the FBI’s notice. If you have seen them online and have information that might help, please contact the investigators working on the case.


On 05/11/10 At 02:10 PM

View full post on F-Secure Antivirus Research Weblog


Krotten Ransomware Trojan


Not being allowed to close explorer windows ftw


Java drive-by download infects your PC with Trojan

Lately I’ve been interested in dissecting malicious Java programs. I found one used as a drive-by download on this site under the deceiving name “Sun_Microsystems_Java_Security_Update_6.jar”: www.rs2merching.com/update.html You can decompile the jar file using a program such as JD-Gui: The malicious web page passed a parameter for the file to download. It’s the “file” variable. The [...]

View full post on Malware Diaries


Fake video Trojan makes the rounds

Our HoneyPot caught this Trojan video-shares.in/flash_player.exe. Doing a search on the URL you will notice that there are many infected users already that are retweeting the malicious link: And not just on Twitter, IM too: The site, which is still alive looks like this: video-shares.in is registered to: Thomas Chow ChowPromo 56 Neythal Road Singapore [...]

View full post on Malware Diaries


New Java trojan attacks Mac OS X via social networking sites



A new trojan horse has cropped up that affects Mac OS X (and Windows as well), primarily disguised as a video flitting around social networking sites. When users click an infected link, a Java applet is launched that downloads multiple files, including an installer that runs automatically without users’ knowledge.

The Trojan, dubbed trojan.osx.boonana.a by security firm SecureMac, appears as a message on social networking sites such as Facebook that reads, “Is this you in this video?” When the user clicks the link, a Java applet runs, allowing the system to download several files and install a program that can bypass the usual password verification OS X requires for installation.

The malware launches automatically on startup, communicates with command and control servers, and can also crack user accounts on other sites to continue to spread itself as spam.

SecureMac asserts that because the initial phase of the trojan runs on Java, it can spread itself to both Mac OS X and Windows. SecureMac doesn’t say explicitly how it differs on Windows, only that the payload includes “other files” that are directed at Windows.

Disabling Java in your browser can help you avoid infection, but the problem is solved easily enough—don’t click shady links. For those already under Boonana’s spell, though, SecureMac has created a free removal tool. The company also reminds Mac users that as Apple’s market share grows, they need to be mindful of increased attention from hackers.

Read the comments on this post

View full post on Security


Trojan.Jnanabot: Trojan Affecting Multiple Platforms

Recently Symantec Security Response analyzed a Trojan that uses social networking vectors to infect users on multiple platforms. Virus writers have often used this technique to entice unsuspecting users to click on a malicious link, which may result in the download and execution of threats onto the user’s “PC” (one example being W32.Koobface). I say “PC” because in the computer world, PC is synonymous with Windows computers, and they are often the target platform for virus writers for various reasons. But the popularity of other operating systems, for example Mac OSX, has captured the attention of malware writers. They are constantly trying to expand their scope beyond Windows and maximize their infection base by infecting other popular operating systems.

This particular Trojan (that Symantec detects as Trojan.Jnanabot) is one such attempt to target multiple platforms. Jnanabot has numerous functionalities that include key logging, connection to IRC servers, and posting malicious links on social networking sites, affecting users on Windows, Mac OSX, and Linux platforms.

The threat is composed of multiple files. I will address them as components throughout this blog. Each component is meant for a specific task. Some components are compiled Java files whereas others are platform specific executable files.

  1. Library component: contains the library files needed to run the threat on various platforms, namely Mac OSX, Linux on AMD64 machines, Linux on x86 machines, and Windows on x86 machines.
  2. Main component: the main .jar file that controls execution of all the components.
  3. Install/update component: installs and updates the threat.
  4. IRC component: connects to remote IRC servers and waits for further commands from the master.
  5. Key logging component.
  6. Crypt component: Windows and Mac executable files used to decrypt the packaged files.
  7. Facebook component: we are currently analyzing this component. From our brief analysis it seems the threat can read the cookies of the logged-on user and may post malicious links on the social networking site.

It’s worth noting that the language used to write the Trojan was also cleverly chosen. The Trojan is written in Java, which is a platform-independent language. Individual modules contain compiled Java files (.class files), which are packaged in a Java runtime executable (.jar file). As long as a computer has the Java Runtime Environment (JRE) installed, which is often the case across all the platforms, the threat can execute itself.

Here is a typical scenario of installation and working of Jnanabot on a Windows platform:

An unsuspecting user clicks on a malicious URL on a social networking site, resulting in the downloading of a dropper file. This file then drops and launches the main component of the threat, that is jnana.tsa, which is a .jar file. This file contains many encrypted class files. Cplib_x86_win module is used to encrypt and decrypt those class files. This component has the ability to control all the other components of the threat.


The main component then downloads the installer/updater component and the Keylogging component.

Symantec detects this threat and its components as Trojan.Jnanabot. We are currently analyzing the threat and will post more information on it as it is available.

View full post on Symantec Connect – Security Response – Blog Entries


Full Analysis of the ZeuS-LICAT Trojan

Following last September’s turn of events, where several individuals were arrested for using information stealing Trojans known as the ZeuS toolkit, a much anticipated “upgrade” was inevitable so that it could continue its money-making ploy. Soon enough, we received cases about a ZeuS Trojan (TSPY_ZBOT.BYZ) with the following new features:

  1. Trojanizing executable files to keep the malware updated (turning them into PE_LICAT.A) and more difficult to remove.
  2. Contacting pseudorandomly generated domains, à la DOWNAD/Conficker, to avoid easy takedowns.

Over the past few weeks we have been working on completing a comprehensive report on this new ZeuS upgrade. This includes analysis of its runtime decompression/de-obfuscation stub, configuration file decryption used in its information-stealing payload, the command and control servers used, and the above-mentioned file infection and domain generation algorithm.

Earlier this week, reports about the supposed SpyEye and ZeuS toolkit merger came out. The result of this merger may be a hybrid toolkit that uses the best features of both SpyEye and ZeuS.

The full analysis in the report, File-Patching ZBOT Variants: ZeuS 2.0 Levels Up, is the result of the collaborative effort of TrendLabs engineers/researchers Alvin Bacani, Mark Anthony Balanza, Feike Hacquebord, Marco Dela Vega, Julius Dizon, Patrick Estavillo, Jasper Manuel, Loucif Kharouni, David Sancho, Ben April and Robert McArdle.

We have been chronicling our findings about TSPY_ZBOT.BYZ, the ZeuS Trojan with LICAT features, in the following entries:

View full post on TrendLabs | Malware Blog – by Trend Micro


CARBERP Trojan Steals Information

As ZeuS draws the industry’s attention, a new spyware silently but successfully entered the cybercrime scene. CARBERP, as indicated in initial reports, is a new Trojan family that might have been created to challenge the already dominant ZeuS.

TROJ_CARBERP.A uses an ingenious technique to avoid detection. This malware deliberately drops a copy of itself and its component files in directories that do not require administrator privileges, effectively defeating Windows 7 and Vista’s User Account Control (UAC) feature. As such, its routines are not detected in newer Windows OS versions. More specifically, it drops files into the Startup and Application Data folders but neither creates nor modifies registry entries. Since files dropped in the Startup folder can easily be spotted even by novice users, CARBERP hooks two APIs to hide itself, its thread in Explorer.exe, and its component files.


Apart from its stealth tactics, the real danger that CARBERP brings is that it hooks network APIs in WININET.DLL to monitor browsing activities on the affected system. Furthermore, it contacts its C&C server to download a possible configuration file, to send a list of processes running in the affected system, and to receive arbitrary commands. These capabilities can enable the cybercriminals behind this malware to steal virtually any information they wish to get their hands on.

As of this writing, CARBERP connects to already inaccessible websites and, as such, fails to perform its intended routine. TrendLabs engineers will continue monitoring this emerging malware family and will post updates as more information is obtained.

Trend Micro protects product users from this attack via the Trend Micro™ Smart Protection Network™,  which detects and blocks the Trojan from running on affected systems.

View full post on TrendLabs | Malware Blog – by Trend Micro


Bifrost: a particularly nasty Backdoor Trojan

I found the following site (kurd-ever.com) to be delivering a Backdoor Trojan part of the Bifrost family: Upon execution the malware talks to: kochar0.tripod.com/cgi-bin/prorat.cgi?bilgisayaradi=XP&ipadresi=192.168.2.10&serverportu=81&kurban=victim&servermodeli=V1.9:Fix-18&serversaati=10:05:07_AM&servertarihi=10/5/2010&serversifre=123456&islem=log to report the successful installation. (Prorat is another well known backdoor) Bifrost includes a server component: as well as a rootkit that hides the malware processes. Removing this pest is harder [...]

View full post on Malware Diaries


Criminals will continue to use Zeus Trojan, expert says

Despite dozens of recent arrests targeting large online fraud organizations, other criminals are continuing to use the Zeus Trojan and other Web tools to steal identities and money from Internet users, a cybersecurity expert said.

View full post on Computerworld Security News
