ISSSource White Papers

Posts Tagged ‘infections’

Thursday, August 9, 2012 @ 03:08 PM gHale

Cyber criminals are now using the Police Virus malware as fully functioning ransomware, according to a new report.

The Police Virus is a common technique used by criminals to infect computers by masquerading as law enforcement agencies demanding money for fictional crimes, said researchers from security firm PandaLabs.

Scams like these across the globe demand money for things like copyright infringement, missed court dates and even parking tickets.

PandaLabs detected the evolution of the scam from standard scareware to ransomware in its latest quarterly threat report, which analyzed incidents from April through June 2012.

The firm went on to warn that the campaigns are continuing to evolve at a rapid pace, with criminals creating increasingly effective ways to hold users' data to ransom and demand payment for its safe return.

“The first versions of the new Police Virus only use encrypted .doc files, and the encryption wasn’t too hard to crack, so it was possible to decrypt the files without the key,” the report said.

“Now, however, a more sophisticated encryption is being used, and the decryption key is required to unlock the files. And not only that, the files are encrypted with a different key for each infected computer, so, unless you are able to access the server that stores all keys, it is absolutely impossible to access the files.”

The evolution came alongside a boom in the number of Trojan viruses hitting the cyber street. The report revealed Trojans are now the most common form of cyber attack, accounting for 79 percent of all threats.

Worms were the second biggest threat detected, responsible for 11 percent of all attacks, the report said.

Trojans continued to prove the most effective attack method during the quarter, responsible for 76 percent of all infections, while viruses came second, accounting for eight percent.

“It is interesting to note that worms have only caused six percent of infections despite accounting for almost 11 percent of all new malware”, said Luis Corrons, technical director of PandaLabs.

“The figures corroborate what is well known: massive worm epidemics have become a thing of the past and have been replaced by an increasing avalanche of banking Trojans and specimens such as the Police Virus.”

Looking to the future, Corrons warned the scam is one of numerous cyber crime kits currently on sale and will likely remain an ongoing problem for the foreseeable future.

“This so-called Police Virus appears to be created for and distributed by a cyber criminal gang from Eastern Europe or Russia, and police forces from across Europe are working together to try and identify and arrest them,” said Corrons.

Tuesday, July 10, 2012 @ 02:07 PM gHale

A new Android Trojan is running through China with at least 100,000 infections so far.

The Trojan provides a variation on covert premium calls where it secretly buys apps via China Mobile’s Android Market. The cost automatically bills to the user’s account.

The Trojan!MMarketPay.A@Android is in nine China app markets and has already infected more than 100,000 Android devices, said researchers at security firm TrustGo Mobile. TrustGo warns it may come as a repackaged app, such as cn.itkt.travelskygo or

Its purpose is to log on to the China Mobile Android Market and download paid-for apps and video. China Mobile is one of the world’s largest mobile providers with 677 million customers. It operates an app store for its customers where charges automatically add on to the users’ phone bills.

The Mobile Market allows users to log in and download free or paid-for apps, or view multimedia content. If an app ends up paid for, China Mobile sends a verification code to the user. MMarketPay operates by covertly instigating and hijacking the log-in process, and intercepting the verification code.

For now, TrustGo said “this sophisticated new malware could cause unexpected high phone bills.” However, given the large number of apps installed and their relatively low cost, it is possible users will notice neither the app nor the addition to the phone bill and will remain unaware of any infection. The same methodology could also occur when a user downloads and installs spyware or spyware-infected apps planted in the Market.

TrustGo said the majority of mobile malware is in applications that originate from and attack third-party markets in China and Russia. It “recommends customers only download apps from trusted app stores and download a mobile security app which can scan malware in real-time.”

Friday, July 6, 2012 @ 02:07 PM gHale

Masters behind the Carberp botnets are now under arrest and facing charges.

As expected, the number of infected devices dropped right after each series of arrests, but for the time being, the number of impacted computers is still high, said researchers at IT security company ESET.

Carberp first came to light in 2009 when a group started using it to steal sensitive information. At the time, the malware wasn’t as sophisticated as the updated variants. The old version mainly relied on legitimate remote access software.

In 2010, a second organization began its activities and in the summer of 2011, the biggest botnet based on Carberp came to life. A few months later, the Trojan improved to incorporate a bootkit.

By the end of 2011, mass infections started coming from hijacked websites. Each of these versions came with new features and improved mechanisms such as a smartcard detection functionality.

Starting in March 2012, law enforcement agencies managed to apprehend the individuals that coordinated the massive operations. At the end of June police arrested a man suspected of running the largest banking botnet in the world (4.5 million computers).

The figures provided by ESET’s Live Grid show after each series of arrests, the number of detections slightly dropped, but the number of infected machines is still high, compared to the past years.

“All the Carberp botnet organizers have been arrested, but our statistics aren’t showing a big drop in detections. The Russian region leads as before for Carberp detections and after the arrests it showed a brief dip,” said Aleksandr Matrosov, Security Intelligence Team Lead at ESET.

Wednesday, March 7, 2012 @ 02:03 PM gHale

Around 30,000 unique websites are currently suffering from compromises that redirect visitors to sites that promote bogus antivirus software.

Of those 30,000 sites, 200,000 webpages suffer from the compromise, with the campaign mostly targeting ones hosted by the WordPress content management system, said researchers at Websense.

After multiple redirects, victims go to a website that performs a fake scan, pointing out a large number of infections and threats that affect the system. The scan looks as though it takes place in a Windows Explorer window, but in reality it’s nothing more than a webpage set up to dupe users.

When the scan is complete, a dialogue box then urges the user to install an antivirus tool that will remove the pieces of malware. However, the antivirus installer is nothing more than a Trojan that once installed can give its master complete control over the infected machine.

More than 85% of the compromised websites are in the United States. Other countries, including Turkey, Brazil, the UK, India, China, South Africa, Jordan, Canada, the Philippines and Taiwan, are also feeling the brunt of the attacks.

The injected code usually goes before the tag.

Wednesday, October 26, 2011 @ 04:10 PM gHale

Duqu is sending shivers up and down the spine of security experts, not necessarily for what it has done, but more along the lines of fear of the unknown.

As more information comes out, the more fears get set aside and the protection mode kicks in. Along those lines, ICS-CERT, in close coordination with Symantec and the original researchers, has determined after additional analysis neither industrial control systems nor vendors/manufacturers were the target of Duqu. In addition, as of October 21, 2011, there have been very few infections and there is no evidence based on current code analysis that Duqu presents a specific threat to industrial control systems.

Having said that, organizations need to remain vigilant against this and other sophisticated malware.

ICS-CERT will also continue coordination with Symantec, McAfee, the international community, and ICS Stakeholders.

On October 18, Symantec released a Security Response Report saying the original sample of W32.Duqu came from a research organization based in Europe and that additional variants also came from a second organization in Europe.

The attackers, Symantec said, were looking for information, such as design documents, that could see use in a future attack on an industrial control facility.

This threat focused on a limited number of organizations, apparently to exfiltrate data concerning their specific assets; officials do not know the propagation method yet. Symantec said W32.Duqu is not self-replicating.

Symantec reported other attacks could be ongoing using undetected variants of W32.Duqu. Symantec said they are continuing to analyze additional variants of W32.Duqu.

Key points from the report include:
• The executables share some code with the Stuxnet worm, and they came after the recovery of the last Stuxnet sample.
• There is no ICS specific attack code in the Duqu or infostealer.
• No one knows the primary infection vector for Duqu deployment. (Duqu does not self-replicate or spread on its own).
• There seems to be a limit on targeted organizations.
• The malware employed a valid digital certificate (revoked as of October 14, 2011).
• The malware self-deletes after 36 days.
• The Command and Control servers are in India.

McAfee Labs has also published a blog entry on the Duqu malware.

Duqu uses HTTP and HTTPS to communicate with a command and control (C&C) server at This server is in India and the ISP disabled it.

Organizations should check network and proxy logs for any communication with this IP address. If users find any communication, contact ICS-CERT for further guidance.

Symantec provided sample file names and MD5 hashes for the files identified as part of this threat.
The full extent of the threat posed by W32.Duqu is currently under evaluation. At this time, no specific mitigations are available; however, organizations should consider taking defensive measures against this threat. One measure organizations should take is to update antivirus definitions for detection of the Duqu Trojan.

Thursday, September 29, 2011 @ 04:09 PM gHale

Failure to patch third-party applications is the main reason Windows machines suffer from malware infections, a new study said.

Drive-by download attacks from hacker-controlled websites loaded with exploits replaced infected email attachments as the main distribution method for malware three to five years ago. At the start of this period browser exploits were the main stock-in-trade for VXers, but this has changed over time, a study by Danish security firm CSIS showed.

Up to 85 percent of all virus infections happen as the result of drive-by attacks served up via commercial exploit kits, said CSIS, a security consulting firm that focuses on e-crime research. The company monitored the behavior of 50 different exploit kits over a period of three months, analyzing the causes of infection of commercial and consumer systems.

The study discovered that 31.3 percent of 500,000 users exposed to exploit toolkits were secretly force-fed malware as a result of missing security updates.

Systems running vulnerable versions of Java JRE, Adobe Reader and Acrobat, and Adobe Flash were particularly at risk of attack. Vulnerabilities in Internet Explorer were in 10 percent of attacks. By contrast, Java flaws (37 percent), Adobe Reader/Acrobat (32 percent) and Flash (16 percent) were far more productive routes to exploit. Apple QuickTime holes were in two percent of attacks. Infected systems are typically loaded with quite a bit of malware, including fake anti-virus software and information-stealing spyware.

CSIS concludes that “99.8 percent of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages.”

Anti-virus still has a role to play in guarding against malware infection while stressing the point that relying on security software without improving patching practices is bound to result in trouble, said CSIS Researcher Peter Kruse.

Monday, September 19, 2011 @ 12:09 PM gHale

Mitsubishi Heavy Industries Ltd, the manufacturer of Patriot Advanced Capability 3 missiles, is under attack with hackers targeting the submarine, missile and nuclear power plant component factories.

Japan’s largest defense contractor said 45 servers and 38 PCs suffered infections with viruses at 10 facilities in Japan, including its submarine manufacturing plant in Kobe and a factory in central Japan that makes engine parts for missiles.

The manufacturer makes weapons including surface-to-air Patriot missiles and AIM-7 Sparrow air-to-air missiles. Mitsubishi Heavy has also been working closely with Boeing, making wings for its 787 Dreamliner jets.

The incident comes amid a heightened focus on cyber warfare, a term that refers to politically motivated hacking conducted for sabotage and espionage.

At a U.S. conference on cyber warfare, General Keith Alexander, the head of the U.S. Cyber Command, said cyber attacks were escalating from large-scale theft and disruption of computer operations to more lethal attacks that destroy systems and physical equipment.

“We’ve found out that some system information such as IP addresses have been leaked and that’s creepy enough,” said a Mitsubishi Heavy spokesman. “We can’t rule out small possibilities of further information leakage but so far crucial data about our products or technologies have been kept safe,” he said.

At least eight different kinds of computer virus including a Trojan horse, which steals key information from infected computer hardware, were in Mitsubishi Heavy’s main office or production sites, a Yomiuri, Japan, newspaper reported.

The U.S. has become extremely cautious about cyber attacks and, beginning in September, has pledged, along with Australia, to jointly thwart potential threats in cyberspace.

In addition to Australia, the U.S. already has treaty ties with Japan, South Korea, the Philippines and Thailand. The White House, earlier this year, released its strategy for preventing and countering attacks in cyberspace, calling for responding to hostile acts in that domain “as we would to any other threat to our country.”

Wednesday, August 31, 2011 @ 11:08 AM gHale

A virus can spread and cause huge ramifications, but a new application injected into the social networking site Facebook can serve as a better indicator of how infections spread among populations.

PiggyDemic allows users to “infect” their friends with a simulated virus or become infected themselves. The resulting patterns allow researchers to gather information on how a virus mutates, spreads through human interaction, and the number of people it infects, said Dr. Gal Almogy and Professor Nir Ben-Tal of the Department of Biochemistry and Molecular Biology at Tel Aviv University’s George S. Wise Faculty of Life Sciences.

Currently, scientists use mathematical algorithms to determine which virus will spread and how, but this method has flaws. It assumes a virus has equal distribution across populations, but that is simply not the case, the researchers said.

In addition, patterns of social interaction also come into play. “HIV is concentrated in Africa; certain types of flu are widespread in North America and Asia,” Almogy said. “Adding the element of human interaction, and looking at the social networks we belong to, is critical for investigating viral interaction.”

Facebook is an ideal tool for such an undertaking, Almogy said. The social networking site’s digital interactions simulate in-person interactions. Viral infections, like the flu, are a social phenomenon, he said.

Once added to a user’s Facebook account, PiggyDemic follows the user’s newsfeed to determine the people they interact with. Users are either “susceptible,” “immune” or “infected” with various simulated viruses, and can pass them on to their online contacts. Researchers then follow these interactions using network visualization software, and watch the links between users as the “viruses” pass on.

Accurate modeling of viral dynamics is critical for developing public health policy, Almogy said. There will be better use of vaccinations, medications, quarantine and anti-viral procedures if medical personnel are able to more accurately predict the course of infection.

More than a research tool, PiggyDemic is also a game (users try to infect as many of their friends as possible), a teaching tool (users make choices that help them live a healthy life), and potentially a method for high-resolution, real-time tracking of virus outbreaks.

“People who have this software can report if they are actually ill,” Almogy said. “If we know who their friends are and the sequence of the infecting virus, we can figure out which virus they have and how it passes from one person to another.” If the network is large enough, he said, they might be able to post warnings of possible outbreaks to Facebook networks.
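
To illustrate the susceptible/immune/infected model the post describes, and its point that assuming equal distribution across a population misleads, here is an added Python simulation (not PiggyDemic's own code; the friend graph and every user name in it are constructed): the same virus is run over a well-mixed population, over a clustered contact graph, and over that graph with one bridge contact quarantined.

```python
import random
from collections import Counter

SUSCEPTIBLE, INFECTED, IMMUNE = "susceptible", "infected", "immune"

# Constructed friend graph (hypothetical users, not PiggyDemic data): two tightly
# knit groups joined by a single bridge (dee-eli), plus one isolated user (hal).
FRIENDS = {
    "ana": ["ben", "cai", "dee"],
    "ben": ["ana", "cai"],
    "cai": ["ana", "ben", "dee"],
    "dee": ["ana", "cai", "eli"],
    "eli": ["dee", "fay", "gus"],
    "fay": ["eli", "gus"],
    "gus": ["eli", "fay"],
    "hal": [],
}


def well_mixed(users):
    """The homogeneous-mixing assumption the post criticizes: everyone contacts everyone."""
    return {u: [v for v in users if v != u] for u in users}


def without_edge(friends, a, b):
    """Copy of the graph with the a-b contact removed (quarantining that interaction)."""
    return {u: [v for v in vs if {u, v} != {a, b}] for u, vs in friends.items()}


def simulate(friends, seeds, p_transmit, infectious_days=1, rng=None):
    """Discrete-day susceptible/infected/immune model over a contact graph.

    Each infected user exposes every friend once per day, each exposure succeeding
    with probability p_transmit; after infectious_days the user becomes immune.
    Returns the final state of every user."""
    rng = rng or random.Random(0)
    state = {u: SUSCEPTIBLE for u in friends}
    days_left = {}
    for s in seeds:
        state[s] = INFECTED
        days_left[s] = infectious_days
    while days_left:
        exposed = [f for u in days_left for f in friends[u]
                   if state[f] == SUSCEPTIBLE and rng.random() < p_transmit]
        for u in list(days_left):            # infected users recover and become immune
            days_left[u] -= 1
            if days_left[u] == 0:
                state[u] = IMMUNE
                del days_left[u]
        for f in exposed:                    # new infections start the next day's round
            if state[f] == SUSCEPTIBLE:
                state[f] = INFECTED
                days_left[f] = infectious_days
    return state


def outbreak_size(state):
    """Number of users the simulated virus reached (currently infected or now immune)."""
    return sum(1 for st in state.values() if st != SUSCEPTIBLE)


if __name__ == "__main__":
    for label, graph in [("well-mixed", well_mixed(FRIENDS)), ("real network", FRIENDS),
                         ("dee-eli quarantined", without_edge(FRIENDS, "dee", "eli"))]:
        final = simulate(graph, ["ana"], p_transmit=1.0)
        print(f"{label}: {outbreak_size(final)} of {len(final)} reached, {Counter(final.values())}")
```

With certain transmission the well-mixed model predicts all eight users are reached, while the contact graph stops at seven (hal never interacts) and drops to four once the single bridge contact is removed, which is the kind of difference the researchers say the equal-distribution assumption hides.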

Monday, August 1, 2011 @ 12:08 PM gHale

Users beware: Computers running Windows XP make up a huge amount of infected PCs that can spread malware to other systems.

With Windows XP about 10 years old, it obviously has its share of issues, but according to a survey from Avast, a Czech antivirus company, its share of rootkit infections is out of proportion to the operating system’s market share.

While XP accounts for about 58% of all Windows systems in use, 74% of the rootkit infections found by Avast were on XP machines.

XP’s share of infections was larger than Windows 7’s, which accounted for 12% of the malware-plagued machines, even though the 2009 operating system runs on 31% of all Windows PCs.

Rootkits have become an important part of the most sophisticated malware packages, particularly botnets, because they mask the infection from the user, the operating system and most security software. By installing a rootkit, the hacker ensures the compromise goes undetected as long as possible, and the PC remains available to the botnet’s controller so it can send things like spam or spread malware to other machines.

Avast attributed the infection disparity between XP and Windows 7 to a pair of factors: The widespread use of pirated copies of the former and the latter’s better security.

“According to our stats, as many as a third of XP users are running SP2 [Service Pack 2] or earlier,” said Ondrej Vlcek, the chief technology officer of Avast. “Millions of people are out of support and their machines are unpatched.”

Vlcek assumed people running XP SP2, which Microsoft stopped supporting with security patches a year ago, have declined to update to the still-supported SP3 because they are running counterfeits.