Posts Tagged ‘infections’
Thursday, August 9, 2012 @ 03:08 PM gHale
Cyber criminals are now using the Police Virus malware as fully functioning ransomware, according to a new report.
The Police Virus is a common technique used by criminals to infect computers by masquerading as law enforcement agencies demanding money for fictional crimes, said researchers from security firm PandaLabs.
Scams like these across the globe demand money for things like copyright infringement, missed court dates and even parking tickets.
PandaLabs detected the evolution of the scam from standard scareware to ransomware in its latest quarterly threat report, which analyzed incidents from April through June 2012.
The firm went on to warn that the campaigns are continuing to evolve at a rapid pace, with criminals creating increasingly effective ways to hold users' data to ransom and demand payment for its safe return.
“The first versions of the new Police Virus only use encrypted .doc files, and the encryption wasn’t too hard to crack, so it was possible to decrypt the files without the key,” the report said.
“Now, however, a more sophisticated encryption is being used, and the decryption key is required to unlock the files. And not only that, the files are encrypted with a different key for each infected computer, so, unless you are able to access the server that stores all keys, it is absolutely impossible to access the files.”
The evolution came alongside a boom in the number of Trojan viruses hitting the cyber street. The report revealed Trojans are now the most common form of cyber attack, accounting for 79 percent of all threats.
Worms were the second biggest threat detected, responsible for 11 percent of all attacks, the report said.
Trojans continued to prove the most effective attack method during the quarter, accounting for 76 percent of all infections, while viruses came second at eight percent.
“It is interesting to note that worms have only caused six percent of infections despite accounting for almost 11 percent of all new malware”, said Luis Corrons, technical director of PandaLabs.
“The figures corroborate what is well known: massive worm epidemics have become a thing of the past and have been replaced by an increasing avalanche of banking Trojans and specimens such as the Police Virus.”
Looking to the future, Corrons warned the scam is one of numerous cyber crime kits currently on sale and will likely remain an ongoing problem for the foreseeable future.
“This so-called Police Virus appears to be created for and distributed by a cyber criminal gang from Eastern Europe or Russia, and police forces from across Europe are working together to try and identify and arrest them,” said Corrons.
Tuesday, July 10, 2012 @ 02:07 PM gHale
A new Android Trojan is running through China with at least 100,000 infections so far.
The Trojan provides a variation on covert premium calls where it secretly buys apps via China Mobile’s Android Market. The cost automatically bills to the user’s account.
The Trojan, detected as Trojan!MMarketPay.A@Android, is present in nine Chinese app markets and has already infected more than 100,000 Android devices, said researchers at security firm TrustGo Mobile. TrustGo warns it may come as a repackaged app, such as cn.itkt.travelskygo or com.funinhand.weibo.
Its purpose is to log on to the China Mobile Android Market and download paid-for apps and video. China Mobile is one of the world’s largest mobile providers with 677 million customers. It operates an app store for its customers where charges automatically add on to the users’ phone bills.
The Mobile Market allows users to log in and download free or paid-for apps, or view multimedia content. When a paid-for app is purchased, China Mobile sends a verification code to the user. MMarketPay operates by covertly initiating and hijacking the log-in process and intercepting the verification code.
For now, TrustGo said “this sophisticated new malware could cause unexpected high phone bills.” However, given the large number of apps installed and their relatively low cost, it is possible users will notice neither the app nor the addition to the phone bill and will remain unaware of any infection. The same methodology could also occur when a user downloads and installs spyware or spyware-infected apps planted in the Market.
TrustGo said the majority of mobile malware is in applications that originate from and attack third-party markets in China and Russia. It “recommends customers only download apps from trusted app stores and download a mobile security app which can scan malware in real-time.”
Friday, July 6, 2012 @ 02:07 PM gHale
Masters behind the Carberp botnets are now under arrest and facing charges.
As expected, the number of infected devices dropped right after each series of arrests, but for the time being, the number of impacted computers is still high, said researchers at IT security company ESET.
Carberp first came to light in 2009 when a group started using it to steal sensitive information. At the time, the malware wasn’t as sophisticated as the updated variants. The old version mainly relied on legitimate remote access software.
In 2010, a second organization began its activities and in the summer of 2011, the biggest botnet based on Carberp came to life. A few months later, the Trojan improved to incorporate a bootkit.
By the end of 2011, mass infections started coming from hijacked websites. Each of these versions came with new features and improved mechanisms such as a smartcard detection functionality.
Starting in March 2012, law enforcement agencies managed to apprehend the individuals that coordinated the massive operations. At the end of June police arrested a man suspected of running the largest banking botnet in the world (4.5 million computers).
The figures provided by ESET’s Live Grid show after each series of arrests, the number of detections slightly dropped, but the number of infected machines is still high, compared to the past years.
“All the Carberp botnet organizers have been arrested, but our statistics aren’t showing a big drop in detections. The Russian region leads as before for Carberp detections and after the arrests it showed a brief dip,” said Aleksandr Matrosov, Security Intelligence Team Lead at ESET.
Wednesday, March 7, 2012 @ 02:03 PM gHale
Around 30,000 unique websites are currently compromised in a way that redirects visitors to sites promoting bogus antivirus software.
Across those 30,000 sites, 200,000 web pages are affected, with the campaign mostly targeting sites hosted on the WordPress content management system, said researchers at Websense.
After multiple redirects, victims go to a website that performs a fake scan, pointing out a large number of infections and threats that affect the system. The scan looks as though it takes place in a Windows Explorer window, but in reality it’s nothing more than a webpage set up to dupe users.
When the scan is complete, a dialog box urges the user to install an antivirus tool that will supposedly remove the malware. However, the antivirus installer is nothing more than a Trojan that, once installed, can give its master complete control over the infected machine.
More than 85% of the compromised websites are in the United States. Other countries, including Turkey, Brazil, the UK, India, China, South Africa, Jordan, Canada, the Philippines and Taiwan, are also feeling the brunt of the attacks.
The injected code usually goes before the