Posts Tagged ‘Trojan’

Tuesday, July 22, 2014 @ 12:07 PM gHale

A new Trojan seeking credit cards is targeting Android users, researchers said.

Right now, the malware is targeting Russian users, but it won’t take long before it starts to spread to users in other countries, said researchers at antivirus provider Dr. Web.

The Trojan hides as an Adobe Flash Player and after the user installs it, the malware immediately tries to gain administrator privileges on the device. It does so by persistently asking users to allow it, and doesn’t stop popping up the message until they do.

Once it has those privileges, the malware looks for an active Google Play application window.

“If one is present, the malware displays a standard credit card information form used to associate a credit card with an account,” the researchers said in a blog post. “All the submitted information, such as the card number, expiration date and CVC code, and the address and phone number of the cardholder, is transmitted to the attackers’ server.”

The malware is also capable of collecting information about the infected device and sending it to the same server.

The Trojan can also intercept incoming SMS messages and send messages to certain numbers.

Since Android is a big target for bad guys, users need to remember to be careful when downloading apps on their device, especially if they are downloading them from third-party app markets.

Tuesday, May 13, 2014 @ 04:05 PM gHale

While there are quite a few ways for bad guys to steal your money, click fraud still represents an efficient way for them to make off with more bounty.

Along those lines, researchers have been analyzing the activities of cybercriminals who rely on the Viknok Trojan for click fraud operations.

Trojan.Viknok has been around since at least April 2013. According to Symantec, the threat is capable of turning infected computers into botnet zombies by obtaining elevated privileges on the operating system, including on the 32- and 64-bit versions of Windows 7.

Last month, researchers noticed a considerable increase in the number of infections. In many cases, victims report hearing audio clips through their speakers when their systems end up infected with the Trojan.

So far, 16,500 unique victims have been recorded in May alone, most of them located in the United States.

Viknok infects computers by injecting its payload into DLL files. On the latest operating systems, however, this is not an easy task, which is why the cybercriminals use a number of methods to inject into files such as rpcss.dll, a library that lets software run each time the operating system starts.

The threat uses the SeTakeOwnershipPrivilege privilege to take ownership of system files. It also abuses the Dynamic-Link Library Search Order to run a malicious DLL inside the System Preparation Tool process. The RunLegacyCPLElevated.exe (Run a legacy CPL elevated) tool is used to execute DLLs with elevated privileges.

Another technique, which Symantec experts say is the most powerful, involves the exploitation of CVE-2013-3660, a Windows Kernel “Win32k.sys” local privilege escalation vulnerability.

When it first lands on a computer, Viknok uses one or more of these techniques to infect the rpcss.dll file. This allows the malware to execute every time the operating system starts. Once this file is infected, it loads the core of the malware, which sits in the System folder in an encrypted file.

“In many cases, the infection process is completely stealthy; the threat does not show any warning to the user. The malware is also difficult to detect since it does not show any suspicious running process, nor does it infect any of the standard load points,” Symantec researchers said.

In some instances, a User Account Control (UAC) prompt is displayed, and the victim needs to grant permission in order for the infection to be successful. However, the UAC prompt might not look suspicious, so users might give the Trojan permission without giving it too much thought.

As far as click fraud goes, once the threat infects a computer, its masters send it commands to load various websites. Researchers believe victims might be hearing audio clips in their speakers because the content plays on the websites visited by Viknok. The websites offer car insurance, travel tickets, domain name registration, and many other services.

The number of infections has increased over the past months. Almost no infections were spotted in December, but in January the number rose to over 10,000. In February it dropped to around 2,500, then in March it increased to 7,500. In April, the total number of unique infections was 22,000.

Monday, April 21, 2014 @ 05:04 PM gHale

In this year’s first quarter, one Trojan was responsible for 25 percent of attempted infections on Android devices.

Trojan-SMS.AndroidOS.Stealer.a accounted for almost a quarter of attempted infections on Android devices which have the company’s security solutions installed on them, said researchers at Kaspersky Labs.

Most of the infections ended up spotted in Russia, but researchers said Trojan-SMS.AndroidOS.Stealer.a is capable of targeting users from numerous countries, including Belgium, France, Latvia, Lithuania, Ukraine, Belarus, Germany, Armenia, Azerbaijan, Kyrgyzstan and Kazakhstan.

The Trojan, which cybercriminals distribute by disguising it as legitimate Android apps, contacts its command and control server (C&C) and waits for commands. The C&C can command it to change the server, send SMSs, delete incoming messages, update itself, upload information on the phone and applications, and intercept messages.

The threat’s configuration file is distributed along with the malware rather than hosted online. This lets the Trojan operate even when it can’t find a connection to the Web.

The configuration file can order the malware to open a web page, get geographic coordinates, send SMSs with a certain message to a specified number, install applications, create shortcuts and more.

A complete description of the commands accepted by Trojan-SMS.AndroidOS.Stealer.a is available on Kaspersky’s Securelist blog.

Tuesday, April 8, 2014 @ 06:04 PM gHale

A downloader known as Upatre is being distributed with the aid of spam emails purporting to come from “major financial institutions” such as Lloyds TSB and Wells Fargo.

The fake emails inform recipients that they’ve received a new secure message, said researchers at Trend Micro. The message is the same in every case: potential victims are told to open the .msg file in the attachment to read it.

“In 2013, the malware UPATRE was noted as one of the top malware seen attached to spammed messages,” said Marilyn Melliang, senior threat research engineer with Trend Micro in a blog post.

The .msg file contains another .msg file, which hides Upatre (TROJ_UPATRE.YYKE). The attackers most likely use that method to ensure the malware does not get detected immediately by security solutions. In essence, it is malware within malware.

Once it infects a device, the malware starts downloading other threats.

The sample analyzed by Trend Micro downloads a variant of ZeuS (TSPY_ZBOT.YYKE), which in turn downloads a version of Necurs (RTKT_NECURS.RBC). Necurs’ goal is to disable security features on compromised computers to make them vulnerable to other infections.

Cybercriminals also use Upatre to distribute pieces of ransomware like CryptoLocker.

After the fall of the BlackHole exploit kit, cybercriminals started distributing Upatre as an attachment. Later, they hid the malware inside password-protected attachments. Now, they’ve once again changed their tactics.

“UPATRE’s evolution is proof that threats will find new ways and techniques to get past security solutions,” Melliang said.

Friday, March 14, 2014 @ 06:03 PM gHale

There is now a Trojan that hacks WiFi routers in order to spread the Sality malware family.

Sality is one of the oldest malware families out there, and it is partly due to its spreading and communication capabilities that it has survived for this long. It is capable of a variety of malicious actions, including terminating AV software and firewalls, stealing information from infected computers and using it to spam other users, downloading additional malware, and so on, said researchers from Russian AV company Dr. Web.

It also has rootkit capabilities and spreads via removable drives and network shares. In the latest approach spotted, it works in conjunction with the WiFi-hacking Trojan, Rbrute, to propagate itself.

“When launched on a Windows computer, Trojan.Rbrute establishes a connection with the remote server and stands by for instructions. One of them provides the Trojan with a range of IP addresses to scan,” the researchers said.

In addition to this, Rbrute can mount a dictionary attack on the router. If successful, it reports back to the remote server, which then instructs the router to change the DNS addresses stored in its settings.

“As a result, when a user tries to visit a website, they can be redirected to another site that has been crafted by intruders. This scheme is currently being used by cybercriminals to expand the botnet created using the malware Win32.Sector,” the researchers said. Win32.Sector is just another name for Sality.

Rbrute compromises the router so that other machines using it can ultimately end up infected. Currently, the malware redirects targeted users to a spoofed Google Chrome download site, where the file offered for download is actually a Sality variant.

Once on the computer, Sality downloads Rbrute, and so the infection cycle continues.

Rbrute Trojan, the researchers said, can currently crack passwords on a number of different router models, including: D-Link DSL-2520U, DSL-2600U, TP-Link TD-W8901G, TD-W8901G 3.0, TD-W8901GB, TD-W8951ND, TD-W8961ND, TD-8840T, TD-8840T 2.0, TD-W8961ND, TD-8816, TD-8817 2.0, TD-8817, TD-W8151N, TD-W8101G, ZTE ZXV10 W300, ZXDSL 831CII.

Monday, March 10, 2014 @ 06:03 PM gHale

A new HTTPS RAT for Android-based mobile devices is now for sale on underground marketplaces, researchers said.

The remote administration tool (RAT), called Dendroid, costs $300 and comes with an application APK binder package, which allows attackers to lace authentic apps with malicious code and turn them into malware, according to a blog post by Peter Coogan, a Symantec researcher.

One use of the RAT is to convert a well-known legitimate Android app into a Trojan and get it placed on Android marketplaces. The victim then only needs to download it, and the attacker is off to the races.

The feature set of Dendroid is robust, the Symantec security researcher said, explaining that, once the victim suffers an infection, an attacker can perform literally any action, including calling phone numbers, recording audio, intercepting texts, opening apps and websites, and even taking and uploading photos.

“This holds the potential for stealing lots of personally identifiable information from the victim and even the victim’s contacts,” the Symantec security researcher said. “It can be used for financial gain by sending text messages or using it to dial premium rate numbers.”

Norton Mobile Security can detect the Dendroid threat, but users can prevent infection altogether by not blindly accepting permissions, the Symantec security researcher said, adding users should also carefully monitor their service bills for any irregular charges.

“Google is doing what it can to mitigate these types of threats,” the Symantec security researcher said. “One of the biggest problems we see is that when improvements are implemented, they don’t get rolled out to all users as it is dependent on the individual’s service carrier to push out said updates.”

Wednesday, February 19, 2014 @ 03:02 PM gHale

A Metasploit module that allows attackers to remotely access most Android-running devices brings up the point that security on mobile devices is a weak link.

This most recent bug is in Android’s WebView programming interface.

It gives attackers access to the device’s camera and file system via a malicious web page, but it can also be triggered via a man-in-the-middle attack to deliver a Trojan-laced app update, which would then allow attackers to access everything the app itself has permission to use.

The vulnerability in question ended up publicly disclosed in December 2012, and Google fixed it in November 2013 when it released Android 4.2, according to Ars Technica.

Tod Beardsley, technical lead for the Metasploit Framework, said this vulnerability is “kind of a huge deal”, and 70 percent of devices out there are vulnerable because they run Android versions below 4.2.

By publishing an E-Z-2-Use Metasploit module that exploits it, Beardsley hopes he can push vendors toward ensuring single-click vulnerabilities like this don’t last for over 93 weeks.

There is not much that users can do to fix this problem, except pester their carriers in great numbers in the hope they will release a security update sooner rather than later, hope that cyber criminals won’t start using the module en masse, and be careful which links they click on when using their Android devices.

Users whose devices receive OS updates directly from Google remain safe.

Wednesday, January 29, 2014 @ 02:01 PM gHale

An Android bootkit has already hit 350,000 devices from across the globe, researchers said.

In addition to being a new threat, the Trojan, called Android.Oldboot.1.origin, is not easy to remove from a system, said researchers from Doctor Web. One component installs directly onto the boot partition of the file system.

The init file is modified so that when the device starts, a script loads and the Android.Oldboot components install as a typical application. Once installed on a device, the threat connects to a remote server and waits for commands.

“When the mobile phone is turned on, this script loads the code of the Trojan Linux-library imei_chk (Doctor Web Anti-virus detects it as Android.Oldboot.1), which extracts the files (Android.Oldboot.2) and GoogleKernel.apk (Android.Oldboot.1.origin) and places them in /system/lib and /system/app, respectively,” Doctor Web researchers said.

“Thus, part of the Trojan Android.Oldboot is installed as a typical application which further functions as a system service and uses the library to connect to a remote server and receive various commands, most notably, to download, install or remove certain applications,” the researchers said.

The problem is that even if it’s removed, once the device reboots the Trojan is reinstalled by the component that resides in the protected memory area.

Experts believe the malware is being distributed via modified firmware. When users reflash their smartphones and install this firmware, they’re actually infecting them with the Trojan.

Most infections (92 percent) are in China, which appears to be the main target. However, infected devices are also in Germany, Spain, Russia, Italy, the U.S., Brazil and other countries from Southeast Asia.

The best way to protect your smartphone against this piece of malware is pretty basic, but needs saying: Avoid installing firmware downloaded from untrusted sources.
