Posts Tagged ‘Trojan’
Friday, March 14, 2014 @ 06:03 PM gHale
There is now a Trojan that hacks WiFi routers in order to spread the Sality malware family.
Sality is one of the oldest malware families out there, and its spreading and communication capabilities are part of why it has survived this long. It is capable of a variety of malicious actions, including terminating AV software and firewalls, stealing information from infected computers and using it to spam other users, downloading additional malware, and so on, said researchers from Russian AV company Dr. Web.
It also has rootkit capabilities and spreads via removable drives and network shares. In the latest approach spotted, it works in conjunction with the WiFi-hacking Trojan, Rbrute, to propagate itself.
“When launched on a Windows computer, Trojan.Rbrute establishes a connection with the remote server and stands by for instructions. One of them provides the Trojan with a range of IP addresses to scan,” the researchers said.
In addition to scanning, Rbrute can mount a dictionary attack against the router’s administrative password. If successful, it reports back to the remote server, which then instructs the Trojan to change the DNS addresses stored in the router’s settings.
“As a result, when a user tries to visit a website, they can be redirected to another site that has been crafted by intruders. This scheme is currently being used by cybercriminals to expand the botnet created using the malware Win32.Sector,” the researchers said. Win32.Sector is just another name for Sality.
Because Rbrute compromises the router, other machines using it could ultimately end up infected. Currently, the malware redirects targeted users to a spoofed Google Chrome download site, where the file offered for download is actually a Sality variant.
Once on the computer, Sality downloads Rbrute, and so the infection cycle continues.
Rbrute Trojan, the researchers said, can currently crack passwords on a number of different router models, including: D-Link DSL-2520U, DSL-2600U, TP-Link TD-W8901G, TD-W8901G 3.0, TD-W8901GB, TD-W8951ND, TD-W8961ND, TD-8840T, TD-8840T 2.0, TD-W8961ND, TD-8816, TD-8817 2.0, TD-8817, TD-W8151N, TD-W8101G, ZTE ZXV10 W300, ZXDSL 831CII.
Monday, March 10, 2014 @ 06:03 PM gHale
A new HTTPS RAT for Android-based mobile devices is now for sale on underground marketplaces, researchers said.
The remote administration tool (RAT) is Dendroid. It costs $300 and contains an APK binder package, which allows attackers to lace authentic apps with malicious code and turn them into malware, according to a blog post by Peter Coogan, a Symantec researcher.
One way the RAT is used is to take a well-known legitimate Android app, turn it into a Trojan, and get the trojanized version placed onto Android marketplaces. The victim then only needs to download it for the infection to begin.
The feature set of Dendroid is robust, the Symantec security researcher said, explaining that, once the victim suffers an infection, an attacker can perform literally any action, including calling phone numbers, recording audio, intercepting texts, opening apps and websites, and even taking and uploading photos.
“This holds the potential for stealing lots of personally identifiable information from the victim and even the victim’s contacts,” the Symantec security researcher said. “It can be used for financial gain by sending text messages or using it to dial premium rate numbers.”
Norton Mobile Security can detect the Dendroid threat, but users can prevent infection altogether by not blindly accepting permissions, the Symantec security researcher said, adding users should also carefully monitor their service bills for any irregular charges.
“Google is doing what it can to mitigate these types of threats,” the Symantec security researcher said. “One of the biggest problems we see is that when improvements are implemented, they don’t get rolled out to all users as it is dependent on the individual’s service carrier to push out said updates.”
Tuesday, March 4, 2014 @ 05:03 PM gHale
A new version of the Gameover malware is able to steal online banking credentials and has a kernel-level rootkit that makes it very hard to remove, researchers said.
Gameover is a computer Trojan based on the Zeus banking malware whose source code leaked over the Internet in 2011. Gameover stands apart from other Zeus-based Trojan programs because it uses peer-to-peer technology for command and control instead of traditional servers, making it more resilient to takedown attempts, according to researchers at Sophos.
At the beginning of February, researchers from security firm Malcovery Security reported a new variant of Gameover was going out as an encrypted .enc file in order to bypass network-level defenses. The latest move from the Gameover authors is to use a kernel rootkit called Necurs to protect the malware’s process from termination and its files from deletion, Sophos researchers said in a blog post.
The latest Gameover variant is going out through spam emails purporting to come from HSBC France with fake invoices in .zip attachments. These attachments don’t contain the Gameover Trojan program itself, but a malicious downloader program called Upatre which, if run, downloads and installs the banking malware.
If this first stage of the infection is successful, the new Gameover variant attempts to install the Necurs rootkit which operates as a 32-bit or 64-bit driver depending on the Windows version used by the victim. The malware tries to exploit a Windows privilege escalation vulnerability patched by Microsoft in 2010 in order to install the Necurs driver with administrator privileges.
If the system is patched and the exploit fails, the malware triggers a User Account Control (UAC) prompt to ask the victim for administrator access. The UAC prompt should look suspicious considering the user opened what he believed to be an invoice, researchers said.
However, if the user confirms the execution anyway or the exploit is successful in the first place, the rogue driver starts protecting the Gameover components.
“The rootkit greatly increases the difficulty of removing the malware from an infected computer, so you are likely to stay infected for longer, and lose more data to the controllers of the Gameover botnet,” researchers said.
Zeus and its spin-offs continue to be popular with cybercriminals. A new report from Dell SecureWorks found Zeus variants accounted for almost half of all banking malware seen in 2013.
In addition to stealing online banking credentials and financial information, bad guys are increasingly using such malware to collect other types of data. Security firm Adallom just found a Zeus variant designed to steal Salesforce.com credentials and scrape business data from the compromised accounts.
Wednesday, January 29, 2014 @ 02:01 PM gHale
An Android bootkit has already hit 350,000 devices from across the globe, researchers said.
In addition to being a new threat, the Trojan, called Android.Oldboot.1.origin, is not easy to remove from a system, said researchers from Doctor Web, because one of its components installs directly onto the boot partition of the file system.
The device’s startup script is modified so that, when the device starts, the script loads and the Android.Oldboot components install as a typical application. Once installed on a device, the threat connects to a remote server and waits for commands.
“When the mobile phone is turned on, this script loads the code of the Trojan Linux-library imei_chk (Doctor Web Anti-virus detects it as Android.Oldboot.1), which extracts the files libgooglekernel.so (Android.Oldboot.2) and GoogleKernel.apk (Android.Oldboot.1.origin) and places them in /system/lib and /system/app, respectively,” Doctor Web researchers said.
“Thus, part of the Trojan Android.Oldboot is installed as a typical application which further functions as a system service and uses the libgooglekernel.so library to connect to a remote server and receive various commands, most notably, to download, install or remove certain applications,” the researchers said.
The problem is that even if the application is removed, the Trojan is reinstalled once the device reboots, because of the component that resides in the protected boot partition.
Experts believe the malware is undergoing distribution via a modified firmware. When users reflash their smartphones and install this firmware, they’re actually infecting them with the Trojan.
Most infections (92 percent) are in China, which appears to be the main target. However, infected devices are also in Germany, Spain, Russia, Italy, the U.S., Brazil and other countries from Southeast Asia.
The best way to protect your smartphone against this piece of malware is pretty basic, but needs saying: Avoid installing firmware downloaded from untrusted sources.