Posts Tagged ‘Trojan’
Monday, March 10, 2014 @ 06:03 PM gHale
A new HTTPS RAT for Android-based mobile devices is now for sale on underground marketplaces, researchers said.
The remote administration tool (RAT), called Dendroid, costs $300 and ships with an APK binder that lets attackers lace legitimate apps with malicious code and turn them into malware, according to a blog post by Symantec researcher Peter Coogan.
A typical use of the binder is to trojanize a well-known legitimate Android app and get the result onto Android marketplaces; from there the victim only has to install it.
The feature set of Dendroid is robust, the Symantec researcher said: once a device is infected, an attacker can perform a wide range of actions, including calling phone numbers, recording audio, intercepting text messages, opening apps and websites, and taking and uploading photos.
“This holds the potential for stealing lots of personally identifiable information from the victim and even the victim’s contacts,” the Symantec security researcher said. “It can be used for financial gain by sending text messages or using it to dial premium rate numbers.”
Norton Mobile Security can detect the Dendroid threat, but users can prevent infection altogether by not blindly accepting permission requests, the Symantec researcher said, adding that users should also monitor their service bills for irregular charges.
“Google is doing what it can to mitigate these types of threats,” the Symantec security researcher said. “One of the biggest problems we see is that when improvements are implemented, they don’t get rolled out to all users as it is dependent on the individual’s service carrier to push out said updates.”
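As an added example (not Symantec's code and not part of Dendroid), the following Python triages the permissions declared in a decoded AndroidManifest.xml, such as apktool produces, against the capabilities described above. The two manifests, the permission-to-capability table and the threshold of "INTERNET plus at least three collection or abuse permissions" are assumptions for illustration.

```python
# Added example: triage of the permissions declared in a decoded
# AndroidManifest.xml against the capabilities the text attributes to
# Dendroid-laced apps. Not Symantec's code; the manifests are constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission -> capability described for Dendroid (assumed mapping).
CAPABILITY_BY_PERMISSION = {
    "android.permission.CALL_PHONE": "place calls (premium-rate numbers)",
    "android.permission.SEND_SMS": "send texts (premium-rate numbers)",
    "android.permission.RECEIVE_SMS": "intercept incoming texts",
    "android.permission.READ_SMS": "read stored texts",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.CAMERA": "take photos",
    "android.permission.READ_CONTACTS": "harvest the victim's contacts",
    "android.permission.INTERNET": "upload data to a remote server",
}


def declared_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    names = []
    for el in root.iter("uses-permission"):
        name = el.get("{%s}name" % ANDROID_NS)
        if name:
            names.append(name)
    return names


def triage(manifest_xml, min_collection=3):
    """Flag a manifest whose permission set looks like a RAT payload:
    a network path out plus several collection/abuse permissions.
    The threshold is an assumption, not a published rule."""
    perms = set(declared_permissions(manifest_xml))
    hits = {p: CAPABILITY_BY_PERMISSION[p] for p in perms
            if p in CAPABILITY_BY_PERMISSION}
    collection = [p for p in hits if p != "android.permission.INTERNET"]
    return {
        "declared": sorted(perms),
        "suspicious": hits,
        "rat_like": ("android.permission.INTERNET" in perms
                     and len(collection) >= min_collection),
    }


# Constructed manifests: a "flashlight" app bound with a RAT-style payload,
# and a plain flashlight app declaring only the permission it needs.
BOUND_FLASHLIGHT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Flashlight"/>
</manifest>"""

PLAIN_FLASHLIGHT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Flashlight"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("bound", BOUND_FLASHLIGHT), ("plain", PLAIN_FLASHLIGHT)):
        result = triage(xml)
        print(label, "rat_like=%s" % result["rat_like"])
        for perm, why in sorted(result["suspicious"].items()):
            print("   ", perm, "->", why)
```

The check is deliberately about the combination rather than any single permission: a messaging app legitimately needs SEND_SMS, and a camera app needs CAMERA, but a flashlight that wants to call, text, record and reach the network is the shape of a bound app.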
Tuesday, March 4, 2014 @ 05:03 PM gHale
A new version of the Gameover malware is able to steal online banking credentials and has a kernel-level rootkit that makes it very hard to remove, researchers said.
Gameover is a computer Trojan based on the Zeus banking malware whose source code leaked over the Internet in 2011. Gameover stands apart from other Zeus-based Trojan programs because it uses peer-to-peer technology for command and control instead of traditional servers, making it more resilient to takedown attempts, according to researchers at Sophos.
At the beginning of February, researchers from security firm Malcovery Security reported a new variant of Gameover was going out as an encrypted .enc file in order to bypass network-level defenses. The latest move by the Gameover authors is to use a kernel rootkit called Necurs to protect the malware's process from termination and its files from deletion, Sophos researchers said in a blog post.
The latest Gameover variant is going out through spam emails purporting to come from HSBC France with fake invoices in .zip attachments. These attachments don’t contain the Gameover Trojan program itself, but a malicious downloader program called Upatre which, if run, downloads and installs the banking malware.
If this first stage of the infection is successful, the new Gameover variant attempts to install the Necurs rootkit which operates as a 32-bit or 64-bit driver depending on the Windows version used by the victim. The malware tries to exploit a Windows privilege escalation vulnerability patched by Microsoft in 2010 in order to install the Necurs driver with administrator privileges.
If the system is patched and the exploit fails, the malware triggers a User Account Control (UAC) prompt asking the victim for administrator access. That prompt should look suspicious given the user believed they had just opened an invoice, researchers said.
If the user confirms the prompt anyway, or the exploit succeeds in the first place, the rogue driver starts protecting the Gameover components.
“The rootkit greatly increases the difficulty of removing the malware from an infected computer, so you are likely to stay infected for longer, and lose more data to the controllers of the Gameover botnet,” researchers said.
Zeus and its spin-offs continue to be popular with cybercriminals. A new report from Dell SecureWorks found Zeus variants accounted for almost half of all banking malware seen in 2013.
In addition to stealing online banking credentials and financial information, criminals are increasingly using such malware to collect other types of data. Security firm Adallom recently found a Zeus variant designed to steal Salesforce.com credentials and scrape business data from the compromised accounts.
Wednesday, January 29, 2014 @ 02:01 PM gHale
An Android bootkit has already hit 350,000 devices from across the globe, researchers said.
The Trojan, called Android.Oldboot.1.origin, is also hard to remove, researchers from Doctor Web said, because one of its components resides in the boot partition of the file system.
A startup script is modified so that, when the device boots, it loads the Trojan and installs the Android.Oldboot components as a regular application. Once installed, the threat connects to a remote server and waits for commands.
“When the mobile phone is turned on, this script loads the code of the Trojan Linux-library imei_chk (Doctor Web Anti-virus detects it as Android.Oldboot.1), which extracts the files libgooglekernel.so (Android.Oldboot.2) and GoogleKernel.apk (Android.Oldboot.1.origin) and places them in /system/lib and /system/app, respectively,” Doctor Web researchers said.
“Thus, part of the Trojan Android.Oldboot is installed as a typical application which further functions as a system service and uses the libgooglekernel.so library to connect to a remote server and receive various commands, most notably, to download, install or remove certain applications,” the researchers said.
Even if the installed application is removed, the Trojan is reinstalled on the next reboot by the component in the boot partition, which ordinary removal does not touch.
Experts believe the malware is being distributed in modified firmware images: users who reflash their phones with such firmware infect them with the Trojan.
Most infections (92 percent) are in China, which appears to be the main target, but infected devices have also been seen in Germany, Spain, Russia, Italy, the U.S., Brazil and other countries, including several in Southeast Asia.
The best way to protect your smartphone against this piece of malware is pretty basic, but needs saying: Avoid installing firmware downloaded from untrusted sources.
Monday, January 27, 2014 @ 02:01 PM gHale
There is now a Windows Trojan out there designed to infect the Android devices connected to the affected computer, researchers said.
When the Trojan, called Trojan.Droidpak, infects a computer, it drops a malicious DLL file and registers it as a system service. It then downloads a configuration file, which it parses to retrieve a malicious Android application package (APK) file, Symantec researchers said in a blog post.
In the next phase of the attack, the Trojan installs the Android Debug Bridge (ADB) tool and uses it to install the malicious APK onto any Android devices connected to the infected computer.
The installation is retried a number of times to make sure it succeeds, but it only works if USB debugging is enabled on the Android device.
Once installed, the Android threat poses as a Google App Store program. The malware, Android.Fakebank.B, is actually a malicious replica of a Korean online banking application.
If the legitimate banking app is detected on the infected device, it is removed and replaced with the fake one. The malware is also capable of intercepting SMS messages and sending them to the attackers.
To avoid falling victim to this new infection vector, Symantec suggests users follow these best practices:
• Turn off USB debugging on your Android device when you are not using it
• Exercise caution when connecting your mobile device to untrustworthy computers
• Install reputable security software
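An added example of the detection side of this chain, not Symantec's code: Python rules run over constructed Sysmon-style process-creation events that flag adb.exe running an install from outside an SDK directory, under a service parent, or in the retry loop described above. The paths, parent processes, APK names and the "three or more attempts" threshold are assumptions.

```python
# Added example: detection logic for the ADB-based infection chain,
# run over constructed process-creation events. Not Symantec's code;
# directories, parents, filenames and thresholds are assumptions.
import ntpath
from collections import Counter

# Directories where a developer's adb.exe is expected to live (assumed).
EXPECTED_ADB_DIRS = (
    r"\android\sdk\platform-tools",
    r"\android-sdk\platform-tools",
)
# Parents that indicate adb was spawned by a service rather than a person.
SERVICE_PARENTS = {"services.exe", "svchost.exe"}


def is_adb_install(event):
    """True for an adb.exe process whose command line runs 'install'."""
    image = ntpath.basename(event["image"]).lower()
    cmd = event["cmdline"].lower()
    return image == "adb.exe" and " install" in cmd


def flag_reasons(event):
    """Return why this event is suspicious (empty list if it looks benign)."""
    reasons = []
    if not is_adb_install(event):
        return reasons
    image_dir = ntpath.dirname(event["image"]).lower()
    if not any(image_dir.endswith(d) for d in EXPECTED_ADB_DIRS):
        reasons.append("adb.exe outside an SDK directory: %s" % event["image"])
    if ntpath.basename(event["parent"]).lower() in SERVICE_PARENTS:
        reasons.append("adb.exe spawned by a service (%s)" % event["parent"])
    return reasons


def detect(events, repeat_threshold=3):
    """Flag events per the rules above, plus any adb.exe image that repeats
    'adb install' at least repeat_threshold times (the retry loop)."""
    installs = Counter(e["image"].lower() for e in events if is_adb_install(e))
    flagged = []
    for e in events:
        reasons = flag_reasons(e)
        count = installs[e["image"].lower()]
        if is_adb_install(e) and count >= repeat_threshold:
            reasons.append("repeated adb install (%d attempts)" % count)
        if reasons:
            flagged.append((e["id"], reasons))
    return flagged


# Constructed events: one developer install, three retried installs from a
# service-dropped adb.exe in Temp, and one harmless 'adb devices'.
EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\dev\AppData\Local\Android\Sdk\platform-tools\adb.exe",
     "cmdline": "adb.exe install -r app-debug.apk"},
    {"id": 2, "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\Temp\adb.exe",
     "cmdline": r"adb.exe install C:\Windows\Temp\update.apk"},
    {"id": 3, "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\Temp\adb.exe",
     "cmdline": r"adb.exe install C:\Windows\Temp\update.apk"},
    {"id": 4, "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\Temp\adb.exe",
     "cmdline": r"adb.exe install C:\Windows\Temp\update.apk"},
    {"id": 5, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\Temp\adb.exe",
     "cmdline": "adb.exe devices"},
]

if __name__ == "__main__":
    for event_id, reasons in detect(EVENTS):
        print("event", event_id)
        for r in reasons:
            print("   ", r)
```

The developer's install from the SDK directory under explorer.exe is left alone; the three installs spawned by a service from Temp are each flagged on all three rules. On a real endpoint the same logic applies to Sysmon Event ID 1 or Windows 4688 records once they are mapped into the image/parent/cmdline shape used here.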
Wednesday, December 18, 2013 @ 01:12 PM gHale
The Tor anonymity network is getting a malicious workout these days: another new piece of malware is using it to host its command-and-control infrastructure.
Tor support is being integrated into more pieces of malware, including ZeuS and the Atrax crimeware kit, said researchers at Kaspersky Lab.
The threat, which Kaspersky calls “ChewBacca,” is not currently offered on public underground forums. Researchers said the malware is either still in development or is being sold privately.
The Trojan is written in Free Pascal 2.7.1 and distributed as a 5 MB PE32 executable that bundles Tor 0.2.3.25.
When executed, ChewBacca (Trojan.Win32.Fsysna.fej) drops an executable in the operating system’s “Startup” folder and obtains the victim’s IP address via the ekiga.net/ip service. It then drops tor.exe into the “Temp” folder and runs it.
The malware then logs keystrokes to a file called “system.log,” which is later uploaded to a remote server.
ChewBacca also includes a function that lets its operators uninstall it.
The command and control (C&C) server is a LAMP installation running CentOS Linux, Apache 2.2.15, PHP 5.3.3 and MySQL. When the web interface is opened over Tor, it presents a login prompt.
The background image of the login screen shows ChewBacca of the “A Game of Clones” series.
The server hosts a couple of PHP scripts. One, sendlog.php, receives the uploaded keystroke log. The second, recvdata.php, receives data the malware obtains by enumerating all running processes and reading their memory.
While Tor offers cybercriminals a lot of advantages, it also has drawbacks. The most glaring is speed. Heavy botnet traffic can also affect the whole Tor network and, as happened with the Mevade malware, attract the attention of security researchers.
Thursday, November 21, 2013 @ 04:11 PM gHale
Researchers counted more than 12,000 victims of the CryptoLocker ransomware in less than a week; the malware has been locking up computers for the past couple of months.
“CryptoLocker servers are changed very often – it is rare that a command-and-control server remains online for more than a week,” according to security technology company Bitdefender Labs. That churn is one reason the malware’s infrastructure is hard for law enforcement to shut down. “However, once it has been reverse engineered, security researchers can pre-register the relevant domains and count connection attempts.”
Bitdefender Labs researchers did just that. Using Domain Name System (DNS) sinkholes, they found 12,016 CryptoLocker-infected hosts attempting to contact the sinkholed domains. The bulk of those connections traced back to Internet Protocol (IP) addresses in the U.S.
“In fact, judging by the distribution of infected hosts and the payment methods available, it would seem that only systems in the U.S. are targeted, with the rest being collateral damage,” said the Bitdefender Labs blog post.
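An added example, not Bitdefender's code, of how sinkhole logs become a victim count: Python that keeps only queries for the sinkholed domains, counts attempts separately from distinct hosts, and dates each host's first contact. The log lines and domain names are constructed, and the distinct-IP figure is a lower bound wherever many hosts sit behind one NAT address.

```python
# Added example (not Bitdefender's code): turn sinkhole hit logs into a
# victim count. Log lines and domain names are constructed; real sinkhole
# logs would carry the domains recovered by reverse engineering the malware.
from collections import defaultdict

SINKHOLED = {"sinkhole-a.example", "sinkhole-b.example"}

# Constructed lines: <timestamp> <client_ip> <queried_domain>
LOG = """\
2013-11-14T09:12:01Z 203.0.113.5 sinkhole-a.example
2013-11-14T09:12:07Z 203.0.113.5 sinkhole-a.example
2013-11-14T10:40:22Z 198.51.100.23 sinkhole-b.example
2013-11-14T11:02:59Z 192.0.2.77 www.example.org
2013-11-15T00:03:14Z 203.0.113.5 sinkhole-b.example
2013-11-15T08:30:00Z 198.51.100.9 sinkhole-a.example
2013-11-16T13:45:10Z 192.0.2.77 sinkhole-b.example
"""


def parse(log):
    """Yield (day, client_ip, domain) for each non-empty line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, domain = line.split()
        yield ts[:10], ip, domain.lower()


def summarize(log, sinkholed=SINKHOLED):
    """Attempts, distinct hosts (a lower bound under NAT), hosts per domain
    and the number of hosts first seen on each day."""
    attempts = 0
    first_seen = {}
    per_domain = defaultdict(set)
    # Sort so that first-seen dates are correct even for an unordered log.
    for day, ip, domain in sorted(parse(log)):
        if domain not in sinkholed:
            continue          # unrelated traffic to the sinkhole box
        attempts += 1
        per_domain[domain].add(ip)
        first_seen.setdefault(ip, day)
    new_per_day = defaultdict(int)
    for day in first_seen.values():
        new_per_day[day] += 1
    return {
        "attempts": attempts,
        "infected_hosts": len(first_seen),
        "hosts_per_domain": {d: len(s) for d, s in per_domain.items()},
        "new_per_day": dict(sorted(new_per_day.items())),
    }

if __name__ == "__main__":
    for key, value in summarize(LOG).items():
        print(key, value)
```

Counting attempts alone overstates the problem (one host here connects three times), while counting distinct addresses understates it behind NAT; publishing both, as Bitdefender did with "hosts" and "connection attempts", is the honest presentation.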
CryptoLocker came on the radar in September as a Trojan spreading through fake emails. Once on a machine, it encrypts files on the user’s computer and on any mapped network drives, then demands a MoneyPak or Bitcoin payment within three days.
Victims who pay the ransom of two Bitcoins receive a key that unlocks their encrypted files. The attackers claim the key is destroyed 72 hours after infection, leaving the files permanently locked, but on Nov. 1 the developers updated CryptoLocker to allow recovery after the deadline at a ransom of 10 Bitcoins.
“Almost all the CryptoLocker command-and-control servers also host a public payment service through which victims can purchase decryption keys,” according to the Bitdefender Labs post.
Thursday, November 14, 2013 @ 12:11 AM gHale
Ever since police arrested the person they believe is responsible for Blackhole, there has been a significant reduction in spam campaigns using the exploit kit, creating a vacuum in the spam-sending world.
However, the Upatre downloader has become one of the preferred replacements for Blackhole, which had been a common tool of cybercrooks since 2010, said researchers at Trend Micro. Upatre is a significant vector for the spread of CryptoLocker.
“We’ve found that the Cutwail botnet responsible for the major Blackhole Exploit Kit spam runs started sending out runs carrying Upatre (which ultimately leads to CryptoLocker) right around October,” Maria Manly, an anti-spam research engineer at Trend Micro said in a blog post. “In fact, we have monitored multiple IPs involved in the transition – [from] sending Blackhole Exploit Kit spam [to] sending CryptoLocker spam.”
“The Cutwail-Upatre-ZeuS-CRILOCK infection chain we spotted on October 21 may be the most common infection chain used to spread CryptoLocker,” she said.
The Cutwail botnet has the capability to send very high numbers of spam messages, a factor that might go a long way toward explaining the sudden recent upsurge in CryptoLocker activity.
CryptoLocker is an aggressive ransomware Trojan. It normally arrives by email as an executable disguised as a PDF file, packed into a zip attachment. If opened, the malware attempts to encrypt the user’s documents on local drives and on any mapped network drives. The encryption relies on a public/private key pair generated on a command-and-control server; only the public key is sent to the infected computer, so the private key needed to decrypt the files never leaves the attackers’ server.
The owner then receives a ransom demand, payable within 72 hours, of around $300 or more.
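An added example, not Sophos’ or Trend Micro’s code, that serves both the Upatre invoice lure in the Gameover post above and the CryptoLocker zip-attachment delivery described here: Python that inspects a zip attachment in memory and flags members with an executable or doubled extension, and members whose content starts with the PE magic “MZ” whatever their name. The archives, filenames and extension lists are constructed.

```python
# Added example (not Sophos' or Trend Micro's code): inspect a zip
# attachment in memory for the lure described above, an executable
# posing as an invoice or PDF. The sample archives are constructed.
import io
import zipfile

# Extension lists are assumptions for illustration, not a complete policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def inspect_attachment(zip_bytes):
    """Return a list of (member_name, reasons) for suspicious members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            parts = name.rsplit("/", 1)[-1].split(".")
            exts = ["." + p for p in parts[1:]]
            reasons = []
            if exts and exts[-1] in EXECUTABLE_EXTS:
                reasons.append("executable extension %s" % exts[-1])
            if (len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS
                    and exts[-1] in EXECUTABLE_EXTS):
                reasons.append("document extension %s hides %s" % (exts[-2], exts[-1]))
            # Content check: a renamed .exe still starts with the MZ header.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":
                reasons.append("PE header (MZ) regardless of name")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_zip(members):
    """Constructed helper: members maps member name to content bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed lures and a benign control. The "MZ" prefix stands in for a
# real PE file; no actual executable is embedded.
LURE = build_zip({"Invoice_HSBC_2014-03.pdf.exe": b"MZ" + b"\x90" * 64})
RENAMED = build_zip({"Invoice.pdf": b"MZ" + b"\x90" * 64})   # exe renamed to .pdf
BENIGN = build_zip({"Invoice.pdf": b"%PDF-1.4\n%constructed"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("renamed", RENAMED), ("benign", BENIGN)):
        print(label, inspect_attachment(blob))
```

The name-based rules catch the classic "invoice.pdf.exe" lure, which Windows shows as "invoice.pdf" when known extensions are hidden; the content check catches the opposite trick, an executable renamed to a document extension that the user would have to rename back. Neither helps against the encrypted .enc download mentioned in the Gameover post, which is exactly why that variant used it.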
The reaction to Blackhole’s removal from play “highlights, somewhat perversely, how resilient cybercrime can be,” Manly said.
Tuesday, November 5, 2013 @ 05:11 PM gHale
A Trojan program that targets online banking accounts also contains code that checks whether infected computers have SAP client applications installed.
The malware was found a few weeks ago by Russian antivirus company Doctor Web, which shared it with researchers from ERPScan, a developer of security monitoring products for SAP systems.
“We’ve analyzed the malware and all it does right now is to check which systems have SAP applications installed,” said Alexander Polyakov, chief technology officer at ERPScan. “However, this might be the beginning for future attacks.”
When malware does this type of reconnaissance to see if a system has a particular software installed, the attackers either plan to sell access to those infected computers to other cybercriminals interested in exploiting that software or they intend to exploit it themselves at a later time, the researcher said.
To Polyakov’s knowledge, this is the first piece of malware targeting SAP client software not created as a proof-of-concept by researchers, but by real cybercriminals.
SAP client applications running on workstations have configuration files that can be easily read and contain the IP addresses of the SAP servers they connect to. Attackers can also hook into the application processes and sniff SAP user passwords, or read them from configuration files and GUI automation scripts, Polyakov said.
There’s a lot that attackers can do with access to SAP servers. Depending on what permissions the stolen credentials have, they can steal customer information and trade secrets or they can steal money from the company by setting up and approving rogue payments or changing the bank account of existing customers to redirect future payments to their account, he added.
There are efforts in some enterprise environments to limit permissions for SAP users based on their duties, but those are big and complex projects. In practice most companies allow their SAP users to do almost everything, Polyakov said.
Even if some stolen user credentials don’t give attackers the access they want, there are default administrative credentials that many companies never change or forget to change on some instances of their development systems that have snapshots of the company data, the researcher said.
With access to SAP client software, attackers could steal sensitive data like financial information, corporate secrets, customer lists or human resources information and sell it to competitors. They could also launch denial-of-service attacks against a company’s SAP servers to disrupt its business operations and cause financial damage, Polyakov said.
SAP customers are usually very large enterprises. There are almost 250,000 companies using SAP products in the world, including over 80 percent of those on the Forbes 500 list, Polyakov said.
If timed correctly, some attacks could even influence the company’s stock and would allow the attackers to profit on the stock market, according to Polyakov.
Dr. Web detects the new malware variant as part of the Trojan.Ibank family, but this is likely a generic alias, he said. “My colleagues said that this is a new modification of a known banking Trojan, but it’s not one of the very popular ones like ZeuS or SpyEye.”
However, malware is not the only threat to SAP customers. ERPScan discovered a critical unauthenticated remote code execution vulnerability in SAProuter, an application that acts as a proxy between internal SAP systems and the Internet.
A patch for this vulnerability was released six months ago, but of the roughly 5,000 SAProuters ERPScan found accessible from the Internet, only 15 percent currently have it, Polyakov said. Access to a company’s SAProuter puts an attacker inside the network, where they can do the same things as with access to an SAP workstation, he said.