WebProNews

Tag: Trojan

  • Java Ransomware Spotted In The Wild

    A Java-based ransomware that targets the software market and education sectors has been spotted in the wild by BlackBerry.

    The BlackBerry Research and Intelligence Team, working with KPMG’s UK Cyber Response Services, recently discovered the ransomware, dubbed “Tycoon.” The ransomware is written in Java and has been in the wild since at least December 2019.

    According to the researchers, “it is deployed in the form of a Trojanized Java Runtime Environment (JRE) and leverages an obscure Java image format to fly under the radar.”

    Once a computer has been infiltrated, the software encrypts files using an AES-256 algorithm. To make matters worse, the ransomware overwrites deleted files in each encryption path, ensuring they cannot be recovered without the decryption key.

    There are two spots of good news, however. First, it does not appear that the ransomware is widespread, leading the researchers to believe “the malware may be highly targeted.”

    Even better, it appears the hackers used the same encryption key repeatedly. As a result, some victims have had success using a decryption key purchased by one of the other victims.

    “Because of the use of asymmetric RSA algorithm to encrypt the securely generated AES keys, the file decryption requires obtaining the attacker’s private RSA key,” the researchers write. “Factoring a 1024-bit RSA key, although theoretically possible, has not been achieved yet and would require extraordinary computational power.

    “However, one of the victims seeking help on the BleepingComputer forum posted a private RSA key presumably coming from a decryptor the victim purchased from the attackers. This key has proven to be successful in decryption of some of the files affected by the earliest version of Tycoon ransomware that added the .redrum extension to the encrypted files.”

    Unfortunately, later versions of the malware use “.grinch” and “.thanos” as the file extensions, and the reused key does not work on those files.
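    The researchers' reasoning above (per-file AES keys wrapped under the attacker's RSA public key, so one leaked private key unlocks every file wrapped with the matching public key but nothing encrypted under a later key pair) is easy to see in a small model. The following is an added example written for this page; it is not Tycoon's code nor BlackBerry's analysis tooling. It uses only the Python standard library, so it substitutes textbook RSA over tiny primes for 1024-bit RSA and a SHA-256 counter-mode keystream for AES-256; the victim names, file contents and the "leaked key" are constructed.

```python
import hashlib
import secrets
from math import gcd

# ---- stand-in primitives (assumptions; not what Tycoon actually uses) ----

def toy_rsa_keypair(p, q, e=17):
    """Textbook RSA over two small primes. Tycoon used 1024-bit RSA with
    proper padding; only the wrapping structure matters for this illustration."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)          # (public key, private key)

def rsa_wrap(pub, key):
    """Wrap a symmetric key byte by byte (every byte m satisfies m < n)."""
    n, e = pub
    return [pow(m, e, n) for m in key]

def rsa_unwrap(priv, wrapped):
    """Inverse of rsa_wrap; a mismatched key yields values that are not bytes."""
    n, d = priv
    vals = [pow(c, d, n) for c in wrapped]
    if any(v > 0xFF for v in vals):
        raise ValueError("private key does not match the wrapping key")
    return bytes(vals)

def stream_xor(key, data):
    """SHA-256 counter-mode keystream XORed over data. Stands in for AES-256
    (the standard library has no AES); symmetric, so one call both encrypts
    and decrypts."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], ks))
    return bytes(out)

# ---- the hybrid scheme the researchers describe ----

def encrypt_file(attacker_pub, plaintext):
    """Fresh random key per file; that key is wrapped under the attacker's RSA
    public key and stored beside the ciphertext. Without the matching private
    key the file key, and therefore the file, cannot be recovered."""
    file_key = secrets.token_bytes(32)
    return {"wrapped_key": rsa_wrap(attacker_pub, file_key),
            "ciphertext": stream_xor(file_key, plaintext)}

def decrypt_file(attacker_priv, blob):
    """Return the plaintext, or None if this private key does not fit the wrap."""
    try:
        file_key = rsa_unwrap(attacker_priv, blob["wrapped_key"])
    except ValueError:
        return None
    return stream_xor(file_key, blob["ciphertext"])

def key_reuse_demo():
    """Models the article: one RSA key pair reused for every .redrum victim,
    a different pair for the later .grinch/.thanos builds, and a private key
    leaked from one .redrum victim's purchased decryptor (all constructed)."""
    redrum_pub, redrum_priv = toy_rsa_keypair(61, 53)     # reused across victims
    grinch_pub, _grinch_priv = toy_rsa_keypair(101, 107)  # later campaign key
    docs = {
        "victim_a": (redrum_pub, b"victim A: quarterly report"),
        "victim_b": (redrum_pub, b"victim B: student records"),
        "victim_c": (grinch_pub, b"victim C: source tree"),
    }
    encrypted = {name: encrypt_file(pub, data) for name, (pub, data) in docs.items()}
    leaked_priv = redrum_priv   # the key victim A posted with the purchased decryptor
    return {name: decrypt_file(leaked_priv, encrypted[name]) == docs[name][1]
            for name in docs}

if __name__ == "__main__":
    print(key_reuse_demo())   # victim_a and victim_b True, victim_c False
```

    The byte-wise textbook RSA wrap is deterministic, which a real scheme avoids with randomized padding; it is used here only so the whole model runs without third-party libraries. The point that survives the simplification is the one in the article: the security of every victim's files rests on the secrecy of a single private key, so reusing that key across victims turns one purchased decryptor into a recovery tool for all of them, while a key rotation (the later extensions) breaks that shortcut.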

  • The Latest Mac Virus Is Hilariously Bad

    Mac users should become increasingly aware of the threat that malware poses to their machines. Hackers and malicious coders are getting better every day at breaking into the once-thought-unbreakable Mac. The Flashback trojan was a sign that Macs are no longer safe from the threat of malware. The latest Mac virus to hit the streets isn’t one of those threats.

    The latest report of Mac malware comes to us from Sophos Security. The malware in question is called NetWeird and it’s definitely interesting. As Sophos points out, the virus is poorly written and really has next to no chance of infecting you. Funnily enough, hackers are selling this new virus on the black market for $60.

    What does this poor excuse of Mac malware do? It installs itself into the Mac home directory, but it can’t even get that right. The best kind of viruses install themselves as an application so that it’s always running whenever you reboot your Mac. This particular virus installs itself as a folder, thus making it pretty much useless.

    The team at Sophos also reports that the malware reports back to a server in the Netherlands. If it does infect your Mac, it will be able to run programs and send information all from this remote server. The worst it can do is send password files from third-party browsers to the host server. Any would-be criminal who bought this piece of trash for $60 should be asking for their money back.

    Even better, Mountain Lion’s default security settings prevent this particular piece of malware from even being installed. The latest version of Mac OS X will prevent any software not from the app store or a verified developer from being installed.

    Although NetWeird is a poor excuse of a virus, it should be taken as a sign. Hackers are turning their attention towards Mac owners. It won’t be long before a much better coder will make some form of malware that will be able to bypass all the security on Mountain Lion and do more damage than previously thought.

    It’s always good to remember the basics of dealing with computer security. One should only download apps from trusted sources. Never install anything that sounds too good to be true, because it likely is. Finally, just use some common sense when dealing with potentially suspicious files.

  • Malware Is Just Insulting These Days

    Malware has always been pretty nasty, but at least it was polite about it. It would pose as a nice email from an old friend or perhaps a bank statement from your friendly neighborhood credit union. It seems that malware has stopped being Mr. Nice Virus and has taken up the mantle of just being a jerk.

    According to Naked Security, there’s a particularly nasty piece of malware floating around to inboxes around the world with the subject line “You pig!” That’s the first tip that this malware is not here to make friends. It immediately insults you by saying you resemble a farm animal. Unfortunately, it gets worse.

    If you open the email to find out why somebody has resorted to petty insults against your good name, you will find the following message, “You should stop ignoring me or i will send this photos to your spouse!!!” Not only does this malware insult you, but it threatens to blackmail you while violating the rules of good grammar. The nerve of some malware, I’m telling you.

    The tip off that this is indeed malware and not some long lost scorned lover is that the attached file is a .zip file. Nobody uploads a photo into a .zip file to send over email unless they’re new to this Internet thing or they’re my grandmother. I don’t think my grandmother would have incriminating photos of you, so we’re going to have to go with the new guy on the block scenario.

    That theory falls flat on its face as well because the email comes from a multitude of places including LinkedIn, UPS and Hotmail. Look, I don’t care how new you are to the Internet, you don’t have a Hotmail and LinkedIn account while working at UPS. These kinds of combinations just don’t happen in nature.

    So now that we’ve figured out that this particular message is a form of malware – how do you stop it? It turns out that it’s actually two trojans in one. The file inside the .zip folder is a trojan while the actual .zip folder is in itself a trojan as well. Thankfully, both of them can be easily detected with the latest malware updates from your security provider of choice.

    Remember, malware is everywhere and it takes on many forms. Be forever vigilant and don’t trust an email just because it says it has scandalous photos. In fact, trust it less if the malware doesn’t at least offer you something good in return for infecting your PC.

  • Diablo III Trojan Pulls Off Impressive Movie-Inspired Hack

    Hollywood gets a lot of things wrong when it comes to technology. One of the most persistent errors that we see is the hacker character. They’re always portrayed as some kid who can perform all manner of technological magic that is just too good to be true. It turns out that one hacker in China just moved from the silver screen to reality.

    Hynek Blinka, on the AVG blog, detailed his recent run-in with a Chinese hacker as he was investigating a Diablo III key logger. It’s common practice to intentionally infect your machine with a virus so that you can take it apart and find out how it works. It was pretty standard procedure until a dialog window opened up.

    According to Blinka, the person who had constructed the Trojan was talking to him through a backdoor in the malware. The first thing the hacker says, “What are you doing? Why are you researching my Trojan?” If your mind isn’t blown by that, I don’t know what it will take to impress you.

    Blinka continues on with the hacker pretending to be interested in purchasing Trojans from him. The hacker knows that Blinka is debugging his Trojan and even knows that Blinka doesn’t currently have a webcam plugged into his machine. If he had, the hacker would have been able to take remote control of the camera and get a good view of what was on the other side.

    Funnily enough, it turns out that the Diablo III key logger wasn’t a key logger at all. It was actually more interesting, as it was hoping to steal usernames and passwords of those who are still on dial-up connections. It seems almost a waste to have a virus this advanced and use it only to find passwords to outdated technology.

    Besides the impressive use of technology here, it’s important to note that this virus is still out there. It’s been spotted on the battle.net forums in China with users linking to an executable disguised as a video guide. It could very well migrate to the forums here in the U.S. so be on your guard. Blizzard may say that there have not been many cases of account theft, but it is still happening.

    By the way, if you happen to stumble across this talkative hacker, send him my way. I would love to conduct an interview within a virus. I’d be willing to infect my worthless laptop for the chance.

  • New Zeus Trojan Targets Facebook And Email

    Viruses are pretty funny. You turn your back one moment and the next, they’re stealing your credit card out of your digital wallet. OK, that’s not really funny, but it would be if the virus was wearing a top hat and monocle.

    Disregarding parodies of Victorian England fashion, it gets pretty serious when a new one is found in the wild. Trusteer has found a new P2P variant of the Zeus trojan going after the easily tricked on Facebook with fake offers for free money.

    The current attack via Facebook has the malware present the user with a legitimate looking page to enter your credit/debit card details in return for 20 percent cash back on all Facebook points you buy. It looks like the malware only accepts Visa and Mastercard though so I guess even botnet operators can be picky when it comes to credit card issuers.

    [Image: New Zeus Trojan Targets Facebook and Email]

    The new Zeus trojan isn’t just going after Facebook either. The malware is going back to an old standby – email. There’s a new scam floating around going after Gmail, Hotmail and Yahoo Mail users that plays on a person’s desire for more security.

    The scam offers to sign them up for a 3D Secure service that’s offered by Visa and Mastercard just by entering their credit card information into a form. Trusteer points out that you can only sign up for 3D Secure at the bank that issued your card. That information was probably in the fine print though and the tellers never actually tell you anything, so you can’t blame people for not knowing.

    This scam is a little more advanced than just a simple email trick though. It plays upon more trusted brands like Google and Yahoo by saying that they can link their 3D Secure account up with their Google or Yahoo Checkout account to prevent fraud. If you’ve been keeping up, Google Checkout is now called Google Wallet so that should be your first red flag. Also, I’m pretty sure banks aren’t too keen on partnering with Google and Yahoo to offer services through them.

    As Trusteer points out, these latest scams look pretty legit and come from well-respected brands. We also can’t forget the fact that people are usually really gullible on the Internet. If they can fall for a simple Photoshop job that is obviously fake, their chances of falling for a legitimate-looking scam are pretty high.

    Like with all malware threats, be observant. Look at the URL of the page and all the text. Even if these scams look legitimate, there are always some obvious signs that they are fake. Use common sense when dealing with something that looks too good to be true, because it often is.

  • Another, Different Apple Trojan Discovered

    Hot on the heels of the news about the Flashback botnet that infected around 600,000 Macs, security analysts have confirmed the existence of another Trojan that is compromising Apple products. This one, dubbed Backdoor.OSX.SabPub.a, infects Mac OS X computers and opens a backdoor to a remote connection. Using the connection, screenshots can be taken and commands can be executed on the computer.

    Costin Raiu of Kaspersky Lab wrote about how the trojan was confirmed:

    For the past two days, we have been monitoring a “fake” infected system – which is a typical procedure we do for APT bots. We were extremely surprised when during the weekend, the APT controllers took over our “goat” infected machine and started exploring it.

    Raiu found evidence that the SabPub infection has been active for over a month. One interesting thing about the infection is the way it spreads. It rides along on Microsoft Word documents, exploiting a known stack-based buffer overflow vulnerability. From Raiu’s analysis:

    One of the biggest mysteries is the infection vector of these attacks. Given the highly targeted nature of the attack, there are very few traces. Nevertheless, we found an important detail which is the missing link: Six Microsoft Word documents, which we detect as Exploit.MSWord.CVE-2009-0563.a. In total we have six relevant Word .docs with this verdict — with four dropping the MaControl bot. The remaining two drop SabPub.

    Oddly, one of the documents that spreads the infection is named “10th March Statemnet” [sic], a reference to the Dalai Lama’s statement over a year ago commemorating the Tibetan People’s National Uprising Day. It seems odd that the person or persons implementing this attack have a strong “free Tibet” political stance, but I suppose it’s possible. It was reported last month that political activists for Tibet were targeting Macs with malware attacks. What do you think? Let me know in the comments below.

  • New Variant of Flashback Malware Exploits Unpatched Java Vulnerability in Macs

    A new variant of the Flashback trojan has appeared, exploiting a Java vulnerability found in Macs. Cyber security firm F-Secure announced this discovery via its blog today.

    Flashback is a trojan that was originally distributed in the guise of erotic images or politically offensive material. It was later updated to be distributed in a fake installer application for the Adobe Flash Player plug-in. The malware works by downloading its payload from remote sites and creating a backdoor in users’ browsers through which the users’ information is transmitted to remote servers. Previous versions of the malware targeted older Java vulnerabilities (CVE-2011-3544 and CVE-2008-5353, according to F-Secure) which were repaired in updated versions of Java.

    But the most recent variant of Flashback, called Flashback.K, exploits a newly discovered vulnerability (CVE-2012-0507) and is capable of “infecting systems without user interaction” [F-Secure]. Originally this variant of Flashback targeted both Mac and Windows systems, but a patch released by Oracle in February as part of a Windows Java update has rendered up-to-date Windows machines safe from the attack. Apple has yet to release the update for OS X.

    F-Secure also warns of yet another available Java exploit that is currently on sale in the computer underworld.

    At least until Apple releases a patch for the newly targeted vulnerability, F-Secure urges users to disable the Java client on their Macs. As a rule, the company recommends that users keep Java disabled in their browsers, enabling it only when necessary and with caution, and then disabling it again immediately when it is no longer needed.

    The company also provides instructions on detecting and removing Flashback from your Mac.

    [F-Secure, Photo Source: ThinkStock]

  • The Evolution Of The Computer Virus

    The computer virus, or just malware in general, is unique among computer programs because it evolves just like a real virus. It can change and mutate into stronger viruses that can cripple your computer and make you spend hundreds of dollars on malware software that may not even do anything.

    All the computer virus carnage had to start somewhere, but where? The good people at TrendLabs have tossed up a little infographic that seeks to give us a look into how the computer virus has evolved over the years. The origin may surprise you since the first computer virus was made in 1986, created by two Pakistani brothers. It was called Brain and it was a file infector. The next two viruses, Michelangelo (1992) and Melissa (1999), attacked hard drives and servers.

    Once we got into the 2000s, that’s when the virus infection went global and began causing the mass damage that we see today. This era saw the introduction of the Worm virus that could be sent via email. Then things got really nasty with the introduction of Trojans. Viruses prior to this were made, as the infographic points out, for fame and notoriety. People were just doing it for the attention. Trojans were made for an entirely different reason – to steal your information.

    If you thought that it couldn’t get any worse, enter the current era of malware attacks over social networks. Facebook and Twitter users are targeted with fake ads and applications that hijack their account and steal their personal information. Facebook and Twitter are actively waging a war against such attacks, but it’s going to keep happening until virus makers find a new target. The best way to protect yourself is to remain vigilant and not click on that Facebook link that asks you to install an application just to view a picture.

    Check out the full infographic below. It’s absolutely mind blowing that the computer virus has come so far and they will grow even more complex and terrifying. We’re already seeing viruses fusing with worms to become a super virus.

    [Infographic: The Evolution Of The Computer Virus]

  • Anonymous Tricked Into Downloading Trojan

    Anonymous may be most known for their DDoS attacks on company and government Web sites. It turns out, however, that those DDoS attacks may not have been all that safe for the Anon members participating.

    The Symantec blog recently detailed how Anonymous members were tricked into downloading a Trojan-infected version of Anonymous’ DDoS tool, the Low Orbit Ion Cannon. The Zeus bot that users downloaded steals their online banking and email credentials along with their cookies.

    The infection deception apparently began on the day MegaUpload was taken down by the authorities. This is when Anonymous jumped into action and began #OpMegaUpload. There were reports then that users were tricked into launching DDoS attacks against their will.

    The Trojan was a bit different, however, in that somebody switched out a link in a guide for DDoS attacks on PasteBin. The first link was to Mediafire, but a second post on the day of #OpMegaUpload led to a multiupload file that featured a larger client that contained the virus.

    [Image: Anonymous Downloading Trojan]

    It began to spread from there with another user guide to DDoS attacks including a link to the Trojan-infected version of the DDoS tool Slowloris.

    What followed was a social media spread that saw 470 tweets all linking to the infected tool. There were probably many more people sharing the two guides containing the infected tool beyond just what was seen on Twitter.

    When Anonymous members downloaded the Slowloris tool, they became infected with the Zeus botnet Trojan. The virus sticks to its profession as a Trojan by pretending to be the Slowloris tool. While it does perform the DDoS attack as expected, it also, as explained above, sends the users’ banking credentials to the operator of the botnet.

    Symantec, while reiterating that DDoS attacks are illegal, says they aren’t the only threat anymore.

    The joining of malicious financial and identity fraud malware, Anonymous hacktivism objectives, and Anonymous supporter deception is a dangerous development for the online world.

    Anonymous is now aware of the trojan and is urging its members to exercise caution.

    http://t.co/hT56i69o | #Anonymous supporters tricked into installing Zeus trojan | This MUSTN’T happen. Be careful what you post & click on! (9 hours ago via LulzTweeter)

  • Dept. of Homeland Security Is Watching You Twitter & Tweet

    If you have a Twitter account, you may have “people” that follow you with what are suspiciously fake accounts. The tell-tale signs are standard: thousands of followers with barely any (if even one) tweets, tweets that contain lots of links and mentions without any real content, an empty profile or very generic (or porn-y) information in the profile. Most likely, they’re bots, automated accounts run by computers that generate comments and follow people – it’s like the spam of the Twitterscape. Here’s an example of someone that followed me recently that I suspect is most likely not a real person:

    You don’t have to scrutinize Ms. Maribel’s information too hard to gather that there is something fishy about this account. I’d wager that those nearly 100 followers of hers are probably also bots and they probably non-Tweet about botty things. These things are everywhere on Twitter. In all seriousness, I don’t think I’ve been followed by a real person on Twitter in months. And although Facebook certainly has its share of phony accounts, Twitter seems to be the more polluted of the two.

    HOWEVER. It turns out that these might not be meaningless bots after all thanks to a new operation from the United States Department of Homeland Security. According to a new report in The Daily Mail, the DHS uses fake Twitter and Facebook accounts to monitor and track people who happen to use “sensitive” words. What kind of sensitive words? Words that despite sounding villainous are actually fairly generic. “The DHS outlined plans to scan blogs, Twitter and Facebook for words such as ‘illegal immigrant’, ‘outbreak’, ‘drill’, ‘strain’, ‘virus’, ‘recovery’, ‘deaths’, ‘collapse’, ‘human to animal’ and ‘trojan’, according to an ‘impact assessment’ document filed by the agency.” If the DHS catches someone using any of these words and suspects you might be up to no good, it could mean that “spies from the government read your posts, investigate your account, and attempt to identify you from it, according to an online privacy group.” Spies! Human to animal virus death recovery! Okay, DHS, you guys are obviously new to The Internet because just about every one of those keywords of yours could also be easily used in the context of sex and if you were familiar at all with this thing called The Internet you’d realize that 98% of it is porn-related. (P.S. – in case you didn’t know, porn includes sex.)

    Not a group to let this trespass on our blessed privacy go unanswered, everyone on Twitter responded appropriately:

    Drill illegal immigrants infection strain outbreak virus recovery deaths collapse human to animal Trojan. Bring it on, bitches. #DHS #spies (13 hours ago via web)

    Dept. of Homeland Security could be watching Facebook & Twitter 4 danger words like ‘virus’, ‘illegal immigrant’ & drill. (1 hour ago via HootSuite)

    I’m pretty sure we’re on watch lists anyway, but apparently “drill” is also a word DHS searches on social media… http://t.co/VNfEEVIu (33 minutes ago via Facebook)

    Me 1st! illegal immigrant, outbreak, drill, strain, virus, recovery, deaths, collapse, human to animal and trojan http://t.co/rhqsrzeg (18 minutes ago via Digsby)

    Human to animal. Infection. Collapse. Outbreak. Illegal immigrants. Please RT! (1 hour ago via TweetDeck)

    So if the keyword surveillance wasn’t already muddled with sexy search results, the noble crusaders of Twitter have undoubtedly thrown a couple more monkey wrenches into the Big Brothery gears of the DHS. At least I hope they have, because if not, the combination of my searches on Twitter for their keywords and my use of all of those words in this article will probably be enough for the feds to punch my ticket to Gitmo later today.

  • PETA Supporters Modify Dog Fighting App To Embarrass Its Users

    Animal rights activists are using a highly controversial Android app to get out their message.

    Apparently, opponents of the “Dog Wars” app have modified an older version of the app to include a specific trojan code. The malware, which Symantec is identifying as “Android.Dogowar,” is only planted in Beta version 0.981. That older version hasn’t been found on the official Android Market but has been found on various warez sites.

    Dog Wars has received a lot of criticism since developer Kage Games put it on the market earlier this year. The app, which allows you to “raise your dog to beat the best,” was not pulled by Google despite numerous petitions asking the company to do so.

    According to Symantec, here’s how the modified app looks:

    Agreement by the user to grant the permissions requested by the app (which will include SMS permission) will allow for the app to be installed. Upon installation, the display icon of the legitimate app looks almost identical to that of the app that has been bundled with the Trojan (on devices with a screen size of 3 – 3.5 inches). In fact, they looked so similar, we almost failed to spot this one difference several times; but closer inspection into the icon of the app containing the Trojan revealed that it actually says ‘PETA’ rather than ‘BETA’ in the app icon.

    Internally the Trojan code has been injected as a package called ‘Dogbite’. Once a compromised device starts up, a service called ‘Rabies’ is initiated in the background, which carries out the core functionality of the app.

    What is the core functionality of the modified app? First, it sends a text message to everyone on the user’s contact list that reads “I take pleasure in hurting small animals, just thought you should know that.” Then, it sends a text message to “73822,” which signs the user up for a PETA text-alert service.

    A PETA rep told CNET that “We don’t know who created this version of the app, but we think it is ingenious. When someone creates a game that glorifies animal abuse, you can bet that people will come up with clever, smart ways to take action against it.”

    PETA is known for creative campaigns to promote their message. We told you yesterday about their plans to run a pornography site to bring attention to animal cruelty on the new .xxx domain.

    The makers, Kage Games, have said in the past that they are “in fact animal lovers ourselves”:

    This is our groundbreaking way to raise money/awareness to aid REAL dogs in need, execute freedom of expression, and serve as a demonstration to the competing platform that will not allow us as developers to release software without prejudgment

    I guess there is always the Grand Theft Auto argument as well – I fight dogs in a video game so I don’t do it in real life, like I take out my aggression by killing hookers in GTA so I don’t do it in real life.

    All kidding aside, what do you think about the app itself? Should it have been removed? What do you think about this malware attack by the activists – clever or childish? Let us know in the comments.