Under the Hood: Banking Malware

After 48 hours (and two all-nighters in a row) I logged onto the (now really REALLY) infected computer, complete with shiny new malware updates. I surfed to Bank of America’s web page, and found what I was looking for – a Man-In-The-Browser attack in action!

via Under the Hood: Banking Malware » LMG Security Blog.

We cover malware network forensics, web proxies and flow analysis during Days 3-4 of the Network Forensics class. We’ll be teaching next at Black Hat USA, July 27-30. Seats are limited, so sign up soon!

New Skype malware spreading at 2,000 clicks per hour makes money by using victims’ machines to mine Bitcoins

To avoid this threat and others like it, don’t click on random links you receive on Skype. You’ll be doing yourself a favor, helping stop the spread of malware, and ensuring criminals get a smaller pay day.

via New Skype malware spreading at 2,000 clicks per hour makes money by using victims’ machines to mine Bitcoins – The Next Web.

At least it’s just bitcoin mining and not stealing credentials. This is why I always have three performance monitors on my dashboard: CPU usage, bandwidth, and memory. With this piece of malware you would immediately see a problem because the CPU monitor shouldn’t be full of color. Then simply take the PC offline and do some investigation or bring it to someone. On Windows machines there’s Perfmon to look at these performance monitors. Just like a car has its fuel and temperature gauges, computer users would be far more secure getting used to performance monitor gauges. I often wonder why distributors don’t display these somewhere as a default option much like they have for the clock.
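The "full CPU gauge" observation above can be turned into a simple detection rule: a miner pins the processor for as long as it runs, whereas a build or a video decode is a short spike. The following is an added example, not code from the original post or from the article it links to. The samples are constructed stand-ins for Perfmon counter readings, and the thresholds and the "cpu-bound" label are assumptions chosen for illustration; on a real Windows host the same function would be fed the `% Processor Time`, network bytes/sec and memory counters exported from Perfmon.

```python
"""Flag sustained CPU saturation in a stream of performance samples.

Added example; the readings below are constructed, not real Perfmon output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    t: int            # seconds since start of capture
    cpu_pct: float    # % Processor Time across all cores
    net_kbps: float   # network throughput in KB/s
    mem_pct: float    # % of physical memory in use


def constructed_samples():
    """Constructed 10-minute capture, one reading every 30 s: idle machine,
    one short spike at t=150, then something pinning the CPU from t=300 on
    while moving almost no network traffic (the miner-like pattern)."""
    out = []
    for t in range(0, 601, 30):
        cpu, net = 5.0, 20.0
        if t == 150:
            cpu = 95.0
        if t >= 300:
            cpu, net = 97.0, 2.0
        out.append(Sample(t, cpu, net, 45.0))
    return out


def find_sustained_load(samples, cpu_threshold=90.0, min_seconds=120):
    """Return (start_t, end_t) spans where cpu_pct stayed at or above
    cpu_threshold for at least min_seconds. Short spikes are ignored;
    a flat line at the top of the gauge is reported."""
    spans = []
    start = last = None
    for s in samples:
        if s.cpu_pct >= cpu_threshold:
            if start is None:
                start = s.t
            last = s.t
        elif start is not None:
            if last - start >= min_seconds:
                spans.append((start, last))
            start = None
    if start is not None and last - start >= min_seconds:
        spans.append((start, last))
    return spans


def classify_spans(samples, net_kbps_threshold=50.0, **kw):
    """Label each sustained-CPU span by the network activity during it.
    Heavy CPU with little traffic is what a miner looks like; heavy CPU with
    heavy traffic is more likely a download, backup or indexing job and is
    left for a human to judge. Thresholds are assumptions, not measured values."""
    results = []
    for start, end in find_sustained_load(samples, **kw):
        window = [s for s in samples if start <= s.t <= end]
        mean_net = sum(s.net_kbps for s in window) / len(window)
        label = "cpu-bound" if mean_net < net_kbps_threshold else "cpu-and-network"
        results.append({"start": start, "end": end,
                        "mean_net_kbps": round(mean_net, 1), "label": label})
    return results


if __name__ == "__main__":
    for hit in classify_spans(constructed_samples()):
        print(f"{hit['label']}: t={hit['start']}..{hit['end']}s, "
              f"mean net {hit['mean_net_kbps']} KB/s")
```

The single 95% reading at t=150 is dropped because it never reaches the two-minute minimum, while the run from t=300 to t=600 is reported as cpu-bound, which is the "take it offline and investigate" case the post describes.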

Department Of Labor Attack Points To Industry Weaknesses

“This is basically the same pattern that a lot of advanced malware is taking today,” says Srinivas Kumar, CTO of TaaSERA. By taking a multi-stage approach and going after server-side vulnerabilities at legitimate sites, the attackers can be assured that unsuspecting visitors to the site are more likely to trust links redirecting to malware-laden sites, he says.

via Department Of Labor Attack Points To Industry Weaknesses — Dark-Reading

Apparently the Department of Labor’s site was hosting links to malware. Usually users get hacked by sites hosting compromised advertisements.

Time To Dump Antivirus As Endpoint Protection?

1. Abandon antivirus
Businesses could remove host-based security from their desktops and trust that their perimeter will keep out the malware.

via Time To Dump Antivirus As Endpoint Protection? — Dark Reading.

There are some other useful tips in this article as well. I like the above quoted idea because AV software can be a pretty heavy load on an endpoint requiring constant maintenance and upgrade. These upgrade cycles in and of themselves pose a security hazard. The more complex a system becomes, the more that can go wrong.

Google Uses Reputation To Detect Malicious Downloads

Unlike Microsoft’s solution, CAMP attempts to detect locally whether any downloaded file is malicious, before passing characteristics of the file to its server-based analysis system. First, the system checks the binary against a blacklist–in this case, Google’s Safe Browsing API. If that check returns no positive result and, if the file has the potential to be malicious, CAMP will check a whitelist to see if the binary is a known good file.

via Google Uses Reputation To Detect Malicious Downloads – Dark Reading.

CAMP’s 99-percent success rate trounced four antivirus products, which individually only detected at most 25 percent of the malicious files and collectively detected about 40 percent, the researchers stated.
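The decision flow the article attributes to CAMP (blacklist first, then a cheap "could this even be malicious" filter, then a whitelist, and only then a call-out to server-side analysis with the file's characteristics rather than the file itself) is worth seeing as code. The following is an added example, not Google's code; the sample files, the hash lists and the executable heuristic are all constructed for illustration, where a real client would query the Safe Browsing API and signed publisher data.

```python
"""Client-side download reputation check in the order the article describes.

Added example; the files and reputation lists below are constructed.
"""
import hashlib
import os

# Constructed stand-ins for downloaded files. "MZ" is the DOS/PE magic that
# marks a Windows executable; the rest is filler, not real program code.
SAMPLE_FILES = {
    "setup.exe": b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"constructed: known bad",
    "installer.exe": b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"constructed: known good",
    "update.exe": b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"constructed: never seen",
    "notes.txt": b"just some text",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Reputation data keyed by content hash (constructed; a real client would
# consult the Safe Browsing blacklist and a publisher/hash whitelist).
BLACKLIST = {sha256(SAMPLE_FILES["setup.exe"])}
WHITELIST = {sha256(SAMPLE_FILES["installer.exe"])}

EXECUTABLE_EXTS = {".exe", ".msi", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".jar"}


def potentially_malicious(name: str, data: bytes) -> bool:
    """Cheap local filter: treat anything that can execute as worth a lookup.
    Checks both the extension and the PE magic so a renamed .exe is not missed."""
    ext = os.path.splitext(name)[1].lower()
    return ext in EXECUTABLE_EXTS or data[:2] == b"MZ"


def classify_download(name: str, data: bytes, source_host: str) -> dict:
    """Return a verdict dict following the blacklist -> filter -> whitelist ->
    server order. Only hashes and metadata ever leave the client."""
    digest = sha256(data)
    if digest in BLACKLIST:
        return {"verdict": "block", "reason": "blacklist", "sha256": digest}
    if not potentially_malicious(name, data):
        return {"verdict": "allow", "reason": "not executable", "sha256": digest}
    if digest in WHITELIST:
        return {"verdict": "allow", "reason": "whitelist", "sha256": digest}
    # Unknown executable: defer to server-side analysis, sending characteristics
    # (hash, size, origin) rather than the file contents.
    return {"verdict": "defer", "reason": "server analysis", "sha256": digest,
            "size": len(data), "source_host": source_host}


if __name__ == "__main__":
    for fname, blob in SAMPLE_FILES.items():
        v = classify_download(fname, blob, "downloads.example.invalid")
        print(f"{fname:15} -> {v['verdict']:5} ({v['reason']})")
```

The ordering matters for both cost and privacy: the blacklist and the executable filter run entirely on the client, so a text file never triggers a network request, and an unknown executable is described to the server by hash and size rather than uploaded.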

Android Trojan Found in Targeted Attack

After the installation, an application named “Conference” appears on the desktop

via Android Trojan Found in Targeted Attack – Securelist.

Some sort of malware for Android is in the wild. Theoretically any app one loads on any computer can be malicious. This was spread via email, but the next line highlights something:

If the victim launches this app, he will see text which “enlightens” the information about the upcoming event:

Note the highlighted text. If you don’t want to become a victim, don’t launch applications unless you know why they are there. Here is the extent of the damage this piece of malware does:

While the victim reads this fake message, the malware secretly reports the infection to a command-and-control server. After that, it begins to harvest information stored on the device. The stolen data includes:

  • Contacts (stored both on the phone and the SIM card).
  • Call logs.
  • SMS messages.
  • Geo-location.
  • Phone data (phone number, OS version, phone model, SDK version).

A lot of legitimate applications transmit this information back to home base. I don’t see this piece of malware being that big of a deal. Rule of thumb: Don’t install any .apk files from untrusted sources — like random emails. If you do happen to install a malicious application, don’t open any app unless you know what it is and why it is there.
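Each item in the stolen-data list above maps onto an Android permission the app must request in its manifest, so one way to vet a sideloaded .apk before launching it is to read its AndroidManifest.xml and see which of those categories it asks for alongside network access. The following is an added example, not code from Securelist or from the original post. The manifest is a constructed stand-in (the package name and the permission set are assumptions); an APK stores its manifest in binary form, so in practice it is decoded first, for instance with the Android SDK's aapt tool, and the decoded XML is what this function reads.

```python
"""Audit an APK manifest for the data categories listed in the write-up.

Added example; the manifest below is constructed, not from the real sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission -> category of device data from the write-up's stolen-data list.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.ACCESS_FINE_LOCATION": "geo-location",
    "android.permission.ACCESS_COARSE_LOCATION": "geo-location",
    "android.permission.READ_PHONE_STATE": "phone data",
}

# Constructed manifest resembling an app labelled "Conference"; the package
# name is a placeholder.
CONSTRUCTED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.conference">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Conference"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list:
    """Return every android:name on a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]


def audit(manifest_xml: str) -> dict:
    """Summarise which sensitive data categories the app can read and whether
    it also has the network permission needed to send them anywhere."""
    perms = requested_permissions(manifest_xml)
    categories = sorted({SENSITIVE[p] for p in perms if p in SENSITIVE})
    has_network = "android.permission.INTERNET" in perms
    return {
        "permissions": perms,
        "categories": categories,
        # Reading data and having a network path is the combination that
        # makes the harvesting described above possible.
        "exfil_capable": has_network and bool(categories),
    }


if __name__ == "__main__":
    report = audit(CONSTRUCTED_MANIFEST)
    print("can read:", ", ".join(report["categories"]))
    print("network + sensitive data:", report["exfil_capable"])
```

As the post notes, plenty of legitimate apps request the same permissions, so a hit here is a reason to ask why a "conference" app needs your call log, not proof of malice on its own.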

Meet the men who spy on women through their webcams

And if even this handholding isn’t enough, more successful ratters sometimes rent out slaves they have already infected. In other cases, they simply hand them off to others in a “Free Girl Slave Giveaway.”

Calling most of these guys “hackers” does a real disservice to hackers everywhere; only minimal technical skill is now required to deploy a RAT and acquire slaves.

via Meet the men who spy on women through their webcams | Ars Technica.

Security Firm Bit9 Hacked, Used to Spread Malware

An hour after being contacted by KrebsOnSecurity, Bit9 published a blog post acknowledging a break-in. The company said attackers managed to compromise some of Bit9’s systems that were not protected by the company’s own software. Once inside, the firm said, attackers were able to steal Bit9’s secret code-signing certificates.

via Security Firm Bit9 Hacked, Used to Spread Malware — Krebs on Security.

Sony Rootkit Redux: Canadian Business Groups Lobby For Right To Install Spyware on Your Computer

This provision would effectively legalize spyware in Canada on behalf of these industry groups. The potential scope of coverage is breathtaking: a software program secretly installed by an entertainment software company designed to detect or investigate alleged copyright infringement would be covered by this exception.

via Michael Geist – Sony Rootkit Redux: Canadian Business Groups Lobby For Right To Install Spyware on Your Computer.

Hopefully something like this never sees the light of day in the US, and if it does, it helps raise awareness of copyright abuse. The Sony rootkit was a pretty nasty piece of malware that was rather difficult to remove properly. Bad things will happen to unsuspecting and novice computer users should it become legal for anyone to install spyware at the root level. If I recall correctly, the Sony rootkit installed before the user accepted the End User License Agreement. Thus, even if you read the EULA and decided not to install or have anything to do with Sony, Sony had already parked itself on your computer.