Microsoft Revokes Trust in 28 of Its Own Certificates

Microsoft has not said exactly what the now-untrusted certificates were used for, but company officials said there were a total of 28 certificates affected by the move. Many of the affected certificates are listed simply as “Microsoft Online Svcs”. However, the company said that it was confident that none of them had been compromised or used maliciously. The move to revoke trust in these certificates is a direct result of the investigation into the Flame malware and how the attackers were able to forge a Microsoft certificate and then use it to impersonate a Windows Update server.

via Microsoft Revokes Trust in 28 of Its Own Certificates | threatpost.

Malware author taunts security researchers with built-in chat

Security researchers from AVG were decompiling a trojan — it had been originally posted to a Diablo III forum, masquerading as a how-to video — when the malware’s author popped up in a window on their screen. It turned out that the trojan had a built-in chat, as well as a screen-capture facility. The hacker who wrote the malware saw them working on defeating her or his virus and decided to tell them off for their audacity. Franklin Zhao and Jason Zhou, the AVG researchers, wrote up their experience:

via Malware author taunts security researchers with built-in chat – Boing Boing.

Flame Malware Hijacks Windows Update Mechanism

According to Symantec’s Security Response team, the Snack module sniffs NetBIOS requests on the local network. NetBIOS name resolution allows computers to find each other on a local network via peer-to-peer, opening up an avenue for spoofing.

“When clients attempt to resolve a computer name on the network, and in particular make WPAD (Web Proxy Auto-Discovery Protocol) requests, Flamer will claim it is the WPAD server and provide a rogue WPAD configuration file (wpad.dat),” Symantec noted. “NetBIOS WPAD hijacking is a well-known technique and many publicly available hack tools have implemented the technique.”

via Flame Malware Hijacks Windows Update Mechanism | SecurityWeek.Com.

This is why automatic Windows updates should always be off. Only update manually when you know your network is secure.
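Detecting the spoofing Symantec describes is a matter of watching who answers NetBIOS name queries for WPAD. The following is an added example, not code from the article or from Symantec's analysis: a minimal NBNS response parser (RFC 1002 layout) that reports every host answering for the WPAD name, with an optional allowlist for the legitimate proxy. It assumes the capture is supplied as (sender IP, UDP payload) pairs; the sample packets it parses are constructed by `build_nbns_response`.

```python
import struct
NB_RR_TYPE = 0x20  # NetBIOS general name service resource record type (RFC 1002)

def encode_nb_name(name, suffix=0x00):
    # First-level encoding (RFC 1001 14.1): pad to 15 chars, append suffix byte, split nibbles from 'A'.
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return "".join(chr((b >> 4) + 0x41) + chr((b & 0x0F) + 0x41) for b in raw)

def decode_nb_name(encoded):
    # Reverse of encode_nb_name; returns (name, suffix byte).
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def parse_nbns_answers(pkt):
    # Walk the answer section of an NBNS packet; return [(name, suffix, ip)] for NB records.
    flags, qdcount, ancount = struct.unpack("!6H", pkt[:12])[1:4]
    if not flags & 0x8000:  # response flag clear: this is a query, nothing is advertised
        return []
    off = 12
    for _ in range(qdcount):  # skip question entries: length, encoded name, 0x00, type, class
        off += 1 + pkt[off] + 1 + 4
    found = []
    for _ in range(ancount):
        nlen = pkt[off]
        name, suffix = decode_nb_name(pkt[off + 1:off + 1 + nlen].decode("ascii"))
        off += 1 + nlen + 1  # length byte, encoded name, terminator
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == NB_RR_TYPE:
            for i in range(0, rdlen, 6):  # each entry: NB_FLAGS(2) + NB_ADDRESS(4)
                found.append((name, suffix, ".".join(str(b) for b in rdata[i + 2:i + 6])))
    return found

def wpad_responders(captured, allowed=frozenset()):
    # captured: iterable of (sender_ip, nbns_udp_payload). Returns {(sender, advertised_ip)}
    # for every host that answered for WPAD and is not on the allowlist of known proxies.
    hits = set()
    for sender, pkt in captured:
        for name, _suffix, ip in parse_nbns_answers(pkt):
            if name == "WPAD" and sender not in allowed:
                hits.add((sender, ip))
    return hits

def build_nbns_response(name, ip, txid=0x1234):
    # Constructed sample: positive name query response (flags 0x8500) carrying one NB record.
    rr_name = bytes([32]) + encode_nb_name(name).encode("ascii") + b"\x00"
    rdata = b"\x00\x00" + bytes(int(o) for o in ip.split("."))
    rr = rr_name + struct.pack("!HHIH", NB_RR_TYPE, 1, 300000, len(rdata)) + rdata
    return struct.pack("!6H", txid, 0x8500, 0, 1, 0, 0) + rr
```

Feed it the UDP payloads of port 137 traffic from a capture; any sender outside the allowlist answering for WPAD is exactly the behaviour the quoted passage attributes to Flame's Snack module.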

US warns users of new Citadel ransomware hit

This variation, called Reveton, lures the victim to a drive-by download website, at which time the ransomware is installed on the user’s computer, says the U.S. Internet Crime Complaint Center (IC3). Once the ransomware is installed, the computer freezes and a screen is displayed warning the user they have violated United States Federal Law. The crimeware declares the user’s IP address was identified by the Computer Crime & Intellectual Property Section as visiting child pornography and other illegal content.

via US warns users of new Citadel ransomware hit.

Religious sites ‘riskier than porn for viruses’

Web wanderers are more likely to get a computer virus by visiting a religious website than by peering at porn, according to a study released on Tuesday.

via Religious sites ‘riskier than porn for viruses’.

“We hypothesize that this is because pornographic website owners already make money from the Internet and, as a result, have a vested interest in keeping their sites malware-free; it’s not good for repeat business.”

HP Ships Network Switches With Malware Infected Flash Cards

HP has warned of a security vulnerability associated with its ProCurve 5400 zl switches that contain compact flash cards that the company says may be infected with malware. The company warned that using one of the infected compact flash cards in question on a computer could result in the system being compromised.

via HP Ships Network Switches With Malware Infected Flash Cards | SecurityWeek.Com.

In March 2012, a consortium of experts published a preview of standards meant to improve the security of the global supply chain for commercial software and hardware products. The standards are the work of The Open Group, and are supported by companies ranging from Boeing to Oracle to IBM. The document has been dubbed the Open Trusted Technology Provider Standard (O-TTPS) Snapshot. The standards are being aimed at providers, suppliers and integrators with the goal of enhancing the security of the supply chain and allowing customers to differentiate between providers who adopt the standard’s practices and those who don’t.

A unique ‘fileless’ bot attacks news site visitors

Analysis of the exploit’s JAR file demonstrated that it exploits a Java vulnerability (CVE-2011-3544). Cybercriminals have been exploiting this vulnerability since November in attacks targeting both MacOS and Windows users. Exploits for this vulnerability are currently among the most effective and are included in popular exploit packs.

via A unique ‘fileless’ bot attacks news site visitors – Securelist.

After successfully injecting and launching the malicious code (dll), Java begins to send requests to third-party resources, which look like Google search requests: “search?hl=us&source=hp&q=%s&aq=f&aqi=&aql=&oq=”…

These requests include data on the browsing history taken from the user’s browser, as well as a range of additional technical information about the infected system.
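The beacon pattern quoted above can be matched in proxy logs. This is an added example, not code from the Securelist write-up: it flags requests whose query string has exactly the quoted shape (`search?hl=us&source=hp&q=…&aq=f&aqi=&aql=&oq=`) but that are sent to a host that is not a Google search front end. The log line format and the host rule are assumptions for this example, and the sample log lines are constructed.

```python
from urllib.parse import urlsplit, parse_qsl

# Key order and fixed values taken from the beacon string quoted in the write-up;
# q carries the exfiltrated data, so its value is unconstrained (None).
BEACON_SHAPE = [("hl", "us"), ("source", "hp"), ("q", None),
                ("aq", "f"), ("aqi", ""), ("aql", ""), ("oq", "")]

def looks_like_beacon(url):
    # True when the path is /search and the query string matches BEACON_SHAPE exactly.
    parts = urlsplit(url)
    if not parts.path.endswith("/search"):
        return False
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if [k for k, _ in pairs] != [k for k, _ in BEACON_SHAPE]:
        return False
    return all(exp is None or v == exp for (_, v), (_, exp) in zip(pairs, BEACON_SHAPE))

def legitimate_search_host(host):
    # Assumption for this example: only google.<tld> / www.google.<tld> serve real /search pages.
    labels = host.split(".")
    return len(labels) >= 2 and (labels[0] == "google" or labels[:2] == ["www", "google"])

def find_beacons(log_lines):
    # Constructed log format: "<timestamp> <client_ip> <method> <url> <status>".
    hits = []
    for line in log_lines:
        ts, client, _method, url, _status = line.split()
        host = urlsplit(url).hostname or ""
        if looks_like_beacon(url) and not legitimate_search_host(host):
            q = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))["q"]
            hits.append((ts, client, host, q))
    return hits

# Constructed sample: a normal search, a beacon to a non-Google host, and a search with hl=us on Google.
SAMPLE_LOG = [
    "2012-03-02T09:15:01 10.1.2.3 GET http://www.google.com/search?hl=en&source=hp&q=weather&aq=f&aqi=&aql=&oq= 200",
    "2012-03-02T09:15:07 10.1.2.3 GET http://stats-relay.example/search?hl=us&source=hp&q=aGlzdG9yeQ&aq=f&aqi=&aql=&oq= 200",
    "2012-03-02T09:16:00 10.1.2.9 GET http://www.google.com/search?hl=us&source=hp&q=news&aq=f&aqi=&aql=&oq= 200",
]
```

Only the second line is reported: the first has hl=en, and the third goes to a genuine Google host.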

Researchers Seek Help in Solving DuQu Mystery Language

While other parts of DuQu are written in the C++ programming language and are compiled with Microsoft’s Visual C++ 2008, this part is not, according to Alexander Gostev, chief security expert at Kaspersky Lab. Gostev and his team have also determined that it’s not Objective C, Java, Python, Ada, Lua or many other languages they know.

via Researchers Seek Help in Solving DuQu Mystery Language | Threat Level | Wired.com.

The module is an important part of DuQu’s payload — which is the part of DuQu that performs malicious functions once it’s on an infected machine. The module allows DuQu’s DLL file to operate completely independent of other DuQu modules. It also takes data stolen from infected machines and transmits it to command-and-control servers and has the ability to distribute additional malicious payloads to other machines on a network, in order to spread the infection.

Trend Micro Migrates Security Tool HijackThis to Open Source

Trend Micro today announced that it has open sourced the code to its popular free security tool, HijackThis. The tool scans systems to find settings that may have been modified by spyware, malware or other programs that have wiggled their way onto a system and caused problems.

via Trend Micro Migrates Security Tool HijackThis to Open Source | SecurityWeek.Com.

“As new malicious code is released faster than ever before, the need for analyzing log data to identify new malicious code is more important than ever,” the company said in a statement. “Through this offer to the open source community, the product has the opportunity to develop and become an even better solution to quickly identify new malicious code.”

Download HijackThis.exe here (SourceForge).

Official website here.