Leaked NSA Malware Is Helping Hijack Computers Around the World

The U.S. software weapon would have allowed the spy agency’s hackers to break into potentially millions of Windows computers by exploiting a flaw in how certain versions of Windows implemented a network protocol commonly used to share files and to print.

Source: Leaked NSA Malware Is Helping Hijack Computers Around the World

From:  Security Update for Microsoft Windows SMB Server (4013389)

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited these vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Hacking Team’s RCS Android: The most sophisticated Android malware ever exposed

The spyware is delivered either via the aforementioned app, or via an SMS or email that contain a specially crafted URL that will trigger exploits for several vulnerabilities in the default browsers of Android versions 4.0 Ice Cream Sandwich to 4.3 Jelly Bean.

This will allow the attacker to gain root privilege, and allow the installation of a shell backdoor and RCS Android.

Source: Hacking Team’s RCS Android: The most sophisticated Android malware ever exposed

Self-repairing software tackles malware

Unlike a normal virus scanner on consumer PCs that compares a catalog of known viruses to something that has infected the computer, A3 can detect new, unknown viruses or malware automatically by sensing that something is occurring in the computer’s operation that is not correct. It then can stop the virus, approximate a repair for the damaged software code, and then learn to never let that bug enter the machine again.

via Self-repairing software tackles malware — ScienceDaily.

The A3 software is open source, meaning it is free for anyone to use, but Eide believes many of the A3 technologies could be incorporated into commercial products

Download papers from the source: A3 : Flux Research Group

The A3 project applies virtualization, record-and-replay, introspection, repair, and other techniques to develop a customizable container for “advanced adaptive applications.” The A3 container provides its protected application with both innate and adaptive defenses against security threats.

Available Software

Researchers Find Malicious Tor Exit Node Adding Malware to Binaries

The exit node in question was in Russia, and Pitts discovered that the node was actively patching any binaries he downloaded with a piece of malware. He downloaded binaries from a variety of sources, including Microsoft.com, and each of them came loaded with malicious code that opens a port to listen for commands and starts sending HTTP requests to a remote server.

via Researchers Finds Malicious Tor Exit Node Adding Malware to Binaries | Threatpost | The first stop for security news.

From: The Case of the Modified Binaries

Companies and developers need to make the conscious decision to host binaries via SSL/TLS, whether or not the binaries are signed. All people, but especially those in countries hostile to “Internet freedom,” as well as those using Tor anywhere, should be wary of downloading binaries hosted in the clear—and all users should have a way of checking hashes and signatures out of band prior to executing the binary.

Turning USB peripherals into BadUSB

BadUSB – Turning devices evil. Once reprogrammed, benign devices can turn malicious in many ways, including:

  1. A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
  2. The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.
  3. A modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot.

via Turning USB peripherals into BadUSB | Security Research Labs.

The biggest iPhone security risk could be connecting one to a computer

Apple issues developer certificates to those who want to do internal distributions of their own applications. Those certificates can be used to self-sign an application and provision it.

Wang’s team found they could sneak a developer provisioning file onto an iOS device when it was connected via USB to a computer. A victim doesn’t see a warning.

That would allow for a self-signed malicious application to be installed. Legitimate applications could also be removed and substituted for look-alike malicious ones.

via The biggest iPhone security risk could be connecting one to a computer – Computerworld.

SynoLocker demands 0.6 Bitcoin to decrypt Synology NAS devices

It’s not clear yet how SynoLocker’s operators installed the malware, for example, if they had exploited a vulnerability in Synology devices. CSO Australia has asked Synology for comment and will update the story if it receives one.

According to the victim, Synology’s support team are interested in hearing from victims who have not reinstalled its Linux-based DiskStation Manager NAS operating system. Synology’s NAS devices were hit late last year by scammers looking to use their compute power to mine several cryptocurrencies, including Bitcoin.

via SynoLocker demands 0.6 Bitcoin to decrypt Synology NAS devices – CSO | The Resource for Data Security Executives.

Having proper backups would thwart this attack.  Simply wipe the box and rebuild the NAS.

Malware Posing as Official Google Play App Found in….Official Google Play Store

When you click on it, the app asks for administrator privileges of the device. Once opened the sole user interface FireEye observed for the app contains pops up saying “Program Error” and “It’s Deleted!” when translated to English from Korean.

via Malware Posing as Official Google Play App Found in….Official Google Play Store.

These exploits usually require the user to approve of something first.

The app captures text messages, security certificates and banking details which it then sends to a Gmail address included in the malware – an email address which Google has now terminated

New crimeware tool Dendroid makes it easier to create Android malware, researchers warn

Dendroid’s features include deleting call logs and files; calling phone numbers; opening Web pages; recording calls and audio from the microphone; intercepting text messages; taking and uploading photos and videos; opening applications and launching HTTP flood (denial-of-service) attacks for a period of time specified by the attacker.

Dendroid is not the first Android RAT, but is one of the most sophisticated one seen to date.

via New crimeware tool Dendroid makes it easier to create Android malware, researchers warn | ITworld.