Labs Report Sees Mobile Malware Abuse Trust in Early 2014

McAfee Labs today released the McAfee Labs Threats Report: June 2014, revealing mobile malware tactics that abuse the popularity, features, and vulnerabilities of legitimate apps and services, including malware-infested clones masquerading as the popular mobile game Flappy Birds. The report highlights the need for mobile app developers to be more vigilant about the security of their apps, and encourages users to be mindful when granting permission requests that criminals could exploit for profit.

The manipulation of legitimate mobile apps and services played a key role in the expansion of mobile malware at the beginning of 2014. McAfee Labs found that 79 percent of sampled clones of the Flappy Birds game contained malware. Through these clones, perpetrators were able to make phone calls without user permission, install additional apps, extract contact list data, track geo-location, and establish root access for uninhibited control over anything on the device, including the recording, sending, and receiving of SMS messages.

Other examples of trusted mobile app and service features being manipulated for criminal gain include:

Android/BadInst.A: This malicious mobile app abuses app store account authentication and authorization to automatically download, install, and launch other apps without user permission.

Android/Waller.A: This Trojan exploits a flaw in a legitimate digital wallet service to commandeer its money-transfer protocol and transfer money to the attacker’s servers.

Android/Balloonpopper.A: This Trojan exploits an encryption method weakness in the popular messaging app WhatsApp, allowing attackers to intercept and share conversations and photos without users’ permission.

“We tend to trust the names we know on the internet and risk compromising our safety if it means gaining what we most desire,” said Vincent...

Hackers Arrested by US

U.S. authorities said Monday they have disrupted two sophisticated types of computer malware used to steal millions of dollars from people all over the world. The Gameover Zeus botnet, a network of virus-infected computers, targeted thousands of small businesses. And Cryptolocker, software that encrypts files on computers, was used to extract ransom payments from computer owners who wanted access to their files.

Federal prosecutors also announced charges against 30-year-old Evgeniy Bogachev, who they say led a gang of cyber criminals in Russia and Ukraine that was running Gameover Zeus. The United States is in talks with Russian authorities to try to secure Bogachev’s arrest and have him sent to the U.S. for trial, but that remains an unlikely outcome at this point.

Gameover Zeus was responsible for more than $100 million in losses among U.S. victims, and up to one million computers worldwide have been infected since 2011, according to the FBI. Since emerging in 2013, Cryptolocker has been used to attack about 200,000 computers, half of which were in the U.S. In its first two months, criminals extorted an estimated $27 million from victims, Deputy Attorney General James Cole said Monday.

David Hickton, U.S. attorney in Pittsburgh, whose office filed the charges, said the action was intended to help “hundreds of thousands of computer users who were unwittingly infected and victimized.” Among the victims, Hickton said, was the police department in Swansea, Mass.; it paid a ransom to cyber criminals to restore access to its files after its systems were infected by Cryptolocker. In the case of Gameover Zeus, one victim lost $6.9 million from a fraudulent wire...

Lab detects mobile Trojan Svpeng: Financial malware with ransomware capabilities now targeting U.S. users

Although the Gameover Zeus botnet and Cryptolocker ransomware have been disrupted, it is still too early for a victory celebration. First, the two-week deadline expires on June 17th, leaving just one week before cybercriminals could regain control of their botnet. Second, stories of the Gameover Zeus and Cryptolocker campaign have already spawned a number of copycats, including among mobile malware writers.

Last Sunday, June 8th, Kaspersky Lab detected a mobile Trojan now operating in the USA and UK, called Svpeng, which combines the functionality of financial malware with ransomware capabilities. This is the first time that Svpeng, a well-known money-stealing mobile Trojan in Russia, has turned its attention to other markets. For now, this piece of malware, allegedly of Russian origin, does not steal credentials, but it is only a matter of time, since Svpeng is just a modification of a well-known Trojan that operates in Russia and is used mainly for stealing money.

Additionally, the Trojan’s code contains some mentions of a Cryptor method which is not used yet, so it is likely that it will soon be utilized for file encryption. In that case Svpeng would become the second most well-known mobile malware with such functionality, after Pletor, which appeared in the wild in May 2014.

The Trojan checks a user’s phone for a list of certain financial applications, probably for future use, when it starts stealing online banking logins and passwords as it already does with Russian bank accounts. English-language Svpeng currently checks for the presence of the following applications on a victim’s device:

USAA Mobile
Citi Mobile
Amex Mobile
Wells Fargo Mobile
Bank of America...

Critical flaw exposes admin passwords of nearly 32,000 servers

Over 30,000 servers with Supermicro baseboard management controllers (BMCs) on their motherboards are offering up administrator passwords to anyone who knows where to look, warns Zachary Wikholm, a senior security engineer with the Security Incident Response Team of hosting provider CARI.net. This confidential information is exposed because the company stores the password file in plain text, and the file can be downloaded by simply connecting to port 49152.

“You can quite literally download the BMC password file from any UPnP enabled Supermicro motherboard running IPMI on a public interface,” says Wikholm, and adds that this is not the only file that is vulnerable to such an attack. “All the contents of the /nv/ directory are accessible via browser including the server.pem file, the wsman admin password and the netconfig files.”

The vulnerability still endangers servers despite Supermicro fixing the issue with a new IPMI BIOS version, as the fix requires administrators to reflash their systems with the new IPMI BIOS and this is not always possible. Wikholm has stepped in and devised a temporary fix for them.

“Most of the systems affected by this particular issue also have their ‘sh’ shell accessible from the SMASH command line. If you login to the SMASH via ssh and run the command ‘shell sh’, you can drop into a functional SH shell. From there you can actually kill all ‘upnp’ processes and their related children, which provides a functional fix,” he shared, but added that the fix lasts only as long as the system isn’t disconnected or rebooted.

With the help of John Matherly – the creator of Shodan,...

banking malware invasion

A new piece of banking malware is being delivered via tax- and invoice-themed phishing campaigns, Danish security company CSIS is warning. Dubbed “Dyreza,” the malware targets users of a number of major online banking services in the US and the UK: Bank of America, Natwest, Citibank, RBS, and Ulsterbank.

“The code is designed to work similar to ZeuS and as most online banking threats it supports browser hooking for Internet Explorer, Chrome and Firefox and harvests data at any point an infected user connects to the targets specified in the malware,” shared CSIS researcher Peter Kruse.

The Trojan is currently being delivered through emails purportedly coming from the aforementioned financial institutions and, once run, the attached malicious file beacons back to its C&Cs. The malware also allows attackers to control browser traffic and perform Man-in-the-Middle attacks. Because this gives them the ability to read all the encrypted traffic between the victims’ browser and the financial institutions’ servers, they can also try to circumvent 2-factor authentication.

“We believe this is a new banker trojan family and not yet another offspring from the ZeuS source code,” says Kruse. “Still it’s unclear if this is provided as a ‘Crime as a Service’ or if it’s a full circle criminal outfit.”

CSIS managed to track down some of the malware’s C&C servers, and even accessed parts of them, finding a customized “money mule” panel with several accounts in Latvia. Kruse also warns users to be wary of future spam campaigns delivering the Trojan, as there are indications that the crooks will try to push it onto users by masquerading it as a Flash Player...