Lab detects mobile Trojan Svpeng: Financial malware with ransomware capabilities now targeting U.S. users

Although the Gameover Zeus botnet and Cryptolocker ransomware have been disrupted, it is still too early for a victory celebration. First, the two-week deadline expires on June 17th, leaving just one week before cybercriminals could regain control of their botnet. Second, stories of the Gameover Zeus and Cryptolocker campaign have already spawned a number of copycats, including among mobile malware writers. Last Sunday, June 8th, Kaspersky Lab detected a mobile Trojan now operating in the USA and UK, called Svpeng, which combines the functionality of financial malware with ransomware capabilities. This is the first time that Svpeng, a well-known money-stealing mobile Trojan in Russia, has turned its attention to other markets. For now, this piece of malware, allegedly of Russian origin, does not steal credentials, but it is only a matter of time, since Svpeng is just a modification of a well-known Trojan that operates in Russia and is used mainly for stealing money. Additionally, the Trojan’s code contains references to a Cryptor method that is not yet used, so it is likely that it will soon be utilized for file encryption. In that case Svpeng will become the second well-known mobile malware with such functionality, after Pletor, which appeared in the wild in May 2014. The Trojan checks a user’s phone for a list of certain financial applications – probably for future use, when it starts stealing online banking logins and passwords, as it already does with Russian bank accounts. English-language Svpeng currently checks for the presence of the following applications on a victim’s device: USAA Mobile, Citi Mobile, Amex Mobile, Wells Fargo Mobile, Bank of America...

Critical flaw exposes admin passwords of nearly 32,000 servers

Over 30,000 servers with Supermicro baseboard management controllers (BMCs) on their motherboards are offering up administrator passwords to anyone who knows where to look, warns Zachary Wikholm, a senior security engineer with the Security Incident Response Team of hosting provider CARI.net. This confidential information is exposed because the company stores the password file in plain text, and the file can be downloaded by simply connecting to port 49152. “You can quite literally download the BMC password file from any UPnP enabled Supermicro motherboard running IPMI on a public interface,” says Wikholm, and adds that this is not the only file that is vulnerable to such an attack. “All the contents of the /nv/ directory are accessible via browser including the server.pem file, the wsman admin password and the netconfig files.” The vulnerability still endangers servers despite Supermicro fixing the issue with a new IPMI BIOS version, because the fix requires administrators to reflash their systems with the new IPMI BIOS and this is not always possible. Wikholm has stepped in and devised a temporary fix for them. “Most of the systems affected by this particular issue also have their ‘sh’ shell accessible from the SMASH command line. If you login to the SMASH via ssh and run the command ‘shell sh’, you can drop into a functional SH shell. From there you can actually kill all ‘upnp’ processes and their related children, which provides a functional fix,” he shared, but added that the fix lasts only as long as the system isn’t disconnected or rebooted. With the help of John Matherly – the creator of Shodan,...

Banking malware invasion

A new piece of banking malware is being delivered via tax- and invoice-themed phishing campaigns, Danish security company CSIS is warning. Dubbed “Dyreza,” the malware targets users of a number of major online banking services in the US and the UK: Bank of America, Natwest, Citibank, RBS, and Ulsterbank. “The code is designed to work similar to ZeuS and as most online banking threats it supports browser hooking for Internet Explorer, Chrome and Firefox and harvests data at any point an infected user connects to the targets specified in the malware,” shared CSIS researcher Peter Kruse. The Trojan is currently being delivered through emails purportedly coming from the aforementioned financial institutions and, once run, the attached malicious file beacons back to its C&Cs. The malware also allows attackers to control browser traffic and perform Man-in-the-Middle attacks. Being able to read all the encrypted traffic between the victims’ browser and the financial institutions’ servers, they can also try to circumvent 2-factor authentication. “We believe this is a new banker trojan family and not yet another offspring from the ZeuS source code,” says Kruse. “Still it’s unclear if this is provided as a “Crime as a Service” or if it’s a full circle criminal outfit.” They managed to track down some of the malware’s C&C servers, have even accessed parts of them, and found a customized “money mule” panel with several accounts in Latvia. Kruse also warns users to be wary of future spam campaigns delivering the Trojan, as there are indications that the crooks will try to push it onto users by masquerading it as a Flash Player...

Beware

A Chinese Android smartphone on sale on Amazon, eBay and other online stores has been found to contain a virus that pretends to be the Google Play Store but steals user data. The Star N9500, which closely resembles Samsung’s Galaxy S4 smartphone in appearance, is manufactured in China but sold online through resellers based in Belfast and Hong Kong. The Trojan, known as “Uupay.D”, disguised as the Google Play Store, comes pre-installed on the Android smartphone and cannot be removed by the user, according to German security company G Data, which analysed one of the smartphones purchased directly from the factory in...

eBay hacked

If you’re a spammer, big news like the recent breach of eBay’s computers is like striking oil in your back yard. Perpetrators of unwanted email live for headline-grabbing events that they can use to separate gullible Web wanderers from their money, so the eBay breach is a perfect vehicle for the scammers, Cloudmark reported last week. “We see this around security events like the eBay breach and natural disasters,” Cloudmark Threat Researcher Andrew Conway told TechNewsWorld. “In some cases, they’ll take you to a malicious site that will try to convince you to install a Trojan on your system,” he said, “but this one is not that bad.” The scam discovered by Cloudmark tries to scare recipients of the spam message into believing that their eBay credentials may be used to give them a criminal record. “My name was used falsely in an arrest, and I didnt even Know it until I checked my public record,” one typical spam message...

P.F. Chang’s

Restaurant chain P.F. Chang’s China Bistro said on Tuesday that it is investigating claims of a data breach which may have led to debit and credit card details being posted on an underground forum. According to journalist Brian Krebs, thousands of freshly stolen debit and credit cards appeared for sale on “carding” website Rescator on Monday. The Rescator website is perhaps best known for its selling of tens of millions of the cards swiped as part of the Target breach. Krebs contacted several banks and was informed that all of the stolen cards had been used at P.F. Chang’s restaurants across the United States between the beginning of March and 19 May this year. In an emailed statement Anne Deanovic, a spokeswoman for P.F. Chang’s, said: “P.F. Chang's takes these matters very seriously and is currently investigating the situation, working with the authorities to learn more. We will provide an update as soon as we have additional information.” The restaurant chain, owned by Centerbridge Partners, operates 211 stores in the US as well as additional eateries in Argentina, Canada, Chile, Mexico, Puerto Rico and the Middle East. According to Krebs, banks have reported that the cards were only stolen from restaurants in the States, specifically in Florida, Maryland, New Jersey, Pennsylvania, Nevada and North Carolina. We don’t yet know how it happened, although recent breaches such as those at Target and Neiman Marcus were the result of attacks on point of sale (POS) systems. These kinds of attacks occur when thieves plant malware onto cash registers which then records the data stored on the magnetic strip of...

Control access to buildings and work areas

Each one of us has a responsibility to ensure that our building is secure. When you enter the building from a side door or after hours, make sure the door closes properly and check to see that no one has slipped in behind you. If you see someone you don’t know wandering around, don’t be afraid to grab a co-worker and ask which room they’re looking for or who they’re visiting. It’s better to be safe than...

How Websites and Their Users Get Infected

Given how destructive malware can be, it is alarming just how easily it can infect websites and their users. While many different attack methods exist, injection and cross-site scripting are the most popular. With these types of strikes, users can become infected with malware just by visiting a site. Often called “drive-by downloads,” these attacks do not require the user to actively download an infected file. The malware downloads itself to users’ computers without their knowledge. As you can imagine, this makes website malware particularly insidious and dangerous.

Figure 1. Top Drive-By Downloads

1. Trojan.Clicker.CM: Displays pop-up ads that lure users to click; when clicked, the pop-ups lead to sites that contain malicious adware.
2. Trojan.Wimad.Gen.1: Poses as a common Windows Media audio file; if run, this threat allows attackers to load malicious software onto a user’s computer.
3. Trojan.AutorunINF.Gen: Malware that autoruns and executes the Conficker virus, which has the potential to turn computers into hosts in a botnet and lock users out of accounts, among many other symptoms.
4. Trojan.Downloader.JLPK: Malware that decrypts functions and downloads more malware files.
5. Trojan.Exploit.SSX: Usually appears on sites through SQL injection attacks that insert an invisible iFrame into clean code; can steal user information.
6. Trojan.Downloader.Js.Agent.F: A JavaScript file which inserts links to malicious JavaScript and iFrames into clean code; can steal user information.
7. Trojan.Exploit.ANPI: A Visual Basic script that exploits a vulnerability in Internet Explorer to download, save, and execute infected files; can steal user information.
8. Trojan.IFrame.GA: A JavaScript file which gets...
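Several of the threats in the table work by injecting an invisible iFrame or an external script reference into an otherwise clean page. A site owner can catch that class of tampering by scanning served HTML for the tell-tale markers. The following added example (not code from the report) does that with the standard library: it flags iFrames that are zero-sized, hidden by style, or pointing at a host outside an allow list, and script tags that load from foreign hosts. The sample page, the site hostname and the allow-listed embed host are constructed for the demonstration.

```python
"""Scan HTML for injected hidden iFrames and foreign script includes.
Added example; the sample page and hostnames below are constructed."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample page: one legitimate embed, one legitimate local script,
# and two injected elements of the kind described in the table above.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<script src="/static/app.js"></script>
<iframe src="http://198.51.100.77/ad.php" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<script src="http://203.0.113.9/x.js"></script>
</body></html>"""

HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class InjectionScanner(HTMLParser):
    """Collects findings for suspicious <iframe> and <script> start tags."""

    def __init__(self, site_host: str, allowed_hosts=()):
        super().__init__()
        self.allowed = set(allowed_hosts) | {site_host}
        self.findings: List[Dict[str, object]] = []

    def _foreign(self, src: Optional[str]) -> bool:
        """True when src names a host that is neither the site nor allow-listed."""
        if not src:
            return False
        host = urlparse(src).hostname
        return host is not None and host not in self.allowed

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            reasons = []
            if a.get("width", "").strip() in ("0", "0px") or a.get("height", "").strip() in ("0", "0px"):
                reasons.append("zero-size")
            if HIDDEN_STYLE_RE.search(a.get("style", "")):
                reasons.append("hidden-style")
            if self._foreign(a.get("src")):
                reasons.append("foreign-src")
            if reasons:
                self.findings.append({"tag": "iframe", "src": a.get("src"), "reasons": reasons,
                                      "line": self.getpos()[0]})
        elif tag == "script" and self._foreign(a.get("src")):
            self.findings.append({"tag": "script", "src": a.get("src"), "reasons": ["foreign-src"],
                                  "line": self.getpos()[0]})


def scan_html(html: str, site_host: str, allowed_hosts=()) -> List[Dict[str, object]]:
    """Return a list of suspicious iframe/script findings for one HTML document."""
    scanner = InjectionScanner(site_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML, "www.example.com", allowed_hosts=["www.youtube.com"]):
        print(f"line {f['line']}: <{f['tag']} src={f['src']}> {', '.join(f['reasons'])}")
```

Running this over a crawl of your own pages, with the allow list set to the third-party hosts you knowingly embed, turns the "invisible iFrame in clean code" pattern into a routine integrity check rather than something discovered after visitors are infected.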

What Is Malware?

Malware is software designed to attack and damage, disable, or disrupt computers, computer systems, or networks. Hackers often take advantage of website security flaws, also known as vulnerabilities, to inject malware into existing software and systems with consequences that can range from the relatively benign—like annoying pop-up windows in a web browser—to the severe, including identity theft and financial ruin. Many web users are already familiar with computer viruses and the damage they can do, so does that mean that malware and viruses are the same? Yes and no—malware is an umbrella term that has come to encompass a range of threats, including viruses, worms, spyware, trojans, bots, and other malicious programs. However, each of these sub-types has its own unique features, behaviors, and targets. For example, a computer virus is designed to infect a computer, replicate itself, and then spread to other computers. Spyware, on the other hand, is software that collects information without a user’s knowledge and secretly sends it to hackers who use it for malicious purposes. Examples of spyware include keyloggers that record the keystrokes of users. Hackers can use these to record usernames and passwords that users type into bank websites to gain access to accounts in order to steal...

Malware Evolves in 2013

Since our last Security Threat Report, malware and related IT security threats have grown and matured, and the developers and publishers of malicious code and websites have become far more creative in camouflaging their work. In 2013, botnet and exploit kit innovations that were once restricted to the cutting edge have proliferated, as new malware authors learn from the experiences and released source code of their predecessors. Cyber criminals have become more adept at eluding identification, relying more heavily on cryptography and increasingly placing their servers in the darknet—closed, anonymous areas of the Internet designed to resist...