Tag Archives: Trojan

Android malware that installs malware on computer.

Recently Kaspersky has found an Android malware that not only infects the phone but also infects Windows computers when the user connects the infected Android phone to a computer. The two apps named SuperCleaner and DroidCleaner which says that it cleans uup and frees memory and helps the phone to run faster actually is a malware.

android malware

When the user runs the application it shows the list of processes running and restarts them, but here is when the malicious activity starts.

android malware in action

 

It downloads three files to the Android phone

autorun.inf,
folder.ico,
svchosts.exe.

So when 68 del 23 marzo 2010, “Disciplina dei giochi di abilita nonche dei giochi di sorte a quota fissa e dei giochi di carte organizzati in forma diversa dal torneo con partecipazione a distanza”. the user connects the phone to the computer the svchosts.exe automatically tries to execute. The file is actually Backdoor.MSIL.Ssucl.a. That records audio from the microphone and uploads it to the cyber criminal”s server after encrypting them.

And on the phone it causes a lot of malicious activities too, like

  1. Sending SMS messages
  2. Enabling Wi-Fi
  3. Gathering information about the device
  4. Opening arbitrary links in a browser
  5. Uploading the SD card’s entire contents
  6. Uploading an arbitrary file (or folder) to the master’s server
  7. Uploading all SMS messages
  8. Deleting all SMS messages
  9. Uploading all the contacts/photos/coordinates from the device to the master”s server.

Malware spreading via email in name of a secure message.

“You have received a secure message” well actually you have not, all you have received is a malware. Recently its seen that there are many emails spreading which contains malware and unlike other malware spreading emails which says about you winning lottery or you gaining a big sum of wealth ,etc. This malware laced email says that someone has sent you one secured and encrypted message and you need to download some file to read it, well and there you have it the malware infecting your computer as soon as you install it.

 

trojan_LCD_Screen-ahitagni-dot-com

 

The email says the following (Please note I have removed the links and phone number for obvious reason)

You have received a secure message

Read your secure message by opening the attachment, SECUREDOC. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions about Key's e-mail encryption service, please contact technical support at <a phone number>.

First time users - will need to register after opening the attachment.
Help - < url link >
About IronPort Encryption - < url link >

 

The file which the email will offer you to download named securedoc.zip contains a Trojan horse , namely Troj/Zbot-DPM. The trojan is a part of notorious ZBot family of malware (also known as Zeus) can hijack your computer, making it part of a criminal botnet. Over the past few years these kind of ZBot trojans have been used to steal personal information,like email id password ,social networking sites id and password and even sed to stel money from bank. So you understand how much har can it cause if it infects your computer.

 

Operation “Red October”

Cyber espionage against Governments of many countries. Kaspersky research lab was the first to found the threat. During the past five years, a high-level cyber-espionage campaign has been running successfully.And stealing classified and sensitive information. It’s suspected that the attack is either from Russian or Chinese hackers.

 

Operation Red October

 

The Red October targeted number of

  • Government
  • Diplomatic / embassies
  • Research institutions
  • Trade and commerce
  • Nuclear / energy research
  • Oil and gas companies
  • Aerospace
  • Military

 

The attack spread from a rtf file (word file) that had the infection.

 

red oct

The exploits used for the attack were:

  • CVE-2009-3129 (MS Excel) [attacks dated 2010 and 21011]
  • CVE-2010-3333 (MS Word) [attacks conducted in the summer of 2012]
  • CVE-2012-0158 (MS Word) [attacks conducted in the summer of 2012]

 

Interestingly the name Red October was inspired from the novel “The Hunt For The Red October” and it was named so probably because it started on the month of October.

pie chart Red Oct

 

Interesting text from the malware, misspelt words and typos.

 

network_scanner: “SUCCESSED”, “Error_massage”, “natrive_os”, “natrive_lan”

imapispool: “UNLNOWN_PC_NAME”, “WinMain: error CreateThred stop”

mapi_client: “Default Messanger”, “BUFEER IS FULL”

msoffice_plugin: “my_encode my_dencode”

winmobile: “Zakladka injected”, “Cannot inject zakladka, Error: %u”

PswSuperMailRu: “——-PROGA START—–“, “——-PROGA END—–”

 

The C++ class that holds the C&C configuration parameters is called “MPTraitor” and the corresponding configuration section in the resources is called “conn_a”. Some examples include:

 

  • conn_a.D_CONN
  • conn_a.J_CONN
  • conn_a.D_CONN
  • conn_a.J_CONN

 

Information stolen from infected systems includes documents with extensions:
txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau,
cif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca,
aciddsk, acidpvr, acidppr, acidssa.

 

red oct infect chart

 

A list of MD5s of known documents used in the Red October attacks:

114ed0e5298149fc69f6e41566e3717a
1f86299628bed519718478739b0e4b0c
2672fbba23bf4f5e139b10cacc837e9f
350c170870e42dce1715a188ca20d73b
396d9e339c1fd2e787d885a688d5c646
3ded9a0dd566215f04e05340ccf20e0c
44e70bce66cdac5dc06d5c0d6780ba45
4bfa449f1a351210d3c5b03ac2bd18b1
4ce5fd18b1d3f551a098bb26d8347ffb
4daa2e7d3ac1a5c6b81a92f4a9ac21f1
50bd553568422cf547539dd1f49dd80d
51edea56c1e83bcbc9f873168e2370af
5d1121eac9021b5b01570fb58e7d4622
5ecec03853616e13475ac20a0ef987b6
5f9b7a70ca665a54f8879a6a16f6adde
639760784b3e26c1fe619e5df7d0f674
65d277af039004146061ff01bb757a8f
6b23732895daaad4bd6eae1d0b0fef08
731c68d2335e60107df2f5af18b9f4c9
7e5d9b496306b558ba04e5a4c5638f9f
82e518fb3a6749903c8dc17287cebbf8
85baebed3d22fa63ce91ffafcd7cc991
91ebc2b587a14ec914dd74f4cfb8dd0f
93d0222c8c7b57d38931cfd712523c67
9950a027191c4930909ca23608d464cc
9b55887b3e0c7f1e41d1abdc32667a93
9f470a4b0f9827d0d3ae463f44b227db
a7330ce1b0f89ac157e335da825b22c7
b9238737d22a059ff8da903fbc69c352
c78253aefcb35f94acc63585d7bfb176
fc3c874bdaedf731439bbe28fc2e6bbe
bb2f6240402f765a9d0d650b79cd2560
bd05475a538c996cd6cafe72f3a98fae
c42627a677e0a6244b84aa977fbea15d
cb51ef3e541e060f0c56ac10adef37c3
ceac9d75b8920323477e8a4acdae2803
cee7bd726bc57e601c85203c5767293c
d71a9d26d4bb3b0ed189c79cd24d179a
d98378db4016404ac558f9733e906b2b
dc4a977eaa2b62ad7785b46b40c61281
dc8f0d4ecda437c3f870cd17d010a3f6
de56229f497bf51274280ef84277ea54
ec98640c401e296a76ab7f213164ef8c
f0357f969fbaf798095b43c9e7a0cfa7
f16785fc3650490604ab635303e61de2

 

Source: Kaspersky

“Win 8 Security System” has nothing to do with Windows8 ,its just a Fake Antivirus , rouge software.

There has been a lot of Fake Antivirus, it has been a trend that , the name of these softwares were always named in such a way that it can be confused with a Windows or Microsoft software. The latest one is “Win 8 Security System” it can be very easily confused with a software program or some software related to the upcoming Windows 8, by general computer users.

The Win 8 Security System works by installing a rootkit driver that takes the control of all the process of the operating system.

Win 8 Security
Win 8 Security, the Fake Antivirus software.

 

The rootkit is installed in the C:\Windows\system32\drivers\51991c15f7a6834.sys (note the numbers are random, your may be a different filename but the location is the same) The rootkit is of two  variant the 64bit , the rootkit disables the Windows 64bit kernel-mode driver signing. The cyber criminals also went ahead and slef signed the rootkit driver, note that the certificate date starts from 30th August (yesterday) !

Note the date of the certificate on the Fake Antivirus it starts on 30th August thats yesterday.

The virus also creates a Fake Action Center which shows the user that the computer is not fully protected.

Fake Windows Action Center

Browser Hijack, the proxy settings gets changed it happens both IE and Chrome , so whatever you type in the address bar it gives a fake  warning.

The main purpose of these fake antivirus is to scare the user and ask them to pay money and says that if you pay money the will get it out of your system and you should know this they wont! even if you have submitted your credit card (which is taken by the cyber criminals) I have seen many people who have regretted submitting their credit card. So, my request is that please do not submit your credit card, they will steal your money and not fix your computer.

They say to buy the software and they will fix your PC, but they wont trust me.

 

Clicking the shortcut icon to buy the software will add this to your computer registry   Target: C:\WINDOWS\system32\reg.exe add “HKCU\SOFTWARE\Microsoft\Windows NT” /v FrameworkBuild /t REG_DWORD /d 0 /f that will open the shopping cart

Shopping cart designed to steal your credit card information.

 

 

How to remove it?
You must be wonderring how to remove this from your PC. You can use the Hitman Pro software (you will get a free licence with the download)
 
Hitman Pro running on 64 bit machine.

 

Its Time You Disable Java On Your Browser. New Java exploit , included in the Blackhole exploit kit , Oracle was told about this exploit in April.

Recently there has been lot of malwares and virus designed with help of Java, to make the malicious code run anywhere, be it Windows , Linux or Mac. But a flaw in the Java itself which was informed to Oracle , in the month of April, has still not being patched. And thus the exploit has been public which is now included in Blackhole exploit kit, to spread virus to Windows machine.

Brain Krebs was first to find out the that  CVE 2012-4681 was being added casino to the Blackhole exploit kit,security company SophosLabs also confirmed it. As of now its only known to be spreading virus on Windows computers, if Mac or Linux are effected is not confirmed yet. The version which is effected in Java 7 , as Mac”s Java version is updated by Apple that version is not yet known to be effected. But as Java 7 has been made available for Mac OS X by Oracle , if user has updated to the new version, they are at risk.

Its is wise to keep Java disabled for the time, till patches are being applied.

Update

Go to http://isjavaexploitable.com/ to check if you Java is vulnerable to exploit.

 

Apple App Store’s First Malware.

Apple’s App Store is known to be very rigorusly check every app before it makes to the App Store. But the Worlds First App that contain trojan confirmed by Kaspersky made it to Apple’s App Store, it steals users phonebook and uploads it to remote server, without users permission.iOS users dont need to worry the app has been removed from the store by Apple. The name of the app is “Find and Call”.

 

The same app also made it to Google Play Store , but now Google has removed it. This kind of apps are generally made to get large number of phone numbers for massive SMS scams.

 

Kaspersky says

“… the application steals data from the device (phone book and cellphone numbers) which are uploaded to a remote server to be used for SMS spam campaigns. Each phone book entry will receive SMS spam message offering to click on the URL and download this ‘Find and Call’ application. It is worth mentioning that the ‘from’ field contains the user’s cellphone number. In other words, people will receive an SMS spam message from a trusted source.”

 

World First Malware App that made it to Apple App Store

Abuse of Dropbox and spreading viruses through shared folders and public links.

Recently there is a new group of cybercriminals in Brazil that are spreading some virus using Dropbox. As I am a big fan of Dropbox , I thought that it would be nice to draw the attention and warn other fellow users.

Infected Dropbox link

The cybercriminals claiming that they got some leaked nude photos of the actress Carolina Dieckmann, in a Youtube video they showed a link shortened by Google URL shortner, that is actually a Dropbox referral link(free space). The victim has to signup to Dropbox and install it. Then the cybercriminal shares a shared folder where they claim to have the pictures, but actually here where they have stored the viruses. And in some cases they are also giving a public download link, from a file in their pubic folder.

We have seen earlier that this kind of files being shared on popular file sharing sites, but the abuse of such a nice service like Dropbox! I haven’t imagined. It’s my request to the dear Dropbox please make a check, at least to the link of public folders, if you want the infected files link which are stored in the attackers Dropbox I can provide it to you.

Note: According to my antivirus the virus was a variant of Win32/Spy.Banker.WXM trojan there may be other variants or different viruses too.

600,000 Infected Macs 247 in Cupertino

 

Generally it is considered that only Windows computers are the ones that can get infected with backdoor trojan but the scenario has changed overtime. Recently a large number of Macs (600,000 plus Macs including 247 from Cupertino: its the Apple HQ) were found infected with a backdoor trajan Flashback (  Trojan-Downloader.OSX.Flashfake.ab ) . Its is to be noted that the trojan works on venerability of  Java ( Java 6 update 31.) and not the core Mac OS.How ever the fault which I see of Apple is that they did not patch the CVE-2012-0507 exploit even after 6 weeks.

If you are reading this on your shiny new MacBook Pro or a Mac you should be thinking by now how to remove it. Well here is a guideline on finding if you are infected with Flashback trojan.

Manually removing Flashback Trojan.

 

Manual Removal Instructions

  • 1. Run the following command in Terminal:defaults read /Applications/Safari.app/Contents/Info LSEnvironment
  • 2. Take note of the value, DYLD_INSERT_LIBRARIES
  • 3. Proceed to step 8 if you got the following error message:”The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist”
  • 4. Otherwise, run the following command in Terminal:grep -a -o ‘__ldpath__[ -~]*’ %path_obtained_in_step2%
  • 5. Take note of the value after “__ldpath__”
  • 6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironmentsudo chmod 644 /Applications/Safari.app/Contents/Info.plist
  • 7. Delete the files obtained in steps 2 and 5
  • 8. Run the following command in Terminal:defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
  • 9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:”The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist”
  • 10. Otherwise, run the following command in Terminal:grep -a -o ‘__ldpath__[ -~]*’ %path_obtained_in_step9%
  • 11. Take note of the value after “__ldpath__”
  • 12. Run the following commands in Terminal:defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIESlaunchctl unsetenv DYLD_INSERT_LIBRARIES
  • 13. Finally, delete the files obtained in steps 9 and 11.

Please note that I cant assure you that following these steps will remove ALL traces of the Flashback trojan, its highly recommended that you install a antivirus for Mac and run a through scan after updating it.

Steps to help protect your Mac from future attacks.

1 Create a non admin account in your Mac. And use it for daily purpose like checking emails and surfing internet.(the account that is generally created by default and you use has admin rights)

2 Download and use a secure browser. I recommend to use Google Chrome as it got a sandboxing plus it also comes with a sandboxed flash player of its own.

3 After you have downloaded and installed the new browser dont forget to make it your default browser.

4 Uninstall or update the default flash player (Apple does not update the flash player regularly) Note: As you have default Google Chrome you no longer need the default flash player as Chrome comes with the updated flash player.

5 Uninstall/Disable Java, Apple does not regularly updates the Java it generally does after months since the release of it, and its not possible to manually update it on Mac. So if you don’t want to uninstalled it because you use some java web applets it is recommended that you at least  disable it from Safari browser.

6 Update your Mac software on a regular basis, it wont cost you a dime but will save you from known vulnerabilities.

7 Install a good antivirus for Mac. And update and run the antivirus from time to time.

8 Install the Little Snitch, it is a firewall program that shows you which application is trying to use the network and offers you to allow or block that application to connect to network.

 

Apple has yet to come up with a tool to remove the Flashback Trojan but guys from Kaspersky has come up with a tool which can be downloaded from here.