Monday, 31 March 2014
Barracuda launches Threat Glass
Barracuda Networks, a provider of cloud storage and IT security products, has introduced Threat Glass, an online tool for searching, analysing and sharing information about websites that serve malware. With Threat Glass, users can review infected websites, including screenshots of each stage of the infection, and analyse the associated network activity.
Tuesday, 25 March 2014
XP malware lets criminals empty ATMs via SMS
ATM malware that infects a Windows XP installation lets criminals empty the cash dispenser by sending a single SMS message. The malware, Ploutus, was first discovered in Mexico last October but is now active in more countries.
Two weeks after that discovery a new Ploutus variant was found. This version had been translated into English and had a modular architecture. Anti-virus company Symantec has analysed this version further and discovered that criminals can now empty the ATM by sending text messages.
Attack
To attack an ATM, criminals first need physical access to it. The machine is then booted from a boot CD that carries the Ploutus malware, which infects the ATM's operating system during startup. If anti-virus software is present, the malware disables it as well.
Once installed, Ploutus can be activated with a special key combination, after which the machine dispenses cash on command. The criminals had to share this key combination with the money mules sent to collect the cash, and if the mules knew what the key combination could do, they could cut their employers out, Symantec says.
Smartphone
To solve this problem, the criminals can also attach a smartphone to the ATM. The already-installed malware lets the criminal communicate with the ATM through the phone, so the key combination no longer has to be shared with the mule. The criminal sends an SMS to the ATM, which then dispenses the money for the mule to pick up. The attacks have been observed in various places around the world.
Symantec notes that modern ATMs have better protection, such as encrypted hard drives, which hinders installation of the malware. Older ATMs, however, run Windows XP and are therefore more vulnerable; Ploutus, for example, only works on Windows XP. Banks are advised to upgrade to Windows 7 or 8. In addition, the BIOS should be locked so that the machine cannot be booted from other media.
MD5:
488acf3e6ba215edef77fd900e6eb33b
b9f5bd514485fb06da39beff051b9fdc
VirusTotal links:
https://www.virustotal.com/en/file/0106757fac9d10a8e2a22dce5337f404bfa1c44d3cc0c53af3c7539888bc4025/analysis/
https://www.virustotal.com/en/file/34acc4c0b61b5ce0b37c3589f97d1f23e6d84011a241e6f85683ee517ce786f1/analysis/
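One way to put the indicators above to use is to sweep a mounted image of an ATM's system drive for files whose hash matches them. The following is an added example written for this article, not Symantec's tooling: the MD5 values are the ones listed above, the SHA-256 values are the file identifiers embedded in the two VirusTotal URLs, and the `demo()` helper runs the scanner on a constructed, empty placeholder file rather than a real sample.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

# Added example, not Symantec's tooling: sweep a directory (for instance a mounted
# image of an ATM's Windows XP system drive) for the Ploutus indicators above.
# The MD5 values are the ones listed in this article; the SHA-256 values are the
# file identifiers embedded in the two VirusTotal URLs.
PLOUTUS_IOCS: Dict[str, Set[str]] = {
    "md5": {
        "488acf3e6ba215edef77fd900e6eb33b",
        "b9f5bd514485fb06da39beff051b9fdc",
    },
    "sha256": {
        "0106757fac9d10a8e2a22dce5337f404bfa1c44d3cc0c53af3c7539888bc4025",
        "34acc4c0b61b5ce0b37c3589f97d1f23e6d84011a241e6f85683ee517ce786f1",
    },
}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Return {'md5': ..., 'sha256': ...} for a file, reading it once in chunks."""
    digests = {"md5": hashlib.md5(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan_for_iocs(root: str, iocs: Dict[str, Set[str]] = PLOUTUS_IOCS) -> List[Tuple[str, str, str]]:
    """Walk `root`; return (path, algorithm, digest) for every file whose hash is in `iocs`."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            for algo, digest in digests.items():
                if digest in iocs.get(algo, set()):
                    hits.append((path, algo, digest))
    return hits


def demo() -> Tuple[str, List[Tuple[str, str, str]], List[Tuple[str, str, str]]]:
    """Run the scanner on a constructed, empty placeholder file (not a Ploutus sample).
    Returns (path, hits against the file's own SHA-256, hits against the real Ploutus IOCs)."""
    tmp = tempfile.mkdtemp()
    sample = Path(tmp) / "dispenser_helper.exe"
    sample.write_bytes(b"")  # empty on purpose: its digests are the well-known empty-input values
    own = {"sha256": {hashlib.sha256(b"").hexdigest()}}
    return str(sample), scan_for_iocs(tmp, own), scan_for_iocs(tmp)


if __name__ == "__main__":
    import sys
    for hit in scan_for_iocs(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("IOC match: %s (%s %s)" % hit)
```

Hashing both algorithms in a single read keeps the sweep to one pass over the disk, which matters on a full drive image; a hash match is a positive indicator only, so an empty result does not prove the machine is clean against a repacked variant.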
Figure: Ploutus ATM attack overview
Labels: ATM, Attack, Banks, Criminals, Discovered, Installation, Key, Mexico, Money, Ploutus Malware, SMS, Symantec, VirusTotal, XP
Monday, 24 March 2014
WhiteHat Security launches "most secure browser" on the Internet
An American security company claims to have launched the "most secure browser" on the Internet, one that should protect users against both malware and parties that want to violate their privacy. The browser, called Aviator, was published last year for Mac, and now there is also a Windows version.
Aviator was developed by WhiteHat Security and is based on Chromium, the open-source browser on which Google Chrome is built. Chromium was chosen because it has several unique security features, such as a sandbox. WhiteHat nevertheless found Chromium not safe enough and made an adapted version with more security and privacy settings.
"Google and Microsoft make a lot of money on online ads. Unfortunately, very intrusive online advertising, because you basically follow anywhere on the Internet. Even Mozilla receives most of the revenue through advertisements. Implementing truly effective security and privacy could adversely for their business operations, " said the security company
For example, the default search engine is DuckDuckGo instead of Google, and the browser integrates Disconnect, an extension that blocks ads and tracking on the Internet. In addition, browsing history, cache, cookies, auto-complete data and local storage are removed when the browser restarts. Third-party cookies are blocked by default, plug-ins require an extra mouse click before they run, Do-Not-Track is enabled by default, and a minimum of data is sent to Google.
Revenue
Although little advertising was done for the Mac version, it was downloaded thousands of times in recent months. The browser is free to download, but a revenue model is still being worked out, product management director Robert Hansen says. He guarantees that no money will be earned from the information users provide, as many other browsers do.
Current users of the browser need not worry, because they can keep using it for free. "Once we have determined how we can make money, only new users will have to pay for a license." In the future, other operating systems will be supported alongside Mac and Windows.
Labels: Aviator, blocking, Browser, chromium, cookies, duckduckgo, Google, Internet, mac, Malware, Microsoft, open-source, privacy, search engine, security, Track, Windows
Sunday, 23 March 2014
India fights botnet computers with a cleaning centre
The Indian government plans to establish a special "cleaning centre" that will engage in the fight against botnets. In recent years the number of Indian computers that are part of a botnet has exploded: in 2007 it was some 26,000 systems.
In the first half of 2013, however, the number of bots rose to 4.2 million systems. The increase is explained by the growing Internet usage in India. In addition, it is not just computers that become infected; more and more smartphones are becoming part of a botnet. The government therefore now wants to start a centre that, together with Internet providers, must put an end to the infections, the Deccan Herald reports.
NSA spying on Chinese networking giant Huawei
The NSA has conducted a widespread espionage operation against China in which both the Chinese government and Chinese companies were targeted, the German magazine Der Spiegel reports on the basis of documents received from whistleblower Edward Snowden.
Among the attacked companies are banks and telecommunication companies. The NSA focused in particular on the Chinese networking giant Huawei, the second largest network equipment provider in the world and a competitor of the American company Cisco. In 2009 the agency began an operation that was internally called "Shot Giant". A special NSA unit managed to break into Huawei's corporate network and copied a list of 1,400 customers as well as internal documents on the training engineers receive on the use of Huawei products.
Source code
A secret NSA presentation shows that the NSA also managed to gain access to Huawei's internal e-mail archive and to the secret source code of Huawei products. The network the agency had broken into generated so much e-mail and data that the NSA did not know what to do with it. As the reason for the break-in, the NSA states in the documents that many of its targets communicate via Huawei products. "We want to make sure that we can attack these products," an official says in one of the secret documents.
In a statement, a spokesperson for the network giant says that if the reports are correct, it is very ironic, since the United States has always accused Huawei of helping the Chinese government with espionage. Der Spiegel will publish more details about the NSA espionage operation tomorrow.
Labels: China, Cisco, Der Spiegel, Edward Snowden, espionage, German, Government, Huawei, NSA, Shot Giant, Spying
Wednesday, 19 March 2014
Windows spyware WinSpy and GimmeRAT monitor Android devices
If you use an Android phone and sync it with a Windows computer for backups and file transfers, be careful.
Figure: Mechanism of attack on a financial institution employing WinSpy
Researchers analysing an attack on a U.S. financial institution have found Windows spyware that is also able to monitor Android devices. The institution was attacked with a spear-phishing e-mail that had a large NSIS file as an attachment.
Once the file was opened, the recipient was shown a picture of a payslip while WinSpy was installed in the background. WinSpy is commercially available Windows spyware that, according to its authors, makes it possible to monitor computers but also Android devices. In a second attack on the institution WinSpy was used again, only this time the malware was hidden in an Excel document with a macro.
Once the malware is active on the computer, the attacker can control the webcam, capture screenshots, log keystrokes, disable security software, record surfing habits and chat conversations, record audio via the microphone, upload and download files, and send messages to the computer.
Android
During analysis of the malware, security company FireEye also discovered various Android components that can be used to monitor the victim. These are three different applications: one only works while the device is connected to the Windows computer, while the other two make it possible to control the Android device via SMS.
Figure: Deployment scenarios for the Android components
To install the Android spyware, the phone must be connected to the infected Windows computer, after which the installation takes place. Through the Android spyware, screenshots can be stolen and the location of the target can be determined.
"These attacks and tools confirm that we live in an age of digital surveillance and theft of intellectual property. Commercial Remote Administration Tools (RATs) continue to proliferate and are increasingly being used by attackers," said analyst Thoufique Haq. He notes that with the rise of mobile platforms like Android, a new market has emerged that also asks for RATs that support these platforms.
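Both lures described above (an NSIS installer posing as a payslip, and an Excel workbook carrying a macro) can be flagged at the mail gateway before a user opens them. The following is an added example written for this article, not FireEye's tooling: it triages an attachment by container type rather than by signature of WinSpy itself. The markers it relies on are the "NullsoftInst" string NSIS writes into its installer header, the xl/vbaProject.bin part that macro-enabled OOXML workbooks carry, and the "_VBA_PROJECT" directory entry (UTF-16LE) in legacy OLE2 .xls files; the sample workbook builder is constructed for testing and is not a real document.

```python
import io
import zipfile
from typing import List

# Added example, not FireEye's tooling: a first-pass triage of mail attachments for
# the two carriers the article describes, an NSIS installer and an Excel workbook
# carrying a VBA macro. "NullsoftInst" is the marker NSIS writes into its installer
# header; OOXML workbooks are zip files and store macros in xl/vbaProject.bin;
# legacy OLE2 .xls files store them under a "_VBA_PROJECT" directory entry
# (names in OLE2 directories are UTF-16LE).
NSIS_MAGIC = b"NullsoftInst"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
OOXML_VBA_PART = "xl/vbaProject.bin"
OLE2_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def has_nsis_payload(data: bytes) -> bool:
    # NSIS appends its own archive after the PE stub, so the marker sits in the body.
    return NSIS_MAGIC in data


def has_excel_macro(data: bytes) -> bool:
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return OOXML_VBA_PART in zf.namelist()
        except zipfile.BadZipFile:
            return False  # zip magic but unreadable archive: leave it to deeper analysis
    if data.startswith(OLE2_MAGIC):
        return OLE2_VBA_MARKER in data
    return False


def triage_attachment(name: str, data: bytes) -> List[str]:
    """Return the list of findings for one attachment; an empty list means nothing flagged."""
    findings = []
    if has_nsis_payload(data):
        findings.append("nsis-installer")
    if has_excel_macro(data):
        findings.append("excel-vba-macro")
    # A "spreadsheet" that is really a PE executable is suspicious in its own right.
    if name.lower().endswith((".xls", ".xlsx", ".xlsm")) and data.startswith(b"MZ"):
        findings.append("pe-with-spreadsheet-extension")
    return findings


def make_workbook(with_macro: bool) -> bytes:
    """Constructed minimal OOXML workbook for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr(OOXML_VBA_PART, b"constructed placeholder for vbaProject.bin")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_attachment("payslip.exe", b"MZ" + b"\x00" * 64 + NSIS_MAGIC))
    print(triage_attachment("invoice.xlsm", make_workbook(True)))
```

The checks look at the container, not the file name: an NSIS installer renamed to .scr or a macro workbook delivered as .xls is caught the same way, which is the point when the lure is a payslip image.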
Labels: Android, Devices, fireeye, GimmeRAT, Hacking, Macro, Malware, Monitor, NSIS, Phishing, RATs, Screenshot, Screenshots, Spyware, Target, Thoufique Haq, tools, Windows, WinSpy
Operation Windigo: 25,000 Linux servers infected by malware
In cooperation with CERT-Bund, the Swedish National Infrastructure for Computing and other institutes, ESET's malware researchers have uncovered an attack by cybercriminals that currently controls more than 25,000 Unix servers worldwide.
Figure: High-level perspective of Windigo's components and their relationship
In the attack, which the security experts call "Operation Windigo", servers are infected and then send out millions of spam e-mails. But the criminals have also developed a complex system of sophisticated malware components that hijacks servers, infects visiting computers and steals information. Victims of "Operation Windigo" include cPanel and kernel.org.
ESET today released, at welivesecurity.com/windigo, a detailed document presenting the results of the investigation and an analysis of the malware. A guide explains how users can check their own system for infection. In addition, ESET shows how the malicious code can be removed.
Operation Windigo: unnoticed for over three years
While experts encountered parts of Windigo early on, the full extent and complexity of this cybercriminal operation remained undetected by the security industry.
Figure: Flowchart of Windigo's credential-stealing scenario
"Windigo has gained strength largely unnoticed by the security community over more than two and a half years and has taken control of over 10,000 servers," says ESET security researcher Marc-Etienne Leveille. "More than 35 million spam messages are sent every day to the e-mail accounts of innocent users. These clog inboxes and compromise computer systems. Worse is that every day half a million computers run the risk of becoming newly infected. Visiting a web page whose server has been infected by 'Operation Windigo' ends on dangerous exploit kits or with unwanted advertising."
Although sites infected by Windigo only infect Windows computers with malware via an exploit kit, Mac users get advertisements for dating sites, and iPhone owners are redirected to pages with pornographic content.
Sysadmins are urged to take action against Windigo
About 60 percent of the world's websites run on a Linux server. ESET researchers ask webmasters and system administrators to check their systems for infection.
"Webmasters and IT professionals generally have a lot going on, so we are sorry to give them even more work. However, it is important: it is their opportunity, and perhaps even their duty, to protect other Internet users," says Leveille. "Everyone should strive to prevent the spread of malware and spam. A few minutes can make a big difference and contribute to the solution."
Figure: Timeline of events
Quick check for servers
The ESET experts advise Unix server administrators and webmasters to run the following command. It gives a quick indication of whether their own server is compromised:
$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
The check works because the OpenSSH client of the time rejects the -G option ("illegal option" or "unknown option"), whereas the Ebury-patched client accepts it. Note that OpenSSH 6.8 and later implement -G as a legitimate option that prints the effective client configuration, so on those releases the one-liner reports "System infected" on a clean machine; it is only meaningful for OpenSSH clients older than 6.8.
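The same check, written so that it can be reasoned about and reused, as an added example that is not ESET's script: the verdict logic is separated from running ssh, and the OpenSSH version is parsed first so that a client from 6.8 onward (where -G is a real option) yields "inconclusive" instead of a false "infected".

```python
import re
import subprocess
from typing import Optional, Tuple

# Added example, not ESET's script. It wraps the `ssh -G` quick check and handles
# the case the one-liner predates: OpenSSH 6.8 introduced -G as a legitimate option
# (print the effective client configuration), so on a client of that version or
# newer the absence of an "illegal option" error says nothing about Ebury.
FIRST_VERSION_WITH_G = (6, 8)


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int]]:
    """'OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f' -> (6, 6); None if not OpenSSH."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify_ssh_g(banner: str, ssh_g_output: str) -> str:
    """Verdict from the output of `ssh -V` and `ssh -G 2>&1`: clean, infected or inconclusive."""
    version = parse_openssh_version(banner)
    if version is None or version >= FIRST_VERSION_WITH_G:
        return "inconclusive"
    # Pre-6.8 clients reject -G ("illegal option" / "unknown option");
    # the Ebury-patched client accepts it, which is what ESET's one-liner keys on.
    if re.search(r"illegal|unknown", ssh_g_output):
        return "clean"
    return "infected"


def run_quick_check(ssh_binary: str = "ssh") -> str:
    """Run the check against the local ssh client (ssh -V prints its banner on stderr)."""
    try:
        banner = subprocess.run([ssh_binary, "-V"], capture_output=True, text=True)
        probe = subprocess.run([ssh_binary, "-G"], capture_output=True, text=True)
    except FileNotFoundError:
        return "inconclusive"  # no ssh client installed
    return classify_ssh_g(banner.stdout + banner.stderr, probe.stdout + probe.stderr)


if __name__ == "__main__":
    print("ssh -G quick check:", run_quick_check())
```

An "inconclusive" result is not a clean bill of health; on a current OpenSSH the client binary and libkeyutils should be verified against the distribution's package checksums instead.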
If an infection is confirmed, ESET recommends wiping the affected computer completely and reinstalling the operating system and software. It is imperative to use new passwords and private keys, as the existing credentials must be considered compromised.
Bitter medicine for Windigo victims
"The Ebury backdoor used by Operation Windigo does not exploit weaknesses in Linux or OpenSSH," Leveille continues. "Instead, it is installed manually by the attacker. It is scary that the cybercriminal group has done this successfully on thousands of different servers. While antivirus programs and two-factor authentication are common on clients, they are rarely employed to protect servers. This makes servers quite vulnerable to credential theft and malware."
In the future, server operators should therefore aim for a greater degree of protection, including technologies such as two-factor authentication.
"We know that cleaning the server and rebuilding the systems is a very bitter pill. But if attackers have stolen or cracked administrators' access data and were able to establish remote access to the server, this is the only safe way," said Leveille. "Unfortunately, some of the victims we have contacted have so far done nothing to clean up their systems, and are thus putting other Internet users at risk." All computer users should always remember never to use passwords that are easy to crack or that have been used before.
Labels: Compromised, Eset, Hijacked, Information, Leveille, Linux, Malware, OpenSSH, Operation Windigo, Server, Steal, Unix, Windigo
Tuesday, 18 March 2014
Intruders hijack Google's public DNS servers
Traffic to Google's free DNS service was hijacked for 22 minutes last Saturday, so that queries and traffic for Google's servers temporarily ended up at a Venezuelan network, claims BGPmon, a company that monitors networks and Internet traffic.
Many Internet users have replaced their own provider's DNS servers with those of Google. The Domain Name System (DNS) works like a telephone directory and, among other things, translates domain names into IP addresses. By configuring Google's DNS servers (8.8.8.8 and 8.8.4.4), Internet users no longer ask their provider for the IP address belonging to a given domain name, but Google.
Last Saturday, traffic to Google's DNS servers was redirected to a network in Venezuela for 22 minutes. According to BGPmon, this was a BGP (Border Gateway Protocol) hijack, and it affected transit networks in both Venezuela and Brazil. BGPmon did not know how the hijack could have occurred, but the potential for abuse was enormous, the company said on Twitter.
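A route monitor such as BGPmon spots this kind of event by comparing each BGP announcement against the origin AS that is expected for the prefix, and by treating a more-specific prefix from an unexpected origin as a hijack even while the legitimate route is still announced. The following is an added example written for this article, not BGPmon's code: the only real values in it are that 8.8.8.0/24 and 8.8.4.0/24 are announced by Google's AS15169; the announcements and the other AS numbers (taken from the 64496-64511 range reserved for documentation) are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not BGPmon's code: the origin-AS check a route monitor applies to
# BGP announcements to spot a hijack like the one described above.
# Real values: 8.8.8.0/24 and 8.8.4.0/24 are announced by Google's AS15169.
# Everything else is constructed; ASNs 64496-64511 are reserved for documentation.
EXPECTED_ORIGIN: Dict[ipaddress.IPv4Network, int] = {
    ipaddress.ip_network("8.8.8.0/24"): 15169,
    ipaddress.ip_network("8.8.4.0/24"): 15169,
}


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: Tuple[int, ...]  # as seen by the monitor: leftmost = neighbour, rightmost = origin


@dataclass(frozen=True)
class Alert:
    kind: str              # ok | origin-hijack | more-specific-hijack | unmonitored
    prefix: str
    origin: int
    expected_origin: int = 0


def check_announcement(ann: Announcement, expected=EXPECTED_ORIGIN) -> Alert:
    """Classify one announcement against the expected (prefix -> origin AS) table."""
    if not ann.as_path:
        raise ValueError("announcement without AS path")
    net = ipaddress.ip_network(ann.prefix)
    origin = ann.as_path[-1]
    for monitored, wanted in expected.items():
        if net.version != monitored.version:
            continue
        if net == monitored:
            kind = "ok" if origin == wanted else "origin-hijack"
            return Alert(kind, ann.prefix, origin, wanted)
        if net.subnet_of(monitored):
            # A more specific prefix wins longest-prefix matching, so traffic for that
            # part of the block follows it even while the legitimate /24 is still announced.
            # The same origin de-aggregating its own block is legitimate.
            kind = "ok" if origin == wanted else "more-specific-hijack"
            return Alert(kind, ann.prefix, origin, wanted)
    return Alert("unmonitored", ann.prefix, origin)


def hijack_alerts(updates: List[Announcement]) -> List[Alert]:
    """Return only the announcements that contradict the expected origin."""
    return [a for a in (check_announcement(u) for u in updates) if a.kind.endswith("hijack")]


if __name__ == "__main__":
    # Constructed feed: a normal update, then the same /24 and a /25 from a foreign origin.
    feed = [
        Announcement("8.8.8.0/24", (64500, 15169)),
        Announcement("8.8.8.0/24", (64500, 64496)),
        Announcement("8.8.8.0/25", (64496,)),
    ]
    for alert in hijack_alerts(feed):
        print(alert)
```

A less-specific (covering) announcement from a foreign AS is deliberately not flagged here: it does not override the legitimate /24 in routers that still hold it, so a monitor watching for traffic diversion keys on equal-length and more-specific prefixes.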
Monday, 17 March 2014
Spyware provider sells smartphones with spyware pre-installed
A provider of a spyware program for smartphones now also offers devices on which the spyware is already installed. mSpy, as the company is called, describes its software as a "powerful monitoring solution" that follows all of the user's activities.
It is possible to listen in on phone calls, block calls, read text messages, view chat conversations and browsing history, lock the device, view the calendar and address book, read e-mails, view stored photos and videos, and log keystrokes. The spyware, which is said to be "100% undetectable", still had to be installed on the device first.
For cases where this is not possible or too much work, mSpy's shop now offers pre-infected devices: a Nexus 5, an Apple iPhone 5S, an HTC One and a Galaxy S4, including an annual subscription to the spyware. According to mSpy, using the spyware is legal as long as the target is informed in advance and gives consent.
In a Forbes article highlighting the software, company founder Andrei Shimanovich, addressing that issue, is quoted as saying:
It is the same question with the gun producer. If you go out and buy a gun and go shoot someone, no one will go after the gun producer. People who shoot someone will be responsible for this. Same thing for mSpy. We just provide the services which can solve certain tasks regarding parents and teenagers.
Labels: Device, Forbes, HTC, Infected, iPhone, Keylogger, Malware, Mobile, Monitoring, mspy, Program, Smartphones, Spying
Sunday, 16 March 2014
Connection between Turla, Uroburos and Agent.BTZ
Experts from G Data and BAE Systems recently released information about a persistent cyber-espionage operation code-named Turla (also referred to as Snake or Uroburos). Kaspersky Lab's research and analysis team has now found an unexpected connection between Turla and an existing piece of malware known as Agent.BTZ.
Kaspersky Lab analysed the relationship between Turla, also known as Snake or Uroburos, and other known cyber-espionage tools. After a number of IT security companies published reports on this threat, many experts in the field concluded that Turla is related to another piece of malware that was notorious at the time: Agent.BTZ.
In 2008 the Agent.BTZ worm infected the local networks of U.S. Central Command in the Middle East and was called the worst incident in the history of U.S. military computing. According to some sources, the Pentagon spent nearly 14 months eliminating the effects of the infection, and the incident provided the impetus for the creation of U.S. Cyber Command.
The malicious program, supposedly created in 2007, contains functionality to search for valuable information on the infected computer and send it to a remote command-and-control server. Kaspersky Lab first encountered the Turla malware in March 2013 during the investigation of another incident involving a highly complex rootkit.
In the course of the investigation, Kaspersky Lab specialists found interesting facts indicating that the Agent.BTZ worm apparently served as a model for the creators of the most technically advanced cyber-weapons: Red October, Turla, as well as Flame and Gauss. Careful analysis showed that the creators of Red October clearly knew about the functionality of Agent.BTZ: their USB Stealer module, written in 2010-2011, among other things searches USB media for, and copies, the archives of information accumulated by the worm and its log files. Turla, in turn, uses the same file names for logging its own actions as Agent.BTZ, and exactly the same encryption key.
Finally, Flame uses file extensions similar to those of the worm and also stores stolen information on USB devices. Taking this into account, it can be argued that the creators of the aforementioned cyber-espionage campaigns thoroughly studied the workings of Agent.BTZ and used that experience to develop their own malicious programs with similar goals. However, this does not make it possible to speak of a direct connection between the two groups of intruders.
"Based on the data we have, it is impossible to make such a statement. All the information used by the developers of these malicious programs was publicly known at least by the time Flame and Red October were created. The names of the files in which the worm accumulated information from infected systems were also not a secret. Finally, the encryption key, which is identical in the cases of Turla and Agent.BTZ, was published back in 2008. It is unknown since when it has been used in Turla. On the one hand, we found it in samples that were created this year and last year; on the other hand, there is information that the creation of Turla began in 2006, before the first sample of Agent.BTZ was found. Consequently, the question of a link between the development of these cyber-weapons remains open," concluded Aleks, chief anti-virus expert at Kaspersky Lab.
Details from the Kaspersky report are available here.
Figure: Map of infections caused by different modifications of "Agent.btz" in 2011-2013
Labels: Agent.BTZ, BAE, Encryption, Flame, Flame Relations, G Data, Gauss, Kaspersky, Malicious, Malware, Red October, security, Snake, Turla, Uroburos
Phishing attack on Google users hosted by Google
In a recent phishing attack on users of Google Docs and Google Drive, cybercriminals hosted the phishing page where victims had to enter their credentials on Google's own servers, something that makes the attack both refined and remarkable, Symantec says.
Figure: Google Docs phishing login page
The anti-virus company discovered the attack, which starts with an e-mail with the subject "Documents". The e-mail prompts the recipient to view an important document. The link, however, does not point to Google Docs but to a fake Google login page. The fake page is hosted on Google's servers and is served over an SSL-secured connection, which makes the attack seem more convincing.
The scammers created a folder in a Google Drive account, placed a file in it and then made the folder public. Through Google Drive's preview feature they obtained a publicly accessible URL, which was added to the phishing e-mails. When users fill in their information on the phishing page, it goes directly to the criminals behind the attack, while the victim is redirected to the real Google Docs page and may not notice anything.
Labels: Attack, Credentials, Docs, Document, Email, Folder, Gmail, Google, Google Drive, Login, Page, Phishing, Scammers, SSL, Symantec
Thursday, 13 March 2014
NSA wants to infect millions of computers with malware
According to documents obtained from Edward Snowden and published by The Intercept, the U.S. National Security Agency (NSA) has plans to spread malicious software in order to control millions of computers.
"Sometimes the NSA disguises itself as a Facebook server, using it to infect the target's computer and steal files from its hard drive; at other times the NSA sends spam containing malware, malicious software that can record through the computer's microphone and also take snapshots with the computer's camera," The Intercept's Ryan Gallagher and Glenn Greenwald explained.
The documents show that the NSA program was initially confined to infecting a network of hundreds of targets, but it soon expanded to a much larger scale in order to hunt down suspects.
The Intercept wrote: "The NSA began rapidly expanding its intrusion capabilities ten years ago; confidential internal records show that in 2004 the NSA managed only 100 to 150 malware implants on computer networks."
"But over the next six to eight years, the elite intrusion unit called TAO (Tailored Access Operations) recruited new hackers and developed new malware tools, and the number of implants surged to tens of thousands."
From the files Edward Snowden leaked we do not know the impact of this project, or whether it has been stopped. They only tell us what the NSA has been doing in monitoring the Internet.
Intelligence agencies have long believed that encryption technology is a threat to national security. Since the beginning of the 1990s they have actively lobbied for backdoor access to be built into computer tools under development, and more recently they have sought to undermine international security standards in order to hunt down suspects. Security experts, however, worry that weaker standards make the Internet more fragile when it is attacked by malicious users.
"As a software and security engineer, the idea of opening a back door in backbone infrastructure is horrifying to me," University of Pennsylvania professor Matt Blaze said in an interview with The Intercept. "Don't think only of the goal the NSA wants to achieve; how do you know it will work properly, and how do you know it will stay confined to the targets the NSA wants to investigate?"
Tuesday, 11 March 2014
McAfee: POS malware can be ordered online threats jumped 197% issued report
Sellers offer BlackPOS (“Dump, CC Memory Grabber”) for purchase online. |
Online marketplaces for stolen credit card numbers are thriving. |
McAfee report released 2013 Q4 mobile platform malware threats jumped 197%
2013 fourth quarter, Target and other well-known retailers, consumer credit card information was leaked events, and McAfee's 2013 Q4 report that the malware used by attackers, is derived from 'cyber crime as a Service' ( Cybercrime-as-a-Service) communities.
In addition, McAfee also updated the malware data mobile platform - the company's called "Malware Zoo". Compared to last year, the situation did not diminish - soared 197%.
As ever (probably) the largest credit card information leak case together, despite its place in the point of sale POS system, but the company for the conclusion of the event, but it paints a depressing picture.
Vincent Weafer (McAfee Labs), senior vice president of McAfee Labs wrote: "What is more worrying is that the malicious software industry is how their customer service."
After buying a ready-made version of the POS network malware (Target's case, this stock is called BlackPOS), hackers also specifically modified it for their own use.
The McAfee After working with different organizations to extract and identify different data (domain name and user accounts, etc.), and returns the data to the hacker's code (as shown below).
The Target malware included hardcoded scripts to steal domain names, user accounts, and other data |
Vincent Weafer added: "They even had a ready-made, highly efficient black market to sell stolen credit card information, and even includes an anonymous virtual currency payment system based POS raw materials, manufacturing, marketing, trading support - nothing is there. "
McAfee estimates that the stolen credit card data (reportedly 40 million cards) would fetch between one million and four million U.S. dollars on Lampeduza Republic and other black markets.
McAfee's report contains many other noteworthy points:
For example, the number of signed malicious binaries is rising. McAfee said that more and more "dubious" content is being distributed on the network, and cases of malware abusing CA-issued certificates are also quite common.
In the fourth quarter of 2013, the company found more than 2.3 million signed malicious binaries, an increase of 52% over the third quarter. The total for 2013 was 5.7 million, already more than three times the 2012 figure.
McAfee wrote: "This threat is not only proliferating faster, it is also becoming increasingly complex."
As for mobile platforms, the number of malicious software samples also continues to climb. The total collected in 2013 reached 2.47 million, of which 744,000 were found in the fourth quarter, an increase of 197 percent from a year ago.
McAfee did not single out a platform, but given that Android is already the world's most popular smartphone platform, the implication is self-evident.
McAfee noted that mobile malware spreads in roughly the same ways as on computer platforms: infection through applications or through web browsing. In 2013 the company tracked 200 new malware samples per minute.
Geographically, North America still "tops the list." Although "hacker hotbeds" are "on the rise in other countries and regions," the United States remains the leading source of suspicious content and spam links.
Overall, the browser remains the most common avenue for malicious attacks.
This script sent credit card data to the Target attackers.
MD5: c4e99fdcd40bee6eb6ce85167969348d
VirusTotal link
Detail from the McAfee report is available: Here
Monday, 10 March 2014
Was Bitcoin trading platform Mt. Gox's security problem a fraud? Hackers say so!
Last month, the Tokyo-based Bitcoin trading platform Mt. Gox claimed to have lost customer bitcoins worth nearly $500 million because of security vulnerabilities, but many users do not trust the platform's explanation.
Mt. Gox has not provided further information on how it was hacked; according to reports, hackers exploited vulnerabilities in the trading system software to steal the coins, eventually leading to Mt. Gox's collapse. On Sunday, a group of hackers claimed to have broken into the personal blog of Mt. Gox CEO Mark Karpeles and found that the number of bitcoins held was inconsistent with the number Mt. Gox claimed had been stolen.
According to Forbes, the hackers broke into Karpeles's personal blog and Reddit account and posted a message claiming that Mt. Gox still has use of some of the bitcoins Karpeles claimed were stolen.
The hackers uploaded a series of documents, including a spreadsheet containing anonymized user Bitcoin balances, as well as a screenshot of Karpeles's proof of residence as evidence that they had access to these data. In addition, the hackers released a 716 MB file, saying it contained data stolen from the Mt. Gox server. Here is the link to the data.
List of files
$ tree
.
├── backoffice
│   ├── Bin
│   │   ├── TibanneBackOffice
│   │   │   ├── MacOSX
│   │   │   │   └── TibanneBackOffice.app
│   │   │   └── Windows
│   │   │       └── TibanneBackOffice.exe
│   │   └── screenshot.png
│   ├── Docs
│   │   ├── CV-Mark_Karpeles_20100325.pdf
│   │   ├── btc_xfer_total_summary.txt
│   │   ├── home_addresses.txt
│   │   └── trades_summary.txt
│   └── Exports
│       ├── btc_xfer_report.csv
│       └── mtgox_balances
└── trades
    ├── 2011-04.csv
    ├── 2011-04_mtgox_japan.csv
    ├── 2011-05.csv
    ├── 2011-06.csv
    ├── 2011-07.csv
    ├── 2011-08.csv
    ├── 2011-09.csv
    ├── 2011-10.csv
    ├── 2011-11.csv
    ├── 2011-12.csv
    ├── 2012-01.csv
    ├── 2012-02.csv
    ├── 2012-03.csv
    ├── 2012-04.csv
    ├── 2012-05.csv
    ├── 2012-06.csv
    ├── 2012-07.csv
    ├── 2012-08.csv
    ├── 2012-09.csv
    ├── 2012-10.csv
    ├── 2012-11_coinlab.csv
    ├── 2012-11_mtgox_japan.csv
    ├── 2012-12_coinlab.csv
    ├── 2012-12_mtgox_japan.csv
    ├── 2013-01_coinlab.csv
    ├── 2013-01_mtgox_japan.csv
    ├── 2013-02-12_coinlab.csv
    ├── 2013-02-12_mtgox_japan.csv
    ├── 2013-02-19_coinlab.csv
    ├── 2013-02-19_mtgox_japan.csv
    ├── 2013-02-26_coinlab.csv
    ├── 2013-02-26_mtgox_japan.csv
    ├── 2013-02_coinlab.csv
    ├── 2013-02_mtgox_japan.csv
    ├── 2013-03-05_coinlab.csv
    ├── 2013-03-05_mtgox_japan.csv
    ├── 2013-03-12_coinlab.csv
    ├── 2013-03-12_mtgox_japan.csv
    ├── 2013-03-19_coinlab.csv
    ├── 2013-03-19_mtgox_japan.csv
    ├── 2013-03-26_coinlab.csv
    ├── 2013-03-26_mtgox_japan.csv
    ├── 2013-03_coinlab.csv
    ├── 2013-03_mtgox_japan.csv
    ├── 2013-04_coinlab.csv
    ├── 2013-04_mtgox_japan.csv
    ├── 2013-05_coinlab.csv
    ├── 2013-05_mtgox_japan.csv
    ├── 2013-06_coinlab.csv
    ├── 2013-06_mtgox_japan.csv
    ├── 2013-07_coinlab.csv
    ├── 2013-07_mtgox_japan.csv
    ├── 2013-08_coinlab.csv
    ├── 2013-08_mtgox_japan.csv
    ├── 2013-09_coinlab.csv
    ├── 2013-09_mtgox_japan.csv
    ├── 2013-10_coinlab.csv
    ├── 2013-10_mtgox_japan.csv
    ├── 2013-11_coinlab.csv
    └── 2013-11_mtgox_japan.csv
33 directories, 80 files
The dump contains records of all the trades that took place, the exchange's management utility, and summary statistics computed by the attackers (the archive was assembled by the attackers so as to avoid leaking personal data of Mt. Gox customers).
Currency: AUD Balance: 924,124.65121
Currency: BTC Balance: 951,116.21905382 <- This fat fucker lied to us! (Sic)
Currency: CAD Balance: 320,184.36558
Currency: CHF Balance: 99,487.07308
Currency: CNY Balance: 297,775.78994
Currency: DKK Balance: 112,264.56207
Currency: EUR Balance: 5,634,625.59531
Currency: GBP Balance: 921,892.96793
Currency: HKD Balance: 740,519.14894
Currency: JPY Balance: 384,885,150.13700
Currency: NOK Balance: 91,346.00305
Currency: NZD Balance: 58,224.95320
Currency: PLN Balance: 1,645,194.67364
Currency: RUB Balance: 551,162.54477
Currency: SEK Balance: 15,335.84383
Currency: SGD Balance: 43,193.59706
Currency: THB Balance: 666,464.33497
Currency: USD Balance: 30,611,805.67481
Total BTC Deposits: 19,065,241.307202
Total BTC Withdrawl: 18,563,466.149383
------------
BTC Difference: 501,775.157819
The hackers also said that the company's balance sheet shows 951,116 BTC, worth more than 600 million U.S. dollars at current prices. When announcing its bankruptcy filing, Mt. Gox claimed it had lost a total of 850,000 bitcoins, of which 100,000 belonged to the trading platform itself.
CNET reported that the data published by the hackers have not been confirmed, but some Reddit users said that their personal account balances match the data the hackers released.
As of press time, Karpeles and the Bitcoin trading platform Mt. Gox had not yet issued a statement on the matter.
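As an added example (not from the post or from the leaked archive), a small Python reconciliation check over the balance summary quoted above: it parses the dump into exact Decimal amounts, verifies that the attackers' "BTC Difference" line really is deposits minus withdrawals, and compares the reported BTC balance with the 850,000 BTC loss Mt. Gox announced. The dump excerpt is constructed from the figures in the post.

```python
import re
from decimal import Decimal

# Constructed excerpt of the balance summary quoted in the post (same figures,
# same line format, including the attacker's comment on the BTC line).
DUMP = """\
Currency: EUR Balance: 5,634,625.59531
Currency: BTC Balance: 951,116.21905382 <- This fat fucker lied to us! (Sic)
Currency: USD Balance: 30,611,805.67481
Total BTC Deposits: 19,065,241.307202
Total BTC Withdrawl: 18,563,466.149383
------------
BTC Difference: 501,775.157819
"""

NUM = r"([\d,]+(?:\.\d+)?)"
BALANCE_RE = re.compile(r"^Currency:\s*([A-Z]{3})\s+Balance:\s*" + NUM)
TOTAL_RE = re.compile(r"^Total BTC (Deposits|Withdrawl):\s*" + NUM)  # spelling as in the dump
DIFF_RE = re.compile(r"^BTC Difference:\s*" + NUM)


def parse_amount(text):
    # Decimal, not float: 8-decimal (satoshi) amounts must reconcile exactly.
    return Decimal(text.replace(",", ""))


def parse_dump(text):
    """Return (balances by currency, BTC flow totals, attacker-stated difference)."""
    balances, totals, claimed_diff = {}, {}, None
    for line in text.splitlines():
        if m := BALANCE_RE.match(line):      # trailing comments are ignored
            balances[m.group(1)] = parse_amount(m.group(2))
        elif m := TOTAL_RE.match(line):
            totals[m.group(1)] = parse_amount(m.group(2))
        elif m := DIFF_RE.match(line):
            claimed_diff = parse_amount(m.group(1))
    return balances, totals, claimed_diff


def reconcile(text, announced_loss):
    """Cross-check the dump's own arithmetic and compare it with the announced loss."""
    balances, totals, claimed_diff = parse_dump(text)
    net_flow = totals["Deposits"] - totals["Withdrawl"]
    return {
        "btc_balance": balances["BTC"],
        "net_flow": net_flow,
        "diff_line_consistent": net_flow == claimed_diff,
        "balance_exceeds_announced_loss": balances["BTC"] > announced_loss,
        "balance_minus_net_flow": balances["BTC"] - net_flow,
    }
```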
Sunday, 9 March 2014
Hackers attacked government computers in the U.S. and E.U.; the attack is said to have come from Russia
Hundreds of government computers in Europe and the USA have been silently infected with a sophisticated malicious application. According to Reuters, it is one of the most comprehensive cyber-espionage programs discovered so far. Some security analysts and Western intelligence agencies have concluded that this spyware, known as Turla, is the work of the Russian government and is related to software used in a massive hack of the U.S. military that was revealed in 2008.
Hackers using the Turla spyware build "focal points" in the compromised networks, through which the computers are searched for data, the information is saved and, where necessary, the data is sent to their servers.
"It's sophisticated malware that is associated with another Russian malicious program. It uses encryption and targets Western governments. It shows traces of Russian work," said Jim Lewis, who previously worked in the diplomatic service of the U.S. State Department and now works at the Center for Strategic and International Studies in Washington.
They have been watching it for years
Security experts warn that a Russian origin cannot truly be proven.
Experts from established security companies have been monitoring Turla for several years. Symantec estimates that the Turla malware, together with its relative, the Agent.BTZ Trojan horse, has infected a thousand networks. Symantec has not disclosed the names of the victims, saying only that they are mostly government computers.
The anti-virus firm F-Secure first encountered Turla last year while examining a compromised organization. "Although it looks like the Russians, there is no way to determine this with certainty," said Mikko Hypponen of F-Secure. He did not name the affected organizations either.
Reuters raised the matter with several European governments, but many of them refused to comment on the Turla malware. Government sources from the Czech Republic, Estonia, Poland and Romania, however, indicated that they were not directly affected by this malicious program.
The threat of a snake
The question of the public threat posed by this program came up this week when the lesser-known German antivirus company G Data published a report on the malware, identified as Uroburos.
The name is derived from part of the program code and from the ancient symbol showing a snake or dragon devouring its own tail.
The British company BAE Systems Applied Intelligence, formerly known as Detica, the cyber arm of a prominent British defense contractor, has issued its own report on this malware, which it calls "Snake". The sheer sophistication of the software goes much further than anything encountered so far, the British document says, without assigning responsibility for the attack to anyone.
Detail from the BAE Systems report is available: Here
More at: http://e-svet.e15.cz/internet/hackeri-napadli-vladni-pocitace-v-usa-i-eu-utok-pry-prisel-z-ruska-1067660#utm_medium=selfpromo&utm_source=e15&utm_campaign=copylink
Thursday, 6 March 2014
G Data finds Russian cyber weapon: the Uroburos rootkit
According to experts, the rootkit, which steals confidential information, has been used by hackers since 2011.
Specialists at the German company G Data have found a new malicious program designed to steal confidential information. According to the professionals, Russian special services were involved in developing the malware. The Uroburos rootkit takes its name from a mythical dragon, as well as from a sequence of characters within the malware's code: Ur0bUr()sGotyOu#.
Uroburos steals files from infected computers and intercepts network traffic. The malicious program is designed to operate in P2P mode to establish communication between infected systems. This feature allows attackers to remotely access one computer with an Internet connection in order to control other PCs on the LAN.
Interestingly, to hide its activity the rootkit uses two virtual file systems, NTFS and FAT, which are stored locally on the infected machine. These file systems allow the attackers to keep third-party tools, post-exploitation tools, temporary files and binary output on the victim's PC. The virtual file systems can be accessed through the devices \Device\RawDisk1 and \Device\RawDisk2, as well as the drives \\.\Hd1 and \\.\Hd2.
G Data experts say: "The creation of such structures as Uroburos requires huge investments. The development team behind this malware obviously consists of highly qualified IT specialists. Such a conclusion can be drawn by analyzing the structure and modern design of the rootkit. We believe that the developers are also working on improved versions of Uroburos, which will appear in the future."
Based on certain specifics (file names, encryption keys, behavior, etc.), G Data representatives suggested that the authors of Uroburos are the same group of intruders that carried out the 2008 attack on U.S. computer systems using the Agent.BTZ malware.
Experts say that before installing itself on a victim's system, Uroburos checks for the presence of Agent.BTZ. If it is present, the new rootkit remains inactive. Evidence that Russians may be behind the creation of Uroburos is that Cyrillic is present in the malware's code.
Recall that after the Agent.BTZ attack, the United States banned the use of USB drives and other removable media in the American military, as it was assumed that the Department of Defense had been infected through a USB drive.
According to G Data, the authors of Uroburos are targeting large enterprises, state intelligence agencies and other organizations. Presumably the rootkit has been in use for three years, as the oldest version of the program was written in 2011.
Technical details
SHA256: BF1CFC65B78F5222D35DC3BD2F0A87C9798BCE5A48348649DD271CE395656341
MD5: 320F4E6EE421C1616BD058E73CFEA282
Filesize: 210944
Detail from the G Data report is available: Here