Wednesday 28 February 2018

Decrease Of Malicious Advertisements In The Second Half Of 2017



The number of malicious advertisements that Internet users tried to infect with malware, tried to deprive data or attempted to defame it in another way, was reduced in the second half of 2017, security company RiskIQ claims. In the third quarter, the security company detected 53 percent less malvertising than in the second quarter of 2017. In the fourth quarter, this decline continued and 10 percent fewer malicious ads were detected.


The use of advertisements to attack unpatched internet users, for example through vulnerabilities in Adobe Reader or Internet Explorer, decreased by 36 percent in the third quarter and 20 percent in the fourth quarter. Other malware in ads decreased by as much as 67 percent in the fourth quarter. The fourth quarter, however, saw an increase of 16 percent in the number of ads pointing to a scam, but overall there were fewer rogue ads in both the third and fourth quarters.

Coinhive Code Injected On LA Times Website


The website of the American newspaper the LA Times has unknowingly implemented Coinhive code in order to minate Monero's. The code has certainly been on an interactive map of the newspaper about murders in cities since 9 February , researchers from Bad Packet's report have discovered. The code let the CPU run just below 30 percent of its power to remain unnoticed, writes John Dunn from security company Sophos .

The code has been injected via a poorly secured Amazon AWS S3 bucket. This S3 bucket offered visitors write permissions. The researchers also found a message that suggested that someone else had access, in addition to the Bad Packet Report researchers and the cryptojackers themselves. The message was as follows:

Hello, this is a friendly warning that your Amazon AWS S3 bucket settings are wrong.
Anyone can write to this bucket. Please fix this before a bad guy finds it.

After the researchers informed the newspaper about the incident, the code was cleaned up and the cloud environment better secured. Coinhive has also lifted the account that was linked to the code. The researchers suspect that approximately 24 dollars of crypto currencies have been generated.

Veil System: Researchers Make Private Browsing More Private


All modern browsers now have private browsing, a function that ensures that the surfing behavior is not stored on the computer. However, the information that is accessed during private browsing can still be retrieved from the computer by a motivated attacker. Reason for researchers from MIT and Harvard to develop a new system called Veil that should make private browsing more private.

Browsers should delete all stored data after closing a private browsing session. However, modern memory management is complex and can ensure that data is left in the memory somewhere. Veil tries to tackle this problem by encrypting all data that the browser loads into memory until it is displayed on the screen.

The use of Veil

To use Veil, the Veil user goes to the Veil website and enters the url of a website. A special "blinding server" then sends a version of the requested page in the Veil format. The Veil page is similar to a normal web page, but contains code that executes a decryption algorithm. The data on the page is unreadable until it is decrypted by the algorithm. Once the data has been decrypted, it must be loaded into the computer's memory to be displayed on the screen. This temporarily stored data should be much harder to trace when the browsing session is over.

In order not to give attackers a chance, Veil takes an additional security measure. The blinding server adds meaningless code to every loaded page. This code has no effect on how the page before the user looks, but does change the underlying source file. Every page that is loaded by a blinding server, even if it is the same page, looks different. An attacker who manages to obtain part of the decrypted code after closing a Veil session is therefore unlikely to say which website the user visited.

When these measures are not enough, Veil also offers the option to have the blinding server take a picture of the requested page. In this case, the blinding server opens the requested page, makes a screenshot of it and sends it to the user. This prevents executable code from ending up on the user's system. If the user then clicks on the image somewhere, the browser registers this and sends the new request to the blinding server, which then loads a new zoomed image and sends it back to the user.In order to use the system, websites do have to create a Veil version of their website, but the researchers have developed a compiler for this that automatically performs the conversion. A bigger challenge is hosting the blinding servers, which can be done by volunteers, as is the case with the Tor network, or by companies that, for example, want to offer their visitors more privacy. No adjustments to the browser are required for the implementation of Veil.

Researchers Warn Of Android Malware RedDrop



Security researchers warn of a new type of malware for Android phones called RedDrop. Hackers can not only steal a lot of information from the infected smartphone, sounds can be recorded and photos can be taken and Premium SMS messages can be sent.

Security company Wandera has researched the new malware and observes that RedDrop is now nestled in at least 53 Android apps. When such an infected app is opened, at least seven new APKs are installed in the background, each with malicious functions.


With the help of spyware, all kinds of information about the user is collected and then sent to a Dropbox account of the attacker. The data collected includes local files, such as photos, live sound recordings, device and SIM information (IMEI, IMSI, MNC, MCC) and information from the application and Wi-Fi networks in the area.

Also, if a user uses the infected app, a text message is sent to a payment service in the background, which is immediately removed to prevent discovery.

The creators of RedDrop use a content distribution network with more than 4000 domain names to distribute the malware. The researchers suspect that a lot is referred to domains to hide the source of the malware as well as possible.

Malware Infection Chain:



According to Michael Covington, VP Product Strategy at Wandera, this is very sophisticated malware . "The criminals very cleverly offer a seemingly handy app that performs all sorts of complex malicious activities in the background. The attacker not only uses a wide range of malicious applications to tempt the victim, they have also perfected every little detail to ensure that their actions are difficult to trace. This is one of the more persistent malware variants we've seen. "

Decrypting Tool For GandCrab Ransomware Available



Victims of the GandCrab ransomware can regain access to their encrypted files. The decrypting tool for GandCrab was made available today on the site nomoreransom.org by the Romanian police in cooperation with Bitdefender and the European police organization Europol.

GandCrab has been observed in the wild for about a month and has now made more than 50,000 victims worldwide, including many Europeans. It is therefore one of the most aggressive forms of ransomware this year, according to Europol .

GandCrab spreads via manipulated advertisements on websites and via fake invoices that are sent as attachments by e-mail. When the malware is installed, the files on the victim's computer are encrypted and an amount of 300 to 500 dollars in ransom is demanded, to be paid in the virtual currency DASH.

As far as we know, GandCrab is the first ransomware copy that requires payment in DASH. GandCrab also has an affiliate program where the ransomware is offered as a service (ransomware-as-a-service) and the developers receive a commission for each ransom payment received.