Tag Archive for Malware

RB | January 17, 2012
One comment

QR Codes Can Put Users at Risk

QR malware-Updated 01-26-12- It was just a matter of time and now the Websense (WBSN) ThreatSeeker Network has started spotting spam messages that lead to URLs that use embedded QR codes. According to a report at Help Net Security this is a clear evolution of traditional spammers towards targeting mobile technology. The spam email messages look like traditional pharmaceutical spam emails and contain a link to the Web site 2tag.nl. Once the 2tag.nl URL from the mail message is loaded in the browser, a QR code is displayed, along with the full URL. When the QR code is read by a QR reader, it automatically loads the spam URL.

Quick Response codes (QR codes) are a “new” type of barcode that can be used for a variety of purposes tracking, ticketing, labeling of products, etc. They can be put anywhere, in magazines, buses, websites, TV, tickets, and on almost any object which they might want to learn more about.

 Help Net Security writes that when used for legitimate purposes, they make life easier for users. “All you need to ‘visualize such a code is a smartphone with a camera and a QR reader application to scan it – the code can direct you to websites or online videos, send text messages and e-mails, or launch apps,” point out BullGuard’s researchers.

Unfortunately, QR codes can just as easily be used to compromise users’ mobile devices. “Much like URL shortening services can be and are used maliciously because of the fact that they obscure the real target URL, QR codes can also be used for such deception,” Joe Levy, CTO of Solera Networks told DarkReading. “QR codes … provide a direct link to other smart phone capabilities such as email, SMS, and application installation. So potential attack vectors extend beyond obscured URLs and browser exploits very nearly to the full suite of device capabilities.”

Mobile malwareThere are several ways attackers are already using malicious QR codes to perpetrate their scams. A recent attack via QR code “Attaging” took place in Russia and involved a Trojan disguised as a mobile app called Jimm. Once installed, “Jimm” sent a series of expensive text messages ($6 each), racking up unwanted charges.

On Apple (AAPL) iOS devices, hackers are sending users to websites that will jailbreak the device and install more malicious malware. Tomer Teller, security evangelist at Check Point Software Technologies, told DarkReading, “a user scans a barcode and is redirected to an unknown website … the user phone will be jail broken and additional malware could be deployed (such as key loggers and GPS trackers).”

Android malware“On the Google (GOOG) Android  … Criminals are redirecting users to download malicious applications. All a user needs to do is scan a barcode and it will redirect to a website that will download the Android Application” according to the article.

In addition attackers are using QR codes to redirect users to fake websites for phishing. “A QR code will redirect to a fake Bank that will look exactly like your bank. Since most smart phone screens are small, a normal user may not see the difference and will type in his or her (information) and hand it to the attackers,” Teller says. According to Mobile Commerce News some apps, like the NeoReader from Neomedia, that collect personal identifiable information (PII). This information is then sent to third parties who mine the data and possibly resell it.

Mobile paymentsThe trend to mobile QR based payment systems from firms like LevelUp, Kuapay, and Paypal are developing will drive QR code malware forward Mr. Levy says. “As our mobile devices and our wallets continue to converge through such technologies as near field communications (NFC), Bump and QR, malware authors are bound to prefer these very direct paths to the money. After all, these devices and apps are well on the road to becoming our new currency.”

So how do you protect yourself and the data on your mobile?

  • Download an app that scans QR codes and barcodes and shows the URL to which the codes want to take you. “Only use QR code reader software that allows the user to confirm the action to be taken i.e. visit a website link,” Paul Henry, security and forensic analyst at Lumension told DarkReading. “If you do not know and trust the link, cancel the action.
  • Do not scan QR codes from random stickers on walls and similar surfaces. Help Net Security says scammers are counting on people to do that because they can’t curb their curiosity.
  • Consider installing a mobile security app on your device, especially if it runs the Android OS. “Android is an open platform, which means that its source code can be examined by criminals and exploited easily when they find a weakness in, say, the Android browser,” according to the article. “That’s why most malicious apps transmitted via QR codes target the Android-based smartphones.”

rb-

I am not a fan of QR codes they seem to take you to an advertisement. Most of the destinations are fluff at best and dangerous at worst. Now that they have become nearly ubiquitous, they present more risk than necessary. Avoid QR codes.

Related articles

 

Category: Security | Tags: , , , , , , , , , ,
RB | December 1, 2011
2 comments

Blackhole Crimeware

Malware Dark Reading reports that attackers are increasingly using the Blackhole exploit kit in phishing campaigns. The latest phishing scam poses as an email notification from an HP (HPQ) OfficeJet Printer has sent around 36,000 per minute resulting in nearly 8 million emails thus far and uses 2,000 domains to serve up the malware.

BotnetResearchers at AppRiver told Dark Reading the trend demonstrates how Blackhole is following the pattern of popular crimeware kit Zeus and SpyEye. Blackhole traditionally has been used to infect legitimate websites for drive-by infection purposes. “This attack is unique because Blackhole added an email vector to its format and is flooding the Internet with similar methods used by Zeus, SpyEye, and others, essentially moving it into prime time,” says Fred Touchette, senior security analyst for AppRiver.

Blackhole, which previously had been marketed as a high-end crimeware tool, costing $1,500 for a one-year license, in May was unleashed for free in some underground forums. That has propelled more use of the toolkit according to the AppRiver blog.

AppriverMr. Touchette said that attackers using Blackhole have changed tactics,”This is the first that I have personally noticed that leads email recipients to Blackhole websites. Before that, people using the Blackhole Kit relied on techniques such as SEO poisoning to lead victims to their sites,” he says.

The OfficeJet email campaign, like other Blackhole attacks, is trolling for victims’ online banking credentials according to Dark Reading. It works a lot like Zeus and others, using browser vulnerabilities on victims’ machines and creating a backdoor for downloading and installing the Trojans. AppRiver’s Touchette says Blackhole appears to favor Sun Oracle (ORCL) Java (I wrote about Java holes here) and Adobe (ADBE) bugs (I wrote about Adobe bugs here).

HP“This most recent campaign is still trickling in, but will soon stall as most of its domains have been picked up and blacklisted by security professionals … we were seeing malicious emails related to this campaign coming in at a rate of around 36,000 per minute,” Mr. Touchette says.

Recent botnet takedowns have spurred an increase in malware attacks recently as botnet operators try to rebuild, AppRiver’s Touchette told Dark Reading.

rb-

Yeap- We are still seeing these trickling in and still have users reporting they cant access their OfficeJet .

Related articles
Category: Malware, Security | Tags: , , , , , , , , , ,
RB | November 10, 2011
One comment

Tablet Security Tips

Portable computingICSA Labs suggests a series of security tips for users of smartphones, tablets and apps Help Net Security reports.

App store1. Only buy apps from recognized app stores. Apps from unofficial third-party stores and applications downloaded from peer-to-peer sites are much more likely to contain malware than apps sanctioned by official vendor stores such as the Android App Market or Apple App Store.

2. Think twice about accepting “permissions.” Most applications, legitimate as well as malicious ones, need users to accept several “permissions” before the apps are installed. Check carefully to be sure that the app comes from a legitimate source. I wrote about mobile phones leaking data previously.

Inspect bills3. Monitor bills for irregular charges. If attackers gain access to personal information stored on the mobile device, they can quickly rack up charges by sending “silent” text messages to high-priced call services. For example, if the Google (GOOG) Android Trojan GGTracker is inadvertently installed on a device, it can sign up users, without their knowledge, for premium text messaging services.

4. Employ security policies to protect employer-issued devices. Employers should enforce password-based access and require voice mail codes so that only authorized users can get access to data on employer-issued devices.

Bring your own device5. Be mindful that more and more employees bring their personal devices to work. Companies must have security systems and policies in place to safeguard their business environment and prevent access to company networks from employees’ personal devices. I wrote about BYOT here

6. Remember that mobile devices are tiny handheld PCs. Many security threats that apply to traditional computers also apply to mobile devices, such as smartphones and tablets, and consumers should take necessary measures to protect themselves. One way to do this is to install anti-malware software on mobile devices and enable VPN functionality.

7. Protect your mobile phone password and voicemail PIN. If your mobile phone does not have a password, add one that is at least six digits. Try to choose a unique password that is not already used across other systems and accounts. Do not use repeating digits in passwords or voice mail pins. Remember that your provider will never request your voice mail pin, so do not be tempted to give it to anyone who requests it.

Related articles
Category: Security | Tags: , , , , , , , , , , ,
RB | September 6, 2011
One comment

Malware in Text

MalwareA team of security researchers have engineered a way of hiding malware in sentences that read like English language spam. The research led by Dr Josh Mason of Johns Hopkins University along with Dr Sam Small of Johns Hopkins, Dr Fabian Monrose of the University of North Carolina, and Greg MacManus of iSIGHT Partners outlined the threat in a paper English Shellcode (PDF) presented at the 2009 ACM Conference on Computer and Communications Security. According to the UK’s Computing the paper shows hackers could evade anti-virus protection by hiding malicious code in sentences that read like English language spam

ThText on screene article says that attackers could develop a tool that would be the next step in the hacking and virus arms race. Hackers could hide alphanumeric shellcode in valid files which would activate the malicious payload of a code-injection attack, This attack vector could give attackers control of system resources, applications, and data on a compromised computer.

The researchers report they can generate English shellcode in less than one hour on standard PC hardware. The text in bold is the instruction set and the plain text is skipped.“There is a major center of economic activity, such as Star Trek, including The Ed Sullivan Show. The former Soviet Union. International organization participation.”

The good news, Dr. Mason said that the widespread use of this attack vector is limited because the alphanumeric character set is much smaller than the set of characters available in Unicode and UTF-8 encodings. This means that the set of instructions available for composing alphanumeric shellcode is relatively small.  “There was really not a lot to suggest it could be done because of the restricted instruction set,” said Dr. Mason. Long strings of mostly capital letters, for example would be very suspicious.

Computing claims the work is a breakthrough. Current network security techniques work on the assumption that the code used in code-injection attacks, where it is delivered and run on victims’ computers, has a different structure to non-executable plain data, such as English prose. If an attacker challenge’s the assumption that executable code structure is different than non-executable data malware would be almost impossible to detect  Dr Nicolas T Courtois, an expert in security and cryptology at University College London, said malware deployed in this way would be “hard, if not impossible, to detect reliably.” The research is a proof of concept, but Dr. Mason doubts any hackers are using the technique to disguise their code. “I’d be astounded if anyone is using this method in the real world owing to the amount of engineering it took to pull off,” he said. “A lot of people didn’t think it could be done.”

Professor John Walker, managing director of forensics consultancy Secure-Bastion, argued the research highlights the flaws in the anti-virus community’s approach to security exploits. “There is no doubt in my mind that anti-virus software as we know it today has gone well past its sell by date,” he said.

rb-

Carly Fiorina

Did Carly Fiorina lock up mid-thought due to this?

If this technology gets out in the wild, most experts believe that the current signature based anti-malware products will miss the attack and leave us all defenseless. Sounds like a something the chip makers should be working on. Is this why Intel bought McAfee?

What do you think?

Can the anti-malware industry adapt to new threats from attachers?

View Results

Loading ... Loading ...


 

Related articles
Category: Malware, Security | Tags: , , , , , ,
RB | August 2, 2011
2 comments

Jay Leno Most Dangerous Celebrity in Cyberspace

MalwareThere are many late nights when I sit in the Bach Seat after a long day of coordinating shared technical services and need some silliness. Jay Leno was my late-night source of silliness until BitDefender told me he is the Most Dangerous Celebrity in Cyberspace.

Jay LenoAccording to an analysis of 25 million spam messages by the Bucharest, Romania based anti-malware firm, comedian and TV host Jay Leno is the most dangerous Hollywood celebrity in cyberspace. BitDefender found Mr. Leno mentioned in the subject line of 38,000 spam messages most of which focused around medicine and the purchasing of pills but come with enticing subjects such as ‘Jay Leno found taking drugs.’

“Cyber criminals follow the latest trends just as consumers do and they use these and the names of popular celebrities in their campaigns in order to lure people to websites that are full of malicious software (malware),” said Catalin Cosoi, Head of the BitDefender Online Threats Lab.

AfBitDefenderter Mr. Leno, the article at InfosSec Island says that cyber criminals next most often used Madonna and Cameron Diaz to spread spam. (I wrote Cameron Diaz’s reign and the McAfee “Most Dangerous Celebrity on the Web” here). The rest of the top 10 personalities used by spammers include:

Other notables on the list are:

Notable for their absence from the list are:

rb-

The use of celebrities to promote malware and spam is deeply rooted in social networking and Web 2.0. In 2009, Barracuda Networks identified a ‘Twitter crimewave’ on Twitter after popular celebrities joined the service to tweet to fans. Criminals followed the celebrities to the new service sensing a new population of easy-to-fool users, using a range of techniques including impersonation and simple link spamming to draw people to malware-infested websites. Facebook still has a major problem with celebrity abuse.

This may seem trivial because most firms have set up gateways to filter these spam-mails from hapless users in boxes. However, there are enough users that ignore the warnings and open spam-mails to make spamming on a vast scale worthwhile to the spammers.

What do you think?

Who is your favorite late nigt host?

View Results

Loading ... Loading ...
Related articles
Category: Malware, Security | Tags: , , , , , , , , , , ,
« Older Entries  

Switch to our mobile site