Site called Ragebooter.net allows users to pay for removal of sites from the network, using DDoS attack. Unlike other existing sites that offer similar services, the Ragebooter have particularly interesting back door leading directly to the FBI.

The moment you kissed me at my doorstep, I know I am yours forever.
With loads of hugs and kisses, Akilina.

The email body text is highly variable and therefore resistant to spam filters (except of the dating site URL). There are never any attachments, font styles and colors, modified words typical for other spam - just plain text email.

The number of malware activities which threaten smart phones and tablets surged in the first quarter of 2013 and climbed rapidly, with more than 90% on Android environment.

This new malware attack focuses on the users' Facebook profile. The malware is a Trojan Horse transmitted through a browser plugin, detected so far in Firefox and Chrome.

Tracking shows that the Trojan horse was first identified in Brazil, and its main activity is monitoring and testing whether the user logged into Facebook account. If the user is connected, the malware tries to get the configuration file that includes list of gestures that the Trojan could use on behalf of the user.

The malware, is a variant of the malicious Zeus, which is known for several years and aims to take over the victim's computer and steal valuable information from it.

This anti-virus software pretender combines two methods of fraud – the fake anti-virus software and a malware that supposedly locks the screen in order to make the victim pay money to unlock. After the user installs this free “anti-virus” software it immediately notifies that the security level of the computer is low and which they need to call for support to address the found “threats”. At this point, pop-ups are opened notifying the daunting number of threats found.

The first mistake of the average smartphone user is the belief that these devices are safer from your home PC and in most cases they are not aware of the tremendous amount of personal and business information that is stored on their device. Using our smartphone one can find a lot of information about us. For example where we are (GPS), what we are interested in (browser history), who our friends are (Facebook), our plans (logs), our finances (bank online connection), how we work and what we work on (business emails) and sometimes other personal information stored on our personal computer (by using the synchronization between the smartphone to the computer). In the near future, even our wallet will become digital and will be replaced by the smartphone as planned today by many cellular providers around the world.

Cellular phones security is an intensively studied area by security companies and research institutions around the world since the release of G1 devices Android based operating system in 2009.

The spyware received the non-surprising name ‘bad news’, and is currently detected in 32 different applications, created by four different developers. We can’t tell  exactly how many devices got infected, because Google Play is not showing exact number of downloads, but only a relatively wide ranges, so all we can say now is that between two million to nine million, not bad for relatively new spyware.

Both applications allow users to navigate through the use of information obtained from their devices, along with other devices currently on the road - and analyze the real-time traffic in order to offer the ideal route. But just at this point hackers can cause damage and change the route, anonymously and without being discovered by the applications, and to persuade users to take completely different tracks than they should.

Once the hackers manage to break into the site, they transplant a malicious software that allows them to remotely control the site. And what do they do with it? Very simple. Hacked site makes its a botnet server, which in turn attacks other sites using the same method.

The horror scenario, where any terrorist with Android could kill hundreds of people, not because of Android, God forbid, but because of a serious loopholes in the commercial flights security protocol and flight management software is now real.

The engine, running 24 hours a day, 7 days a week, gathers information on some 500 million devices and services connected, every single month, and possibly you are there in the search results.

It is easy to see the differences between real email from LinkedIn and a fake one.

To understand what was the trick he invented, and how this stunt affects us today, you need to understand the times in which he lived. In 1982, just like today, people loved to exchange games. Only the computer itself was then in its infancy, the Internet was the preserve of a few university laboratories if any, and the idea of sharing "in the air" was a kind of science fiction. So what was then? There were black disks, the kind that older people may remember that they were called "floppy".

The simple fact repeats like a mantra in recent years that some viruses go out for a particular operating system depends on its popularity and nothing else. Economic viability in developing virus is the main cause that affects the amount of viruses coming out for an operating system. There is no bulletproof system.

After the download, the computer starts to harvest BitCoins using its processing power, which increases the level of CPU usage significantly and makes the computer very slow. After mining, the BitCoin money is transferred directly to the malware developers and allows them to make money online by selling the currency.

A likely scenario is possible for the virus circulated last tonight in Facebook is an attempt to create a Botnet, i.e. a network or an army of computers that can be remotely activated to attack or disable other sites. For example, if a hacker wants to disable a large site and paralyze it, he only needs to send an order to all infected computers which in turn each sends a request or multiple requestes to the site and eventually create a congestion.

The findings are a bit worrisome, as evidence that this is a group that works for at least five years behind the scenes and without the knowledge of security companies, during which time they collected massive amounts of classified information from high-profile targets in the United States, Eastern Europe, Central Asia and the rest of the world. It is still unknown exactly what was done with this information

Zeus along with other financial Trojans are already a huge headache to internet banking consumers around the globe for a long time.
Specific nations for instance the japanese have escaped assaults from financial Trojans, possibly as a result of language barrier and perhaps other unfamiliar cause.
Since the national law enforcement organization of Japan has reported repeatedly, Japanese internet banking consumers began to become victims for this form of assault.

This malware comes up being a system solution that assists with accelerating your system. Right after set up, it displays an image launcher.
After the harmful application is launched, the user will discover its homescreen.
The application offers a number of different “clean options” for the user to select, however they really practically do nothing at all other than display an activity bar.

Ransomware Trojan horse is hitting over again, prevents you from accessing your computer. The latest one discovered lately covers the entire desktop with a message that appears to be from the local authorities, which asks for a fine payment in order to unlock your system. This threat identifies your country by your IP and display relevant image in your language and the relevant authority logo.

It connects to a remote site and downloads additional components to the compromised computer, then it creates multiple additional 'Link' files to further spread into other systems, installs file-sharing application and copy itself to the application's shared folder.

The holiday season is quickly approaching. Research data taken over last few years shows this period of time to have the largest spike in malware infections. The "bad guys" know that lots of people will search the internet for good deals and the hottest holiday items. They take advantage of this by populating the internet with phony web sites and links that trick folks into downloading malwares like fake antivirus software, ransomwares, bots, etc

Today hackers run malware-spreading campaigns that distribute and promote virus messages claiming to be from the Federal Bureau of Investigation. An example of such malware is the FBI Greendot Moneypak Virus. The message says "Your computer has been locked!" and the malware program is actually locking the system. The hacker wants to hide the actual plans and disguise the malware as a warning allegedly coming from the FBI, the US Department of Justice. A ransom message is written on the screen that instructs users how to transfer funds in favor of the government, which eventually lands in ininto the pocket of the hacker. Users should be wise enough to understand that this is a malware infection and not a real FBI warning.

Another exploit based on MS Security Advisory 2757760 is being used to actively install malware on vulnerable Internet Explorer versions 6 through 9.

Basically all Windows versions up-to Windows 7 are affected. Windows 8 is safe.

The exploit is based on memory corruption that allows an attacker to execute arbitrary code within Internet Explorer memory space.

Up until now we know of one Trojan known as "Poison Ivy" that uses this exploit to install itself on a vulnerable system.

Total Defense Security Suite detects and remove this Trojan as well as the scripts components it uses to exploit this vulnerability.

While processing the sample collections of the past month, we have seen increase in the number of samples that shows spaghetti structure which was quite similar to the once seen in samples obfuscated using a commercial obfuscator called “Allatori.”  Indeed the obfuscation is quite powerful, much more so than the normal obfuscated samples we generally see in the collections. This is not the first time we have seen the Java samples being obfuscated using Allatori. However what makes it interesting is that we see a stark rise in the trend as more and more new variants are obfuscated using this method. This gives an impression that the Malware authors are becoming very serious about obfuscating the plain byte code.  A likely response to the fact that generally the vanilla Java byte code decompilation is a straight forward task.

What is DNSChanger?

DNSChanger, also known as Alureon, is a high profile piece of Malware that modifies the DNS settings on the victim PC to divert Internet traffic to malicious web sites. The Malware also acts as a robot or “Bot” for short and can be organized into a BotNet and controlled from a remote location. DNSChanger has received significant attention due to the large number of affected systems worldwide and the fact that as part of the BotNet takedown the FBI took ownership of the rogue DNS servers to ensure those affected did not immediately lose the ability to resolve DNS names. On July 9th the FBI will turn off the rogue DNS servers and DNS resolution will effectively stop for any system still infected with DNSChanger.

We have been coming across many facebook scams. This sample which is taken from one of such scams has an interesting feature in it. It checks for the location of affected victim, and based on the country where the victim is located, additional scripts are injected. The victim is redirected to many other sites that uses Facebook API, post scam on Victim's friends' pages and additional malicious files could be downloaded to the user machine.

Infection Vector

The user is tricked to click scam page attached on his friend ‘s page or in public posts page of Facebook. The scams hold luring pictures and words like "Hey See This Now " etc. Once the user clicks this link, he will be redirected to a link where he is asked to download a plugin to watch the video. This link checks whether the user is using Chrome or Firefox and then installs the malicious plugin as the missing plugin to watch the video.

DNSChanger, also known as Alureon, is a high profile piece of Malware that modifies the DNS settings on the victim PC to divert Internet traffic to malicious web sites. The Malware also acts as a robot or “Bot” for short and can be organized into a BotNet and controlled from a remote location. DNSChanger has received significant attention due to the large number of affected systems worldwide and the fact that as part of the BotNet takedown the FBI took ownership of the rogue DNS servers to ensure those affected did not immediately lose the ability to resolve DNS names. On July 9th the FBI will turn off the rogue DNS servers and DNS resolution will effectively stop for any system still infected with DNSChanger.

Scam lotteries have been a frequent issue in the past and they continue to exist following the media trend.
Total Defense Intelligence Service (Research ISI Team) today caught an interesting email pretending to come from Facebook’s CEO Mark Zuckerberg.

The email clearly informs of a fake lottery win, getting the user to contact a Mr. Douglas Price as a fiduciary agent who will handle the award.

I have come across the similar scenario when I have downloaded the video.

It must be mentioned that the video format itself is not immune to embedded malicious links, but this time, the links are far more obvious.
In fact, the links are in plain sight. Almost “Helpful” and benign looking... if only they were!
See screen grab.

This new malware is taking advantage of an old vulnerability in Microsoft Word (MS09-027). This vulnerability has been already patched since 2009, which could allow remote code execution if a user opens a specially crafted Word file. This malware is detected as OSX/SabPub.A.

Once executed, OSX/SabPub.A, the decoy Word file will be executed, it will cause distraction to the user to hide its malicious activity in the background.

Upon accessing the main page, it shows a lot of common error that people may encounter in a typical windows machine and in its “Repair Guide” links, it will always ask the user to download the file “PC_Cleaner_Pro.exe” which TotalDefense products detects as Win32/FraudPCCleanerPro.A.

Recently, another Tibetan-themed malware has been discovered which takes advantage of a patched Java Vulnerability (CVE-2011-3544).

When a user unknowingly visits malicious website, the attack will start by a script loading the malicious Java applet exploiting (CVE-2011-3544) then it will determine the malicious payload depending on what Operating System the user is using. Using the new variant samples, as you can see in Figure 1, if your OS is Windows the file “img.jar” will be executed and if your OS is Mac OSX the file “ref.jar” will be executed.

As you can remember, OSX/Flashback has appeared last year and disguised as Adobe Flash Player Installer. The previous variants connects to remote host to download its component files and installing backdoor that injects to web browsers and other applications in order to steal sensitive user information.

This time the malware author of OSX/Flashback has another trick up its sleeves. A new variant of OSX/Flashback has been discovered and it takes advantages of Java Vulnerabilities namely (CVE-2008-5353, CVE-2011-3544 and CVE-2012-0507). This new variant doesn’t need user interaction in order to infect the system successfully not like its old variants where it needs the user to input the administrator password.

When a user unknowingly visits malicious website, the attack will start by a script loading the malicious Java applet. If the Java in that system is enabled and vulnerable, then the infection will be successful.

Upon execution of the malicious Java applets, it drops a file as “~/.jupdate” in User’s Home folder. It then creates “com.java.update.plist” in the ~/Library/LaunchAgents/, to ensure that the dropped file will be active on the system.

OSX/Flashback botnet has more than 550,000 infected machines according to reports.

Lately, the number of malware targeting Mac OSX has been rising. A new malware that exploits an old vulnerability has been found.

A new malware is taking advantage of an old vulnerability in Microsoft Word (MS09-027). This vulnerability has been already patched since 2009, which could allow remote code execution if a user opens a specially crafted Word file. This malware is detected as OSX/MS09-027!exploit.

Once executed, OSX/MS09-027!exploit, will drop the following files:

•    /tmp/launch-hs
•    /tmp/launch-hse
•    /tmp/file.doc

The file launch-hs are a script that executes the file launch-hse and file.doc. Once the file.doc has been executed, it will cause distraction to the user to hide its malicious activity in the background.

So, What does it do?

It is a typical SMS Trojan that sends SMS to premium message centres. In the process, it makes sure that the messages are sent only once during the first time the code is run. This feature is taken from the very old “FakePlayer” family.

We thought the rogue security software trend went down this year, but in truth we are witnessing two new reported incidents by users and customers of rogues.

According to data obtained, in only one month of monitoring the process of Winwebsec we have seen an impressive number of reported incidents which, in terms of numbers, translates into almost 7,000 issues.

While processing a recent bunch of malware collections, we have noticed heavy use of reflections  in quite a few Android samples. It is important to note that the usage of reflections by malware is not new. It has been practiced by traditional desktop threats created in Java for a long time now and even we have seen the usage of it in some of the android variants sporadically since last year. Now, it is interesting to see this trend adopted in full fledged manner by the new variants in bulk numbers.

It's that time of the year when people in some parts of the world are filing their tax returns, and what better time for cyber crooks to trick them into falling prey for phishing attacks via emails. India has been reported in recent malware threat reports as one of the regions with high spam activity and this blog will briefly discuss a very convincing social engineering spam I ran into recently.
I received an email in one of my email inboxes which seemed to promise me a refund of 34,000 Indian Rupees, provided I submit a request through a URL on the email [see Figure 1]. This email immediately aroused my suspicion, as I have been abroad for more than a year now and was not expecting such an email. The content of the email also seemed fairly convincing from an ordinary net user's perspective. Sure enough, the URL was parked on a German subdomain hosted on a free hosting website. Well I am fairly certain that the Income Tax Department of India would not be hosted on a .de domain.

Yesterday, a familiar Android threat was making news powered by a sound social engineering trick.  This blog looks at the differences/similarities of the different variants of this particular bunch of variants.

Though the variants exhibit the same behavior claiming that the “application” is an installer for famous applications, different variants use different brands such as Opera browser, Jimm, and Skype. However in the process,  they actually send messages  to the message centers obtained by decrypting the config file. After sending the SMS messages, the user may or may not be redirected to the download link of the orignial application.

Although none of the Apps were functionally tested to empirically measure the privacy impact, it's still great to see the FTC continuing their focus on our children.  This report stands in firm support of the COPPA legislation and furthers the dialog necessary to better protect children online.

Earlier yesterday, a few SMS Trojans were found in Android Market and subsequently removed from the market place. In this blog post, we will be demonstrating some of the interesting behaviours uncovered through dynamic analysis.

This blog is written to emphasize the importance of physical security in this current day and age. I myself am a victim to a recent physical security breach that happened with Lucky Superstores in the United States, which has resulted in the theft of debit card details of many of its customers. It has been confirmed that more than 20 stores are affected through the 500 or more self-checkout stations which were compromised to aid in this physical security based attack.

Recently, Adobe has released a new security advisory, APSA11-04, alerting users about a critical vulnerability in Adobe Reader and Acrobat.

The U3D memory corruption vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system. This means that the malicious files could be downloaded or dropped on the affected system.

Adobe is in the process of finalizing a fix for the issue and expects to make available an update for Adobe Reader 9.x and Acrobat 9.x for Windows no later than the week of December 12, 2011. Because Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of this kind from executing, Adobe is currently planning to address this issue in Adobe Reader X and Acrobat X for Windows with the next quarterly security update for Adobe Reader and Acrobat, currently scheduled for January 10, 2012. Adobe is planning to address this issue in Adobe Reader and Acrobat X and earlier versions for Macintosh as part of the next quarterly update scheduled for January 10, 2012. An update to address this issue in Adobe Reader 9.x for UNIX is planned for January 10, 2012.

Not long ago, the malware called Stuxnet made its foray into the world of Internet capturing people's attention. This was the first malware of its kind which embodied payload that impacted not only software running on infected machines but also affected attached Industrial processes. This malware's impact was very unique, targeted and revolutionary in nature. In September 2011, a new malware called 'Duqu' was discovered which appeared to be identical to Stuxnet and has been deemed as a precursor to the Stuxnet worm.

Last week, we have blogged about an Android malware that was impersonating as a popular browser (http://totaldefense.com/securityblog/2011/09/23/The-SMSer-Trojan-Returns-as-Fake-Browser-Again.aspx).

This time we present the analysis of another interesting Android malware to highlight its noteworthy features that users need to be aware of.
This sample shows how easily such kind of impersonating malware is being created to impersonate many popular messengers and chat clients.

Another new Mac OS X Threat has been discovered and disguises as Adobe Flash Player Installer. Like other malware, it also uses social engineering tricks to lure users to download the malware.

Once the user unknowingly visited a malicious website to watch a video, it will prompt the user that the Adobe Flash plugin has crashed

A new Mac OS X Threat has been discovered masquerading as an innocent PDF document with a controversial topic. It is implementing one of the techniques used by windows malware to hide its malicious activity.

When the Mac malware is executed, it attempts to drop and execute a non-malicious PDF file in the /tmp folder [Figure 1]. The PDF file and the content is intended to distract the user and hide the malicious activity in the background. The dropper is detected as OSX/Revir.A.

A few months ago, we blogged about an increasing trend of SMSer Trojans disguising themselves as popular browser applications targeting the users of smart phones with support for J2ME. For the past few days, we have been observing a similar trend in the influx of SMSer Trojans posing as browser applications in our sample processing channels. However this time, they are actually targeting Android users.

A few weeks ago, we have witnessed Zitmo arriving to Android landscape http://totaldefense.com/securityblog/2011/08/29/ZBot-Targeting-Android-Users.aspx. As it was widely predicted earlier, fellow researchers at Trusteer discovered that now Spitmo emerges for the Android platform. We, like the worldwide research community, have taken the the growth of Android malware very seriously.

Free Facebook t-shirts at the cost of your Personal Information?

Just like the many other social-engineering spam attacks observed on Facebook, the recent one which offers victims free t-shirts as its 7th Anniversary special gift, seem to have gained quite a bit of popularity. If stats are to be believed, [Figure 1, courtesy hacker9] quite a few people have fallen victim to this like-jacking social engineering spam. Interestingly, I already have spotted close to eight people's accounts in my Facebook contact list posting the scam over and over again on my wall, which is one of the aftereffects of falling prey to this social-engineering attack. Another startling fact is that when I checked on other related security blogs, there appears to be different variants of this spam. Some have already been taken down. So this means that possibly scammers have realized that the "free Facebook t-shirt" is an extremely good proposition for luring in innocent Facebook victims.

"Supercookies" (Local Shared Object), or flash cookies as they are otherwise commonly called, and their implication on the privacy of Internet users have been a hot topic in the security- news blogs lately.

"Cookies", as most of you already know, are small text files that are used to keep small pieces of browsing information stored on a computer to track and retain user preference information when Internet users visit various websites online. But the risks involved with tracking cookies are already well known in the security community. There are also options available on various browser setting pages which explicitly allow users to clean these cookies. Many anti-virus companies, including Total Defense, have protection against tracking/third party cookies, too.

The Black Market is not new at all, and we know it exists because illegal products or services are readily available, such as drugs, sex, stolen goods, etc.

These days I have been impressed by the increase in the number of emails targeting Italian users with offers of electronic goods sold at very interesting prices.

Everyday my personal inbox is stuffed with emails coming from people pretending to offer me electronics at below market value prices and suggesting I visit their new commercial web site (Figure 1-2).

Intricacies of its execution

This sample's payload is same as what the age old downloader agents are known to do.  By Design, It downloads additional malware executables from distribution sites on the internet and proceeds to trigger their installation routines. Implemented as an applet, a better and easy understanding of this malware component can be gained through the output of instrumented standalone version of this applet shown in  Fig 1.

SpyEye is now very well known within all security communities and security blogs of the world. The latest version of the SpyEye tool includes very powerful capabilities, specifically designed to steal sensitive data from Windows users conducting monetary transactions over the Internet.

The Trojan tool is sold on the underground market and in cybercrime forums to be used by cybercriminals. Designed to defeat the security defenses in place by online banks, the SpyEye Trojan renders these security systems useless. If people are infected by this Trojan then their credentials and sensitive data such as, identities, credit card numbers and similar information, are stolen and sent to the criminals waiting to collect this data and enumerate their new budget.

Hence, in this blog, we will demonstrate this particular conversation recording payload of the malware.

On its Twitter page LulzStorm posted a supposed dump of the databases of 18 Italian Universities, containing thousands of usernames, cleartext passwords, emails and private information.

Though this sample has been in the wild for some time, it was found now that it is actually the one that Zbot uses to target its victims.

In this blog, we will demonstrate how the sample actually works to target the mTAN based authentication scheme.

Since we have published static analysis of such Trojans in our earlier blogs, this blog covers the dynamic analysis of the Trojan in a controlled environment. Please note that this blog post will only demonstrate one of the malicious activities the sample does and does not intend to demonstrate all the activities of the malware.

We recently witnessed another rootkit infection which raised the attention of the press and Microsoft users.

It is again a high profile malware whose target is the hard drive’s master boot record (MBR) corrupting the bootstrap of the Windows Operating System.

Once run the malware follows the steps below:

1. Open file: \\.\PhysicalDrive0
2. Create File: hello_tt.sys

The first step of the malware is the access phase to the hard drive partition where the operating system is installed. That is the sequence where the malware finds the master boot record (MBR).

The second step is the creation of a service dropped and installed on the victim OS.

A QR Code is a specific matrix barcode (or two-dimensional code), readable by dedicated QR barcode reader.  There are many QR Code Reader apps available today for camera phones. The code consists of black modules arranged in a square pattern on a white background. The information encoded can be text, like a URL, or other data.