Zberp Banking Trojan: A Hybrid of Carberp and Zeus

It’s official: Zeus and Carberp have gotten hitched and hybridized. Malware authors have combined source code from the financial Trojans to produce Zberp, a new variant that targets 450 banking institutions around the world.

Zeus + Carberp = Zberp

For those unfamiliar, Zeus is one of the most capable and popular forms of banking malware around. Most notably, Zeus can perform “man in the middle attacks” to automatically intercept online banking credentials when they are shared in an online session between a customer and their bank. Since Zeus’ source code was leaked on a hacker forum in 2011, the malware has become extremely widespread and has morphed into numerous forms. Similarly, Carberp is also a form of financial malware, which at one time was so advanced and feature-rich that it sold for $40,000 per license in underground marketplaces. One year ago, Carberp’s code was also leaked, leading to an increase in its reach as well.

Zberp is a hybrid combination of Zeus and Carberp, created by someone with access to both Zeus’ and Carberp’s source code. Like its parents, Zberp is designed to steal money from people who bank online. Unlike its parents, Zberp’s relative youth gives it the ability to bypass antivirus products that rely on signature-based detection alone.

Zberp’s Zeus Inheritance

Zberp is a highly capable malware. From Zeus, the malware inherits the ability to steal information transmitted between users and a reported 450 financial institutions around the world. Accordingly, Zberp can:

• gather IP addresses and computer names


• take screen shots and upload them to a remote server


• steal data entered by a user into an HTTP form, steal a user’s SSL certificate, and/or steal FTP and POP3 credentials


• perform malicious web injections


• carry out man in the middle attacks


• initiate a remote desktop session through VNC/RDP protocols, allowing attackers direct access to an infected PC

Additionally, Zberp has what is called “invisible persistence.” Invisible persistence means that Zberp actually deletes its start up registry key during Windows start up and returns it when it detects that Windows is shutting down. This is an evasion technique meant to sneak past antivirus software that scans for malware during system boot.

Zberp also uses the method of steganography to allow for surreptitious configuration updates. With steganography, malware authors will typically disguise their malicious files as harmless images. In the case of Zberp, that image is the Apple logo.

Zberp’s Carberp Inheritance

Zberp’s authors have borrowed significantly less from Carberp, yet what they have borrowed is not insignificant. According to initial reports, Zberp utilizes a modified version of Carberp’s “hooking” technique. In practice, this “hooking” technique allows cybercriminals to hijack a browser session to steal information. The fact that the code responsible for Zberp’s hooking technique is different than Carberp’s means that many antivirus products familiar with Carberp alone will fail to detect it.

Protecting Yourself from Zberp

Much of what makes Zberp powerful is that it is designed to evade signature-based malware scanners. This is precisely why Emsisoft Anti-Malware utilizes an advanced layer of malware prevention, called Behavior Blocking. Behavior Blocking identifies root malicious behaviors, instead of specific signatures. To learn more about Behavior Blocking, you can see our Security Knowledge article, Efficient protection against new malware: Emsisoft’s Behavior Blocker.

In addition, it is crucial to realize that Zberp can only wreak havoc once it has infected your PC. In order for this to occur, you would need to encounter the Trojan somewhere on the web and download it to your computer. This can happen in any number of ways, however two of most common scenarios are through targeted emails, that contain malicious links or attachments.

In the case of a link, clicking would direct you to a “drive-by” download website, which would automatically install Zberp while pretending to do something else. In the case of an attachment, the same trick is used: you click on an executable that installs Zberp but pretends to be and do something else. In both of these scenarios, the single greatest method of prevention is caution.

As an extra measure, you can also consider using Emsisoft’s 3 layered approach to malware prevention, which hybridizes Surf Protection + File Guard + Behavior Blocker to create award winning anti-malware technology.

Have a Great (Zberp-Free) Day!

 

More on Zberp

Zberp was discovered by researchers from IBM security. A full technical report on this new malware can be found at their Security Intelligence blog.

 

 

Related Posts:

• Zeus Found Crawling through Salesforce.com


• New Zeus Variant with Digital Certificate


• Alert! Monster.com Serving Gameover Zeus


• PayPal Vulnerability Publically Disclosed


• OldBoot Bootkits – Advanced Android Malware

Zberp Banking Trojan: A Hybrid of Carberp and Zeus

ALERT: Spotify Has Been Hacked

Attention music lovers: Spotify has been hacked!

The popular music streaming website has just posted an announcement which states that someone gained unauthorized access to their systems and internal company data. As a result, attackers gained access to just one Spotify user account. The company stresses that this access did not divulge the user’s password, financial or payment information, and that they have since contacted the user and launched an investigation.

It may seem a bit of an over reaction to publish such an announcement that apparently only affects one user, however in the wake of last week’s massive data breach at eBay, the company is likely aiming for complete transparency.

As an extra security measure, Spotify states that they will be requiring a manual log-in for all users in the next few days, in order to re-verify account credentials. Additionally, Spotify will be releasing an automated Android upgrade which will guide users through install. This update is slated for release sometime in the next week.

Emsisoft encourages Spotify users who want to err on the side of caution to change their Spotify password as soon as possible. Though Spotify’s announcement indicates that only one account was hacked, it never hurts to update what may be a weak log-in credential, especially when it is used for a popular website.

Spotify’s official press release regarding this matter can be viewed in full here.

Have a Great (Data-Breach-Free) Day!

 

 

Related Posts:

• ALERT: You need to change your eBay password, now.


• Emsisoft Alert: Kickstarter Data Breach


• Covert Redirect Security Flaw in Sites Using OAuth and…


• Emsisoft Security Warning: 16 Million Email Accounts hacked…


• The 2014 Verizon Data Breach Investigations Report

ALERT: Spotify Has Been Hacked

New Facebook Features Focus on Privacy and Malware

This week, Facebook has introduced two new privacy and security measures. The first is a new feature that attempts to detect malware on infected devices as they log in to Facebook. The second is a more complete and easy-to-use set of features designed to ensure post privacy.

“Making malware cleanup easier”

On May 20th, 2014, Facebook announced that it will be partnering with two antivirus vendors to implement a new security feature that attempts to detect malware on infected devices during Facebook log in and then offers a free antivirus scanner download to identify and remove the infection. Download will be entirely optional, and Facebook states that after the chosen scanner runs to completion it will remove itself from the device.

While it sounds nice enough, and while it may indeed make the world a little bit more malware-free, this new feature assumes malware infection. That is to say, it’s meant to cleanup malware after the mess has been made. In addition, these scanners will only remove a malware infection if they are able to recognize the malware in question through signature-based means. If a device is infected with a new strain of malware that is not yet registered on one of these scanners, the device will remain infected.

One of the main reasons Emsisoft Anti-Malware is a pay-for-use product is that it provides proactive malware prevention. It does this by combining the scanning power of two engines with heuristic “Behavior Blocking” technology that recognizes and prevents unregistered malware threats. Even better, you don’t need to log in to Facebook for it to work. Emsisoft Anti-Malware runs in the background of your computer continuously, and it is automatically updated several times per day.

“Making it easier to share with who you want”

Facebook’s second new measure announced this week concerns user privacy. Namely, new Facebook users who are posting for the very first time will be set by default to only share that post with Friends. This is a marked change in Facebook’s policy, as since 2009 the default share setting for all new users was to share with Public. No doubt because the social media megalith boasts an average 1 billion active monthly users, this shift has already garnered a lot of attention from writers all over the web – specifically the New York Times.

Facebook product manager Mike Nowak is quoted in that article, stating: “It’s not fun when you share something, and someone you didn’t expect to be able to see it can see it.” Nowak also points to a continual stream of customer complaints – displayed on a real time, big screen monitor at FB headquarters – as impetus for the privacy policy shift. The article also features commentary from Pam Dixon, an advocate from the World Privacy Forum. Dixon states that she “would really like to see some kind of permanent tool that would let people do a privacy checkup anytime they want.”

Facebook’s upcoming “Privacy Checkup” feature might give her just that.

In addition to changing new users’ default share setting to Friends, Facebook writes that it will soon be implementing a “Privacy Checkup” feature for established users. This feature will apparently attempt to consolidate what some have called a convoluted set of privacy features. No specific details about this feature have been released, but according to the initial announcement “checkup” will be initiated by a pop-up window, designed to remind users of how they are sharing their information. Should users click on the window, the checkup will then guide them through their account’s privacy settings.

Facebook, Malware, Privacy, and You

Making announcements of new security features in a week that’s seen an FBI crackdown on BlackShades RAT users, U.S. cyber espionage allegations against China, a data breach at eBay affecting 145 million users, and an IE 8 zero day public disclosure is more than just good PR for Facebook – it’s also a well intentioned reaction to a world of cyber threats.

With roughly 1 billion active monthly users and a gold mine of personal information, Facebook is prime territory for malware authors and identity thieves. Most common among these are silly scams, like early May’s Hack Your Friend’s Facebook, which implicated infected users in Like fraud. Perhaps even more ridiculous (but also more malicious) was the Naked Videos of Your Facebook Friends scam we spotted in March, which had the ability to connect users to a fraudulent webpage where they could download a Trojan repair kit for Adobe Flash.

Facebook malware isn’t always so tongue-and-cheek, though. In fact, that’s far from the case with the iBanking Rogue, which we first spotted in April. iBanking leverages the general public’s increasing concern over Facebook security to create a powerful malware that combines social engineering with multi-device interaction, all aimed at infecting Androids with malware that can monitor everything you do with your smartphone, including banking. As it turns out, iBanking has since grown so popular with cybercriminals it is now selling for around $5000 a pop.

All of these malware developments reflect the fact that Facebook is a massive watering hole, and they don’t even begin to scrape the surface of how a website people use to contain their online identities can be used to stalk, steal, and commit fraud – no malware coding experience required. At the same time, this wealth of easily accessible information is what makes Facebook most powerful as a business, as the social media network’s growth has seen its simultaneous transformation into every online marketers’ favorite tool. It is this trend in particular that will pretty much guarantee that in the years to come the best approach to Facebook privacy will be a “use at your own risk” mindset.

Lastly, it is important to consider that in the world of cyber security, each new measure of protection usually provokes a new, malicious response. As we have seen the iBanking rogue pose as a legitimate security solution for wary users, Facebook’s antivirus scanner push might inspire the creation of more rogue security apps. The upcoming change in Facebook’s privacy policy could similarly spawn phishing emails across the board. Moving forward, probably the best approach to Facebook security will therefore be informed and educated usage. That means a solid password, caution when confronted with requests for action, and no selfies past midnight.

And remember, if you’re running Emsisoft, we’ve got your back.

Have a Great (Malware-Free) Day!

Related Posts:

• Watch out for iBanking Android Rogue on Facebook


• Naked Videos of Your Facebook Friends – Translation:…


• Hack Your Facebook Friends? More Like Hack Yourself.


• Take care of this new Facebook scam: Amy Winehouse SHOCKING…


• The transparent citizen – How can I actively prevent…

New Facebook Features Focus on Privacy and Malware

Zero Day Alert: Unpatched Vulnerability in Internet Explorer 8

Zero Day Alert!

Researchers at HP’s Zero Day Initiative (ZDI) have just disclosed an unpatched vulnerability in Internet Explorer 8. This vulnerability allows attackers to install malware on your computer, should you click on a malicious link or open a malicious email attachment. Such malware can then allow direct access to your files. Because HP has opted for public disclosure prior to Microsoft issuing a patch, this zero day is now known to both IE 8 users and would be attackers alike.

How to ensure protection from this threat

Microsoft has yet to issue a statement or a patch regarding this latest zero day. If you are running Internet Explorer 8, you are therefore vulnerable. Fortunately, this exploit hinges on user interaction; so, to avoid infection simply follow best web practices, and avoid clicking on any mysterious links or opening any unsolicited attachments.

Researchers at HP have recommended that users running IE 8 should also consider downloading Microsoft’s Enhanced Mitigation Experience Toolkit, the generic go-to repair tool for most Microsoft vulnerabilities. Additionally, we at Emsisoft recommend considering migration to a new web browser entirely, as this is the second IE zero day that has occurred in the last month alone. (See CVE-2014-1776, from late April.)

More Zero Day Details

According to HP ZDI’s disclosure timeline, Microsoft has actually known about this vulnerability since October 11th of last year, when researchers initially notified the company of the flaw. HP ZDI’s standard practice is to give vendors 180 days to issue a patch before making public disclosure. Accordingly, HP could have made disclosure as early as April 9th, 2014, but opted instead to give Microsoft more than a month long grace period. To date, the vendor has still not issued a patch.

Public disclosure will inevitably mean that until a patch comes, attackers will be leveraging the IE 8 zero day as a path to malware infection and remote access to infected machines; and, unless Microsoft issues an out-of-band patch, as they did with last month’s IE zero day, that patch will not come until June 10th, next month’s Patch Tuesday.

Perhaps most alarming of all, however, is that IE 8 runs on Windows XP. This means that today’s zero day will remain unpatched on the now-unsupported operating system until the end of time.  In other words: If you are running this combination, your system now contains an open, publicly known, door.

HP ZDI’s public disclosure can be viewed in full here:

http://zerodayinitiative.com/advisories/ZDI-14-140/

 

Have a great (Malware-Free) day!

 

 

 

Related Posts:

• Patch Tuesday: It Doesn’t Apply to Windows XP


• IE Zero Day Update: Microsoft Issues Emergency Patch, Even…


• Reminder: Microsoft Ends Support for Windows XP April 8th,…


• Warning: Internet Explorer Zero Day CVE-2014-1776


• Vulnerabilities in Oracle Java Cloud Publicly Disclosed

Zero Day Alert: Unpatched Vulnerability in Internet Explorer 8

ALERT: You need to change your eBay password, now.

Attention eBay users: eBay has confirmed a data breach affecting all user accounts. Compromised information includes: customer names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth.

It is recommended that all eBay users change their passwords as soon as possible.

Details on the Breach

Emsisoft first caught wind of eBay data breach rumors early Wednesday morning. Preliminary reports pointed to a botched blog post on the PayPal community blog, entitled “eBay Inc. To Ask All eBay Users To Change Passwords.” Besides the alarming title, the post was mysteriously empty; and, following a news leak from Reuters it was mysteriously taken down. Due to the fact that PayPal is actually owned by eBay, the rumor mill started spinning pretty fast.

Shortly thereafter, eBay confirmed the data breach with a corporate press release. The press release stressed that no financial information was compromised, as that data is stored in a separate location, where it is encrypted. eBay also indicated that their investigation revealed no evidence of fraudulent account activity.

The breach is reported to have occurred between late February and early March 2014, when cyber attackers gained direct access to eBay employee log-in credentials. This compromise was first detected two weeks ago, and eBay states that, in the time between then and today’s official announcement, they worked with law enforcement officials to investigate and resolve the issue. Later today, eBay will begin contacting its users directly, via email and various marketing channels.

Ensuring the best password protection

After any data breach, it is crucial to change your password. It is also important to realize that if you use that password for any other account, you should change it on that account as well to something new and unique. For best password practices, see our article on The Worst Passwords of 2013.

In the wake of a data breach affecting a company as massive as eBay, it is also important to be on the look out for phishing emails. As eBay points out in their press release, they will be directly emailing their user base and requesting a password change. This is a prime opportunity for fraudsters to pose as eBay and do the same, and thereby collect user credentials on phishing pages. To be safe, it is therefore best to navigate to your eBay account directly and change your password independently of any email provided link.

Have a Great (Password-Protected) Day!

Related Posts:

• Caution: You might need to change your eBay password


• Emsisoft Alert: Kickstarter Data Breach


• Emsisoft Security Warning: 16 Million Email Accounts hacked…


• ALERT: 18 Million Email Accounts Compromised


• Protecting Yourself from Heartbleed

ALERT: You need to change your eBay password, now.

Global Security Alert: China Bans Windows 8 on Government Computers

After yesterday’s media frenzy about the United States indicting 5 Chinese PLA officers of cyber espionage, you’d expect an equally dramatic response from China. Today the headlines read that China is banning the Windows 8 operating system on all government computers. Dramatic enough for you? Well, hold on just a sec.

The initial source document that spawned today’s headlines was actually published on May 16th, a full 3 days before the United States published its landmark indictment. This document only extended the ban to Chinese government machines that are to be part of a new “energy efficient” initiative. Pre-U.S. indictment, this document was not even newsworthy; but, today it has been repeatedly cited as evidence of Chinese rebuke.

Were there no further statements about this specific Windows 8 ban…well, it might not have even reached the editing room. As it turns out, however, there was – and it came from no less than China’s state-sponsored media body, Xinhua News. This statement was published on May 20th, and it reads, quite clearly, and in reference to the initial source document, that “all desktops, laptops and tablet PCs to be purchased by central state organs must be installed with OS other than Windows 8.”

That same report indicates that the Windows 8 ban is being adopted as a future national security measure, citing Microsoft’s recent end of support for Windows XP – an operating system the report claims has a 70% market share in China – as the ban’s primary motivation.

It would seem, then, that this is not a direct response to Monday’s indictment…but, boy, talk about timing

China’s official response to the indictment

For China’s official response to the U.S. accusation of cyber espionage, one need look no further than…well, once again Xinhua News. Not very surprisingly at all, this statement denies all charges as “groundless accusations.” It also goes quite a bit further, and accuses the U.S. of a number of cyber crimes committed against China.

Xinhua writes that from March 19 to May 18, the National Computer Network Emergency Response Technical Team Coordination Center of China found:

•  ”a total of 2,077 Trojan horse networks or botnet servers in the U.S. directly controlled 1.18 million host computers in China”


• “135 host computers in the U.S. carrying 563 phishing pages targeting Chinese websites that led to 14,000 phishing operations”


• “2,016 IP addresses in the U.S. had implanted backdoors in 1,754 Chinese websites, involving 57,000 backdoor attacks”

The report does not, however, specify whether these attacks were instigated by the U.S. government or by U.S. citizens.

More than a war of words

Although many within the computer security industry, as well as everyday net citizens, have already brushed aside this week’s U.S.-China shouting match as yet just another iteration of the superpowers’ tense relationship and ongoing war of words, the Chinese ban of Windows 8 will indeed have global computer security implications. If Xinhua’s claim that roughly 70% of Chinese computers run on Windows XP is even close to true, that means that a lot of Chinese computers, be they owned by the government or not, are insecure. Furthermore, if the Chinese government won’t switch to Windows 8, that means they’ll either be switching to Windows 7 or a non-Microsoft – i.e., non-U.S. manufactured – operating system. As it stands now, the ban does not extend to Chinese citizens, but one can assume that it might exert influence on the average Chinese citizen’s decision making process when upgrading their PC.

What this will all mean for malware is that, at the very least, a significant percentage of the world’s population might be shifting its OS of choice (Chinese population = 1.4 billion, or 19% of world population) to something other than Windows. For malware authors, this could perhaps disincentivize the long standing practice of authoring variants that run strictly on Windows PCs. That more of the world’s population currently owns a smartphone than does a personal computer might also supplement this trend.

…So does China’s rebuke of Windows 8 and U.S. cyber spying allegations mean that it just got a little bit safer for the rest of us to view our favorite Youtube videos and Vines from the desktop comfort of our Windows based PC?

Let’s hope so, because it would be nice to get at least a little something out of all this drama from the talking heads.

 

To a Malware-Free Future…and Beyond!

Related Posts:

• U.S. Charges Chinese Military Hackers with Cyber Espionage


• BlackShades RAT Users – Busted


• Emsisoft Anti-Malware 8.1.0.40 released!


• Emsisoft Anti-Malware 8.1.0.40 released!


• Reminder: Microsoft Ends Support for Windows XP April 8th,…

Global Security Alert: China Bans Windows 8 on Government Computers

U.S. Charges Chinese Military Hackers with Cyber Espionage

This Monday, the United States Department of Justice made formal cyber espionage charges against 5 members of the Chinese People’s Liberation Army. This is the very first time the United States has taken such action against any state-sponsored actors for cyber crime.

The Facts

Monday’s indictment from the U.S. DOJ brings a whopping 31 charges against each one of the alleged 5 offenders. Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui of Unit 61398 of the Third Department of the Chinese PLA have all been accused of committing:

1. conspiracy to commit computer fraud


2. unauthorized access of a protected computer for commercial advantage/financial gain


3. transmission of malware


4. aggravated identity theft


5. economic espionage


6. trade secret theft

These crimes are alleged to have occurred between 2006-2014, and according to the official DOJ press release and executive statement, victims include corporations involved in the nuclear power, metals and solar products industries, such as Alcoa Incorporated, Westinghouse Electric Company, and the United Steelworkers Union (USW).

An initial report from Ars Technica also sheds light on some specifics:

• 1,700 US Steel servers – hacked


• nuclear power piping systems of Westinghouse nuclear power plants – hacked


• email accounts of members of the USW steelworkers’ trade union – hacked


• email accounts of Alcoa executives – hacked, with some 3,000 messages and 800 attachments stolen

All of these attacks allegedly occurred during time sensitive periods, when victim U.S. companies were engaged in business with Chinese clients – times when it would have been most opportune for Chinese competitors to obtain information and gain a commercial advantage.

The Reasoning

State-sponsored cyber-spying is nothing new; however, this is the very first time the U.S. government has sought to enforce its Computer Fraud and Abuse Act and its Economic Espionage act against foreign offenders. Officials have emphasized that the economic element of the alleged crimes is the main reason the charges have been brought forward.

“Success in the global market place should be based solely on a company’s ability to innovate and compete, not on a sponsor government’s ability to spy and steal business secrets.  This Administration will not tolerate actions by any nation that seeks to illegally sabotage American companies and undermine the integrity of fair competition in the operation of the free market.”

    -U.S. Attorney General Eric Holder

Many writers, critics, and legals experts have noted how this distinction is extremely important, especially in the wake of Edward Snowden’s revelations on the NSA – particularly because those revelations point to U.S. sponsored cyber espionage campaigns to monitor both its citizens and other governments, including China. During a news conference, U.S. Attorney General Eric Holder went on to state that China’s actions are entirely different, because they are economically motivated and because they negatively affect the economic health of US citizens who work for the victimized companies. Adds David Hickton, U.S. Attorney for the Western District of Pennsylvania:

“Cybertheft impacts real people in real and painful ways. When these cyberintrusions occur, production slows, workers get laid off and lose their homes. This 21st century burglary has to stop.”

-David Hickton, U.S. Attorney for the Western District of Pennsylvania

The Impact

Monday’s accusation is both an unprecedented legal and cyber security event. The impact the charges will have on both fields is therefore impossible to predict. Many observers have already pointed out that the DOJ’s indictment is largely a political chess move; whether the Chinese government will choose to honor it and hand over the 5 accused will undoubtedly affect U.S.-China relations moving forward.

Regardless, Monday’s events reflect the ever-increasing importance of Internet Security in a ubiquitously connected world. Malware campaigns enacted to collect competitor credentials and, in turn, competitor trade secrets have simply become part of doing business for some companies. In free market economies, like the United States, governments have reacted to this trend with legislation; however, no law – real-world-based or cyber – can ever boast a 100% prevention rate.

Perhaps, then, computer security expert and former Justice Department lawyer, Marc Zwillinger, has put it best:

“The only computers these days that are safe from Chinese government hackers are computers that are turned off, unplugged, and thrown in the back seat of your car.”

-Marc Zwillinger, former Justice Department lawyer

In reality, the same can be said about malware coming from any attacker, anywhere in the world. Any business’s information can be a powerful tool to that business’s competitor, and today protecting such information should be a top priority for any business that wants to remain viable. Accordingly, Zwillinger has probably never heard of Emsisoft Anti-Malware for Business

Have a Great ((State-Sponsored) Malware-Free) Day!

 

Related Posts:

• BlackShades RAT Users – Busted


• The 2014 Verizon Data Breach Investigations Report


• Emsisoft one of Austria’s Leading Companies


• Emsisoft one of Austria’s Leading Companies


• 2013: The Year We Were “Snowden”

U.S. Charges Chinese Military Hackers with Cyber Espionage

BlackShades RAT Users – Busted

After a week of speculation, it would appear that the rumors are true: European law enforcement agencies have coordinated with the FBI to crackdown on international cybercrime, specifically targeting individuals who have downloaded the BlackShades remote administration tool (RAT).

Translation? The world is a little bit more Malware-Free.

What is BlackShades?

BlackShades is a remote administration tool, or a RAT. RATs allow their users to “remotely administrate” on other computers. In many cases, such as tech support or software demonstrations, RATs do indeed have legitimate use: they allow one user to help another or to show them how to use a new software tool. RATs can, however, also be used to commit cybercrime.

RATs become illegal when they are installed on target computers without consent. The BlackShades RAT is a hacking tool specifically designed to do just that and to, in turn, allow its user to perform a number of malicious actions. BlackShades is a versatile tool that can be used to spy on targets and to steal personal information. It allows for remote access to a victim’s files, it can log keystrokes, it can activate a victim’s webcam, it can be used to carry out a distributed denial of service attack (DDoS) on another victim, and it can be used to install more malware.

Typically, BlackShades can be purchased on underground hacker forums for a mere $40-100.

Who was arrested?

Early reports indicate that between 81-97 people have been arrested by the FBI and various European law enforcement agencies, on the premise of downloading BlackShades. At least 300 homes in many countries across the world, including Austria, Belgium, Canada, Chile, Croatia, Denmark, Estonia, France, Germany, Italy, the Netherlands, the United Kingdom, and the United States were raided. Raids followed seizure of one of the largest European BlackShades distribution websites, bshades.eu, on Wednesday.

In all, at least 1,000 computers were seized.

Part of a larger Anti-Cyber Crime effort

Last week’s BlackShades crackdown coincides with an FBI announcement via Reuters to increase its global, anti-cyber crime efforts and to take a more offensive approach to arresting criminals. In the weeks to come, it will be interesting to see if the BlackShades raid is just one of many conducted against popular malware kits and tools.

News of BlackShades is also followed by headlines that read that the United States will be charging Chinese Army personnel with cyberspying. Official announcement of the charges will come Monday morning.

Have a Great (Malware-Free) week ahead!

For more on RATs and how to stay protected, see our March warning on WinSpy and GimmeRAT, two prevalent variants that allow for remote monitoring of PCs and Android devices.

Related Posts:

• Rat Warning: WinSpy and GimmeRAT


• U.S. Charges Chinese Military Hackers with Cyber Espionage


• Mysterious DDOS Attack Against Top 50 Website


• Warning: Internet Explorer Zero Day CVE-2014-1776


• The 2014 Verizon Data Breach Investigations Report

BlackShades RAT Users – Busted

Why you need an anti-malware app (but not a rogue one)

As of late, a lot of attention has been shifted towards smartphone security. This attention comes from all angles. Roughly 22% of the world’s population owns a smartphone or a mobile device. That gives your everyday thug a 1-in-5 chance that they’ll find something valuable to steal the next time they decide to mug someone on the streets.

Since there are roughly 7 billion people on planet Earth, that also gives cybercriminals roughly 1.5 billion targets to infect when they create mobile malware.

Smartphone security response

These big number statistics have prompted response from security-minded organizations around the world. In April, a number of mobile device manufacturers signed the Smartphone Anti-Theft Voluntary Commitment. This commitment represents a promise from some of the largest smartphone manufacturers in the world to include a preloaded anti-theft kill switch in all smartphones manufactured after July 2015. Kill switches like these will allow users to remotely lock and deactivate their smartphone in the event it is stolen.

As the commitment’s title points out, signing it was voluntary; however, some governments have made or are working to make built-in anti-theft kill switches the law. Minnesota state is one such government. Accordingly, after July 1^st, 2015 all smartphones sold in Minnesota will require “preloaded anti-theft functionality or [option] of downloading that functionality.” (See full law here.) California state, proverbial home of Silicon Valley, is another such government – however the law has yet to be passed. (See proposed bill here.) In both cases, high physical crime rates are cited as legislative impetus.

Naturally, manufacturer and governmental response has inspired new mobile security products across the board. It may very well be that many manufacturers will include anti-theft kill switches in their smartphone products after July 2015, but many security software developers have realized that consumers need a solution in the meantime. Furthermore, anti-theft kill switches do not protect users from mobile malware.

Emsisoft Mobile Security – Accept no substitute

Here at Emsisoft, our first response to the smartphone crime wave is Emsisoft Mobile Security. Emsisoft Mobile Security provides remote anti-theft capabilities AND mobile malware protection. It can also prevent you from downloading malicious apps in real-time, as they arrive.

That third capability is particularly relevant in light of yet another trend which can be attributed to the increased public awareness of smartphone security: rogue antivirus apps! If it sometimes seems like there is no end to the deep, dark deviousness of your average cybercriminal’s imagination, rogue mobile antivirus apps provide all the more proof of such suspicion.

As these fraudulent security solutions exist on the PC, they now also exist as mobile apps. And, in fact, because cybercriminals are always looking for low investment strategies to cash in big, many of these “apps” are designed to do absolutely nothing at all. In early April, one such app by the name of Virus Shield achieved over 10,000 downloads, and all it did was change its graphic display from a warning X-mark to a check. Virus Shield featured absolutely no anti-theft capabilities, and it did not scan for malware. It also sold for $4 a pop.

More recently, independent reports indicate the presence of a number of rogue mobile antivirus apps on both Google Play and the Windows Phone store that again do absolutely nothing but dupe the user into thinking their device is secured. This time around, the apps feature falsified branding from legitimate software developers, including Mozilla, Avira, and Kaspersky Labs. Most of these apps are being sold for only a few dollars apiece, and fortunately none of them feature any malicious functionality outside of being total scams. Unfortunately, this not-so-malicious design is also the reason why these apps slip through to market in the first place, as most app marketplace security measures are designed to detect malware proper.

Watch out for mobile malware too

Stolen smartphones and fake anti-virus solutions cost their victims cash, but these petty crimes pale in comparison to what can be done with mobile malware. One of the most common techniques is to infect victims with an SMS Trojan, which surreptitiously connects the mobile device to a premium service and charges exorbitant rates for use. Even worse is malware like the iBanking rogue and OldBoot, both of which can be used to carry out identity theft. Perhaps most alarming of all is a recent report that shows ransomware is headed mobile too.

All of these developments point to a future where mobile security is a primary concern. That’s why as an anti-malware company, we’re offering a mobile anti-malware and anti-theft solution. If you’re familiar with Emsisoft Anti-Malware for the PC, or even if you’re a first time user, we encourage you to give our new product a try.

Have a great (mobile-malware-free) day!

 

 

Related Posts:

• Emsisoft Mobile Security 1.0 released!


• Preview: Emsisoft Mobile Security offers protection for your


• BadLepricon Mobile Malware Mines for Bitcoin Gold


• OldBoot Bootkits – Advanced Android Malware


• Watch out for iBanking Android Rogue on Facebook

Why you need an anti-malware app (but not a rogue one)

PayPal Vulnerability Publically Disclosed

Independent bug bounty researchers have just publicly disclosed a vulnerability affecting PayPal’s MOS (Multi-Order Shipping) Web Application. The vulnerability allowed researchers to inject malicious code into the “Preset Name” field while using the application to create a new shipping preset.

PayPal Corporation was privately notified of this vulnerability prior to public disclosure, and as of May 10th, 2014 it has been patched.

How this vulnerability was exploited

To clarify, there are no reports that indicate that this vulnerability was or is being exploited by criminals. Fortunately, it was discovered by white-hat researchers at vulnerability-lab.com. Details of their proof-of-concept exploit can be found in this publication.

According to the disclosure, the discovered vulnerability allowed researchers to inject malicious code into one of the form fields customers are presented with when ordering from merchants with the PayPal MOS Web Application. The injected code would then be executed when merchants opened their order forms. In testing, executed code was designed to drop a benign payload; but, in theory it could have been designed to drop malware and to steal merchant funds.

Researchers performed this proof of concept attack with dummy accounts, and only a low-privileged user account was needed to carry out the exploit.

Should I be worried about my PayPal account?

Short answer: No.

PayPal has patched the vulnerability and it can no longer be exploited.

Long answer: Yes.

But only because you should always be a little cautious about your online funds.

Readers who’ve taken a glance at this vulnerability’s official public disclosure might find it somewhat alarming that initial notification to PayPal occurred on August 8th, 2013 – a full 9 months ago.  So far, there are no reports that indicate that this vulnerability was exploited during that time.

Watch out for phishing attacks

In the days that follow this disclosure, it is likely that PayPal will issue an official statement to its customers. It is also likely that cybercriminals will use this as an opportunity to create phishing emails and landing pages that play off the disclosure’s hysteria. Such phishing messages and websites are used to steal your credentials and even infect your computer with financial Trojan malware like Zeus.

Don’t become a victim. If you receive anything from PayPal – or someone pretending to be PayPal – it’s best to avoid clicking the provided link and navigate to the real PayPal.com on your own.

Can Emsisoft protect me from things like this?

We try our best to notify our users of important vulnerabilities affecting major websites, software, and service providers. Additionally, the Emsisoft Internet Security pack comes with our Online Armor Firewall, which allows users to run a fully-protected Banking Mode for secure online banking.

This capability will also be included in the upcoming Emsisoft Internet Security 9, our first ever fully integrated Internet Security Suite which is now available for beta download and testing: emsi.at/beta9

Have a Great (Vulnerability-Free) Day!

Related Posts:

• Vulnerabilities in Oracle Java Cloud Publicly Disclosed


• The Heartbleed Bug: A Critical Vulnerability in OpenSSL


• Warning: Dropbox and Box File Sharing Security Bug


• Firmware Vulnerabilities Discovered on Linksys and ASUS…


• Covert Redirect Security Flaw in Sites Using OAuth and…

PayPal Vulnerability Publically Disclosed

Patch Tuesday: It Doesn’t Apply to Windows XP

It’s the second Tuesday of the month, and for those of you who keep up with what your computer is doing when you put it to sleep that means it’s time for some Microsoft issued updates – unless you are still running Windows XP.

This is the first “Patch Tuesday” that will not apply to the 12 year old operating system. That means that all of the vulnerabilities that get patched on newer, Microsoft-supported operating systems will remain vulnerabilities on Windows XP. One of these vulnerabilities is the critical  zero day that affected Internet Explorer 6-11 in late April.

Microsoft did release an emergency “out-of-band patch” for this zero day on May 1^st, and this emergency patch did apply to Windows XP; however, today’s update, and the additional updates that come with it, will not. This includes a patch for a previously undisclosed IE vulnerability (CVE-2014-1815) that has been spotted in targeted attacks by Google researchers in the wild, as well as a patch for multiple Microsoft SharePoint vulnerabilities that allow for remote execution of malicious code.

In all, this month’s Patch Tuesday features 8 Security Bulletins, and it remedies 13 Critical and Important vulnerabilities.

How can I get the updates?

As always, users who have automatic updates from Microsoft enabled will receive all issued Security Bulletins the next time they restart their computer – unless of course they are running Windows XP.

If you do not have automatic updates enabled, you can turn this feature ON in the System and Security section of your PC’s Control Panel. From there, you can also check for updates manually, if you prefer.

What should I do if I’m running XP?

From this point forward, all of the vulnerabilities that get patched on newer, Microsoft-supported operating systems will remain vulnerabilities on Windows XP. Microsoft officially cut support for the antiquated operating system on April 8^th, 2014.

Fortunately, Microsoft has not released technical details regarding the vulnerabilities this month’s round of updates have been designed to patch – but this does not mean that these details will remain indefinitely undisclosed. An estimated 25-40% of the world’s PCs still utilize XP, including end-user machines, point of sale registers, and ATMs. This is a huge incentive for financially motivated cybercriminals to uncover and exploit unpatched XP security holes.

As per our January announcement, Emsisoft will continue to provide support for Emsisoft Anti-Malware on Windows XP until at least April 2016. If, however, you are still running the OS, we highly recommend a system upgrade as soon as possible. As the months go by, each new Patch Tuesday will repair Microsoft-supported operating systems, but it was also effectively notify malware authors of which XP applications are vulnerable, allowing for more accurate and powerful malware attacks.

Have a great ( XP-Free Patch Tuesday!

Microsoft’s May 2014 Security Bulletin announcement can be viewed in full here:

https://technet.microsoft.com/en-us/library/security/ms14-may.aspx

Related Posts:

• Reminder: Microsoft Ends Support for Windows XP April 8th,…


• IE Zero Day Update: Microsoft Issues Emergency Patch, Even…


• Emsisoft Extends Protection for Windows XP


• Emsisoft Extends Protection for Windows XP


• Warning: Internet Explorer Zero Day CVE-2014-1776

Patch Tuesday: It Doesn’t Apply to Windows XP

Want Instagram on your PC? Watch out for PUPs

There’s something to be said for a smartphone app that has in less than 4 years managed to acquire more than 200 million users – 40.5 million of which log on at least once a month.  They call it Instagram, and its overwhelming popularity proves just how much people like to take pictures with their smartphones and share them with the world.

Google Instagram, and besides the latest tabloids about celebrities using it to post provocative selfies, you’ll find a few more pertinent links that convey a lot of information. The first one will be Instagram.com, and if you go to it from your PC you’ll find a landing page that encourages you to download the Instagram app to your smartphone. Scroll down a bit on your Google Search, and you’ll also find the Instagram Wikipedia page, which in its History section states that in 2012 Facebook bought Instagram for a modest 1 billion American dollars.

So what do we have here?

A lot of users, a lot of money, and a lot of room for malware.

Instagram PUPs Designed for the PC

That over 40 million people log on to Instagram at least once a month makes for quite the mobile malware target. Instagram is itself an app – designed to help its users share their photos with family and friends through both the Instagram network and through an automatic sync to Facebook, Twitter, and Tumblr. Imagine, then, if a malware author decided to create a malicious app designed to pilfer Instagram credentials. In one fell swoop, that author could gain access to every single one of your social media profiles and wreak digital-identity havoc.

Scenarios like these are exactly why we have created Emsisoft Mobile Security.

Such scenarios don’t have much to do with your PC or PUPs, though – and, since both of those terms are contained within the  title of this article, the Instagram malware rabbit hole indeed goes deeper.

First a word on PUPs: they are potentially unwanted programs that usually come bundled with other, legitimate software. They are designed primarily for the purpose of advertisement, and in addition to slowing down your computer they can be extremely annoying. PUPs are not legally malware, but they come pretty darn close. (For more on PUPs, see our Security Knowledgebase: What is a PUP? or A Typical Day at Emsisoft’s HQ, which recounts our CEO’s real-life encounter with a PUP Peddler.)

Now: What if someone made a PUP for Instagram?

There’s no doubt that marketers have targeted the hugely popular app as the next ad-mecca, so what’s to stop the makers of PUPs from doing the same? According to a recent insight from one of our rivals, absolutely nothing at all. It’s already happening, and it’s hinging on the fact that Instagram isn’t instantaneously accessible via PC. Established users can log on to Instagram from their PC, but first time users can really only set up an Instagram account by downloading the app to their smartphone. This leaves a window of opportunity for PUP authors to target new Instagram users who want to set up an account through their PC.

For example:

1. Say you hear about Instagram (from an article like this one and you Google it while on your computer.


2. You visit Instagram.com and find out that it’s an app, meant for your smartphone.


3. You don’t like downloading apps or smartphones but you still want to try Instagram, so you go back to Google.


4. You search for ways to get “Instagram for PC.”


5. You download an Instagram “PC Installer” PUP, the nefarious author of which knew you were going to use the search term listed in #4.

It might sound like a round about way to distribute malicious software, but with over 200 million fish in the barrel it’s a low effort strategy to PUP payoff – particularly as Instagram grows in popularity and continues to attract less tech-savvy users.

Protecting Yourself from Social PUPs

PUPs might sound harmless or even downright silly, but if your computer collects enough of them it will slow down to a crawl. For this reason, Emsisoft Anti-Malware features PUP prevention technology which can recognize and protect you from 1000s of these not-so malware advertising schemes.

We go through this effort because Instagram PUPs are simply one of too-many potentially unwanted programs circulating the web, essentially parasitizing the success of legitimate websites and applications. In the social media centric world we live in, there are endless opportunities for PUP authors to attach their creations to new trends and cash in with advertisements that slow down your computer.

For this reason, in addition to running a PUP-aware anti-malware, you should always take care to READ BEFORE YOU INSTALL. Most PUPs hide in the fine print – which is an excellent place to remain undetected in a world of character restricted commentary and tweets.

Have a Great (PUP-Free) Day!

Related Posts:

• Hätten Sie gerne Instagram auf Ihrem Computer? Achten Sie…


• Stable Scan Engine Update Identifies Over 6000 New PUPs


• Stable Scan Engine Update Identifies Over 6000 New PUPs


• Emsisoft Update Cleans Up Database and Identifies Over 6000…


• Emsisoft Update Cleans Up Database and Identifies Over 6000…

Want Instagram on your PC? Watch out for PUPs