Kelihos Botnet Spam Waves False Russian Flag

 Would you volunteer your computer’s resources to help a political cause?

It is a strange question, but it’s one being asked by Kelihos botnet spammers to Russian citizens. So reads the spam message:

We, a group of hackers from the Russian Federation, are worried about the unreasonable sanctions that Western states imposed against our country. We have coded our answer and below you will find the link to our program. Run the application on your computer, and it will secretly begin to attack government agencies of the states that have adopted those sanctions.

Referencing political actions taken by Western nations against Russia for its recent relations with Ukraine – and hoping to incite the ire of displeased Russian citizenry – the link provided in the message actually leads to malware. More specifically, users who click are connected to the Kelihos botnet, which is capable of the following malicious activities:

• Password theft from web-browsers and other programs


• Bitcoin theft and mining


• Establishment of “backdoors” for future access to the infected machine


• Hijacking infected PCs to perform DDOS attacks


• Downloading more malware


• And, of course, sending more spam

According to reports from PC World, the variant disbursed by this latest campaign also borrows digitally signed files from a legitimate network monitoring software to spy on infected users and reduce the chances of detection.

Whether or not “volunteers” actually get to participate in a digital attack against Western states is unconfirmed. Kelihos is capable of commanding bots to carry out DDOS attacks, and such attacks could, in theory, be carried out against Western governments’ websites; but, all of the little extra things the botnet can do suggest that this politically-charged variant of Kelihos is nothing more than malware, waving a false flag.

The takeaway?

Social engineering is a dangerous beast, especially when it leverages contentious current events. As a rule of thumb, if an email provokes an emotional reaction, it is usually best to stop and think (and maybe even walk away) before you click.

…And as for those seeking political action – whatever the viewpoint – there are much better ways to implement change than clicking on Internet chain mail

Have a great (bot-free) day!

For the full story and source of quote, see Hackers prey on Russian patriotism to grow the Kelihos botnet, at PC World.

 

 

Related Posts:

• Emsisoft Explains the Syrian Electronic Army


• Facebook Fights Malware, Calls Greek Police and Wins


• New Sefnit Variant Adopts SSH to Commit Click Fraud


• The MiniDuke of Ukraine


• Gameover Zeus Decides to TRY AGAIN

Kelihos Botnet Spam Waves False Russian Flag

Alert: CHASE Phishing Emails Steal Credentials, Serve Dyre Banking Malware

Malware Alert!

A new phishing campaign that collects user login credentials and infects users with the Dyre banking Trojan is targeting  JP Morgan Chase customers around the world.

Phishing Page + Dyre Banking Trojan

Evidence of this latest campaign was first discovered by corporate security SaaS provider ProofPoint. According to a Thursday blog post and a followup report by Reuters, the attack leverages a fraudulent email modeled after legitimate JP Morgan Chase messages and containing a malicious link.

Users who click on the link are brought to a phishing website, which requests JP Morgan Chase banking credentials and initiates a download of the Dyre banking Trojan in one of two ways. If users enter credentials (and share them with cybercriminals) the site will suggest a fake Java update which serves the malware through an executable file. If users don’t enter credentials, the malware will still attempt to infect as an automated, drive-by download.

Those who are infected with Dyre receive a malware capable of stealing credentials from users who interact with banking sites from the likes of Bank of America Corp, Citigroup Inc and the Royal Bank of Scotland Group Plc.

How to Avoid this Threat

By the numbers, JP Morgan Chase is the the No. 1 US bank in terms of assets. As a result, this campaign will likely affect many people. To avoid this attack and others like it:

Always log into your online banking independently – NOT through email.

This simple practice alone can stop phishers dead in their tracks.

What Should I Do If I Clicked?

Anyone who might have accidentally click on this -or any – phishing link should contact their bank immediately. In addition, anyone who needs assistance is encouraged to contact Emsisoft Support. We provide free malware removal to all who need it, even if they aren’t an Emsisoft customer yet.

Those seeking automated online banking protection are also encouraged to consider the Emsisoft Internet Security pack.

Have a great (phish-free) day!

Additional Resources

• Smash & Grab Campaign Targets JP Morgan Chase Customers, ProofPoint Threat Insight


• JPMorgan customers targeted in email phishing campaign, Reuters

Related Posts:

• ALERT: The Google Drive Phishing Scam Returns!


• ALERT: Watch out for new Emotet Banking Malware!


• Alert! Monster.com Serving Gameover Zeus


• ALERT: Google Drive Phishing Scam


• Warning: Don’t Get Vished

Alert: CHASE Phishing Emails Steal Credentials, Serve Dyre Banking Malware

PlayStation Network Back Online After “Lizard Squad” DDOS Attack

After a weekend of widespread service outages, PlayStation Network (PSN) is back online. Reports now indicate that the gaming network was taken down by a massive DDOS attack carried out by a group known as the Lizard Squad.

Important details are as follows:

• The personal user information of all 53 million PSN users WAS NOT compromised.


• The XBox Live gaming network and World of Warcraft servers were also targeted by Lizard Squad. Reports indicate that users of both networks experienced outages.


• The identities of those behind the “Lizard Squad” have yet to be revealed.

Perhaps most seriously, service outages coincided with a bomb threat by the Lizard Squad to American Airlines via Twitter. The tweet made mention of a bomb on a Boeing 757, carrying 179 passengers – one of which was Sony Online Entertainment President John Smedley. Fortunately, the flight was safely diverted and grounded in Phoenix, AZ.

At present, the Lizard Squad continues to leverage Twitter as its personal soapbox, accusing Sony of corporate greed and throwing around associations to ISIS.

From Sunday:

Sony, yet another large company, but they aren’t spending the waves of cash they obtain on their customers’ (PlayStation Network) service. End the greed.

From today:

Currently planting flag in XBL’s upstream with an AK47 #ISIS #jihad #IS

Such behavior is not likely to bode well with international authorities, and reports indicate that the FBI has already launched an investigation into Lizard Squad.

Additional information:

• Sony says PlayStation network back online, user information safe after attack, Reuters.


• Update: PlayStation Network is Back Online, PlayStation.Blog


• Lizard Squad Twitter

Have a great (lizard-free) day!

Related Posts:

• Is the NSA Spying on Gamers?


• DDoS Attacks Affect Cloudflare and Bitcoin Exchange


• The transparent citizen – How can I actively prevent…


• Seriously? USA to legalize rootkits, spyware, ransomware and


• Mysterious DDOS Attack Against Top 50 Website

PlayStation Network Back Online After “Lizard Squad” DDOS Attack

Data Breach Alert: 51 UPS Stores Affected!

Attention customers of 51 US-based UPS stores: It is time to cancel your credit/debit card.

UPS corporate has recently issued a press release stating that 51 of its franchise locations from 24 different states were infected by POS malware from January 20, 2014 – August 11, 2014. This malware could have stolen credit/debit card numbers, customer names, addresses, and contact information located on the stores’ point-of-sale registers.

For the official advisory and a list of affected locations, see theupsstore.com.

Many will note that this is not the first data breach headline of 2014 involving a major U.S. retailer. In fact, it is at least the tenth. For insight into why this is happening so much, we suggest Brian Krebs’ latest Q&A, Why So Many Card Breaches? There, Krebs suggests the impending October 2015 U.S. deadline to switch to chip-and-PIN technology set by Visa and MasterCard as one potential motivation and provides a brief introduction to the underground world of “carding.”

For more insight, we also suggest our latest posting on Backoff.

Although unfortunate, this latest breach also acts as an important reminder: big name brands are often malware targets. (No pun intended). In fact, delivery companies in particular are often used in email scams, where fake invoice attachments or links are used as means of infection. For more on this type of attack and tips on how to avoid one, see our 2010 article on Scam Emails.

Have a great (data-breach-free) day!

 

Related Posts:

• Michaels Arts & Crafts Confirms Data Breach


• LaCie Data Breach – Part of a Larger Malware Trend


• What’s with all the Point of Sale Data Breaches?


• ALERT: You need to change your eBay password, now.


• The SEPA Switch and Internet Fraud

Data Breach Alert: 51 UPS Stores Affected!

Malware Alert: “Defru” Rogue Performs Fake Scan in Browser

Rogue Alert!

A new browser-based rogue security scanner Microsoft has named Rogue:Win32/Defru pretends to find malware on your computer, attempts to sell you fake security products, and prevents you from connecting to over 300 common websites – many of which belong to companies that sell legitimate security products. Those familiar with rogue security products will know that such capabilities have been employed by attackers for years; however, Microsoft reports that Defru is notable due to its simplified, browser-based approach.

Defru Play-by-Play

Defru modifies the infected PC’s hosts file, which is responsible for website navigation. If the user attempts to navigate to one of more than 300 websites Defru has been designed to recognize, they will instead be redirected to an infamous “PC Defender” rogue site: pcdefender[.]co[.]vu.

Users need not download anything from PC Defender to be scammed. Rather, the website simply displays a graphic that looks like a scan within the website’s browser window. The “scan” then pretends to find malware as it runs, and cites a number of fake malware variants. After “finding” these threats, the website offers malware removal, for a fee which can be paid via credit card at Payeer.com.

How Can I Tell If I’m Infected?

If you try to navigate to a normal website but are instead redirected to a site like the one pictured above, you may be infected by Defru. Note: your navigation bar will display the website you typed into it, not pcdefender[.]co[.]vu.

Microsoft has prepared a full report on Defru, which includes a list of all the websites it can perform redirects on here. Presently, emsisoft.com is not part of that list. This means that if you suspect your computer has been infected, you can navigate to support.emsisoft.com to receive assistance from one of our malware removal experts. Alternatively, advanced users can find removal instructions at the end of this blog post from Microsoft malware researcher Daniel Chipiristeanu.

Have a great (rogue-free) day!

 

Related Posts:

• Fake antivirus – What you should know about Rogue Security


• Emsisoft’s Malware Digest: Windows Prime Accelerator


• Emsisoft’s Malware Digest: Windows Prime Accelerator


• Windows Premium Shield Detected


• Windows Premium Shield Detected

Malware Alert: “Defru” Rogue Performs Fake Scan in Browser

Don’t Download That Facebook Color Change App. It’s Malware.

Facebookers beware. Research has confirmed that malware comes in every color, and that an old trick has struck again. It’s called the Facebook color changer, and it is downright malicious.

Like many an app, the color changer entices with a simple ad that appears on the side panel of your Facebook. Rather than leading you to a legitimate downloader, though, clicking on the ad brings you to a malicious website. According to reports, this website can steal Facebook access tokens (allowing attackers to connect to your friends) and infect both PC and Android devices with malware, if users decide to download the app.

As yet, a reported 10,000 Facebook users have been affected by this latest incarnation of the Facebook color changer, which has intermittently reappeared over the last 2 years.

Anyone who has downloaded the app is urged to uninstall immediately under Facebook’s app settings and change their Facebook password to something strong and unique as soon as possible. Anyone who sees advertisements for the app on their Facebook should not click. Finally, those who require malware removal assistance are encouraged to contact our experts at Emsisoft Support. Don’t worry, we won’t tell any of your friends

Have a great (and-colorful) day!

For full coverage, see the initial report from Mashable.

Related Posts:

• Naked Videos of Your Facebook Friends – Translation:…


• New Facebook Privacy Feature: More Control, But More Ads Too


• Hack Your Facebook Friends? More Like Hack Yourself.


• ALERT: Ads on Disney, Facebook, Guardian Lead to Ransomware


• Watch out for iBanking Android Rogue on Facebook

Don’t Download That Facebook Color Change App. It’s Malware.

Alert: If you’re running WordPress, it’s time to update

WordPress Alert: Users running WordPress versions 3.5-3.9 and Drupal versions 6.x-7.x are vulnerable to a newly discovered denial of service attack which can render both website and web server completely inaccessible.

For comprehensive security, immediate updates are recommended.

• How to update your WordPress Site


• How to update your Drupal site

The vulnerability, which uses what’s called an XML Quadratic Blowup Attack, was discovered by security researcher Nir Goldshlager of both Break Security and Salesforce.com.

Goldshlager has prepared a technical analysis of the vulnerability here. For a less technical overview, readers can also see his collaborative post at Mashable. Most importantly, though, make sure those updates are applied as soon as possible!

Have a great (DoS-Free) day!

Related Posts:

• Emsisoft Anti-Malware ottiene Advanced+ nel File Detection…


• The 2013 AV-Comparatives Real World Test Results Are In


• The 2013 AV-Comparatives Real World Test Results Are In


• Die Ergebnisse der AV-Comparatives Real World Test 2013 sind


• VB100 award April 2013 for Emsisoft Anti-Malware

Alert: If you’re running WordPress, it’s time to update

Poweliks: The file-less little malware that could

When you think about malware, you probably imagine a nasty little file that’s been installed on your computer. When you think about anti-malware, you probably imagine some sort of program that can remove that nasty file, and help you go about your day, malware-free. Malware doesn’t always need files though. And anti-malware can’t always do its job through file detection alone.

New research has uncovered a malware called Poweliks that can infect your computer without creating any files on your hard drive.

Instead, Poweliks creates two registry entries: a null embedded subkey and a registry value that contains an encoded script. The null embedded entry helps to hide Poweliks and to protect the value containing the script. The script will check if your computer has Windows PowerShell installed, and initiate a download of the scripting program if it doesn’t. Once the presence of PowerShell is confirmed, Poweliks will then inject a malicious DLL into system memory. This DLL then connects your computer to a command and control server, which can be used to collect personal information or to load more malware onto an infected PC.

Poweliks is particularly evasive for two reasons: it does not create files on the hard drive, and it hides itself through use of a null embedded registry entry using a non-ASCII character. Both of these measures ensure that manual detection by user or even malware researcher are difficult. Poweliks’ file-less nature also means that antivirus products that rely on file-based detection alone will not find it.

For the full story on Poweliks, see PC World Magazine. For technical analysis, see Malware Don’t Need Coffee.

Have a great (malware-free) day!

 

 

Related Posts:

• Linux Rescue CD: a help or a hinderance?


• Emsisoft’s dual-engine scanner Behind the scenes


• Dorifel crypto malware paralyzes Dutch companies and public…


• Emsisoft Malware Library


• Emsisoft Malware Spotlight: Blackbeard and Pigeon

Poweliks: The file-less little malware that could

Backoff Malware: The Reason Why You See So Many Data Breach Headlines

Target, Neimann Marcus, Michaels, Sally Beauty, Hilton, Sheraton, Marriott, and Westin. P.F. Chang’s, Goodwill, and just yesterday, Jimmy John’s.

Names that have appeared on your monthly statement? Let’s hope not. These are all restaurants and retailers that have fallen victim to point of sale data breaches in just the last 8 months – and the list is not exhaustive.

A report from the United States Computer Emergency Readiness Team has now illuminated how many of these breaches – and apparently hundreds like them affecting smaller companies across the U.S. – have been able to go down. They call it: Backoff malware.

According to US-CERT, attackers’ strategy has been to use publicly available (and legal) software to locate point of sale systems that utilize remote desktop applications from Microsoft, Apple, Google, and others. Once systems with such apps are located, they’re then brute forced* until administrative access is achieved. Once logged on with admin rights, it’s then only a matter of installing Backoff and letting the malware do all the nasty things it’s been designed to do – like scraping RAM for unencrypted credit card information, logging keystrokes, connecting to a command and control server, and installing a malicious stub into explorer.exe to ensure the malware’s persistence.

Detection by US-CERT has been thanks to a coordinated effort with a number of U.S. entities, including the secret service. Hopefully, all their hard work will help to stymie the ridiculous slew of POS data breach headlines we’ve all (unfortunately) gotten used to.

Have a great (data-breach-free) day!

Additional Resources

• US-CERT alert – technical overview and defense measures for businesses/retailers


• New York Times – less computer lingo and more big picture understanding


• Emsisoft Knowledgebase – more on POS intrusions, RAM scraping, and BlackPOS


• Curious how Emsisoft interacts with Backoff? Our signature database currently detects two of the malware’s most prevalent variants: 1.55 backoff and 1.55 goo.

* Brute forcing is when a hacker uses an automated program to guess log in credentials. Brute force programs use dictionaries of weak and common usernames and passwords.

Related Posts:

• The 2014 Verizon Data Breach Investigations Report


• Michaels Arts & Crafts Confirms Data Breach


• LaCie Data Breach – Part of a Larger Malware Trend


• What’s with all the Point of Sale Data Breaches?


• Emsisoft Alert: Kickstarter Data Breach

Backoff Malware: The Reason Why You See So Many Data Breach Headlines

Research Compares USB devices to Dirty Needles – What now?

Flash drives: we share them with friends knowing full well that if they come back with some mysterious .exe the last thing we should do is open it. Easy enough to remember and easy enough to avoid. But what if the malware is hidden? What if there’s no trace of malware, or .exe, at all?

New research from a pair of independent security pros has proven that USB firmware can be reverse engineered to act as malware. That means that the hard coded instructions that tell your flash drive how to operate can be altered, to behave maliciously. It’s not just flash drives, though. It’s anything that uses the USB protocol. Like mouses and keyboards and public phone charging stations and printers.

In their proof-of-concept hell spawn, white hat researchers Karsten Nohl and Jakob Lell achieved complete control of a test computer by reprogramming a USB memory stick to be recognized as a USB-connected keyboard instead. From there, it was a merely a matter of telling the memory stick to act like a keyboard and issue malicious commands. Quite fittingly, the researchers have named their creation BadUSB.

BadUSB was made possible by the fact that USB firmware does not implement code signing, meaning it can be updated and altered by un-certified sources – like hackers.

For users, this now means that essentially all USB technology is vulnerable; and, it’s not just a one-way street. In theory, malware can now also be created to infect the PC, spread to a connected USB device and transform that device’s firmware into malware.

Sound freaky? Some reports are suggesting that this type of thing has been being done by the NSA for years. With public disclosure, it is now only a matter of time before attacks go mainstream.

In the meantime, we’d suggest saying no the next time someone wants to share files unprotected.

For complete coverage, see the original article at Wired.

Related Posts:

• Viruses that went Viral: Conficker


• What is a Digital Certificate?


• Adobe Flash Zero Day: Operation GreedyWonk


• Warning: Adobe Flash Zero Day CVE-2014-0515


• Firmware Vulnerabilities Discovered on Linksys and ASUS…

Research Compares USB devices to Dirty Needles – What now?