Friday, October 31, 2014

Warning: All unpatched Drupal 7 sites assumed to be compromised

Attention Drupal users: Drupal has published a Highly Critical Security Advisory.


If you use Drupal 7 to manage your website and you did not update to version 7.32 within hours of Drupal's vulnerability disclosure on October 15th (Drupal's own public service announcement puts the window at about seven hours), you should assume your website has been compromised and take immediate action. The flaw is a SQL injection bug in Drupal core's database layer that can be triggered without an account, which is why attackers could exploit it at scale with no human involvement. Applying 7.32 now closes the hole, but it does not remove any backdoor an attacker has already planted. Furthermore, if the update has been applied and your website administrator was not the one who applied it, treat that as a sign of compromise rather than good news: attackers patch the sites they take over to keep competing attackers out.


For that reason, Drupal recommends restoring your website from a backup taken before October 15th, or rebuilding it entirely, as soon as possible. Step-by-step instructions can be found here.


More information on this threat


In the hours that followed Drupal's October 15th disclosure, attackers launched automated scans of the web for Drupal 7 sites that had not yet applied the patch. Each vulnerable site they found received a backdoor that gives them remote access later, whether or not the site is subsequently patched. Backdoor access to a website exposes administrator and user data, and it is also a commodity: such access is sold on for hosting illegal content and spreading malware. Approximately 1.1 million people currently use Drupal to develop and manage hundreds of thousands of websites.
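A quick triage script for the two questions the advisory raises (is this site still on a version below 7.32, and has anything changed that the administrator did not change), as an added example that is not Drupal's own tooling: it reads the VERSION constant that Drupal 7 declares in includes/bootstrap.inc and lists PHP code that either sits in the sites/*/files upload directory, where Drupal never writes code, or was modified after a cut-off you choose. The cut-off defaults to the disclosure date as an assumption; set it to the moment you yourself patched, otherwise your own update will show up in the list. A clean list is not proof of a clean site, which is why the advice above to restore from a pre-October-15th backup still stands.

```python
import os
import re
from datetime import datetime, timezone

FIXED_VERSION = (7, 32)  # Drupal 7.32 contains the fix
# Assumed cut-off: the disclosure date. Replace with the moment you actually
# patched so that your own update does not show up as "modified".
DISCLOSURE = datetime(2014, 10, 15, tzinfo=timezone.utc)
VERSION_RE = re.compile(r"define\('VERSION',\s*'(\d+)\.(\d+)")
PHP_EXT = (".php", ".inc", ".module", ".install", ".theme")

def ts(iso):
    """Parse an ISO-8601 timestamp as UTC (helper for building entries by hand)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

def parse_core_version(bootstrap_inc):
    """Drupal 7 declares its version in includes/bootstrap.inc as
    define('VERSION', '7.xx'); return it as a (major, minor) tuple."""
    m = VERSION_RE.search(bootstrap_inc)
    return (int(m.group(1)), int(m.group(2))) if m else None

def version_state(version):
    if version is None:
        return "unknown"
    if version[0] != 7:
        return "not-drupal-7"
    return "unpatched" if version < FIXED_VERSION else "patched"

def suspicious_php(entries, since=DISCLOSURE):
    """entries: iterable of (path relative to docroot, modification time in UTC).
    Flags PHP code in the upload directory (Drupal never writes code there and
    ships an .htaccess to stop it executing) and code changed after the cut-off."""
    hits = []
    for path, mtime in entries:
        norm = path.replace("\\", "/")
        if not norm.endswith(PHP_EXT):
            continue
        if norm.startswith("sites/") and "/files/" in norm:
            hits.append((path, "php in upload directory"))
        elif mtime >= since:
            hits.append((path, "modified after cut-off"))
    return hits

def scan_tree(docroot):
    """Yield (relpath, mtime) for every file under a Drupal docroot on disk."""
    for dirpath, _, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(full), timezone.utc)
            yield os.path.relpath(full, docroot), mtime

def triage(docroot, since=DISCLOSURE):
    """Return (patch state, list of suspicious files) for a docroot on disk."""
    with open(os.path.join(docroot, "includes", "bootstrap.inc"), errors="replace") as fh:
        state = version_state(parse_core_version(fh.read()))
    return state, suspicious_php(scan_tree(docroot), since)

if __name__ == "__main__":
    import sys
    state, hits = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("core:", state)
    for path, why in hits:
        print(f"  {why}: {path}")
```

Run it from the web server with the docroot as the argument. Modification times are easy for an attacker to reset, so the stronger check for core files is a comparison against the checksums of a fresh 7.32 download; the upload-directory check does not depend on timestamps at all.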


More general information on what to do if your Drupal site is hacked can be found here.


Have a nice (malware-free) day!

Wednesday, October 29, 2014

Using Gmail Drafts to… Command and Control your Computer?

For those who (over)think before they email, the Drafts folder can be both a blessing and a curse. Anyone who has ever accidentally sent an unfinished draft to a coworker, new contact, or friend will probably go one further: unfinished drafts that reveal what you're thinking before the thought is polished and ready to send can be embarrassing and unprofessional. Thanks to the unending inventiveness of malware writers, the email drafts folder can now also be considered dangerous.


Researchers have uncovered a variant of the Icoscript RAT that uses Gmail's Drafts folder to receive commands and hand back data stolen from infected computers. Most malware does the second part, connecting to a "command and control" server to fetch instructions and upload what it has collected; what is new here is using unsent drafts in a legitimate webmail account as that channel, which adds a layer of stealth to the process.


According to reports, the trojan pulls this off by opening an invisible instance of Internet Explorer on the infected computer through the COM automation interface that Windows provides so that programs can drive the browser behind the scenes. Icoscript uses that hidden browser to log into an anonymous Gmail account. The attackers write commands into an unsent draft, the malware reads them there, and it deposits stolen data in drafts of its own for the attackers to collect. In effect, the attackers have a two-way channel that runs through a trusted program, over HTTPS, to a domain almost every network allows, and nothing is ever actually sent. That is why it is much harder to detect than malware that talks to an unknown server over an unusual port: the odd traffic stands out to anti-malware and network monitoring, while a browser talking to mail.google.com does not.


The researchers who uncovered this draft trick (also a favourite of people conducting affairs through a shared email account) stress that "there's no easy way to detect its surreptitious data theft without blocking Gmail altogether." For end users, this means that protection hinges on prevention. Icoscript may be good at hiding its traffic, but it still has to get onto your machine first. If you're using an anti-malware that processes roughly 225,000 new malware samples every single day, and you're well-versed in the ways cybercriminals trick people into installing their creations, that is very unlikely to happen.


You will still need to be careful about spilling your heart out in an email draft, though ;)


Have a nice (malware-free) day!


For more information on Icoscript’s use of Gmail Drafts, see this article from Wired.

For a technical analysis, see Icoscript: using webmail to control malware by Paul Rascagnères.

Banking Trojan Alert: MS Word macros spreading Dridex

Within the last week, there have been a number of reports indicating an ongoing Dridex spam campaign primarily targeting people who bank in the United States and the UK. Like most banking trojan spam, the attack utilizes a malicious attachment; however, in a shift of strategy, Dridex’s distributors are now using Microsoft Word documents containing VBA macros to serve the malware and infect their victims.


What is a banking trojan?


The Dridex banking trojan is malware designed to steal your banking credentials so that they can be used to log into your account and transfer your funds to criminals. Dridex does this by hooking your browser and "grabbing" the information you submit to certain websites. Those websites are pre-specified by the attackers and typically include popular banks; in any given distribution campaign (for example, a banking trojan included in a malicious attachment and spammed to thousands of email addresses), the list varies according to the country where most of the targets live.


How do you get Dridex?


This latest campaign began one week ago, when independent researchers noticed a number of fake Microsoft Word invoices containing malicious VBA macros. A macro is a small program embedded in the document; it does nothing until the recipient enables it, and attachments like these rely on talking the reader into doing exactly that. Once enabled, the macro downloads Dridex from a legitimate website that the attackers have compromised and runs it. Once installed, Dridex can harvest credentials from any website you log into, though in practice banking credentials are what it is after.


How can I keep Dridex off my computer?


The first wave of this latest Dridex campaign saw a large amount of emails containing a fake MS Word invoice from Humber Merchants. This invoice had file name 15040BII3646501.doc, which downloaded Dridex from http://gpsbah[.]com/images/1[.]exe. To date, Emsisoft Anti-Malware is one of only a few products that prevents this variant of Dridex from executing.


For additional protection, you can also tighten Microsoft Word's macro settings. Attacks of this type are relatively common and nearly two decades old (macro viruses first spread in the mid-1990s). Note that Word's default setting, "Disable all macros with notification", still shows an Enable Content button, which is precisely what these invoices ask the victim to click; choose "Disable all macros without notification" (or "Disable all macros except digitally signed macros") to take that choice away. For MS Word 2013:


  1. Open Word, click File, then click the Options tab

  2. Click the Trust Center tab, then click the Trust Center Settings button

  3. Click the Macro Settings tab, select the desired Disable all macros option, and click OK.

As always, caution when handling unsolicited emails with attachments and links can help prevent infection too.
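For administrators who see these invoices arrive at the mail gateway rather than on a desktop, the following heuristic check flags Office attachments that carry VBA code before anyone can click Enable Content. It is an added example, not Emsisoft's detection logic: for the old OLE2 .doc format it looks for the Macros and _VBA_PROJECT storage names that Word writes into the file's directory, and for the newer .docm/.xlsm/.pptm formats it looks for the vbaProject.bin part inside the zip archive. The sample files are constructed for the demonstration.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entries hold stream/storage names as UTF-16LE; Word stores VBA
# code under a "Macros" storage that contains a "_VBA_PROJECT" stream.
OLE_VBA_MARKERS = [name.encode("utf-16-le") for name in ("Macros", "_VBA_PROJECT")]

def has_vba_macros(blob):
    """Heuristic: does this Office file carry VBA code?
    OLE2 containers (.doc/.xls/.ppt): scan for the VBA storage names.
    OOXML containers (.docm/.xlsm/.pptm): look for a vbaProject.bin part."""
    if blob.startswith(OLE_MAGIC):
        return any(marker in blob for marker in OLE_VBA_MARKERS)
    if blob.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False

def triage_attachment(filename, blob):
    """Gateway verdict. Any attachment with macros is quarantined; an Office
    extension without macros passes with a note so it can still be logged."""
    if has_vba_macros(blob):
        return "quarantine: macros present"
    if filename.lower().endswith((".doc", ".dot", ".docm", ".xls", ".xlsm", ".pptm")):
        return "allow: office file without macros"
    return "allow"

# Constructed samples, not real malware: a minimal OLE2-looking blob with the
# "Macros" storage name in it, and two OOXML archives with and without VBA.
def sample_ole(with_macros):
    body = b"\x00" * 504
    if with_macros:
        body += "Macros".encode("utf-16-le") + b"\x00" * 52
    return OLE_MAGIC + body

def sample_ooxml(with_macros):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_attachment("15040BII3646501.doc", sample_ole(True)))  # quarantine: macros present
    print(triage_attachment("invoice.docx", sample_ooxml(False)))       # allow
```

The OLE2 branch is a string scan, not a parse of the compound file structure, so treat a hit as a reason to quarantine and look closer rather than as proof; a real parser such as oletools' olevba can then extract the macro code itself.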


What should I do if I have a banking trojan infection?


If you think you may have become infected by Dridex, DO NOT log into any account – financial or otherwise – via the compromised computer. For assistance, contact our experts at Emsisoft Support as soon as possible. Malware removal is always free, even if you aren’t an Emsisoft customer yet.


Have a great (Dridex-free) day!


For more information on Dridex, see this article from Palo Alto Networks.

Saturday, October 25, 2014

CryptoWall Malvertisements on Yahoo, AOL, Match.com and More

A string of reports released Thursday indicates that a very large CryptoWall malvertising campaign has been affecting a number of top websites for approximately the last month. Affected sites include, but are not limited to: AOL, The Atlantic, Match.com, and the Sports, Fantasy Sports, and Finance subdomains of Yahoo. Internet users who visited these domains within the last 30 days may have been exposed to malicious advertisements designed to install the CryptoWall ransomware automatically, with no clicking required.


How do you get infected?


The malicious advertisements used in this campaign were designed to exploit unpatched vulnerabilities in Adobe Flash, which allowed the cybercriminals to install CryptoWall on victims' computers without any click. CryptoWall is ransomware: it encrypts your files and demands payment for the decryption key. Ransom demands in this latest campaign ranged from $200 to $2,000, and victims who did not pay before a preset deadline lost the offer of recovery altogether, with their files left permanently encrypted. In all, researchers estimate that during the last 30 days close to 3 million Internet users per day were potentially exposed to this threat.


How do you remove CryptoWall?


There is currently no known way to decrypt files encrypted by CryptoWall without paying the ransom, and even paying does not guarantee recovery. If your computer has become infected with CryptoWall, Emsisoft does not recommend paying unless you absolutely must recover the files. Sometimes partial recovery is possible from Windows' Volume Shadow Copies or previous file versions, if the malware did not manage to delete them; instructions on how this works have been published by Bleeping Computer and can be found here. Anyone who needs assistance walking through these instructions is encouraged to contact Emsisoft Support.


How can I prevent a ransomware infection?


Minimize Application Vulnerabilities


This latest campaign exemplifies the importance of minimizing application vulnerabilities. As stated above, users who visited the affected websites did not need to click on the malicious advertisements to become infected; they simply needed to have a vulnerable version of Flash on their computer. Keep Flash (and the browser itself) updated, or set the browser to ask before running Flash content (click-to-play) so that an advertisement cannot run it silently. For more information on how to get rid of application vulnerabilities, see the Emsisoft Security Knowledgebase.


Backup your most important files


Losing access to your business or family files can be devastating, but CryptoWall can be rendered irrelevant by regular file backups. Use an external device that you disconnect from your computer after each backup: CryptoWall encrypts everything the infected computer can write to, including mapped network drives and shares, and files it encrypts in a folder that auto-syncs with cloud storage are promptly synced in their encrypted form.


Invest in protection


For a fraction of the cost of ransom payment, using a proactive antimalware can also help. After a vulnerability is exploited, cybercriminals use it as an open doorway to serve malware to your computer. An antimalware, such as Emsisoft Anti-Malware or Emsisoft Internet Security, will prevent this from happening by either: blocking connection to the malicious download website cybercriminals try to use; preventing the malware from running through signature recognition; or preventing the malware from running through Behavior Blocking if no signature is found.


More information on CryptoWall


Unfortunately, this is not the first time CryptoWall has been served through malvertisements. The same thing happened earlier this month and also in June. In every instance, cybercriminals are taking advantage of a complex, automated, and somewhat unregulated online advertising environment to cash in. For more information on this problem, and a full list of websites affected by this latest string of CryptoWall malvertisements, see the ProofPoint blog.


Have a great (CryptoWall-free) day!

Wednesday, October 22, 2014

Widespread Windows Zero Day affecting Microsoft Office Files

Last week, Emsisoft published details on The Sandworm Team and how this group of attackers has been using vulnerability CVE-2014-4114 to remotely execute malicious code through shared Microsoft Office files. Microsoft has since issued a patch for that vulnerability; however, it has been discovered that there is still a way to exploit Microsoft Office files to serve malware. The new zero day vulnerability has been designated CVE-2014-6352. It lives in the same Windows OLE component as CVE-2014-4114 and allows attackers to execute malicious code remotely on all supported versions of Windows except Windows Server 2003. This unpatched zero day has been used by The Sandworm Team, and it is currently also being used by cybercriminals across the Internet. Observed attacks have involved targeted emails carrying malicious PowerPoint attachments, but in principle the vulnerability could be leveraged in any scenario where Microsoft Office documents are shared.


How can I stay protected?


The most concerning aspect of CVE-2014-6352 is that it affects fully patched versions of Windows. Microsoft is investigating the issue, but the next scheduled Patch Tuesday is nearly three weeks away, so it could be that long before the vulnerability is formally patched. In the meantime, cybercriminals will be sure to exploit it to serve malware to as many users as they can.


To stay protected, Emsisoft recommends:


  • Avoiding unsolicited Microsoft Office documents whenever possible

  • Implementing Microsoft’s Suggested Actions

  • Using a proactive antimalware that can automatically prevent infection from unregistered threats

Due to the facts that 1) sharing Microsoft Office files is for many people an everyday task and 2) that Microsoft’s Suggested Actions are somewhat technical, it is likely that CVE-2014-6352 will allow cybercriminals to infect a lot of users with malware. Furthermore, because a vulnerability is essentially a doorway into your PC, the malware served in such attacks will widely vary.


Users running Emsisoft should know that, as with CVE-2014-4114 and The Sandworm Team, your security solution offers automatic protection from this latest zero day. If you are running one of our products, no further action is required: simply allow your computer to update whenever Microsoft issues a formal patch.


For those not using protection, we recommend giving Emsisoft Anti-Malware a try. You can actually test it for 30 days, at no cost – meaning that even if you hate it (which we’re pretty sure you won’t :) it will guarantee protection from this latest zero day until Microsoft fixes the problem. After the vulnerability is patched, you can then simply uninstall your trial – or you can keep it, to ensure that you’re protected the next time an application vulnerability (inevitably) pops up.


Have a great (zero-day-free) day!

Android Outbreak: Koler ransomware has learned how to worm

With last week’s appearance of a new, wormable variant of Selfmite, it now appears that the makers of Android malware have found a new favorite propagation technique. This Tuesday, reports indicated the emergence of a new strain of the Koler Police Locker ransomware that also spreads by spamming every single person in your contacts list, through SMS.


How does Koler get on your Android?


When Koler first emerged it was only capable of infecting users through third-party apps proffered by shady porn sites. Now, the malware can also worm by automatically sending an SMS message to every single person on an infected device’s contact list. This message contains a malicious shortlink that leads to a Dropbox page hosting the malware, disguised as a “Photo Viewing App.” Users who install the app become infected.


What happens when you’re infected?


Reports indicate that once Koler is installed it locks the Android’s screen with a fake FBI webpage, which accuses the user of viewing child pornography and zoophilia. The user is then told that in order to unlock the screen, they must pay a ransom through MoneyPak. At some point, Koler will also perform its worm behavior and spam all contacts on the infected device with the malicious link, in order to continue the cycle of infection.


How can I keep my Android ransomware-free?


If your device has become infected with Koler, do not pay the ransom!


Unlike other forms of Android ransomware, this wormable Koler variant DOES NOT encrypt your files; it merely locks your screen. You can actually remove the malware by rebooting your device in Safe Mode and deleting the “Photo Viewing App” that was downloaded via Dropbox. Readers who require assistance with this process are encouraged to contact Emsisoft Support.


For additional protection against Koler and other forms of wormable Android malware, you can also consider Emsisoft Mobile Security, which automatically prevents infection from such threats. On top of this, simply avoid clicking mysterious shortlinks, even when they come from friends – especially if those friends are known to frequent some of the… more questionable parts of the web ;)


Have a great (ransomware-free) day!


For additional information on Koler, see this article from Tech World by John E. Dunn.

Tuesday, October 21, 2014

Point of Sale Alert: Staples Investigating Potential Data Breach

Readers who’ve recently shopped at a Staples office supply retail location may want to keep an extra close eye on their credit card balance. Late last night, Brian Krebs – an Internet security journalist who has closely followed and reported on point of sale data breaches throughout 2014 – wrote that a number of banks on the United States’ east coast believe that at least some of the retailer’s locations have been infected with point of sale malware. Locations mentioned in the initial report include Pennsylvania, New York City, and New Jersey; however, it is entirely possible that the breach may extend to all 1,800 U.S. based Staples stores. Staples, Inc. has yet to confirm or deny the breach, but a spokesperson has stated that the company is investigating a “potential issue involving credit card data and has contacted law enforcement.”


If confirmed, this latest breach will add to what is already an unprecedented series of point of sale malware attacks affecting U.S. big-box retailers, which began nearly one year ago with Target and peaked most recently with The Home Depot in a breach that affected approximately 56 million payment cards.


Readers who notice any suspicious credit or debit card activity are urged to contact their provider as soon as possible.


In related news, on October 17th U.S. President Obama signed an Executive Order aimed at the nation's ongoing point-of-sale fraud problem. Under it, all U.S. government credit card transactions will switch to chip-and-PIN technology starting January 1st, 2015, which means upgrading payment terminals at all government retail locations and issuing chip-and-PIN cards to government employees. Chip cards do not stop point-of-sale malware itself, but the card data such malware scrapes from a chip transaction is largely useless for producing counterfeit cards, which removes most of the payoff behind breaches like Target's and Home Depot's. The order is intended to encourage businesses throughout the nation to make the switch as well, and it mentions a number of private sector corporations that have already taken steps to do so, including: American Express, The Home Depot, Target, Visa, Walgreens, and Walmart.


Have a great (breach-free) day!


For initial coverage from Brian Krebs, see Banks: Credit Card Breach at Staples Stores.

Friday, October 17, 2014

Warning: There’s a rabid POODLE running loose in SSL

This Wednesday, researchers at Google published a paper describing a new Internet-wide security vulnerability in version 3 of the Secure Sockets Layer protocol, the protocol used to encrypt traffic between your browser and a web server or your email client and an email server. An attacker who can intercept an SSLv3 connection can use the flaw to decrypt small pieces of it, such as a session cookie, one byte at a time, and a stolen session cookie lets them log into your online account without a password.


POODLE, which stands for Padding Oracle On Downgraded Legacy Encryption, is primarily a concern for users who connect to the Internet through public networks. The attacker needs a man-in-the-middle position (the ability to intercept and modify your traffic, for example on the same public Wi-Fi network) and needs your connection to the server to end up using SSLv3. The good news is that unless you are using technology from about 13 years ago (namely Internet Explorer 6 on Windows XP), your browser will negotiate the more modern TLS protocol, which does not have this weakness. The catch is that browsers of this era retry with older protocol versions when a TLS handshake fails, and an attacker in the middle can deliberately break the TLS handshake to push the connection down to SSLv3. It is this forced downgrade, not genuine SSLv3 use, that gives attackers their real opportunity.
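What the "padding oracle" in the name actually means, as an added example that is not part of the original post or of Google's paper: the block below simulates an SSLv3 receiver and a TLS 1.0 receiver with a throw-away Feistel block cipher (an assumption; any 16-byte block cipher in CBC mode behaves the same way) and a MAC that covers only the record data, then runs the POODLE byte-recovery loop against each. The victim model, the cookie value, the keys and the request layout are all constructed for the demonstration.

```python
import hashlib, hmac, os

BLOCK = 16     # block size of the toy cipher, in bytes
MAC_LEN = 32   # HMAC-SHA256 record MAC

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, blk):
    """Throw-away 4-round Feistel cipher standing in for AES/3DES (an assumption)."""
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def sslv3_encrypt_record(key, mac_key, iv, data):
    """MAC-then-encrypt as in SSLv3: data || MAC || pad bytes || pad length.
    SSLv3 leaves the pad bytes undefined, so they are random here."""
    body = data + hmac.new(mac_key, data, hashlib.sha256).digest()
    padlen = BLOCK - 1 - len(body) % BLOCK
    return cbc_encrypt(key, iv, body + os.urandom(padlen) + bytes([padlen]))

def _mac_ok(mac_key, pt, padlen):
    body = pt[:len(pt) - padlen - 1]
    expect = hmac.new(mac_key, body[:-MAC_LEN], hashlib.sha256).digest()
    return hmac.compare_digest(body[-MAC_LEN:], expect)

def sslv3_record_ok(key, mac_key, iv, ct):
    """SSLv3 receiver: only the pad-length byte is checked. This is the oracle."""
    pt = cbc_decrypt(key, iv, ct)
    padlen = pt[-1]
    if padlen >= BLOCK or padlen + 1 + MAC_LEN > len(pt):
        return False
    return _mac_ok(mac_key, pt, padlen)

def tls_record_ok(key, mac_key, iv, ct):
    """TLS 1.0 receiver: every pad byte must equal the length byte, so the oracle is gone."""
    pt = cbc_decrypt(key, iv, ct)
    padlen = pt[-1]
    if padlen + 1 + MAC_LEN > len(pt) or any(b != padlen for b in pt[-(padlen + 1):]):
        return False
    return _mac_ok(mac_key, pt, padlen)

def make_victim(key, mac_key, secret):
    """Model of the victim's browser (constructed): attacker-controlled script chooses
    the URL length (prefix) and POST body length (suffix) around the cookie, and
    every request is a fresh record with a fresh IV."""
    def send(prefix_len, suffix_len):
        iv = os.urandom(BLOCK)
        return iv, sslv3_encrypt_record(key, mac_key, iv, b"A" * prefix_len + secret + b"B" * suffix_len)
    return send

def poodle_recover(send, oracle, secret_len, max_tries=20000):
    """Recover the secret at roughly 256 requests per byte; None if the oracle never fires."""
    out = bytearray()
    for k in range(secret_len):
        prefix_len = (BLOCK - 1 - k) % BLOCK                       # secret[k] is last in its block
        suffix_len = -(prefix_len + secret_len + MAC_LEN) % BLOCK  # padding becomes a whole block
        t = (prefix_len + k) // BLOCK + 1                          # 1-based index of that block
        for _ in range(max_tries):
            iv, ct = send(prefix_len, suffix_len)
            c = [iv] + [ct[j:j + BLOCK] for j in range(0, len(ct), BLOCK)]
            n = len(c) - 1
            if oracle(iv, b"".join(c[1:n]) + c[t]):   # padding block replaced by C_t
                # accepted => (D(C_t) xor C_{n-1})[-1] == BLOCK-1, and P_t = D(C_t) xor C_{t-1}
                out.append((BLOCK - 1) ^ c[n - 1][-1] ^ c[t - 1][-1])
                break
        else:
            return None
    return bytes(out)

def demo(receiver, max_tries=20000):
    key, mac_key = os.urandom(16), os.urandom(16)
    secret = b"session=s3cr3t"                                   # constructed cookie value
    send = make_victim(key, mac_key, secret)
    return poodle_recover(send, lambda iv, ct: receiver(key, mac_key, iv, ct), len(secret), max_tries)
```

The attack works because SSLv3 checks only the last byte of the padding: moving a ciphertext block into the padding position is accepted about once in 256 tries, and each acceptance leaks one plaintext byte (`demo(sslv3_record_ok)` returns the whole cookie). The TLS receiver checks every padding byte, so the same loop gives up without recovering anything (`demo(tls_record_ok, 2000)` returns None); that, plus disabling SSLv3 so no downgrade is possible, is the whole of the fix.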


Besides acting as yet another nail in the XP coffin, POODLE may spell trouble for users who connect to the Internet through networks outside of their home. The direct fix is to disable SSLv3 in your browser (browser makers are removing it in upcoming releases) and on any servers you administer. If public networks are a regular part of your day and you want to know why vulnerabilities like POODLE are a bigger problem there, check out our recent Security Knowledge article on firewalls, and consider adding a software-based firewall like Emsisoft Internet Security to your armory.


To find out if your browser is vulnerable to POODLE, you can now also navigate to PoodleTest.com.


Have a great (POODLE-free) day!


System administrators looking for technical mitigation measures can find Google's statement on POODLE here; the essentials are disabling SSLv3 on servers and supporting TLS_FALLBACK_SCSV so that a client cannot be tricked into downgrading.

Alert: Microsoft Zero Day from Sandworm Cyberspies!

If you read the tech headlines Tuesday, you might have noticed that there was another “Russian hack.” This time, however, consumers and small businesses weren’t the target. This time, things were political.


Reports indicate the discovery of a brand new zero day vulnerability affecting all supported versions of the Windows operating system. That's Windows Vista through Windows 8.1 (and the corresponding server releases), but interestingly enough not Windows XP. In a nutshell, vulnerability CVE-2014-4114 allows attackers to execute malicious code remotely through shared Microsoft Office documents. In general, "malicious code" means instructions to download and run any sort of malware. In the observed cases, the malware is BlackEnergy, a family that has been used in attempts to steal sensitive information. According to reports, a group of attackers used CVE-2014-4114 to serve BlackEnergy to the Ukrainian government through spear-phishing emails.

[Image: screenshot of a slide from the malicious PowerPoint that leveraged CVE-2014-4114]


More specifically, these emails contained an attached Powerpoint presentation that leveraged the zero day vulnerability. As yet, the extent to which information was exfiltrated from this attack is unknown – however, further investigation has revealed that the attackers in question have been using malware to spy on governments since 2009.


They’re called “The Sandworm Team”


According to independent researchers, September’s spear-phishing campaign was the first time CVE-2014-4114 was used; however, it was not the first time the group that used it has attacked. In fact, researchers claim that the group – known as “The Sandworm Team,” due to their penchant for making references within their code to Frank Herbert’s Dune  – has been targeting a number of governmental organizations for the last 5 years.


Notable targets have included:


  • NATO

  • Attendees of the 2014 GlobSec conference

  • A “specific” yet undisclosed Western European government

  • An undisclosed Polish energy firm

  • An undisclosed French telecommunications firm

In all cases, the method of infection has been the same. Targets are first socially engineered into opening malicious attachments, under the pretense that they contain confidential or valuable political information. In reality, the attachments are weaponized exploits designed to download malware that steals exactly the kind of information the phish promised to provide.


In the specific case of CVE-2014-4114, the vulnerability is not a memory-corruption bug but a design flaw in how Windows handles OLE objects embedded in Office documents. The malicious PowerPoint contains an object that points at a file on a remote Windows network share; when the presentation is opened, Windows fetches the file over the Internet and executes it, which is all the attackers need to install their malware.

[Image: Windows network share operated by The Sandworm Team]


What is concerning about this exploit in particular is that the zero day countermeasures usually recommended, such as Microsoft's Enhanced Mitigation Experience Toolkit, do not protect unpatched systems: EMET hardens programs against memory-corruption exploits, and this attack involves none, it simply asks Windows to do something it is designed to do. Furthermore, the malicious server in use actually appears to be located in Stockholm, Sweden, despite claims that The Sandworm Team is Russian.
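A check a mail gateway or an analyst can run on an incoming Office document for the pattern described above, as an added example that is not code from the original post or from iSIGHT: it opens the OOXML archive (.pptx, .ppsx, .docx and .xlsx are zip files) and reports relationships in the document's .rels parts that point an OLE object at an external target, plus any embedded object parts, which is also where an embedded package of the kind used against CVE-2014-6352 would sit. Ordinary external hyperlinks are left alone. The sample presentation is constructed inline, using an address from the RFC 5737 documentation range rather than the Sandworm team's real share.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
REL_PART = "ppt/slides/_rels/slide1.xml.rels"            # sample part name (constructed)
SAMPLE_TARGET = r"file://\\192.0.2.10\public\slides.inf"  # documentation-range address, not the real share

def _points_off_document(target):
    """UNC path or file: URL, i.e. a target that makes Windows reach out to a share."""
    t = target.strip().lower()
    return t.startswith(("\\\\", "file:"))

def find_ole_indicators(blob):
    """Scan an OOXML document and return (part, detail) findings:
    - a relationship with TargetMode="External" that either is an OLE object
      relationship or points at a UNC/file: path (plain web hyperlinks are not flagged);
    - an embedded object part under an embeddings/ folder."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if name.endswith(".rels"):
                root = ET.fromstring(zf.read(name))
                for rel in root.iter(REL_NS + "Relationship"):
                    target = rel.get("Target", "")
                    is_ole = rel.get("Type") == OLE_REL_TYPE
                    if rel.get("TargetMode") == "External" and (is_ole or _points_off_document(target)):
                        kind = "oleObject" if is_ole else "relationship"
                        findings.append((name, f"external {kind} target {target}"))
            elif "/embeddings/" in name:
                findings.append((name, "embedded object"))
    return findings

def _rels_xml(relationships):
    body = "".join(
        f'<Relationship Id="rId{i}" Type="{typ}" Target="{target}"{mode}/>'
        for i, (typ, target, mode) in enumerate(relationships, 1))
    return f'<Relationships xmlns="{REL_NS[1:-1]}">{body}</Relationships>'

def sample_pptx(malicious):
    """Constructed presentation skeleton; only the parts the check reads are present."""
    image_type = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
    link_type = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
    rels = [(image_type, "../media/image1.png", ""),
            (link_type, "https://example.com/agenda", ' TargetMode="External"')]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        if malicious:
            rels.append((OLE_REL_TYPE, SAMPLE_TARGET, ' TargetMode="External"'))
            zf.writestr("ppt/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 12)
        zf.writestr(REL_PART, _rels_xml(rels))
    return buf.getvalue()

if __name__ == "__main__":
    for part, detail in find_ole_indicators(sample_pptx(True)):
        print(f"{part}: {detail}")
```

An external OLE target is rare enough in legitimate documents that blocking on it is reasonable; embedded objects are common in real presentations, so that finding is better used to route the file for closer inspection than to block outright.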


Protecting yourself from this zero-day


As an Emsisoft user, the most important thing you need to know about CVE-2014-4114 is that you are protected. As soon as the news broke, our analysis team began testing the BlackEnergy payload served by the zero day exploit. They found that Emsisoft's Behavior Blocking technology prevents BlackEnergy from executing automatically, without any user intervention required.


Despite the fact that you may just be an everyday user – without confidential, governmental documents saved on your computer – protecting yourself from this attack is still important. In the hours that follow any zero day disclosure, copycat cybercriminals will often emulate the reported attack to send out malware before the issue is patched. Utilizing a proactive anti-malware that can prevent infection from unregistered threats is one of the best ways to avoid this. Of course, not opening shady emails helps a lot too.


In the specific case of CVE-2014-4114, it is fortunate that the researchers who found it disclosed it responsibly. October 14th was Microsoft's "Patch Tuesday", the day on which all supported operating systems receive their monthly updates, and thanks to that coordination a patch for the zero day was included. For anyone using Emsisoft, this means that no direct action is required: simply allow your computer to update the next time it asks to. In the meantime, we'll have your back.


Have a great (Sandworm-free) day!


For the original disclosure, see iSight's post on Sandworm.

Tuesday, October 14, 2014

Android Alert: Selfmite spams all your contacts through SMS

Texters beware: there’s a new variant of the Selfmite Android malware that aggressively circulates through SMS. Unlike earlier incarnations, however, Selfmite is now able to spam every single person in your contacts list through SMS messaging, in a continuous loop. This means that if you become infected, and you don’t have unlimited SMS messaging as part of your monthly plan, you could end up footing a very large bill.


How does Selfmite get on your Android?


Selfmite is an Android worm that spreads through spam. Though its origin is unknown, the malware is now spreading through malicious shortlinks sent from one infected Android to another uninfected Android. If an uninfected user clicks on a received link, they are brought to a website that asks them to download an APK file. This file is Selfmite, and if you proceed with installation you will become infected.


What happens when you’re infected?


Once a device is infected by Selfmite, it will automatically begin to spam every single person in the device’s contact list with links to download the malware, and it will continue to do so in a loop. Reports indicate that, on average, infected devices send about 1,500 Selfmite messages. In addition to worming itself among your friends, the malware also installs two new icons on your home screen. Both icons lead to websites of legitimate pay-per-install products. If you go to one of these sites and install an app, the distributors of Selfmite make a small profit. Ultimately, this small profit multiplied by 1000s of infected users is what Selfmite’s authors are after.


How can I keep my Android Selfmite-free?


Selfmite currently has a global reach. The original shortlinks that were used in its spam were created using GoDaddy’s x.co shortener, however GoDaddy has become aware of this abuse and has disabled the malicious links that were in use. This latest variant of Selfmite is flexible, though. Spammed links can be changed remotely through a configuration file, at any time. This means that Selfmite is still an active threat.


To avoid infection, avoid clicking on mysterious shortlinks received through SMS. In general, it is also good practice to avoid installing any APK that comes from an unknown source, such as the one proffered by Selfmite. If you believe you have become infected by Selfmite, please don’t hesitate to contact Emsisoft Support. As a courtesy to your contacts, you may also want to consider turning off your device until malware removal begins, or at least warn your friends of incoming spam.


Users running Emsisoft Mobile Security are automatically protected from this threat.


Have a great (mite-free) day!


For more information on Selfmite, see this article from PCWorld.

Watch out for this new iPhone infrared pin number hack

Yet another fine example of how cybercriminals exploit cool new technology for personal gain.



Basically, companies are now selling inexpensive infrared cameras that you can snap onto the back of your iPhone, and someone very clever realized that the non-metallic input keys found on ATMs and point-of-sale card swipers conduct heat. This means – as the video shows – that potentially anyone standing behind you in the checkout line or at the ATM could see which buttons you pressed after you’ve walked away. Since the amount of conducted heat present in a button fades over time, and since the camera uses different colors to represent different temperatures, a person with one of these devices could also determine in what order the numbers were pressed, and so steal your PIN.


At first glance, this is scary stuff. Spy stuff. The type of stuff you see in movies. What’s even scarier, though, is that beyond debit card PINs, the camera could also be used to steal access codes to security doors or safes.


Fortunately, prevention is simple: just rest an extra finger on extra buttons to leave a heat mark, but don’t press them. In the case of debit card PIN theft, it’s also important to note that a PIN is essentially useless on its own. A random stranger won’t be able to use your debit card without the actual card (or number, if they have the ability to manufacture a fake). This should mitigate a lot of the potential theft from wannabe-spy-hackers who see this video and go out and buy themselves a new toy. The hack could gain traction among acquaintances, though. If someone sees you on a daily basis, knows your routine, knows where you keep your debit card, knows where you shop, and doesn’t really consider themselves your friend, how hard would it be for them to pull this one off and pocket an extra $500 at your expense?


It might seem like a long shot, but this may be one to keep in mind the next time you check out with debit or visit the ATM. If someone at the office starts bragging about their awesome-new-infrared-iPhone-cam, it might also be wise to keep an eye on them ;)


Have a great (cybercrime-free) day!

Friday, October 10, 2014

Privacy Alert: Adobe’s Digital Editions eReader is tracking what you read


Do you use Adobe Digital Editions to manage your eBook collection? If so, you might be sharing a little more about yourself with the company (and potentially others) than you’d want to or expect. Earlier this week, Hoffelder, a writer from the eBook community, published an article on his blog claiming that the eBook and PDF reading software is logging every single document its users add to their hard disks, tracking what users do with documents after they are opened, and sending all of this information back to Adobe in unencrypted, plaintext form. Shortly after Hoffelder published this article, his claims were confirmed by an article from Ars Technica.


Adobe has denied Hoffelder’s claim that Digital Editions scans a user’s entire eBook library, but they have confirmed that the software does track information related to open eBook usage – including where the book is being read, how long it has been opened, and how many pages you’ve gotten through. The company has also acknowledged the issue of information being transmitted in plaintext form and states they are working on a patch.


Regardless of whether the software actually does scan its users’ entire libraries, many believe that the information Adobe does admit to tracking is still too much and are even comparing the issue to the Sony rootkit scandal of 2005. The fact that the software transmits data in plaintext form also makes it accessible to anyone who knows how to monitor network traffic. It’s this last part that is a legal problem, because there are laws that protect reader privacy – and brick-and-mortar libraries using Digital Editions for eBook sharing need to follow them.


The takeaway from all of this?


If you are using software, you need to remember that your computer – and potentially any information held on it – is interacting with other computers owned by that software company. In the interest of personal privacy, you should always know to what extent this interaction occurs.


Have a great (privacy-protected) day!

Attack of the Qbot: 6 years, 800,000 online banking transactions sniffed


What’s been around for 6 whole years, has infected roughly 500,000 Windows-based PCs, and has intercepted information from over 800,000 online banking transactions, including account credentials? Zeus? Guess again. iBanking? Nope. Dyre? No, it’s not that one either – although it does have an equally unusual name. This time around, the culprit is called Qbot, and according to researchers it’s a highly successful botnet operation specifically targeting people who use older versions of Windows in the United States and Europe.


What is Qbot?


Qbot is a family of malware that spreads through compromised WordPress sites. Once these sites are compromised, they are reprogrammed to exploit visiting computers that contain application vulnerabilities. Once these vulnerabilities are exploited, the computer is instructed to download Qbot, a malicious program that connects the machine to a botnet and that can steal banking credentials.


Who’s at risk?


According to recent reports, Qbot has an eye for the outdated. Since 2008, 52% of observed infections occurred on Windows XP, 39% on Windows 7, and 7% on Windows Vista. In all that time, 59% of Qbot banking interceptions occurred when a user accessed the website of one of the 5 largest banks in the United States.


Every Q needs a U – Don’t become one


Qbot is currently alive and well, with 75% of its 500,000 infected bots residing in the United States.


With headlines reading that the security of nearly 83 million JPMorgan Chase accounts has been compromised by Russian hackers and that 56 million people who shopped at Home Depot between April and September 2014 will need to get a new credit card, 500,000 might not seem like a lot. But a stolen banking password is still a stolen banking password, and in addition to credential theft Qbot also allows attackers to rent out your computer to cybercriminals looking for a zombie horde to commit malicious deeds (think spam or taking down a competitor’s website by overloading it with traffic).


What can you do to stay protected?


Well, a quick look at the stats should make the steps to prevention pretty clear. Don’t run an outdated OS filled with applications that haven’t been updated in years… and if you do, don’t use it to bank online. If you’re unfamiliar with why doing so is generally unsafe, we’d recommend this article on application vulnerabilities. After that, you can also check out the Emsisoft Security Knowledgebase to learn How to perform online-banking securely.


Want an automated solution instead? Then check out the brand new Emsisoft Internet Security. It can block Qbot variants in 3 different ways and also features an online banking mode specifically designed to harden browser software against vulnerabilities the malware attempts to exploit.


Have a great (Qbot-free) day!


For more on Qbot, see this recent featured article from SC Magazine.

Wednesday, October 8, 2014

Apps like StealthGenie make mobile spyware accessible to anyone


We take our smartphones with us, basically everywhere. They are our personal assistants, our thought banks, our communicative links to others in our world. 22% of the world’s population uses a smartphone – and thanks to this awesome technology, all of those people are able to connect. There is a dark side to smartphones, though. A very dark side indeed. It’s the side where that go-everywhere, do-everything device you carry around nearly 24 hours a day becomes completely accessible to someone else, without your knowledge or consent. And it’s not just malware fiction. It’s real.


Maker of StealthGenie spying app indicted by U.S. law enforcement


Right now, in Virginia, there is a federal indictment being brought against a man named Hammad Akbar for creating and selling a mobile spying app called StealthGenie. Akbar has been arrested by authorities for not only violating federal wiretapping laws, but also actively marketing his product to people who don’t own the targeted device – i.e., “people looking to surreptitiously monitor their spouse or romantic partner.”


What, exactly, do we mean when we say monitoring?


  • Secretly recording mobile phone calls

  • Secretly siphoning text messages

  • Secretly collecting emails

  • Secretly accessing a device’s address book, calendar entries, photos, and videos

  • Secretly turning on a device’s microphone, to monitor conversations up to 15 feet away

Akbar is being indicted because he created and marketed a mobile spyware app. This is not much different from what companies like The Hacking Team and FinFisher do when they sell surveillance malware to governments. And yet, the makers of governmental malware do not currently face any legal repercussions at all.


Mobile. Malware. Morality.


Legally speaking, malware is a shotgun.


You can manufacture it, and you can sell it, but you have to be really careful about how you market it. “Shotguns for sale for your next murderous rampage!” doesn’t really fly in banner ads, but “Shotguns for Home Defense” does. Similarly, you can’t say, “Malware to spy on your cheating ex-”, but you can say, “Malware to monitor your children.”


As we all know, however, people use both shotguns AND malware for purposes other than their marketed use.


This use-outside-of-marketed-purpose is the real problem, and it’s why both malware and guns are so controversial. U.S. feds are pursuing StealthGenie because their marketing department goofed up. This is no doubt a positive development. There are plenty of other companies that will continue to create – and more subtly market – mobile spyware technologies, though. And individuals who wish to use such technologies will continue to do so – both with and without malicious intent.


Is spyware ever legitimate?


Should companies that make such technologies for monitoring employees, or children, or the elderly, be legally allowed to do so when their products are also used by others to secretly monitor anyone else whose smartphone they have physical access to?


Is this StealthGenie advertisement seriously real!?



Imagine what it would be like if your spouse, or your ex-, or even a college roommate decided to watch everything you did with your smartphone. Is that not creepier – and perhaps even more dangerous – than a government that keeps an eye on its citizens’ Internet behavior in the interest of national security?


Smartphone spyware like StealthGenie is just about as close to invisible mind reading as you can get. Legal authorities should be commended for indicting Akbar, but the publicity surrounding this indictment needs to be treated as a wake up call. Hacking and tracking is no longer the realm of shadowy geeks with decades of technical expertise, and it’s no longer just the government playing with the big guns. Mobile spyware is cheap, real, and so easy to use that anyone can pull the trigger.


Don’t rely on governmental intervention alone to prevent it. Get protected.

Tuesday, October 7, 2014

Researcher claims Yahoo! servers have been compromised using Shellshock



Early reports are indicating that at least two Yahoo! web servers have been hacked through use of the critical Shellshock Bash Bug.


Yahoo! has yet to release an official statement on the matter; however, an analysis of the issue has been published by independent security researcher Jonathan Hall. According to Hall, Romanian hackers have used Shellshock to compromise the Yahoo! web servers and explore the company’s network. Hall writes that the attackers appear to be working towards accessing the Yahoo! Games servers, access which could potentially allow them to serve malware to millions of users. In addition to Yahoo!, the researcher also states that the hackers have compromised WinZip.com and Lycos.


As an immediate precaution, Emsisoft recommends that all Yahoo! users change their password as soon as Yahoo! confirms that the breach has been closed – that is, of course, if Hall’s findings are indeed true.


For more information, see the researcher’s statement and technical analysis.


Have a nice (malware-free) day!

Friday, October 3, 2014

Banking Alert: JPMorgan Chase Hack Affects Over 76 Million Accounts

Thursday evening, JPMorgan Chase confirmed a system compromise by hackers that affects approximately 76 million households and 7 million small businesses. According to the official statement, both customer contact information and “internal JPMorgan Chase information” relating to users has been compromised.


There is currently no evidence that suggests account information, such as account numbers, passwords, user IDs, dates of birth, or social security numbers, was compromised. The bank also states that they have not found any instances of customer fraud related to the hack.


The extent of this intrusion makes it one of the largest financial data breaches in U.S. history, and the confirmed count of affected customers dwarfs the company’s original estimate of roughly 1 million when the hack was first discovered in July 2014. Speculation as to who carried out the attack currently points to hackers from Southern Europe, with possible ties to the Russian government.


For the full report, see The New York Times. For additional precaution, Emsisoft recommends that any JPMorgan Chase customer reading this alert change their password as soon as possible.


Have a great (cybercrime-free) day!

Trouble Ahead: BadUSB exploit code has been made public



Remember BadUSB? The proof-of-concept exploit from about 2 months ago that demonstrated that USB firmware could be reprogrammed to act as malware? Well, now the code that makes this possible has been released into the wild.


Researchers Adam Caudill and Brandon Wilson have published code that can make USB firmware act as a keyboard, which can issue malicious commands to any computer to which it connects. The researchers state that they have done so to place pressure on USB manufacturers so that the issue is fixed. Of course, as a side effect, the code is now freely available to malware writers and hackers around the world.


In an interview with Wired, the researchers also mention that they are working on an exploit that could invisibly inject malware into files that are copied from a USB drive to a computer. Such malware would then also be able to infect any other USB drive that connects to the infected computer. Furthermore, because it would exist in the invisible-to-user firmware portion of the device, instead of the flash memory, this malware would be extremely difficult for most people to detect, let alone remove. As yet, Caudill and Wilson have not released this more serious exploit, and do not know if they ever will, because it would likely lead to a “USB-carried malware epidemic.”


Now that at least one type of exploit has been made public, though, it is likely that it will be adopted for malicious use. For this reason, we can only recommend USB file sharing with extreme caution – if at all – and only in conjunction with an anti-malware product that can block previously unknown threats through behavior blocking technology.


Have a nice (malware-free) day!

So now the police are handing out spyware, for free…

Have you ever wanted to use malware, but were too afraid of all the hackers and underground forums? Do you want to spy on your children, your spouse, your neighbors, and your friends? Have you ever thought to yourself, “Man, if only there were a free and easy way to log all keystrokes and pass them in unencrypted plaintext to a third-party server so that anyone with the inclination could intercept the transmission and spy on my children without my consent”? Well, have we got a spyware for you!



ComputerCOP? That’s right, Computer-COP. And no, this isn’t just a parody of cheesy TV marketing circa 1996 – it’s real.


Ever vigilant, the Electronic Frontier Foundation has published nothing short of an indictment against the makers of the ComputerCOP Internet Safety software, a program that’s been distributed for free by approximately 245 U.S. law enforcement agencies in 35 states, to help parents keep their children safe online. The kicker? Well, in addition to featuring a near useless search function designed to find “bad words,” a browser monitor that only works on Internet Explorer and Safari, and a “bad image” finder that has a hard time discerning between desktop icons and boobs, premium versions of ComputerCOP come fully loaded with a keystroke recorder – that transmits logged information to third-party servers… in plaintext form.


What this means is that anyone who wants to computer-spy on anyone else need only walk on down to the local police station and obtain the tool to do it, for free. Oh, and when you use it, you may also unknowingly be sharing what you find with your friendly neighborhood hacker, if they happen to be bored that day and are sniffing local networks for unencrypted goodies.


But wait! There’s more…


Got an extra $42,000 in cash laying around from that last drug bust? Why not send a copy of ComputerCOP to every parent in the county, and why not print the most photogenic portrait of the county sheriff you have right smack dab on the label of the disc?!


Source: Electronic Frontier Foundation


Yeah. That’s actually happening, too. And the icing on the cake is that ComputerCOP is actively marketing its product to law enforcement agencies as the “perfect election and fundraising tool,” using fraudulent endorsements from the U.S. Dept. of the Treasury, the American Civil Liberties Union (ACLU), and the National Center for Missing and Exploited Children (NCMEC).


As of today, the EFF estimates that anywhere from a few hundred thousand to more than a million copies of ComputerCOP have been purchased by law enforcement agencies across the United States. Emsisoft does not endorse setting fire to any of these copies that you might find, but if you happen to see ComputerCOP in use we trust you’ll know what to do.


For the full story, see the Electronic Frontier Foundation’s Deep Links Blog.


Have a great (subsidized-spyware-free) day!

Thursday, October 2, 2014

Ransomware Alert: Digitally Signed CryptoWall through Malvertising



Earlier this week, independent researchers uncovered a malicious advertising, or “malvertising,” campaign serving a digitally signed variant of the CryptoWall ransomware through banner ads found on a number of Alexa top 15,000 websites. Affected sites included:


  • hindustantimes[.]com

  • bollywoodhungama[.]com

  • one[.]co[.]il

  • codingforums[.]com

  • mawdoo3[.]com

Users who visited affected sites and clicked on malicious ads were redirected to a website serving an exploit kit designed to look for and take advantage of vulnerabilities in common browser plug-ins and applications. If and when vulnerabilities were found, CryptoWall would be installed and the currently undecryptable ransomware would execute, encrypting the computer’s files and demanding payment for recovery.


Are Emsisoft Users Protected from this Threat?


Yes. Emsisoft users are protected from malvertising attacks and CryptoWall in a number of ways.


Our 3-layered protection approach:


  1. Prevents users from visiting websites that serve malware, such as ones you could be redirected to by clicking on a malicious ad.

  2. Recognizes over 100 million malware signatures using a database that is updated 24 times per day.

  3. Utilizes Behavior Blocking technology to recognize derivative malware patterns, if 1) and 2) should ever fail.

Additionally, Emsisoft was one of the very first vendors to detect this new CryptoWall variant. PCWorld reports that initial vendor detection rates on VirusTotal.com were close to 0/55, but Emsisoft detection was actually registered in a mere matter of hours.


What Should I do if I have a CryptoWall infection?


CryptoWall is currently recognized as the most destructive ransomware threat on the Internet today. There is currently no known way to recover encrypted files without paying the ransom to cybercriminals – and even this method is not guaranteed. If your computer has become infected with CryptoWall, Emsisoft does not recommend paying the ransom unless you absolutely must recover the files.


Sometimes, partial recovery is possible. Instructions on how this works have been published by Bleeping Computer, and can be found here. Anyone who needs assistance walking through these instructions is encouraged to contact Emsisoft Support.


In addition to using an anti-malware product that offers real-time protection, the risk of CryptoWall malvertising can be greatly reduced by regularly updating every application that you use and keeping backups of your most important files on an external drive (since ransomware is meaningless if there’s nothing left to ransom).


Have a great (CryptoWall-free) day!