Category: Virus


Symantec Corp said a 2006 breach led to the theft of the source code to its flagship Norton security software, reversing its previous position that it had not been hacked.

The world’s biggest maker of security software had previously said that hackers stole the code from a third party, but corrected that statement on Tuesday after an investigation found that Symantec’s own networks had been infiltrated.

The unknown hackers obtained the source code, or blueprint for its software, to Norton Antivirus Corporate Edition, Norton Internet Security, Norton Utilities, Norton GoBack and pcAnywhere, Symantec spokesman Cris Paden said.

Last week, the hackers released the code to a 2006 version of Norton Utilities and have said they planned to release code to its antivirus software on Tuesday. It was not clear why the source code was being released six years after the theft.

Source code includes instructions written in computer programming languages as well as comments that engineers share to explain the design of their software. For example, a file released last week from the source code of a 2006 version of Norton Utilities included a comment that said “Make all changes in local entry, so we don’t screw up the real entry if we back up early.”

Companies typically heavily guard their source code, which is considered the crown jewels of most software makers. At some companies access is granted on an as-needed basis, with programmers allowed to view code only if it is related to the tasks they are assigned.

The reason for all the secrecy is that companies fear rivals could use the code to figure out the “secret sauce” behind their technology and that hackers could use it to plan attacks.

Paden said that the 2006 attack presented no threat to customers using the most recent versions of Symantec’s software.

“They are protected against any type of cyber attack that might materialize as a result of this code,” he said.

Yet Laura DiDio, an analyst with ITIC who helps companies evaluate security software, said that Symantec’s customers should be concerned about the potential for hackers to use the stolen source code to figure out how to defeat some of the protections in Symantec’s software.

“What we are seeing from Symantec is ‘Let’s put the best public face on this,’” she said. “Unless Symantec wrote all new code from scratch, there are going to be elements of source code in there that are still relevant today.”

Symantec said earlier this month that its own network had not been breached when the source code was taken. But Paden said on Tuesday that an investigation into the matter had revealed that the company’s networks had indeed been compromised.

“We really had to dig way back to find out that this was actually part of a source code theft,” he said. “We are still investigating exactly how it was stolen.”

Paden also said that customers of pcAnywhere, a program that facilitates remote access to PCs, may face “a slightly increased security risk” as a result of the exposure.

“Symantec is currently in the process of reaching out to our pcAnywhere customers to make them aware of the situation and to provide remediation steps to maintain the protection of their devices and information.”

Ryan: This is one of the reasons I had been telling people for years not to use Symantec programs. I knew they had been hacked because viruses had been disabling Norton on machines I had been fixing, and I was seeing a big trend with this.

Source: Reuters / Yahoo! News

Android has had its fair share of malware problems. Whenever malware is detected, Google reacts swiftly and removes it. However, according to security researcher Neil Daswani, around 8% of the apps on the Android Market are leaking private user data.

Neil Daswani, who is also the CTO of security firm Dasient, says that his team studied around 10,000 Android apps and found that 800 of them leak the user’s private information to an unauthorized server. Daswani is scheduled to present the full findings at the Black Hat conference in Las Vegas, which starts on July 30th.

The Dasient researchers also found that 11 of the apps they examined were sending unwanted SMS messages.

Google needs to take charge

This malware problem on Android has become too much. One of the main reasons we see malicious apps in the market is the lack of regulation of the apps that get into the Android Market.

Sure, the lack of regulation can be good. It means that developers can make their apps without worrying if Google will accept their apps or not. It fits into the pre-existing application distribution model where anyone can develop and publish their own apps.

However, this comes at a price – the malware problem. Yes, most of the problems with these malicious apps can be avoided if only users read the permission requirements of the apps. But, what percentage of the users actually read the permission requirements of all the apps they download?

I think it is time that Google made approval of apps a requirement before they get into the Market. They do not need to do it like Apple, but a basic security check before an app gets on the market would be nice.

If nothing is done about this and the problem is allowed to grow, it will end up killing the platform.

Ryan: I’ve been using Lookout Mobile Security on Android OS for a while now and it appears to be working great. You can find it here.

Source: Digitizor

One of the most malicious types of malware out there is the fake anti-virus. These programs get onto your machine, pose as anti-virus software, and warn you that your computer is full of viruses and needs to be cleaned. Of course, it gets “cleaned” by entering your credit card number to buy the “anti-virus program.” Most people aren’t fooled by these programs, but they’re nasty anyway, since they often make it difficult to access your real anti-malware programs.

Well, if you use Firefox on a Windows PC to surf the web, be warned. There’s a new species of Fake Anti-Virus malware targeting Firefox users. Sophos reports that it directs you to a screen that looks exactly like Windows Update — except that when you click the button to update your computer, you get a nice, tasty dose of malware instead.

The page is nearly an exact replica of the real Microsoft Update page with one major exception… It only comes up when surfing from Firefox on Windows. The real Microsoft Update requires Internet Explorer.

The same site was also hosting the traditional Windows XP explorer scanner we have seen for years, as well as a new Windows 7 scanner.

Similar to spam messages that have corrected their grammar and use correct imagery and CSS, the attackers selling fake anti-virus are getting more professional.

They use high-quality graphics and use the User-Agent string sent by the browser to customize your malware experience.

As always when surfing the web, be leery if something pops up, and always verify which site you’re downloading a file from, especially if you didn’t initiate the download.

Source: Forbes

Scammers are distributing fake security software aimed at the Mac by taking advantage of the news that al-Qaeda leader Osama Bin Laden has been killed by U.S. forces, a security researcher said today.

A security firm that specializes in Mac software called the move “a very big step forward” for malware makers targeting Apple’s users.

Phony antivirus software, dubbed “rogueware” by security experts, has long plagued people running Microsoft Windows, but this is the first time scammers have targeted the Mac with a sophisticated, professional-looking security application, said Peter James, a spokesman for Intego, a Mac-only antivirus company headquartered in France.

“This is indeed a very big step forward for Mac malware,” said James.

The program, dubbed MAC Defender, is similar to existing “rogueware,” the term for bogus security software that claims a personal computer is heavily infected with malware. Once installed, such software nags users with pervasive pop-ups and fake alerts until they fork over a fee to purchase the worthless program.

Until now, rogueware has been exclusively targeting Windows PCs.

That’s changed, according to Kurt Baumgartner, a senior malware researcher with Moscow-based Kaspersky Lab, who today said that one group distributing MAC Defender has also been actively spreading Windows rogueware.

“They have been revving up for this for months,” said Baumgartner of the work to prep MAC Defender.

Last month, Baumgartner had reported that “.co.cc” domains — which are often used to spread malware and host attack code-infected Web sites — had begun to host fake security sites and deliver the “Best AntiVirus 2011” rogueware.

During his early-April sweep through the .co.cc domains, Baumgartner found a URL explicitly aimed at Macs: “antispyware-macbook(dot)co(dot)cc”.

“It is very odd that this group is marketing ‘Fast Windows Antivirus 2011’ from ‘macbook’ domains,” Baumgartner said at the time in a blog post.

Today, Baumgartner said that a group using .co.cc domains was serving up fake security software for Macs as part of a broader campaign to trick Windows users into downloading and installing phony programs.

That campaign is currently exploiting the hot news topic of Bin Laden’s death to get people to click on links that redirect their browsers to the rogueware downloads. The scammers have used “black hat” SEO (search engine optimization) tactics to push links to rogueware higher on Google Images’ search results.

But that’s not the only way Mac owners have been duped into installing MAC Defender.

On Saturday — the day before President Obama announced the killing of Bin Laden — messages from infected users began appearing on Apple’s support forums.

“What is macdefender and why is it trying to install itself on my computer?” asked someone identified as “wamabahama” on April 30.

“FYI, my daughter said the program started after clicking on a ‘hair style photo,’” added “Mr. Fix It Home Services” on the same support thread. Others reported stumbling upon MAC Defender after searching for images of prom tuxedos or for pictures of a character in the movie “Princess Bride.”

On Monday, Intego published a detailed advisory about MAC Defender, noting that it was “very well designed, and looks professional.”

Intego spotted MAC Defender and acquired samples on Saturday, said James, who pointed out that users must enter their administrative password to install the program. “So there’s still a social engineering angle here,” he said.

In fact, users see a generic Windows-oriented page when they first click a link to the rogueware. “They’re not even getting a Mac-specific page,” James said.

But unless users have Safari set not to automatically open files after downloading, MAC Defender’s installation screen opens without any user action. That’s been enough to con some into approving the install by typing their administrative password.

The program also relies on an unusual technique to make users pay up.

“Every few minutes, it opens a porn page in the browser,” said James of MAC Defender. “We think they’re doing this because most people will assume that that means they’ve got a virus on their Mac, and they need to get rid of it by paying for the program.”

MAC Defender demands $60-$80, depending on whether users select a one-year, two-year or lifetime “license.”

Ironically, there are only eight to 10 serial numbers that MAC Defender accepts, said James, and those are tucked into the binary file — unencrypted — where advanced users may be able to root them out.

James also called out the MAC Defender’s look and feel as an indicator that the criminals are serious about reaping profits from Mac users. “This was done by a very sophisticated Mac interface developer,” James said. “It’s an obvious sign that [scammers] are starting to target Macs. Earlier [scams], such as 2008’s MacSweeper just didn’t bother trying to look professional.”

Intego spotted MacSweeper, a fake Macintosh system cleaning program, in January 2008.

MAC Defender has also created some collateral damage: The rogueware uses the same name as a legitimate German company that develops Mac software.

“A new malware application named MAC Defender (MacDefender.app) for OS X surfaced a few days ago,” warned the MacDefender site. “If you see an application/installer named like this DO NOT DOWNLOAD/INSTALL it. I would never release an application named like this.”

The rogueware’s name choice was probably a twist on “PC Defender” and “Windows Defender,” phrases used in the titles of numerous Windows-based fake AV programs, said James.

Mac users running Safari can prevent MAC Defender from automatically opening after it downloads by unchecking the box marked “Open ‘safe’ files after downloading” at the bottom of the General tab in the browser’s Preferences screen.

Source: ComputerWorld

An Android phone virus has been spotted in China that is aimed at revealing users’ encrypted personal information. NetQin, a global leader in mobile security, warned today that the new malware, called Hong Tou Tou, is specifically aimed at Android devices. Hong Tou Tou was discovered on February 18.

The Hong Tou Tou virus has been discovered in two strains. DB.HongTouTou.A hides behind a legitimate phone app. Once activated, the mobile malware connects to a network in the background and collects and encrypts the user’s private data, including passwords, bank information and credit card information. This private information is sent to a remote server. BD.Hong Tou Tou.B lures users to download and install the app “Dynamic Footprint Wallpaper.” After installation, the virus connects in the background and attempts to collect user data and send it to a remote server.

Android users are encouraged to use NetQin Mobile Anti-Virus 4.6, which can be downloaded at http://www.netqin.com/products/antivirus/. NetQin says the application, with its high scan capability, will fully protect one’s most trusted device.

NetQin also advises smart and responsible smartphone use. Avoid downloading apps that are ‘cracked versions’ or ‘revised versions’, as these may contain the virus. Over ten per cent of the apps on the Android Market were found to be cracked, repackaged or not submitted by the original developer. Download apps only from trusted and reputable sources, and ignore the alternate Android markets. Never accept an application’s requests without knowing the application’s source. Monitor an app’s permission requests closely; an app should never ask for more than what it offers in its official list of features. Be aware of unusual behavior on the device, such as stealthy network connections or SMS messages sent without authorization.

Source: Thinking Clearly

Geinimi, a highly sophisticated Trojan, has been detected in Android devices in China.

However, it appears to be more of a sign of things to come rather than a serious threat to U.S. Android users.

Dubbed Geinimi (a scrambling of “Gemini”) by Lookout Mobile Security, a startup based in San Francisco, the botnet-like Trojan sends location information, device identity and even stored contacts to an unknown server.

According to Lookout co-founder Kevin Mahaffey, the most significant feature of Geinimi is its sophisticated command-and-control mechanism.

“A server can tell the Trojan what it can do, which makes it more advanced than other Android malware we’ve seen,” he said.

The mobile Trojan has been found in apps infected and repackaged to look like legitimate apps, and uploaded onto Chinese third-party app stores. Infections have been found in games like “Monkey Jump 2,” “Sex Positions,” “President vs. Aliens,” “City Defense,” and “Baseball Superstars 2010.”

GetJar and Android Marketplace have not reported any cases yet.

One quick and dirty method for detecting mobile Trojans, Mahaffey says, is to learn what permissions an app should need and compare them to what the downloaded app actually asks for. For instance, if the app’s description only mentions requests for age and gender, a red flag should go up if the downloaded app suddenly asks for your home address, too.

Although the Geinimi Trojan has yet to land in the U.S., Mahaffey warns smartphone users not to get lazy about protecting their phones as mobile malware becomes increasingly sophisticated.

“Attackers are still figuring it out on the mobile landscape,” he said. “There’s a lot of sophistication for PC malware, but smartphone users need to start protecting their phones as they do their computers.”

For starters, Mahaffey advises people to use the same level of discernment towards smartphone downloads as they would with PC downloads.

“People probably wouldn’t download software from nefarious Web sites,” he said. “Same thing with mobile apps—be careful where you download mobile apps from. Look at developer ratings, user reviews of the app.”

Source: PC Magazine

Researchers Take Down Koobface Servers

Security researchers, working with law enforcement and Internet service providers, have disrupted the brains of the Koobface botnet.

Late Friday afternoon, Pacific Time, the computer identified as the command-and-control server used to send instructions to Koobface-infected machines was offline. According to Nart Villeneuve, chief research officer with SecDev Group, the server was one of three Koobface systems taken offline Friday by Coreix, a U.K. Internet service provider. “Those are all on the same network, and they’re all inaccessible right now,” Villeneuve said Friday evening.

Coreix took down the servers after researchers contacted U.K. law enforcement, Villeneuve said. The company could not be reached immediately for comment.

The takedown will disrupt Koobface for a time, but for any real effect, much more will have to happen. Machines that are infected by Koobface connect to intermediary servers — typically Web servers that have had their FTP credentials compromised — that then redirect them to the now-downed command and control servers.

Friday’s takedown is part of a larger operation that first started two weeks ago. Villeneuve and his team have notified the ISPs about the compromised FTP accounts, and they’ve also tipped off Facebook and Google to hundreds of thousands of Koobface-operated accounts.

The Facebook accounts are used to lure victims to Google Blogspot pages, which in turn redirect them to Web servers that contain the malicious Koobface code. Victims are usually promised some interesting video on a page designed to look like YouTube. But first they must download special video software. That software is actually Koobface.

Koobface includes several components, including worm software that automatically tries to infect Facebook friends of the victims, and botnet code that gives the hackers remote control of the infected computer.

Koobface has turned out to be a pretty lucrative business since it first popped up on Facebook in July 2008. In a report published Friday, Villeneuve says that the botnet made more than US$2 million between June 2009 and June 2010.

Researchers found data stored on another central server, called “the mothership”, used by the Koobface gang to keep track of accounts. This server sent daily text messages to four Russian mobile numbers reporting the botnet’s earnings totals for the day. Revenue ranged from a loss of $1,014.11 on Jan. 15 of this year to a profit of $19,928.53 on March 23.

Payments were made to Koobface’s operators through the Paymer payment service, similar to eBay’s PayPal.

The gang’s creators would use their hacked computers to register more Gmail, Blogspot and Facebook accounts and steal FTP (File Transfer Protocol) passwords. They also messed up their victims’ search results to trick them into clicking on online ads, generating referral money from advertising companies. More cash came from fake antivirus software that Koobface can sneak onto victims’ PCs.

Almost exactly half of Koobface’s income — just over $1 million — came from the fake antivirus software. The other half came from online advertising fees.

Villeneuve doesn’t identify the Koobface gang in the report, but he thinks that at least one of the members lives in St. Petersburg.

Interestingly, Koobface’s operators could have caused more damage. They could have broken into online bank accounts, or stolen passwords or credit card numbers, but they didn’t.

“The Koobface gang had a certain charm and ethical restraint,” the report states. “They communicated with security researchers about their intents and their desire not to do major harm. They limited their crimes to petty fraud, albeit massive in scale and scope. But the scary part is that they could have easily done otherwise.”

They may not be so friendly with researchers from now on, however.

Villeneuve has handed over information to the Royal Canadian Mounted Police, the U.S. Federal Bureau of Investigation, and U.K. authorities. And the researchers have also notified Facebook, Google and various ISPs about the fraudulent and compromised accounts. They have identified 20,000 fake Facebook accounts; 500,000 fake Gmail and Blogspot accounts, and thousands of compromised FTP accounts used by the gang.

They hope that these activities will disrupt the botnet’s operations, but Villeneuve has no illusions about Koobface being stopped. “I think that they’ll probably start up pretty soon, and they’ll probably try to recover as many of their bots as soon as they can,” he said.

Source: Yahoo! News

Computer security firm Sophos has shot down rumors that a “10/10/10” virus will strike computers at 10:00 a.m. on Sunday — October 10, 2010.

“It’s just the kind of scare that people love to murmur about, and share with their online friends, but I’m afraid it has no basis in fact,” Sophos’ Graham Cluley wrote in a blog post.

“Focusing on particular dates is not the way to keep your computer protected against malware attack,” Cluley said.

“The truth is that there is malicious software which triggers every day of the year — so worrying about one particular date or time is actually counter-productive, as it implies that you should take less care on other dates,” he said.

“The reason why the 10th October has received a little more attention is because of the cute quirk of the numbers reading 10/10/10,” he said.

“But even that’s not a new idea. For instance, in the run-up to March 3 2003, I had to debunk rumours that the Internet would stop working at 03/03/03,” Cluley said.

“The 10/10/10 rumour, just like the 03/03/03 one, is utter codswallop.”

Source: AFP

Mouseover Exploit Spreads Porn on Twitter

Twitter users who read and write using the twitter.com website got a nasty surprise this morning: a JavaScript exploit was causing their accounts to retweet spam and porn, just by dragging their cursor over a link (or in some cases, anywhere on the Twitter.com screen).

The security flaw allowed popups and websites (like porn) to load in your browser just by mousing over infected tweets. Some tweets were even coded in colorful blocks of text to entice users, according to Sophos, the security vendor that discovered the exploit. The problem was confined to Twitter.com’s old interface — not the new Twitter website that launched last week.

Update: Twitter says it has patched the exploit.
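As an added example (not code from the article, from Twitter or from Sophos), here is the pattern that typically underlies a mouseover worm, with the escaping fix beside it. The article does not give the bug’s mechanics, so the attribute-injection cause, the constructed sample tweet and the `x.test` host are assumptions.

```javascript
// Added example, not Twitter's code or code from the article: a naive tweet
// "linkifier" beside a hardened one. It assumes the classic cause of mouseover
// worms: a URL dropped unescaped into an href="..." attribute, so a double
// quote in the tweet text closes the attribute and an onmouseover= follows.

const URL_RE = /https?:\/\/\S+/g;

// Escape the characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE: the raw match is interpolated straight into the markup.
function linkifyVulnerable(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// HARDENED: render one URL match. Parse it with the WHATWG URL parser (which
// percent-encodes characters such as '"' in the path), reject non-http(s)
// schemes, and HTML-escape whatever ends up in the attribute and link text.
function renderLink(candidate) {
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch {
    return escapeHtml(candidate); // not a URL at all: render as plain text
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return escapeHtml(candidate); // e.g. a javascript: scheme is never linked
  }
  const safe = escapeHtml(parsed.href);
  return `<a href="${safe}">${safe}</a>`;
}

// HARDENED: the non-URL segments are escaped too, so no part of the tweet
// reaches the page as live markup.
function linkifySafe(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    out += renderLink(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Heuristic detection for review or log triage: does the rendered markup
// carry an inline event-handler attribute (on...=) inside a tag?
function hasInlineHandler(html) {
  return /<[^>]*["'\s]on[a-z]+\s*=/i.test(html);
}

// Constructed sample tweet (not a payload from the incident): the quote after
// '@' is what breaks out of the href attribute in the naive version.
const SAMPLE_TWEET = 'check this http://x.test/@"onmouseover="void(0)"/ wow';

console.log(linkifyVulnerable(SAMPLE_TWEET)); // onmouseover becomes a live attribute
console.log(linkifySafe(SAMPLE_TWEET));       // stays inert text inside the attribute
```

The same escaping applies to any user text placed in an attribute, not only to links; the heuristic is useful for spotting the result in stored markup, not as a substitute for escaping at render time.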

It seems as though at least most users who read and post with clients using the Twitter API were unaffected — that is, apart from reading a bunch of garbage, linky tweets and retweets from their friends. The mobile version of the website appears to be okay, too.

This reinforces my longstanding belief that web browsers’ only legitimate use on the desktop is for viewing and watching porn (including, naturally, technology-and-gadget porn, like what you find here at Wired.com –TC); client applications, whether on a personal computer or a mobile device, are ideally suited for consuming and exchanging information.

All I’m saying is, if you’re going to buggy, information-hungry websites called things like “twitter.com,” you deserve what you get. Although, on the other hand, employees who are allowed (or professionally compelled) to read Twitter now have a perfect excuse: “No, I wasn’t trying to look at porn at work. Must be another Twitter hack.” Let’s hope the next hack redirects users to fantasy football sites.

Source: Reuters