Tuesday, 24 September 2013

Return of SpamSoldier Spam Bot Threatens Android Community

Android Spam Bot
Is that an Android phone in your pocket, or are you just spewing thousands of spam text-messages? That question has become relevant again with a resurgence of the spam bot dubbed SpamSoldier. Researchers at AdaptiveMobile, a provider of network-level security protection, noticed heightened activity last week after a lull since late 2012. AdaptiveMobile's Cathal McDaid spelled out the danger for SecurityWatch.
Signs of Life
"I'm head of security practices," said McDaid, "and our responsibility is to monitor and detect security threats like this worldwide. We've been monitoring this one for a long time because it caused a lot of spam when it emerged last December." McDaid explained that even a couple of infected devices could send as many as 10,000 spam messages each day. "That's a huge impact on the mobile network," he said, "and huge bills for the victim."
"A few weeks ago," continued McDaid, "we saw some signs that somebody was trying to resurrect the code." Actual evidence of SpamSoldier's return came last week. "We're seeing propagation by email and SMS, said McDaid. "Over the weekend, some of the devices we're monitoring went active and tried to contact new Command and Control servers." In other words, it's baaaack!
Simple Propagation
The actual working of the bot is quite simple. It spews out spam messages like "Download the Newest version of Angry Birds for Android phones for free at hxxp://[MALICOUS DOMAIN]gg.biz." Unwitting dupes who click the link may actually get the game installed. They also get a malicious bot that takes orders from the SpamSoldier Command and Control servers.
Periodically the C&C server will send a new spam messages template and a list of target numbers. At that point the bot goes into action, and a new round of infection begins.
The Good News
According to an AdaptiveMobile blog post about the revivified SpamSoldier, the new bot-herders aren't doing such a good job. The post states that "none of [the malicious APK files] was working due to the C&C server not being correctly set up" and goes on to say that "it seemed the spammers were struggling with repackaging the malware, and setting up the C&C server."
McDaid confirmed that the bot "can do more than what it's done so far. Right now it's just sending spam." He speculated that the bot-herders might work on monetization by driving traffic toward affiliate sites, or scam sites. But don't worry. "We're right there in the mobile operator's networks," said McDaid. "That's how we can block these types of spam and these types of messages before they get to the customers."
Not surprisingly, McDaid advised caution. "If someone is offering free games, don't trust them," he said. "Be suspicious. Only install apps from recognized sources. These apps are NOT on Google Play!" "We were happy to catch this at an early stage," concluded McDaid.

Cybercriminals offer anonymous mobile numbers for ‘SMS activation’, video tape the destruction of the SIM card on request

For years, cybercriminals have been abusing a rather popular, personally identifiable practice, namely, the activation of an online account for a particular service through SMS. Relying on the basic logic that a potential service user would not abuse its ToS (Terms of Service) for fraudulent or malicious purposes. Now that it associates a mobile with the account, the service continues ignoring the fact the SIM cards can be obtained by providing fake IDs, resulting in the increased probability for direct abuse of the service in a fraudulent/malicious fashion.
What are cybercriminals up to in terms of anonymous SIM cards these days? Differentiating their UVP (unique value proposition) by offering what they refer to as “VIP service” with a “personal approach” for each new client. In this post, I’ll discuss a newly launched service offering anonymous SIM cards to be used for the activation of various services requiring SMS-based activation, and emphasize on its unique UVP.

Sample screenshots of the inventory of anonymous SIM cards offered for sale:
Anonymous_SIM_Cards_Russia_Service_Activation_Fraud_Scam_Cybercrime_01 Anonymous_SIM_Cards_Russia_Service_Activation_Fraud_Scam_Cybercrime_02 Next to the inventory of cybercrime-friendly non-attributable SIM cards, the cybercriminal behind this underground market proposition is also attempting to add additional value to his proposition, by not just offering the option to store the SIM cards in safe box, but also, destroy the SIM card by offering a video proof of the actual process.
Anonymous_SIM_Cards_Russia_Service_Activation_Fraud_Scam_Cybercrime Sample screenshot of a video proof showing the destruction of an already used SIM card courtesy of the service:
Anonymous_SIM_Cards_Russia_Service_Activation_Fraud_Scam_Cybercrime_03 The service also charges a premium price for sending and receiving SMS messages, due to the value added features.
The existence and proliferation of such type of services on the basis of false identifies, directly contributes to the rise of fraudulent and malicious schemes launched on behalf of their users. Now that a pseudo-legitimate identification has taken place on popular Web site, a fraudster is in a perfect position to not just start abusing its trusted infrastructure as a foundation for launching related attacks, but also, directly targets a particular Web service’s internal users through the trusted mechanisms offered by it.
We’ll continue monitoring this underground market segment, and post updates as soon as new services offering anonymous SIM cards emerge.

Cybercriminals sell access to tens of thousands of malware-infected Russian hosts

Today’s modern cybercrime ecosystem offers everything a novice cybercriminal would need to quickly catch up with fellow/sophisticated cybercriminals. Segmented and geolocated lists of harvested emails, managed services performing the actual spamming service, as well as DIY undetectable malware generating tools, all result in a steady influx of new (underground) market entrants, whose activities directly contribute to the overall growth of the cybercrime ecosystem. Among the most popular questions the general public often asks in terms of cybercrime, what else, besides money, acts as key driving force behind their malicious and fraudulent activities? That’s plain and simple greed, especially in those situations where Russian/Eastern European cybercriminals would purposely sell access to Russian/Eastern European malware-infected hosts, resulting in a decreased OPSEC (Operational Security) for their campaigns as they’ve managed to attract the attention of local law enforcement.
In this post, I’ll discuss yet another such service offering access to Russian malware-infected hosts, and emphasize the cybercriminal’s business logic to target Russian users.

Sample screenshot of the service’s advertisement:
Malware_Infected_Hosts_Botnet_Sale_Buy_Purchase_Russia_Eastern_Europe_World_Mix The service is currently offering access to malware-infected hosts based in Russia ($200 for 1,000 hosts), United Kingdom ($240 for 1,000 hosts), United States ($180 for 1,000 hosts), France ($200 for 1,000 hosts), Canada ($270 for 1,000 hosts) and an International mix ($35 for 1,000 hosts), with a daily supply limit of 20,000 hosts, indicating an an ongoing legitimate/hijacked-traffic-to-malware-infected hosts conversion. We believe that the availability of Russian based malware-infected hosts is the direct result of either a greed oriented underground market proposition, the direct result of a surplus based proposition, or an attempt by the cybercriminal behind the the offer to differentiate their proposition from the rest of the commoditized services offering access to, for instance, U.S based hosts.
We’ll continue monitoring the service, and post updates as soon as new features — if any — are introduced.

Cybercriminals experiment with Android compatible, Python-based SQL injecting releases

Throughout the years, cybercriminals have been perfecting the process of automatically abusing Web application vulnerabilities to achieve their fraudulent and malicious objectives. From the utilization of botnets and search engines to perform active reconnaissance, the general availability of DIY mass SQL injecting tools as well as proprietary malicious script injecting exploitation platforms, the results have been evident ever since in the form of tens of thousands of affected Web sites on a daily basis.
We’ve recently spotted a publicly released, early stage Python source code for a Bing based SQL injection scanner based on Bing “dorks”. What’s the potential of this tool to cause any widespread damage? Let’s find out.

Sample screenshots of the Python script in action:
Android_Python_Bing_SQL_Injection Android_Python_Bing_SQL_Injection_01 Android_Python_Bing_SQL_Injection_02 In its current form, the tool isn’t capable of causing widespread damage, due to the fact that it doesn’t come with a pre-defined database of dorks for cybercriminals to take advantage of. Therefore, taking into consideration the fact that they’d have to manually enter them, greatly diminishes the tool’s potential for causing widespread damage. However, now that the source code is publicly obtainable, we believe that fellow cybercriminals inspired by the initial idea will further add related features to it, either releasing the modified version for everyone to take advantage, or monetizing the newly introduced features by pitching it as a private release.
We’ll be naturally monitoring its future development, and post updates as soon as new developments emerge.

Keep your Droid on a leash: Google lets users change passwords remotely

Apple’s new iPhone 5S has hit the headlines for its security features – but Google has quietly improved many of the features built into its Android mobile operating system, according to a report by Android Police.
Crucially, users will now be able to remotely add a password to a lost device, even if it’s locked, or already being used. Android police describe the new feature as “incredibly robust.”
The functionality is now built into Android Device Manager, one of the apps built into any device running Android 2.2 or higher. The tool already lets Android users find and remote-wipe data from any Android cellphone or tablet – but the new option allows users to change the password remotely, even if the phone is being used at the time.
“To activate the Lock and Erase options for your device, go to your device, open the Google Settings app, touch Android Device Manager and select Allow Remote Factory Reset,” Google says. The option is available via the google.com/android/devicemanager where Google will locate registered devices.
Select “Lock” and Google prompts users to add a new password.
“The functionality is incredibly robust,” says Android Police. “Even if you have your device locked with a pattern, PIN, or other method, the Device Manger will instantly override it. You’ll be asked to choose a new password when submitting the lock request, and that’s the code you’ll use to unlock the device when (hopefully) you have it in hand again.”
“This functionality will even turn off the screen if it’s on to get things locked down tight. If the device is in Airplane mode, the lock request will be completed as soon as the device is reconnected.”
Users have to activate the function on their phone – found under Google Settings and Android Device Manager.
Combined with the tracking abilities in Device Manager, provides an extra layer of security – although not a bulletproof one. A detailed ESET guide to how to make your Android device more secure can be found here.
“If you lose your phone or it becomes damaged, have a way to retrieve your contacts, files and other personal information,” says ESET’s Cameron Camp. “There are apps, such as My Backup Pro and Super Back up, that back up your data in case it happens to you.”
ESET Mobile Security offers additional security features such as live anti-malware scans and anti-phishing features.

“Do not keep sensitive data on iPhone,” group warns after latex-fingerprint hack

Apple iPhone 5S’s fingerprint sensor is not secure, a hacker group has said, and users should not trust the sensor to provide security. However, some security experts were quick to counter a number of the group’s assertions, such as the suggestion that “biometrics is fundamentally a technology designed for oppression and control”.
[Updated after initial publication with fresh commentary from Stephen Cobb, ESET security researcher.]
Germany’s Chaos Computer Club released a video showing how a “fake fingerprint” made from latex could be used to fool the sensor, allowing any attacker access to the handset. The group said that it hoped their demonstration video, “put to rest the illusions people have about fingerprint biometrics,” and that users should avoid storing sensitive information on iPhone 5S.
“In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake,” the group said. The “key” to defeating Apple’s new technology uses a hi-res image which matches the resolution of Apple’s scanner, and allows the creation of a “fake” latex print to fool the sensor. Chaos Computer Club‘s method, does, however require access both to an iPhone 5S, and to a “fresh” fingerprint of the intended victim, for example, “lifting” a fingerprint from a home (Chaos suggest a doorknob or a glass surface such as “glasses, doorknobs, or glossy paper” and says that their attack relies on “well-tested forensic methods”).
However, Stephen Cobb, a security researcher with ESET, warns consumers and businesses to put this hack in context: “Bear in mind the effort required to defeat the biometric, and also to crack your iPhone password, then ask yourself how many people want your iPhone data that badly.” Cobb adds:
There is a constant tension between claims of security and efforts to undermine that security. It is clearly true that having to supply a fingerprint as well as a password to access the iPhone 5S, or anything else, makes the data on the device more secure against certain types of attack than only requiring one form of authentication. Whether that added level of security is enough for your to trust “sensitive” information to your iPhone is a question for each user to answer. Would I put priceless IP on a mobile phone? No. But read what it takes to beat the fingerprint reader and ask yourself who would go to that trouble for the stuff you do have on your phone.
Chaos shows off their method in a video, saying, “The goal is to get an exact image of the fingerprint, for further use as mold, out of which the dummy is made. The easiest way is to print the image on a transparency slide (the ones normally used for an overhead projector) with a laser printer. The toner forms a relief, which is later used similar to letter press printing. Wood glue is suitable for producing the dummy,” the hackers write. The “fake fingerprint” is then cut to size, and attached to a fingertip.
This type of hack is nothing new for Chaos which has long maintained that “fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints…Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.”
According to Cobb: “Some security researchers would beg to differ.”

Grand Theft Android: Gamers warned to avoid fake “iFruit” GTA app

Android gamers have been warned to be wary of Grand Theft Auto V’s official “partner” app – Grand Theft Auto iFruit – after a slew of fake, malicious apps appeared online in advance of the real version.
The app, available now on iPhone, allows gamers to customise cars, and interact with a virtual pet – and several versions duly popped up on Google’s Play Store around GTA V’s launch date, according to a report by Destructoid. The problem, of course, was that they were fakes – released by cybercriminals to coincide with a demand. Rockstar had not released an Android version of the app.
Various versions of the fake app were removed from Google Play, but several remained in place over the weekend, with user reviews stating, “Do not install this,” or, “Fake”.
Gaming site Destructoid, which reported the “bad” apps, said, “With the immense and predictable popularity of GTA V, it’s not exactly surprising that there are some less than reputable characters that are looking to piggyback on its success. That’s the case with an imposter app that surfaced on the Android Marketplace.”
Rockstar says that an Android version is due shortly, stating that the app is, “Coming soon for Android devices via Google Play as well as for Windows Phone, PlayStation Mobile and Vita.”
The tactic is commonly used by cybercriminals for eagerly awaited apps, and in many cases used to serve useless apps filled with “adware.”
Earlier this year, cybercriminals cashed in on an internet rumor to fool 100,000 Android users into downloading a fake BlackBerry Messenger (BBM) app for Android.
The fake BBM app – masquerading as an eagerly awaited download, and released to coincide with a rumored release date – instead delivered adware. The app had been downloaded 100,000 times before Google removed it from Play Store, according to a report by CNET.
Spotting “bad” apps on Android is not always easy – with cybercriminals finding new tricks every month to fool phone and tablet users into downloading malware.
A detailed ESET guide on how to download and use apps safely on Android can be found here.

Cybercriminals trying new tactics, security body warns – and attacks could have “large impact”

Cybercriminals are switching tactics, a leading security body has warned – and the combination of anonymization technologies, mobile devices, and social media attacks could lead to cyberattacks with a “large impact”.
The interim Threat Landscape report released by the European Network and Information Security Agency is a “first taste” of a full report due by year end, and analyzes 50 reports to identify new and growing threats.
Drive-by exploits were identified as the number-one threat facing companies and computer users, but the company warned that other threats were rising in popularity – such as malicious browser extensions. “It is worth mentioning that an increase in malicious browser extensions has been registered, aimed at taking over social network accounts,” ENISA said. An ESET report on a malicious extension in the popular Orbit downloader can be found here.
“There is a shift from Botnets to malicious URLs as the preferred means to distribute malware. An advantage of URLs as a distribution mechanism lies in the fact that URLs are not such an easy target for law enforcement takedowns,” the report said.
The report also pointed out that cybercriminals were increasingly threatening infrastructure with targeted attacks, and an increase in the use of mobile devices and social media identity theft carried out via cloud services.
“It is clear that mobile technology is increasingly exploited by cyber-criminals. Threats of all kinds that were encountered in the more traditional arena of IT will affect mobile devices and the services available on these platforms. The wide spread of mobile devices leads to an amplification of abuse based on knowledge/attack methods targeting social media,” the report said.
The availability of cryptocurrencies and digital currencies also provided cybercriminals with an easy means to “launder” their gains, the report said – and also pointed out the increasing threat of cybercriminals offering “services” alongside malware.
“The availability of malware and cyber-hacking tools and services, together with digital currencies (e.g. Bitcoins) and anonymous payment services is opening up new avenues for cyber-fraud and criminal activity.”
This week, Russian cybercriminals reportedly offered a combination of a “hacked” PIN device and money-laundering service as a “package” to customers.
ESET Senior Research Fellow David Harley said, “The most worrying aspect   is the support services package. Unfortunately, developing such support networks is something for which Eastern European gangs have shown particular flair in recent years. I suspect that we’ll see similar packages associated with banking Trojans that have the functionality to access information from smart card readers attached to Windows machines. “
ENISA warns that the increasing use of attacks which combine various techniques – mobile, anonymised attacks, and “cyber services” such as money laundering, could lead to serious threats.
“There is a real possibility of large impact events when attacks combining various threats are successfully launched,” the report said.
Executive Director of ENISA, Professor Udo Helmbrecht said: “This short, interim report informs security stakeholders as early as possible about developments in cyber threats, so that they are able to take countermeasures”.

Can’t keep a bad man down: “Shylock” Trojan returns to attack U.S. banks

A stealthy banking Trojan known as Caphaw or Shylock has resurfaced -  and is attacking customers of 24 American banks. It’s armed with defensive and stealth abilities including the power to “restore” itself during shutdown.
The malware is described as “one of the few that can steal money while a user is accesing his bank acount,” by ESET Security Intelligence Team Lead, Aleksandr Matrosov, who published a detailed analysis of the malware this year.
“It is an interesting financial malware family: one of the few that has autoload functionality for automatically stealing money when the user is actively accessing his banking account. An infected user can’t recognize that his money is being stolen,” Matrosov writes.
“This threat has many techniques for bypassing security software and evading automated malware samples processing.”
Zscaler said in a blog post, “Over the last month, the ThreatLabZ researchers have been actively monitoring a recent uptick in the numbers of Win32/Caphaw (henceforward known as Caphaw) infections that have been actively targeting users’ bank accounts since 2011.  You may recognize this threat from research done by WeLiveSecurity earlier this year in regards to this threat targeting EU Banking sites.  This time would appear to be no different.  So far, we have tied this threat to monitoring it’s victims for login credentials to 24 financial institutions.”
Security firm Zscaler reported an increase in detections of the malware this week, targeting 24 U.S. banks including  Chase Manhattan, Bank of America, Citi and Wells Fargo. First detected in 2011, the malware targeted European customers in the United Kingdom, Italy, Denmark and Turkey.
Zscaler researchers said that the malware was likely spreading via an exploit kit via vulnerable versions of Java.
At this moment, ESET Virus Radar shows an increase in infections in North America. Zscaler warns that the stealthy nature of the malware means it is difficult to detect – more details on the stealth capabilities of this malware can be found in Matrosov’s analysis.
“Caphaw can control the reboot/shutdown process and makes it possible for the malware to restore itself after some antivirus cleaning procedures have been carried out,” Matrosov said in his post.

Known unknowns – detecting rootkits under OS X

A rootkit is a piece of malicious software which has the advanced capability of hiding itself on an infected system. This is usually done by hooking system functions. For example a rootkit could be used to hide files from the user by hooking functions responsible for listing the contents of a directory. Rootkits are frequently used in combination with other malware, which it hides from users and security products. The number of malware families that have rootkit capabilities and target Microsoft’s Windows systems is well into double figures.
We think that there could be rootkits targeting the OS X platform, but we have very limited visibility into that threat right now: We know that we don’t know. We do know that various websites and even paperback books [1, 2] document how rootkits can work under OS X. We have seen OS X malware using rootkit techniques in the past. The most notable example being OSX/Morcut also called Crisis by other vendors. This malware was used to steal information from infected Macs and loaded a kernel extension so as to hide its files from the victim.
Detecting a rootkit under OS X currently involves dumping and analyzing kernel memory. It requires time and knowledge. It is not something accessible to everyone.
ERD_screenshot_infectedPNGToday, ESET is releasing a simple tool to detect rootkits on OS X. This tool, named ESET Rootkit Detector, can be downloaded from the following URL: http://eset.com/int/support/rootkit-detector/. The tool aims to detect modifications in the OS X kernel memory that might indicate the presence of a rootkit. Its usage is very simple, a user only needs to download and run the application. Since a kernel extension is needed to detect modifications to kernel memory, the user will be prompted for Administrator privileges. After a couple of seconds of scanning, the result is displayed to the user.
If a malicious module is found, you have the option to send a report to ESET and we would appreciate people doing that. We need your help to become better acquainted with what we don’t already know. Our team of reverse engineers will go through the submitted files and make sure users are properly protected if a new threat is discovered.
ERD_screenshot_prescanBear in mind that this tool is still in beta stage so we do not recommend running it on critical production equipment. On the other hand, we would love to have as many people as possible try it and work with it. This would allow us to see how well our new technology is working and, if something is found, this will be great research material to enable us to better track and document rootkits targeting the OS X platform. We always need to know more about the unknowns.
[1] Charlie Miller, Dino Dai Zovi, The Mac Hacker’s Handbook, March 2009, ISBN: 0470395362
[2] Paul Baccas, Kevin Finisterre, Larry H., David Harley, Gary Porteous, OS X Exploits and Defense, Elsevier 2008, ISBN: 978-1-59749-254-6

Filecoder: Holding your data to ransom

Trojans that encrypt user files and try to extort a ransom from the victim in exchange for a decryptor utility are nothing new: in fact, they have been around for several years. These “Filecoders”, as we call them, are a prevalent category of ransomware, the other common type of ransomware being lockscreen scareware – ransomware that locks your desktop, displays a massage designed to look as it comes from local law-enforcement and, again demands a payment in order to regain access to your computer.
The reason why we’re bringing up this old issue is that we’ve noted a significant increase in Filecoder activity over the past few summer months and in this blog post we hope to address the many questions we’re getting about this issue.
ESET detections of this malware category are usually flagged as Win32/Filecoder, Win32/Gpcode or in some cases other family names.


ESET LiveGrid® telemetry shows us that the weekly number of Win32/Filecoder detections have risen by over 200% since July 2013 from the average numbers in January through June 2013.
Time graph
The country most affected by these malware families is Russia, but spreading campaigns are active around different parts of the world:
2 country_graph

Infection Vectors

As is the case with other trojan families, cybercriminals using the Filecoder ransomware have a number of different methods of getting the malware onto victims’ system:
  • Through drive-by downloads from malware-laden websites
  • Through e-mail attachments
  • Installation by another trojan-downloader or backdoor (see 1st example scenario below)
  • Manual installation by the attacker through RDP infiltration (see 2nd example scenario below)
  • Other common infection vectors
In one infection scenario, we have seen Win32/Filecoder.Q (and later also Win32/Filecoder.AA and Win32/Filecoder.W) spread through backdoors, such as the Poison-Ivy R.A.T. In this scenario, the victims were sent the Poison-Ivy backdoor through email and if they were duped into executing the malware, it would contact a C&C server and wait for commands. The attacker would then send the Filecoder trojan to the infected machine, which would not be saved as a file to the hard drive, but run only in memory.
We have also seen different cases, when the attacker managed to install Filecoder ransomware onto the system manually through compromised Remote Desktop Protocol (RDP) credentials. We don’t have enough information as to how the “break in” occurred – exposed RDP ports, an existing infection with a keylogger, or bruteforcing a weak password are just some possible explanations. What’s important, though, is that in such a case the attacker can gain full access to the targeted machine just as if he was sitting behind the desk, disabling any antivirus protection and doing whatever they please, including installing malware.
In some of these cases, manual installation is also needed due to the fact that some variants require some “user interaction”, e.g. setting the encryption password.

Encryption Techniques

As mentioned in the introduction, this type of ransomware is more “dangerous” than the widespread ‘police’-ransomware category, as it also encrypts the victim’s files – usually pictures, documents, music and archives. A wide range of techniques and levels of sophistication has been seen in different variants over time:
  • The encryption can be implemented in the trojan code, or by using (legitimate) 3rd party tools (e.g. LockDir, WinRAR password-protected archives, etc.)
  • Some variants encrypt the whole file, others only parts of it (for example when slower RSA is used)
  • Various methods have been used to dispose of the original file: in some cases, the clean file is deleted and could be recovered by using “undelete” recovery tools, other times the file was deleted securely (e.g., by using Microsoft SysInternals SDelete) or simply overwritten
Different encryption methods are used:
…and also the encryption keys can be:
  • Hard coded in the binary
  • Entered manually (by command-line or through a dialog box, when the attacker has RDP access to the infected machine)
  • Randomly generated (using various random-functions) and sent to the attacker

Some active examples

A Filecoder family that has been spreading via RDP and has noticeably improved its tactics over time also uses scareware tricks and introduces itself as an “Anti-Child Porn Spam Protection” message or as being from the “ACCDFISA” (“Anti Cyber Crime Department of Federal Internet Security Agency”) – no such agency exists, of course. A comprehensive write-up of different versions can be found on Emsisoft’s blog. Although this particular variant, detected by ESET as Win32/Filecoder.NAC, has been around for quite a while, it is still active in the wild.
This trojan also stands out because of the amount of money it asks for. While other samples in this malware category usually request sums around 100 – 200€, Win32/Filecoder.NAC has been seen extorting up to 3000€. The high amount is consistent with the fact that the attacker usually targets businesses that can usually afford to pay higher ransoms than individuals.
Win32/Filecoder.BH, also known as DirtyDecrypt, features an interesting method of displaying the ransom notice to the user. During the encryption cycle the content of image files, as well as documents,  is overwritten with the notice followed by the encrypted original bytes.
Screenshot filecoder
Another recent variant, Win32/Filecoder.BQ, tries to put the victims under pressure by displaying a countdown timer showing how long it will be before the encryption key is permanently deleted. Interestingly, victims are given the option to pay the ransom with Bitcoins, along with usual ransomware payment methods like MoneyPak or Ukash. More details on this variant can be found in ESET’s Threat Encyclopedia entry: Win32/Filecoder.BQ.
Some Filecoder variants are even built by using a special builder utility, similarly to banking trojan builders sold on underground forums. The builder allows the attacker to select what file types are to be encrypted, the desired encryption method, displayed ransom message, and so on.

Crypto builder translation

A few words of advice

In some cases, when the Filecoder uses a weak cipher, or a faulty implementation, or stores the encryption password somewhere to be recovered, it may be possible to decrypt the files. Unfortunately, in most cases, the attackers have learned to avoid these mistakes and recovering the encrypted files without the encryption key is nearly impossible.
If remote access to a computer is required, proper security measures must be taken, RDP should not be open to the public Internet and a VPN with two-factor authentication should be used.
It is also a good idea to password-protect your anti-malware software’s settings to prevent them from being altered by an attacker.
5 ESS settings psw
The general computer security advice about being cautious and keeping your anti-virus and all software up-to-date applies, of course, but in this case, most importantly: backup regularly!

Hackers crack Apple iPhone 5S Touch ID fingerprint scanner

A group of hackers called the Chaos Computer Club claim to have cracked the iPhone 5S fingerprint Touch ID tool. This could be a blow to businesses that may have seen the service as a major step forward in smartphone security.
The group said in a blog post that by taking a photograph of a fingerprint from a glass surface they were able to create a “fake finger” that could then unlock a Touch ID security-enabled iPhone 5S.
“The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple's Touch ID using easy everyday means,” it said.
The hacker who led the experiments, called Starbug, said the hack proved the security on the device was not as impressive as some have claimed.
“A lot of bogus speculation about the marvels of the new technology and how hard to defeat it supposedly is had dominated the international technology press for days. In reality, Apple's sensor has just a higher resolution compared to the sensors so far," he said.
“So we only needed to ramp up the resolution of our fake. As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints.”
The group could be in line for a reward of around $15,000, with donations submitted to the website istouchidhackedyet.com to try and find a hack of the security tool.
So far the status of the hack is set as a ‘maybe’ on the website, with the group assessing the video posted by the Chaos Computer Club to verify it definitely works before handing out the reward.
Security researcher David Emm at Kaspersky, said that if the hack was successful it would prove the downfall inherent in the fingerprint scanner technology.
“If the CCC has indeed found an easy way to circumvent the Touch ID technology, then it would suggest that Apple's 'highly secure' implementation may not be secure enough,” he said.
“Because of the nature of fingerprints, you effectively leave your password everywhere you go, so unless a fingerprint reader is able to fully distinguish between a real finger and a fake one, a fingerprint scan is a poor substitute for a password.”
Demand for Apple’s new devices broke new records this weekend after the firm revealed selling nine million devices. It also said that 200 million devices have updated to the new iOS 7 operating system.

Hackers renting 1,000s of UK malware-hosting machines for just $240

Cyber criminals are renting UK-based malware hosts for as little as $240 per 1,000 machines, according to security firm Webroot.
Webroot researcher Dancho Danchev reported uncovering a cyber black market that rents access to location-specific compromised hosts in a public blog post.
"The service is currently offering access to malware-infected hosts based in Russia ($200 for 1,000 hosts), United Kingdom ($240 for 1,000 hosts), United States ($180 for 1,000 hosts), France ($200 for 1,000 hosts), Canada ($270 for 1,000 hosts) and an international mix ($35 for 1,000 hosts), with a daily supply limit of 20,000 hosts, indicating an ongoing legitimate/hijacked-traffic-to-malware-infected hosts conversion," read the post.
Webroot manager George Anderson, told V3 the news is troubling as the malware-hosting stations can be used for a variety of harmful purposes.
"Compromised hosts are basically owned. They can be used by the cyber criminal for any activity that will make them money: as a spam relay, as spear-phishing of the host's friends, as a Command and Control point, or a relay to steal the host user's identity, their banking and financial access credentials. The list is pretty much inexhaustible," he said.
"The reason why spam botnets are commonly used is because they can be easily hidden on the host and can equally easily use the host as a launch platform for further compromises or to build botnets. Botnets can then be used to launch distributed denial of service (DDoS) attacks, where seemingly legitimate traffic floods a website to make it inaccessible to others – which is a major business loss for any company operating online."
He added that the location-based offering also means criminals renting the hosts can improve their schemes' profitability.
"Criminals are pricing hosts by location because it's an indication of an ‘economic value' of the host. For instance a US citizen will generally be better off than a Russian citizen, therefore targeting that host or using that host to mine others in that region (for example grabbing the email addresses of a US person's compromised host to then compromise their friend's PCs too) will most likely lead to a specific financial gain," he said.
Danchev said the location-based offering is likely designed to help differentiate the criminals' rental services from other similar black marketplaces.
"Today's modern cybercrime ecosystem offers everything a novice cyber criminal would need to quickly catch up with fellow or sophisticated cyber criminals. Segmented and geolocated lists of harvested emails, managed services performing the actual spamming service, as well as DIY undetectable malware-generating tools, all result in a steady influx of new (underground) market entrants, whose activities directly contribute to the overall growth of the cybercrime ecosystem," wrote Danchev.
Cyber black markets selling attack tools and services have been a growing problem for the security community. For years numerous vendors have reported seeing a growth in the number of illegal online marketplaces selling attack tools and web user account passwords. Webroot researchers also discovered thousands of Twitter and Skype user account details for sale on a Russian cyber black market in April.

Facebook and Dropbox sparked hackers' malware renaissance

The Facebook logo
HELSINKI: The failure of online services such as Facebook, Twitter and Dropbox, to adequately test their security before launching helped to ignite the current cybercrime boom, according to F-Secure.
F-Secure web reputation service expert Christine Bejerasco claimed the rise of online services such as Facebook led to a renaissance in cyber criminals' malware development and distribution practices, during a briefing attended by V3.
"The internet is becoming very dynamic. More than ten years ago it was mainly meant for consuming content. Malware during those times was pretty simple: they'd attack the website, load [malware] onto it so people would get infected. The problem during those times was that hosting was quite expensive, so there weren't a lot of malicious websites. Those days are gone," she said
"The renaissance period came when blogging became normal, this really gained momentum when websites like Facebook and Dropbox arrived. it also helped when HTML5 came and made it so anyone could post anything, anytime they wanted."
Bejerasco said the platforms drew criminals' interest, offering them new and easy ways to host and spread malware. "This was actually a pretty good thing, as it opened up the internet. This has made us enter the age of empowerment on the internet – any individual can use any interface at their disposal to post and consume information online," she said.
"But lets say you're a newly minted bad guy and you want to start your career online. A simple search will show you what you need and lead you to these platforms. These guys are benefiting from this seemingly free way of posting information online."
She said social media sites are particularly useful tools for criminals, as they offer a variety of benefits to attackers. "A lot of the bad guys like to play on social media sites," she said.
"The audience is already there and these social platforms are powered by very powerful programme interfaces that allow the user to automate what they do. So for example, a bad guy doesn't even have to create a real profile anymore he can just go in and create a bot to do all his nasty tricks."
Bejerasco said services including Dropbox are also useful to criminals as they offer a free way to store malware and make it easier for them to drop payloads into infected sites or machines.
"File hosting Dropbox is one of those malware favourites. What a usual Trojan does when it gets into the system is just pull their payload from Dropbox into the system so they don't have to host their website."
The F-Secure expert cited criminals' use of the free web services as proof that software and web service providers need to build their products with security in mind from the start. "There is a responsibility for these guys to get secure when they get this big. Facebook in particular has been getting better in recent months," she said.
"But the problem now is the bad guys are always looking for the next hit. They [Facebook and Dropbox] started in garages and that is amazing, but now you have to know the moment you launch the bad guys are going to come into your playground."
Bejerasco's comments follow widespread warnings from the security community to businesses that using free web services – such as Gmail, Facebook and Twitter – leaves them open to attack.
AVG's SMB general manager Mike Foreman also told V3 that the use of the free services is leaving many small-to-medium-sized businesses one cyber attack away from bankruptcy.