Thursday, 29 August 2013

Nearly 7,000 Malicious Android Apps Infest China's Appstores

The independent testing lab AV-Comparatives has released the results of a six-month long study of third-party Android app stores. They found that most of the dangerous apps are concentrated in Chinese stores, and encountered about 7,000 dangerous apps in third-party stores. Now that's a number to worry about.
The study ran from November 2012 to May 2013, and looked at 20 major third-party app stores. Of these stores, most are known to be located in China and the region also boasts the most malware found in a single store (1,637 malicious apps in the Anzhi store, but more on that later).
In total, AV-Comparatives found 7,175 pieces of malware and greyware, the latter of which the company defines as things like spyware and adware which is risky but not necessarily malicious. Of the dangerous apps, 95 percent were concentrated in Chinese stores. The Anzhi and EoeMarket stores were the worst offenders.
Why So Concentrated?
"The investigations' findings suggest that the dramatic numbers of malicious apps present on the Asian market are closely linked to this market's booming activity," wrote AV-Comparatives, attempting to explain why Chinese stores seem glutted with malware. "From this point of view, European and US markets can be considered secondary targets, as they are entering a stage where growth is steady."
The concentration of malicious software is also likely tied to the official Google Play store being partly or entirely inaccessible in that region. In places where users can buy Android phones but can't reliably access Google Play, third-party app stores flourish, and malware flourishes along with them.
We've seen similar clusters of illegal and semi-legal activity shaped by local law enforcement and malware business models. For instance, Russia has a hugely complex malware industry built on premium SMS codes that are only valid in that region. Another example is spammers moving operations to Belarus when other countries started cracking down, resulting in over 25 percent of the country's IP addresses being blocked for spam.
Staying Safe
The good news is that not all Android marketplaces outside of Google are nests of malware. AV-Comparatives found several stores with just a handful of dangerous apps and one store—F-Droid in the UK—had no malware or greyware.
Unfortunately, no store is completely safe—even the official Google Play store has had a few pieces of malicious software. The best way to stay safe is to think carefully about what you download and use some kind of security software on your device, such as our Editors' Choice award winners Bitdefender Mobile Security and Antivirus and avast! Mobile Security & Antivirus. Also, consider what you're downloading: if it's a "free" version of a for-pay game, then you're taking a big risk.
Android users can also take advantage of a new service from AV-Comparatives called AVC UnDroid. This online scanner lets you submit suspicious APK files (apps) for scrutiny. For people without access to official app stores and few trustworthy security apps, this is a good first step to curbing malware infestations.
Hopefully, the scary numbers of today will spur more marketplaces and developers to provide safer stores and more robust security suites.

Hacking Heist Flummoxes French Banks

Bank robbery just isn't what it used to be. Cutting holes in walls, disarming security cameras, cracking safes... that's sooo 1990's. The modern robber needs cyber skills. A Remote Access Trojan (RAT) is more effective than a mole in the bank office. And why crack the safe when you can transfer the money wirelessly? A group of banks and multinationals in France got hit with just this sort of high-tech heist, and Symantec has documented the whole drama.
It all started with a simple email message directing a VP's administrative assistant to deal with a particular invoice. Given that the invoice was hosted outside the company, on a file-sharing site, the admin might have hesitated. However, minutes later that same assistant got a phone call purportedly from another VP urging her to expedite the invoice. Fooled by the fraudulent phone call, she opened it, thereby releasing a RAT within the company network. The aggressive combination of spear-phishing email and fraudulent phone call caught the interest of Symantec researchers; they dug deeper and found more, and worse, attacks on other French companies.
Defenses Defeated
In a blog post released today, Symantec revealed how attackers managed to defeat all of one company's protections against unauthorized money transfers. It really does read like the script for a heist movie.
For starters, they used the double-pronged social engineering attack described above to load a RAT onto the PC of an administrator's aide. The RAT harvested company information, including the company's disaster plan and its telecom provider details. Using the stolen information, the crooks invoked the disaster plan, claiming a physical disaster. This let them redirect all of the organization's phones to a new set of phones under their control.
Next they faxed a request to the company's bank for multiple large fund transfers to offshore accounts. Naturally the bank representative called to confirm; the crooks intercepted the call and approved the transaction. As soon as the money showed up in those offshore accounts, they siphoned it out. Mischief managed!
Symantec discovered quite a few other cases, many of them much less elaborate. For example, one attacker simply called the victim and stated that regular maintenance required disabling two-factor authentication for fund transfers temporarily. Another informed the victim that computer upgrades required a "test" fund transfer; the "test" actually wired real funds to an offshore account. Clearly gullible humans are the weak point in many security systems.
Whodunnit?
Knowing that this kind of chicanery was taking place, the Symantec team managed to get a lead on an in-process operation, a caper they dubbed "Francophoned." They managed to trace the command-and-control traffic through Ukraine to IP addresses originating in Israel.
Analyzing the IP addresses used, they noticed two oddities. First, the addresses came from a block assigned specifically to MiFi cards—GSM cellular radios that can be used to provide Internet access via the cellular network. Second, they were constantly changing, meaning that the bad guys were driving around, passing different cell towers. The telecom couldn't triangulate a moving target, and the MiFi connections were apparently anonymous and prepaid, so there was no way to catch the crooks.

The Powerloader 64-bit update based on leaked exploits

A few months ago on this blog I described PowerLoader functionality including an interesting way for privilege escalation into the explorer.exe system process. The leaked PowerLoader code is also used in other malware families. For example the Win32/Gapz dropper is based on leaked PowerLoader code. In August 2013 we have tracked a new modification of PowerLoader for 64-bit operating systems (detected by ESET products as Win64/Vabushky.A). This modification uses three exploits for local privilege escalation (LPE): MS13-053 (CVE-2013-3660), MS12-041 (CVE-2012-1864), and MS12-042 (CVE-2012-0217). Use of this set of LPE exploits was not previously observed in PowerLoader samples or by related malware families.
Win64/Vabushky is a good example of how cybercriminals update their projects with code based on leaked Carberp sources. Two 64-bit exploits (CVE-2012-1864 and CVE-2012-0217) from the updated PowerLoader update are based on the leaked code. Before this leak into the public domain, 64-bit exploitation code for these vulnerabilities was not available. It’s also worth noting that the PowerLoader code was leaked in April 2013 and initiated the wave of distribution of droppers based on PowerLoader leaked code.
The dropper for Win64/Vabushky is packed with MPRESS, one of the few free packers that support x64 PE32+ files. After unpacking, the original PE32+ header reveals the compilation timestamp:
[Figure: unpacked PE32+ header showing the compilation timestamp]
According to the timestamp data, all binaries include a payload compiled at the beginning of August. After unpacking, PowerLoader's export table also shows a few changes compared to the older version:
[Figure: export table of the unpacked PowerLoader module compared with the older version]
The most interesting of the latest changes concern the exploitation code for local privilege escalation.

LPE exploits update

After code injection into explorer.exe, the modified version of PowerLoader tries to execute the following local privilege escalation exploits inside the trusted process's address space:
[Figure: flow graph of the LPE exploit sequence executed from explorer.exe]
This set of LPE exploits can bypass some types of sandbox technology used by security products, because the vulnerabilities allow direct manipulation of certain kernel-mode structures from user mode through legitimate WinAPI calls.

CVE-2013-3660

Google researcher Tavis Ormandy discovered the MS13-053 vulnerability in March and exploitation details were disclosed in May. The patch only became available with July's Patch Tuesday. Before this modified version of PowerLoader, I hadn't seen a 64-bit version of the MS13-053 exploit in the wild. Only an x86 proof-of-concept had been made available publicly, but PowerLoader uses 64-bit exploitation code. There is a good description of the way in which this vulnerability is exploited in the VUPEN blog.
Before the exploitation process starts, a second desktop is created to hide the visible artifacts of manipulating GDI objects.
[Figure: creation of the second desktop]
The main exploitation code for CVE-2013-3660 is presented in the following figure:
[Figure: main exploitation code for CVE-2013-3660]
The shellcode executed via nt!NtQueryIntervalProfile() looks like this:
[Figure: shellcode executed via nt!NtQueryIntervalProfile()]
This exploitation code does not work on the 64-bit Windows 8 platform because it cannot bypass Intel SMEP (Supervisor Mode Execution Protection), which has been available in Intel CPUs since the Ivy Bridge line of processors. Microsoft only started to support SMEP with Windows 8 and later. SMEP blocks attempts to execute code located in user-mode memory pages while the CPU is in kernel mode. A good description of Intel SMEP as an exploit mitigation can be found here. SMEP on Windows 8 x64 can be bypassed using a ROP (Return-Oriented Programming) technique. However, Intel has announced a further protection, SMAP (Supervisor Mode Access Prevention), which blocks kernel-mode reads of user-mode memory pages. SMEP and SMAP were developed to prevent exploitation of NULL pointer dereferences in kernel mode, but SMAP is not yet supported by Microsoft operating systems.

CVE-2012-0217 and CVE-2012-1864

The CVE-2012-0217 and CVE-2012-1864 exploitation code is based on the leaked Carberp sources. The 64-bit version of the CVE-2012-1864 exploit had never been made public before the source code leak, and the publicly released exploitation code for CVE-2012-0217 does not work reliably on 64-bit operating systems. Neither exploit works on Microsoft Windows 8, because the platform's exposure to these vulnerabilities is restricted. After observing the similarity to the leaked Carberp source code, I checked the compiled exploit binaries found in the leaked archive. In both compiled exploits I found the same path to the build directory.
[Figure: build directory path in the first leaked compiled exploit]
[Figure: build directory path in the second leaked compiled exploit]
This finding points to the same developer and seller for both exploits. The exploitation code for CVE-2012-0217 differs in many respects from the publicly available proof-of-concept exploits: the leaked exploit works more reliably and supports 64-bit operating systems.
I then compared the code from the PowerLoader modification with the leaked exploit for CVE-2012-0217. The following flow graph shows the similarity of the basic structural blocks (PowerLoader code on the left side):
[Figure: flow graph comparison of PowerLoader's CVE-2012-0217 code and the leaked exploit]
The structure is essentially the same. The only differences are in additional debugging code which is not included in the PowerLoader modification. Some specific techniques for making the exploitation more stable also look exactly the same.
[Figure: nt!HalDispatchTable modification code]
This code modifies nt!HalDispatchTable to avoid 100% CPU utilisation by the multiple threads used during the exploitation process.
The same thing was found with the exploitation code for the CVE-2012-1864 vulnerability. This exploit had never been publicly available either. CVE-2012-1864 was discovered by Tarjei Mandt of Azimuth Security. The vulnerability details were disclosed in the slides "Smashing the Atom" at the Recon conference in June 2012, but exploitation code was not released to the public. The exploit code from PowerLoader looks more optimised and has no debugging code with console output, as can be seen in the following code (the disassembly from PowerLoader is the second image):
[Figure: CVE-2012-1864 exploit code from the leaked Carberp archive]
[Figure: CVE-2012-1864 exploit code from the PowerLoader modification]
CVE-2012-0217 and CVE-2012-1864 are good examples of exploits that make it possible to bypass sandboxes in security software. Both can manipulate kernel-mode structures from user mode using standard WinAPI functions. A nice description of vectors for bypassing sandboxes using these types of vulnerabilities is presented in the research report "Application Sandboxes: A Pen-Tester's Perspective" by Bromium Labs.

The Payload

After successful PowerLoader execution and privilege escalation, the ransomware (Win64/Vabushky.A) was downloaded to infect the system. Earlier this week my colleague Jean-Ian Boutin discussed another example of ransomware in the blog post "Nymaim – Obfuscation Chronicles". The downloaded file was executed once privileges had been escalated to SYSTEM. The Win64/Vabushky installer uses the trick of generating its own certificate and installing it into the local trust store as both a root CA and a TrustedPublisher. The following code shows this technique:
[Figure: installer code adding the self-generated certificate to the Root and TrustedPublisher stores]
This trick is not new and was mentioned in the blog post "The "Hikit" Rootkit: Advanced and Persistent Attack" by Mandiant. Also, during the installation process, the Boot Configuration Data (BCD) is modified to activate the test-signing policy so that the unsigned driver module can be loaded. The next figure presents the registry keys with the system configuration that allows the malicious driver to load (safeboot with its various options is covered too):
[Figure: registry paths configuring the malicious driver service, including safeboot entries]
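The two persistence tricks just described, a self-generated certificate pushed into the Root and TrustedPublisher stores and the BCD test-signing policy switched on, both leave state that an administrator can audit from the host. The following PowerShell script is an added example written for this page (it is not code from the ESET post or from the malware) that reports those two conditions. The recency window for root certificates and the function names are assumptions; legitimate root certificates are self-signed by definition, so the Root store is checked by recency only, while a self-signed entry in TrustedPublisher, or a publisher certificate that is also its own root, is the stronger signal.

```powershell
# Added example, not part of the original post. Run from an elevated prompt.

function Get-TestSigningState {
    # bcdedit lists "testsigning  Yes" for the current boot entry when the
    # policy is active; the line is absent or "No" otherwise.
    $out = & bcdedit /enum '{current}' 2>$null
    if (-not $out) { return 'unknown (bcdedit needs an elevated prompt)' }
    $enabled = $false
    foreach ($line in $out) {
        if ($line -match '^\s*testsigning\s+Yes') { $enabled = $true }
    }
    if ($enabled) { 'enabled' } else { 'disabled' }
}

function Get-SuspiciousTrustStoreEntries {
    param(
        # Assumption: a root CA that was issued this recently is unusual on a
        # managed machine and is worth a second look.
        [int]$RecentDays = 30
    )
    $root = Get-ChildItem Cert:\LocalMachine\Root
    $pub  = Get-ChildItem Cert:\LocalMachine\TrustedPublisher
    $rootThumbs = $root | Select-Object -ExpandProperty Thumbprint

    # A legitimate publisher certificate is issued by a CA. One that is
    # self-signed, or that also sits in the Root store, matches the trick
    # described above.
    foreach ($c in $pub) {
        $reasons = @()
        if ($c.Subject -eq $c.Issuer)            { $reasons += 'self-signed publisher certificate' }
        if ($rootThumbs -contains $c.Thumbprint) { $reasons += 'same certificate also present in Root' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = 'TrustedPublisher'
                Subject    = $c.Subject
                Thumbprint = $c.Thumbprint
                NotBefore  = $c.NotBefore
                Reasons    = ($reasons -join '; ')
            }
        }
    }

    # All roots are self-signed, so only recency is a usable heuristic here.
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    foreach ($c in $root) {
        if ($c.NotBefore -gt $cutoff) {
            [pscustomobject]@{
                Store      = 'Root'
                Subject    = $c.Subject
                Thumbprint = $c.Thumbprint
                NotBefore  = $c.NotBefore
                Reasons    = "root certificate issued within the last $RecentDays days"
            }
        }
    }
}

"Test-signing policy: $(Get-TestSigningState)"
Get-SuspiciousTrustStoreEntries | Format-Table -AutoSize
```

Any TrustedPublisher hit should be compared against the organisation's known code-signing certificates before it is removed, and an enabled test-signing policy on a machine that is not a driver development box warrants the same follow-up as the registry service entries shown in the figure.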
The next steps are to install the malicious driver, which locks the system and displays a demonstration screen with a picture downloaded from one of the following URLs hardcoded into the malicious code:
[Figure: hardcoded picture URLs]
After successful infection the locked desktop screen looks like this:
[Figure: locked desktop screen displayed by the ransomware]
The user-mode part of Win64/Vabushky also encrypts the user's files using the Microsoft CryptoAPI and gives the encrypted files the .crypted extension. The driver code uses standard locking tricks that don't merit further discussion in this blog.

Conclusion

The Win64/Vabushky dropper uses an interesting modification of the PowerLoader code. However, the PowerLoader modifications are based on the LPE exploits for 64-bit operating systems leaked with the Carberp code. All modules and components dropped by Win64/Vabushky target x64 versions of Microsoft Windows. Only one of the exploits, CVE-2013-3660, can attack Windows 8, and its exploitation code does not work on the 64-bit version of Windows 8 because it can't bypass Intel SMEP. Microsoft is implementing better kernel-mode protection in Windows 8, making x64 exploits for this operating system more expensive. These security mechanisms can still be bypassed in targeted attacks, but that adds up to an exploitation technique too expensive for run-of-the-mill cybercriminals.

Special thanks to R136a1 who reported the new modification of PowerLoader.
Aleksandr Matrosov, Security Intelligence Team Lead

SHA1 hashes for analyzed samples:
Win64/Vabushky.A (dropper) – 110e23ce497d6cd1fd3dc570e50cd701c612b7ba
Win64/Vabushky.A (driver installer) – 62a53ff68d1c862c9c68fb577b06fa261ef573e4
Win64/Vabushky.A (driver) – 9434792df305f59a7b9deb99dd8b2617942513b0

Mobile banking apps pose “serious” safety risks, financial watchdog warns

Mobile banking apps pose an “important risk” to consumers as banks increasingly offer access to banking services via smartphones.
The Financial Conduct Authority, a British watchdog, is to investigate the risks posed by banking apps, according to a report by This is Money - particularly the threat of malicious apps that pose as genuine banking apps.
“One of the most popular ways for consumers to access mobile banking is by downloading a mobile banking application, or app, for their smartphone,” the FCA said in a statement. “While this provides some consumers with a convenient way of managing their money, it can also lead to the risk of malware.”
“This can occur if a consumer downloads an application that appears to be from a genuine payment provider but is actually malware designed to capture sensitive financial information. Malware is an important risk for firms to consider, as it can result in financial loss and undermine consumer confidence in mobile banking.”
The FCA said that many banks are already aware of the risks involved in allowing consumers to access sensitive information via apps.
“Many of the firms we have spoken to are aware of these potential issues and we have seen firms take steps to manage them. Examples include firms providing clear security information to consumers, issuing warnings to only download applications from official stores and providing antivirus software.”
The FCA also warned that the use of third-party providers for IT solutions could spell risks.
“For firms to successfully provide mobile banking services to their customers, they will be dependent on IT systems, technical expertise and detailed knowledge of the payments system. Many of the firms entering this market are using the specialised services of outsourcing partners,” the FCA said. “This leads to the risk that there may be a chain of companies involved in a customer’s transaction, resulting in a greater likelihood of a problem occurring.”

More than 800,000 Facebook users fall victim to password-harvesting browser malware, researcher claims

Malware disguised as a Facebook video has infected up to 800,000 users’ machines, according to an independent Italian security researcher. The malware hijacks web browsers to harvest passwords, using a fake browser plug-in for Google’s Chrome.
Speaking to the New York Times’ Bits blog, researcher Carlo de Micheli says that the malware spreads in links, emails or Facebook messages which tell users they have been “tagged” on the site. When users click the link, they are prompted to download a browser extension, Micheli says.
The extension is malicious – and can send any information stored in the browser to the attackers. Many web users store information such as passwords, Facebook and Twitter log-ins, and that information is instantly available to the attackers.
De Micheli says that the malware is spreading at a rate of 40,000 attacks per hour, and has infected 800,000 users. De Micheli claims that the attackers have now released a version targeting Firefox users.
“A few years ago, you’d tell your friends, don’t click on attachments,” Mr. De Micheli said in a phone interview. “Now, the same advice applies to browser add-ons.”
The tactic of disguising malware as browser add-ons is not new. ESET reported this week on a popular browser add-on, Orbit Downloader, which contained hidden remotely-updating DDoS functions.
“When we detect items containing malware or learn of them through reports, we remove them. In the meantime, we have been blocking people from clicking through the links and have reported the bad browser extensions to the appropriate parties,” a Facebook spokesman said in a statement.  “We believe only a small percentage of our users were affected by this issue, and we are currently working with them to ensure that they’ve removed the bad browser extension.”

Data controllers failing to encrypt sensitive data, warns ICO

The Information Commissioner's Office (ICO) has criticised businesses for failing to adequately protect information they hold, claiming a lack of knowledge about encryption technologies is causing many to mishandle sensitive data.
ICO group manager of technology, Simon Rice, made the comment in a blog post, addressing businesses' lack of knowledge about security.
"Using appropriate encryption can be a simple and effective means to protect personal data in these circumstances, and one which we advise all organisations to take if the loss of the data could cause damage and distress to the individuals affected. However evidence shows that data controllers are still not addressing the problem," he wrote.
Rice added that the problem is largely down to education, with many firms thinking simple password protection is appropriate.
"A common misconception is that just requiring users to log in to a device or service with a username and password provides an equivalent level of protection to encryption. This isn't the case," he wrote.
"A password or PIN to control access to a device isn't encryption and it isn't enough to protect against unauthorised or unlawful access. In practice a password can be easily circumvented and full access to the data can be achieved."
Rice said there are a variety of encryption tools available offering a variety of security defences, and businesses handling sensitive data should consult an expert to decide what form of encryption is appropriate.
"The option that will be the most appropriate for your organisation will depend on the sensitivity of the information you are using and how it is being stored and processed," he wrote.
"For this reason it is difficult to provide a comprehensive list of software as everyone's needs are different. You can, however, look out for internationally recognised standards such as those described on the encryption section of our website."
He added that when encrypting data, businesses must also consider how to safely store the encryption key. "You wouldn't install high-end locks on your house, only to leave the front door key under the mat. The same applies for storing a laptop encryption key or password in the same bag as an unencrypted laptop, or equally, sending encrypted data as an email attachment with the means to decrypt it included in the body of the email," he wrote.
Rounding up, Rice said adding more robust encryption services will be of long-term financial benefit to UK industry.
"The time and cost of proper encryption is put into sharp perspective by a quick glance over the penalties issued in three recent cases where encryption wasn't used (£700,000 in total). The price of getting it wrong could therefore extend well beyond upsetting people," he wrote.
The wider security community has welcomed Rice’s call for better security. Senior architect at FireEye, Jason Steer, told V3 the ICO statement is a good start, but added firms will need other security services to deal with the cyber threat facing them.

"The advice from the ICO is spot on in terms of encryption. However, in reality, some of these steps are difficult to implement as the onus is being put on the end user, and we cannot always rely on the end user to remember to implement all security measures when their main focus is trying to get their job done,” he said.

“Whilst implementing these security measures, organisations also need to add additional controls to their networks to ensure that if a user forgets about security there are controls in place within the system to ensure the organisation and its information and users remain still secure.”

ISACA Security Advisory Group (SAG) chair Amar Singh mirrored Steer’s comments, adding that the blog does not address key problem areas like education.

“The article makes the right type of noise but misses a few critical points,” he said. “Even for most techies, encryption remains a dark science that only the academically inclined pursue. Vendors could work together to put a common encryption awareness/education session to educate the masses on what types of encryption are out there.”
The cost of cybercrime has been a growing problem facing businesses of all sizes. Most recently the Federation of Small Businesses (FSB) estimated that cybercrime costs small businesses £800m a year.

Security threats from spam and malicious texts are far greater than email menace

Spam and malicious text messages pose a far bigger threat to consumers and businesses than email spam, according to security firm Cloudmark.
The firm, which runs the global spam reporting service on behalf of the GSMA, revealed earlier this year that six million spam texts are sent every day in the UK. It has now warned that the problem is getting worse due to a number of converging factors driving crooks to mobile spam.
The firm’s chief technology officer, Neil Cook, told V3 that the fact people are far more likely to open text messages than emails poses a major problem. “The open rate for an SMS is 80-90 percent within a minute, whereas email you may not look at all day,” he noted.
"As a result it is far easier to get someone to open a message telling them to ring a number or visit a website than on email."
He also said people are still not as wary about messages they receive on phones as they are via email.
“The phone is a more trusted medium, which is why we see more fraud as opposed to bulk spam selling, because fraud is much more easily monetised by getting people to ring a premium number from the text, or visit a malicious website," he said.
"There’s not so much screen real estate so it’s harder to tell what is a phishing message or something genuine."
Cook also pointed out that the high-end capabilities of smartphones and new, IP-based 4G networks, are ideal for criminals to compromise, something that is posing fresh concerns for operators.
“As more people move from fixed to mobile broadband and smartphones then problems from botnets and viruses are moving from PCs to smartphones so there is the potential for real issues here,” he said.

“This could also have a big impact on operators as it will chug the network. For fixed line this doesn’t affect people so much, but with mobile over the air resources are very precious, so if network is being chewed up with spam sending messages, that’s a concern.”
On top of this, Cook cited the BYOD trend as a major reason fraudulent texts pose a risk to enterprises, noting that it only takes one infected handset to put an entire organisation at risk.

“BYOD is a big issue. One of the new areas we're getting into is helping protect phones from going to malicious websites or calling malicious phone numbers, which is an increasing concern as that’s a route to infect your phone or steal company secrets,” he said. “You only have to have one person infected with a phone running an application key logger or sending company data.”
The rising concerns over spam and malicious text messages come amid reviews by the government to tackle this menace, and a stronger stance by the Information Commissioner’s Office (ICO) to hurt the firms behind messages, with several notable fines levied by the watchdog.

Cyber criminals phishing for passwords with Google Docs bait

A new phishing message loaded with a malicious Google Doc is targeting Gmail users, according to security firm Sophos.
Senior security advisor at Sophos, Chester Wisniewski, reported the scam in a blog post, confirming that the message attempts to dupe users into clicking a suspect link by pretending to be a "Secure Document" from their bank.
Wisniewski said the attack is basic in principle, but it is dangerous as the message has been cleverly socially engineered to look like it is authentic and uses an atypical infection method.
"While those of us in the security industry might not be surprised, phishing attacks are consistently proving themselves to be one of the most effective ways to evade traditional defences. As many organisations move to the Google cloud, this type of phishing lure will continue to yield results for the criminals," he said.
"Many organisations are using Google and other cloud service providers to provide critical IT services. At first glance this could be very believable."
The attack reportedly links the victim to a phishing page hosted in Thailand, which attempts to dupe them into entering their password information for a variety of online services.
"The page not only asks for your Google credentials, it also suggests it will accept Yahoo, Outlook.com, Hotmail, AOL, Comcast, Verizon, 163.com or any other email account. Of course filling out this form can only end in tears. Your details are sent off to the compromised servers for whatever purposes these thieves desire," he wrote.
Wisniewski said the password theft is likely to be the first stage in a wider attempt to steal more information, such as the web user's banking login details.
"You might think, so what, my Gmail isn't full of secrets that will destroy my nation/life/career. You would likely be wrong. Your email is the key to unlocking much of your online identity. Forget your banking password? No worries, they will email you a password reset link," he wrote.
He added that the high success rate of phishing means attacks like this will continue until businesses work harder to educate their staff about cyber best practice.
"As an IT administrator these are opportunities to educate your staff on the risks. This might not be the most convincing of the phishes that are out there, but it is a useful tool to educate your staff," he wrote.
Phishing is a growing problem facing businesses. Kaspersky Lab reported that the number of phishing messages hitting UK web users has tripled over the last year, with crooks targeting an average of 3,000 Brits every day.
The UK government has set up a number of resources to help businesses protect themselves against the influx of attacks. Most recently GCHQ launched two cyber incident response and advice initiatives, designed to help businesses prepare for and mitigate the damage of cyber attacks.

Android malware makes up 79 percent of total threats, warns US Department of Homeland Security

The US Department of Homeland Security (DHS) warned law enforcement, security and government workers against using outdated versions of Google Android, claiming that 79 percent of all mobile malware targets the platform.
The DHS issued the warning in a Roll Call Release for US emergency services. The department said criminal interest in Android is due to a combination of its impressive market share, open architecture and fragmented ecosystem.
High malware figures were cited as proof that agents using smart devices must ensure their phones and tablets always run the latest software available.
"Android is the world's most widely used mobile operating system (OS) and continues to be a primary target for malware attacks due to its market share and open source architecture," read the report. "The growing use of mobile devices by federal, state and local authorities makes it more important than ever to keep mobile OS patched and up to date."
Interestingly, despite being all but defunct, Nokia's ancient Symbian OS is the second most targeted, with the DHS finding that 19 percent of all mobile malware is designed for it.
While high, the 19 percent figure is probably a false indicator of criminals' interest in Symbian today, and is likely to be composed of older malware rather than dangerous new threats. Prior to the arrival of Android, Symbian was the OS of choice for criminals due to its ties to Nokia, but since buyers became more interested in Android and iOS, criminal interest in Symbian has waned.
Apple iOS and "other" operating systems were both listed as being the victims of 0.7 percent of all mobile malware. At the very bottom Windows Phone and BlackBerry were each listed as being the target of 0.3 percent of the world's mobile malware.
The low number of threats targeting Apple iOS, despite the popularity of its iPhone and iPad devices, is largely due to the closed security model. This model forces developers to sell their wares on Apple's official App Store, which closely vets all applications before allowing them into the marketplace.
Earlier this year F-Secure security expert Mikko Hypponen praised Apple for its robust security, listing the App Store as one of the security community's greatest achievements.
The findings mirror those of numerous security vendors. Kaspersky Labs reported detecting 100,000 mobile malware variants targeting Android during the second quarter of 2013, in its IT Threat Evolution report.

Hackers targeting Java native layer vulnerabilities to insert malicious code

Criminal groups are using Java native layer vulnerabilities to infiltrate businesses and government systems, according to security firm Trend Micro.
Trend Micro threats analyst Jack Tang reported the shift in a blog post, confirming the new attacks on Oracle's Java platform are getting increasingly complex.
He wrote: "Java exploits can be divided into two types: Java layer exploits and Java native layer exploits. In the past, Java layer vulnerabilities were more common, but that is no longer the case. Before 2013, there was a three-to-one ratio of Java layer vulnerabilities to Java native layer vulnerabilities. Starting this year, however, we are now seeing more native layer flaws."
Tang said the move to Java native layer exploits is troubling, as it shows an advance in sophistication within the cyber criminal community.
"Java native layer exploits target the Java native layer runtime. These exploits are harder to create, as they need to bypass OS-level protections like ASLR [address space layout randomisation] and DEP [Data Execution Prevention]. In addition, the skills needed to create native layer exploits are more difficult to acquire," he wrote.
"This year, however, attackers clearly have the capability to take advantage of native layer vulnerabilities. Two methods of exploitation are becoming more common; one is to make use of a Java array length overflow to tamper with the JavaBeans.Statement object's AccessControlContext member."
Tang added that the exploits detected are doubly dangerous, as they grant the attacker a number of powers over successfully infected systems.
"An attacker can then use the array object to get or set the following buffer precisely. They can tamper with the following JavaBeans.Statement object's acc field, which points to an AccessControlContext object. In general, the acc field will be tampered to point to a full permission AccessControlContext object. This will let arbitrary code be run on the affected system."
Oracle's Java platform has been a growing target for cyber criminals. Over the last year the attacks have forced Oracle to release a number of out of cycle security updates.
Dana Tamir, director of enterprise security at Trusteer, said that despite fixes being available, many firms have yet to apply the updates, meaning criminals can and still do create attacks targeting them.
"Vulnerable versions of Java can still be found in many organisations. This is either because users haven't upgraded to the latest Java version available, or because some tools or applications bundle vulnerable versions of Java. This leaves an open window to attackers who exploit such vulnerabilities in order to compromise employee endpoints and gain a foothold in the network," said Tamir.
Tang mirrored Tamir's sentiment, calling for businesses to update their systems as soon as possible. "We urge users to carefully evaluate whether their usage of Java is necessary and ensure that copies of Java that are used are updated, to reduce exposure to present and future Java flaws," he wrote.
Java security issues have been a recurring theme throughout 2013 with numerous patches issued by the likes of Oracle and Apple.

KIS Shines in Independent Anti-Phishing Testing

Phishing is a dangerous type of Internet fraud that uses fake websites to swipe user logins and passwords to hijack their online accounts to steal money or spread spam and malware through compromised email accounts and social networking platforms. It is a very effective tool used by online attackers, and it is on the rise.
The good news is that users have options to protect themselves, including Kaspersky Internet Security 2014, which recently blocked 99 percent of phishing URLs in independent testing conducted by antivirus testing lab AV-Comparatives.
AV-Comparatives tested the anti-phishing protections of various security products in a simulation designed to replicate typical web browsing conditions. It was carried out using Windows 7 PCs with two scenarios. The first checked for false alarms on 400 popular banking sites, while the second assessed phishing URL detection rates. Those URLs targeted various types of personal data, including login credentials for PayPal, online banking and credit cards, email accounts, eBay, social networks and online games, among others.
Kaspersky’s product blocked 99 percent of the 187 phishing websites while producing zero false alarms among the 400 legitimate URLs, earning first place among its competitors with an Advanced+ award from AV-Comparatives.
“Phishing websites pose a real threat to users,” said Nikolay Grebennikov, chief technology officer for Kaspersky Lab. “About 20 percent of all phishing attacks mimic banks and other financial organizations and can result in the very real loss of money. That’s why we are constantly improving our anti-phishing technologies, and independent tests like this one demonstrate just how effective our work is.”
A recent survey by B2B Communications, in conjunction with Kaspersky Lab, showed that the number of Internet users who encountered phishing attacks over the last 12 months grew from 19.9 million to 37.3 million, an increase of 87 percent. Kaspersky Internet Security 2014’s success in the anti-phishing testing wasn’t its first successful independent testing, having earned high marks from AV-Comparatives for its protection capabilities earlier this year. The product’s predecessor, Kaspersky Internet Security 2013, also excelled in multiple independent tests.

India Atomic Research, Space Center Hacked, Documents Leaked Online

The website of the Electronics Corporation of India Ltd (ECIL) was hacked last Saturday and documents involving the Bhabha Atomic Research Centre (BARC) and the Indian Space Research Organization (ISRO) were leaked by an online hacker.
The hacker also claimed to have hacked Tata Motors sites.
Two days later, the hacked documents were available on a website. They included a contract issued by ECIL to ISRO, Peenya Industrial Area, for design and development of antenna systems at Hassan, among other places.
They also included BARC's Rs 39-crore work order to ECIL for detailed design, supply, installation and commissioning of the MACE telescope in Ladakh, and agreement for design, development, fabrication, supply and acceptance of full motion antenna systems.

Syrian Electronic Army hit NYT and Twitter

The Syrian Electronic Army hacker group is intensifying its pro-Assad hacking campaign. Details of the attacks against the Huffington Post UK, Twitter and the NYT follow.

The Syrian Electronic Army has once again succeeded in an attack: this time the popular hacker group broke into the registrar accounts of Twitter, the Huffington Post and the NY Times, modifying DNS records and contact details. An attack on DNS could allow hackers to redirect a target domain's visitors to any other site, a technique that can be used to serve malware by sending victims to a compromised website.
The Syrian Electronic Army is considered the cyber unit of the government in Damascus; over the last months it has conducted numerous operations against many organisations and companies. The operations of the group, notorious for supporting the Syrian president Bashar al-Assad, are intensifying in conjunction with the escalation of the deep political and social crisis affecting the country.

To mention only the latest events: in early August the group announced that the personal Gmail accounts of at least three White House employees had been hacked, and in July the Syrian Electronic Army conducted a series of attacks exposing account details of major communications websites such as Truecaller, Tango and Viber.
Following the detailed timeline published by FireEye on the attacks:
  • July 16: SEA hacked the Swedish site Truecaller, home to the world’s largest online telephone directory, with over a billion phone numbers in over 100 countries. SEA claimed this attack also gave it access codes to more than a million Facebook, Twitter, LinkedIn, and Gmail accounts. The initial attack vector was an older, vulnerable version of WordPress.
  • July 21: SEA hacked the video and text messaging service Tango, stealing more than 1.5 TB of data, including user information, true names, phone numbers, emails, and personal contacts for millions of accounts. Again, the attack vector was a vulnerable version of WordPress CMS (v 3.2.1), which gave SEA unauthorized access to the database server.
  • July 24: SEA hacked Viber, a free online calling and messaging application used by more than 200 million users in 193 countries. Viber acknowledged the attack, explaining that the initial compromise vector was an email phishing scam which enabled SEA to access two customer support sites. Thus far, the company has denied that private user information was lost.
The list of victims of the Syrian Electronic Army is very long and also includes the BBC, the Associated Press, the Financial Times and the Guardian. Compromised social media accounts can be used to spread fake and disturbing news: the attack against the Associated Press Twitter account disseminated news of an attack against the White House, causing a fall in the stock markets and losses of more than $100 billion. The group is politically motivated, and many security experts consider its campaigns part of a PSYOP campaign directed by the Syrian regime. The Syrian Electronic Army first emerged in May 2011, during the first Syrian uprisings, when it conducted various attacks against social media for pro-Assad propaganda.
The latest attack against Twitter was announced on the social network with a post of a screenshot of the Whois records for the Twitter.com domain.

The Syrian Electronic Army also provided evidence of the hacked Twitter accounts in a second tweet:


The hackers of the Syrian Electronic Army also altered the DNS records for the domain twimg.com, which Twitter uses to host CSS, JS, images and more; this caused problems in displaying avatars for some users. The company issued the following statement:
“At 20:49 UTC, our DNS provider experienced an issue in which it appears DNS records for various organizations were modified, including one of Twitter’s domains used for image serving, twimg.com. Viewing of images and photos was sporadically impacted. By 22:29 UTC, the original domain record for twimg.com was restored.  No Twitter user information was affected by this incident.”
The hackers also hit the NY Times with serious consequences, redirecting homepage visitors; the newspaper confirmed that its website was disrupted in an attack by hackers.
[The attack was carried out by a group known as] “the Syrian Electronic Army, or someone trying very hard to be them.” The group attacked the company’s domain name registrar, Melbourne IT. “The Web site first went down after 3 p.m.; once service was restored, the hackers quickly disrupted the site again. Shortly after 6 p.m., we believe that we are on the road to fixing the problem,” said Marc Frons, chief information officer for The New York Times Company.
Syrian Electronic Army NYT defaced

MelbourneIT sent an email to all its customers indicating that the hackers seem to have used a reseller account as part of the hack. The information has not been confirmed, but it is possible that the hackers exploited a flaw in the reseller interface that allowed a privilege escalation to take control of other MelbourneIT customers' domains.
The group of Syrian hackers also hit the Huffington Post UK, altering its DNS records, but as of 4pm PST both the Huffington Post UK's and Twitter's DNS records had been corrected; the twimg.com and NY Times records have also been fixed.
Just a few minutes ago the group has announced on Twitter and Facebook that its website and domain are down.

A possible countermeasure
CloudFlare posted an interesting article on the incident; I want to extract its suggestion of a possible countermeasure against this kind of attack.
“There is one sensible measure that domains at risk should all put in place immediately. It is possible to put what is known as a registry lock in place for your domain. This prevents even the registrar from making changes to the registry automatically. If you run a whois query against your domain, you can see if you have a registry lock in place if it includes three status lines: serverDeleteProhibited, serverTransferProhibited, and serverUpdateProhibited.
Registrars generally do not make it easy to request registry locks because they make processes like automatic renewals more difficult. However, if you have a domain that may be at risk, you should insist that your registrar put a registry lock in place.”
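As an added example that is not part of the CloudFlare post or of this article, the following Python check parses WHOIS output for the three server* status lines named above. It also reports the registrar-set client* statuses (EPP registrar locks), which are weaker because the registrar itself, and therefore anyone with registrar or reseller access, can clear them, whereas a registry lock requires the registry to act. The sample WHOIS records are constructed, not real.

```python
"""Check WHOIS output for a registry lock (added example; sample records are constructed)."""
import re
import subprocess
from typing import Dict, Set

# The three EPP status codes the CloudFlare advice says indicate a registry lock.
REGISTRY_LOCK = {"serverDeleteProhibited", "serverTransferProhibited", "serverUpdateProhibited"}
# The registrar-set equivalents. These are weaker: the registrar (and so anyone who
# controls a registrar or reseller account) can clear them without the registry's involvement.
REGISTRAR_LOCK = {"clientDeleteProhibited", "clientTransferProhibited", "clientUpdateProhibited"}

# Matches "Domain Status: serverUpdateProhibited https://icann.org/epp#..." as well as
# the bare "Status: clientTransferProhibited" form some WHOIS servers print.
_STATUS_RE = re.compile(r"^\s*(?:domain\s+)?status:\s*([A-Za-z]+)", re.IGNORECASE | re.MULTILINE)

# Canonical spelling keyed by lower-case form, so unusual capitalisation still matches.
_CANONICAL = {s.lower(): s for s in REGISTRY_LOCK | REGISTRAR_LOCK}


def parse_statuses(whois_text: str) -> Set[str]:
    """Return the set of EPP status codes found in a WHOIS record."""
    found = set()
    for match in _STATUS_RE.finditer(whois_text):
        code = match.group(1)
        found.add(_CANONICAL.get(code.lower(), code))
    return found


def assess_lock(whois_text: str) -> Dict[str, object]:
    """Classify the lock state of a domain from its WHOIS text."""
    statuses = parse_statuses(whois_text)
    missing_registry = sorted(REGISTRY_LOCK - statuses)
    return {
        "registry_locked": not missing_registry,          # all three server* lines present
        "registrar_locked": REGISTRAR_LOCK <= statuses,   # all three client* lines present
        "missing_registry_statuses": missing_registry,    # what to ask the registrar for
        "statuses": sorted(statuses),
    }


def check_domain(domain: str) -> Dict[str, object]:
    """Run the system whois client on a live domain and assess the result (needs network access)."""
    out = subprocess.run(["whois", domain], capture_output=True, text=True, check=False).stdout
    return assess_lock(out)


# Constructed sample records, not real WHOIS output.
SAMPLE_LOCKED = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS1.EXAMPLE.COM
"""

SAMPLE_REGISTRAR_ONLY = """\
Domain Name: EXAMPLE.NET
Status: clientTransferProhibited
Status: clientUpdateProhibited
Status: ok
"""

if __name__ == "__main__":
    import json
    for name, text in (("locked", SAMPLE_LOCKED), ("registrar-only", SAMPLE_REGISTRAR_ONLY)):
        print(name, json.dumps(assess_lock(text), indent=2))
```

A domain that shows only client* lines, or none at all, is the case the quoted advice warns about: the registrar can still change its records.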
The imminent strike on Syria by the US and its allies will also have serious repercussions in cyberspace. It’s just the beginning.
Pierluigi Paganini
(Security Affairs – Syrian Electronic Army, hacking)
The post Syrian Electronic Army hit NYT and Twitter appeared first on Security Affairs.

Facebook to add 1b+ members' profile photos to facial recognition database

Facebook Inc is considering incorporating most of its 1 billion-plus members' profile photos into its growing facial recognition database, expanding the scope of the social network's controversial technology.
The possible move, which Facebook revealed in an update to its data use policy on Thursday, is intended to improve the performance of its "Tag Suggest" feature. The feature uses facial recognition technology to speed up the process of labeling or "tagging" friends and acquaintances who appear in photos posted on the network.
The technology currently automatically identifies faces in newly uploaded photos by comparing them only to previous snapshots in which users were tagged. Facebook users can choose to remove tags identifying them in photos posted by others on the site.
The changes would come at a time when Facebook and other Internet companies' privacy practices are under scrutiny, following the revelations of a U.S. government electronic surveillance program.
Facebook, Google Inc and other companies have insisted that they have never participated in any program giving the government direct access to their computer servers and that they only provide information in response to specific requests, after careful review and as required by law.
Facebook Chief Privacy Officer Erin Egan said that adding members' public profile photos would give users better control over their personal information, by making it easier to identify posted photos in which they appear.
"Our goal is to facilitate tagging so that people know when there are photos of them on our service," Egan said.
She stressed that Facebook users uncomfortable with facial recognition technology will still be able to "opt out" of the Tag Suggest feature altogether, in which case the person's public profile photo would not be included in the facial recognition database.
Facial recognition technology has been a sensitive issue for technology companies, raising concerns among some privacy advocates and government officials. Tag Suggest, which the company introduced in 2011, is not available in Europe due to concerns raised by regulators there.
Google's social network, Google+, also employs similar technology, but requires user consent. And it has banned third-party software makers from using facial recognition technology in apps designed for its Glass wearable computer.
Egan said Facebook was not currently using facial recognition technology for any other features, but that could change.
"Can I say that we will never use facial recognition technology for any other purposes? Absolutely not," Egan said. But, she noted, "if we decided to use it in different ways we will continue to provide people transparency about that and we will continue to provide control."
Facebook also amended its Statement of Rights and Responsibilities on Thursday, adding and tweaking the language so that members under 18 years of age are deemed to have affirmed that a parent or legal guardian has agreed to allow marketers to use some of their personal information in ads.
The language was the result of a recent court-approved legal settlement regarding its "sponsored stories" ads.

BREAKING: AnonGhost sniffed 10000 Twitter accounts from Japan

It looks like AnonGhost has declared war on Twitter and Japan, as AnonGhost hacker Mauritania Attacker and his team were able to steal 10,000 Twitter accounts in a sniffing session. Mauritania Attacker said that Twitter should prepare for future attacks, as this was just a demo to show how scared Twitter should actually be.
The .TXT file shared on this hosting server is free to download. The content, however, has been encrypted so that Twitter has to dig out the hacked accounts itself.
The first time Twitter was hacked by AnonGhost, it denied the attack (source: The Guardian); let's see how Twitter catches up with this little bugger.
The hacker claims to lead a hacking group called AnonGhost and to be defending the dignity of Muslims through his hacks. The group is reckoned to have been behind the hacks of more than 10,000 sites in the past seven months, but none as high-profile as Twitter.

Syrian Electronic Army (SEA) Leader named?

Evidence has emerged that the leader of the notorious Syrian Electronic Army (SEA), is a 19-year-old Syrian man called Hatem Deeb. However, SEA denies Deeb is anything other than an "innocent friend".
The SEA has been all over the news in the last few weeks, following hacks on several prominent media houses.
Although the group has remained anonymous, Vice.com reported that it is headed up by Deeb.
Vice claims that one of its hacking contacts in Syria was able to get his hands on SEA's IP in Damascus, and through that, access the SEA server. Through this access, the hacker claims to have gleaned about 140 e-mail addresses, allegedly belonging to SEA members.
The hacker said there is evidence that the group's leader, who goes by the handle "ThePro" is in fact Deeb. He claims Deeb listed his real name on one vital document - a receipt for the VPS he had rented for the organisation.
On the receipt, the e-mail address was listed as Admin@ThePro.sy, the same address associated with ThePro's blog. The credit card number used in the transaction was tied to Deeb.
The claim is compounded by a tweet on an SEA-related Twitter account, in which the identity of the SEA leader, using the handle "ThePro", was revealed as Deeb.
SEA denial
However, The Desk claims to have interviewed ThePro, who denied he was Deeb, referring to the 19-year-old as an "innocent friend".
During the interview, ThePro claimed that Deeb - who he described as a friend of the organisation - initially gave his permission for his name to be used on registration records of services obtained by the SEA.
The SEA leader now claims that Deeb has left Syria, and that the Vice.com article is endangering his life.
ThePro added that the organisation will do no more interviews with Vice, and said SEA will remove the offending article "in its own way" if Vice does not amend or remove it within 24 hours.

Syria, Aided by Iran, Could Retaliate Cyber Attacks Against More U.S. Companies

If the United States attacks Syria, it will be the first time it strikes a country that is capable of waging retaliatory cyberspace attacks on American targets.
The risk is heightened by Syria’s alliance with Iran, which has built up its cyber capability in the past three years, and already gives the country technical and other support. If Iran stood with Syria in any fray with the United States that would significantly increase the cyber threat, security experts said.
Organized cyber attacks have already been carried out by the Syrian Electronic Army (SEA), a hacking group loyal to the government of President Bashar al-Assad. It has disrupted the websites of U.S. media and Internet companies and is now threatening to step up such hacking if Washington bombs Damascus.
“It’s likely that the Syrian Electronic Army does something in response, perhaps with some assistance from Iranian-related groups,” said former White House cybersecurity and counter terror advisor Richard Clarke.
Little is known about the hackers behind the Syrian Electronic Army, and there is no evidence that the group is capable of destructive attacks on critical infrastructure.
However, former U.S. National Security Agency director Michael Hayden told Reuters that the SEA “sounds like an Iranian proxy,” and it could have much greater ability than it has displayed.
Thus far, the SEA’s most disruptive act was in April when it broke into the Twitter account of the Associated Press and sent fictional tweets about explosions at the White House. The false messages sent the stock market into a downward spiral that, for a short time, erased more than $100 billion in value.
In an email to Reuters on Wednesday, the SEA said if the U.S. military moves against Syria “our targets will be different.”
“Everything will be possible if the U.S. begins hostile military actions against Syria,” the group said in the note.
President Barack Obama vowed on Wednesday that the Syrian government would face “international consequences” for last week’s deadly chemical attack in Syria, but he made clear that any military action would be limited.
Asked about the threat of cyber retaliation, U.S. Department of Homeland Security spokesman Peter Boogaard said the government “is closely following the situation and actively collaborates and shares information with public and private sector partners every day.”
A U.S. Department of Defense spokesman said he could not discuss specific threats, while another source at the Pentagon said no unusual activity had been detected by late on Wednesday.
IRAN SHARPENS ITS GAME
Cyber experts have said that Iran increased its cyber capabilities after the United States used the Stuxnet virus to attack Tehran’s nuclear program.
U.S. intelligence officials have blamed hackers sponsored by Iran for a series of so-called distributed-denial-of-service attacks against many U.S. banking sites. In DDoS attacks, thousands of computers try to contact a target website at the same time, overwhelming it and rendering it inaccessible.
In three waves of attacks since last September, consumers have reported inability to conduct online transactions at more than a dozen banks, including Wells Fargo & Co, Citigroup Inc, JPMorgan Chase & Co and Bank of America Corp. Banks have spent millions of dollars to fend off the hackers and restore service.
Researchers have said that Iran has also infiltrated Western oil companies, and it could try to destroy data, though that would increase the risk of retaliation by the United States.
Things in cyberspace would get more complicated if Russia, an ally of Iran and Syria, were to step in. Former Obama administration officials have said that Russia, which has supplied arms to Syria, has cyber capabilities nearly as powerful as the United States.
Even if the Russian government did not act directly, the country’s private hackers rank with those in China in their ability and willingness to conduct “patriotic” attacks. Cyber experts have said that Russian hackers have struck at government and other sites in Estonia and Georgia.
The Syrian Electronic Army’s servers are based in Russia, and that alliance could strengthen if matters in Syria became more dramatic, said Paul Ferguson of the Internet security company IID.
“We already have a bad geopolitical situation,” Ferguson said. “This could play into the entire narrative I don’t want to see happen.”
It is unclear how much cyber damage Syria could or would want to inflict, said Dmitri Alperovitch, chief technology officer of security firm CrowdStrike.
“We haven’t seen significant intrusion capabilities from them or destructive capabilities,” he said.
Earlier this week, as the Obama administration pushed for more support for strikes on Syria, the New York Times, Twitter and the Huffington Post lost control of some of their websites. The SEA claimed responsibility for the attacks.
Security experts said electronic records showed that NYTimes.com, the only site with an hours-long outage, redirected visitors to a server controlled by the Syrian group.
The SEA had planned to post anti-war messages on the Times site but was overwhelmed by the traffic it received and its server crashed, the SEA said by email. Late on Wednesday, some users still could not access NYTimes.com.
The SEA managed to gain control of the New York Times web address by penetrating MelbourneIT, an Australian Internet service provider that sells and manages domain names.
It could have done much worse with such access, experts said, underscoring the vulnerability of major companies that use outside providers.
“Chief information officers need to realize that critical pieces of their online entities are controlled by vendors and that security policies should apply to them as well,” said Amichai Shulman, chief technology officer at security firm Imperva.

Australia Opposition Coalition says Chinese cyber espionage must be stopped

The Coalition has delivered a strong warning about the threat to Australia posed by China's cyber espionage and declared that the spying must be stopped.
Opposition defence spokesman David Johnston said bluntly yesterday that it was clear a notorious unit run by the People's Liberation Army in Shanghai had hacked into the computer systems of Australia's mining industry and into the federal parliament's website.
Senator Johnston, who may be defence minister after the September 7 elections, was speaking during a defence policy debate hosted in Canberra by the Australian Strategic Policy Institute.
Chinese hackers said to belong to a PLA group known as Unit 61398 have been accused of breaking into the computer networks of government and private buildings in Australia in recent years.
It has also been claimed that Chinese hackers managed to steal plans of the new ASIO headquarters in Canberra from a contractor involved in fitting out the building. However, senior officials have since denied that plans were in fact obtained by the hackers.
Senator Johnston and the Minister for Defence Materiel, Mike Kelly, who has been named by Kevin Rudd as the next defence minister if Labor retains government, were asked how they would protect Australia against the growing threat of cyber attack.
Senator Johnston said he'd been briefed on cyber attacks by the Defence Signals Directorate.
"PLA 3 out of Shanghai is a problem," Senator Johnston said.
"Our miners know it. The parliamentary website knows it because that's been done over, hacked.
"The current status of the Chinese libertarian view on intellectual property and its capacity to be ripped off cannot continue.
"That's the message we will seek to engage them on because as time goes by they themselves will acquire intellectual property that they will want to retain."
Senator Johnston said Australian authorities were doing a very good job of protecting the nation against such attacks.
Senator Johnston said such work was expensive.
He said an incoming Coalition government would see if the work could be done better.
Dr Kelly said the Labor government had put a major effort into coordinating protection for Australia's cyber networks by setting up the Cyber Security Operations Centre.
And, he said, the National Broadband Network now being rolled out by Labor would be much more difficult to hack into than the Coalition's less sophisticated alternative.

Russia to create cyber-warfare units

"National interests on the Internet need to be protected, even if through vegetarian methods," said the Chairman of the State Duma Committee on Information Policy, Information Technology and Communications Alexei Mitrofanov. He talked about these methods in an interview with the head of the first RuNet online media, head of the media holding Pravda.Ru, Vadim Gorshenin.
Alexander, for the last few months you have been the chair of the committee, and had to deal with the legacy of the story with bloggers and the Internet. I do not think you were able to find a number of professionals and theorists who could understand the matter and offer solutions.
"You know, all what remains to be done in terms of legislation in the next three years is quite an innovative area. That is, we as the members of the committee who are working on it are pioneers. I would not say that we are moving blindly, there is an international experience, there are certain methods, but, nevertheless, this is an innovative area for the entire world.