Tag Archive: Malware


This Malware Can Hijack A Drone In Seconds

“If the White House wants to keep drones off the lawn, they might want to give Rahul Sasi a call. He’s developing malware that can hijack a drone in just a few short seconds.

He calls his malware (fittingly enough) Maldrone, and it doesn’t gain control over its victims the way that previously-demonstrated attacks do. Most others have leveraged the APIs — like the one provided by Parrot for developers who want to tinker with their AR Drones — to do the hijacking.

But a “Parrot drone is a toy,” Rahul says, and he went to work on an attack that was a bit more generic, able to wreak havoc on multitudes of drones regardless of whether or not the manufacturer exposes anything via an API. Maldrone is the result, and it’s impressive even though it’s very much a work in progress.”

Read more about Maldrone here. In other drone news, DJI has upgraded their firmware, creating a 15.5-mile-radius no-fly zone around Washington DC.

No, North Korea Didn’t Hack Sony

“The FBI and the President may claim that the Hermit Kingdom is to blame for the most high-profile network breach in forever. But almost all signs point in another direction.

So, “The Interview” is to be released after all.

The news that the satirical movie—which revolves around a plot to murder Kim Jong-Un—will have a Christmas Day release as planned, will prompt renewed scrutiny of whether, as the US authorities have officially claimed, the cyber attack on Sony really was the work of an elite group of North Korean government hackers.

All the evidence leads me to believe that the great Sony Pictures hack of 2014 is far more likely to be the work of one disgruntled employee facing a pink slip.

I may be biased, but, as the director of security operations for DEF CON, the world’s largest hacker conference, and the principal security researcher for the world’s leading mobile security company, Cloudflare, I think I am worth hearing out.”

Read more

Government Employees Cause Nearly 60% Of Public Sector Cyber Incidents

Fed Cyber Attacks

“About 58 percent of cyber incidents reported in the public sector were caused by government employees, according to an annual data breach report compiled by Verizon. The findings — stripped of identifying information — do not mention ex-contractor Edward Snowden’s mammoth leak of national secrets.

Even if Snowden’s leaks had been included in the tally of results attributed to insider threats, they wouldn’t have made much of a dent.

“If that were recorded in here, that would be a single event,” said Jay Jacobs, a Verizon senior analyst and co-author of the report.

Most (34 percent) of the insider incidents in the global public sector during the past three years were miscellaneous errors such as emailing documents to the wrong person. Unapproved or malicious use of data by public servants accounted for 24 percent of reported incidents.

Surprisingly, cyberspying and intrusions via security holes in websites, known to be big problems in government, represented less than 1 percent of the situations reported.”

NextGov has more

Researchers Uncover Government Spy Tool Used To Hack Telecoms And Belgian Cryptographer

Regin-Architecture

“It was the spring of 2011 when the European Commission discovered it had been hacked. The intrusion into the EU’s legislative body was sophisticated and widespread and used a zero-day exploit to get in. Once the attackers established a stronghold on the network, they were in for the long haul. They scouted the network architecture for additional victims and covered their tracks well. Eventually, they infected numerous systems belonging to the European Commission and the European Council before being discovered.

Two years later another big target was hacked. This time it was Belgacom, the partly state-owned Belgian telecom. In this case, too, the attack was sophisticated and complex. According to published news reports and documents leaked by Edward Snowden, the attackers targeted system administrators working for Belgacom and used their credentials to gain access to routers controlling the telecom’s cellular network. Belgacom publicly acknowledged the hack, but has never provided details about the breach.

Then five months after that announcement, news of another high-profile breach emerged—this one another sophisticated hack targeting prominent Belgian cryptographer Jean-Jacques Quisquater.”

“Now it appears that security researchers have found the massive digital spy tool used in all three attacks. Dubbed “Regin” by Microsoft, more than a hundred victims have been found to date, but there are likely many others still unknown. That’s because the espionage tool—a malicious platform capable of taking over entire networks and infrastructures—has been around since at least 2008, possibly even earlier, and is built to remain stealth on a system for years.

The threat has been known since at least 2011, around the time the EU was hacked and some of the attack files made their way to Microsoft, who added detection for the component to its security software. Researchers with Kaspersky Lab only began tracking the threat in 2012, collecting bits and pieces of the massive threat. Symantec began investigating it in 2013 after some of its customers were infected. Putting together information from each, it’s clear the platform is highly complex and modulated and can be customized with a wide range of capabilities depending on the target and the attackers’ needs. Researchers have found 50 payloads so far for stealing files and other data, but have evidence that still more exist.

“It’s a threat that everyone has detected for some time, but no one has exposed [until now],” says Eric Chien, technical director of Symantec’s Security Technology and Response division.

The researchers have no doubt that Regin is a nation-state tool and are calling it the most sophisticated espionage machine uncovered to date—more complex even than the massive Flame platform, uncovered by Kaspersky and Symantec in 2012 and crafted by the same team who created Stuxnet.”

The whole story may be read at Wired

Masque Attack: All Your iOS Apps Belong To Us

“In July 2014, FireEye mobile security researchers discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier. This in-house app may display an arbitrary title (like “New Flappy Bird”) that lures the user to install it, but the app can replace another genuine app after installation. All apps can be replaced except iOS preinstalled apps, such as Mobile Safari. This vulnerability exists because iOS doesn’t enforce matching certificates for apps with the same bundle identifier. We verified this vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and non-jailbroken devices. An attacker can leverage this vulnerability both through wireless networks and USB. We named this attack “Masque Attack,” and have created a demo video here:” (see above)

“We have notified Apple about this vulnerability on July 26. Recently Claud Xiao discovered the “WireLurker” malware. After looking into WireLurker, we found that it started to utilize a limited form of Masque Attacks to attack iOS devices through USB. Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can replace authentic apps, such as banking and email apps, using attacker’s malware through the Internet. That means the attacker can steal user’s banking credentials by replacing an authentic banking app with a malware that has identical UI. Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user’s account directly.

We have seen proofs that this issue started to circulate. In this situation, we consider it urgent to let the public know, since there could be existing attacks that haven’t been found by security vendors. We are also sharing mitigation measures to help iOS users better protect themselves.

Security Impacts

By leveraging Masque Attack, an attacker can lure a victim to install an app with a deceiving name crafted by the attacker (like “New Angry Bird”), and the iOS system will use it to replace a legitimate app with the same bundle identifier. Masque Attack couldn’t replace Apple’s own platform apps such as Mobile Safari, but it can replace apps installed from the App Store. Masque Attack has severe security consequences:

1. Attackers could mimic the original app’s login interface to steal the victim’s login credentials. We have confirmed this through multiple email and banking apps, where the malware uses a UI identical to the original app to trick the user into entering real login credentials and upload them to a remote server.
2. We also found that data under the original app’s directory, such as local data caches, remained in the malware local directory after the original app was replaced. The malware can steal these sensitive data. We have confirmed this attack with email apps where the malware can steal local caches of important emails and upload them to a remote server.
3. The MDM interface couldn’t distinguish the malware from the original app, because they used the same bundle identifier. Currently there is no MDM API to get the certificate information for each app. Thus, it is difficult for MDM to detect such attacks.
4. As mentioned in our Virus Bulletin 2014 paper “Apple without a shell – iOS under targeted attack”, apps distributed using enterprise provisioning profiles (which we call “EnPublic apps”) aren’t subjected to Apple’s review process. Therefore, the attacker can leverage iOS private APIs for powerful attacks such as background monitoring (CVE-2014-1276) and mimic iCloud’s UI to steal the user’s Apple ID and password.
5. The attacker can also use Masque Attacks to bypass the normal app sandbox and then get root privileges by attacking known iOS vulnerabilities, such as the ones used by the Pangu team.”

Read more on how to protect yourself from this latest iPhone privacy threat.
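
The root cause in the FireEye excerpt is that iOS at the time keyed an app’s identity on its bundle identifier alone and did not require the replacing app’s signing certificate to match the original’s. The following Python script is an added example, not code from FireEye, Apple or this blog: it models that missing check by replaying a constructed install history for one device, pinning each bundle identifier to the signing team that first installed it, and flagging any later install of the same bundle identifier that arrives under a different team or through an enterprise/ad-hoc profile. The record layout (`bundle_id`, `team_id`, `channel`), the team identifiers and the sample history are all assumptions; as the excerpt’s point 3 notes, the MDM APIs of the day did not expose per-app certificate data, so this is a model of the rule, not a drop-in MDM check.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AppRecord:
    """One install event in a device's app history.

    Field names are assumptions for this example, not an iOS or MDM schema.
    """
    bundle_id: str   # e.g. "com.example.bank"; iOS used this alone as the app's identity
    team_id: str     # owner of the signing certificate (developer team)
    channel: str     # "appstore", "enterprise" or "adhoc" provisioning


# Constructed install history for one device (not data from the original post).
# The third record is the Masque pattern: same bundle identifier as an App Store
# app, but signed by a different team and delivered under an enterprise profile.
SAMPLE_HISTORY: List[AppRecord] = [
    AppRecord("com.example.bank", "TEAMBANK1", "appstore"),
    AppRecord("com.example.mail", "TEAMMAIL1", "appstore"),
    AppRecord("com.example.bank", "TEAMEVIL9", "enterprise"),  # masquerader
    AppRecord("com.example.mail", "TEAMMAIL1", "appstore"),    # ordinary update
    AppRecord("com.example.mail", "TEAMMAIL1", "enterprise"),  # same owner, new channel
    AppRecord("com.example.game", "TEAMGAME1", "adhoc"),       # first install, nothing to compare
]


def find_masqueraders(history: List[AppRecord]) -> List[Tuple[AppRecord, str, str]]:
    """Replay an install history and return (record, severity, reason) for every
    install that would replace an existing bundle identifier under a different
    signing identity.

    The first install of a bundle identifier pins its trusted signing team. Every
    later install of that bundle identifier is held to the rule the excerpt says
    iOS did not enforce: the signing certificate (modelled here by the team) must
    match. A channel change by the same team is reported at lower severity so an
    administrator can review it; a same-team, same-channel install is an update.
    """
    pinned: Dict[str, AppRecord] = {}
    findings: List[Tuple[AppRecord, str, str]] = []
    for rec in history:
        prior = pinned.get(rec.bundle_id)
        if prior is None:
            pinned[rec.bundle_id] = rec   # trust on first install
            continue
        if rec.team_id != prior.team_id:
            findings.append((rec, "high",
                             f"{rec.bundle_id} pinned to team {prior.team_id}, "
                             f"replacement signed by {rec.team_id} via {rec.channel}"))
        elif rec.channel != prior.channel and prior.channel == "appstore":
            findings.append((rec, "review",
                             f"{rec.bundle_id} from App Store reinstalled through "
                             f"{rec.channel} profile by the same team"))
        # The pin is never moved, so a masquerader cannot become the new baseline.
    return findings


def high_severity_bundle_ids(history: List[AppRecord]) -> List[str]:
    """Bundle identifiers that were replaced under a different signing team."""
    return [rec.bundle_id for rec, severity, _ in find_masqueraders(history)
            if severity == "high"]


if __name__ == "__main__":
    for rec, severity, reason in find_masqueraders(SAMPLE_HISTORY):
        print(f"[{severity}] {reason}")
```

Run as a script it prints one high-severity line for `com.example.bank` and one review line for `com.example.mail`. The pin is deliberately never updated after a mismatch, which is what keeps a successful replacement from quietly becoming the new trusted baseline on the next check.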
ComputerCOP: The Dubious ‘Internet Safety Software’ That Hundreds Of Police Agencies Have Distributed To Families

“For years, local law enforcement agencies around the country have told parents that installing ComputerCOP software is the “first step” in protecting their children online.

Police chiefs, sheriffs, and district attorneys have handed out hundreds of thousands of copies of the disc to families for free at schools, libraries, and community events, usually as a part of an “Internet Safety” outreach initiative. The packaging typically features the agency’s official seal and the chief’s portrait, with a signed message warning of the “dark and dangerous off-ramps” of the Internet.

As official as it looks, ComputerCOP is actually just spyware, generally bought in bulk from a New York company that appears to do nothing but market this software to local government agencies.

The way ComputerCOP works is neither safe nor secure. It isn’t particularly effective either, except for generating positive PR for the law enforcement agencies distributing it. As security software goes, we observed a product with a keystroke-capturing function, also called a “keylogger,” that could place a family’s personal information at extreme risk by transmitting what a user types over the Internet to third-party servers without encryption. That means many versions of ComputerCOP leave children (and their parents, guests, friends, and anyone using the affected computer) exposed to the same predators, identity thieves, and bullies that police claim the software protects against.”

Read the entire, exhaustively comprehensive dissection of this “child protecting” scam at EFF.

Russian Hackers Put ‘Digital Bomb’ In Nasdaq Computers

“Russian computer hackers placed a “digital bomb” capable of sabotaging data and derailing the US economy into Nasdaq’s computer systems, it has emerged.

The cybercriminals slipped the “cybergrenade” into Nasdaq’s computer network in 2010 using malware capable of spying and stealing data, according to Bloomberg Businessweek.

The bomb was never set off, but had the capability of derailing stock market computers. An FBI system monitoring US internet traffic picked up the alert and found that the hackers had used “zero day” vulnerabilities.

Zero days are previously unknown flaws in computer code that allow hackers to easily take remote control of a computer.

A similar type of malware has been designed and built by Russia’s main spy agency, the Federal Security Service of the Russian Federation. However, Russian officials denied any government connection to the security breach.

Investigators also discovered evidence that the Russian malware was being used by a sophisticated Chinese cyberspy known to be operating a thriving criminal business.”

IBT has more

Stuxnet: UK And US Nuclear Plants At Risk As Malware Spreads Outside Russia

“Security experts have warned the notorious Stuxnet malware has likely infected numerous power plants outside of Russia and Iran.

Experts from FireEye and F-Secure told V3 the nature of Stuxnet means it is likely many power plants have fallen victim to the malware, when asked about comments made by security expert Eugene Kaspersky claiming at least one Russian nuclear plant has already been infected.

“[The member of staff told us] their nuclear plant network, which was disconnected from the internet […] was badly infected by Stuxnet,” Kaspersky said during a speech at Press Club 2013.

Stuxnet is sabotage-focused malware that was originally caught targeting Windows systems in Iranian nuclear facilities in 2010. The malware is believed to originally have been designed to target only the Iranian nuclear industry, but subsequently managed to spread itself in unforeseen ways.

F-Secure security analyst Sean Sullivan told V3 Stuxnet’s unpredictable nature means it has likely spread to other facilities outside of the plant mentioned by Kaspersky.

“It didn’t spread via the internet. It spread outside of its target due to a bug and so it started traveling via USB. Given the community targeted, I would not be surprised if other countries had nuclear plants with infected PCs,” he said.”

Here is a very thorough and detailed article for those readers interested in learning more about the history of Stuxnet.

Illustration: “How Stuxnet Worked”

“Computer cables snake across the floor. Cryptic flowcharts are scrawled across various whiteboards adorning the walls. A life-size Batman doll stands in the hall. This office might seem no different than any other geeky workplace, but in fact it’s the front line of a war—a cyberwar, where most battles play out not in remote jungles or deserts but in suburban office parks like this one. As a senior researcher for Kaspersky Lab, a leading computer security firm based in Moscow, Roel Schouwenberg spends his days (and many nights) here at the lab’s U.S. headquarters in Woburn, Mass., battling the most insidious digital weapons ever, capable of crippling water supplies, power plants, banks, and the very infrastructure that once seemed invulnerable to attack.

Recognition of such threats exploded in June 2010 with the discovery of Stuxnet, a 500-kilobyte computer worm that infected the software of at least 14 industrial sites in Iran, including a uranium-enrichment plant. Although a computer virus relies on an unwitting victim to install it, a worm spreads on its own, often over a computer network.

This worm was an unprecedentedly masterful and malicious piece of code that attacked in three phases. First, it targeted Microsoft Windows machines and networks, repeatedly replicating itself. Then it sought out Siemens Step7 software, which is also Windows-based and used to program industrial control systems that operate equipment, such as centrifuges. Finally, it compromised the programmable logic controllers. The worm’s authors could thus spy on the industrial systems and even cause the fast-spinning centrifuges to tear themselves apart, unbeknownst to the human operators at the plant. (Iran has not confirmed reports that Stuxnet destroyed some of its centrifuges.)”

Further reading:

How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History

Confirmed: US and Israel created Stuxnet, lost control of it

The History of Stuxnet: Key Takeaways

Stuxnet: Anatomy of a Computer Virus on Vimeo

International Space Station Infected With USB Stick Malware Carried on Board by Russian Astronauts

“Renowned security expert Eugene Kaspersky reveals that the International Space Station was infected by a USB stick carried into space by a Russian astronaut.

Russian security expert Eugene Kaspersky has also told journalists that the infamous Stuxnet had infected an unnamed Russian nuclear plant and that in terms of cyber-espionage “all the data is stolen globally… at least twice.”

Kaspersky revealed that Russian astronauts carried a removable device into space which infected systems on the space station. He did not elaborate on the impact of the infection on operations of the International Space Station (ISS).

Kaspersky said he had been told that from time to time there were “virus epidemics” on the station.”

Security Concerns Abound Over Unofficial Android iMessage App That Uses Chinese Servers To Process Data

“An unauthorised app that lets Android users chat on Apple’s closed iMessage network is causing a big stir. It’s had viral downloads in the tens of thousands amid claims that it could be spreading malware; but the Chinese developer who developed the app tells us everything is cool.

[TechCrunch has opted not to include a link to the app page because of the security concerns]

It’s the latest security scare for Google’s popular mobile operating system, whose Play store in 2012 accounted for 79% of all smartphone malware – meanwhile Apple’s highly protected iOS App Store consisted of just .7% malicious apps.”

The Government Is Planting Child Porn On Your Computer

“A new virus has been cataloged, and it appears to be planting and distributing child pornography files. Hackers? No. The government is planting child porn on your computer, or so an alert published today indicates.

Before It’s News has interviewed a person, who spoke on condition of anonymity, that has been a victim of the virus implantation. The person was engaged in journalistic exposure of political corruption, and suddenly police appeared on his doorstep with a search warrant specifying a search for evidence of possessing and distributing child pornography. The story is a bit convoluted here, but basically the gentleman did a little more investigation and found rogue .exe files on his computer that appeared as normal emule sharing directories but contained “hundreds to thousands” of child pornography files. The potential whistleblower claims the virus was deliberately planted on his computer in order to stop his activity.

The article surmises the Internet Crimes Against Children task force may be behind the virus planting, though why is unclear.

ESET Virus Radar has recognized the virus, and calls it Win32/MoliVampire. The short description indicates, “Win32/MoliVampire.A is a trojan which tries to download other malware from the Internet. Win32/MoliVampire.A may be spread via peer-to-peer networks.”

The trojan contains a URL address. It tries to download a file from the address. Files are copied into a shared folder of various instant messengers and P2P applications, according to the description.”

Facebook Hit With ‘Sophisticated Attack’

“The social media site said its security team discovered the breach last month. It occurred when a small group of employees visited a mobile developer website that was compromised, Facebook said. The compromised website allowed malware to be installed on the employees’ laptops.”

A Chinese Hacker’s Identity Unmasked

“Joe Stewart’s day starts at 6:30 a.m. in Myrtle Beach, S.C., with a peanut butter sandwich, a sugar-free Red Bull, and 50,000 or so pieces of malware waiting in his e-mail in-box. Stewart, 42, is the director of malware research at Dell SecureWorks, a unit of Dell (DELL), and he spends his days hunting for Internet spies. Malware is the blanket term for malicious software that lets hackers take over your computer; clients and fellow researchers constantly send Stewart suspicious specimens harvested from networks under attack. His job is to sort through the toxic haul and isolate anything he hasn’t seen before: He looks for things like software that can let hackers break into databases, control security cameras, and monitor e-mail.

Within the industry, Stewart is well-known. In 2003 he unraveled one of the first spam botnets, which let hackers commandeer tens of thousands of computers at once and order them to stuff in-boxes with millions of unwanted e-mails. He spent a decade helping to keep online criminals from breaking into bank accounts and such. In 2011, Stewart turned his sights on China. “I thought I’d have this figured out in two months,” he says. Two years later, trying to identify Chinese malware and develop countermeasures is pretty much all he does.

A big part of Stewart’s task is figuring out how malware is built, which he does to an astonishing level of detail. He can tell the language of the computer on which it was coded—helping distinguish the malware deployed by Russian criminal syndicates from those used by Chinese spies. The most important thing he does, however, is figure out who or what the software is talking to. Once inside a computer, malware is set up to signal a server or several servers scattered across the globe, seeking further marching orders. This is known in the information security business as “phoning home.” Stewart and his fellow sleuths have found tens of thousands of such domains, known as command and control nodes, from which the hackers direct their attacks.”

“Researchers from the U.S. Naval Surface Warfare Center have developed malicious software that can remotely seize control of the camera on an infected smartphone and employ it to spy on the phone’s user.

The malware, dubbed “PlaceRaider,” “allows remote hackers to reconstruct rich, three-dimensional models of the smartphone owner’s personal indoor spaces through completely opportunistic use of the camera,” the researchers said in a study published last week.”