Tag teaming malware, just what everyone needs

Subject: General Tech | July 3, 2013 - 01:16 PM |
Tagged: Vobfus, Beebone, Malware, security

Vobfus has been around the block a few times: it is Visual Basic code that first popped up in 2009 and tries to download and install further code to attack the machines it manages to get onto. Beebone, aka Win32/Beebone, is newer, a fairly common Trojan that is similar to Vobfus in that it attempts to download other malware rather than attacking your machine directly. According to this story on The Inquirer, the two have developed a symbiotic relationship: when one infects you it immediately tries to infect you with the other. That way the pair can fool anti-malware programs into believing they have sanitized your machine of all infections, when in fact you have only removed one of the two and the remaining one immediately downloads and installs a different variant of the one you just removed.


"SOFTWARE HOUSE Microsoft's security researchers have discovered a pair of malware programs that help one another to avoid being detected by antivirus software.

Known as Vobfus and Beebone, the collaborating malware prove difficult to remove from infected machines as they work together, foiling the removal by regularly downloading updated versions of their respective partners."

Here is some more Tech News from around the web:

Tech Talk

Source: The Inquirer

Beware the click-jacking Captcha of Evil!

Subject: General Tech | July 2, 2013 - 01:29 PM |
Tagged: Malware, IE10, chrome, security

Just in case you weren't already tired of captchas, there is a new click-jacking technique which works on both IE9 and IE10 on Windows 7 and on Chrome on Windows 8, so for the time being you might want to avoid any captchas that begin with an 'R'. The new SmartScreen feature in Windows 8, as well as UAC, should give you at least some defense by requiring you to allow the executable to run before it can infect your machine, but you can be guaranteed that some less observant users will click straight through without reading the messages which appear. While this type of attack is nothing new, the particular technique described at The Register does have some new tricks.


"A security researcher has discovered a sneaky social engineering trick that might be used to disguise the go-ahead to run hostile code on Windows 8 machines.

The so-called keyjacking technique, uncovered by Italian security researcher Rosario Valotta, is similar to clickjacking. However, instead of fooling marks into generating fake Facebook likes, the keyjacking involves disguising a "run executable" dialogue box within a CAPTCHA challenge."


Source: The Register

Bieber can be used for evil

Subject: General Tech | May 29, 2013 - 02:31 PM |
Tagged: cell phone, security, fud

If you feel safe and secure using your cellphone in public, some research out of the University of Alabama will shatter that confidence. It seems that sound can be used as a trigger to activate malware from a distance, even over low quality speakers. You already know about Shazam and other apps that identify songs when you hold up your cellphone, successfully connecting to a remote database to fetch the song data even in a loud room. This research shows that a previously infected phone could carry dormant malware that is remotely activated simply by music containing a hidden message, inaudible to human ears. Pair this with the known Autoconnect to Saved WiFi Profiles vulnerability and your phone could very easily start leaking information you would much rather keep private. Follow the links from The Register to read the research paper and reactions to it.


"Security researchers have discovered that specific music, lighting, vibrations or magnetic fields could all be used as infection channels to trigger the activation of mobile malware on a massive scale.

The paper, titled Sensing-Enabled Channels for Hard-to-Detect Command and Control of Mobile Devices, was presented in the eastern Chinese city of Hangzhou earlier this month by researchers at the University of Alabama at Birmingham (UAB)."


Source: The Register

Careful connecting to those pub WiFis

Subject: General Tech | May 24, 2013 - 05:53 PM |
Tagged: cell phone, security, wifi, PNL

A security expert recently reminded people that the Preferred Networks List bug, identified in 2004, has only ever been addressed by Microsoft. All other mobile OSes, from Apple to BlackBerry, can accidentally expose their PNL to an eavesdropper, who can then spoof the networks on it. If you like setting up autoconnect on your devices you might want to double check the names of your active connections occasionally; if you appear to be connected to your home WiFi while you are out, you might have a problem. Catch more at The Register.


"Security expert Raul Siles has warned that years after it was first identified, the Preferred Networks List (PNL) Wi-Fi bug remains unaddressed on many an iPhone, Android phone, and Windows or BlackBerry handset."


Source: The Register

McAfee picks up Stonesoft, Intel continues to focus on network security

Subject: General Tech | May 7, 2013 - 03:16 PM |
Tagged: stonesoft, security, purchase, mcafee, Intel

A small security firm called Stonesoft was acquired by Intel, or rather McAfee, for just under $400m. Stonesoft provides not only software and services but actual network appliances, which use its proprietary Stonesoft Security Engine to provide secure connectivity. This makes a lot of sense when you think back on Intel's statements when it purchased McAfee: it is not interested in providing security only at the software level but wants to move it to the hardware level. You can find out a bit more at The Inquirer.


"SECURITY VENDOR McAfee has bought software security firm Stonesoft to add to its range of network security products.

McAfee, which is owned by Intel, is one of the biggest security vendors but has so far been focused on end-point products such as anti-virus and firewall software that runs on consumer PCs. Now the firm has made a move to go deeper into the network, buying security software vendor Stonesoft for $389m in cash."


Source: The Inquirer

Java Releases Patch Addressing Vulnerability Used By McRat Trojan

Subject: General Tech | March 5, 2013 - 06:26 AM |
Tagged: security, patch, mcrat trojan, Java, exploit

Java developer Oracle recently released a patch for its Java Platform Standard Edition client to address two vulnerabilities exploited by attackers to install the McRAT trojan onto users' machines. Specifically, Oracle is issuing the patch for CVE-2013-1493 and CVE-2013-0809.


The vulnerabilities affect Java running in a web browser. When a user with a vulnerable version of Java installed visits a malicious web site, attackers are able to remotely execute the McRAT trojan, which is subsequently used to download additional malware to further compromise the machine. According to Oracle, the vulnerability was first discovered on February 1st, 2013 but did not make it in time to be rolled into that month's scheduled update. As a result, Oracle slated it for inclusion in the Java platform update on April 16, 2013, but reconsidered after seeing exploits using these vulnerabilities in the wild. While servers and standalone Java installations are not affected, consumers will need to apply the patch via Java SE's automatic updater or by manually installing the patch from this page. Currently, all Java SE versions prior to this patch are affected, including JDK and JRE 7 Update 15, 6 Update 41, and 5.0 Update 40 (or earlier).

Oracle states that the patch is a critically important update, and users should update as soon as possible. If you have not already applied the update (or given up on Java and uninstalled it completely--heh), start up Java and check for updates to grab the patch.

Source: Oracle

McAfee always checks the sandbox for feline footprints

Subject: General Tech | February 26, 2013 - 01:45 PM |
Tagged: mcafee, security, RSA 2013, sandbox

McAfee has been showing off its wares at RSA 2013, specifically the new heuristic malware detection capabilities it will be using instead of its current malware signature database, which holds over 113 million core samples. That signifies a huge change for the antivirus company as it moves to real-time monitoring of all the processes on your machine for suspicious activity instead of matching patterns directly. While this could lead to some interesting side effects for verification software such as you find in some games, McAfee claims 100% effectiveness against current rootkits on Intel hardware compatible with Deep Defender, though it did not give many specifics about that test to The Register.

That is not all they are up to: McAfee just purchased ValidEdge's sandboxing technology, which lets them watch malware as it arrives and infects a machine in order to study its patterns. Strangely, The Inquirer mentions that they will still be recording signatures, so it is possible that "completely abandoning the signature database" is an exaggeration and they will instead use a hybrid of signature database and heuristic monitoring. The first software using this new option will be available in the second half of this year. Also briefly mentioned in the story is a suggestion that McAfee will be able to repair infected computers automatically via the ePO Agent.


"Signature-based malware identification has been around since the dawn of the computer security industry, but McAfee has said it's dumping the system – or rather, adapting it – in an upgraded security suite which will (it claims) virtually eliminate susceptibility to botnets."


Source: The Register

Want some Raspberry Pi with a side of hashes?

Subject: General Tech | February 15, 2013 - 01:27 PM |
Tagged: WPAD, security, Raspberry Pi, fud

On this week's podcast, Ryan wondered what he could do with his new Raspberry Pi, and Hack a Day has an idea for him, though it is a wee bit nefarious. It seems that Travis over at MADSEC is using a Raspberry Pi in penetration testing, using the NetBIOS Name Service to elicit responses related to the Web Proxy Auto-Discovery Protocol (WPAD), responses which can include LM hashes from Windows machines. With the use of rainbow tables you can crack those hashes and take control of existing accounts on the PCs. This type of attack is well known, but automating it on something as small and easily modifiable as a Raspberry Pi adds a new layer. Whether you use it for good or evil, you can read more about it at Hack a Day.


"Plug in the power and Ethernet and this Raspberry Pi board will automatically collect Windows hashes from computers on the network. With a couple of RPi boards on hand [Travis] was searching for more hacks to try with them. This made a great little test to see how the board performs with the well established attack."
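The defender's counterpart to the attack above is spotting Windows hosts that fall back to NetBIOS Name Service to resolve WPAD, since that broadcast is what a spoofing box on the LAN answers. The following is an added example, not code from the Hack a Day or MADSEC write-up: it decodes the first-level-encoded names in NBNS (UDP/137) query packets and flags any lookup for WPAD; the packets it runs on are constructed in-line.

```python
import struct

# NBNS names are 15 chars space-padded plus a one-byte suffix; each nibble of
# each byte is sent as a letter 'A'..'P'. Both directions are implemented so
# the constructed sample packets below round-trip through the parser.

def encode_nb_name(name: str, suffix: int = 0x00) -> str:
    """First-level encoding of a NetBIOS name (32 ASCII letters)."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return "".join(chr(65 + (b >> 4)) + chr(65 + (b & 0xF)) for b in raw)

def decode_nb_name(encoded: str) -> tuple[str, int]:
    """Inverse of encode_nb_name: returns (name without padding, suffix byte)."""
    if len(encoded) != 32 or any(not "A" <= c <= "P" for c in encoded):
        raise ValueError("not a first-level-encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 65) << 4) | (ord(encoded[i + 1]) - 65)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

def build_nbns_query(name: str, suffix: int = 0x00, txid: int = 0x1234) -> bytes:
    """Constructed sample packet: one NB (type 0x20, class IN) question.
    Flags 0x0110 = query opcode 0, recursion desired, broadcast bit set."""
    header = struct.pack("!6H", txid, 0x0110, 1, 0, 0, 0)
    label = bytes([32]) + encode_nb_name(name, suffix).encode("ascii") + b"\x00"
    return header + label + struct.pack("!HH", 0x0020, 0x0001)

def parse_nbns_queries(packet: bytes) -> list[tuple[str, int]]:
    """(name, suffix) for every question in a query packet; [] for responses."""
    if len(packet) < 12:
        raise ValueError("truncated NBNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", packet[:12])
    if flags & 0x8000:          # QR bit set: a response, not a client lookup
        return []
    pos, names = 12, []
    for _ in range(qdcount):    # each question: 1 len + 32 name + 1 NUL + 4
        if pos + 38 > len(packet) or packet[pos] != 32 or packet[pos + 33] != 0:
            raise ValueError("malformed NBNS question")
        names.append(decode_nb_name(packet[pos + 1:pos + 33].decode("ascii")))
        pos += 38
    return names

def wpad_lookups(packets: list[bytes]) -> list[str]:
    """Alert-worthy names: hosts asking the broadcast domain who WPAD is."""
    return [f"{n}<{s:02X}>" for p in packets
            for n, s in parse_nbns_queries(p) if n == "WPAD"]

if __name__ == "__main__":
    sample = [build_nbns_query("FILESRV", 0x20), build_nbns_query("WPAD")]
    print(wpad_lookups(sample))   # ['WPAD<00>']
```

Fed a capture of port 137 traffic, the same parser tells you which hosts are still relying on NBNS for proxy discovery, which is the population to fix with a proper WPAD DNS entry or by disabling automatic proxy detection.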


Source: Hack a Day

Bad day for cellphone security

Subject: General Tech | February 14, 2013 - 01:47 PM |
Tagged: Android, iOS 6, apple, security, FROST

Two different mobile phone security concerns were revealed today, one for devices using iOS 6.1 and one for Androids. DailyTech has posted text instructions as well as linking to a video which shows how an iPhone 5's password protection can be completely bypassed, allowing anyone with physical access to your phone to log into it with full access. The second vulnerability, tested with Android 4.0 but possibly widespread, was discovered by a team at the Friedrich-Alexander University in Germany, and it allows the recovery of information from a phone which has used Android disk encryption. They used both a freezer to drop the temperature of the phone and a trick with the battery which puts the phone into 'fastboot' mode and allows the loading of a custom image via a Linux PC, which installs their Forensic Recovery Of Scrambled Telephones tool, aka FROST. As you can see from the images below, that gives you the ability to get the encryption key or even brute force some passwords.


"First part:
-Go to emergency call, push down the power button and tap cancel.
-Dial 112 and tap green and immediately red.
-Go to lock screen.

Ok...ready for second part:
-Go to passcode screen.
-Keep pushing down the power button ...1...2...3...seconds and before showing the slider "turn off"...tap the emergency call button and ...voilà!
-Then without releasing the power button press the home button and ready..."


Source: DailyTech

That safe and secure Foxit plugin you use?

Subject: General Tech | January 14, 2013 - 02:00 PM |
Tagged: pdf, foxit, security, fud

The Register has some bad news about that PDF reader you prefer to Adobe's software: a new vulnerability which does not even stem from a booby-trapped document but from a long link name. It seems that you can cause a buffer overflow in Foxit simply by having it copy an entire URL into a fixed-size buffer when the user clicks on a link to a PDF, which "pretty much lets you write to a memory location of your choice". Version 5.4.4.1128 and older are vulnerable and we have yet to hear from the creators of Foxit. Looks like no PDF reader is safe at this point.


"A new security bug in the popular Foxit PDF reader plugin for web browsers allows miscreants to compromise computers and install malware. There's no patch for this zero-day vulnerability.

Italian security researcher Andrea Micalizzi discovered that the latest version of the software crashes if users are tricked into clicking on an overly long web link. The plugin is kicked into action by the browser to handle the file and promptly bombs."


Source: The Register