
Saturday, September 8, 2012

Google Acquires Malware-Scanning Site VirusTotal


Google has acquired VirusTotal


Google has acquired VirusTotal, a malware-scanning company that offered its services for free. Users can submit a file or a URL to be scanned, and the site warns them if it contains any malware. The site relies on over 40 antivirus engines and other tools to scan the files.

The site will continue to operate as is as part of Google, the company said on its blog. However, it will benefit from the expertise and, more importantly, infrastructure and resources of Google.

"Our goal is simple: to help keep you safe on the web. And we’ve worked hard to ensure that the services we offer continually improve," VirusTotal wrote.

"But as a small, resource-constrained company, that can sometimes be challenging. So we’re delighted that Google, a long-time partner, has acquired VirusTotal. This is great news for you, and bad news for malware generators," it said.

"VirusTotal will continue to operate independently, maintaining our partnerships with other antivirus companies and security experts. This is an exciting step forward. Google has a long track record working to keep people safe online and we look forward to fighting the good fight together with them." 

It's not exactly clear what Google plans to do with VirusTotal, if anything. There are a number of places that could benefit from better malware scanning, the Play Store for one, not to mention the search engine. Chrome too could do with better built-in security tools.

But there don't seem to be any big plans for integration at this point; Google is happy to leave VirusTotal to do its job. At the very least, it could benefit from an improved URL blocklist for the search engine.

"Security is incredibly important to our users and we’ve invested many millions of dollars to help keep them safe online. VirusTotal also has a strong track record in web security, and we’re delighted to be able to provide them with the infrastructure they need to ensure that their service continues to improve," Google commented on the acquisition.

Thursday, August 30, 2012

Researchers Unable to Link Mysterious Wiper Malware to Flame


Researchers attempt to find link between Wiper and Flame, but to no avail

After further analyzing the traces of the mysterious Wiper malware, researchers are still unable to precisely determine how it works. They also haven’t been able to find a clear link between it and Duqu, Stuxnet or Flame.
Back in April, the Iranian Oil Ministry reported sightings of a destructive piece of malware that attempted to extract information and then wipe it from the infected devices, hence the name Wiper.

Kaspersky was called in to analyze the attack that took place sometime between April 21 and April 30. The malware’s developers destroyed all the pieces of information that could be used to properly analyze Wiper. 

However, their investigation led them to another interesting thing: the now-infamous Flame.

“The malware was so well written that once it was activated, no data survived,” Kaspersky experts explained.

“So, although we’ve seen traces of the infection, the malware is still unknown because we have not seen any additional wiping incidents that followed the same pattern as Wiper, and no detections of the malware have appeared in the proactive detection components of our security solutions.”

They claim that we may never find out precisely what Wiper was and although it led them to discover Flame, they believe that the two are not connected. 

Some common filenames indicate a possible connection to Duqu and Stuxnet, but there isn’t enough evidence to say this for sure. 

Furthermore, experts believe that the creators of Shamoon, the recently discovered malware, have been inspired by Wiper to develop their own Trojan. 

“The fact that the use of Wiper led to the discovery of the 4- or 5-year-old Flame cyber-espionage campaign raises a major question. If the same people who created Duqu/Stuxnet/Flame also created Wiper, was it worth blowing the cover of a complex cyber-espionage campaign such as Flame just to destroy a few computer systems?” experts concluded.

Thursday, August 9, 2012

Naughty Nurse Sakura Shiratori tries to Infect Defence Firm with Malware

We’ve seen a large number of files spammed out to various organisations, exploiting the CVE-2012-0158 vulnerability.

Victims have not been limited to defence companies, but have also included government departments, charities and recruitment agencies.

One of the latest attacks we have seen was sent to a defence contractor, using the subject line “if you want sex pictrue!”.
Attached to the email is a file called sexpicture.rar that contains a number of naked pictures of Japanese model Sakura Shiratori.

Harmless enough you might think. However, alongside the seedy snapshots are two files.

An apparent screensaver, short-SEXGPJ_1.SCR, is malicious – and detected by Sophos products as Mal/Behav-043.

Another file, short-SEX_ST_1.DOC, is detected by Sophos products as Troj/DocDrop-AF, and attempts to install further malicious code onto victims’ computers by exploiting the CVE-2012-0158 vulnerability.

Although the email appears to have come from the Taiwanese branch of Yahoo, the “from:” address has been forged by whoever sent out the attack. I’m also going to make the fairly safe assumption that Miss Shiratori is not aware of how her images are being abused.

Make sure that the staff at your firm are wary of opening unsolicited email attachments, and that computers are defended with up-to-date anti-virus software and the latest security patches.

Microsoft released its patch for the vulnerability back in April – if you haven’t already rolled it out across your Windows PCs, do so now.

Monday, August 6, 2012

Android Trojan Attacks 100,000-plus Users


Security researchers are warning of yet another Android malware outbreak, which has spread to nine app stores and infected 100,000 users with code designed to covertly purchase apps and content from China Mobile’s Mobile Market.

Mobile security firm TrustGo explained that the MMarketPay.A Trojan could be hidden in a number of legitimate-looking applications, including those from Sina and media streaming company Funinhand, as well as travel and weather apps. A few days ago, Microsoft also confirmed that hackers were sending spam from Android devices.

The malware has already been placed in nine different third party Android app markets in China, infecting over 100,000, the firm said.


Once downloaded, the Trojan will automatically place orders for paid content and apps at China Mobile’s official Mobile Market online store without informing the user.

It is able to intercept China Mobile’s verification SMS and post the code to the Mobile Market web site in order to complete the purchase, said TrustGo.

In the event of CAPTCHA being triggered at this stage, the malware will apparently send the relevant image to a remote server for analysis.

The advice from the security experts at TrustGo is for users to only download Android apps from trusted app stores and to have some form of real-time mobile security scanner installed on their device to prevent any dodgy downloads.

Visiting an apparently legit app store is no guarantee you’re going to get a malware-free experience, however.

Malware is frequently turning up on the official Android marketplace Google Play – although admittedly less frequently than on some of the more dubious third party sites.

The latest discovery came at the tail end of last week when researchers found malware that lifts the victim’s location data and address book info.

China in particular has been a hotbed of malicious Android activity for some time.

In April, the Chinese authorities were forced to publicly reprimand the country’s two biggest mobile carriers, China Mobile and China Telecom, after uncovering “many problems” in their respective app stores.

Globally too, Android continues to be a favourite with cyber criminals.

Security firm Trend Micro is predicting the discovery of 129,000 malicious apps by the end of the year and has compiled this handy infographic detailing the main threats.

Tuesday, July 31, 2012

Power Failure Across India, Hit by Malware Attack

India’s northern power grid crashed on Monday morning, wreaking havoc at airports, railway and metro stations, hospitals and across traffic-congested roads, in its worst power outage in a decade.

Indian power infrastructure under attack: India is losing millions in just hours. The same snag developed within just 24 hours of recovery, and reports say the system is infected by sophisticated malware.
The malware is spreading; today more than 67 crore people are without power. Cyber analysts suspect a "PAK"-China nexus behind this attack.


Hundreds of millions of people have been left without electricity in northern and eastern India after a massive power breakdown.

Some analysts are saying that it is a cyber attack by malware, but no Indian authorities have confirmed it yet. The authorities restoring the service suggest the whole thing is beyond their skills; meanwhile, mainstream media has been barred from reporting on it, as this could bring disgrace to India's security services.

Since the first power trip up on Monday, there have been discussions within the security establishment about the possibility of entities trying to carry out a sophisticated cyber-attack to cripple the grids.

Officials who carried out an audit of critical information infrastructure admit it is "theoretically possible" to cripple India's power grids through a cyber-attack.


Despite such a possibility, the shutdown did not seem to have led to a crisis management procedure that aimed at ruling out or confirming a cyber-attack.

"Given the fact that our grids are vulnerable to a cyber-attack, those responsible for managing grids should have a proactive policy to rule out cyber-attack as part of their crisis management procedures," a senior official said. "But none of it was visible," he added.

Sources aware of contacts among the power ministry, power grid authorities and those in both CERT-IN (Computer Emergency Response Team-India) and NTRO (National Technical Research Organisation) say there was no proactive effort by those responsible for power grids.

However, both CERT-IN and NTRO are believed to have established their own procedures to ensure the shutdowns were not a cyber-attack, having been brought on by massive over-the-limit withdrawals by states to supply electricity for pumps tapping groundwater in the absence of rainfall during this monsoon.

Officials said the government is now discussing possible ways to speed up the setting up of the National Critical Information Infrastructure Protection Centre (NCIPC), which would act as the command and control centre for monitoring the critical information infrastructure of the country. NCIPC was recently approved by the National Security Council headed by the Prime Minister.

Sources said the government is also planning to hold a national consultation of all stakeholders involved in critical information infrastructure.

The government is already setting up dedicated CERT-INs for various critical sectors such as power and civil aviation.

Officials point to breaches reported from power grids in the US, cyber intrusion into the Iranian nuclear network and other such incidents around the world to warn that India needs a more robust crisis management procedure that includes proactively ruling out cyber-attacks.

Thursday, July 26, 2012

Microsoft Names Two Zeus Botnet Operators


Three months after initially disrupting the Zeus botnet, Microsoft officials have named two of the people who they think are behind the malware network, a pair of Ukrainians who already are sitting in jail in the UK.
From the beginning of the anti-Zeus operation, which became public in March, Microsoft officials and lawyers from other organizations, including NACHA, have been trying to identify the dozens of John Does named in the initial legal complaint. Those efforts hadn’t met with any success, until last week when Microsoft named Yevhen Kulibaba and Yuriy Konovalenko as two of the John Does behind the Zeus botnet. The company has told both the FBI and the authorities in the UK of their findings, and also included the men’s names in the amended legal complaint.


“In an amended complaint, filed last week, Microsoft named Yevhen Kulibaba and Yuriy Konovalenko as defendants. Microsoft has learned that these particular defendants were already serving jail time in the United Kingdom for other Zeus malware related charges. Microsoft has advised the U.K. government of the criminal referral to the FBI. By referring this case to the FBI, as we did in September 2011 with our case against the operators of the Rustock botnet, we are affirming our commitment to coordinating our efforts with law enforcement. Our goal is always to work in ways that are complementary to law enforcement. Our hope is that the evidence we provided to the FBI in this case will lead to a criminal investigation that brings the perpetrators to justice,” Richard Boscovich, a senior attorney in Microsoft’s Digital Crimes Unit, said in an analysis of the operation.
The anti-Zeus operation is the latest in a line of botnet takedowns and anti-cybercrime actions undertaken by the Microsoft DCU, a relatively new group inside the company that’s devoted to investigating and helping stem cybercrime. The DCU also was involved in the takedown of the Rustock botnet, as well as operations against the Kelihos and Waledac botnets. The Zeus takedown has been unique for a couple of reasons, chief among them the use of the civil section of the RICO anti-racketeering statute to aid in the investigation.
“In criminal court cases, the RICO Act is often associated with cases against organized crime; the same is true in applying the civil section of the law to this case against what we believe is an organization of people behind the Zeus family of botnets. By incorporating the use of the RICO Act, we were able to pursue a consolidated civil case against everyone associated with the Zeus criminal operation, even if those involved in the ‘organization’ were not necessarily part of the core enterprise,” Boscovich said at the time of the initial Zeus takedown.
Microsoft is working with ISPs to help them identify Zeus-infected machines and alert the users about the infection.

Tuesday, July 24, 2012

Hackers force Iranian nuclear facilities to blast AC/DC after Cyber Attack


A person inside the Atomic Energy Organization of Iran (AEOI) claimed this week in an email to a security researcher that a fresh hack is affecting two facilities, causing vital equipment to shut down and then playing AC/DC’s “Thunderstruck” on lab computers at maximum volume “during the middle of the night.”

Mikko H. Hypponen, chief research officer for the cybersecurity firm F-Secure, explained on the company’s website that he received an email from an unknown person within the AEOI who wanted to publicize details of the latest problems they’ve been running into.


“I am writing you to inform you that our nuclear program has once again been compromised and attacked by a new worm with exploits which have shut down our automation network at Natanz and another facility Fordo near Qom,” the tipster wrote.

“According to the email our cyber experts sent to our teams, they believe a hacker tool Metasploit was used,” he continued. “The hackers had access to our VPN. The automation network and Siemens hardware were attacked and shut down. I only know very little about these cyber issues as I am a scientist, not a computer expert.”

The email concluded: “There was also some music playing randomly on several of the workstations during the middle of the night with the volume maxed out. I believe it was playing ‘Thunderstruck’ by AC/DC.”

While the identity of whomever sent the email has not been confirmed, reports in recent months have pointed to the U.S. and Israel as leading cyber-sabotage efforts against Iran’s nuclear program.

Reporters cited unnamed administration officials who claimed that the creation of the “Stuxnet” cyber weapon was authorized by President George W. Bush and sped up by President Barack Obama, who also allegedly initiated other lines of attack against the same facilities cited by Hypponen’s mystery tipster.


Wednesday, July 18, 2012

New malware hits Middle East computers


Security researchers say they have discovered another piece of espionage malware infecting computers and targeting sensitive organizations in the Middle East.

Kaspersky Lab in Russia and Seculert in Israel said the malware on more than 800 PCs operated by critical infrastructure companies, financial institutions and government agencies has been siphoning e-mails, passwords, computer files and nearby conversations, ArsTechnica.com reported Tuesday.



The researchers have dubbed the malware Madi or Mahdi, which in Islam is synonymous with Messiah, because of several code strings and handles used by the attackers.

The discovery evoked comparisons to the Flame malware used to disrupt Iran's nuclear program, but both Kaspersky and Seculert said the malware contained amateur coding practices and relied on the gullibility of its victims, whereas Flame contained world-class cryptographic breakthroughs and other techniques that suggested state-sponsored developers.

"While we couldn't find a direct connection between the campaigns, the targeted victims of Mahdi include critical infrastructure companies, financial services and government embassies, which are all located in Iran, Israel and several other Middle Eastern countries," Seculert said. "It is still unclear whether this is a state-sponsored attack or not."

Madi can log keystrokes, capture screenshots and steal any messages sent to or from a variety of widely used services, including Gmail, Hotmail, Yahoo! Mail, Skype or ICQ, the researchers said.

Reference: Link

Cyber warfare: Fear of system failure


The discovery of Flame and Stuxnet leaves security experts concerned there are similar malicious software attacks already underway that their systems cannot detect.

It’s rare to hear someone admit to failure. Even rarer to admit that their company and the entire industry it represents is guilty of a “spectacular failure”. But that is just what Mikko Hypponen, “cyber-security Jedi” and chief research officer at anti-virus firm F-Secure, did recently.



In a candid article for Wired published at the start of June, he admitted that the antivirus industry had been caught with its trousers down by what has been described by some as the most complex piece of malicious software ever created.

Known as Flame, the software is an example of a “spyware” infection, designed surreptitiously to record and transmit a record of actions taking place on a compromised system – from video and audio to the individual strokes of a keyboard – as well as offering access to sensitive and supposedly private information.

More striking than these capabilities, however, are two crucial factors: the sophistication of Flame’s targeting, and its ability to evade detection. Flame’s targets were almost certainly a handful of computers operating sensitive aspects of nuclear programs in the Middle East. And, as soon became apparent after its discovery, it had been spreading across the world towards these machines for over two years, undetected. Until its purpose was due to be served, one of the most important pieces of malicious code in existence had to all intents and purposes been invisible.

All of which marks out Flame as a tool not of mere criminality, but of cyber-espionage: one developed by a state-sponsored intelligence program with the intent of gathering technical information of the most sensitive kind. Hence Hypponen’s remarkably frank assessment: “We really should have been able to do better. But we didn’t. We were out of our league, in our own game.”

Sophisticated scams

Cyber-crime used to feel, if not like a game with rules, then at least like an arena of knowable motivations. Thanks to the internet, every petty criminal in the world suddenly had access to your front garden (metaphorically speaking) and would muster as much cunning as possible to break into your house – or at least your bank account.

Just a day after Iran had announced the discovery of Flame, I was speaking at the Thinking Digital conference in northeast England, where I listened to Hypponen outline one of the more ingenious of such scams. Once infected by the malware in question, your computer produces an official-looking message on startup claiming to be from the FBI.

It has been detected, the message says, that your hard drive contains a treasure trove of illicit materials, incriminating you in everything from terrorism to child pornography. Your entire system has been frozen, leaving you only two options: either click here to take the claim to “court” (a bogus dead end); or pay an instant fine to unlock your system. Some users, Hypponen went on to explain, actually paid the fine even though they knew it was a scam – because they couldn’t face the potential humiliation and suspicion of explaining what was going on.

Such attacks can be destructive, disturbing and costly. Yet it is, at least, clear what’s going on once you see behind the deceiving veil: what the scammers want (money); how they aim to get it; and what your recourses may be (download a fix; contact the police or civilian digital security experts). Even when it effectively entails taking your computer hostage, financial gain remains a comprehensible motive.

Raising alarms

What, though, is to be done when the actors involved are states themselves; or digital aggressors acting with the resources of a state behind them? Shrouded by plausible deniability on all sides, it’s increasingly clear that a kind of silent war is beginning online: one whose battles even the experts may only recognize after they’ve been fought, and whose potential targets encompass almost every system or service plugged into a computer.

References: Link1

Thursday, July 5, 2012

Malware May Show Its Magic on July 9

Thousands of Internet Users at Risk!
The warnings about the Internet problem have spread like wildfire across Facebook and Google+. Internet service providers have sent notices, and the FBI set up a special website.

Tens of thousands of Americans may still lose their Internet service Monday unless they do a quick check of their computers for malware that could have taken over their machines more than a year ago.

Despite repeated alerts, the number of computers that are probably infected is more than 277,000 worldwide, down from about 360,000 in April. Of those still infected, the FBI believes that about 64,000 are in the United States.
Users whose computers are still infected Monday will lose their ability to go online, and they will have to call their Internet service providers for help.
And from my own experience, a huge number of internet users in Pakistan and India are also affected by this malware.

Reference: Link1

Tuesday, July 3, 2012

Bespoke 'Web-inject' Software for Sale Threatens Banks

Malware 'suites' sold cheap online

Cyber criminals are offering low priced and customisable ‘web-injects’ for malware, which a security expert warns could wreak havoc with banks.
An evolving underworld market for malware has shifted to start offering more targeted and often bespoke updates to commonly found malware like Zeus and SpyEye.
Known as web-injects, they are generally used to create fake web pages which pop up when a victim infected with malware uses online banking or makes a transaction.
Just like any market, that of malware and web-injects is subject to changes, and Trusteer has found that, while bulk pricing has been popular in the past, web-inject software writers are producing code with specific features.


The Additional Passwords mechanism asks for more passwords from a victim, costing up to $200, while the TAN Grabber can capture one-time passwords that are sometimes used by some banks to authorise online transactions.
According to Trusteer, cyber criminals are essentially aping traditional software vendors, offering an a la carte suite of pricing options.
While the move away from bulk buying to tailor-made web-injects means more cost, the customised software is also becoming more readily available - and cheaper.
This greater availability and improved ability to narrow attack areas is threatening to cause upheaval with financial defences.
According to George Tubin, Senior Security Analyst with Trusteer, many banks could find themselves at considerably greater risk than before.
“It is very concerning for a lot of banks which maybe haven’t been targeted before,” he said, speaking with TechEye. “Typically the malware will target larger institutions."
“Now you can target almost any bank you want; you could target banks that previously haven’t been targeted," he said. “These are often the ones that don’t have as good defences in place.”

Reference: Link1


Friday, June 29, 2012

DNSChanger Trojan Still Prevalent In 350K Computers


Over Ten Percent of Fortune 500 Still Infected by DNSChanger

Google is embarking on an effort to notify Internet users if their computers or home routers are still infected with the DNSChanger Trojan, a piece of sophisticated malware that has compromised an estimated 500,000 systems. The outreach campaign comes a little more than a month ahead of July 9, the date on which the FBI is set to take all computers corrupted with the malware offline.
The FBI ended a major online DNS threat last year, but the arrest of the criminals, and killing the servers would have left millions without internet service, so the servers were replaced. Here’s how to find out if you could lose your internet connection July 9th.
The trojan is usually a small file (about 1.5 kilobytes) that is designed to change the 'NameServer' Registry key value to a custom IP address. This IP address is usually encrypted in the body of a trojan. As a result of this change a victim's computer will contact the newly assigned DNS server to resolve names of different webservers.

Variant

Trojan.Win32.DNSChanger.al
Lately we got a few samples of this trojan that were named 'PayPal-2.5.200-MSWin32-x86-2005.exe'. This trojan was programmed to change the DNS server name of a victim's computer to the address 193.227.227.218.

The Registry key that is affected by this trojan is:

  •  [HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces] "NameServer"

Registry Modifications
Creates these keys:

  •  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random} DhcpNameServer = 85.255.xx.xxx,85.255.xxx.xxx
  •  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random} NameServer = 85.255.xxx.133,85.255.xxx.xxx
  •  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ DhcpNameServer = 85.255.xxx.xxx,85.255.xxx.xxx
  •  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ NameServer = 85.255.xxx.xxx,85.255.xxx.xxx


Manual Way to Remove it:

If a manual check of the DNS nameserver settings is desired, here are the steps for Windows XP and newer:
  •  Click Start > Run, then type “cmd” in the box (no quotes).
  •  In the command window, type “ipconfig /all” (again, no quotes).
  •  Scroll down through all the other data and find “DNS Servers.” This will look something like 192.168.2.1. If it looks like fec0:0:0:ffff::1%1, then your router uses IPv6 and you can’t manually check the connection this way. Write down the addresses of the nameservers you are using.
  •  Go to https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS, enter your DNS server addresses into the checker box and hit the “Check Your DNS” button. Your results will only take a few seconds.
If You Have DNSChanger In Your System
That's all :)
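The manual check above reads the DNS server addresses out of `ipconfig /all` and compares them with the rogue resolvers; here is the same check, scripted, as an added Python example that is not part of the original post. It assumes the `ipconfig /all` layout shown in the constructed sample (fields at three spaces of indent, extra resolvers on deeper-indented continuation lines) and builds its rogue list only from the addresses this post shows, treating the masked 85.255.xxx.xxx value as the whole 85.255.0.0/16, which is an assumption rather than the FBI's published list.

```python
import ipaddress
import re

# Indicators taken from the post: the .al variant's hard-coded resolver and the
# masked 85.255.xxx.xxx registry values. Treating the masked value as the whole
# /16 is an assumption made here, so this list is coarser than the FBI's.
ROGUE_NETWORKS = [
    ipaddress.ip_network("85.255.0.0/16"),
    ipaddress.ip_network("193.227.227.218/32"),
]

# Assumed `ipconfig /all` layout: adapter headers at column 0 ending in ':',
# fields indented exactly three spaces as "Label . . . : value", and extra
# values for one field (a second DNS server) on deeper-indented lines.
FIELD_RE = re.compile(r"^ {3}([A-Za-z][A-Za-z0-9 /()\-]*?)[ .]*: ?(.*)$")


def classify(addr):
    """Return 'rogue', 'ok' or 'unchecked' (IPv6 cannot be checked this way)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unchecked"
    if ip.version == 6:
        return "unchecked"
    return "rogue" if any(ip in net for net in ROGUE_NETWORKS) else "ok"


def parse_ipconfig_dns(text):
    """Map adapter name -> list of DNS server strings from `ipconfig /all` output."""
    servers = {}
    adapter = None
    in_dns = False
    for line in text.splitlines():
        if not line.strip():
            in_dns = False
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            adapter = line.strip().rstrip(":")
            servers[adapter] = []
            in_dns = False
            continue
        if adapter is None:
            continue                      # "Windows IP Configuration" block
        m = FIELD_RE.match(line)
        if m:
            label, value = m.group(1).strip(), m.group(2).strip()
            in_dns = label == "DNS Servers"
            if in_dns and value:
                servers[adapter].append(value)
        elif in_dns and len(line) - len(line.lstrip()) > 3:
            servers[adapter].append(line.strip())   # continuation line
    return servers


def audit_ipconfig(text):
    """Return [(adapter, address, verdict)] for every DNS server found."""
    return [(a, s, classify(s))
            for a, lst in parse_ipconfig_dns(text).items() for s in lst]


def audit_nameserver_value(value):
    """Check a NameServer/DhcpNameServer registry value (comma- or space-separated)."""
    return [(s, classify(s)) for s in re.split(r"[,\s]+", value.strip()) if s]


# Constructed sample output (not a real capture): one adapter pointed at two
# resolvers inside the 85.255.0.0/16 block, one clean adapter, one IPv6-only.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WORKSTATION-01

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 192.168.2.10(Preferred)
   DNS Servers . . . . . . . . . . . : 85.255.112.55
                                       85.255.112.56
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   DNS Servers . . . . . . . . . . . : 192.168.2.1

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
"""

if __name__ == "__main__":
    for adapter, server, verdict in audit_ipconfig(SAMPLE_IPCONFIG):
        print(f"{verdict:9} {server:22} ({adapter})")
    print(audit_nameserver_value("85.255.112.133,85.255.112.55"))
```

On a real machine, pipe the output of `ipconfig /all` into `audit_ipconfig`, and check the registry values listed above with `audit_nameserver_value`; any "unchecked" result still needs the FBI form from the steps above.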

Thursday, June 28, 2012

Banking Trojan Cleans Out Your Account Silently

Researchers at Tokyo-based anti-virus firm Trend Micro have discovered a new twist on banking Trojans that doesn't interact with the victim at all.
Standard banking Trojans dupe an account holder into logging into a duplicate of his bank's website, thereby conning him into giving up his username, password and account number, which they use to log in after he's done.
This new variant, which can be grafted into the existing banking Trojans ZeuS or SpyEye, infects computers the old-fashioned way: it either infects Web browsers via a drive-by download or piggybacks as an attachment on a phishing email.

It then hides in the Web browser and waits for the user to log into his bank's site. Once he does, it introduces special software that triggers an automatic transfer system that moves money out of the victim's account to another account within the same bank, and covers up the evidence so that neither the user nor the bank notice right away.

"As long as a system remains infected with an ATS, its user will not be able to see the illegitimate transactions made from his/her accounts," wrote Trend Micro researcher Loucif Kharouni. "This essentially brings to the fore automated online banking fraud because cybercriminals no longer need user intervention to obtain money."

Pulling off such a heist is complicated. The malware must often be custom-made for each bank website, which involves lots of research and coding on the part of the malware authors, and results in expensive prices for each piece in cybercrime bazaars.

Destination accounts must also be created at the targeted banks so that the malware has a place to deposit the stolen money, and a network of "money mules" must be recruited to access the destination accounts and move the money again, this time out of the bank.

Furthermore, writes Kharouni, the amounts transferred must be fairly small in order not to trigger alerts within the banking system. The Trend Micro researchers saw amounts ranging from 500 euro to 13,000 euro ($635 to $16,500 in U.S. dollars).

The most commonly targeted banks are in Britain, Italy and Germany, countries where, according to Trend Micro, online-banking verification practices are strong — and hence necessitate the use of stealthy malware that needs no verification at all.

American banks are apparently not on the menu yet. Kharouni cites two reasons: first, it's not easy for online criminals based in Eastern Europe to open up accounts in U.S. banks; and second, most American banks have weak verification methods that make the older, cheaper variants of banking Trojans still profitable on these shores.

To avoid being hit by a banking Trojan, whether old or new, make sure to have robust anti-virus software installed on your PC or Mac, and set it to automatically update its malware definitions.

Reference: Link1