Zeus Virus Variants Targeting BlackBerry and Android

Researchers at Kaspersky Lab have shed light on new variants of Zeus that have struck both Android and BlackBerry mobile platforms.

While the Zeus trojan isn’t new, the attacks have changed: ‘ZitMo’ is now built to attack the BlackBerry platform in addition to Android devices. From their analysis, researchers have deduced that the bot is controlled from two different numbers tied to Tele2, an operator located in Sweden. Once installed on a handset, the application gives an attacker full remote control of the device via the cellular control channel, in the form of SMS commands.

Zeus doesn’t pack much in terms of malicious capabilities, but eavesdropping on text messages is the name of the game here. The main purpose of ‘ZeuS-on-Mobile’ is to let an attacker remotely enable forwarding of SMS messages or block the user from receiving calls.

The Android variant of Zeus masquerades as a certificate or security application. Once installed, the application starts listening for incoming messages from the control number and acts on their requests. Installed as “Zertificate”, it doesn’t make any serious attempt at hiding itself. It isn’t bundled with a game or an application that actually provides anything useful; it’s a simple command-driven bot. Kaspersky Lab has dissected the APK and found an included self-signed certificate with a validity date starting July 19th, indicating that the application was likely built and deployed less than a month ago.

There haven’t been any new reports of devices being compromised in the wild; while the variants are newer, they are not more sophisticated. For a more in-depth look at “ZeuS-on-Mobile”, take a look at the Facts and Theories page.

Using good judgement, ensuring that your applications come from a vetted location, and never installing anything you don’t trust are generally safe practices that will help keep your mobile device free of malicious applications.

Spam Wave hits Dropbox Users

Posts from frustrated users are pouring into the Dropbox forum about receiving spam at email accounts connected to Dropbox. Posts such as the following have been coming in since yesterday.

Since today, I receive spam from [website link clipped] to an email address that is in use at Dropbox only ([email protected]).

So I guess you have a security problem with your user account data. And this sucks a lot.

Although it is possible for spamming software to randomly select email addresses to send spam to, the number of affected users indicates some kind of breach on Dropbox’s side.

The initial reply from the Dropbox support was as follows,

Generally, it is possible that these email addresses got released to the general population when you either shared a folder or sent a referral invite. When you send these to other people, your email is attached in the reply-to field and it is possible that a compromised referral could have gotten their address book stolen by spammers. This is the most likely scenario.

But, apparently, users who haven’t used the referral system have also been receiving spam. This spam wave might be the result of a compromise of Dropbox’s mail server, but we can’t be certain of that yet. Last year, a security glitch allowed anyone to log in to any Dropbox account with an incorrect password.

We have contacted Dropbox to learn more about the situation, but haven’t heard back from them yet.

UPDATE: A spokesperson for Dropbox has sent us the following statement.

We’re aware that some Dropbox users have been receiving spam to email addresses associated with their Dropbox accounts. Our top priority is investigating this issue thoroughly and updating you as soon as we can. We know it’s frustrating not to get an update with more details sooner, but please bear with us as our investigation continues.

Beware of Dark Knight Rises Leaked Torrents on the Internet

I am a big fan of the Batman franchise movies and have watched each of them on the day it was released. To be honest, I can’t wait to watch the latest in the series, “Dark Knight Rises”, on July 20. Dark Knight Rises is definitely going to break box office records all over the world. However, even before the movie has been released, several torrent websites have been filled up with fake torrents for the Dark Knight Rises.


While you might get into trouble legally for downloading the content, there is a high chance that the torrents available on the internet are infected with viruses and spyware which might put your computer at risk.


Back in 2010, Harry Potter Deathly Hallows Part 1 was leaked on torrent websites and was downloaded millions of times. That leak was potentially intentional, because it left a good part of the movie out of the torrent, thus driving users back to the theatre to catch the rest of the movie. There were also several instances of fake torrents which infected the users who downloaded them. The Dark Knight Rises torrents are fake and targeted at gullible users, who will be infected with malware and spyware.

While downloading torrents in itself is not illegal, it is always advisable to check your local copyright laws before you download anything to your computer. While there are several tools that help you download torrents anonymously, you should also use services that will tell you whether a torrent is infected or not.

And last but not the least, go ahead and check out some Dark Knight Rises Posters and Billboard ads and enjoy the Dark Knight Rises in theatres this week. It is definitely going to be worth it.

Yahoo Voice Hacked; 450,000 Account Data Stolen

Reports are coming in that hackers have managed to break into a Yahoo service and steal sensitive data of more than 453,000 of its customers. According to the security firm TrustedSec, who first reported the incident, the service that was compromised was Yahoo Voice.

The affected website was only named as a subdomain of yahoo.com; however, digging through and searching for the hostname, the attacker forgot to remove the hostname “dbb1.ac.bf1.yahoo.com” (credit to Mubix for the hostname find). Looking through a variety of sources, it appears that the compromised server was likely “Yahoo! Voice”, which was formerly known as Associated Content (credit to Adam Caudill for the linkage).

The hackers have posted the database containing the email IDs and passwords as proof. According to the dump, the hackers used a method called union-based SQL injection to break into the database. In this technique, input entered into improperly protected form fields is passed straight into a database query, which treats it as part of the command rather than as data.
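As an added illustration (not from the TrustedSec report or from Yahoo's code), the query pattern that makes this kind of injection possible beside its parameterized fix, using an in-memory SQLite table with constructed rows:

```python
import sqlite3

# Constructed sample data standing in for a breached accounts table (example only).
SAMPLE_ROWS = [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, email):
    # Vulnerable pattern: the field value is spliced into the SQL text, so the
    # database parses whatever the user typed as part of the statement. A quote
    # ends the string literal early; a UNION clause appended the same way would
    # pull rows from other columns or tables into the result set.
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    # Hardened form: a bound parameter is always delivered to the engine as a
    # value, never as query syntax, whatever characters it contains.
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def unsafe_fails_on(conn, email):
    # True if the concatenated query cannot even be parsed for this input: the
    # first symptom an error log shows for an injectable field.
    try:
        lookup_unsafe(conn, email)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "alice@example.com"))        # ['alice@example.com']
    print(lookup_safe(db, "o'brien@example.com"))      # []
    print(unsafe_fails_on(db, "o'brien@example.com"))  # True
```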

The scariest part, according to TrustedSec, is that the passwords were stored as plain text without any kind of encryption. If this was indeed the case, it was highly irresponsible on Yahoo’s part.

The hackers posted the following statement along with the dump,

We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.

If you are a Yahoo Voice customer, I recommend you change your password immediately, and if you are using the same password for any other service (which is bad practice), it is better to change that as well.

Formspring Hacked, 420,000 Passwords Leaked

Social question and answer website Formspring has been breached, and a dump of 420,000 passwords is spreading around the interwebs. Formspring, which was founded in 2009, has more than 20 million registered users. It recently gained notoriety due to incidents of bullying leading to the deaths of teenagers.

Formspring has confirmed that an unknown attacker managed to break into one of its development servers and extract account information from a production database. Fortunately, Formspring had significantly better security practices than most other recently hacked web services: all the passwords were hashed using SHA-256 with a salt. Thus, if you have a reasonably secure password, you will most probably be safe. However, users with insecure passwords still stand the risk of being exposed. As a precautionary measure, Formspring is forcing all of its users to change their passwords. It has also updated its authentication system to use the bcrypt hashing function, which is practically impossible to brute force.
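To make the difference concrete, here is an added example (not Formspring's code) comparing a single salted SHA-256, as Formspring reportedly used, against a deliberately slow password hash. scrypt from Python's standard library stands in for bcrypt, an assumption made because bcrypt is not in the stdlib; the guess-rate figures are whatever your machine produces.

```python
import hashlib
import hmac
import os
import time


def hash_sha256_salted(password, salt):
    # One fast SHA-256 over salt + password: the salt defeats precomputed
    # tables, but an attacker can still try a huge number of guesses per second.
    return hashlib.sha256(salt + password.encode()).digest()


def hash_slow(password, salt, n=2 ** 14):
    # Stand-in for bcrypt (assumption: scrypt is used because bcrypt is not in
    # the standard library). The cost parameter n makes each guess expensive.
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1, dklen=32)


def make_record(password, hasher):
    # Store a fresh random salt next to the digest, one salt per user.
    salt = os.urandom(16)
    return salt, hasher(password, salt)


def verify(password, record, hasher):
    salt, digest = record
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(hasher(password, salt), digest)


def guesses_per_second(hasher, trials):
    # Measure offline guessing throughput for a single attacker thread.
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(trials):
        hasher("guess%d" % i, salt)
    return trials / (time.perf_counter() - start)


def crack_seconds(hasher, trials, candidate_count):
    # Time to exhaust a wordlist of candidate_count entries against one hash.
    return candidate_count / guesses_per_second(hasher, trials)


if __name__ == "__main__":
    rec_fast = make_record("correct horse", hash_sha256_salted)
    rec_slow = make_record("correct horse", hash_slow)
    print(verify("correct horse", rec_fast, hash_sha256_salted))  # True
    print(verify("wrong guess", rec_slow, hash_slow))             # False
    wordlist = 10_000_000  # constructed size of a typical leaked-password list
    print("sha256 sweep: %.1f s" % crack_seconds(hash_sha256_salted, 2000, wordlist))
    print("slow hash sweep: %.1f s" % crack_seconds(hash_slow, 5, wordlist))
```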

Formspring needs to be applauded for employing a fairly strong hashing mechanism and for being quick to react. However, the security breach once again reinforces the belief that no web service is truly safe. Hence, it’s always a good idea to have a unique password for every website. If you use your Formspring password on other services as well, it is advisable to change your password on those services too. Going forward, you might want to use a password manager such as LastPass.

This Day MIGHT Just Be Your Last On The Internet [Editorial]

Does the name DNSChanger sound familiar? Well, I’m quite sure it wasn’t to many until recently, when the word went out on the web thanks to the kinda-hyped initiative from ISPs and the FBI. Most infected users were incognizant of the threat of getting disconnected from the internet. So before we get down to solving the problem, let’s get a formal introduction to the threat it poses.


What is DNS?

As per Wikipedia,

The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. A Domain Name Service resolves queries for these names into IP addresses for the purpose of locating computer services and devices worldwide. By providing a worldwide, distributed keyword-based redirection service, the Domain Name System is an essential component of the functionality of the Internet.

In plain English, DNS is an interpreter that translates human-readable domain names into the IP addresses that computers use to reach each other. So if it is absent, you are practically disconnected from the web unless you know the IPs for your daily Facebook and Twitter addiction. Think of a lone blind man in a blind alley. Without DNS, an internet user is just that blind person.

So what’s DNSChanger?

Known by many names (TDSS, Alureon, TidServ and TDL4), DNSChanger is malware that changes your DNS settings for malicious purposes. So typing a URL, instead of taking you to the original website, will show you an altered version that serves the purpose of the perpetrators, promoting fake and dangerous products. On November 8 last year, the FBI and Estonian police arrested individuals operating under the name “Rove Digital”. This unearthed “Operation Ghost Click”, which, so far, has victimized around 570,000 computers (while experts place the number somewhere around 250,000).

Why is this sudden urgency?

While the incident is quite old, the good guys managed to blunt the effect of DNSChanger by running replacement servers for the Rove Digital botnet, so that infected users could continue to enjoy proper DNS resolution until they found a cure for the disease. Under court order, these two servers will go down today, and infected users won’t be able to browse the internet the way it actually works.

Cure for the Itch

The DNS Changer Working Group (DCWG) has a nice set of links which you can use to check whether your computer is infected with DNSChanger and, if so, how to remove the DNSChanger malware. I’m not delving into more detail, as the steps and tools illustrated there are not so theatrical and any average Joe can get them done.

If you are late to fix it and you can’t visit websites to search for help, here’s an IP-based URL (74.125.45.100/search?q=dns+changer+working+group) where you can find answers on fixing the DNSChanger malware.

What if I’m not so unlucky?

I’ve read a dozen pieces by now, and a hundred more updates on the social networks. That inspired me to come up with such a scary title for this article, and as it may suggest, ANY user might lose their much-beloved internet connectivity. That’s a false underlying notion. Well, if you aren’t affected, YOU AREN’T GOING TO SUFFER. Keep enjoying the epic fail videos until the Internet really falls apart.

That’s one of the ugly sides of technology. The average user is hardly aware of the complex mechanisms that work in the background to make their computing tasks a breeze. So if anything goes wrong backstage, they are only worried if something in the performance behaves weirdly. And if it doesn’t, well, they hardly even feel that it actually happened. That’s the case with this security threat, which so far didn’t seem to be trouble, although it had serious implications, such as disabling antivirus features so it could do what it was intended to do.

The internet community has always been judgmental, and several conspiracy theories are already out. As they point out, like the Y2K crisis, this DNSChanger issue won’t actually mean doomsday for internet users. Frankly, a few thousand infected users can hardly make a dent in a crowd of billions. However, if you are one of them, you have big reasons to worry, and it will be wise to get it fixed; now is a great time to do that.

Internet Shuts Down for those Infected with DNSChanger on July 9

The final deadline for those affected by DNSChanger to reset their DNS servers is getting nearer. But reports suggest that there are still more than 500,000 computers that use the rogue servers. And when the date reaches July 9th, all of the computers that still use the rogue settings will be cut off from the internet, as the FBI shuts down the temporary servers that have allowed them to connect to the internet until now.

For those unaware, the DNSChanger malware altered the DNS settings of infected systems to point at certain rogue servers, which redirected infected users to rogue websites. The FBI raided those responsible and obtained control of their rogue servers in an operation called Operation Ghost Click, which we reported on earlier.

Even though the malware has been removed, many computers still use the same DNS settings. Up until now, the FBI had been using temporary DNS servers, put in place of the rogue ones, to let the infected users remain connected to the internet. The deadline to shut down these temporary servers had been extended once, in order to give ISPs more time to help their customers remove the rogue settings. But apparently, a large number of computers are still using the same settings, as mentioned above.

There are various ways to check whether your computer is infected with DNSChanger. All major anti-virus vendors will detect it and warn you. Also, sites such as dns-changer.eu and www.dns-ok.us have been set up to help anyone infected with the removal process.
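One way to automate that check on a Unix-like system, as an added example that is not from the DCWG or any vendor tool: parse the resolver configuration and flag any nameserver that falls inside a list of rogue address blocks. The blocks below are constructed placeholders, since the real DNSChanger ranges are not listed in this article; substitute the published ones.

```python
import ipaddress

# Placeholder address blocks (constructed, documentation-only ranges); replace
# with the rogue resolver ranges published by the DNS Changer Working Group.
ROGUE_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/24")]


def parse_nameservers(resolv_conf_text):
    # Pull every 'nameserver <ip>' line out of resolv.conf-style text,
    # ignoring comments, blank lines and values that are not IP addresses.
    servers = []
    for raw in resolv_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # malformed entry, not something to alert on
    return servers


def rogue_nameservers(servers, ranges=ROGUE_RANGES):
    # Return the configured resolvers that fall inside a rogue block.
    return [str(s) for s in servers if any(s in net for net in ranges)]


def check_resolv_conf(text):
    # Verdict suitable for a scan report: infected if any resolver is rogue.
    hits = rogue_nameservers(parse_nameservers(text))
    return {"infected": bool(hits), "rogue": hits}


# Constructed sample standing in for /etc/resolv.conf on a machine whose
# settings were changed by the malware.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.net
nameserver 192.0.2.53      # rogue: inside a placeholder block
nameserver 192.168.1.1
nameserver not-an-address
"""

if __name__ == "__main__":
    print(check_resolv_conf(SAMPLE_RESOLV_CONF))
    # {'infected': True, 'rogue': ['192.0.2.53']}
```

On Windows the same check applies to the DNS server entries reported by `ipconfig /all`; feed those addresses to rogue_nameservers directly.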

Laughable Security Flaw in Cyberoam Packet Inspection Devices

A serious security flaw has been discovered in Cyberoam Deep Packet Inspection (DPI) devices, which Cyberoam uses to intercept SSL traffic. The device works in a simple manner: it cloaks its presence by forcing users to install a fake CA in their browsers, and then uses this CA to issue fake certificates for websites. Because the browser trusts that CA, the forged certificate is accepted and the handshake can be completed; the user’s consent to install the certificate is what makes this possible. Cyberoam is extremely popular in corporate organizations, educational institutions and government agencies for various reasons, ranging from blocking access to websites to spying on users.

Cyberoam subverts the original CA and plants its own faux CA instead. But what are the implications of this? A Tor user in Jordan has found something interesting. Cyberoam uses the same fake CA across all devices, and the problem with their implementation is that there is no per-device intermediate key signed by that CA. Thus, all Cyberoam devices share the same private key, and this opens a wide array of possibilities for tinkerers.


But the worst part is yet to come. The key can be extracted from one device and used to intercept traffic from any other Cyberoam client. This is embarrassing for Cyberoam, which has not responded publicly on the matter yet.

The Tor media page reports this, saying,

It is therefore possible to intercept traffic from any victim of a Cyberoam device with any other Cyberoam device – or, indeed, to extract the key from the device and import it into other DPI devices, and use those for interception. Perhaps ones from more competent vendors.

Researchers Show Android 4.0 ClickJacking Demo

While Android is still one of the most rapidly growing mobile platforms, Google has yet to address some of the more serious concerns regarding the security of its offerings. With devices being released and activated at a rate of 850,000 per day, coupled with the availability of tools that allow one-click rooting, Google has found itself in one hell of a predicament. Google’s “Bouncer” is supposed to reduce the amount of malware present in the Play Store — which, surprisingly, has already been dissected by Duo Security.

Today, researchers from North Carolina State University have spilled the beans on clickjacking Android 4.0 Ice Cream Sandwich. In the demo, an application installed on the phone redirects application shortcuts. This means a user can launch an application, but another one is actually called instead — perhaps a malicious application. Instead of the stock Android browser launching, an identical-looking browser launches, but all textbox entries are written out to a log file for later transmission to an attacker.

The demo device is a stock Google Nexus S running the last version of Ice Cream Sandwich available, 4.0.4.

If the name ‘Xuxian Jiang’ is familiar to you, it’s because he is also behind numerous research papers showing off the sad state of affairs with Android. While the chances that this has been fixed in the recently announced Android 4.1 (Jelly Bean) are slim, Jiang has a good track record with Google, as he is the founder of the Android Malware Genome Project. For the time being, you should probably put your Android phone in a shoebox and go back to using a Nokia 3310.

US Senate Republicans Revise Cybersecurity Bill

They will never stop, will they? A group of Republican senators in the USA introduced a revised version of a cybersecurity bill, called the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information and Technology Act (SECURE IT). This aims to be the less regulated alternative of yet another draconian bill called the Cybersecurity Act that the Democrats in the US Senate had proposed.

SECURE IT is basically the shelved CISPA act disguised under a new name. It would give the Government and private companies more freedom in sharing information about cyber threats and cyber criminals. While the original CISPA had laid down harsh punishments and accusations against any potential cybercriminal, the ‘verdict’, so to speak, of SECURE IT is as yet unclear.

The Republican representative from Texas, Kay Bailey Hutchison, who is a proponent of the bill, had this to say:

Our bill focuses on giving companies and the government the tools and knowledge they need to protect themselves from cyber threats, and creates new important requirements for government contractors to notify their agencies of significant cyber-attacks to their systems.

The bill allows the Government or a private party to collect as much information as possible on a potential threat, violating that person’s civil liberty of privacy, as long as they deem that the person is a threat to the normal functioning of the organization.

How annoying is this, you ask? Very. Very annoying.