Banking trojan Zeus Panda shambles into Brazil ahead of Olympics

This post is by from TechCrunch


It seems there’s no limit to the perils being faced by athletes at the Rio 2016 Olympics: not just their competitors, but toxic water, poor accommodations, and impressive mobile bills. Add malicious pandas to the menu — virtual ones, at least. A nasty Trojan known as Zeus Panda has made its way to the Olympic host just in time for an influx of visitors.

Malware that hit Occupy Hong Kong has an iOS counterpart

This post is by Ruth Reader from VentureBeat


The malicious spyware that circulated the Occupy Hong Kong movement disguised as a protest coordinating app appeared to only target Android phones. But a new discovery from Lacoon Mobile Security shows that whoever deployed the malware also had a trojan built for iOS.

Last week, a number of protesters received a WhatsApp message inviting them to download an Android app purporting to coordinate the Occupy Hong Kong pro-democracy movement, according to the South China Morning Post. The movement responded quickly and said it had not released such an app. It was soon found to contain malware that exploits SMS, email, instant messages, call logs, location data, and usernames and passwords found on the device.

Lacoon CEO Michael Shaulov explained that his team found the iOS malware operating on the command and control server attached to the Android trojan horse. It’s unclear how many people, if any at all, were infected with the iOS malware, since the malware could only be installed on a jailbroken phone.

Occupy Hong Kong with Peace and Love is a response to Beijing’s decision to choose candidates for Hong Kong’s 2017 elections. When Britain ceded Hong Kong back to China in 1997, the country promised Hong Kong could retain some of the freedom it enjoyed under British rule — including democratic elections.

Initial reports said it did not appear the Chinese government was involved in the malware. However, Lacoon says that the development of an advanced iOS trojan may indicate otherwise. “Cross-platform attacks that target both iOS and Android devices are rare, and indicate that this may be conducted by a very large organization or nation-state,” the company said in blog post.

What’s really remarkable about this attack is that an entity in China, likely a well-resourced one according to Shaulov, has created trojan malware for iOS. “It’s the first time in the industry that we’ve actually seen such a sophisticated trojan,” said Shaulov. It’s a particularly scary prospect, because iOS does not have antivirus software. Apple relies on its ability to keep a tight handle on what gets installed on its devices; once that control is bypassed, as on a jailbroken phone, security goes out the window.

Also, if this is the work of the Chinese government and its cybersecurity team, as Lacoon seems to think, Hong Kong’s protesters have good reason to worry.


FBI Ransomware trojan now tricking Mac users into paying $300 fines

This post is by John Koetsier from VentureBeat


You’ve been caught viewing prohibited pornographic content. Now you need to pay $300 to “unlock” your Mac … or take your computer in for a potentially embarrassing servicing.


That’s the premise behind a new version of the FBI Ransomware browser trojan that is targeting Mac users. (No, it’s not actually from the FBI, that’s just the scam that it’s trying to get you to buy into.) And no matter how much your spouse might refuse to believe you, you don’t have to be viewing porn to get it. In fact, according to security expert Jerome Segura, all you have to do is search the web for a few popular keywords.

The secret of this “trojan?” There’s no actual infection, but the victim believes there is.

“That’s the beauty of the scam,” Segura told me. “You’re not actually infected – they make you think that you are, and most users believe it – and that’s the trick.”

Once your Safari browser hits the FBI ransomware, which is simply a few lines of JavaScript code, you appear to be toast:


The browser window can’t be closed easily, and a force quit of Safari — which most Mac users don’t know how to do — will simply bring it right back when you open Safari again, thanks to Apple’s helpful restore-from-crash feature. There are only four options to remove this.

First, Segura writes, you could close the page 150 times, each time clicking Leave Page when Safari asks you to confirm. That’s because the JavaScript that makes up FBI ransomware dynamically spawns 150 iframes (layers in a web page), each of which triggers its own leave-page prompt. Or you could reset Safari from the Safari menu — which will wipe all your history, saved names and passwords, autofill text, and more. Or you could simply quit Safari and start using Chrome or Firefox.

Or you could pay the $300.

FBI Ransomware is not related to the real FBI.

“The bad guys know how to use social engineering to entice victims as, for example, I was led to this locked page by doing a search for Taylor Swift nude on Bing images,” Segura writes. “The victim will feel they may have actually been doing something wrong and got caught, and ashamed, will pay the ‘fine.’”

There is another solution: change your browser. Google’s Chrome browser, for instance, is not vulnerable to this attack.

“If you’re using Chrome on a Mac, the chances of getting infected are almost nil,” Segura told me. “Chrome is usually safer because it’s a browser that’s been built with security in mind. There have been multiple contests targeting browser software, and Chrome has rarely ever failed.”

So unless you want to be socially engineered into paying $300, or want to have to reset your browser, you might consider other options. Traditionally, Segura told me, Safari, Internet Explorer, and Firefox have been much more vulnerable than Chrome.

Segura, security researcher though he is, and whose work is keeping people safe, couldn’t stop a little bit of admiration from entering his voice when discussing FBI Ransomware:

“It’s all about the social engineering aspect,” he mused. “Using that trick … whoever designed it is smart.”

Here’s a tutorial on getting rid of FBI Ransomware:

Filed under: Business, Dev, Security


New Mac Trojan ‘OS/X Crisis’ discovered

This post is by John Koetsier from VentureBeat


Mac security firm Intego has discovered a new Mac OS X Trojan, OS/X Crisis. The malware installs itself without user intervention and hides well if installed as root, but it has not yet been found on Mac users’ computers in the wild.

The threat affects only the last two versions of Mac OS X: Snow Leopard and Lion.

Intego describes OS/X Crisis as a Trojan dropper, a class of malware that is disguised as a game, screen saver, or music file. It installs itself without users even being aware and then attempts to cover its tracks and mask its existence.

“It makes a lot of effort to hide itself, which is not very common in Mac Trojans,” Lysa Myers, a security researcher with Intego, told VentureBeat. “[That effort] is much more common in Windows Trojans.”

Most of the files that the Trojan creates are randomly named in order to avoid easy detection and removal, but a number of names appear consistently, and users can search for them to check if they are infected.

If the Trojan is installed on a Mac running as root or with an administrator account, these files will be present on the system:

  • /System/Library/Frameworks/Foundation.framework/XPCServices/
  • /System/Library/Frameworks/Foundation.framework/XPCServices/
  • /Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r

If you’re a bit more cautious, however, and don’t run your system as root or admin, only this file will be present:

  • /Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r

Once installed, OS/X Crisis calls home to an IP address every five minutes, presumably to await instructions. That IP address may change over time, as malware authors often build in features resistant to simple blocking.

One question you might be asking: If it’s not “in the wild” yet, how did Intego find it?

I asked Myers that question, and she said that, as security researchers, Intego personnel spend a lot of time in the dark, nasty recesses of the web. In addition, malware writers often upload their wares to forums and security sites to test if their software is detectable by security software.

Image credit: MG1408/ShutterStock

Filed under: security, VentureBeat

Apple removes first trojan app to be listed in the App Store

This post is by Meghan Kelly from VentureBeat



“Find and Call,” the first malicious app to make it into the iOS App Store, was removed today, after reports surfaced of it stealing address books and spamming contacts.

The app was first noticed by security researchers at Kaspersky Lab, according to Wired. It posed as a utility app and a way to organize your contacts, when it was actually uploading the phone’s address book and targeting friends and family with spam messages and e-mails.

The utility category in the Android Google Play store, where the app was also listed, is known to have issues with malicious app entries. Security analysts often caution people to know what they’re downloading when installing a utility app.

The spam was effectively a marketing ploy. Once it gained access to the address book, it sent messages to contacts posing as the user, prompting them to download the app. The developers did include a request for access to the address book, however, saying the user could find more friends using the address book feature.

According to Forbes, the issue only affected Russian iOS users, and the developer is claiming it was the result of a bug. Apple confirmed to Wired that the app was removed from the App Store due to this specific problem.

The issue appeared right around the same time Apple started distributing corrupt app updates to users of Instapaper, Angry Birds Space, and over 100 other apps. The two are undoubtedly unconnected, however.

hat tip Wired; Rolodex image via Shutterstock

Filed under: mobile

“Incredibly sophisticated” cyber war tool unveiled today, hitting the Middle East

This post is by Meghan Kelly from VentureBeat



An extremely complex virus infecting computers in the Middle East called Flame was made public today. It’s being likened to the Stuxnet virus, which attacked Iranian nuclear systems in 2010.

“Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated,” said Alexander Gostev, Kaspersky Lab’s head of global research and analysis in a blog post. “It pretty much redefines the notion of cyberwar and cyberespionage.”

Kaspersky Lab, a Russian security research firm, publicized the extensive virus today, saying it may have run unchecked since 2010 and continues to be developed today. Flame is a Trojan, but its point of entry is unknown for the time being. Once in, the virus unpacks 20 modules, each with a different tool. These include a screen-capturing tool, which listens for when an “interesting” app is opened — such as an instant message window — and then takes a screenshot to record your conversation. Another turns on your computer’s microphone and records conversations happening in the room, within the mic’s audio reach. It can also watch and record what you type, sniff network traffic, and more, sending all the information to the virus creator’s several command and control servers.

Flame is compared to Stuxnet because of its ties to the Middle East — some of the top countries it is targeting are Iran, Lebanon, Syria, and Israel — its complexity, and because researchers believe this is a state-sponsored attack. Researchers also note that Flame “is not designed to steal money from bank accounts,” and is too complex to be developed by hacktivists, who usually use less intensive attacks such as distributed denial of service attacks.

“It looks like the creators of Flame are simply looking for any kind of intelligence — e-mails, documents, messages, discussions inside sensitive locations, pretty much everything,” said Gostev in the blog post. “We have not seen any specific signs indicating a particular target such as the energy industry — making us believe it’s a complete attack toolkit designed for general cyber-espionage purposes.”

Stuxnet, which attacked Iran’s nuclear infrastructure in 2010, was believed to be a government project, aimed at damaging infrastructure that may have been related to a nuclear weapons program. It does not look like Flame is attacking these industrial control (SCADA) systems, though it has the capacity to. The virus is also around 20 times larger than Stuxnet, installing at 20 megabytes, and was probably created by different parties.

Stuxnet and its recently discovered sister Duqu were built on the Tilded platform and are said to have three other siblings in the wild. Flame was not, however, built on this platform, according to Kaspersky, and is thus not a sibling.

Kaspersky Lab found the malware while digging around for more information about the Wiper virus — another piece of malware aimed at the Middle East. Wiper, also known as Viper, would infect a system and delete any number of files from it, wiping out anything that came in its path. At the time, Wiper infected Iran’s Oil Ministry, deleted whole hard drives within the ministry, and eventually caused it to shut down Internet access to all of its oil facilities and rigs.

Flame image via Shutterstock

Filed under: security

Bitcoin-stealing trojan spotted in the wild

This post is by from VentureBeat


A trojan horse that steals Bitcoins, a digital currency that people can use for transactions online, has been spotted in the wild, according to computer security software firm Symantec.

The new announcement today adds to concerns about the safety of investing in the digital currency, which faces the same security problems that anything else stored on a network or hard drive faces. The whole Bitcoin ecosystem is also inevitably linked to computer systems. And there have been plenty of instances where even some of the best online services like Amazon’s cloud computing have failed for significant periods of time.

The trojan, called Infostealer.coinbit, finds a Bitcoin owner’s “digital wallet” file, which contains the keys controlling the individual’s Bitcoins, and mails it to the attacker. If the wallet is password-protected, the attacker can then run a brute-force attack offline to discover the password and steal the owner’s Bitcoins.

This is the second time Bitcoins have made news because of potential security concerns linked to the currency’s digital origins. A thief recently stole 25,000 Bitcoins — which amounted to roughly $500,000 at the time they were stolen — from a compromised Windows computer.

Geeks and tech-savvy individuals have heralded Bitcoins as the next evolution of currency because the system is designed to remove the middleman in transactions, whether a payment provider like PayPal or a bank when someone makes a purchase with a credit or debit card. When someone makes a transaction, the Bitcoin is transferred to the recipient through a cryptographically signed transaction, which is intended to ensure that Bitcoins can’t be forged or created artificially.

New Bitcoins are added to the market through “Bitcoin mining” — a process where individuals run servers that process Bitcoin transactions and get paid in Bitcoins for doing so. The number of Bitcoins available to users is algorithmically limited — meaning the number of new Bitcoins introduced into the economy decreases over time and reaches a cap of somewhere around 21 million. That means that, similar to days on the stock market where there is low trading volume, smaller moves in the market are able to cause greater swings in the value of the Bitcoin. An 8 percent swing in the value of the Bitcoin throughout the day is pretty typical.

Symantec said that the whole method of generating Bitcoins was an open invitation to malware developers to exploit the system. Tech-savvy hackers who control botnets — massive networks of compromised computers that they can send commands to — can use those botnets to generate nearly $100,000 a month through Bitcoin mining, based on an exchange rate of $20 per Bitcoin.

Despite a lot of hype surrounding the new currency, the currency is facing growing pains with new reports of theft and heavy volatility in the Bitcoin trading market. The currency is unstable and is being used mostly as a speculative vehicle, according to the consensus answer on question-and-answer site Quora.

Filed under: mobile