Are you having a (Mac) Flashback?

On Monday, I provided steps on how to avoid your Mac being compromised by the Flashback trojan. Today I will provide information on how to locate a Flashback infection. To better understand the steps below, it is better to also know a bit about Flashback. It’s an OS X malware family that modifies the content displayed by web browsers. To achieve this, it interposes functions used by

China Targets Macs Used by NGOs #Tibet

A new Mac backdoor exploiting CVE-2011-3544 (a Java vulnerability) is being reported. The backdoor appears to be connected to GhostNet. The malware is being used in targeted attacks against non-governmental organizations (NGOs). Greg Walton published details of targeted mails sent to NGOs related to Tibet. The message contains a link to: dns.assyra.com. Read more from Walton here. AlienVault Labs has posted a technical report. Based on today’s news, Brod, one of our Mac malware analysts, remembered this post by Microsoft: Backdoor

Is your bank on SpyEye’s Top 40 list?

Variants of the SpyEye trojan target banks using a plugin called webinject.txt. We collected 1,318 samples in our back end that matched those from SpyEye Tracker’s RSS feed. Taking a look inside, we discovered that this collection of samples contains 632 different bank domains and that commerzbank.com was the most targeted bank domain. Here’s a graph of the top 40 banks targeted by SpyEye: The Y-axis represents the number

SMS Spam About Premium Value Service Circulating in Finland

CERT-FI is warning about SMS messages being sent by GTradeInc which are about subscription confirmation to a premium value service. These messages are apparently being sent to random people who have not ordered such a service or taken part in a Facebook or other campaign that would ask for phone numbers. The SMS messages contain the following content: Mainoskirje aktivoitu. Saat 3 mainosta/vko. Hinta 20e/kk, veloitetaan

Joe’s Garage (SMB): Most Likely to be Pwned by RDP

Last week, we advised readers to apply Microsoft update MS12-020 sooner rather than later. For those of you that have — good work. And if you haven’t yet applied the patch — stop delaying. Ever since MS12-020 was released, there’s been a flurry of activity attempting to “weaponize” the Remote Desktop Protocol (RDP) vulnerability. The race to an exploit

Mac Malware at the Moment

It’s been a while since we last wrote about Mac malware, so I thought it would be good to give our readers an update on what’s been happening during the last few months. Last year we detailed a possible Mac trojan in the making. At that time we were still speculating whether it would be

ZeuS: Me Talk Pretty Finnish One Day

A couple of months ago, there was an overly polite variant of ZeuS circulating here in Finland. And while the Finnish localization was pretty good – it used “Suo anteeksi” within an error message, not typically the kind of thing you’d read via software. We continue to see decent localization within ZeuS variants (and not just Finnish). Clearly, some bad guys out there have evolved

WordPress Page is Loading… an Exploit

WordPress.org is being targeted once again, and although this time there isn’t much sneaky sophistication, the infection is still prevalent enough that Internet users should be wary. Spam appears to be the driver of these campaigns. Various websites have already been identified as redirecting to the Blackhole exploit kit. Compromised websites would render any of the following pages upon visit: Simple and unsuspecting… but

Microsoft’s Guidance on CVE-2012-0002

First: Microsoft’s Remote Desktop Protocol is disabled on Windows by default. So most computers are unaffected by the issues highlighted as a result of this month’s “Patch Tuesday”. However: if you administer RDP-enabled workstations — then you probably should read Microsoft’s Security Research & Defense post about CVE-2012-0002. CVE-2012-0002 was privately reported to Microsoft, and there are no reports

Found Object: SpyEye Manual

File this in the “we shouldn’t be surprised” folder. This morning, one of our analysts, currently researching SpyEye, came across a new component name. And so, he did a Google search for that component. He found… a copy of the SpyEye Manual: Not exactly what he expected to find… But then, it really isn’t that surprising (sadly) to just

Countdown to March 8th

This is the week! (No… that’s not an “iPad 3” reference.) Back in November, the F.B.I. shut down servers belonging to the DNSChanger botnet, operated by Rove Digital, which was based in Estonia. The Feds have been running substitute DNS servers since then, but their authority to do so expires on March 8, 2012. And that means tens of thousands

What is the definition of cybercrime?

Two weeks ago, the “Cybersecurity Act of 2012” was introduced in the U.S. Senate. The bill (S.2105) is designed to protect critical infrastructure such as water, energy, and transportation. It directs the U.S. Department of Homeland Security (DHS) to coordinate with network operators on developing security standards. A related bill, the “Cybersecurity Information Sharing Act of 2012” (S.2102), was introduced on February 13th. Naturally, civil liberties groups such as the EFF and EPIC

Digital Activists are Building an Uncensorable Network

Scientific American’s March issue has an intriguing article which explores the efforts of digital activists to circumvent corporate and governmental control over the Internet. The aim of the moment is to configure and build a decentralized mesh network that cannot be blocked, filtered or turned off. Egypt’s Internet shutdown during last year’s Arab Spring played a significant inspirational role. (Image: Scientific American Magazine.) With a “shadow” network configured, activists

Network Security, Circa 1990

AT&T recently released a film from its archive called “Computer Security: You Make The Difference”. While you might chuckle at the 1990s music and production values – the truth is this – many of the basic issues that the video (which is a series of films stitched together) attempts to illustrate are still with us today, 22 years

Avi Rubin: All Your Devices Can Be Hacked

Avi Rubin, a Computer Science professor at Johns Hopkins University, recently gave an informative (and quite fun) presentation at TEDxMidAtlantic. Rubin’s talk summarized the results of efforts to hack various devices. Have you ever wondered if you could wirelessly brake a car? TEDxTalks: YouTube

Cryptome hacked

Cryptome.org is a website that has focused on publishing information about freedom of speech, cryptography, spying, and surveillance. In many ways, Cryptome is similar to Wikileaks – except it has been operating since 1996. The site is run by a New York-based architect called John Young. Cryptome has just announced it has been hacked. The hack planted an attack script on every page

Anonymous Leaks FBI Conference Call

Breaking: a faction of Anonymous has released an MP3 recording of an FBI conference call which took place on January 17th. During the call, which is currently posted on YouTube, members of the USA’s FBI can be heard discussing several Anonymous and LulzSec related cases with investigators from the UK. Today’s leak helps explain just how “Anonymous Sabu” (leader of the LulzSec group) appeared

Trojan:Android/OpFake.D still encodes its config file

We’ve been seeing cases of malware that first debuted on other operating systems being ported over to Android. Here’s another trojan that fits the bill. Opfake was first found on Symbian and Windows Mobile. In its latest incarnation on Android, the trojan (still) appears to be an Opera Mini app…whose only permission request is to send SMS messages: Turns out the app (we detect it as Trojan:Android/OpFake.D) sends the

Android malware employs steganography

Amidst my usual adventures in Android malware analysis, I saw this snippet of code while skimming through a particular sample’s class modules (Figure 1). Late last year, I was looking deeper into the Portable Network Graphics (PNG) image format, especially the fields that hold textual information. Upon seeing the code, it immediately triggered my suspicion as to why the application would need to check for the existence of the

Facebook Spammers Use Amazon’s Cloud

Facebook has recently been doing a decent job at keeping survey spam posts at bay (all things considered). So, what’s an entrepreneurial Facebook spammer to do? Well, some have tweaked their master plan, and have expanded their use of “cloud” services. Using Amazon’s S3 file hosting service solves quite a few problems for these perpetrators. Number 1, Amazon’s S3 web service is pretty inexpensive to set up, therefore they
