
Pre-installed RottenSys Malware Infected More Than 5 Million Android Phones

Pre-installed RottenSys Malware Infected More Than 5 Million Android Phones

RottenSys botnet has taken over 5 million Android phones

Almost 5 million Android phones preinstalled with Android malware dubbed “RottenSys” left the factory and reached customers, according to a report published by Check Point Research, a company specializing in digital security.

“The Check Point Mobile Security Team has discovered a new widespread malware family targeting nearly 5 million users for fraudulent ad-revenues. They have named it ‘RottenSys’ for in the sample we encountered it was initially disguised as a System Wi-Fi service.” reads the analysis of Check Point.

The infected brands include top Android phones on the market such as Samsung, Xiaomi, Honor, Oppo, Vivo, Huawei and Gionee. All the infected devices were distributed by an outsourced mobile phone supply chain distributor called Tian Pai, based in Hangzhou, China.

The Check Point Mobile Security Team, which discovered the malware on a Xiaomi Redmi phone, says that RottenSys is an advanced piece of malware that disguises itself as a tool to help manage Wi-Fi connections. But instead of securing the user’s Wi-Fi-related services, the application asks for sensitive Android permissions such as accessibility service permission, user calendar read access and silent download permission, none of which are related to a Wi-Fi service.

“According to our findings, the RottenSys malware began propagating in September 2016. By March 12, 2018, 4,964,460 devices were infected by RottenSys,” the researchers said.

RottenSys uses two evasion methods. The first is to postpone any malicious activity, so that the app is not linked to the malicious behaviour that follows.

In the second evasive tactic, RottenSys ships only a dropper component, which does not display any malicious activity at first. Once the device is active and the dropper is installed, it starts communicating with its Command-and-Control (C&C) servers to fetch the list of required components, which contain the actual malicious code.

RottenSys downloads and installs the additional components silently, using the “DOWNLOAD_WITHOUT_NOTIFICATION” permission, which does not require any user interaction.

Researchers said, “RottenSys is adapted to use the Guang Dian Tong (Tencent ads platform) and Baidu ad exchange for its ad fraud operation.”

Currently, the massive malware campaign pushes an adware component to all infected devices that aggressively displays advertisements on the device’s home screen, as pop-up windows or full-screen ads to generate fraudulent ad-revenues.

“RottenSys is an extremely aggressive ad network. In the past 10 days alone, it popped aggressive ads 13,250,756 times (called impressions in the ad industry), and 548,822 of which were translated into ad clicks,” researchers said. The attackers earned more than $115,000 with their malicious ad operation within the last 10 days alone.

Besides displaying uninvited advertisements, the attackers have also been testing a new botnet campaign through the same C&C server since the beginning of February 2018, says the Check Point Research Team.

“The attackers plan to leverage Tencent’s Tinker application virtualization framework as a dropper mechanism. The payload which will be distributed can turn the victim device into a slave in a larger botnet. This botnet will have extensive capabilities including silently installing additional apps and UI automation. Interestingly, a part of the controlling mechanism of the botnet is implemented in Lua scripts. Without intervention, the attackers could re-use their existing malware distribution channel and soon grasp control over millions of devices,” they added.

To check whether your Android device is infected with the malware, go to the Android system Settings >> App Manager, look for the following malware packages and uninstall them.

  • android.yellowcalendarz
  • changmi.launcher
  • android.services.securewifi
  • system.service.zdsgt
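As an added check (not part of the THN or Check Point write-up), the snippet below parses the output of `adb shell pm list packages -f` for the package names listed above and tells apart pre-installed (system-partition) packages, which need `pm uninstall -k --user 0` rather than a normal uninstall; the `pm` output it runs on is constructed.

```python
"""Match `adb shell pm list packages -f` output against the RottenSys package
names quoted in the article. Added example; the sample output is constructed."""
import re
from dataclasses import dataclass

# Package names exactly as listed in the Check Point write-up quoted above.
ROTTENSYS_PACKAGES = (
    "android.yellowcalendarz",
    "changmi.launcher",
    "android.services.securewifi",
    "system.service.zdsgt",
)

# Constructed sample of `pm list packages -f` output: "package:<apk path>=<package name>".
SAMPLE_PM_OUTPUT = """\
package:/system/app/Calendar/Calendar.apk=com.android.calendar
package:/system/priv-app/SecureWifi/SecureWifi.apk=com.android.services.securewifi
package:/data/app/com.example.game-1/base.apk=com.example.game
package:/system/app/zdsgt/zdsgt.apk=com.system.service.zdsgt
package:/data/app/com.changmi.launcher-2/base.apk=com.changmi.launcher
"""


@dataclass
class Finding:
    package: str
    apk_path: str
    preinstalled: bool  # True when the APK lives on the read-only system image

    def removal_command(self) -> str:
        # A pre-installed (system-partition) app cannot be removed with a plain
        # uninstall; `pm uninstall -k --user 0` removes it for the primary user.
        if self.preinstalled:
            return f"adb shell pm uninstall -k --user 0 {self.package}"
        return f"adb uninstall {self.package}"


_LINE = re.compile(r"^package:(?P<path>.+?)=(?P<pkg>[\w.]+)$")


def find_rottensys(pm_output: str, indicators=ROTTENSYS_PACKAGES) -> list[Finding]:
    """Return one Finding per installed package whose name matches an indicator."""
    findings = []
    for line in pm_output.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        pkg, path = m["pkg"], m["path"]
        # The article lists names without the usual `com.` prefix, so match on
        # the suffix: both `changmi.launcher` and `com.changmi.launcher` hit.
        if any(pkg == ind or pkg.endswith("." + ind) for ind in indicators):
            preinstalled = path.startswith(("/system/", "/vendor/", "/product/", "/oem/"))
            findings.append(Finding(pkg, path, preinstalled))
    return findings


if __name__ == "__main__":
    for f in find_rottensys(SAMPLE_PM_OUTPUT):
        kind = "preinstalled" if f.preinstalled else "user-installed"
        print(f"{f.package:40} {kind:15} -> {f.removal_command()}")
```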

Source: THN

“Fakeapp” Android Malware Steals Facebook Credentials

This new Android malware steals Facebook data directly from the device

Facebook is no stranger to scams and malicious software spreading on its platform. Thanks to its large user base, the popular social networking site has always been a favorite of cybercriminals and hackers.

In a newly identified scam detected by security company Symantec, a malware strain dubbed ‘Android.Fakeapp’ phishes for Facebook login credentials directly on the targeted devices. Once the Facebook credentials are obtained, the malware logs into the account and collects account information and search results using the Facebook mobile app’s search functionality.

According to the researchers, the Fakeapp malware is currently distributed through malicious apps to English-speaking users on third-party app stores.

How does the Fakeapp malware work?

Once installed, the apps carrying the Fakeapp malware immediately hide from the phone’s home screen, leaving only a service running in the background. From installation onward, the malware proceeds step by step to steal details from a Facebook user’s account:

  • It checks for a target Facebook account by submitting the International Mobile Equipment Identity (IMEI) to the command and control (C&C) server.
  • If no account can be collected, it verifies that the app is installed on the device.
  • It then launches a spoofed Facebook login user interface (UI) to steal user credentials.
  • It periodically displays this login UI until credentials are successfully collected.

Besides sending the collected Facebook login credentials to the attacker’s server, the Fakeapp malware also immediately uses them to log into the compromised Facebook account. Once logged in, it can collect a wide variety of information on education, work, contacts, bio, family, relationships, events, groups, likes, posts, pages, and so on.

“The functionality that crawls the Facebook page has a surprising level of sophistication,” say Martin Zhang and Shaun Aimoto, the two Symantec researchers who analyzed Fakeapp.

“The crawler has the ability to use the search functionality on Facebook and collect the results. Additionally, to harvest information that is shown using dynamic web techniques, the crawler will scroll the page and pull content via Ajax calls,” Symantec explained.

To stay safe, Facebook users are advised to keep their software up to date and to avoid installing applications from unknown sources. Only download apps from trusted sources.

Source: Symantec, Bleeping Computer

New Versatile Android Malware Will Destroy Your Smartphone

Loapi: This malware is capable of destroying Android smartphones

Security researchers from cybersecurity firm Kaspersky Lab have discovered a new strain of malware that targets Android smartphones and is capable of a plethora of malicious activities, from mining cryptocurrencies to launching Distributed Denial of Service (DDoS) attacks and much more.

The new Android Trojan, dubbed “Loapi”, has a complex modular architecture capable of so many simultaneous attacks that it can cause the battery to bulge and destroy the device within two days. According to the researchers, the cybercriminals behind this malware are the same group responsible for the 2015 Android malware Podec.

Kaspersky Lab researchers have called Loapi a “jack of all trades” and unlike any malware they had seen before. The malware installs modules for advertisement, SMS, web crawling, proxy and a module for mining Monero.

“Loapi is an interesting representative from the world of malicious Android apps. Its creators have implemented almost the entire spectrum of techniques for attacking devices: the Trojan can subscribe users to paid services, send SMS messages to any number, generate traffic and make money from showing advertisements, use the computing power of a device to mine cryptocurrencies, as well as perform a variety of actions on the internet on behalf of the user/device. The only thing missing is user espionage, but the modular architecture of this Trojan means it’s possible to add this sort of functionality at any time,” warn the security researchers.

According to researchers, Loapi is distributed through third-party app stores and online advertisements, usually hiding behind apps posing as “popular antivirus solutions and even a famous porn site.”

After the malicious files are downloaded and installed, Loapi asks for device administrator permissions in a loop until the user agrees. The malware also checks whether the device is rooted, but it does not use root privileges. After acquiring admin privileges, it performs various activities and aggressively fights any attempt by the user to revoke device administrator permissions: the user is spammed with an endless stream of popups until they give in or delete the application.

The malware communicates with module-specific command and control (C&C) servers. Its modules include one that displays continuous ads and videos, a Monero cryptocurrency miner, and one that allows attackers to send HTTP requests from the victim’s device. Researchers suggest the latter can be used to organize DDoS attacks against specified resources.

To get rid of Loapi, users need to boot into safe mode. Otherwise, Loapi-infected apps repeatedly close the Settings window so that users cannot deactivate admin privileges. The process for booting into Safe Mode differs from one smartphone model to another.

To analyze a Loapi sample, the researchers ran a test on an Android smartphone. The device was completely destroyed after two days of testing. They noted, “Because of the constant load caused by the mining module and generated traffic, the battery bulged and deformed the phone cover.”

Fortunately, Loapi has not made it onto the official Google Play Store, which means that users who download from the official app store are not affected by the malware. However, users are advised to stay vigilant.

Source: The Hacker News , CSO

7 Worst Cyberattacks in Recent History

Malware and hacking tactics are becoming more advanced, and users need to be prepared against attack

It’s one thing to click the wrong link and accidentally download some annoying adware onto your personal device. It’s another thing to watch as hospitals, train stations, nuclear power plants, and private businesses fall victim to a devastating cyber attack that obliterates their networks and decimates their data.

While the viruses and worms of the ‘90s and early ‘00s might be memorable, the malware of the past few years has been unbelievably destructive. Because the internet is everywhere these days, hackers are finding it easier than ever to spread malicious software and gain access to highly sensitive information. If you need more proof that recent cyber attacks are some of the worst in history, the following devastating attacks should be evidence enough.

WannaCry

While a spate of similar malware programs has spread in its wake, WannaCry is certainly the most talked-about attack this year. Using an exploit developed by none other than the U.S. National Security Agency, WannaCry was able to infiltrate computer networks running outdated operating systems, taking them and their data hostage. As a result, more than 230,000 machines in more than 150 countries fell victim to the attack, including dozens of hospitals and care centers in the U.K., a train system in Germany, and a telecommunications provider in Spain. Fortunately, most home users can stay safe from WannaCry by installing software updates as soon as they are released and by running strong internet security software.

Shamoon or Disttrack

A computer virus that targeted devices linked to the energy sector, Shamoon was developed in 2012 by a hacker group known as “Cutting Swords of Justice.” The group’s goal was to destabilize Saudi Aramco, an energy giant in the Middle East – and it was somewhat successful. More than 30,000 workstations were hit by the virus, which prevented machines from connecting to the web and communicating with each other. Qatar’s RasGas Company and LNG Company were also affected, though it is unknown whether they were additional targets of the attack.

Operation Olympic Games or Stuxnet

At the end of President Bush’s administration, the U.S. government attempted to disrupt and sabotage Iranian nuclear facilities with a concentrated cyberattack. Working with Israel, the U.S. developed a worm, named Stuxnet, that could take command of devices and use them to control the machinery connected to them. Stuxnet was ruthless in its attack, incapacitating over 1,000 centrifuges in just one Iranian nuclear plant. It is a powerful digital weapon, and security experts believe it is being traded in black hat hacker circles – which means the most physically damaging cyber attack is likely on the horizon.

Operation Shady RAT

As you read this, a cyber attack is being waged. In 2008, a cybersecurity professional uncovered a series of similar attacks, which he dubbed Operation Shady RAT, launched against government institutions and private agencies in 14 different countries. Though investigations have yet to determine the source of the extensive campaign, many analysts believe the operation is sponsored by the Chinese government.

Titan Rain

In the early 2000s, American computer systems experienced an onslaught of epic proportions. Contractors working with the Department of Defense, including dozens of private businesses such as Lockheed Martin and Redstone Arsenal, lost an inordinate amount of sensitive information to attackers, who most security professionals believe were working for China. The attacks continued for three full years before cybersecurity received enough funding to build proper digital defenses. The British Ministry of Defence endured similar attacks, though on a smaller scale.

OpIsrael

Beginning on Holocaust Remembrance Day in 2013, a series of cyber attacks coordinated by anti-Israeli groups and individuals began taking down Israeli websites. The hacks ranged from annoying defacements to disruptive database hijacking and devastating leaks. Unfortunately, the attack debilitated schools, newspapers, small businesses, nonprofit groups, and banks – many of which were not Israeli in origin, effectively working counter to the attackers’ main goal of showing discontent with Israel.

July 2009 Cyberattacks

Though they still lack a flashy name, these attacks launched against South Korea and the U.S. affected more than 100,000 computers. The attackers appear to have targeted government websites, including those of the South Korean National Assembly, the White House, and the Pentagon, as well as a handful of media outlets. To this day, the source and intention of the attacks are unknown, though many experts believe the North Korean telecommunications ministry is to blame.


Google found an Android App made by Israel to spy on phone calls, text messages

Google discovers an Israel made Android App which can snoop on your phone calls, text messages and spy on you

Google has recently revealed that it has unearthed new spyware that can track calls, messages and internet history, and spy on people through their smartphones’ camera and microphone – making it possibly the most dangerous smartphone malware ever made.

Made by an Israeli Company

Security researchers at Google and Lookout have come across spyware, christened Chrysaor, that can spy on users by hijacking their smartphones’ camera and microphone, as well as track calls, messages, internet history and more. The spyware appears to be linked to Pegasus, a program known to have targeted iPhone users in 2016. Pegasus was developed by the Israeli firm NSO Group Technologies.

Google and Lookout announced their discoveries last week. The app is not available on the Google Play store, yet it has been detected on 36 devices, mainly in Israel, followed by Georgia, Mexico, Turkey, Kenya and others. NSO Group Technologies has been accused of developing smartphone hacking software and selling it to spy agencies all across the world, as it did with Pegasus.

“To install Chrysaor, we believe an attacker coaxed specifically targeted individuals to download the malicious software onto their device,” said Google.
“Once Chrysaor is installed, a remote operator is able to surveil the victim’s activities on the device and within the vicinity, leveraging microphone, camera, data collection, and logging and tracking application activities on communication apps such as phone and SMS.”

Reason it has stayed hidden

Chrysaor has also been found to have a self-destruct mode. “If it feels like it’s going to be found, it removes itself,” said Lookout mobile security researcher Michael Flossman. This may explain why it took researchers so long to detect the malware. It could also mean that the spyware has been around for much longer than Pegasus and could have infected many more than the 36 devices currently known. Lookout and Google acknowledged that although the samples date from 2014, there was evidence the spyware was still running on some victims’ Android phones when it was discovered in the last few months.

Though the probability that your smartphone is infected with such malware is very small, it is still recommended to stay cautious. Do not install software from sources you don’t know, and always update your phone with the latest security patches.

Source: Ynet

Hackers Can Hack Your Computer If It Has Blinking LED Lights

Hackers can steal your information from a PC’s blinking LED

Researchers at Ben-Gurion University of the Negev, Israel, have found a way to leak data from isolated “air-gapped” computers through the blinking hard disk drive (HDD) LED found on most desktops, laptops and servers, reading it with a camera mounted on a drone. On February 22, 2016, the team released a YouTube video showing the ‘hack’ in action.

“Air-gapped” computers are isolated – separated both logically and physically from public networks – ostensibly so that they cannot be hacked over the Internet or within company networks.

Malware on the isolated computer takes control of the HDD LED and forces it to blink up to 6,000 times a second, sending a signal containing data to a camera mounted on a drone near the targeted computer.

“Sensitive information can be encoded and leaked over the LED signals, which can then be received remotely by different kinds of cameras and light sensors,” the team, led by Dr Mordechai Guri, head of R&D at the Cyber Security Research Centre, said in its paper.

“We show how the malware can indirectly control the status of the LED, turning it on and off for a specified amount of time, by invoking hard drive’s ‘read’ and ‘write’ operations,” the paper continued.

“Our method is unique in two respects: it is covert and fast.”

The LED control method, which makes it possible to steal data from isolated computers while raising minimal suspicion, was devised by researchers at the Cyber Security Research Center at Ben-Gurion University of the Negev (BGU).

“The LED is always blinking as it’s doing searching and indexing, so no one suspects, even in the night. It’s very covert, actually,” Guri said.

In a demonstration video, a drone with a camera is flown up several storeys outside an office building until it locates the blinking HDD LED. Once in line of sight of the LED, it records the blinks and thereby captures the data.

According to the researchers, the data can be transferred at a rate of up to 4,000 bits per second with a specialized Siemens photodiode sensor on the drone. Alternatively, the blinking can be recorded by a camera and deciphered later.

The LED can be forced to blink at up to 6,000 blinks per second, a rate the human eye cannot perceive but light sensors potentially can read.

The paper explained what a theoretical attack would look like once infection had taken place. The team wrote: “The malware gathers sensitive information from the user’s computer, e.g., keystrokes, password, encryption keys, and documents.

“Eventually it starts transmitting the binary data through the blinking HDD LED using a selected encoding scheme. A hidden video camera films the activity in the room, including the LED signals. The attacker can then decode the signals and reconstruct the modulated data.”

It added: “We examined the physical characteristics of HDD LEDs […] and tested remote cameras, extreme cameras, security cameras, smartphone cameras, drone cameras, and optical sensors. Our results show that it is feasible to use this optical channel to efficiently leak [data].”

“It’s possible for the attacker to do such fast blinking that a human never sees it,” Guri noted.

The researchers found they could read the signal from 20 meters away from outside a building. That range could be even longer with an optical zoom lens.

“The fact that headphones, earphones and speakers are physically built like microphones and that an audio port’s role in the PC can be reprogrammed from output to input creates a vulnerability that can be abused by hackers,” says Prof. Yuval Elovici, director of the BGU Cyber Security Research Center (CSRC) and member of BGU’s Department of Information Systems Engineering.

Of course, the technique depends on the computer being infected prior to the transmission, which can be accomplished using a USB stick or SD card.

While this type of attack is novel and hard to detect, it has one obvious countermeasure: the computer’s LEDs can simply be covered with black tape. Staff access to such air-gapped computers can also be restricted, and all forms of video cameras banned near the computer.

Source: Wired

The Locky and Zepto Evolving Threats – Advanced Forms of Ransomware

Locky and Zepto, The Two Deadly Ransomware

Martin Beltov

Two of the most widespread and devastating ransomware variants have emerged this year – Locky and Zepto, notorious malware that has plagued computer users and business owners worldwide. Both threats are extremely dangerous and use all the popular distribution methods. Fortunately, Zepto removal instructions have recently been released.

The situation with Locky is quite different – this ransomware has shown that it can evolve and change. In fact, cyber security experts no longer speak of Locky as a single type but as a whole family of related threats spread across the world. The most recent discovery is that Locky now infects through DLL files. This feature is known to the expert community as “The Locky Trick”, because the ransomware hides its signature and makes itself harder to detect for antivirus and anti-spyware software.

Locky Troubles

Locky has grown to become one of the most widespread and devastating ransomware strains of the last year. The threat was identified in February 2016 by leading security vendors and experts, and it has been used successfully against individual users, companies, and even government institutions. This malware uses a strong encryption method that renders all brute-force decryption attempts useless.

Notable Locky targets so far include world-leading universities, major hospitals across all continents, government facilities and large corporations. Campaigns against individual users tend to be automated, while the most sophisticated attacks are set up against bigger targets.

The ransomware is spread mainly through spam email messages. Most of the campaigns analyzed so far share the same content and structure. The Locky executable is sent either as an attachment or via a malicious message. Phishing attacks carrying the malware are becoming more common as the criminals use various social engineering schemes to fool the user into downloading and executing the file. The malicious attachments often contain infected Microsoft Office documents (Word documents and Excel spreadsheets) with obfuscated Visual Basic Script macros; when the user runs them, the Locky infection is activated.

The mechanism of action follows this generic pattern:

  1. The Locky binary is copied to the %TEMP% location and renamed as exe, mimicking the Windows system process to avoid user detection. The file then removes several flags from its properties to bypass the “File Downloaded from the Internet” notification.
  2. The binary sets up other defense mechanisms such as renaming its binary files and supplements (depending on the strain).
  3. Registry entries are added to the victim host to restart the encryption process in case of a restart or shutdown of the computer.
  4. Locky deletes all local Volume Shadow Copies to prevent data restoration.
  5. The remote C&C servers are contacted and the infection is reported.
  6. The encryption process is started. A unique set of keys is used for each infected host. This means that manual decryption without the private key is impossible.
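Steps 1, 3 and 4 above leave traces in endpoint process telemetry. The detection pass below is an added example, not the author's, run over constructed Sysmon-style process-creation events; it assumes the shadow copies are removed through `vssadmin delete shadows` or `wmic shadowcopy delete` and the restart persistence is a `reg add` to a Run key, details the article does not state.

```python
"""Flag the Locky sequence (binary in %TEMP%, Run-key persistence, shadow copy
deletion) in process-creation events. Added example; events are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    evidence: str


# Constructed sample events (simplified Sysmon process-creation fields), not real telemetry.
TEMP = r"C:\Users\bob\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcessEvent("ws-17", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\WINWORD.EXE", '"WINWORD.EXE" invoice_2016.docm'),
    # Step 1: the Office macro drops a binary into %TEMP% and runs it.
    ProcessEvent("ws-17", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                 TEMP + r"\update.exe", TEMP + r"\update.exe"),
    # Step 3: restart persistence through a Run key (assumed mechanism).
    ProcessEvent("ws-17", TEMP + r"\update.exe", r"C:\Windows\System32\reg.exe",
                 r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v update /t REG_SZ /d "'
                 + TEMP + r'\update.exe" /f'),
    # Step 4: shadow copies wiped so the victim cannot roll back (assumed command).
    ProcessEvent("ws-17", TEMP + r"\update.exe", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe Delete Shadows /All /Quiet"),
    # Benign administration on another host: listing shadows and a non-Run registry write.
    ProcessEvent("ws-02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin list shadows"),
    ProcessEvent("ws-02", r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\reg.exe",
                 r"reg add HKLM\Software\ExampleVendor /v InstallDir /t REG_SZ /d C:\Vendor /f"),
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
TEMP_EXE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\[^\\]+\.exe$", re.I)
SHADOW_DELETE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)
RUN_KEY_ADD = re.compile(r"\breg(\.exe)?\s+add\s+\S*\\CurrentVersion\\Run(Once)?\b", re.I)


def detect(events) -> list[Alert]:
    """Apply the per-event rules, then correlate per host into a ransomware-chain alert."""
    alerts: list[Alert] = []
    rules_by_host: dict[str, set[str]] = defaultdict(set)

    def hit(rule: str, ev: ProcessEvent, evidence: str) -> None:
        alerts.append(Alert(rule, ev.host, evidence))
        rules_by_host[ev.host].add(rule)

    for ev in events:
        if TEMP_EXE.search(ev.image):
            parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
            hit("office_dropped_temp_exe" if parent in OFFICE_APPS else "exe_from_temp", ev, ev.image)
        if SHADOW_DELETE.search(ev.command_line):
            hit("shadow_copy_deletion", ev, ev.command_line)
        if RUN_KEY_ADD.search(ev.command_line):
            hit("run_key_persistence", ev, ev.command_line)

    # Each rule alone is noisy; a %TEMP% binary plus shadow-copy deletion on the
    # same host reproduces the Locky sequence described in the steps above.
    for host, rules in rules_by_host.items():
        if "shadow_copy_deletion" in rules and rules & {"exe_from_temp", "office_dropped_temp_exe"}:
            alerts.append(Alert("ransomware_chain", host, ", ".join(sorted(rules))))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.evidence}")
```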

Locky encrypts 164 of the most commonly used file extensions across 11 categories such as Microsoft Office documents, media files, archives and image files. The encrypted files are renamed with the .locky extension, and a ransom note named “_Locky_recover_instructions.txt” is created in every folder containing an affected file. Ransom instructions are also generated as a BMP file that is set as the wallpaper. The ransomware works on all connected drives, including removable storage and RAM disks.

The ransom payment website is located on the Tor network, and the criminals expect the fee to be paid in Bitcoin. Depending on the strain and the encrypted files, the decryptor may cost the victim different amounts; the usual minimum, however, is at least 0.5 Bitcoin.

Locky has spawned a whole family of related ransomware that are spread across the Web. Some of them use the malware’s name or add other letters or combinations. Security experts have even warned computer users that there are counterfeit Locky variants that impersonate its behavior.

Unfortunately, there is no public decryptor available for Locky. As the ransomware deletes the Volume Shadow Copies on the victim computer, a safe backup of all sensitive data is currently the only way to restore access to the user’s files.

Enter Zepto

Zepto is another widespread ransomware that is in fact a variant of Locky. Most Zepto attacks are carried out through spam emails containing the malicious binary. The malware itself is activated by JavaScript code placed inside the malicious executable. The encryption process is hidden from the user’s view, which is extremely dangerous: the ransomware gives no indication of its presence, and victims are only alerted once encryption has completed.

Like Locky, Zepto adds a registry entry on Microsoft Windows systems to ensure that it runs automatically at system start. Zepto follows Locky’s behaviour in its infection and encryption technique. The files are renamed with the .zepto extension and, like Locky, it deletes all Volume Shadow Copies on the victim machine.

As Zepto is a variant of Locky and uses the same ciphers and techniques, there is no public decryptor available yet.

Major Zepto attacks were carried out against individual users and companies in June this year.

Locky and Zepto Are Part of Every Hacker Arsenal

The Locky and Zepto ransomware have spawned numerous discussions and analyses by both security vendors and their customers. Their popularity has prompted the criminal developers to include them in exploit kits and to add new features with even more damage potential.

The newer Locky variants can infect users through DLL files, which makes them harder to detect for security software. Custom packers, layers of encryption and other methods are also among the favorite mechanisms that malicious actors use against their targets.

Security researchers estimate that total ransomware damages amounted to 209 million US dollars in the first half of 2016. Cybersecurity incidents, ransomware attacks in particular, have become one of the leading causes of financial losses for many companies and organizations. Many recent vulnerabilities also allow malware such as Locky and Zepto to infiltrate target systems or even whole networks.

In August, one of the biggest security breaches occurred at Banner Health, a leading healthcare institution; 3.7 million customers were affected by the intrusion. The security analysis revealed that the majority of hospitals often do not encrypt their sensitive data – patient files, clinical research, financial documents and other critical information.

Ransomware can produce collateral damage on infected machines, including modification of system configuration, permission changes, spying on users and even locking them out of their computers. As ransomware distribution methods continue to expand, so does the danger of contracting a new strain of Locky or Zepto.

Martin Beltov graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast, he enjoys writing about the latest threats and mechanisms of intrusion.


Security breach at Oracle, POS clients affected

Oracle hacked; POS clients affected

Cyber hackers breach Oracle’s MICROS payments division

MICROS Systems, an Oracle-owned division that is one of the world’s top three point-of-sale (POS) vendors, has been hacked by a Russian organized cybercrime group known for breaking into banks and retailers, reports KrebsOnSecurity, a security news site. “Sources close to the investigation” told Brian Krebs that the intrusion extended to as many as 700 other computers.

Confirming the breach to Krebs, Oracle said that it had “detected and addressed malicious code in certain legacy MICROS systems,” and is advising its customers to reset usernames and passwords for the MICROS online support portal. MICROS systems are credit card processing terminals used by banks, hotels, restaurants, and hundreds of thousands of other businesses.

The breach is rumoured to have been carried out by the same hacking group that stole $1 billion from banks and retailers in 2015.

While it is not known what the hackers’ goal was, there are signs it may have been theft. According to Krebs’s source, the MICROS customer service portals were seen communicating with a server owned by the Carbanak Gang, a Russian cybercrime group that digitally stole $1 billion from U.S. and Middle Eastern banks.

It is not known when the attackers first gained access to Oracle’s systems. KrebsOnSecurity first began investigating the incident on July 25, 2016, after receiving an email from an Oracle MICROS customer and reader who reported hearing about a possibly large breach at Oracle’s retail division.

“I do not know to what extent other than they discovered it last week,” said the reader, who agreed to be quoted here in exchange for anonymity. “Out of an abundance of caution they informed us and seem to have indicated the incident was isolated to Oracle staff members and not customers like us. In addition, this notice was to serve to customers the reason for any delays in customer support and service as they were refreshing/re-imaging employees’ computers.”

According to Krebs’ sources, the attack started with a single infected system that was then used to compromise others. From there, “intruders placed malicious code on the MICROS support portal, and that malware allowed the attackers to steal MICROS customer usernames and passwords when customers logged in to the support website.” Worst-case scenarios would involve malware being uploaded to customers’ POS terminals, which could be used to skim the card details of millions of customers. Currently, MICROS devices are deployed at over 330,000 sites across 180 countries.

The point-of-sale systems operated by dozens of retailers, hotels, and other types of merchants have been hit by a spate of breaches over the past few years. Two well-known names to be hit are Target and Home Depot. Malware installed on cash registers is used by attackers to remotely capture payment card data when customers make purchases; that data can then be used or sold to the highest bidder.

Raspberry Pi was offered money for installing malware on their computers

Raspberry Pi was offered money to infect millions through their mini computers

Liz Upton from the Raspberry Pi Foundation made a shocking revelation: someone had offered cash to pre-install malware on the insanely popular Raspberry Pi mini-computer before the units were shipped out.

The Foundation’s director of communications, Liz Upton, published an image of an email from a “business officer” called Linda, who promised a “price per install” for a suspicious executable file. However, the name of the company Linda represented was not disclosed.

“Amazing. This person seems to be very sincerely offering us money to install malware on your machines,” said Liz.

Certainly, “Linda” is unlikely to be the sender’s real name, and the unforeseen success of the Raspberry Pi has brought the Foundation into the limelight. It wouldn’t be wrong to say Linda’s approach wasn’t exactly professional. However, the offer seems genuine, and it throws light on the dark world of paid-for malware distribution.

This situation once again raises the question regarding the necessity of hardware validation. The prospect that a persistent attacker installs malicious implants and software onto consumer devices is a serious threat.

Sometimes there are people willing to pay to distribute malware, and sometimes a developer directly inserts unauthorized code into their own software. In the majority of cases, however, the malware is served by a third party with the intent of compromising end customers’ devices.

The Raspberry Pi Foundation declined Linda’s offer and described her company as “evildoers.” The offer does not come as a surprise at all, considering the estimated $70 million that torrent piracy sites are raking in from serving malware to free media seekers.

To date, the Raspberry Pi Foundation has sold over 5 million units of its affordable DIY computer, and the number is still rising.

Microsoft leads FBI and Interpol Coalition to destroy millions of Botnets

Microsoft, FBI and Interpol team up to bust the Dorkbot botnet

Microsoft helped the FBI and other agencies dismantle massive botnets whose infected machines numbered in the millions

Before we start, some of you may want to ask “What is a botnet?”. Whenever malicious code is installed on a remote victim by way of phishing or by exploiting software vulnerabilities, the victim’s machine becomes a “zombie”. A collection of such zombies under common control is called a botnet.

Discovered in 2011, the Win32/Dorkbot malware has spread to over a million Windows PCs worldwide. During the last six months alone it had been infecting over 100,000 machines a month. Microsoft announced on Wednesday that it had teamed up with partners to enact a coordinated malware eradication campaign to disrupt the botnet.

The malware has been spread via a number of routes, including USB drives, IM clients, social networks, email and drive-by downloads. Its primary aim was to steal online user credentials and any information that can personally identify you. It is also able to install yet more malware on your PC from its command and control servers.

In order to take down Win32/Dorkbot, Microsoft worked with a number of organizations including ESET, Department of Homeland Security, Europol, FBI and Interpol. The take-down joins a long list of ongoing successful efforts to disrupt malware networks.

Whilst not much was given away on the actual specifics of the dismantling technique used, we do know it’s based on Microsoft’s established Coordinated Malware Eradication (CME) initiative. The CME program aims to coordinate information exchange and response across key sectors, with the goals of prosecute, starve, identify & block, shun and set policies. Microsoft strategically cooperates with a diverse set of businesses and institutions, each with its own role to play in the operation.

  • Security vendors: By sharing detection methods, malware behavior, and unpacking techniques, vendors can more quickly identify and block the malware families as they appear on network-connected endpoints and servers.
  • Financial institutions, online search, and advertising businesses: With better fraudulent behaviour identification, these organizations can starve malware authors of their ill-gotten gains.
  • CERTs and ISPs: Armed with vetted lists, CERTs and ISPs can block and take down deployment sites and command and control servers.
  • Law enforcement: Using correlated evidence, law enforcement can prosecute the people and organizations behind the malware.

Microsoft’s own real-time security software, such as Windows Defender, is equipped to remove this threat automatically. Advice on how to avoid becoming infected remains very much the same.

  • Be cautious when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developers’ own.
  • Run antimalware software regularly.

Microsoft also provides additional tools that can scan for and remove this family of malware: Microsoft Safety Scanner and the Malicious Software Removal Tool.

Keep checking back with us for updates and practical tips to stay safe online.