Viruses and Worms

Turla APT Revamps One of Its Go-To Spy Tools

VirusList.com - 26 May 2020 - 17:28
An updated version of the ComRAT malware was discovered in attacks on governmental targets.
Category: Viruses and Worms

Docker Desktop danger discovered, patch now

Sophos Naked Security - 26 May 2020 - 16:56
Docker has fixed a vulnerability that could have allowed an attacker to gain control of a Windows system using its service.

Unmanned drones to slash NHS delivery times to one-fifth of road 'n' rail transport

The Register - Anti-Virus - 26 May 2020 - 16:41
Scottish trial will courier PPE and COVID-19 tests to remote hospital

Remote-control drones are to be used to deliver coronavirus testing kits to a remote Scottish hospital – and they're being flown outside of the operators' direct line of sight.…

Category: Viruses and Worms

eBay users spot the online auction house port-scanning their PCs. Um... is that OK?

The Register - Anti-Virus - 26 May 2020 - 14:39
Fraud is a big issue for etailer, but there are privacy and consent concerns too

Updated: Users visiting eBay have spotted that the website runs port scans against their computer, using the localhost address to inspect what may be running on your machine.…

Category: Viruses and Worms

New iOS Jailbreak Tool Works on iPhone Models iOS 11 to iOS 13.5

VirusList.com - 26 May 2020 - 14:10
Latest version of UnC0ver uses unpatched zero-day exploit to take complete control of devices, even those running iOS 13.5.
Category: Viruses and Worms

Galaxy S20 security is already old hat as Samsung launches new safety silicon

The Register - Anti-Virus - 26 May 2020 - 12:32
Passport-grade chippery to help mobile devices prove their identity

Samsung will launch a new standalone turnkey security chip to protect mobile devices, the company announced today.…

Category: Viruses and Worms

Spam and phishing in Q1 2020

Kaspersky Securelist - 26 May 2020 - 12:00

Quarterly highlights

Don’t get burned

Burning Man is one of the most eagerly awaited events among fans of spectacular performance and installation art. The main obstacle to attending is the price of admission: a standard ticket will set you back $475, the number is limited, and the buying process is a challenge all by itself (there are several stages, registration data must be entered at a specific time, and if something goes wrong you might not get a second chance). Therefore, half-price fake tickets make for excellent bait.

Scammers tried to make their website as close as possible to the original — even the page with the ticket description looked genuine.

There were just three major differences from the original: only the main page and the ticket purchase section were actually operational, tickets were “sold” without prior registration, and the price was a steal ($225 versus $475).

Oscar-winning scammers

February 2020 saw the 92nd Academy Awards ceremony. Even before the big night, websites were popping up offering free viewings of all the nominated films. Fraudsters targeted users eager to see the short-listed movies before the presentation of the awards.

To promote these sites, Twitter accounts were created — one for each nominated film.

Curious users were invited to visit the resource, where they were shown the first few minutes before being asked to register to continue watching.

During registration, the victim was prompted to enter their bank card details, allegedly to confirm their region of residence. Unsurprisingly, a short while later a certain amount of money disappeared from their account, and the movie did not resume.

Users should be alert to the use of short links in posts on social networks. Scammers often use them because it’s impossible to see where a shortened URL points without actually following it.

There are special services that let you check what lies behind such links, often with an additional bonus in the form of a verdict on the safety of the website content. It is important to do a proper check on links from untrusted sources.

ID for hire

US companies that leak customer data can be heavily fined by the Federal Trade Commission (FTC). For example, in 2019 Facebook was slapped with a $5 billion penalty; however, users whose data got stolen do not receive any compensation. This is what scammers decided to exploit by sending a fake e-mail offering compensation from the non-existent Personal Data Protection Fund, created by the equally fictitious US Trading Commission.

Inspired by the idea of services for checking accounts for leaks, the cybercriminals decided to create their own. Visitors were invited to check whether their account details had been stolen, and if so (the answer was “yes” even if the input was gibberish), they were promised compensation “for the leakage of personal data.”

To receive “compensation,” the victim’s citizenship was of no consequence — what mattered was their first name, last name, phone number, and social network accounts. For extra authenticity, a warning message about the serious consequences of using other people’s data to claim compensation popped up obsessively on the page.

To receive the payment, US citizens were asked to enter their Social Security Number (SSN). Everyone else had to check the box next to the words “I’am don’t have SSN” (the mistakes are a good indicator of a fake), whereupon they were invited to “rent” an SSN for $9. Interestingly, even if the user already had an SSN, they were still pestered to get another one.

After that, the potential victim was redirected to a payment page with the amount and currency based on the user’s location. For instance, users in Russia were asked to pay in rubles.

The scam deployed the conventional scheme (especially common in the Runet) of asking the victim to pay a small commission or down payment for the promise of something much bigger. In Q1, 14,725,643 attempts to redirect users to such websites were blocked.

Disaster and pandemic

Fires in Australia

The natural disaster that hit the Australian continent was another get-rich opportunity for scammers. For example, one “Nigerian prince”-style e-mail scam reported that a millionaire dying of cancer was ready to donate her money to save the Australian forests. The victim was asked to help withdraw the funds from the dying woman’s account by paying a fee or making a small contribution to pay for the services of a lawyer, for which they would be rewarded handsomely at a later date.

Besides the fictional millionaire, other “nature lovers” were keen to help out — their e-mails were more concise, but the scheme was essentially the same.

COVID-19 “Nigerian prince” scheme

COVID-19 was (and continues to be) a boon to scammers: non-existent philanthropists and dying millionaires are popping up everywhere offering rewards for help to withdraw funds supposedly for humanitarian purposes. Some recipients were even invited to help finance the production of a miracle vaccine, or take part in a charity lottery, the proceeds of which, it was said, would be distributed to poor people affected by the pandemic.

Bitcoin for coronavirus

Having introduced themselves as members of a healthcare organization, the scammers appealed to the victim to transfer a certain sum to the Bitcoin wallet specified in the message. The donation would allegedly go toward fighting the coronavirus outbreak and developing a vaccine, as well as helping victims of the pandemic.

In one e-mail, the attackers played on people’s fear of contracting COVID-19: the message was from an unnamed “neighbor” claiming to be dying from the virus and threatening to infect the recipient unless the latter paid a ransom (which, it was said, would help provide a comfortable old age for the ransomer’s parents).

Dangerous advice from the WHO

One fraudulent mailing disguised as a WHO newsletter offered tips about staying safe from COVID-19.

To get the information, the recipient had to click a link pointing to a fake WHO website. The design was so close to the original that only the URL gave away the scam. The cybercriminals were after login credentials for accounts on the official WHO site. Whereas in the first mailings only a username and password were asked for, in later ones a phone number was also requested.

In addition, we detected several e-mails supposedly from the WHO containing documents with malware. The recipient was asked to open the attachment (in DOC or PDF format), which allegedly offered coronavirus prevention advice. For example, this message contained Backdoor.Win32.Androm.tvmf:

There were other, less elaborate mailings with harmful attachments, including ones containing Trojan-Spy.Win32.Noon.gen:

Corporate segment

The coronavirus topic was also exploited in attacks on the corporate sector. For example, COVID-19 was cited in fraudulent e-mails as a reason for delayed shipments or the need to reorder. The authors marked the e-mails as urgent and demanded that the attached files be checked immediately.

Another mailing prompted recipients to check whether their company was in a list of firms whose activities were suspended due to the pandemic. It then asked for a form to be filled out, failing which the company could supposedly be shut down. Both the list of companies and the form were allegedly in the archives attached to the message. In actual fact, the attachments contained Trojan-PSW.MSIL.Agensla.a:

We also registered a phishing attack on corporate users. On a fake page, visitors were invited to monitor the coronavirus situation across the world using a special resource, for which the username and password of the victim’s corporate mail account were required.

Government compensation

The introduction of measures to counter the pandemic put many people in a difficult financial situation. Forced downtime in many industries has had a negative impact on financial well-being. In this climate, websites offering compensation from the government pose a particular danger.

One such popular scheme was highlighted by a colleague of ours from Brazil. WhatsApp messages about financial or food assistance were sent that appeared to come from a supermarket, bank, or government department. To receive the aid, the victim had to fill out the attached form and share the message with a certain number of contacts. After the form was filled out, the data was sent to the cybercriminals, while the victim got redirected to a page with advertising, a phishing site, a site offering a paid SMS subscription, or similar.

Given that the number of fake sites offering government handouts seems likely only to increase, we urge caution when it comes to promises of compensation or material assistance.

Anti-coronavirus protection with home delivery

Due to the pandemic, demand for antiseptics and antiviral agents has spiked. We registered a large number of mailings with offers to buy antibacterial masks.

In Latin America, WhatsApp mass messages were used to invite people to take part in a prize draw for hand sanitizer products from the brewing company Ambev. The company has indeed started making antiseptics and hand gel, but exclusively for public hospitals, so the giveaway was evidently the work of fraudsters.

The number of fake sites offering folk remedies for the treatment of coronavirus, drugs to strengthen the immune system, and non-contact thermometers and test kits has also risen sharply. Most of the products on offer have no kind of certification whatsoever.

On average, the daily share of e-mails mentioning COVID-19 in Q1 amounted to around 6% of all junk traffic. More than 50% of coronavirus-related spam was in the English language. We anticipate that the number of phishing sites and pandemic-related scams will only increase, and that cybercriminals will use new attack schemes and strategies.

Statistics: spam

Proportion of spam in mail traffic

Proportion of spam in global mail traffic, Q4 2019 – Q1 2020 (download)

In Q1 2020, the largest share of spam was recorded in January (55.76%). The average percentage of spam in global mail traffic was 54.61%, down 1.58 p.p. against the previous reporting period.

Proportion of spam in Runet mail traffic, Q4 2019 – Q1 2020 (download)

In Q1, the share of spam in Runet traffic (the Russian segment of the Internet) likewise peaked in January (52.08%). At the same time, the average indicator, as in Q4 2019, remains slightly lower than the global average (by 3.20 p.p.).

Sources of spam by country

Sources of spam by country, Q1 2020 (download)

In Q1 2020, Russia led the TOP 5 countries by amount of outgoing spam. It accounted for 20.74% of all junk traffic. In second place came the US (9.64%), followed by Germany (9.41%) just 0.23 p.p. behind. Fourth place went to France (6.29%) and fifth to China (5.22%), which is usually a TOP 3 spam source.

Brazil (3.56%) and the Netherlands (3.38%) took sixth and seventh positions, respectively, followed by Vietnam (2.55%), with Spain (2.34%) and Poland (2.21%) close on its heels in ninth and tenth.

Spam e-mail size

Spam e-mail size, Q4 2019 – Q1 2020 (download)

Compared to Q4 2019, the share of very small e-mails (up to 2 KB) in Q1 2020 fell by more than 6 p.p. and amounted to 59.90%. The proportion of e-mails sized 5–10 KB grew slightly (by 0.72 p.p.) against the previous quarter to 5.56%.

Meanwhile, the share of 10-20 KB e-mails climbed by 3.32 p.p. to 6.36%. The number of large e-mails (100–200 KB) also posted growth (+2.70 p.p.). Their slice in Q1 2020 was 4.50%.

Malicious attachments in e-mail

Number of Mail Anti-Virus triggerings, Q4 2019 – Q1 2020 (download)

In Q1 2020, our security solutions detected a total of 49,562,670 malicious e-mail attachments, which is almost identical to the figure for the last reporting period (there were just 314,862 more malicious attachments detected in Q4 2019).

TOP 10 malicious attachments in mail traffic, Q1 2020 (download)

In Q1, first place in terms of prevalence in mail traffic went to Trojan.Win32.Agentb.gen (12.35%), followed by Exploit.MSOffice.CVE-2017-11882.gen (7.94%) in second and Worm.Win32.WBVB.vam (4.19%) in third.

TOP 10 malicious families in mail traffic, Q1 2020 (download)

As regards malware families, the most widespread this quarter was Trojan.Win32.Agentb (12.51%), with Exploit.MSOffice.CVE-2017-11882 (7.98%), whose members exploit a vulnerability in Microsoft Equation Editor, in second place and Worm.Win32.wbvb (4.65%) in third.

Countries targeted by malicious mailshots

Distribution of Mail Anti-Virus triggerings by country, Q1 2020 (download)

First place by number of Mail Anti-Virus triggerings in Q1 2020 was claimed by Spain. This country accounted for 9.66% of all users of Kaspersky security solutions who encountered e-mail malware worldwide. Second place went to Germany (8.53%), and Russia (6.26%) took bronze.

Statistics: phishing

In Q1 2020, the Anti-Phishing system prevented 119,115,577 attempts to redirect users to scam websites. The percentage of unique attacked users was 8.80% of the total number of users of Kaspersky products in the world.

Attack geography

The country with the largest proportion of users attacked by phishers, not for the first time, was Venezuela (20.53%).

Geography of phishing attacks, Q1 2020 (download)

In second place, by a margin of 5.58 p.p., was Brazil (14.95%), another country that is no stranger to the TOP 3. Next came Australia (13.71%), trailing by just 1.24 p.p.

Country      %*
Venezuela    20.53%
Brazil       14.95%
Australia    13.71%
Portugal     12.98%
Algeria      12.12%
France       11.71%
Honduras     11.62%
Greece       11.58%
Myanmar      11.54%
Tunisia      11.53%

* Share of users on whose computers Anti-Phishing was triggered out of all Kaspersky users in the country

Organizations under attack

The rating of attacks by phishers on different categories of organizations is based on detections by the Anti-Phishing component of Kaspersky products. This component detects pages with phishing content that the user gets redirected to. It does not matter whether the redirect is the result of clicking a link in a phishing e-mail or in a message on a social network, or the result of malicious program activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.

The largest share of phishing attacks in Q1 2020 fell to the Online Stores category (18.12%). Second place went to Global Internet Portals (16.44%), while Social Networks (13.07%) came in third.

Distribution of organizations affected by phishing attacks by category, Q1 2020 (download)

As for the Banks category, a TOP 3 veteran, this time it placed fourth with 10.95%.

Conclusion

Glancing at the results of Q1 2020, we anticipate that the COVID-19 topic will continue to be actively used by cybercriminals for the foreseeable future. To attract potential victims, the pandemic will be mentioned even on “standard” fake pages and in spam mailings.

The topic is also used extensively in fraudulent schemes offering compensation and material assistance.

It is highly likely that this type of fraud will become more frequent.

The average share of spam in global mail traffic (54.61%) this quarter decreased by 1.58 p.p. against the previous reporting period, while the number of attempted redirects totaled nearly 120 million.

Top of this quarter’s list of spam-source countries is Russia, with a share of 20.74%. Our security solutions blocked 49,562,670 malicious mail attachments, while the most common mail-based malware family, with a 12.35% share of mail traffic, was Trojan.Win32.Agentb.gen.

You can't stop progress

VIRY.CZ - 26 May 2020 - 11:26

In this article I talk about the evolution of ransomware, the kind of malware that encrypts photos, documents and other files and then demands that the user pay a ransom of up to several hundred thousand CZK to get them back. Newer specimens, however, do even nastier things!

Ransomware has come a really long way. Originally it was dumb malware that merely blocked access to Windows with a full-screen message (it could be "shot down" from Windows safe mode). The whole thing posed as a police notice informing you that you had committed a string of made-up crimes: copyright infringement, distributing child pornography, supporting terrorism, spreading malicious programs, using illegal software, payment-card abuse, sending spam, ... All in the "design" of the given country's criminal investigation authorities. Ideally the authenticity was reinforced with your own portrait, if the malware had managed to take control of the webcam. Simply the style of "The police know everything and you don't stand a chance!". With the Czech Police you could then pay an "indulgence" of several thousand CZK and so avoid criminal prosecution, higher fines and jail. The year 2012 thus went down in history with a new term, the "Police virus".

The president must not be missing

Ransomware "helps"

The era of "police viruses" also produced some amusing situations: there were individuals who fell for the authenticity of the attack so completely that they went straight to the police to turn themselves in, because they really were committing some of the made-up crimes! That much is fact, whereas the story of someone going to pay the "indulgence" directly at a police station reached me more in the style of "an old wives' tale"...

Let's start encrypting

After the era of "police viruses", which could be removed from Windows without consequences, came ransomware that uses encryption. That is the scenario we know today: the malware encrypts documents, photos and other valuable files and demands payment of a "ransom" in Bitcoin to restore them to a usable state. There was evolution here too. At the start, encryption always used the same key that the ransomware carried with it, or a set of several encryption keys; after analysing the malware it was therefore possible to build a decryptor and avoid the ransom. Later, the best of both the symmetric and the asymmetric encryption worlds came into use. Today it is thus almost impossible to decrypt the files (without contacting the attackers), and the attacker often holds all the victims in their grip, possibly even with a single master key. If decryption without a ransom is possible, it is only for one of two reasons: a technical error (the malware left the key behind on the victim's machine, ...) or the attackers have already raked in enough money and deliberately published the keys.

These days you won't come across specimens this marketing-savvy any more. Here complete with the option to decrypt one file for free and a discount for a quick purchase.

Only cowards back up

Until recently attackers bet on the rule above and relied on the absence of backups. The situation is apparently changing, though, and there are evidently fewer and fewer "cowards", since there is no other way to explain why some ransomware "families" now demand a ransom twice: not just for restoring the data after encryption, but a second ransom for not publishing the stolen data on the internet! Before the encryption process itself, the malware secretly exfiltrates perhaps even several tens of GB of data (files). Simply: pay up and we won't publish it!

If a company backs up and restores the encrypted files from its backups, it effectively avoids paying the first ransom. But what impact will it have when the company's know-how is published openly on the internet, which can be avoided only by paying the second ransom?

The first such case occurred at the end of 2019 in connection with the Maze ransomware. More, for example, here. Similar behaviour has since been adopted by ransomware from the REvil / Sodinokibi, Nemty, BitPyLock, Ako and Snake families.

Technical tricks

The tricks need not be merely "philosophical" in nature. For example, some ransomware families try to spread aggressively across the local network too, via system shares (typically the C$ share, ideally with domain administrator rights). The Ryuk malware perfected this by also sending a "Wake on LAN" signal over the network, which lets it wake some sleeping devices and encrypt those too.
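As an added defender-side example (not code from the original post), the following Python parses the Wake-on-LAN magic-packet format and reports senders that are not on an allow-list of hosts expected to wake machines; the datagrams, IP addresses and MAC addresses are constructed samples.

```python
# Wake-on-LAN magic packet: 6 bytes of 0xFF followed by the 6-byte target MAC
# repeated 16 times (102 bytes); a 4- or 6-byte SecureOn password may trail it.
MAGIC_LEN = 102


def parse_magic_packet(payload):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload is a magic packet, else None."""
    if len(payload) < MAGIC_LEN or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:MAGIC_LEN] != mac * 16:   # every one of the 16 copies must match
        return None
    return ":".join(f"{b:02x}" for b in mac)


def build_magic_packet(mac_str):
    """Build a magic packet for a MAC string; used here only to construct sample traffic."""
    mac = bytes(int(octet, 16) for octet in mac_str.split(":"))
    return b"\xff" * 6 + mac * 16


# Constructed sample of UDP datagrams as (source IP, destination port, payload).
# Assumption: 192.0.2.10 is the site's legitimate management server,
# 192.0.2.77 is an ordinary workstation that should never send WoL.
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", 9, build_magic_packet("00:11:22:33:44:55")),
    ("192.0.2.77", 9, build_magic_packet("00:11:22:33:44:66")),
    ("192.0.2.77", 9, build_magic_packet("00:11:22:33:44:67")),
    ("192.0.2.77", 9, build_magic_packet("00:11:22:33:44:66")),  # duplicate wake
    ("192.0.2.77", 9, b"\xff" * 6 + bytes(range(96))),           # FF header, not a magic packet
    ("192.0.2.77", 9, b"hello"),                                  # unrelated traffic
]


def find_suspicious_wol(datagrams, allowed_senders):
    """Group magic packets by sender and return the senders that are not allowed,
    together with the distinct MACs each one tried to wake. A single workstation
    waking several machines is the pattern the post attributes to Ryuk."""
    per_sender = {}
    for src, _dport, payload in datagrams:
        mac = parse_magic_packet(payload)
        if mac is None:
            continue
        per_sender.setdefault(src, set()).add(mac)
    return {src: sorted(macs) for src, macs in per_sender.items()
            if src not in allowed_senders}


if __name__ == "__main__":
    for sender, macs in find_suspicious_wol(SAMPLE_DATAGRAMS, {"192.0.2.10"}).items():
        print(f"unexpected WoL sender {sender} woke {len(macs)} hosts: {', '.join(macs)}")
```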

The Ragnar ransomware uses legitimate applications to do its damage, which can limit the effectiveness of those components of antivirus solutions that try to detect anomalies in system behaviour. If the anomalous actions are carried out through legitimate, widespread applications with a high reputation, detection effectiveness drops (the antivirus is more "tolerant"). Here Ragnar rolled out the heavy artillery straight away. Once it gets into the computer, it installs the Oracle VirtualBox virtualization tool and inside it a miniature Windows XP "image", from which the encryption is performed. Before it starts that process, however, it uses a batch file to map all of the computer's physical disks into the Windows XP virtual machine. More information can be found at https://www.bleepingcomputer.com/news/security/ransomware-encrypts-from-virtual-machines-to-evade-antivirus/.

Next time, something more cheerful

The post You can't stop progress appeared first on VIRY.CZ.

Category: Viruses and Worms

Contact-tracing app may become a permanent fixture in major Chinese city

The Register - Anti-Virus - 26 May 2020 - 08:02
Hangzhou wants a 'health and immunity firewall'

One of China's major tech hubs is planning to make a health and movement tracking system developed to fight the COVID-19 epidemic a permanent fixture in daily life.…

Category: Viruses and Worms

ThreatList: People Know Reusing Passwords Is Dumb, But Still Do It

VirusList.com - 25 May 2020 - 15:00
Even seeing data breaches in the news, more than half of consumers are still reusing passwords.
Category: Viruses and Worms

70 Percent of Mobile, Desktop Apps Contain Open-Source Bugs

VirusList.com - 25 May 2020 - 15:00
A lack of awareness about where and how open-source libraries are being used is problematic, researchers say.
Category: Viruses and Worms

What is the dark web? Your questions answered, in plain English

Sophos Naked Security - 25 May 2020 - 12:06
Watch this new video from our YouTube channel - the dark web explained without jargon or judgment.

Aggressive in-app advertising in Android

Kaspersky Securelist - 25 May 2020 - 12:00

Recently, we’ve been noticing ever more dubious advertising libraries in popular apps on Google Play. The monetization methods used in such SDKs can pose a threat to users, yet they pull in more revenue for developers than whitelisted ad modules due to the greater number of views. In this post we will look into a few examples of suspicious-looking ad modules that we discovered in popular apps earlier this year.

One of the applications we researched was a popular app that allows users to ask questions anonymously. Integrated into the code of an earlier version of the app was the module com.haskfm.h5mob. Its task was to show intrusive advertising (in breach of the Google Play rules) when the user unlocked the phone.

Code for displaying ads when the screen is unlocked

In other words, the module can show ads whether the app is running or not. The ad can simply pop up on the main screen all on its own, causing a nuisance for the user. We passed our findings to the app developers, who promptly removed com.haskfm.h5mob. However, this module remains interesting from a technical point of view.

In this app, the module connects to C&C servers, whose addresses are encrypted in the app code, in order to receive advertising offers.

Decrypting the C&C addresses

The C&C response contains the display parameters and the platforms used to receive ads.

{"status":1, "msg":"Success", "data":{"rqect":0, "ldfr":1, "tifr":1, "appintset":43200000, "swpa":1, "ssjp":1, "tcap":86400000, "ctoftime":3600000, "jtslist":[{"domain":"app.appsflyer.com","format":"&android_id={android_id}&advertising_id={gaid}"}, {"domain":"app.adjust.com","format":"&android_id={android_id}&gps_adid={gaid}"}, {"domain":"app.adjust.io","format":"&android_id={android_id}&gps_adid={gaid}"}, ……

The most interesting parameter here is appintset, which specifies the delay before displaying the first ad after installation of the app. In our example, it was set to 43.2 million milliseconds, or 12 hours. This delay makes it much harder for the user to find the culprit for all the ads that suddenly appear on the screen. Also, this technique is frequently used by cybercriminals to trick automatic protection mechanisms, such as sandboxes in app stores. The main parameters are followed by an extensive list of addresses of advertising providers with request parameters for receiving offers.
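To show how an analyst can triage a configuration of this shape, here is an added Python example (not code from the post or from the module): it parses a constructed C&C response modelled on the fields quoted above, converts the appintset delay into a readable form, flags it when it exceeds an assumed one-hour analysis window, and lists which device identifiers each jtslist provider is sent.

```python
import json
import re

# Constructed sample modelled on the fields of the C&C response quoted above;
# the real response is truncated in the post, so the values here are illustrative.
SAMPLE_RESPONSE = json.dumps({
    "status": 1, "msg": "Success",
    "data": {
        "rqect": 0, "ldfr": 1, "tifr": 1,
        "appintset": 43200000,   # delay before the first ad after install, in ms
        "swpa": 1, "ssjp": 1,
        "tcap": 86400000,        # other timing parameters, in ms
        "ctoftime": 3600000,
        "jtslist": [
            {"domain": "app.appsflyer.com",
             "format": "&android_id={android_id}&advertising_id={gaid}"},
            {"domain": "app.adjust.com",
             "format": "&android_id={android_id}&gps_adid={gaid}"},
        ],
    },
})

# Assumed threshold (not from the post): a first-ad delay longer than a typical
# automated analysis run is worth flagging as possible sandbox evasion.
SANDBOX_EVASION_THRESHOLD_MS = 60 * 60 * 1000

# Matches the {android_id}-style placeholders in a provider's request format.
PLACEHOLDER = re.compile(r"\{([a-z_]+)\}")


def ms_to_human(ms):
    """Render a millisecond delay as 'Xh YYm' for the analyst."""
    minutes, _seconds = divmod(ms // 1000, 60)
    hours, minutes = divmod(minutes, 60)
    return f"{hours}h {minutes:02d}m"


def analyse_config(raw):
    """Parse a C&C response and summarise its timing and tracking behaviour."""
    cfg = json.loads(raw)
    if cfg.get("status") != 1 or not isinstance(cfg.get("data"), dict):
        raise ValueError("unexpected C&C response shape")
    data = cfg["data"]
    delay = int(data.get("appintset", 0))
    report = {
        "first_ad_delay_ms": delay,
        "first_ad_delay": ms_to_human(delay),
        "possible_sandbox_evasion": delay > SANDBOX_EVASION_THRESHOLD_MS,
        "providers": [],
    }
    for entry in data.get("jtslist", []):
        # Which device identifiers the module hands to each provider.
        ids = sorted(set(PLACEHOLDER.findall(entry.get("format", ""))))
        report["providers"].append({"domain": entry["domain"], "identifiers": ids})
    return report


if __name__ == "__main__":
    print(json.dumps(analyse_config(SAMPLE_RESPONSE), indent=2))
```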

Earlier we detected a similar ad module in apps without a payload. For example, the code in the app com.android.ggtoolkit_tw_xd, which we detect as not-a-virus:AdWare.AndroidOS.Magic.a, contains the same features and is managed from the same C&C as the com.haskfm.h5mob module. However, this adware app has no graphical interface to speak of, is not displayed in the device’s app menu, and serves only to display intrusive ads as described above. It looks something like this (video adware_in-app_video.mp4 in the original post).

While the creators of the application described in the first example promptly removed the ad module, as mentioned above, not all Android developers are so conscientious. For example, the Cut – CutOut & Photo Background Editor app does not hesitate to treat users to a half-screen ad as soon as the smartphone is unlocked, regardless of whether the app is running or not.

Likewise the Fast Cleaner — Speed Booster & Cleaner app.

In both apps, the library com.vision.lib handles the display of advertising.

Display of advertising

At the time of writing this article, the developers of both apps had not responded to our requests.

Note, however, that adware is not always about greed. Often, app developers are not versed in advertising SDKs and lack the necessary skills to test an integrated advertising library, and therefore may not fully understand what they are adding to their code. The danger for users here is that a dubious library could unexpectedly make its way into an app as part of a rank-and-file update. And it becomes extremely difficult to figure out which of a dozen recently updated apps is the source of intrusive advertising.

IOCs

MD5

1eeda6306a2b12f78902a1bc0b7a7961 – com.android.ggtoolkit_tw_xd
134283b8efedc3d7244ba1b3a52e4a92  – com.xprodev.cutcam
3aba867b8b91c17531e58a9054657e10 – com.powerd.cleaner

C&C

ti.domainforlite[.]com/st/hg
uu.domainforlite[.]com

Pre-authentication, remote root hole in call-center software? Thanks, Cisco. Just what a long weekend needs

The Register - Anti-Virus - 25 May 2020 - 11:31
This and more bits and bytes from infosec world

Roundup: It's once again time to catch up on the latest happenings from the world of infosec.…

Category: Viruses and Worms

Monday review – the hot 16 stories of the week

Sophos Naked Security - 25 May 2020 - 11:04
From virtual machine ransomware to changes in Signal secure messaging - and everything in between. It's your weekly roundup time.