Thursday, July 23, 2015

Trojan Porn-Clicker Infests Android Apps for Hundreds of Thousands of Downloads

by:  Tara Seals US/North America News Reporter, Infosecurity Magazine

A fake Dubsmash application, which is actually a porn clicker Trojan, has been uploaded to the Google Play Store—again.

According to ESET, this same piece of malware has been uploaded to the app store at least nine times in the form of various fake Dubsmash apps, resulting in tens of thousands of installs. ESET also found another 51 Trojan porn clickers: four of them had more than 10,000 installs and one had more than 50,000. Download Manager, Pou 2, Clash of Clans 2, Subway surfers 2, Subway surfers 3, Minecraft 3, Hay Day 2, and various game cheats and video downloaders carry the same Trojan clicker. The malicious apps pose as arcade games like Flappy Birds Family, board games or system applications, and don't add an app icon to the home screen, which makes them harder for the victim to notice and uninstall.
So let’s do the math: That means 60 different Trojan clicker applications have been available from Google Play—which together were downloaded at least 210,000 times in the last three months. Google has removed the apps, but it’s likely only a matter of time before more are uploaded: The apps are managing to evade Google’s Bouncer malware filter.

“Even though the malicious applications were available for download for at most a week, tens of thousands of people still installed them,” ESET said in a blog post. “Hopefully, Google is doing its best to fix this issue and find a way to prevent the developers of these porn clickers from publishing them to the Play Store. To reduce the risk from malicious apps that may have slipped through Google’s filtering, we advise Play Store customers to take careful note of reviews by other customers, and to ensure that their security software is kept up to date.”

Source

Thursday, July 22, 2010

How Attackers Use Social Networks for Command and Control Operations

In August 2009, Arbor Networks researcher Jose Nazario uncovered a botnet using Twitter as a command and control mechanism. Since then, other examples of attackers taking advantage of Web 2.0 sites have continued to sporadically pop up.

The tactic remains quite rare, but there are a number of reasons why attackers may increasingly look to such sites for hosting purposes.

"Attackers are taking advantage of the ability with these social networking platforms to hide their activities in plain sight," a spokesperson for EMC's RSA security division told eWEEK. "Because of the millions of social networking users, cyber-criminals can simply blend their illegal activities and content and get lost in the crowd. And they can do so using encryption to cover their tracks."

In a lengthy analysis, RSA's FraudAction Research Lab examined how attackers used an unidentified social networking site to send commands to a Brazilian banker Trojan.

According to RSA, this is how it worked:

1. The cybercriminal behind the crimeware set up a bogus profile under the name of "Ana Maria", and entered the crimeware's encrypted configuration settings as text uploaded to the profile.
2. After infecting a user's machine, and installing itself on it, the malware searched the profile for the string EIOWJE (underlined in the above screenshot). The string signified the starting point of the malware's configuration instructions.
3. All the encrypted commands following the EIOWJE string were decrypted by the malware and executed on the infected computer.

The method described above "allows the cyber-criminal to issue encrypted commands without renting a dedicated, bulletproof server or registering a domain for the malware's communication points," RSA researchers noted in the blog post.
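The three steps RSA describes (a marker string in a public profile, an encrypted blob after it, decryption on the infected host) amount to a dead-drop resolver, and the same structure tells a defender what to look for. The following Python is an added example written for this page, not RSA's code and not the Trojan's: the profile text, the commands, and the repeating-key XOR standing in for the Trojan's undisclosed cipher are all constructed assumptions. Only the marker string EIOWJE comes from the RSA write-up. The first half shows the operator and bot sides; `suspicious_blobs` shows a platform-side check that flags long base64 runs in free-text fields which do not decode to readable text.

```python
import base64
import re
from typing import List, Optional

# Marker string named in the RSA write-up; the config follows it in the profile text.
MARKER = "EIOWJE"

# RSA does not say which cipher the Trojan used. A repeating-key XOR stands in
# for it here so the example runs offline (assumption, not RSA's finding).
KEY = b"anamaria"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_config(commands: List[str], key: bytes = KEY) -> str:
    """Operator side: one command per line, encrypted, then base64 so the
    result survives a free-text profile field."""
    plain = "\n".join(commands).encode()
    return base64.b64encode(xor_bytes(plain, key)).decode()


def build_profile(commands: List[str]) -> str:
    """Constructed stand-in for the bogus 'Ana Maria' profile page text."""
    return (
        "Ana Maria\n"
        "Sao Paulo, Brasil\n"
        "Sobre mim: adoro musica, praia e meus amigos!\n"
        f"{MARKER} {encode_config(commands)}\n"
        "Amigos: 12\n"
    )


def extract_commands(profile_text: str, key: bytes = KEY) -> Optional[List[str]]:
    """Infected-host side: find the marker, decrypt the blob after it, return
    the commands. Returns None when no valid config follows the marker, which
    is what the bot sees once the account is taken down or wiped."""
    idx = profile_text.find(MARKER)
    if idx < 0:
        return None
    m = re.match(r"\s*([A-Za-z0-9+/]+={0,2})", profile_text[idx + len(MARKER):])
    if not m:
        return None
    try:
        blob = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
        return None
    return xor_bytes(blob, key).decode(errors="replace").split("\n")


def looks_like_text(data: bytes) -> bool:
    """True when every byte is printable ASCII or tab/newline/CR."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def suspicious_blobs(text: str, min_len: int = 32) -> List[str]:
    """Defender side (platform operator or proxy-log review): flag long
    base64 runs in free-text fields that decode to something other than
    readable text. Long ordinary words are skipped because they fail strict
    base64 decoding (wrong length or padding)."""
    hits = []
    for tok in re.findall(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, text):
        try:
            data = base64.b64decode(tok, validate=True)
        except ValueError:
            continue
        if not looks_like_text(data):
            hits.append(tok)
    return hits


if __name__ == "__main__":
    # Constructed commands; the domain and IP are documentation placeholders.
    cmds = ["target=banco-exemplo.com.br", "redirect=203.0.113.10", "inject=login.html"]
    page = build_profile(cmds)
    print(page)
    print("bot decoded:", extract_commands(page))
    print("platform flagged:", suspicious_blobs(page))
```

The bot's traffic in this model is an ordinary HTTPS fetch of a profile page, so host-side detection has little to key on; the place where the content is visible in the clear is the platform itself, which is why the check above runs over profile text rather than over network captures.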

"We do see the trend continuing because social networks offer free and resilient platforms to host this information," the RSA spokesperson told eWEEK. "The postings themselves are difficult to detect ... on the part of the social networking operators and also difficult to detect from the user computer side. A user could have an infected computer as part of a botnet and their security monitoring software may still never detect any illicit activity.

"The infected PC would be communicating to an account that is hosted on a legitimate social network rather than with a botnet mother ship server," the spokesperson continued. "Even if that social network account gets taken down, it's still much faster and easier for the cyber-criminal to set up new accounts for free and evade detection of that account rather than having the botnet mother ship server end up on an IP address blacklist."

The good news for users is that, once such a command-and-control point is detected, removing it is relatively simple and quick: the platform operator only has to take down the account.

Source: http://blogs.eweek.com/

Dell Accidentally Sent out Malware-Riddled Motherboards

A hiccup at Dell’s service parts department saw a number of motherboards with malware-infected firmware go out the door to customers.

Like patients who enter the hospital for a simple tonsillectomy and end up leaving with pneumonia, it seems like customers seeking help from Dell’s service parts department may have made things worse for themselves, while trying to make things better. The company admits it may have sent out a number of motherboards with malware lurking within their firmware.

According to Dell itself, the infection affects only a “small number” of motherboards, which were sent out through service dispatches. The malware in question has shown up on the embedded server management firmware on the PowerEdge motherboards.

“To date we have received no customer reports related to data security,” a Dell representative said on the company’s own support forums. “Systems running non-Windows operating systems are not vulnerable to this malware and this issue is not present on motherboards shipped new with PowerEdge systems.”

Since all the boards were sent out through service dispatches, Dell apparently has a list of customer e-mails and will be contacting owners of potentially infected boards directly. Since the issue has been limited to the company’s enterprise-level PowerEdge servers, consumers have nothing to worry about.

Source: Nick Mokey - http://www.digitaltrends.com/

Rescuecom Releases 5 Tips to Detect Phishing

SYRACUSE, N.Y. - July 22, 2010 -- Phishing attacks threaten our Internet security and can be hard to detect. They can lead to identity theft, viruses, or the need for computer repair. To help protect your Internet security, RESCUECOM's computer repair experts offer five simple tips for detecting phishing attacks.

1.) Avoid Action - Phishing attacks work when you take action. An email that requests information or features clickable links may be an attack against your Internet security. Legitimate emails include cut-and-paste style links to help you avoid clicking. If there are only clickable links, the email is likely a phishing scam.

2.) Beware of Overly Technical Content - Phishers frequently include highly technical jargon in their emails to scare you into believing them. An email that discusses your Internet security in great detail, or sounds as if it was written by a computer repair technician, is probably a phishing attack. Legitimate businesses send out emails that can be read and understood by typical customers, not just computer repair specialists.

3.) Check the URLs - Phishing attacks violate your Internet security by providing links to apparently legitimate sites. Protect your Internet security by checking the URLs of all links. The URL is the address of a website, www.somebank.com for example. If you hover the cursor over a link in an email, the URL the link actually points to is shown in the status bar of your browser or mail client. Make sure that URL corresponds to what the link claims to be. Otherwise, your Internet security may be at risk.

4.) Read Carefully - Emails from legitimate businesses are screened carefully, so mistakes can be signs of phishing. Many of these mistakes are small - spelling "computer repair" as "computer rapair", for example - and hard to notice. Read carefully to protect your Internet security. A poorly written email is a sign of phishing.

5.) Verify - Many of us worry that phishing emails might be real. Overcome this fear by contacting the "sender" directly, by using an alternate web address or phone number. This will protect your Internet security, guard against viruses or the need for computer repair, and put your mind at ease. If you even suspect phishing, RESCUECOM's computer repair specialists remind you to never click on an unverified link.
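Tip 3 above asks the reader to compare where a link says it goes with where it actually goes. The Python below is an added example for this page, not RESCUECOM's, that automates that comparison over an HTML mail body using only the standard library. The sample message, the bank name `somebank.com` and the hosts it points at are constructed; the two-label `same_site` comparison is a deliberate simplification (a real filter would consult the public suffix list). It catches the three tricks a manual check most often misses: a look-alike host that merely starts with the real domain, a `user@host` prefix that makes the real domain appear in the URL while the browser connects elsewhere, and non-web schemes such as `javascript:`.

```python
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample: a phishing mail body posing as "somebank.com" (hypothetical).
SAMPLE_MAIL = """
<p>Dear customer, please verify your account within 24 hours:</p>
<a href="http://www.somebank.com.account-verify.example/login">www.somebank.com</a><br>
<a href="http://www.somebank.com@198.51.100.7/">https://www.somebank.com/secure</a><br>
<a href="https://www.somebank.com/help">Help centre</a><br>
<a href="javascript:void(0)">Unsubscribe</a>
"""

# Visible link text that itself looks like a URL or bare domain.
URL_LIKE = re.compile(r"^(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:/\S*)?$")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML mail body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_host(url: str) -> str:
    """Host the browser will actually connect to, lower-cased. urlsplit().hostname
    drops any 'user:pass@' prefix, so 'http://www.somebank.com@198.51.100.7/'
    yields '198.51.100.7', not the bank."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def same_site(host_a: str, host_b: str) -> bool:
    """Naive same-site test on the last two labels (assumption; no public suffix list)."""
    return host_a.split(".")[-2:] == host_b.split(".")[-2:]


def flag_mismatched_links(html_body: str, claimed_domain: str) -> List[Tuple[str, str, str]]:
    """Return (visible text, href, reason) for each link that does not go where
    it claims, or that leaves the domain the message claims to come from."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        scheme = urlsplit(href).scheme.lower()
        if scheme not in ("http", "https", ""):
            findings.append((text, href, f"non-web scheme '{scheme}:'"))
            continue
        target = registrable_host(href)
        if URL_LIKE.match(text) and not same_site(registrable_host(text), target):
            findings.append((text, href,
                             f"text claims {registrable_host(text)} but link goes to {target}"))
        elif not same_site(target, claimed_domain.lower()):
            findings.append((text, href, f"link leaves {claimed_domain} for {target}"))
    return findings


if __name__ == "__main__":
    for text, href, reason in flag_mismatched_links(SAMPLE_MAIL, "somebank.com"):
        print(f"[{reason}] text={text!r} href={href!r}")
```

Running it on the sample flags three of the four links and leaves the genuine help-centre link alone; the second finding is the one worth remembering, because the real domain is visible in both the text and the href, yet the request goes to the IP address after the `@`.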

Phishing is a common Internet security threat. RESCUECOM's computer repair experts recommend screening emails carefully and following these tips to protect your Internet security.

Source: RESCUECOM

Windows left open to viruses?

Windows left open to viruses? / 150,000 PCs using old OS vulnerable as service period ends

With the recent expiration of Microsoft Corp.'s technical support for its Windows 2000 operating system, more than 150,000 computers running the system at local governments and corporations in Japan are exposed to computer virus infections, it has been learned.

The 10-year-long support period for Windows 2000 expired on July 13, but many local governments said they must continue to use the system because they lack funding for a replacement. However, using computers running on an OS whose technical support has been terminated means that users will be vulnerable to cyber-attacks. For instance, local governments could run the risk of having personal information about residents leaked on the Internet.

Experts have warned the public to take precautions against the problem. In fact, seven years ago, many computers were infected with computer viruses after the technical support for their operating systems expired.

"The day I feared has arrived," an official in charge of his city's computer system in the Kanto region said. The city has a population of about 30,000.

There are about 400 computers in the city office, with 60 of them equipped with Windows 2000. The official said it would cost about 150,000 yen each to replace the computers with ones that have the latest operating system. "I want to replace the computers [with Windows 2000] with new ones as soon as possible, but it is unlikely that money will be spent from the budget. IT matters are always dealt with last," he said.

"All I can do is to pray that the computers will not be exposed to cyber-attacks," he added.

A precision instrument maker listed on the Tokyo Stock Exchange's First Section has 280 servers and 12,000 terminals running Windows 2000 in its offices. The company said it gave up a plan to update the operating system after learning it would cost about 50 million yen to replace its existing equipment with new computers running newer versions of Windows.

The company said it instead spent 3 million yen on security software meant to protect the operating system for two years as a stopgap measure. An official in charge of the issue said, "We can't take a drastic measure to fix the problem unless the economy recovers."

Microsoft's Japanese subsidiary estimates that more than 150,000 computers running Windows 2000 remain in use in Japan. Such computers can still be used, but if they are hit by new cyber-attacks, Microsoft will, as a rule, no longer issue fixes for the vulnerabilities being exploited.

Thus, there is an increased risk of personal information being leaked on the Internet as a result of computer virus infections that may go unnoticed by the user, or that computers may be used as relay points to attack third parties.

Yoji Okuten, a senior official of Internet security company Fourteenforty Research Institute, said: "Many people have the wrong idea that the computer will be safe after installing antivirus software even if the operating system's support period has ended, but the antivirus software will not function as expected if the operating system used in a computer that runs such a program has a lot of loopholes."

According to Okuten, about 10 million computers worldwide have been infected with a computer virus named Blaster since it was first detected in August 2003. Computers with Windows NT were especially hard-hit because its support period had ended, Okuten said.

To make matters worse, the main users of Windows 2000 are local governments and companies, as the operating system was designed for business use and for servers of companies' main information systems.

If servers of local government are vulnerable to cyber-attacks, the danger of residents' personal information being leaked through the Internet increases.

The Information-Technology Promotion Agency, an independent administrative institution based in Tokyo, said: "Ideally, users should refrain from using Windows 2000. However, we hesitate to instruct companies and local governments to do so because it may obstruct their operations."

Yasuhira Ikeda, president of Shohisha Shiko Kenkyu-sho (Institute of consumer taste), who previously worked for a major consumer electronics maker, said: "Companies also need to take measures to address the problem, such as lowering the price of updating operating systems when the support period for the OS expires. Users need to be more alert to possible defects in the operating system they are using, and stop leaving problems to other people."

A spokesman for the Japanese subsidiary of Microsoft said: "It is impossible to provide support on operating systems forever, and we think a 10-year support period is appropriate. We'll urge users to update operating systems."

An operating system is the basic software that manages a computer's essential components, such as its hard disk, and provides a platform for running application software such as word processors and communications software.

Microsoft Windows series operating systems are often the target of cyber-attacks as the damage from one attack can spread widely because many people use the series on their computers.

Source: The Yomiuri Shimbun - Daily Yomiuri Online

Microsoft debuts beta of new Security Essentials

Microsoft released a beta of the new version of its Security Essentials antimalware software on Tuesday, sporting a few changes and enhancements.

Following version 1.0 of the free Security Essentials released in September, the folks in Redmond outfitted the 2.0 beta with an updated antimalware engine. The new engine is smarter at detecting and removing security threats and offers better performance, according to a Microsoft blog. The software also now integrates directly with Windows Firewall and gives users the option to turn the firewall on or off.

By integrating with Internet Explorer, the Security Essentials beta provides greater protection against Web-based threats, Microsoft said. It can also watch for attacks that come via a network, though this option is only available in Windows Vista and Windows 7. Users of Windows XP can't take advantage of this particular feature because XP lacks the necessary Windows Filtering Platform.

You can find and download the new beta at Microsoft's Connect page where you'll need to log in with a Windows Live account. You'll then be directed to the download page where you choose whether to grab the 32-bit or 64-bit version.

Microsoft has promised to keep the beta current with the latest virus and spyware definitions and also provide ongoing updates to the software itself. To receive the software updates, you'll need to subscribe to Microsoft Update and set your preferences to automatically download and install new updates, according to the company.

The beta is only for people in the U.S., Israel (English only), China (Simplified Chinese only) and Brazil (Brazilian Portuguese only). And it's available on a first-come, first-served basis, apparently just until a certain quota has been reached.

The initial release of Security Essentials garnered mostly positive feedback, faring well in a challenge by testing firm AV-Test and bringing home positive reviews from CNET and other tech sources.

Source: Lance Whitney - CNET News
