News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
July 30, 2014, 05:08:39
 81 
 on: June 23, 2014, 05:19:55  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

270 Domains (Etumbot, phishing, tds, fragus, redkit)
- http://www.malwaredomains.com/?p=3612
June 23rd, 2014 - "Added 161 domains on 6/18 and 106 domains on 6/22. Sources include app.webinspector.com, arbornetworks.com, safebrowsing.google.com and others..."


 82 
 on: June 20, 2014, 14:21:36  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

SYM14-011 - Symantec Encryption Desktop for OS X World-Writable Files Insecure File Handling
- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140620_00
June 20, 2014 - "Overview: Symantec’s Encryption Desktop for OS X installs some temporary files with world-writable attributes during installation. In a multi-user environment, a malicious user could manipulate these world-writable files to read and write files or create files with another user’s permissions...
Symantec Response: Symantec engineers verified these findings and have released an update in Symantec Encryption Desktop 10.3.2 maintenance pack 2 for OS X addressing the issue.
Update information: Customers may obtain Symantec Desktop Encryption maintenance updates through their normal Symantec support locations...
Best Practices: As part of normal best practices, Symantec strongly recommends:
- Restrict access to administration or management systems to privileged users.
- Disable remote access if not required or restrict it to trusted/authorized systems only.
- Where possible, limit exposure of application and web interfaces to trusted/internal networks only.
- Keep all operating systems and applications updated with the latest vendor patches.
- Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
- Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities..."

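As an added illustration (not part of the Symantec advisory or of this post), the check below walks a directory tree for the class of problem SYM14-011 describes, files left world-writable after an install, and clears the other-write bit on what it finds. The sample directory it builds is constructed here; the file names in it are hypothetical and nothing is taken from the real installer.

```python
import os
import stat
import tempfile


def world_writable_paths(root):
    """Return (path, mode, kind, sticky) for every file or directory under root
    whose permission bits let any local user write to it. Symlinks are skipped:
    their own mode bits are meaningless and the target is checked where it lives."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # raced with a delete or unreadable: nothing to report
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
                # a sticky world-writable dir (like /tmp) is a lesser problem:
                # users can only remove their own entries
                sticky = bool(st.st_mode & stat.S_ISVTX)
                hits.append((path, stat.S_IMODE(st.st_mode), kind, sticky))
    return hits


def remove_world_write(path):
    """Clear the other-write bit and return the new mode: the fix for an installer
    that left scratch files at 0666 or 0777."""
    mode = stat.S_IMODE(os.lstat(path).st_mode) & ~stat.S_IWOTH
    os.chmod(path, mode)
    return mode


def make_demo_tree():
    """Constructed sample (hypothetical names): an installer scratch directory with
    one 0666 temp file, one 0777 subdirectory and one correctly permissioned file.
    Returns the root directory."""
    root = tempfile.mkdtemp(prefix="enc_install_")
    bad_file = os.path.join(root, "install_scratch.tmp")
    bad_dir = os.path.join(root, "scratch")
    good_file = os.path.join(root, "manifest.txt")
    for p in (bad_file, good_file):
        with open(p, "w") as fh:
            fh.write("placeholder\n")
    os.mkdir(bad_dir)
    os.chmod(bad_file, 0o666)
    os.chmod(bad_dir, 0o777)
    os.chmod(good_file, 0o644)
    return root


if __name__ == "__main__":
    root = make_demo_tree()
    for path, mode, kind, sticky in world_writable_paths(root):
        print(f"{oct(mode)} {kind:4} sticky={sticky} {path}")
        remove_world_write(path)
    print("after fix:", world_writable_paths(root))
```

Run it against an installer's scratch area (or the whole of /tmp and /var/tmp) right after an install finishes; on a multi-user host, any non-sticky hit is a file another user could rewrite before the installer reads it back.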

 83 
 on: June 20, 2014, 03:16:39  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Password Protected Malware
- http://blogs.appriver.com/Blog/bid/103018/Password-Protected-Malware
Jun 18, 2014 - "... a small malware campaign started up claiming to be daily customer statements from “Berkeley Futures Limited” (real company, but messages are spoofed). The payload was an attached .zip file that was password protected. The password was displayed right in the original message body for the recipient though, which should be a red flag to users. A file will normally be encrypted when a password is used, making scanning inside an archive for malware not possible unless a user inputs the password on their computer to extract it. This can make filtering files like this tricky, but not impossible.
> http://blogs.appriver.com/Portals/53864/images/pwpzipmainemail-resized-600.PNG
The attached file contains 2 actual files inside. One is a .scr file and the other is a pdf file of a fake invoice. The first interesting thing was that the file had a .zip extension, but it was actually a Rar file (First few bytes are RAR! instead of PK for zip). This could have been on purpose as some attempt to avoid some scanner, or an accident when they created the archive. Rar malware is much less common than zip malware since zip files work natively on most systems... The -fake- Spreadsheet in the archive is the scr executable. The file shows a compile date of 5/25/2014 and has a VirusTotal score of 3/52 AV engines. Upon opening the file, it turns out it is a Trojan downloader and it reaches out to the internet (62.76.43.110; Russian IP) and downloads a 220kb “1.exe” file that had an Amazon logo for an icon. This file has the same compile date as above and a capture rate of 5/52 on VirusTotal. The AV engines classify it as a Zbot. When running this exe, it tries to reach out to another Russian IP but no connection could be established... The zbot is a common piece of malware we see due to its main purpose of being built to steal money, meaning it can be very profitable for the people behind malware campaigns. A good bit of advice with password protected zips is that if the password is in the email, that sort of defeats the whole reason of being secure and having a password. I would suggest people be cautious of any files from unknown senders but especially wary of password protected zips with the password in the body. Using a protected zip is a common way for malware authors to try and sneak through any malware filtering a company may be using. Currently we are blocking this malware with over 40,000 hits so far this morning."
(More detail and screenshots at the appriver URL above.)

62.76.43.110: https://www.virustotal.com/en/ip-address/62.76.43.110/information/
___

Spamvertised ‘Customer Daily Statement’ emails lead to malware
- http://www.webroot.com/blog/2014/06/20/spamvertised-customer-daily-statement-themed-emails-lead-malware/
June 20, 2014 - "... persistent spamvertising of tens of thousands of fake emails, for the purpose of socially engineering gullible end users into executing the malicious attachments found in the rogue emails. We’ve recently intercepted a currently circulating malicious campaign, impersonating Berkeley Futures Limited, tricking users into thinking that they’ve received a legitimate “Customer Daily Statement”.
More details: Sample screenshot of the spamvertised email:
> https://www.webroot.com/blog/wp-content/uploads/2014/06/Spamvertised_Malware_Malicious_Software_Social_Engineering_Customer_Daily_Statement_Berkley_Futures.png
Detection rate for a sampled malware: MD5: b05ae71f23148009c36c6ce0ed9b82a7 – detected by 29 out of 54 antivirus scanners* as Trojan-Ransom.Win32.Foreign.kxka
* https://www.virustotal.com/en/file/9e15df950e6d723f02c2b9d210750e70f36cd99bae861a434574a014c68542ee/analysis/
Once executed, the sample drops the following malicious MD5 on the affected hosts: MD5: ed54fca0b17b768b6a2086a50ac4cc90 **
** https://www.virustotal.com/en/file/fb117dbc8e74d1f94266a8ecf0a489a5d4c9e5b2fb79ce8ac0428bd7318f44c8/analysis/
It then phones back to the following C&C servers:
62.76.43.110
62.76.185.94

Related malicious MD5s known to have phoned back to the following C&C server (62.76.43.110):
MD5: c02e137963bea07656ab0786e7cc54de . Once executed, the dropped MD5: ed54fca0b17b768b6a2086a50ac4cc90 starts listening on port 35073.
also phones back to the following C&C servers:
62.76.185.94
23.62.99.40

Related malicious MD5s known to have phoned back to the following C&C server (23.62.99.40)..."

23.62.99.40: https://www.virustotal.com/en/ip-address/23.62.99.40/information/
___

Fake ACH/Bank form – PDF malware
- http://myonlinesecurity.co.uk/ach-bank-account-information-form-fake-pdf-malware/
20 June 2014 - "ACH – Bank account information form pretending to come from Bettye Cohen [Bettye.Cohen@ jpmchase .com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...
Email reads:
   Please find attached the business account forms 9814285.
    If you are unable to open the attached file, please reply to this email with a contact telephone number. The Finance Dept will be in touch in due course.
    Bettye_Cohen
    Chase Private Banking Level III Officer
    3 Times Square
    New York, NY 10036
    T. 212.804.3166
    F. 212.991.5185


20 June 2014: Important Chase Private Banking Forms.zip (93 kb)  Extracts to: Important Chase Private Banking Forms.scr
Current VirusTotal detections: 3/54* . This ACH – Bank account information form is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/b79abbe4b457e1c17139a56040a88d993c7a0f779584ca45be78b8c421085a24/analysis/
___

Fake Cloud Storage Mails lead to Pharmacy Sites
- http://blog.malwarebytes.org/fraud-scam/2014/06/fake-cloud-storage-mails-lead-to-canadian-pharmacy-sites/
June 20, 2014 - "We’re seeing a number of emails claiming that image files have been uploaded to the web, or have simply been damaged somehow. Here’s one claiming to be from “Box”, which as you may already know is a Cloud content management service:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/06/boxspam1.jpg
The large “View Images” button leads clickers to a Canadian pharmacy spam page:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/06/canadianpharma.jpg
We’ve seen a few others like the above but in those cases the final destination was already offline, so it’s hard to say exactly what they were trying to send people to. Here’s one stating that your files have been uploaded, this time from “Drive”. SkyDrive / OneDrive? Google Drive? I have no idea, but here it is anyway:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/06/drivespam.jpg
Don’t panic if confronted with mysterious messages about damaged files or uploads you know nothing about. It’s just a slice of spammy -clickbait- which can be safely ignored."
___

Lloyds/TSB – Phish...
- http://myonlinesecurity.co.uk/lloydstsb-important-update-notification-phishing/
20 June 2014 - "We all get frequent phishing emails pretending to come from a bank or other financial institution. Today's offering shouldn’t really fool anybody, but it will as usual, when you don’t check carefully the address the link sends you to in your browser address bar. Subject says:
Important Update Notification ... and pretends to come from LloydsTSB

Any customer of the bank knows that Lloyds and TSB have now split up and you either have Lloyds Bank or TSB Bank. Most of us still have a credit/debit card and cheque book that says LloydsTSB, but all communications from these banks have been Lloyds or TSB specific for some considerable time now. Email looks like:

Dear Valued Customer,
The update to our mobile banking app for iPhone and Android users is coming this summer.
We’ve made some big improvements, so it’s easier and quicker to use with enhanced security. You’ll need an up-to-date phone number so you can complete
device registration the first time you use it.
Please ensure your phone numbers are up to date today by checking your details now.
CHECK MY DETAILS NOW
Sincerely,
Lloyds Bank plc ...


If you follow the link you see a webpage looking -identical- to the genuine Lloyds bank log in site..."


 84 
 on: June 20, 2014, 03:14:18  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Microsoft Security Advisory 2960358
Update for Disabling RC4 in .NET TLS
- https://technet.microsoft.com/en-us/library/security/2960358
V1.1 (June 19, 2014): Added link to Microsoft Knowledge Base Article 2978675* under Known Issues in the Executive Summary.
* https://support.microsoft.com/kb/2978675
June 19, 2014 - Rev: 1.0


 85 
 on: June 19, 2014, 01:31:05  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

VMSA-2014-0006.2 - VMware product updates address OpenSSL security vulnerabilities
- http://www.vmware.com/security/advisories/VMSA-2014-0006.html
Updated on: 2014-06-17
CVE numbers: CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470
Relevant Releases:
Big Data Extensions prior to 2.0.0
ESXi 5.5 without patch ESXi550-201406401-SG
ESXi 5.1 without patch ESXi510-201406401-SG
Horizon Mirage Edge Gateway prior to 4.4.3
vCD prior to 5.5.1.2
vCenter prior to 5.5u1b
vCSA prior to 5.5u1b
Update Manager prior to 5.5u1b
VDDK prior to 5.0.4
VDDK prior to 5.1.3
VDDK prior to 5.5.2 ...


 86 
 on: June 19, 2014, 01:19:52  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Netflix – Phish...
- http://myonlinesecurity.co.uk/netflix-phishing/
19 June 2014 - "An email received with a subject saying Your Netflix Account Requires Validation that is -spoofed- to appear to come from NETFLIX [secure@ netflix .co.uk]. This is a new one on us. It is the first time I have seen a phish trying to get your Netflix login details. The site in the link looks at first glance to be genuine. But if you look carefully, you will see the genuine Netflix site is - https://www.netflix.com/Login?locale=en-GB
This -fake- phishing site is http ://netflix-user .com/<lots of random characters>/Login.htm

The urls are very similar and show how careful you must be to make sure that you are on a genuine site and why you should -never- respond to emails asking for log in details...
Dear Customer,
We recently failed to validate your payment information we hold on record for your account, therefore we need to ask you to complete a brief validation process in order to verify your billing and payment details. Click here to verify your account Failure to complete the validation process will result in a suspension of your netflix membership. We take every step needed to automatically validate our users, unfortunately in this case we were unable to verify your details. The process will only take a couple of minutes and will allow us to maintain our high standard of account security.
Netflix Support Team


If you follow the link you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2014/06/netflix_phishing-site.png ..."


 87 
 on: June 19, 2014, 00:50:49  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

237 domains added
- http://www.malwaredomains.com/?p=3609
June 17th, 2014 - "Added 237 domains from vrt-blog.snort.org, labs.sucuri.net, gist.github.com and others..."


 88 
 on: June 18, 2014, 04:24:32  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Asprox Botnet campaign spreads Court Dates and Malware
- http://www.fireeye.com/blog/technical/malware-research/2014/06/a-not-so-civic-duty-asprox-botnet-campaign-spreads-court-dates-and-malware.html
June 16, 2014 - "Executive Summary: FireEye Labs has been tracking a recent spike in malicious email detections that we attribute to a campaign that began in 2013. While malicious email campaigns are nothing new, this one is significant in that we are observing mass-targeting attackers adopting the malware evasion methods pioneered by the stealthier APT attackers. And this is certainly a high-volume business, with anywhere from a few hundred to ten thousand malicious emails sent daily – usually distributing between 50 and 500,000 emails per outbreak... In late 2013, malware labeled as Kuluoz, the specific spam component of the Asprox botnet, was discovered to be the main payload of what would become the first malicious email campaign. Since then, the threat actors have continuously tweaked the malware by changing its hardcoded strings, remote access commands, and encryption keys. Previously, Asprox malicious email campaigns targeted various industries in multiple countries and included a URL link in the body. The current version of Asprox includes a simple zipped email attachment that contains the malicious payload “exe”...
Overall Asprox Botnet tracking:
> http://www.fireeye.com/blog/wp-content/uploads/2014/06/fig5.png
... Conclusion: The data reveals that each of the Asprox botnet’s malicious email campaigns changes its method of luring victims and C2 domains, as well as the technical details on monthly intervals. And, with each new improvement, it becomes more difficult for traditional security methods to detect certain types of malware..."
(More detail at the fireeye URL above.)


 89 
 on: June 18, 2014, 02:41:30  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake Customer Daily Statement - XLS malware
- http://myonlinesecurity.co.uk/customer-daily-statement-fake-xls-malware/
18 June 2014 - "Customer Daily Statement pretending to come from Berkeley Futures Limited [trade@ bfl .co.uk] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers... This email has a zip attachment that requires you to use the password in the body of the email to open the zip file ( hopefully this will slow down & make you think and help protect you). The zip contains 2 files: what appears to be a genuine PDF statement and a file suggesting it is a Microsoft XLS (Excel) file which is in fact a renamed .exe malware. Email reads:

   Attached is your daily statement and payment request form for May 2014.
    Please fulfill payment request form and send it back. The attached zip archive is secured with personal password.
    Password: XL6Fs#
    Berkeley On-line and Berkeley Equities are trading names of Berkeley Futures Limited. Berkeley Futures Limited is authorised and regulated by the Financial Conduct Authority (Registered no. 114159) © 2012 Berkeley Futures Limited


18 June 2014: XCU01.zip : Extracts to   request_form_8943540512.xls.exe
Current VirusTotal detections: 3/54*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper xls file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/9e15df950e6d723f02c2b9d210750e70f36cd99bae861a434574a014c68542ee/analysis/1403073130/
___

Pinterest and Tumblr Accounts Compromised to Spread Diet Pill Spam
- http://www.symantec.com/connect/blogs/pinterest-and-tumblr-accounts-compromised-spread-diet-pill-spam
Updated: 18 Jun 2014 - "Over the weekend, a large number of Pinterest accounts were compromised and used to pin links to a miracle diet pill spam called Garcinia Cambogia Extract. Since most of the compromised accounts were linked to Twitter, these spam “pins” on Pinterest were also cross-posted to Twitter... The main reason spammers go through all of these hoops is to evade spam filters on social networks. On Pinterest, plenty of users pin posts from Tumblr blogs. On Tumblr, a redirect script called 'tumblr-redirect.js' hosted on Dropbox is inserted into each Tumblr page.
Are Twitter accounts compromised?
It does not appear so. Most of the tweets we have seen show they were shared through Pinterest and not Twitter. Symantec Security Response recommends the following tips for Pinterest, Tumblr, and Twitter users:
- Make sure your passwords on all these services are strong and unique*
- Tumblr users should enable two-factor authentication**
- Twitter users should revoke and reauthorize access to the Pinterest application "
* https://identitysafe.norton.com/password-generator

** http://www.tumblr.com/docs/en/account_security
___

Fake Wells Fargo SPAM - malicious PDF file
- http://blog.dynamoo.com/2014/06/wells-fargo-important-docs-spam-has.html
17 June 2014 - "This -fake- Wells Fargo spam comes with a malicious PDF attachment:
   From:     Raul.Kelly@ wellsfargo .com
    Date:     17 June 2014 18:50
    Subject:     Important docs
    We have received this documents from your bank, please review attached documents.
    Raul Kelly
    Wells Fargo Accounting
    817-713-1029 office
    817-306-0627 cell Raul.Kelly@ wellsfargo .com
    Investments in securities and insurance products are:
    NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
    Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103 ...


The attachment is account_doc~9345845757.pdf which has a VirusTotal detection rate of 5/51*. The Malwr report doesn't say much but can be found here**."
* https://www.virustotal.com/en/file/42e12d3d45629c036aca781881867a4a77b7b3a5bc574df4d4c0126a016cb36f/analysis/1403031721/

** https://malwr.com/analysis/M2ViODNlNzI5Yjc5NDQyODk1NzkxYzdmMDA5YzZkN2I/
___

Fake Payment Overdue SPAM - PDF malware
- http://myonlinesecurity.co.uk/payment-overdue-please-respond-fake-pdf-malware/
18 June 2014 - "Payment Overdue - Please respond pretending to come from Payroll Invoice [payroll@intuit.com] is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
   We have uploaded previous month reports on dropbox, please use the
    following link to download your file:
    https ://www.cubby .com/pl/Document_772-998.zip/_666f6271a7a8418a9881644fdcae6e1f
    Sincerely,
    Gabriel Preston
    This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY...


18 June 2014: Document_772-998.zip (8kb) : Extracts to Document_772-998.scr
Current VirusTotal detections: 2/54* ... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/0d28d2dff106109c2510c2c4ea74432d5927c51f5a464961cddc60331ad79ab7/analysis/ 
___

Fake Lloyds Bank SPAM
- http://blog.dynamoo.com/2014/06/lloyds-bank-commercial-finance-customer.html
18 June 2014 - "Sent to the same targets and the same victim as this HSBC spam, this fake Lloyds Bank message comes with a malicious payload:
    From:     Lloyds Bank Commercial Finance [customermail@ lloydsbankcf .co.uk]
    Date:     18 June 2014 12:48
    Subject:     Customer Account Correspondence
    This attachment contains correspondence relating to your customer account with Lloyds Bank Commercial Finance Ltd.
    This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.
    If you have received this email in error please contact the individual or customer care team whose details appear on the statement.
    This email message and its attachment has been swept for the presence of computer viruses.
    Lloyds Bank Commercial Finance, No 1 Brookhill Way, Banbury, Oxfordshire OX16 3EL | www.lloydsbankcommercialfinance .co.uk


Ensuring that your PDF reader is up-to-date may help to mitigate against this attack."
___

Fake Xerox WorkCentre Spam...
- http://blog.dynamoo.com/2014/06/scanned-image-from-xerox-workcentre.html
18 June 2014 - "The PDF spammers are busy today - this is the third time this particular malicious PDF has been spammed out to victims, first as a fake HSBC message, then a fake Lloyds message, and now a fake Xerox WorkCentre spam.
   From:     Xerox WorkCentre
    Date:     18 June 2014 13:41
    Subject:     Scanned Image from a Xerox WorkCentre
    It was scanned and sent to you using a Xerox WorkCentre Pro.
    Sent by: [redacted]
    Number of Images: 0
    Attachment File Type: PDF
    WorkCentre Pro Location: Machine location not set
    Device Name: [redacted]
    Attached file is scanned image in PDF format...


The payload is a malicious PDF that is identical to the HSBC and Lloyds spams."
___

Fake Electro Care SPAM - XLS malware
- http://myonlinesecurity.co.uk/invoice-electro-care-electrical-services-ltd-fake-xlsmalware/
18 June 2014 - "Invoice from Electro Care Electrical Services Ltd is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email looks like :
   This invoice is the oldest and we did receive a cheque if £4900.00 On the 16/04/14
    Please not that they have deducted CIS at 20% on the above payment so the total amount applied to this invoice is £5400.00.
    Any question then please call me.
    This message contains Invoice #03974 from Electro Care Electrical Services Ltd.  If you have questions about the contents of this message or Invoice, please contact Electro Care Electrical Services Ltd.
    Electro Care Electrical Services Ltd
    Unit 18
    Lenton Business Centre
    Lenton Boulevard
    Nottingham
    NG7 2BY
    T: 01159699638 F: 01159787862 ...


18 June 2014: ECE03974.zip (57kb) : Extracts to Electro Care Electrical Services Ltd invoice.scr
Current VirusTotal detections: 3/54* . Invoice from Electro Care Electrical Services Ltd is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper XLS file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/9202caba3971b255d182a161a59f81a3723876515682be3d00c7b539413b51f8/analysis/
___

Fake HSBC SPAM...
- http://blog.dynamoo.com/2014/06/hsbc-unable-to-process-your-most-recent.html
18 June 2014 - "This convincing looking bank spam comes with a malicious PDF attachment:
From:     HSBC.co.uk [service@ hsbc .co.uk]
Date:     18 June 2014 12:33
Subject:     Unable to process your most recent Payment
HSBC Logo
You have a new e-Message from HSBC .co.uk
This e-mail has been sent to you to inform you that we were unable to process your most recent payment.
Please check attached file for more detailed information on this transaction.
Pay To Account Number:   **********91
Due Date: 18/06/2014
Amount Due: £ 876.69 ...


Attached is a malicious PDF file HSBC_Payment_9854711.pdf which has a VirusTotal detection rate of just 6/53*. The Malwr report does not add much but can be found here**."
* https://www.virustotal.com/en-gb/file/31edb5f3f59bee534715dad5aa81cf6aa26c9cc132a520c5a258dc622709222d/analysis/1403092029/

** https://malwr.com/analysis/ZDZmNTFjOTA4ZjAyNDkzMmJiNDA1MGY3OGI5MzdiOWM/
___

Android ransomware uses TOR
- http://blog.trendmicro.com/trendlabs-security-intelligence/android-ransomware-uses-tor/
June 17, 2014 - "... samples we now detect as AndroidOS_Locker.HBT, we found that this malware shows a user interface that notifies the user that their device has been locked down, and that they need to pay a ransom of 1000 rubles to unlock it. The interface also states that failure to pay would result in the destruction of all data in the mobile device. Examples of apps we’ve seen display this routine are found in third-party app stores, bearing names such as Sex xonix, Release, Locker, VPlayer, FLVplayer, DayWeekBar, and Video Player. Non-malicious apps with these names are available from various app stores... The user will be asked to pay to account 79660624806/79151611239/79295382310 by QIWI or 380982049193 by Monexy within 48 hours. This UI will also keep popping up, thus preventing the user from being able to use their device properly... we found that it communicates to its command-and-control server via TOR. Although this is not the first time we’ve seen Android malware use TOR, this is the first ransomware we’ve seen that uses it. Considering the amount of data that users now store in their mobile devices, we predict that this is just the start of the continuous development of mobile ransomware... How to Remove this Ransomware: For users whose devices are infected with this ransomware, the malicious app can be manually removed through the Android Debug Bridge. The adb is part of the Android SDK*, which can be freely downloaded from the Android website..."
* http://developer.android.com/tools/help/adb.html

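The AppRiver write-up in post 83 (a ".zip" that was really a RAR, a password-protected archive with the password in the mail body, a .scr dressed up as a spreadsheet) and the Berkeley Futures item in post 89 (password XL6Fs# in the body, request_form_8943540512.xls.exe inside the zip) describe the same set of mail-gateway tells. The triage below is an added example, not code from this post or any of the quoted blogs; it assumes the attachment bytes and the body text have already been pulled out of the message, and the sample archives and body it builds are constructed placeholders modelled on those campaigns (the real samples are not on this page).

```python
import io
import re
import zipfile

# Container magic bytes. The AppRiver sample had a .zip extension but began with
# the RAR signature, so the extension is never trusted for the container type.
MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXTS = {"pdf", "xls", "xlsx", "doc", "docx", "rtf"}
# "Password: XL6Fs#" style line in the body; the colon or equals is required so
# that the phrase "password protected" on its own does not match.
PASSWORD_RE = re.compile(r"password\s*[:=]\s*(\S+)", re.IGNORECASE)


def sniff_container(data):
    """Container type from the leading bytes, or 'unknown'."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def _exts(name):
    """Lower-cased extension chain: 'request_form.xls.exe' -> ['xls', 'exe']."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return parts[1:]


def triage_attachment(filename, data, body_text=""):
    """Score one attachment together with the mail body it arrived in.
    Returns (score, findings); anything scoring 3 or more is worth quarantining."""
    findings, score = [], 0
    claimed = _exts(filename)[-1] if _exts(filename) else ""
    actual = sniff_container(data)
    if actual != "unknown" and actual != claimed:
        findings.append(f"{filename}: extension .{claimed} but magic bytes say {actual}")
        score += 2
    password_in_body = PASSWORD_RE.search(body_text) is not None
    if password_in_body:
        findings.append("mail body carries the archive password")
    if actual == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                exts = _exts(info.filename)
                if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                    findings.append(f"{info.filename}: encrypted entry, cannot be scanned")
                    score += 2 if password_in_body else 1
                if exts and exts[-1] in EXECUTABLE_EXTS:
                    findings.append(f"{info.filename}: executable inside archive")
                    score += 3
                    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
                        findings.append(f"{info.filename}: document extension spoof")
                        score += 2
    return score, findings


def build_zip(entries, mark_encrypted=False):
    """Constructed sample archive. mark_encrypted only sets the encryption flag bit
    in each header (bit 0 at offset 6 of a local header, offset 8 of a central
    directory entry); nothing is really encrypted, which is enough to exercise the
    flag check without a third-party zip library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries:
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            i = data.find(sig)
            while i != -1:
                data[i + off] |= 0x01
                i = data.find(sig, i + len(sig))
    return bytes(data)


# Constructed samples modelled on the two campaigns; contents are placeholders.
BERKELEY_BODY = ("Attached is your daily statement and payment request form for May 2014.\n"
                 "The attached zip archive is secured with personal password.\n"
                 "Password: XL6Fs#\n")
SAMPLE_XCU01 = build_zip([("statement_may2014.pdf", b"%PDF-1.4 placeholder"),
                          ("request_form_8943540512.xls.exe", b"MZ placeholder")],
                         mark_encrypted=True)
SAMPLE_RAR_AS_ZIP = b"Rar!\x1a\x07\x00" + b"\x00" * 16  # RAR signature under a .zip name


if __name__ == "__main__":
    for name, blob, body in (("XCU01.zip", SAMPLE_XCU01, BERKELEY_BODY),
                             ("statement.zip", SAMPLE_RAR_AS_ZIP, "")):
        score, findings = triage_attachment(name, blob, body)
        print(name, score, *findings, sep="\n  ")
```

The point of scoring rather than blocking on any single tell is the one AppRiver makes: an encrypted archive by itself is legitimate business traffic, but an encrypted archive whose password is printed in the same mail, holding an executable named after a spreadsheet, has no honest explanation. The RAR-under-.zip case is caught before any archive parsing because the container is identified from its bytes, which is also why a gateway should hand a mislabeled RAR to a RAR parser instead of giving up.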

 90 
 on: June 17, 2014, 13:30:38  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Microsoft Security Advisory 2974294
Vulnerability in Microsoft Malware Protection Engine Could Allow Denial of Service
- https://technet.microsoft.com/library/security/2974294
June 17, 2014 - "Microsoft is releasing this security advisory to inform customers that an update to the Microsoft Malware Protection Engine addresses a security vulnerability that was reported to Microsoft. The vulnerability could allow denial of service if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could prevent the Microsoft Malware Protection Engine from monitoring affected systems until the specially crafted file is manually removed and the service is restarted... See the Affected Software section for a list of affected products. Updates to the Microsoft Malware Protection Engine are installed along with the updated malware definitions for the affected products...  automatic detection and deployment of updates will apply the update within 48 hours of release. The exact time frame depends on the software used, Internet connection, and infrastructure configuration..."

- https://www.us-cert.gov/ncas/current-activity/2014/06/17/Microsoft-Releases-Security-Advisory-Microsoft-Malware-Protection
June 17, 2014
___

- http://www.securitytracker.com/id/1030438
CVE Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2779
Jun 17 2014
Impact: Denial of service via local system, Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.1.10600.0 and prior...
Solution: The vendor has issued a fix (1.1.10701.0).
The vendor's advisory is available at:
- https://technet.microsoft.com/en-us/library/security/2974294
___

- https://atlas.arbor.net/briefs/
High Severity
June 20, 2014
Analysis: If the engine scans a specially crafted file, the vulnerability could be exploited to cause a denial of service condition, stopping the engine from monitoring affected systems. A specially crafted file could be delivered via email or instant messenger, or by visiting a site hosting a malicious file; alternatively, a malicious attacker could use a website that hosts user-provided content to upload a malicious file, which would be scanned by the engine running on the hosting server. [ https://technet.microsoft.com/library/security/2974294 ] Microsoft has updates for affected products, which will automatically be pushed to Microsoft Malware Protection Engine...

