Feed aggregator

Cloned Android Banking App Hides Phishing Scheme

Threatpost for B2B - Wed, 06/25/2014 - 14:49
A cloned banking application targeting customers of a large bank in Israel has been removed from Google Play after it was discovered to be stealing users' log-in credentials.

VMware Patches Apache Struts Flaws in vCOPS

Threatpost for B2B - Wed, 06/25/2014 - 13:59
VMware has patched several serious security vulnerabilities in its vCenter Operations Center Management suite, one of which could lead to remote code execution on vulnerable machines.

Use the force Luuuk

Secure List feed for B2B - Wed, 06/25/2014 - 13:14

Stealing more than half a million euro in just a week - it sounds like a Hollywood heist movie. But the organizers of the Luuuk banking fraud pulled it off with a Man-in-the-Browser (MITB) campaign against a specific European bank. The stolen money was then automatically transferred to preset mule accounts. When GReAT discovered Luuuk's control panel it immediately got in touch with the bank and launched an investigation.

On January 20th 2014 Kaspersky Lab detected a suspicious server containing several log files including events from bots reporting to a command and control web panel. The information sent seemed to be related to a financial fraud; it included details of the victims and the sums of money stolen.


Figure 1: Example of log file

After further analysis we found additional files in the server containing logs with different content and showing potentially fraudulent banking transactions, as well as source code in JavaScript related to the C2 infrastructure. This information provided valuable data about the bank that had been targeted and other details such as the money-mule system and operational details used in this scheme.


Figure 2: Source code control panel

Once we analyzed all the available data, it was clear that the C2 was the server-side portion of a banking Trojan infrastructure. We believe the fraud was being perpetrated using Man-in-the-Browser techniques and was also capable of performing automatic transactions to pre-set money mule accounts.

We decided to name this C2 luuuk after the path the administration panel used in the server:/server/adm/luuuk/

Below is a summary of the relevant information extracted from the server side component:

  • Around 190 victims, mostly located in Italy and Turkey.
  • Fraudulent transactions worth more than 500,000 € (according to logs) .
  • Fraudulent transfer descriptions.
  • Victims' and mules' IBANs.

The control panel was hosted in the domain uvvya-jqwph.eu, resolving to the IP address 109.169.23.134 during the analysis.

The fraudulent campaign targeted users of a single bank. Even though we were not able to get the malicious code used on the victims, we believe the criminals used a banking Trojan performing Man-in-the-Browser operations to get the credentials of their victims through a malicious web injection. Based on the information available in some of the log files, the malware stole usernames, passwords and OTP codes in real time.


Figure 3: Fraudulent transaction log example.

This kind of injections are very common in all the variations of Zeus (Citadel, SpyEye, IceIX, etc.) and all of these are well-known in Italy. During our investigation it was not possible to find the infection vector, however banking Trojans use a variety of methods to infect victims including spam and drive-by downloads.

The attackers used the stolen credentials to check the victim?s balance and perform several malicious transactions automatically, probably operating in the background of a legitimate banking session. That would be consistent with one of the malicious artifacts (a VNC server) we found binded to the malicious server used by the attackers.

Despite the "usual" techniques implemented to steal the users' money (user/password/OTP bypass) what is really interesting in this campaign is the classification of the predefined money mules used to transfer the stolen money.

According to the transaction logs, there were 4 different money-mule (or drop) groups:

  • 13test: The limit that the drops in this group can accept is between 40,000 and 50,000 Euros, although there are some drops that have different limits, between 20,000 and 30,000.
  • 14test: The limit that the drops in this group can accept is between 15,000 and 20,000 Euros, although there are some drops in this group that have different limits, between 45,000 and 50,000.
  • 14smallings: The limit that the drops in this group can accept is between 2,500 and 3,000 Euros.
  • 16smallings: The limit that the drops in this group can accept is between 1,750 and 2,000 Euros, although there are drops in this group that can accept a quantity between 2,500 and 3,000 Euros (as in the group 14smallings).

This could be an indicator of a well-organized mule infrastructure. Different groups have different limits on the money that can be transferred to its mules, an indicator of the levels of trust between them.

The operators of this control panel removed all the sensitive components on January 22nd, two days after our investigation started. Based on the transaction activity we believe that this could be an infrastructure change rather than a complete shutdown of the operation.

In addition, based on the fraudulent transaction activity detected in the server and several additional indicators, we believe that the criminals behind the operation are very active. Also they have shown proactive operational security activities, changing tactics and cleaning traces when discovered.

Kaspersky Lab is maintaining contacts with different LEAs and the affected financial institution in order to prosecute the criminals.

Kaspersky Fraud Prevention vs. the Luuuk

The evidence uncovered by Kaspersky Lab's experts indicates that the campaign was most probably organized by professional criminals. However, the malicious tools they used to steal money can be countered effectively by security technologies. For instance, Kaspersky Lab has developed Kaspersky Fraud Prevention - a multi-tier platform to help financial organizations protect their clients from online financial fraud. The platform includes components that safeguard client devices from many types of attacks, including Man-in-the-Browser attacks, as well as tools that can help companies detect and block fraudulent transactions.

UPDATE

After the publication of the post, our colleagues at Fox-IT InTELL sent us some potentially related information regarding this campaign. According to this new information, the Luuuk server could be related to the ZeusP2P (aka Murofet) infrastructure as we originally suspected.

We received two decrypted configuration files belonging to the ZeusP2P with a reference to the same server where Luuuk was hosted:

The configuration belongs to a botnet named "it" (for Italy). The Luuuk server is being used to host the code that is injected in the victims´ browser. It also manages the automatic transfers to a predefined set of money mules (drops) accounts.

We were also able to analyze the binaries using these configurations. The first one (c8a3657ea19ec43dcb569772308a6c2f) is a ZeusP2P (Murofet) sample that was first seen back in August 2013, months before the malicious transactions were made. It tries to connect to several of the sinkholed servers used to take down GameOver.


Sinkholed domains used by the sample.

This additional data reinforces the theory that the Zeus family is behind the Luuuk server - in this particular case it appears to be of the ZeusP2P flavor. However, this is not definitive proof that the malicious transactions in the campaign were performed by this family, as the injected code on the server was not there when we analyzed it.

Still, it would be quite unusual for two different malware campaigns to use the same server almost simultaneously to provide the necessary infrastructure. So we will continue our investigations based on the hypothesis that this Luuuk campaign used ZeusP2P samples for their infections and malicious transactions. Now we will try to get the Javascript code injected to close the circle.

We would like to thank Fox-IT for sharing this information.

Flaw Lets Attackers Bypass PayPal Two-Factor Authentication

Threatpost for B2B - Wed, 06/25/2014 - 11:39
There's a vulnerability in the way that PayPal handles certain requests from mobile clients that can allow an attacker to bypass the two-factor authentication mechanism for the service and transfer money from a victim's account to any recipient he chooses.

Crowdsourcing Finding its Security Sweet Spot

Threatpost for B2B - Wed, 06/25/2014 - 09:41
Private and commercial businesses are starting to find some comfort in crowdsourcing security research into application vulnerabilities,.

Luuuk Fraud Campaign Steals €500K From Bank in One Week

Threatpost for B2B - Wed, 06/25/2014 - 08:27
A fraud campaign stole more than half a million dollars from a European bank in a week earlier this year, researchers with Kaspersky Lab announced this week.

HackingTeam 2.0: The Story Goes Mobile

Secure List feed for B2B - Tue, 06/24/2014 - 13:04

More than a year has passed since the release of our last article on HackingTeam, the Italian company that develops a "legal" spyware tool known as Remote Control System, or short, RCS. In the meantime a lot has been happened, so it's time for an update on all our current research findings on the RCS malware.

Locating the command servers

One of the most important things we've uncovered during our long and extensive research is a specific feature than can be used to fingerprint the RCS command servers (C2s). We presented details of this method at the Virus Bulletin 2013 conference.

To summarize, when a special request is sent to a "harmless" HackingTeam RCS C&C server, the RCS C&C responds with the following error message:


Slide from our VB presentation with HackingTeam's C2 fingerprint

First of all, the codename 'RCS' is there, all right. What we weren't sure about was the 'Collector' referred to in the response. This probably refers to the fact that the server "collects" information from the victims. We used this particular fingerprinting method to scan the entire IPv4 space, which allowed us to find all the IP addresses of the RCS C2s around the world and plot them nicely to a map showing their locations. šWe pinpointed a grand total of 326 C2s.

Count of C2s Country name 64 UNITED STATES 49 KAZAKHSTAN 35 ECUADOR 32 UNITED KINGDOM 24 CANADA 15 CHINA 12 COLOMBIA 7 POLAND 7 NEW ZEALAND 6 PERU 6 INDONESIA 6 BRAZIL 6 BOLIVIA 6 ARGENTINA 5 RUSSIAN FEDERATION 5 INDIA 4 HONG KONG 4 AUSTRALIA 3 SPAIN 2 SAUDI ARABIA 2 MALAYSIA 2 ITALY 2 GERMANY 2 FRANCE 2 EGYPT 1 UKRAINE 1 THAILAND 1 SWEDEN 1 SINGAPORE 1 ROMANIA 1 PARAGUAY 1 MOROCCO 1 LITHUANIA 1 KENYA 1 JAPAN 1 IRELAND 1 HUNGARY 1 DENMARK 1 CZECH REPUBLIC 1 CYPRUS 1 Other 1 BELGIUM 1 AZERBAIJAN


Map showing the countries of the current HackingTeam servers’ locations

The largest amount of identified servers was in the US, Kazakhstan and Ecuador. Unfortunately, we can’t be sure that the servers in a certain country are used by that specific country’s LEAs; however, it would make sense for LEAs to put their C&Cs in their own countries in order to avoid cross-border legal problems and the seizure of servers.  Nevertheless, several IPs were identified as “government” related based on their WHOIS information and they provide a good indication of who owns them.

Mobile modules

It was a well-known fact for quite some time that HackingTeam products included malware for mobile phones. However, these were rarely seen. In particular, the Android and iOS Trojans have never been identified before and represented one of the remaining blank spots in the story. Earlier this year, we discovered a number of mobile malware modules coming from HackingTeam for the following platforms:

  • Android
  • iOS
  • Windows Mobile
  • BlackBerry

All these modules are controlled by the same configuration type, which is a good indication that they are related and belong to the same product family.


Configuration file from the RCS mobile modules

Certainly, our main interest during the analysis of the mobile modules was in iOS and Android, due to their popularity. The iOS module works only on jailbroken devices. Here is a description of the main functionality of the iOS module:

  • Control of Wi-Fi, GPS, GPRS
  • Recording voice
  • E-mail, SMS, MMS
  • Listing files
  • Cookies
  • Visited URLs
  • Cached web pages
  • Address book
  • Call history
  • Notes
  • Calendar
  • Clipboard
  • List of apps
  • SIM change
  • Live microphone
  • Camera shots
  • Support chats, WhatsApp, Skype, Viber
  • Log keystrokes from all apps and screens via libinjection


Disassembled code of the iOS module

The Android module is protected by the DexGuard optimizer/obfuscator and is therefore extremely difficult to analyze. However, we discovered (see the trace below) that the sample has all the functionality of the iOS module listed above - plus support for hijacking information from the following applications:

  • com.tencent.mm
  • com.google.android.gm
  • android.calendar
  • com.facebook
  • jp.naver.line.android
  • com.google.android.talk


Trace of an RCS Android sample

Mobile infectors

Another aspect of particular interest to us was the way the malware samples are installed on mobile devices. We discovered several modules that infect mobile devices connected to infected Windows or Mac OS X computers.

As already mentioned, the iOS module can only be used on jailbroken devices. That is why the iOS infector uses the AFP2 protocol to transfer. The "infector" has a nice GUI that enables installation if there is physical access to the victim's device or remote admin access to an infected computer.


Main window of the iOS infector

iPhone1,1 iPhone1,2 iPhone2,1 iPhone3,1 iPhone3,2 iPhone3,3 iPhone4,1 iPhone5,1 iPhone5,2 iPad1,1 iPad2,1 iPad2,2 iPad2,3 iPad2,4 iPad3,1 iPad3,2 iPad3,3 iPad3,4 iPad3,5 iPad3,6 iPhone iPhone 3G iPhone 3GS iPhone 4 iPhone 4 iPhone 4 (cdma) iPhone 4s iPhone 5 (gsm) iPhone 5 iPad iPad2 (Wi-Fi) iPad2 (gsm) iPad2 (cdma) iPad2 (Wi-Fi) iPad3 (Wi-Fi) iPad3 (gsm) iPad3 iPad4 (Wi-Fi) iPad4 (gsm) iPad4    

List of Apple devices supported by the iOS infector

After successfully connecting, the iOS infector copies several files to iOS and runs an install.sh file:


Part of the install.sh file that is run on an infected iOS device

As mentioned above, remote admin access to an infected computer is one of the possible ways for the malware to be installed on a connected mobile device. The fact that only jailbroken iOS devices are supported can be a limiting factor. However, this is not a huge problem since an attacker can also run a jailbreaking tool such as Evasi0n via the same infected computer. In this case the only thing that can protect a user from a remote jailbreak and infection is the mobile device’s passcode. However, if the device is unlocked while connected to the infected computer, it can be infected by the attacker.

Another interesting mobile infector is the one for BlackBerry devices, which uses the JavaLoader application to load malware samples on BB 4.5 and 5.0. In its disassembled code, we found a path to the PDB debug file, which appears to have been mistakenly forgotten by the authors. The original project was located in the ‘C:\HT\RCSBlackBerry\Workspace\RCS_BB_Infection_Agent\’ when this malware was created.


Part of the code of a Blackberry infector with a path to the PDB file

Summary

In this latest installment of our ongoing research, we uncovered a huge infrastructure that is used to control the RCS malware implants. Our latest research has indentified mobile modules that work on all well-known mobile platforms, including as Android and iOS. These modules are installed using infectors - special executables for either Windows or Macs that run on already infected computers. They translate into complete control over the environment in and near a victim’s computer. Secretly activating the microphone and taking regular camera shots provides constant surveillance of the target - which is much more powerful than traditional cloak and dagger operations.

The new data we are publishing on HackingTeam’s RCS is extremely important because it shows the level of sophistication and scale of these surveillance tools. We like to think that if we’re able to protect our customers from such advanced threats, then we’ll sure have no trouble with lesser, more common threats like those posed by cybercriminals.

Appendix:

MD5s of mobile infectors:

  • 14b03ada92dd81d6ce57f43889810087 - BlackBerry infector
  • 35c4f9f242aae60edbd1fe150bc952d5 - iOS infector

MD5s of Android samples:

  • ff8e7f09232198d6529d9194c86c0791
  • 36ab980a954b02a26d3af4378f6c04b4
  • a2a659d66e83ffe66b6d728a52130b72
  • 9f06db99d2e5b27b01113f78b745ff28
  • a43ea939e883cc33fc766dd0bcac9f6a
  • a465ead1fd61afe72238306c7ed048fe

MD5s of Windows samples:

  • bf8aba6f7640f470a8f75e9adc5b940d
  • b04ab81b9b796042c46966705cd2d201
  • 1be71818a228e88918dac0a8140dbd34
  • c7268b341fd68cf334fc92269f07503a

List of active C2s on 19.06.2014:

  • 50.63.180.***
  • 146.185.30.***
  • 204.188.221.***
  • 91.109.17.***
  • 106.186.17.***
  • 119.59.123.***
  • 95.141.46.***
  • 192.71.245.***
  • 106.187.99.***
  • 93.95.219.***
  • 106.187.96.***
  • 124.217.245.***
  • 23.92.30.***
  • 82.146.58.***
  • 93.95.219.***
  • 209.59.205.***

RCS modules (using Kaspersky Lab’s classification names):

  • Backdoor.OSX.Morcut
  • Rootkit.OSX.Morcut
  • Trojan.OSX.Morcut
  • Backdoor.Win32.Korablin
  • Backdoor.Win64.Korablin
  • Rootkit.Win32.Korablin
  • Rootkit.Win64.Korablin
  • Trojan.Multi.Korablin
  • Trojan-Dropper.Win32.Korablin
  • Backdoor.AndroidOS.Criag
  • Trojan-Spy.AndroidOS.Mekir
  • Trojan.Win32.BBInfector
  • Trojan.Win32.IOSinfector
  • Trojan.OSX.IOSinfector
  • Trojan-Spy.IphoneOS.Mekir
  • Trojan-Spy.WinCE.Mekir
  • Trojan-Spy.BlackberryOS.Mekir

Dramatic Drop in Vulnerable NTP Servers Used in DDoS Attacks

Threatpost for B2B - Tue, 06/24/2014 - 11:39
95 percent of vulnerable NTP servers leveraged in massive DDoS attacks earlier this year have been patched, but the remaining servers still have experts concerned.

AskMen Site Compromised by Nuclear Pack Exploit Kit

Threatpost for B2B - Tue, 06/24/2014 - 09:10
Users who visit AskMen.com, a men’s entertainment and lifestyle portal, are being hit with malicious code – possibly stemming from the Nuclear Pack exploit kit - researchers announced today.

Researchers Go Inside HackingTeam Mobile Malware, Command Infrastructure

Threatpost for B2B - Tue, 06/24/2014 - 09:03
Researchers from Kaspersky Lab and Citizen Lab released a report today with extensive details on the HackingTeam's controversial RCS spyware, in particular its extensive global command infrastructure and mobile malware.

OpenSSL Heartbleed Patch Progress Slowing Two Months Later

Threatpost for B2B - Mon, 06/23/2014 - 16:51
More than two months after it emerged, more than 300,000 machines on port 443 remain vulnerable to the OpenSSL Heartbleed security vulnerability.

Threatpost News Wrap, June 23, 2014

Threatpost for B2B - Mon, 06/23/2014 - 15:17
Dennis Fisher and Mike Mimoso discuss the latest security news, including the possible fork of TrueCrypt, Microsoft’s new information sharing platform, the FBI’s cybercrime task force and the US team’s crushing tie with Portugal. Download: digital_underground_156.mp3 Music by Chris Gonsalves  

Blog: The Rise of Cybercrime in Dubai and UAE

Secure List feed for B2B - Mon, 06/23/2014 - 13:20
Dubai today has become a global city and a business hub, same is going for threats and malware attacks, UAE is the most attacked country in the Middle East. In this report we highlight the most popular and dangerous threats and attacks, in addition to possible solutions to handle such threats.

The Rise of Cybercrime in Dubai and UAE

Secure List feed for B2B - Mon, 06/23/2014 - 12:35

A lot of our everyday communication and commercial activities are now taking place online, the threat from cybercrime is increasing, targeting citizens, businesses and governments at a rapidly growing rate.

Organizations and individuals are worried about the increase of Cybercrime, not just because of financial damage, but loss of privacy and intellectual property, in addition to reputation problems.

Recent statistics have shown dramatic growth in the Cybercrime in the UAE. Emerging markets have long been of interest for Cyber criminals.

Official statistics from Dubai have shown a dramatic 88% increase in the number of electronic crime cases reported in 2013 compared to the year before. The cyber investigation department of Dubai Police received a total of 1,419 reports in 2013, 792 in 2012 and 588 in 2011.

Kaspersky malware statistics in the UAE and worldwide

The increase in the number of attacks in the UAE and the region is also reflected by the number of attacks and infection attempts detected by Kaspersky Security Network in the region. The KSN cloud network uses the latest intelligence technologies to enable the reporting and analysis of threats around the world.

Kaspersky top Malware detections statistics for 2014 in the world Adware.Win32.Amonetize.heur 3,700,000+ Worm.VBS.Dinihou.r 1,800,000+ Virus.Win32.Sality.gen 1,780,000+ AdWare.Win32.BetterSurf.b 1,500,000+ AdWare.Win32.Yotoon.heur 1,500,000+ Exploit.Win32.CVE-2010-2568.gen 1,388,000+ Worm.Win32.Debris.a 1,094,000+ Trojan.Win32.Starter.lgb 1,007,000+ AdWare.Win32.Skyli.a 883,000+ Exploit.Java.Generic 850,000+ Trojan.Win32.AntiFW.b 829,000+ Virus.Win32.Nimnul.a 713,000+ Trojan.WinLNK.Runner.ea 676,000+ Why is cybercrime surging in the UAE?

The last few years have seen huge increase in the use of smart electronic devices and Internet services, all these devices are connected to the Internet.

Increasing use of online services

According to recent statistics Internet penetration has reached 92% in the UAE. Most people now use online services, including the transfer of financial and personal information to fulfill their day-to-day needs, and the most popular services are as follows:

  1. E-Government transactions, e-bills
  2. E-banking
  3. E-shopping

While the benefits of using online services are obvious, there are also threats that target user information.

Smartphone Threats

Many people in the UAE and Gulf region have smart mobile devices. These have many benefits and allow anyone to easily access services and activities online. These devices are expensive, so users often wrongly assume they have some kind of default protection.

Android is the most targeted mobile platform. At Kaspersky Lab we now have more than 10 million unique Android malware samples in our databases.

In Q1 2014, more than 99% of all mobile malware targeted Android devices. Detections over the past three months included:

  • 1 258 436 installation packages,
  • 110 324 new malicious programs for mobile devices,
  • 1 182 new mobile banking Trojans.
Financial Motivation

The huge increase in the use of online payment and e-services, in addition to the wide availability of unprotected smartphones, has encouraged cyber-criminals to target users with malware and phishing attacks affecting all types of devices.

Just like offline crime, money is a prime motive, especially when the risks of a criminal life are less apparent when you're hiding being a computer screen. The perception of low risk and high financial reward stimulates many cyber criminals to participate in identity theft and fraudulent activities.

Personal Motivation

Human beings and the crimes they commit are often motivated by personal emotions and vendettas. From irritated employees to jealous boyfriends, many crimes have their roots in powerful passions.

Ideological and Political Motivation

These kinds of attacks are carried out for moral, ideological or political reasons, damaging or disabling online services and networks to protest against individuals, corporations or governments. Anonymous group is a popular example of ideologically motivated hackers.

The most dangerous attacks on users in the UAE Banking Malware

The UAE is a country well known for its concentration of financial resources. Banking malware targets user devices to steal financial information like credit card details and bank account passwords. The criminals then use this stolen information to transfer money from the compromised accounts.

The most popular banking malware in the UAE are as follows:

  • Zeus (Windows)
  • Carberp (Windows)
  • mToken (Android)

Zeus and Carberp have long been popular malware for Windows computers and widely available public source code has enabled criminals to develop many variants of these. Zeus Gameover, the latest variant of Zeus has hit hard in the UAE, the third most affected country in the world. Zeus Gameover was taken down by the FBI and Microsoft on 2nd of June 2014.


Number of Zeus and Carberp attacks, and files blocked between 5 and 12 June 2014 in UAE

mToken was first recognized and reported by the Intercrawler organization. This is a different type of malware that mainly targets Android devices. It is used to steal banking usernames and passwords, in addition to stealing SMS token messages from the banks. There were 513,000 mToken attacks in Q1 2014 in the GCC region according to statistics from the Telecommunications Regulatory Authority. The mToken disguises itself as a banking token generator for some of the most popular banks in KSA and UAE Most of its victims are in the United Arab Emirates and the Kingdom of Saudi Arabia.

Kaspersky Lab products have detected and blocked Zeus variants since 2010 and Mtoken variants since 2012.

Ransomware: Lockers and Crypters

Lockers and Encrypters are ransomware trojans. An attack may come from several sources; one example is disguised as an authentic email attachment.

Some Lockers can be removed with no damage to the system or files, others harm files by encrypting them using RSA public-key cryptography where only the hackers have the keys to decrypt and recover the files.

The malware displays a message which offers to unlock/decrypt the device and data if a payment is made by a stated deadline (through either Bitcoin or a pre-paid coupon), and threatens to delete the key if the deadline passes.

Lockers and Encrypters mainly target Windows devices but recently we have seen versions for Android.


Number of ransomware attacks and files blocked between 5 and 12 June 2014 in UAE


Even though it is old, CashU malware is still active in the UAE


Cryptolocker encrypts your files and they can only be recovered using the hacker's key


Ransomware targeting Android devices, disguised as a protection application

The most popular attacks in the UAE

The total number of attacks from Jan-May 2014 is 12,713,890

Top 3 Adware in the UAE in 2014 AdWare.Win32.BetterSurf.b 1,228,000+ AdWare.Win32.BrainInst.u 1,189,000+ AdWare.Win32.BHO.batb 680,000+ Top 3 malware attacks in the UAE in 2014 Virus.Win32.Sality.gen 378,000+ Net-Worm.Win32.Kido.ih 348,000+ Exploit.Win32.CVE-2010-2568.gen 339,000+

Sality virus: blocks some security functions and utilities on Windows computers. It also tries to download malware from other servers. It infects Windows files and copies itself to removable and remote drives.

Kido worm: also known as conficker, is malware that targets the Windows operating system, mainly attacking the MS08-067 vulnerability; it also uses dictionary attacks on administrator passwords to spread and create a botnet.

CVE-2010-2568 is one of the most popular weaknesses in the Microsoft Operating system. When exploited by malware attacks, it allows a user to execute code via shortcut file (.lnk) that is not properly handled by the operating system.

Sality virus, Kido worm and the CVE-2010-2568 exploit are legacy attacks which were used to infect millions of machines worldwide. They are still widespread because they can easily infect new machines or they are publicly available for the criminals to use which explains the high success rates if a device is not protected.

These recent statistics suggest that the most popular malware and adware in the UAE are not new:

First Date of malware detection by Family BetterSurf adware Oct 2013 BrainInst adware Dec 2013 BHO adware Mar 2006 Sality virus Oct 2009 Kido worm Nov 2008 CVE-2010-2568 exploit Jul 2010

The main reasons why old attacks are still very successful are as follows:

  • The absence of correct patching on the user operating systems
  • The use of unlicensed software
  • The lack of security software to protect the user devices against the latest threats
  • The lack of good practices for handling smart devices, like good passwords and awareness on cyber security
Conclusion and future expectations

Most malware works in stealth mode. It doesn't announce itself on a PC or mobile device, preferring to monitor and steal information and then use it to steal your money or reveal themselves while extorting money. In most cases criminals are not very interested in the information on most personal or business computers. But this data is vital to the owner, and criminals manipulate the need for confidentiality, integrity and availability to cause financial and reputational damage to victims.

The UAE has a diverse, cosmopolitan and multicultural society and the accelerated economic growth in the region has encouraged cyber-criminals to excessively target citizens, using and adapting the latest trends in global cybercrime.

The increasing number and complexity of threats targeting users and businesses in the UAE requires better protection and awareness to defend against various cyber-threats.

You can follow me on twitter: @mahasbini

Google’s BoringSSL Latest OpenSSL Fork to Surface

Threatpost for B2B - Mon, 06/23/2014 - 11:06
Google announced its fork of OpenSSL called BoringSSL, a version of the crypto libraries that will now import changes from OpenSSL.
Syndicate content