Threat Lab

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan before it’s hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Fake ‘Copy of Vodafone U.K Contract/Your Monthly Vodafone Bill is Ready/New MMS Received’ themed emails lead to malware

Cybercriminals continue targeting U.K-based Internet users in an attempt to trick them into thinking that they’ve received a legitimate email from Vodafone U.K. We’ve intercepted two currently circulating malicious spam campaigns that once again impersonate Vodafone U.K, this time relying on bogus “Copy of Vodafone U.K” themed messages, the ubiquitous ‘MMS Message Received‘ campaign, as well as the most recent ‘Your Monthly Vodafone Bill is Ready‘ theme.


Newly launched ‘HTTP-based botnet setup as a service’ empowers novice cybercriminals with bulletproof hosting capabilities

A newly launched managed ‘HTTP-based botnet setup as a service’ aims to attract novice cybercriminals who’ve just purchased their first commercially available malware bot — or managed to obtain a cracked/leaked version of it — but still don’t have the necessary experience to operate, and most importantly, host the command and control server online.


Yet another commercially available stealth Bitcoin/Litecoin mining tool spotted in the wild

Cybercriminals continue releasing new, commercially available stealth Bitcoin/Litecoin mining tools, giving novice cybercriminals a way to start monetizing the malware-infected hosts in their own botnets, or hosts they have bought access to through a third-party service that sells malware-infected machines.

What’s so special about the latest mining tool that popped up on our radar? Let’s find out.


Rogue ads targeting German users lead to Win32/InstallBrain PUA (Potentially Unwanted Application)

German Web users, watch what you install on your PCs!

Our sensors just picked up yet another rogue/deceptive ad campaign enticing visitors to install the bogus PC performance-enhancing software known as ‘PCPerformer’, which in reality is a Potentially Unwanted Application (PUA) that tricks users into installing additional bundled software (the Delta Toolbar in particular) on their PCs.


New Mac Malware Uses Right-to-Left Override To Trick Users

By Michael Sweeting

After a relatively long lull without any notably new Mac malware, last week we saw a new and interesting method of compromising OS X systems surface. Malware authors have taken a new approach: altering the file names of malicious .app packages so that users think they are opening relatively harmless .pdf or .doc files. Simply changing a file extension on OS X does not work, because a built-in safeguard detects the attempt and automatically appends the extension of the file’s real type. So what’s the trick? To get around this safeguard, the malware authors use the Unicode “right-to-left override” character (U+202E), which can be inserted with the built-in OS X Character Viewer. Character Viewer lets a user insert a vast array of characters and text input methods, and in this case it gives the malware author a way to place the override character in the name so that everything after it is displayed reversed: the real “.app” extension stays at the end of the name as far as the OS is concerned, while the user sees a name that appears to end in “.pdf” or “.doc”.
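The following is an added example, not code from the original post, that flags file names carrying Unicode bidirectional control characters (the RIGHT-TO-LEFT OVERRIDE, U+202E, is the one the technique above relies on) and shows the gap between the extension the OS acts on and the one the user is shown. The sample file names are constructed for the demo; no real malware sample is reproduced.

```python
# Added example (not from the original post): unmask right-to-left override
# tricks in file names. Sample names below are constructed for the demo.
import os

# Invisible bidi controls that have no business in a legitimate file name.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}
RLO, PDF = "\u202e", "\u202c"


def real_extension(name: str) -> str:
    """The extension the OS uses: whatever follows the last '.' in the raw name."""
    stem, dot, ext = name.rpartition(".")
    return ext.lower() if dot and stem else ""


def displayed_name(name: str) -> str:
    """Approximate what a user sees in Finder or a file dialog.

    Text after an RLO is rendered right-to-left until a PDF (pop directional
    formatting) or the end of the string; for plain ASCII that is a straight
    reversal. Other bidi controls are invisible and are simply dropped. The
    full Unicode bidi algorithm is more involved, but this is enough to unmask
    the extension trick.
    """
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def analyze_name(name: str) -> dict:
    """Describe one file name: real vs displayed extension and any bidi controls."""
    controls = sorted({BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS})
    shown = displayed_name(name)
    return {
        "raw": name,
        "displayed": shown,
        "real_ext": real_extension(name),
        "displayed_ext": real_extension(shown),
        "controls": controls,
        # Any bidi control in a file name is suspicious on its own; the
        # real/displayed extension mismatch is what turns ".pdf" into a bundle.
        "suspicious": bool(controls),
    }


def scan_directory(path: str) -> list:
    """Analyses for every entry under `path` whose name contains bidi controls."""
    hits = []
    for root, dirs, files in os.walk(path):
        for entry in dirs + files:
            info = analyze_name(entry)
            if info["suspicious"]:
                info["path"] = os.path.join(root, entry)
                hits.append(info)
    return hits


if __name__ == "__main__":
    # Constructed samples: .app bundles whose names read ".pdf" / ".doc" on screen.
    for sample in ("RecentNews." + RLO + "fdp.app", "Report" + RLO + "cod.app", "notes.pdf"):
        info = analyze_name(sample)
        print(f"{info['displayed']!r}: real .{info['real_ext'] or '?'}, "
              f"shown .{info['displayed_ext'] or '?'}, controls={info['controls']}")
```

Run `scan_directory` over a Downloads folder to list every entry with a bidi control in its name; a mail gateway or endpoint agent can apply the same `analyze_name` check to attachment names before the user ever sees them.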

New Rogue “Antivirus System” locks you out of safe mode

Recently we’ve seen a new fake security product making the rounds that improves on the standard rogue. Typical rogues are annoying, but relatively easy to take care of. Previously, all you had to do was boot into safe mode with networking and remove the files and registry entries (or install an antivirus product). Support forums everywhere use safe mode with networking as the “go to” mode for virus removal, because non-core components are not loaded at startup and it’s easier to isolate problems. The vast majority of the rogues we see are not loaded by the few modules that start up in safe mode. Antivirus System is, however, and it also applies some new and improved social engineering tactics to fool you into thinking it’s a real program trying to help you.

Once loaded onto your system, any executable you try to launch will be stopped and flagged as malicious – pretty standard. Eventually the interface will come up and start scanning. What’s unique about this variant is that it does actually scan your system. I do not mean it removes malware or does anything beneficial, but the infections it reports are real files on your computer. This variant flagged Dell drivers that are exclusive to my laptop model and one of my Chrome extensions. This indexing of real files is a big improvement over the transparently fake “scan” buttons on previous rogues, which just led to an animation of a loading bar along with a generic list of system files. Antivirus System also has many “features” which appear on most legitimate security applications. It has Internet Security, which is similar in description to Webroot’s Web Threat Shield. Its Personal Security attempts to mimic features like Webroot’s Identity Shield, and Proactive Defense fakes features similar to Webroot’s Real Time Protection. This rogue even has configuration settings like “Concede resources to other applications”, implying that it can lower how much of a resource hog it is – if you pay for it. Of course none of these “features” do anything, and if you try to switch them on you’ll just be presented with the purchase screen.

Removal without Webroot installed

Most experienced users would immediately go into safe mode with networking after seeing this. This won’t work: the rogue hooks the .exe file association used by the explorer shell, which is loaded in safe mode, so it will lock you down after you launch any executable (regedit, task manager, standalone virus removal tools, etc.). This is probably the point where most people have run out of options and consider taking their PC to a third-party technician, where you’ll likely pay double the ransom cost of the rogue. There is no need to do this, as there are plenty more tricks to get around these rogues.

  • Boot into Safe Mode with Command Prompt (this does not launch the explorer shell)
  • The first screen that comes up is cmd.exe; type “control nusrmgr.cpl” to launch the User Accounts screen
  • On the User Accounts screen click on “Manage another account”
  • On the Manage Accounts screen click on “Create new account”
  • Call this account whatever you want and then create the account (just make sure it has administrator privileges)
  • Reboot the computer and then log into that new account (safe mode or normal mode)
  • This new account won’t have the policies the virus created, so you should be able to use it freely. You can install Webroot to scan and remove the virus, or you can just delete the files and registry entries associated with it:
  • DELETE:
    C:\Users\All Users\pavsdata
    C:\Users\All Users\pavsdata\21.4.exe
    C:\Users\All Users\pavsdata\app.ico
    C:\Users\All Users\pavsdata\cache.bin
    C:\Users\All Users\pavsdata\support.ico
    C:\Users\All Users\pavsdata\uninst.ico
    C:\Users\All Users\pavsdata\vl.bin
    C:\ProgramData\pavsdata
    C:\ProgramData\pavsdata\21.4.exe
    C:\ProgramData\pavsdata\app.ico
    C:\ProgramData\pavsdata\cache.bin
    C:\ProgramData\pavsdata\support.ico
    C:\ProgramData\pavsdata\uninst.ico
    C:\ProgramData\pavsdata\vl.bin
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "avsdsvc" = "%CommonAppData%\pavsdata\21.4.exe /min"
  • MODIFY:
    [HKEY_CLASSES_ROOT\.exe\shell\open\command]
    Default="C:\ProgramData\pavsdata\21.4.exe" /ex "%1" %*
    to
    [HKEY_CLASSES_ROOT\.exe\shell\open\command]
    Default="%1" %*
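The following is an added example, not code from the original post, that checks the two persistence points listed above (the hijacked .exe “open” verb and the Run-key entry) and writes a .reg file that restores the default .exe handler. The live registry read only works on Windows, where it would be run from the fresh administrator account created in the steps above; the checking logic is plain Python, and the sample registry values are constructed from the paths listed above rather than read from an infected machine.

```python
# Added example (not from the original post): detect the ".exe" association
# hijack and suspicious Run entries, and emit a .reg file restoring the default.
import re

DEFAULT_EXE_COMMAND = '"%1" %*'      # what HKCR\.exe\shell\open\command must hold
EXE_OPEN_KEY = r".exe\shell\open\command"

# Locations a Run-key entry should not normally launch from.
USER_WRITABLE_HINTS = (
    "%commonappdata%", "%appdata%", "%localappdata%", "%temp%",
    "\\programdata\\", "\\appdata\\", "\\all users\\",
)


def is_exe_command_hijacked(command: str) -> bool:
    """Anything other than "%1" %* means another binary wraps every .exe launch."""
    return " ".join(command.strip().split()) != DEFAULT_EXE_COMMAND


def hijacker_path(command: str):
    """Return the wrapper executable from a hijacked command, or None."""
    m = (re.match(r'\s*"([^"]+\.exe)"', command, re.IGNORECASE)
         or re.match(r'\s*(\S+\.exe)\b', command, re.IGNORECASE))
    return m.group(1) if m else None


def flag_run_entries(entries: dict) -> list:
    """Names of Run-key values whose command lives in a user-writable data folder."""
    return [name for name, cmd in entries.items()
            if any(hint in cmd.lower() for hint in USER_WRITABLE_HINTS)]


def build_reg_fix() -> str:
    """A .reg file that restores the default .exe handler.

    Windows normally keeps the open verb under HKCR\exefile (HKCR\.exe just
    names that class); the rogue adds its own verb directly under HKCR\.exe,
    so both keys are set to the default here.
    """
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        "[HKEY_CLASSES_ROOT\\.exe\\shell\\open\\command]\r\n"
        "@=\"\\\"%1\\\" %*\"\r\n\r\n"
        "[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]\r\n"
        "@=\"\\\"%1\\\" %*\"\r\n"
    )


def read_live_exe_command():
    """Current default value of HKCR\.exe\shell\open\command (Windows only), else None."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, EXE_OPEN_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "")
            return value
    except OSError:
        return None


# Constructed samples mirroring the values in the removal list above.
SAMPLE_EXE_COMMAND = r'"C:\ProgramData\pavsdata\21.4.exe" /ex "%1" %*'
SAMPLE_RUN_ENTRIES = {
    "avsdsvc": r"%CommonAppData%\pavsdata\21.4.exe /min",
    "Adobe Reader Speed Launcher": r'"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"',
}

if __name__ == "__main__":
    live = read_live_exe_command()
    command = live if live is not None else SAMPLE_EXE_COMMAND
    print("checked :", command)
    if is_exe_command_hijacked(command):
        print("hijacked by:", hijacker_path(command))
        with open("restore_exe_assoc.reg", "w", newline="") as fh:
            fh.write(build_reg_fix())
        print("wrote restore_exe_assoc.reg; import it with regedit from the clean account")
    print("suspicious Run entries:", flag_run_entries(SAMPLE_RUN_ENTRIES))
```

Import the generated .reg file from the clean account (or with regedit launched from Safe Mode with Command Prompt) before deleting the pavsdata folder; if the binary is removed first while the association still points at it, every .exe launch fails until the key is restored.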

Removal with Webroot installed

If you already have Webroot installed, then you shouldn’t even have to scan, as we should block this in real time. If you happen to come across a brand-new variant that doesn’t yet have a determination in our database, then you should know about Webroot’s ability to remediate infections without a database determination. All you have to do is open your client, click the “System Tools” tab, and then click “Start” under Control Active Processes. You’ll then be presented with a screen that shows all the active processes that are running:

Anything running under the “monitor” column should be scrutinized. If you find anything randomly named under AppData or ProgramData, then you would set it to “block” and run a scan. Upon finishing the scan, Webroot will remove the file and roll back any changes made by the malware.

Webroot support is always more than happy to help with removal and any questions regarding infections.

New commercially available Web-based WordPress/Joomla brute-forcing tool spotted in the wild

Thanks to the fact that users not only continue to use weak passwords, but also, re-use them across multiple Web properties, brute-forcing continues to be an effective tactic in the arsenal of every cybercriminal. With more malicious underground market releases continuing to utilize this technique in an attempt to empower potential cybercriminals with the necessary tools to achieve their objectives, several questions worth discussing emerge in the broader context of trends and fads within the cybercrime ecosystem.

What’s the current state of the brute-forcing attack concept? Is it still a relevant attack technique, or have cybercriminals already found more efficient, evasive and effective tactics to compromise as many Web sites/servers as possible? Let’s discuss the relevance of the attack concept in 2013, by profiling a recently released WordPress/Joomla brute-forcing and account verification tool.


Master Key Bug Patch – Webroot SecureAnywhere Mobile Update on Google Play Now

By Nathan Collier

Last Friday we blogged about the serious Android OS bug 8219321, better known as the “Master Key” bug, which was reported by Bluebox Security. Check out last week’s blog if you haven’t already: “The implications are huge!” – The Master Key Bug. We mentioned that we had been working diligently on protecting those not yet covered by patches or updates, and on finding a solution for older devices as well. We are happy to report we have the solution: the newest version of Webroot SecureAnywhere Mobile, with a patch for the “Master Key” bug, is on the Google Play store now: Webroot SecureAnywhere Mobile.

Malware is always evolving, and so are we. No matter what new exploits are thrown our way, we have you covered. From all of us at the Webroot Mobile Team, stay safe.

Tens of thousands of spamvertised emails lead to the Win32/PrimeCasino PUA (Potentially Unwanted Application)

By Dancho Danchev

Looking for legitimate online gambling services? You may want to skip the rogue online casinos that I’ll highlight in this post. Over the past few days, we intercepted multiple spam campaigns launched by the same party, enticing users into downloading fake online casinos most commonly known as the Win32/PrimeCasino/Win32/Casonline PUA (Potentially Unwanted Application).


“The implications are huge!” – The Master Key Bug *UPDATED*

By Nathan Collier and Cameron Palan

Last week, Bluebox Security reported they’d found a new flaw in the Android OS, saying “The implications are huge!”. The bug, also known as the “Master Key” bug or “bug 8219321”, can be exploited to modify Android application files, specifically the code within them, without breaking the cryptographic signature. That signature, checked against the developer’s signing certificate, is what Android uses to verify an app’s integrity. Since the bug allows an application to be modified while its signature still appears valid, it is a big deal.
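The teaser above does not say how the signature check is bypassed; public analysis of bug 8219321 showed that the trick was an APK (which is a zip file) containing two entries with the same name, where the signature verifier read one copy and the installer unpacked the other, so the code that was signed was never the code that ran. The following is an added example, not code from the original post or from Bluebox, that builds a constructed APK-like zip with a duplicated classes.dex and shows how a name-based reader silently picks one copy, how to read every copy, and how to reject such a file before any signature check. Entry contents are made up for the demo.

```python
# Added example (not from the original post): duplicate zip entries of the
# kind abused by Android bug 8219321, and a pre-verification check for them.
import io
import warnings
import zipfile


def build_sample_apk(duplicate: bool) -> bytes:
    """Constructed sample: a minimal zip, optionally with classes.dex stored twice."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035\x00 SIGNED-ORIGINAL-CODE")
            if duplicate:
                zf.writestr("classes.dex", b"dex\n035\x00 ATTACKER-CODE")
    return buf.getvalue()


def duplicate_entries(apk: bytes) -> dict:
    """Names appearing more than once in the central directory -> their header offsets."""
    offsets = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            offsets.setdefault(info.filename, []).append(info.header_offset)
    return {name: offs for name, offs in offsets.items() if len(offs) > 1}


def all_copies(apk: bytes, name: str) -> list:
    """Every copy of `name`, read via its ZipInfo so no entry hides behind another."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return [zf.read(info) for info in zf.infolist() if info.filename == name]


def lookup_by_name(apk: bytes, name: str) -> bytes:
    """What a name-based reader sees: zipfile keeps the last entry for a repeated name.

    Two components that resolve the name differently (one takes the first
    entry, one the last) will disagree about what the file contains, which is
    exactly the gap the Master Key bug exploited.
    """
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return zf.read(name)


def is_well_formed(apk: bytes) -> bool:
    """Reject before verifying signatures: one name must map to exactly one entry."""
    return not duplicate_entries(apk)


if __name__ == "__main__":
    apk = build_sample_apk(duplicate=True)
    print("duplicates:", duplicate_entries(apk))
    print("by name   :", lookup_by_name(apk, "classes.dex"))
    print("all copies:", all_copies(apk, "classes.dex"))
    print("accept?   :", is_well_formed(apk),
          "/ clean sample:", is_well_formed(build_sample_apk(duplicate=False)))
```

The point of `is_well_formed` is ordering: an integrity check that walks the central directory by name can be fooled, so the structural check (no repeated names) has to run first, and the content that is hashed for the signature must be the same bytes that are later extracted.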