
Monday, December 12, 2016

New Ransomware Offers Free Decryption Key to Victims if They Infect Others


Ransomware threats have become more sophisticated and twisted in recent times. Over the past few months, malware attacks have been carried out around the world on an alarming scale. The most recent case allegedly involves a Syrian group that wants more than just a ransom.

A ransomware named "Popcorn Time" encrypts your Windows files with AES-256 encryption. To unlock the files, the victim needs to pay one Bitcoin ($780 or roughly Rs. 52,600). However, the malware also offers an alternative way to unlock the files.

The victim is also given the choice of infecting two more people via a referral link. If they get infected and pay the ransom, the original victim receives a free decryption key to unlock the files. It has additionally been found that entering a wrong decryption code more than a few times can permanently lock the files.

The ransomware encrypts files in the Documents, Pictures, Music and Desktop folders and, after a recent update, targets a number of additional file extensions. The ransomware is reportedly still in development and certain details may change with future updates.


Ransomware such as "Popcorn Time" has been a common sight, and traditionally victims had no way out other than paying up. However, offering a free decryption key in exchange for infecting others is something quite new, and it serves the group's purpose of spreading the ransomware widely.

The ransomware, spotted by MalwareHunterTeam, was reportedly made by a group of computer science students from Syria, who claim the ransom will be used for food and shelter in Syria.


"We are extremely sorry that we are forcing you to pay but that's the only way that we can keep living," said the ransomware note.

Source: BleepingComputer
Follow Me on Twitter>>>> @iamBhavish
And like us on Facebook>>> The Gud1

Wednesday, November 30, 2016

More Than 1 Million Google Accounts Breached by Gooligan; Here's How to Check If Your Device Is Infected


Google's Android OS has always faced public wrath for its security vulnerabilities, and it looks like that is bound to continue for some time. Security researchers from Check Point Software Technologies have found that a new malware family, which they are calling Gooligan, has compromised about 1 million accounts.

It has been found in at least 86 apps available in third-party marketplaces. Once installed, it uses a rooting process to gain insider access to your system. It is said to affect devices running Android versions 4+. It should be noted that the vulnerable versions account for 74 percent of users.

The rooted devices then download and install software that steals authentication tokens, giving the attacker access to the device owner's Google-related accounts without needing the password. These tokens work across several Google products, including Gmail, Google Photos, Google Docs, Google Play, Google Drive and G Suite.

Basically, a Google authorization token is issued by Google and provides access to a user's Google account and related services. Once a hacker has stolen it, they can use the token to access all of your Google services.




Is my Device Affected?

If you have been downloading apps from sources other than the official Play Store and want to check whether your account is compromised, you can do so at gooligan.checkpoint.com.


You can also check this list of apps; if you have downloaded any of them, your device is infected.

Oh No, My Device is Affected. What do I do now?

Check Point's report lists two things that you would have to do. Firstly, a clean installation of the operating system on your mobile device, i.e. "flashing" a clean operating system.

This is a complex process, and it is recommended that users who lack the knowledge approach a certified technician or mobile service provider. Secondly, change your Google account passwords as soon as possible.

I would personally like to advise all the readers to not download Android apps from third-party stores.

Source: Check Point Software Technologies

Wednesday, November 23, 2016

Caution: Hackers Could Be Using Your Headphones to Spy on You


Malware that can covertly transform headphones into a pair of microphones can turn your personal computer into an unremitting spying device, warn researchers.

Using the malware called SPEAKE(a)R, the researchers at Ben-Gurion University of the Negev (BGU) in Israel demonstrated how most PCs and laptops today are susceptible to this type of attack.

Researchers Mordechai Guri, Yosef Solewicz, Andrey Daidakulov and Yuval Elovici have also published a paper describing their proof-of-concept software, SPEAKE(a)R, which can covertly turn the headphones connected to a PC or laptop into a microphone. In their video, they demonstrate an attack scenario in which the malware uses a computer as an eavesdropping device even when the microphone is absent, muted, taped over or turned off.

Over-suspicious users sometimes open up their laptops or PCs to remove the built-in microphone, or tape over their web cameras, to prevent their devices from being used to spy on them. However, Guri explains, "People don't think about this privacy vulnerability. Even if you remove your computer's microphone, if you use headphones you can be recorded."


The report explains that the Ben-Gurion researchers demonstrated this hack by using a feature of the Realtek audio codec chip to switch the PC's output channel into an input channel. The researchers further claim that these Realtek chips are extremely common and are found in almost every computer out there, whether it runs Windows or macOS. "This is the real vulnerability. It's what makes almost every computer today vulnerable to this type of attack," explains Guri.

Through this loophole, the researchers claim, hackers can record audio from as far as 20 feet away and then compress it so that it is easy to share over the Internet. Many users are paranoid about their devices being hacked and take different measures to prevent it. For example, Facebook CEO Mark Zuckerberg tapes over his web camera to prevent hackers from spying through the lens.

However, it's good to keep in mind that a simple quick fix won't eradicate this vulnerability. The researchers claim that replacing and redesigning the Realtek chip in all current and future computers is the only effective solution for now.

Source: Research Paper

Friday, September 16, 2016

Pokemon Go Related Malware Found on Google Play, Says Kaspersky Lab


Pokemon Go has been in the spotlight for most of 2016, and the augmented reality game seemingly doesn't like staying out of the news. Niantic recently announced that the game has been downloaded around 500 million times since its launch, but the latest reports suggest that the game has also received the unwanted attention of hackers.

Security software group Kaspersky Lab recently reported a Pokemon Go-related malicious app on Google Play named 'Guide for Pokemon Go' that was capable of giving hackers root access to Android smartphones. According to Google Play, the app had been downloaded over 500,000 times before being pulled.


However, only 6,000 of the roughly 500,000 devices have been affected, as the malware does not activate right away. It is important to note that India is among the locations where successful infections have taken place.

Kaspersky elaborates on the activation delay, saying, "It waits for the user to install or uninstall another app, then checks to see if that app runs on a real device or on a virtual machine. If it turns out that it's dealing with a device, the Trojan will wait for a further two hours before starting its malicious activity."

According to Kaspersky Lab, its analysis of the app revealed that it included a 'malicious' piece of code that downloads rooting malware capable of gaining access to the core Android operating system. The company's software detects the Trojan as 'HEUR:Trojan.AndroidOS.Ztorg.ad'.


The company claims that at least one more version of this app was also available through Google Play in July 2016. It further said that it has tracked at least nine other apps infected with this Trojan that were available through Google Play "at different times since 2015."

Users are advised to pay attention when downloading apps related to popular applications and games, as hackers might take advantage of even slight carelessness.

Source: Kaspersky Lab


Monday, May 13, 2013

[Hook Analyser 2.5] Application (and Malware) Analysis tool


Application (and Malware) Analysis tool. Hook Analyser is a hooking tool that can be helpful in reversing applications and analysing malware.


Changelog v2.5

Version 2.5 has five key functionalities:
  1. Spawn and Hook to Application – This feature allows an analyst to spawn an application and hook into it. The module flow is as follows:
    1. PE validation (with XOR bruteforce)
    2. Static malware analysis
    3. Other options (such as pattern search or dump all)
    4. Type of hooking (Automatic, Smart or Manual)
    5. Spawn and hook

  Currently, three types of hooking are supported:
    • Automatic – The tool parses the application's import tables and, based on those, hooks into the specified APIs.
    • Manual – The tool asks the end user, for each API, whether it should be hooked.
    • Smart – Essentially a subset of automatic hooking that excludes uninteresting APIs.

  2. Hook to a specific running process – This option allows an analyst to hook into a running (active) process. The program flow is as follows:
    1. List all running processes
    2. Identify the running process's executable path
    3. Perform static malware analysis on the executable (fetched from the process executable path)
    4. Other options (such as pattern search or dump all)
    5. Type of hooking (Automatic, Smart or Manual)
    6. Hook to a specific running process
    7. Hook and continue the process

  3. Static Malware Analysis – This module is one of the most interesting and useful modules of Hook Analyser; it scans PE (Windows) executables to identify potential malware traces. Its sub-components include the following (this is not the full list):
    1. PE file validation (with XOR bruteforce)
    2. CRC and timestamp validation
    3. PE properties such as image base, entry point, sections and subsystem
    4. TLS entry detection
    5. Entry point verification (whether it falls in a suspicious section)
    6. Suspicious entry point detection
    7. Packer detection
    8. Signature trace (extended from the Malware Analyser project), such as anti-VM aware, debug aware, keyboard hook aware etc. This function searches for more than 20 unique malware behaviours (using hundreds of signatures).
    9. Import intel scanning
    10. Deep search (module) – online search of the executable's MD5 on Threat Expert
    11. String dump (ASCII)
    12. Executable file information
    13. Hexdump
    14. PEfile info dumping
    15. …and more.

  4. Application crash analysis – This module enables an exploit researcher and/or application developer to analyse memory contents when an application crashes. It essentially displays the data held in the different registers (such as EIP).

  5. Exe extractor – This module extracts executables from running processes, which can then be further analysed using Hook Analyser, Malware Analyser or other solutions. This module is potentially useful for incident responders.
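As an added example (not Hook Analyser's own code), the Python below sketches two of the static checks named in this changelog and in the v2.4 one further down: single-byte XOR bruteforce to validate a hidden PE header, and verification of which section the entry point falls in. The PE-shaped header it builds is a constructed test input, not a real binary, and the helper names are my own.

```python
import struct

EXECUTE = 0x20000000  # IMAGE_SCN_MEM_EXECUTE section characteristic

def build_sample_pe(entry_rva):
    """Constructed test input: a PE-shaped header only (no code), not a real binary."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections
    opt = bytearray(0xE0)                                           # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                      # AddressOfEntryPoint
    def section(name, va, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, va, 0x1000, 0, 0, 0, 0, 0, flags)
    text = section(b".text", 0x1000, 0x60000020)  # CODE | EXECUTE | READ
    data = section(b".data", 0x2000, 0xC0000040)  # INITIALIZED_DATA | READ | WRITE
    return dos + b"PE\0\0" + coff + bytes(opt) + text + data

def xor_bruteforce(blob):
    """Try every single-byte XOR key; return (key, decoded) for the first key that
    yields 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew, or None if no key fits."""
    for key in range(256):
        dec = bytes(b ^ key for b in blob)
        if len(dec) < 0x40 or dec[:2] != b"MZ":
            continue
        e_lfanew = struct.unpack_from("<I", dec, 0x3C)[0]
        if dec[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return key, dec
    return None

def entry_point_section(pe):
    """Return (section_name, is_executable) for the section holding AddressOfEntryPoint,
    or (None, False) when the entry point lies outside every section (itself suspicious)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", pe, coff + 20 + 16)[0] # AddressOfEntryPoint
    first = coff + 20 + opt_size                            # first section header
    for i in range(nsec):
        fields = struct.unpack_from("<8sIIIIIIHHI", pe, first + 40 * i)
        name, vsize, va, flags = fields[0], fields[1], fields[2], fields[9]
        if va <= entry < va + vsize:
            return name.rstrip(b"\0").decode(), bool(flags & EXECUTE)
    return None, False

def triage(blob):
    """Combine both checks on a possibly XOR-obfuscated blob and return a verdict."""
    found = xor_bruteforce(blob)
    if found is None:
        return {"valid_pe": False}
    key, pe = found
    name, executable = entry_point_section(pe)
    return {"valid_pe": True, "xor_key": key, "entry_section": name,
            "suspicious_entry": not executable}
```

An entry point that lands in a non-executable section (or in no section at all) is the kind of anomaly the "suspicious entry point" check flags; a real scanner would add the remaining header sanity checks before trusting the parsed offsets.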

More Information:

Sunday, April 14, 2013

[REMnux] A Linux Distribution for Malware Analysis

REMnux incorporates a number of tools for analyzing malicious executables that run on Microsoft Windows, as well as browser-based malware such as Flash programs and obfuscated JavaScript. This popular toolkit includes programs for analyzing malicious documents, such as PDF files, and utilities for reverse-engineering malware through memory forensics.

REMnux can also be used for emulating network services within an isolated lab environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and redirects the connections to the REMnux system listening on the appropriate ports.

You can learn the malware analysis techniques that make use of the tools installed and pre-configured on REMnux by taking the Reverse-Engineering Malware course that my colleagues and I teach at SANS Institute.

REMnux focuses on the most practical freely-available malware analysis tools that run on Linux. If you are looking for a more full-featured distribution that incorporates a broader range of digital forensic analysis utilities, take a look at SANS Investigative Forensic Toolkit (SIFT) Workstation.

Originally released in 2010, REMnux has been updated to version 4 in April 2013.


What’s New in REMnux v4

REMnux is now available as an Open Virtualization Format (OVF/OVA) file for improved compatibility with virtualization software, including VMware and VirtualBox. (Here's how to easily install the REMnux virtual appliance.) A proprietary VMware file is also available. You can also get REMnux as an ISO image of a Live CD.

Key updates to existing tools and components:

New tools added to REMnux:

Getting Started With REMnux

The one-page REMnux Usage Tips cheat sheet outlines some of the more popular tools installed on REMnux. Feel free to customize it to incorporate your own tips and tricks.

The recorded Malware Analysis Essentials Using REMnux webcast provides a good overview and examples of some of the tools for performing static malware analysis.

If you find REMnux useful, take a look at the reverse-engineering malware course. It makes use of REMnux and various other tools.

Monday, March 18, 2013

[Dexter] A Free Tool for Mobile (Android) Malware Analysis


Bluebox Labs has just released Dexter, a free tool intended to help information security professionals and malware analysts analyze Android mobile applications in order to find malware and vulnerabilities.


Dexter combines manual and automatic static program analysis to provide a better understanding of an Android application. Since the original application source code is not required, Dexter is useful for third-party binary application analysis and malware reverse engineering.


The following core features are provided to the analyst:
  • App statistics and direct access to all program entry points
  • Package graph visualization
  • Class and inheritance diagrams
  • Class decompilation
  • Method bytecode graph visualization
  • A relational query language and text search feature
  • APK file browser
  • Coloring, tagging and commenting on package, class, method and even basic block layer
  • String listing including code cross reference resolution
  • Automated semantic annotation of program elements
  • Integrated multi-user support for collaboration

More info Here.

Tuesday, March 5, 2013

[Hook Analyser v2.4] Application (and Malware) Analysis tool


Application (and Malware) Analysis tool. Hook Analyser is a hooking tool that can be helpful in reversing applications and analysing malware.


Changelog v2.4
  • Hook Analyser can now analyse DLLs. (Part of the Static Malware Analysis Module)
  • The deep trace functionality has been improved significantly, and it now supports searching for (and logging) traces such as shellcode, filenames, WinSock usage, compiler traces etc. (Part of the Static Malware Analysis Module)
  • Exe extractor – This feature is useful for incident handlers; it allows dumping executables from processes, which can then be analysed using Hook Analyser, Malware Analyser or other tools to check for anomalies. (New module added)
  • The static malware analysis has been further improved, and new features have been added. I will let you explore this. (Part of the Static Malware Analysis Module)
  • Minor bug fixes.

More Information:

Tuesday, January 22, 2013

[6Scan] Searching for Vulnerabilities and Malware on Websites


There are services dedicated to searching for vulnerabilities or malware on websites.

One of the sites offering this service is 6scan. It has a free tier and a paid tier, which offer different options.

Setting up a scan is very simple: to start, we only need to enter our e-mail address and the website to be scanned.

If the 6scan service finds a vulnerability or malware, we are notified by e-mail in the FREE version and by SMS in the PREMIUM version.

The scan is launched against the website in question:

As stated, the scan will notify us if it finds a vulnerability.

We can add more sites to the service:


As I said, depending on whether or not we choose the free service, we get one set of features or another.

A good service that will help us greatly mitigate vulnerabilities that may arise from a poorly done development phase, and even mitigate malware that turns up on our site.

6scan

[Source]