This week Mike and Chris talk about the recent security news, the new landscape of malware and much more.



Below are notes and links to the items we talked about in this week's show.


Pirated App Stores on iOS?

  • Uses Apple's enterprise distribution program, the mechanism meant for corporations to distribute their own in-house apps to employees
  • Not a big security risk
  • Apps can be installed straight from links sent by email
  • Apple will fix this issue soon

Software update out for iOS! Make sure to update your devices

  • Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information
  • Description: Several intermediate CA certificates were mistakenly issued by TURKTRUST. This may allow a man-in-the-middle attacker to redirect connections and intercept user credentials or other sensitive information. This issue was addressed by not allowing the incorrect SSL certificates.
  • Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
  • Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
  • Impact: Copying and pasting content on a malicious website may lead to a cross-site scripting attack
  • Description: A cross-site scripting issue existed in the handling of content pasted from a different origin. This issue was addressed through additional validation of pasted content.
  • Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack
  • Description: A cross-site scripting issue existed in the handling of frame elements. This issue was addressed through improved origin tracking.


Free Windows 8 Activator? Think Again


Will we see more malware propagating via Skype in the future?

Another piece of malware that uses Skype plugins to propagate:

  • Shylock malware which spreads via Skype is not the only threat that users should be worried about. We found another worm that takes advantage of Skype to spread copies of itself.
  • Reports of Shylock malware found in certain Skype messages were a hot topic last week. We looked into the related samples and, based on our analysis, the malware (detected as WORM_BUBLIK.GX) downloads and loads additional plugins, including {C&C}/files/010-update-vl0d3/msg.gsm (detected as WORM_KEPSY.A). Once executed, this malicious plugin has the ability to clear the Skype message history.
  • The other threat we found on Skype, detected as WORM_PHORPIEX.JZ, drops copies of itself on all removable drives. As with WORM_BUBLIK.GX, users may encounter this threat as a Skype message with links to the malware. WORM_PHORPIEX.JZ connects to specific Internet Relay Chat (IRC) servers and joins the channel #go. It also downloads and executes other malware onto the system and sends email messages carrying an attachment that is actually a copy of itself.
  • WORM_PHORPIEX.JZ also downloads the plugin WORM_PESKY.A, which generates the Skype message containing
  • Skype is no stranger to malware

Yahoo and Windows Messenger

A Remote Access Trojan disguises its network traffic to look like Windows Messenger and Yahoo! Messenger traffic:

A family of RATs that makes its network traffic look like various protocols:

Hiding in Plain Sight: The FAKEM Remote Access Trojan

  • To get around this, attackers are always looking for ways to blend their malicious traffic with legitimate traffic to avoid detection. We found a family of RATs that we call "FAKEM" that makes their network traffic look like various protocols. Some variants attempt to disguise network traffic to look like Windows® Messenger and Yahoo!® Messenger traffic. Another variant tries to make the content of its traffic look like ordinary web traffic. The FAKEM RAT appears to have been actively used in attacks since September 2009.
  • However, while there appear to be links between certain FAKEM RAT attacks and known campaigns (especially those involving Protux), it remains unclear whether all the attacks that used this malware are connected. It is possible that separate threat actors are using the FAKEM RAT.
  • While it is possible to distinguish the network traffic FAKEM RAT variants produce from the legitimate protocols they aim to spoof, doing so in the context of a large network may not be easy. The RAT's ability to mask its traffic may be enough to give attackers the cover they need to survive longer in a compromised environment.
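The point in the last bullet, that spoofed messenger traffic is distinguishable but only if something actually checks it, is easiest to see with a protocol-conformance check. The example below is added here and is not code from the show or from the Trend Micro write-up; it knows nothing about FAKEM's real byte patterns. It uses the publicly documented YMSG (Yahoo! Messenger) framing: a 20-byte header ("YMSG", version, vendor, payload length, service, status, session id) followed by key/value fields, each terminated by the bytes 0xC0 0x80. The three sample frames are constructed for the example, not captured: one legitimate frame, one that carries a "YMSG" header whose length field was never filled in, and one whose length is right but whose payload is an opaque blob rather than chat fields. The printable-byte threshold is an assumption, not a protocol rule.

```python
import struct
from typing import Dict, List, Sequence, Tuple

# YMSG framing as publicly documented:
#   "YMSG" | version(2) | vendor(2) | payload length(2) | service(2) | status(4) | session id(4) | payload
# Payload = key/value fields, each field terminated by 0xC0 0x80. All integers are big-endian.
YMSG_MAGIC = b"YMSG"
YMSG_HEADER_LEN = 20
YMSG_HEADER_FMT = ">HHHHII"
FIELD_SEP = b"\xc0\x80"
NONPRINTABLE_RATIO = 0.3   # assumption: chat field values are mostly printable text


def build_ymsg_frame(fields: Sequence[Tuple[int, str]], version: int = 16, vendor: int = 0,
                     service: int = 6, status: int = 0, session: int = 0x1234) -> bytes:
    """Build a well-formed YMSG frame; used here only to construct sample traffic."""
    payload = b"".join(str(k).encode() + FIELD_SEP + v.encode() + FIELD_SEP for k, v in fields)
    header = YMSG_MAGIC + struct.pack(YMSG_HEADER_FMT, version, vendor, len(payload),
                                      service, status, session)
    return header + payload


def check_ymsg_frame(frame: bytes) -> List[str]:
    """Return conformance anomalies for one frame that claims to be YMSG (empty = looks legitimate)."""
    anomalies: List[str] = []
    if len(frame) < YMSG_HEADER_LEN or frame[:4] != YMSG_MAGIC:
        return ["no YMSG header"]
    _ver, _vendor, length, _service, _status, _session = struct.unpack(
        YMSG_HEADER_FMT, frame[4:YMSG_HEADER_LEN])
    payload = frame[YMSG_HEADER_LEN:]

    # 1. The header's length field must describe the bytes that actually follow it.
    if length != len(payload):
        anomalies.append(f"declared length {length} != actual payload {len(payload)}")
    if not payload:
        return anomalies

    # 2. Fields come in key/value pairs and every field ends with 0xC080.
    if not payload.endswith(FIELD_SEP):
        anomalies.append("payload not terminated by 0xC080 field separator")
    parts = payload.split(FIELD_SEP)
    if payload.endswith(FIELD_SEP):
        parts = parts[:-1]          # drop the empty string after the final separator
    if len(parts) % 2 != 0:
        anomalies.append("odd number of fields (key without value)")

    # 3. YMSG keys are small decimal integers written in ASCII.
    keys = parts[0::2]
    if any(not k.isdigit() for k in keys):
        anomalies.append("non-numeric field key")

    # 4. Values are human chat text; an encrypted or encoded blob is mostly non-printable.
    values = b"".join(parts[1::2])
    if values:
        nonprintable = sum(1 for b in values if b < 0x20 or b > 0x7E)
        if nonprintable / len(values) > NONPRINTABLE_RATIO:
            anomalies.append(f"{nonprintable}/{len(values)} value bytes are non-printable")
    return anomalies


def triage(frames: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run the check over a batch and keep only the frames that raised anomalies."""
    return {name: hits for name, hits in ((n, check_ymsg_frame(f)) for n, f in frames.items()) if hits}


# Constructed samples (not captures).
LEGIT_FRAME = build_ymsg_frame([(0, "alice"), (1, "alice"), (5, "bob"), (14, "lunch at 12?")])
BLOB = bytes((i * 37 + 11) & 0xFF for i in range(40))          # stand-in for an encoded C2 payload
FAKE_FRAME_BAD_LEN = YMSG_MAGIC + struct.pack(YMSG_HEADER_FMT, 16, 0, 0, 6, 0, 0x1234) + BLOB
FAKE_FRAME_BLOB = YMSG_MAGIC + struct.pack(YMSG_HEADER_FMT, 16, 0, len(BLOB), 6, 0, 0x1234) + BLOB
SAMPLES = {"legit": LEGIT_FRAME, "fake_bad_len": FAKE_FRAME_BAD_LEN, "fake_blob": FAKE_FRAME_BLOB}

if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        print(name, "->", "; ".join(hits))
```

The checks are cheap per frame, which is the easy half of the problem the bullet describes; the hard half is that on a large network every real messenger session has to pass the same checks without false positives, so a check like this belongs on a sensor that already carves the flow into frames, not on a full-packet stream.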

APTs (Advanced Persistent Threats)  SKIP – not news, use in future episode on how to


Some tips to help IT administrators trace APTs:
Throwing Some Light on APT Hacktools

  • Password recovery tools – tools for extracting passwords or password hashes stored by applications or the operating system on the local drive or in registry entries. These are typically used to clone or impersonate user accounts in order to obtain administrator rights. The pass-the-hash technique is one common method for attackers to gain administrator rights using stolen password hashes.
  • User account clone tools – used to clone a user account once password has been obtained by the attacker. Upon acquiring enough privileges, the attacker can then execute malicious intent while bypassing the system’s security measures.
  • File manipulation tools – tools for manipulating files such as copying, deleting, modifying timestamps, and searching for specific files. It is used for adjusting timestamps of accessed files or for deleting components to cover tracks of compromise. It can also be used for searching key documents for extraction where the attacker can search for files with specific file extensions.
  • Scheduled job tools – software for disabling or creating scheduled tasks. This can help the attacker to lower the security of the infected system by disabling scheduled tasks for software updates. Likewise, it can also be used maliciously. For instance, the attackers can create a scheduled task that will allow them to automatically steal files within a certain timeframe.
  • FTP tools – tools that aid in FTP transactions like uploading files to a specific FTP site. Since FTP transactions would look less suspicious in the network, some APT threat actors prefer to upload stolen data to a remote FTP site instead of uploading them to the actual C&C server. It should be noted that there are several legitimate FTP applications, which may also be utilized by cybercriminals.
  • Data compression tools – these tools are neither malicious nor considered as hacking tools. In most cases, these are legitimate file compression tools, such as WinRAR, being utilized by attackers to compress and archive multiple stolen files. This aids the attacker in the data exfiltration phase where they can upload stolen documents as a single archive. In a few cases, however, we have seen these applications being packaged and configured to compress a predefined set of files.
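The "file manipulation tools" bullet above mentions adjusting timestamps of accessed files to cover tracks. A check an IT administrator or responder can run for that is a comparison of the two timestamp sets NTFS keeps for every file: $STANDARD_INFORMATION (SI), which any process with write access can set through the normal file-time API, and $FILE_NAME (FN), which the kernel writes when a file is created, renamed or moved and which the usual timestomping tools do not touch. The example below is added here and is not code from the show or from Trend Micro's post; the three MFT-style records are constructed for the example, the paths are placeholders, and the two-second tolerance is an assumption. The zero-sub-second heuristic is a weak indicator and is labelled as such in the code.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class MftRecord:
    """Subset of an NTFS MFT entry: $STANDARD_INFORMATION (SI) and $FILE_NAME (FN) timestamps."""
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime


def timestomp_indicators(rec: MftRecord, tolerance: timedelta = timedelta(seconds=2)) -> List[str]:
    """Return the timestomping indicators that fire for one record (empty list = nothing odd)."""
    hits: List[str] = []
    # 1. SI is user-settable (SetFileTime and the tools built on it); FN is written by the kernel on
    #    create/rename/move. Normal use never leaves SI earlier than FN, timestomping usually does.
    if rec.si_created + tolerance < rec.fn_created:
        hits.append("SI created precedes FN created")
    if rec.si_modified + tolerance < rec.fn_modified:
        hits.append("SI modified precedes FN modified")
    # 2. NTFS stores 100-ns precision. A whole-second SI timestamp is a weak indicator: many
    #    timestomping tools accept whole seconds, but so do files copied from FAT media.
    for label, ts in (("created", rec.si_created), ("modified", rec.si_modified)):
        if ts.microsecond == 0:
            hits.append(f"SI {label} has a zero sub-second part (weak indicator)")
    return hits


def scan(records: List[MftRecord]) -> Dict[str, List[str]]:
    """Map each flagged path to its indicators; clean records are omitted."""
    return {r.path: hits for r in records if (hits := timestomp_indicators(r))}


# Constructed records (not from a real image); the paths are placeholders.
NORMAL = MftRecord(
    path="C:\\Users\\jdoe\\Documents\\budget.xlsx",
    si_created=datetime(2013, 1, 20, 9, 15, 22, 123456),
    si_modified=datetime(2013, 1, 22, 16, 40, 3, 987654),
    fn_created=datetime(2013, 1, 20, 9, 15, 22, 123456),
    fn_modified=datetime(2013, 1, 22, 16, 40, 3, 987654),
)
# A copy from elsewhere keeps the source's modified time in SI but gets fresh FN times:
# it trips the "modified" rule, which is why these hits are leads to review, not verdicts.
COPIED = MftRecord(
    path="C:\\Users\\jdoe\\Downloads\\report.docx",
    si_created=datetime(2013, 1, 25, 10, 0, 0, 500000),
    si_modified=datetime(2012, 6, 1, 8, 30, 0, 250000),
    fn_created=datetime(2013, 1, 25, 10, 0, 0, 500000),
    fn_modified=datetime(2013, 1, 25, 10, 0, 0, 500000),
)
# SI set back to a whole-second 2010 date while FN still shows when the file really appeared.
STOMPED = MftRecord(
    path="C:\\ProgramData\\tool.exe",
    si_created=datetime(2010, 3, 4, 12, 0, 0),
    si_modified=datetime(2010, 3, 4, 12, 0, 0),
    fn_created=datetime(2013, 1, 28, 14, 2, 11, 331200),
    fn_modified=datetime(2013, 1, 28, 14, 2, 11, 331200),
)
RECORDS = [NORMAL, COPIED, STOMPED]

if __name__ == "__main__":
    for path, hits in scan(RECORDS).items():
        print(path)
        for h in hits:
            print("   ", h)
```

On a real case the records come from an MFT parser rather than from literals, and the SI-versus-FN rule is combined with other sources (the $UsnJrnl, $LogFile, and prefetch files) before anything is called tampered; this example only shows the comparison itself.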

What cybercriminals do with your data

Cybercriminals buy electronic devices with hacked credit cards then sell them for a discounted price:

Have you ever wondered what cybercriminals do with stolen information?

“Fullz” contain victim profiles, containing lots of personal information:

  • Would it be surprising to know that it would cost merely $5 (USD) to buy all of your personal information on underground forums and sites? Some of you may also be surprised to find out that the information for sale isn't just your name and address; it's far more than that.
  • "Fullz", as they are referred to in underground forums, contain not just credit card numbers, names, and dates of birth. "Fullz" are typically delivered in one of several ways. First, as a text or .CSV file containing all of the information in comma-separated form, with all of the details of the compromised individuals included for easy perusal. In addition, "fullz" can be delivered in a portable database format, such as an .MDF file, for easy local database import. You can also find the personal questions asked during account registration, as well as driver's license information, social security numbers, and other data.
  • These scammers also offer the sale of "dumps", which are the raw data off the magstripe of your credit cards. In addition to dumps, they sell "plastics", which are blank cards that dumps are written to.
  • And finally, to make scamming even easier, attackers are selling direct logins for bank accounts as well as the transportation of high-end electronics. Bank accounts are being sold for direct access to the money: no more buying dumps and plastics, just use the bank login information and transfer the money.
  • High-end electronics are also peddled on the black market at reasonable prices. These scammers buy devices at retail price using stolen credit card information, then sell them at discounted rates online for cash.
  • Attackers will make use of your information in one of several ways. First, they could clone your credit card's magstripe and make large purchases with it. They can then sell those stolen goods for a lower price online. In addition, they will likely re-sell your information to other crooks to use in the same type of scheme.
  • In addition to cloning your data, a scammer may use your information to clone your identity or to purchase bulletproof hosting. Bulletproof hosting allows massive leniency on what is uploaded to the servers and places few constraints on the activity sourced from them. These servers are often used to bypass laws in many jurisdictions. Furthermore, registering them with stolen information makes the people behind these bulletproof servers very hard to locate. As a result, your information could be sold on the black market tens or hundreds of times.
  • We are also seeing an increased marketability for all the mentioned items as well as increased ability to sell. These sellers are using sites that don’t require registration for purchasing, thus opening the door for more buyers to enter the market.
  • In addition, we are seeing increased usage of “escrowing” these goods. It’s no surprise that scammers even scam each other, and this is a common concept in these forums. To prevent this from happening, escrowing has been coming back in force. The buyer of these scammed products pays the escrow agent, who tests the dump to ensure they work. Once testing has been confirmed, payment is sent to the seller, and likewise, the data sent to the buyer.


What should SMBs look out for?

2013 #SMB Security Predictions – what to watch out for as a small business:

  • Small and Medium Sized Businesses moving to the Cloud and Smart Mobile Devices
  • Moved beyond computers and laptops
  • More devices means more to secure and harder to secure
  • More working environments
  • BYOD growing in popularity
  • Data Breaches will remain an issue even with data in the cloud
  • Cybercriminals will start to heavily abuse cloud services
  • Attacks will become more sophisticated

Fake version of Temple Run 2

Fake Versions of Temple Run 2 Sprint Their Way to Users

Just days after its release on the Apple App Store, some sites are already offering their own dubious versions of Temple Run 2 for Android.
With 20 million downloads just 4 days after its release on the Apple App Store, Temple Run 2 is indeed highly-anticipated among Temple Run fans and gaming fanatics. While the Android version of the game is scheduled for release this Thursday, we already found certain websites peddling what appears to be Temple Run 2 for Android.
We downloaded a supposed Temple Run 2 app and analyzed it. Luckily, the apps (detected by Trend Micro as ANDROIDOS_FAKETEMPLRUN.A) do not exhibit any noteworthy malicious routines. However, they do send ad notifications to users. And to rub salt in the wound, neither app runs the actual Temple Run game.

Android Again

#Android #Exprespam Potentially Infects Thousands of Devices

  • Android.Exprespam
  • about 2 weeks old
  • great success for the malware authors
  • Thousands of devices infected
  • 75,000 – 450,000 pieces of personal information have been stolen
  • More domains found so the malware creators are just getting started

Android will hit a million malicious apps

The Android malware used for the “mobile botnet”:

  • The related samples we analyzed (detected by Trend Micro as ANDROIDOS_KSAPP.A, ANDROIDOS_KSAPP.VTD, ANDROIDOS_KSAPP.CTA, ANDROIDOS_KSAPP.CTB, and AndroidOS_KSAPP.HRX) came from a certain third-party app store, though we suspect several other sites also carry them. Typically, these apps are marketed as gaming apps, some of them bearing the names of, or being repackaged versions of, popular gaming titles.
  • The first batch of samples we analyzed was packaged under the same app title, purportedly from the same company.
  • Once any of these malicious apps is installed on a device, it communicates with the following remote sites to acquire a compressed script, then parses that script:
  • http://{BLOCKED}y.{BLOCKED}
  • http://{BLOCKED}n.{BLOCKED}
  • http://{BLOCKED}

Think you’re safe from malware on Android? Think again.  @TrendMicro

  • Mobile Threats: 350,000 and Growing
  • By the end of 2012, the number of Android malware samples grew to 350,000. This was monumental growth from the 1,000 mobile malware samples we saw at the end of 2011. Much of this growth was driven by adware and premium service abusers, which accounted for a sizable majority of the increase.
  • The popularity of Android in the mobile space means that it is now facing threats similar to what has faced Windows in the desktop space. This threat grew and became more sophisticated throughout the entire year, and we expect that this will continue into 2013.

New post: Android Malware Found to Send Remote Commands  @TrendMicro


IE6 usage in USA is down to less than one half of one percent. Call your grandparents, we can end this scourge tonight.

  • 0.4% in the US
  • 21.3% in China
  • 4.7% in Japan

Red October

Why Red October malware targeting governments worldwide is the Swiss Army knife of espionage …

  • Swiss army knife
  • over 1000 separate components
  • undetected for 5 years
  • Recon: Short for reconnaissance, these modules are used during the first stage of an attack, immediately after a computer has been infected. They collect general information about the target system so operators can understand how valuable it is and decide what other modules they want to install. These modules also collect browsing history, stored passwords, and FTP client settings, running as one-time tasks.
  • Password: Modules in this category extract credentials from an array of programs, including from the secure temporary folder of Microsoft Outlook, and Agent, a popular free application available from Modules also collect Windows account hashes, apparently for offline cracking.
  • E-mail: Specific modules extract messages and data stored locally by clients such as Outlook and Thunderbird, as well as from remote POP3 or IMAP mail servers. They’re capable of dumping message headers and bodies, in addition to attachments with pre-defined file-name extensions.
  • USB Drive: Steals files from drives attached over USB connections. Modules have the ability to collect files with pre-defined extensions, sizes, or dates. They can also use a file-system parser to recognize, restore, and copy deleted Microsoft Office files.
  • Keyboard: Records keystrokes, grabs text entered into password fields, and makes screen captures.
  • Persistence: Contains installers and payload code for Word and Reader plugins used to regain control of previously compromised computers that may have been partially disinfected.
  • Spreading: Scans for hosts on a local network, and then infects them using previously extracted credentials or attacks that exploit unpatched vulnerabilities. One module in this group can use SNMP commands to dump Cisco network router configuration data.
  • Mobile: Dumps valuable information from attached smartphones, including contacts, calendars, SMS and e-mail messages. Some modules can check to see if a device is jailbroken.
  • Exfiltration: Transfers data stored on local hard drives and available FTP servers and remote network shares to command servers controlled by the attackers. Unlike the Recon modules above, these modules run repeatedly.
  • USB Infection: Copies execution logs and other data files related to the current malware family from USB drives. This is the only one of the categories for which Kaspersky has not been able to retrieve modules.

Cisco Router Bug

Cisco Confirms Existence of Root Access Vulnerability in One Linksys Router Model

  • WRT54GL
  • “At this point, no other Linksys products appear to be impacted. We have developed and are testing a fix for this issue, and will release it for our customers as soon as possible,” the company stated.
  • “Until this time, customers using the WRT54GL can stay safe by ensuring their wireless network is securely configured, and the only people using an Ethernet cable for connecting to the router are friends.”
  • When researchers from DefenseCode made their findings public, they said that Cisco initially claimed that the vulnerability had been fixed some months ago.

Cisco Selling Linksys to Belkin

POS System Breach

zaxby’s announces POS system breach

Future of Malware

Why data breaches and politically motivated attacks will continue, if not become more destructive

How law enforcement will respond to cybercriminals in the coming years:

Raimund explains why Africa will be the next safe harbor for cybercriminals

  • Consumers will use multiple computing platforms and devices. Securing these will be complex and difficult.
    • The Windows-centric computing environment of the past has been replaced with a diverse, multi-screen environment thanks to tablets and smartphones. Each operating system brings its own unique usage model and interface. Because of this, it becomes a challenge for users to secure each and every device they own.
    • It's quite possible that many users will simply give up and leave the defaults in place. However, these may not be the most secure or private settings.
  • Conventional malware threats will only gradually evolve, with few, if any, new threats. Attacks will become more sophisticated in terms of deployment.
    • Malware authors already have a wide variety of tools at their disposal to carry out their objectives. Because of this, I expect conventional malware to evolve relatively slowly. Developments here will largely revolve around refinements to existing tools, or responses to moves by security vendors. (A good example of the latter case in 2012 was the release of Blackhole Exploit Kit 2.0, a direct response to successful efforts to block attacks that used the previous 1.x version.)
    • What will change is how the attacks are conducted. What we will see is an increase in the sophistication, skill, and cunning in how victims are made to click on links, open e-mails, and download attachments.
  • Africa will become a new safe harbor for cybercriminals.
    • There are two factors that will drive this development. First of all, the continent’s Internet infrastructure is gradually improving. Secondly, local law enforcement of anti-cybercrime laws is still weak. This combination could make cybercrime a “growth industry” in Africa.
    • These are just some of my predictions for 2013 and beyond. The rest of my predictions can be found in our full predictions document titled Security Threats to Business, the Digital Lifestyle, and the Cloud.

Anti-virus makers struggle to address today’s next-generation viruses (via @nytimes):

  • Anti-Virus software does not work very well
  • Malware is moving too fast
  • in 2000 there were fewer than 1,000,000
  • in 2010 there were 49,000,000
  • Changed from being annoyances to profit making
  • Anti-Virus is re-active
  • Looking at new techniques

Spam malware targets Australians

Downloader Targets Down Under

  • subject: Tax Agent Report – Delayed Tax Returns

Mega sending cleartext passwords in confirmation emails

Cracking tool milks weakness to reveal some Mega passwords

