Archive for the ‘McAfee News’ Category

April 17th, 2012

Hacker Leaves Online Trail, Loses Anonymity

Since March 20, the @Anonw0rmer Twitter account has been silent. Its owner, w0rmer, is known as a member of the CabinCr3w group, a hacker team linked to Anonymous.

In early February, as part of the Operations PiggyBank and PigRoast, the CabinCr3w members were suspected of hacking various police department- or law enforcement-related websites including:

  • West Virginia Chiefs of Police Association website (February 5)
  • Salt Lake City Police Department
  • Texas Police Association (February 8)
  • Syracuse Police Department
  • Newark Police Foundation
  • Wisconsin Chiefs of Police Association
  • Dallas Police Department
  • Alabama Department of Public Safety (February 9)
  • Alabama Houston County (February 20)

Among the leaked data are login credentials, badge numbers, addresses, home/mobile/office phones, and social security numbers. The information was leaked to the public and posted on pastebin, pastebay, or pastehtml. The data were generally posted on Twitter account @CabinCr3r, which has been silent since March 12.

On February 5, the first post appeared on the Twitter account @higochoa. More appeared on @Anonw0rmer, which was created the following day.

In the Alabama case, the leaked data were posted on pastehtml by someone named w0rmer. The user’s Twitter profile picture was at the top of the document. At the bottom, our hacker added a photo exhibiting a woman’s breasts with a sign attached to her belly.

Unfortunately, w0rmer was not concerned with what was revealed by the exchangeable image file format (Exif) metadata that accompanied these images. The police, however, were.

I found that downloading the picture and using Phil Harvey’s ExifTool was very informative. I discovered the photo was taken with an iPhone 4 on February 5. Most interesting is the embedded GPS information. It came from a home in Southern Australia.
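The post names ExifTool for the inspection; the following is an added example, not ExifTool and not part of the original article, showing what that inspection actually reads: a minimal JPEG/TIFF walker that pulls the GPS sub-IFD out of an Exif APP1 segment and converts the degrees/minutes/seconds rationals to decimal degrees. It also includes the defensive counterpart, stripping the Exif segment before an image is published. The JPEG is constructed inline (no real photo is embedded) and the coordinates are made up; tag numbers, type codes and the APP1 layout follow the Exif specification.

```python
import struct

TAG_GPS_IFD = 0x8825          # IFD0 entry pointing at the GPS sub-IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004
EXIF_HEADER = b"Exif\x00\x00"


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample: a minimal JPEG (SOI, one Exif APP1 segment, EOI) whose
    TIFF payload holds only a GPS sub-IFD. Not a real photo; coordinates are made up."""
    ifd0_off = 8                      # TIFF header is 8 bytes
    gps_off = ifd0_off + 2 + 12 + 4   # IFD0: count, one entry, next-IFD pointer
    data_off = gps_off + 2 + 4 * 12 + 4

    def rationals(dms):               # three RATIONALs (numerator, denominator) in 10000ths
        return b"".join(struct.pack("<II", int(v * 10000), 10000) for v in dms)

    lat_b, lon_b = rationals(lat_dms), rationals(lon_dms)
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off)                       # little-endian TIFF header
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", TAG_GPS_IFD, 4, 1, gps_off) + b"\x00" * 4
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI4s", TAG_LAT_REF, 2, 2, lat_ref.encode())   # ASCII "S\0" fits in the entry
    tiff += struct.pack("<HHII", TAG_LAT, 5, 3, data_off)                # RATIONAL x3 stored at offset
    tiff += struct.pack("<HHI4s", TAG_LON_REF, 2, 2, lon_ref.encode())
    tiff += struct.pack("<HHII", TAG_LON, 5, 3, data_off + len(lat_b))
    tiff += b"\x00" * 4 + lat_b + lon_b
    payload = EXIF_HEADER + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


def _segments(jpeg):
    """Yield (marker, start, segment_bytes) for each marker segment before the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):       # EOI or SOS: no more metadata segments
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, jpeg[pos:pos + 2 + length]
        pos += 2 + length


def find_exif(jpeg):
    """Return the TIFF payload of the first Exif APP1 segment, or None."""
    for marker, _, seg in _segments(jpeg):
        if marker == 0xE1 and seg[4:10] == EXIF_HEADER:
            return seg[10:]
    return None


def strip_exif(jpeg):
    """Return a copy of the JPEG with every Exif APP1 segment removed (the mitigation)."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, start, seg in _segments(jpeg):
        if not (marker == 0xE1 and seg[4:10] == EXIF_HEADER):
            out += seg
        pos = start + len(seg)
    return bytes(out + jpeg[pos:])


def _read_ifd(tiff, offset, endian):
    """Return {tag: (type, count, 4 raw value/offset bytes)} for the IFD at offset."""
    (n,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def extract_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if there is no GPS Exif."""
    tiff = find_exif(jpeg)
    if tiff is None:
        return None
    endian = "<" if tiff[:2] == b"II" else ">"
    magic, ifd0_off = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF header")
    ifd0 = _read_ifd(tiff, ifd0_off, endian)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = _read_ifd(tiff, struct.unpack(endian + "I", ifd0[TAG_GPS_IFD][2])[0], endian)
    if not all(t in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
        return None

    def coord(ref_tag, val_tag):
        ref = gps[ref_tag][2][:1].decode("ascii")
        (off,) = struct.unpack(endian + "I", gps[val_tag][2])
        d, m, s = (n / (den or 1) for n, den in struct.iter_unpack(endian + "II", tiff[off:off + 24]))
        value = d + m / 60 + s / 3600
        return -value if ref in ("S", "W") else value   # south/west hemispheres are negative

    return coord(TAG_LAT_REF, TAG_LAT), coord(TAG_LON_REF, TAG_LON)


# Constructed coordinates: 34 deg 55' 40" S, 138 deg 36' 00" E (made up for the example)
SAMPLE = build_sample_jpeg((34, 55, 40), "S", (138, 36, 0), "E")

if __name__ == "__main__":
    print("with Exif:  ", extract_gps(SAMPLE))                 # approx (-34.9278, 138.6)
    print("after strip:", extract_gps(strip_exif(SAMPLE)))     # None
```

Run it as a script to see the two results side by side. A real photo carries many more IFD0 and Exif entries than this sample, but the walker only follows the GPS pointer, so it works unchanged on such files; the point for a publisher is that `strip_exif` (or an equivalent step in the upload pipeline) is what keeps the location out of the posted copy.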

As mentioned in the affidavit in support of a criminal complaint, the hacker left some other clues that I followed:

  • Two IP addresses assigned to computers located in Galveston, Texas
  • Five other images (Exif free) posted on the i.imgur.com website, where one finds the same woman in various states of undress holding various other statements by w0rmer or CabinCr3w

A screenshot in another image shows a computer desktop running an IRC chat client (KVIrc) at the bottom right. In its window, the user @higochoa is logged on.

Following the username, I found two posts retrieved via an open-source search on the website gmane.org. One is signed Higino Ochoa AkA w0rmer.

I next retrieved a photo via open-source search for @Higochoa that showed an individual geocaching in Texas. This picture, compared with the one displayed on the driver’s license of the suspect, was of the same individual.

The same person had a Facebook account and another identifiable portrait. According to the profile, the suspect resides in the Galveston area.

On his Facebook profile he states that he is in a relationship with a woman whose Facebook profile indicates she lives in New South Wales, Australia.

Thus we come full circle. Be careful before breaking the law. Using only open-source searches, even an Anonymous member can be unmasked.

Continue reading here:
Hacker Leaves Online Trail, Loses Anonymity

April 17th, 2012

Darkmegi: Not the Rootkit You’re Looking For

Darkmegi was in the news a couple of months back; it was the first known threat to be delivered through the Microsoft vulnerability CVE-2012-0003 (MIDI Remote Code Execution Vulnerability) exploitation. More recently Darkmegi has been seen in CVE-2011-3544 (Java Runtime Remote Code Execution) drive-by attacks as part of the Gong Da Pack exploit kit. Darkmegi uses a kernel rootkit component to maintain a stronghold on infected systems.

Hook Installation

It’s common for rootkits to deny read and/or delete access to their files and/or registry keys, and Darkmegi is no exception. The Trojan drops its kernel driver to com32.sys in the Drivers directory. This rootkit drops a usermode component, com32.dll, which gets injected into explorer.exe and iexplore.exe. It also hooks the Dispatch table of ntfs.sys [IRP_MJ_CLOSE, IRP_MJ_CREATE, IRP_MJ_DEVICE_CONTROL] and fastfat.sys to prevent applications from reading (or scanning) the com32.dll and com32.sys files.

Hook Impact

Once the rootkit has compromised the operating system, attempts to copy or read protected files are rejected.

Attempting to copy rootkit driver to another directory.

April 13th, 2012

Android Malware Promises Video While Stealing Contacts

Recently we discovered a new Android Trojan in the official Google Play market that displays a video downloaded from the Internet–but only if some sensitive information is previously sent to a remote server. The malicious applications are designed for Japanese users and display “trailers” of upcoming video games for Android. Here’s one example:

Or anime/adult Japanese videos:

When the application is about to be installed, two suspicious permissions–read contact data and read phone state and identity–are requested. Neither is needed for the principal purpose of the application, which is to display a video from the Internet. The reason for these requests becomes clear because the first action that the malware takes when it executes is to obtain, in the background, the following sensitive information from the device without the user’s consent:

  • Android ID: Unlike most Android malware and PUPs (potentially unwanted programs) that gather the IMEI to uniquely identify a device, this malicious application obtains the android_id, which according to the Android API is a “64-bit number that is randomly generated on the device’s first boot and should remain constant for the lifetime of the device.”
  • Phone number: Obtains the phone number of the device. READ_PHONE_STATE permission is required to gather this information.
  • Contact List: Gets the name, telephone number, and email of every person in the contact list.

While the data is harvested, the victim sees this “loading” message:

Once the information is obtained, the malicious application sends it to a remote server in clear text:

If the data was sent successfully, the application requests a specific video to the same server and displays it using a VideoView component. If the malware fails at its background theft (for example, the device does not have an Internet connection), a message in Japanese says that an error has occurred and the video has not loaded:

So far we have discovered 15 applications from two developers that, according to Google Play statistics, have been downloaded by at least 70,000 users. Due to the privacy risk that these applications represent to Android customers, all of them have been removed from the market. McAfee Mobile Security detects these threats as Android/DougaLeaker.A. Users should verify in the Google Play market, prior to installation, that the application does not request permission to perform actions not related to its purpose.
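The advice above, that a video player has no business asking for contact data or phone identity, can be turned into a mechanical check. The following is an added example, not code from the original post or from McAfee: it parses a manifest with the standard library, compares the requested permissions against a budget for the app's declared purpose, and reports anything outside it, listing permissions that expose personal data first. The manifest is constructed to model the behaviour the post describes (it is not the real sample's manifest), and the purpose budget is an assumption for this example, not an Android rule; the permission names themselves are real.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that expose personal data. The two the post names are READ_CONTACTS and READ_PHONE_STATE.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contact names, numbers and e-mail addresses",
    "android.permission.READ_PHONE_STATE": "phone number, IMEI and subscriber identity",
    "android.permission.READ_SMS": "SMS contents",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECORD_AUDIO": "microphone audio",
}

# Permission budget per declared purpose (assumption for this example, not an Android rule).
PURPOSE_BUDGET = {
    "stream-video": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_NETWORK_STATE",
        "android.permission.WAKE_LOCK",
    },
}

# Constructed manifest modelled on the behaviour described in the post (not the real sample's manifest).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="jp.example.trailers">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Game Trailers">
        <activity android:name=".PlayerActivity"/>
    </application>
</manifest>"""


def requested_permissions(manifest_xml):
    """All <uses-permission android:name=...> values, in declaration order."""
    root = ET.fromstring(manifest_xml)
    return [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]


def audit_permissions(manifest_xml, purpose):
    """Return [(permission, reason)] for every permission outside the purpose's budget,
    sensitive ones first so a reviewer sees the data-exposure risk immediately."""
    budget = PURPOSE_BUDGET[purpose]
    findings = []
    for perm in requested_permissions(manifest_xml):
        if perm in budget:
            continue
        if perm in SENSITIVE:
            findings.append((perm, "sensitive: grants access to " + SENSITIVE[perm]))
        else:
            findings.append((perm, "not required for purpose '%s'" % purpose))
    findings.sort(key=lambda f: not f[1].startswith("sensitive"))   # stable: keeps declaration order
    return findings


if __name__ == "__main__":
    for perm, reason in audit_permissions(SAMPLE_MANIFEST, "stream-video"):
        print(perm, "->", reason)
```

On the constructed manifest this reports READ_CONTACTS and READ_PHONE_STATE and nothing else. Real APKs ship the manifest in binary AXML, so in practice the XML would first be decoded with a tool such as aapt; the audit logic is the same once the text form is available.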

View post:
Android Malware Promises Video While Stealing Contacts

April 11th, 2012

Variant of Mac Flashback Malware Making the Rounds

Unless you have been living under a nondigital rock recently, you have probably heard of the Flashback Trojan, which attacks Macs. Around April 4 we saw reports of more than 500,000 infections by this malware. Further, McAfee Labs has recently come across a new variant making the rounds. This is no surprise: Whenever a piece of malware or attack is successful, we are bound to encounter copies and variations.

A key thing to remember is that this is a Trojan. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the guise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels often include email, malicious web pages, Internet Relay Chat (IRC), peer-to-peer networks, and other means. As of this writing, this Trojan is targeted at vulnerable Java plug-ins related to the CVE-2012-0507 vulnerability. When a user visits a compromised page, it often uses an iframe tag that redirects the user to another malicious page, where the actual exploit is triggered by the malicious Java applet.

OSX/Flashfake (the official detection name) is dropped by malicious Java applets that exploit CVE-2012-0507. On execution, the malware prompts the unsuspecting victim for the administrator password. Regardless of whether the user inputs the password, the malware attempts to infect the system; entering the password only changes the method of infection.

The Trojan may arrive as the PKG file comadobefp.pkg and comes disguised as a Flash player installer:

It prompts the user for administrative rights:

Once the malware package is successfully installed, it tries to make contact with its remote sites to download any necessary configuration files:

Another characteristic of this malware is that it checks whether a firewall is installed on the target system. If one is found, it will remove the installation. (Other versions of Flashback are delivered via the sinkhole exploit.)

Infected users unwittingly download a variety of fake-AV packages. To avoid that fate, make sure you are running the latest security software on an up-to-date system, use a browser plug-in to block the execution of scripts and iframes, and use safe-browsing add-ons that help you avoid unwanted or suspicious websites.

My thanks go out to colleagues David Beveridge, Abhishek Karnik, and Kevin Beets for letting me pass along their analysis!

Read the rest here:
Variant of Mac Flashback Malware Making the Rounds

April 5th, 2012

Darkshell DDOS Botnet Evolves With Variants

Darkshell is a distributed denial of service (DDoS) botnet targeting Chinese websites. It was found in 2011 and was first analyzed by Arbor Networks. McAfee Labs recently analyzed a few new samples that turned out to be variants of Darkshell, and we found extensive variations in network traffic and control commands.

The Darkshell bot follows a fairly standard installation process by copying itself into the System32 directory with a name that appears to be legitimate, for example, C:\WINDOWS\system32\WinHe803.exe. It then sends the system information of the infected machine to its control server in encrypted format. Once the control server receives the information, it responds with the victim’s address and the type of DDoS attack to perform.

Here are a few of the MD5 hashes we analyzed:

  • aff00fac695971c1aea37ce51f4d6228
  • beec4de4740da867ed44c666d283c4f2
  • b3e28fc05514abbaea1e12b676bef2a8
  • bc47ff49ba8ea1bc0c028edd7262c0ac
  • bcb210972648719e7d53223fbb7210ab
  • beec4de4740da867ed44c666d283c4f2
  • bf56f97511c4c4bc23d92c17d5e976fe
  • c008c851bef86764943f7a4a2a16d7c6
  • c74890f5a5400e70ff40da0493a933d7

April 2nd, 2012

Mobile ‘Wallets’ Attract Greater Interest From Thieves, Researchers

As mobile phones allow us to carry our money in an electronic “wallet,” they will also become a greater target for crooks. Picking a pocket is a risky endeavor for thieves, but it will be much less so if all they need to do is bump into their victims or brush by them with a mobile phone. Thieves are now more likely to go after both mobile payment software and phones enabled with near-field communications (NFC). However, things are not so bad; security researchers’ proof-of-concept (PoC) attacks against Google Wallet and Square’s credit card readers have prompted improvements in security.

Square credit card reader with American Express card

Square's credit card readers recently added encryption for credit card data.

Security researchers have already tested Square’s credit card readers, using exploits and keyloggers to intercept credit card numbers as they pass to their mobile phones. Square has now added encryption to new versions of its credit card reader. Does that mean that they’re completely secure? Not necessarily. Security researcher Adam Laurie is taking a closer look. Laurie has a large amount of experience in reverse-engineering embedded systems and RFID hardware. His research includes finding vulnerabilities in hotel room safes, RFID passports, and chip and PIN credit cards. As word of the new, more secure Square readers arrived, he posted an open request on Twitter. This can only be good for the security of the mobile payment system.

Researcher Adam Laurie requesting one of the new encrypted Square readers from his Twitter followers.

NFC-enabled contactless (“tap and pay”) credit cards are also at risk from an attacker with a specially crafted app and NFC-enabled mobile phone. Researchers at viaForensics have demonstrated a PoC NFC reader Android app that can grab the information on your credit card just by placing the phone nearby. An attacker can walk through a crowd and collect numbers and expiration dates from numerous victims. The CVV2 and other card verification numbers aren’t included, so it is more difficult for a criminal to resell stolen credit card information. Generally the CVV2 number, printed on the back of credit cards, is used to verify that online transactions are being made by someone who has the actual card. Most online shopping sites won’t allow a purchase if the customer doesn’t have that number. However, this didn’t stop viaForensics’ partner, the UK’s Channel 4 News, from being able to use this minimal card information on a popular online shopping site.

These latest phone enhancements have inspired an increasing interest in mobile payment security from both the bad guys and security researchers.

Follow this link:
Mobile ‘Wallets’ Attract Greater Interest From Thieves, Researchers

March 27th, 2012

New Endpoint Test Results from AV-TEST.org

This is one of those days that make me really proud to be a member of the McAfee family. I just received the very latest third-party test results from AV-TEST.org. AV-TEST has built a reputation for doing very thorough, “real world” tests of endpoint security products. They’ve been testing consumer endpoint products for a long time and just last year instituted a very good enterprise endpoint-testing program.

For the third quarter in a row, both McAfee’s consumer product, Total Protection 2012 and our enterprise product, VirusScan Enterprise 8.8, achieved certification. Not only did both of our flagship endpoint solutions achieve certification, but they both received better evaluations than any McAfee products in the history of AV-TEST’s reports.

AV-TEST evaluates endpoint products on three different metrics: core protection, repair and usability. They assign each product tested a score from 1 to 6 in each of the three metrics. While we tend to focus on the core protection metric, the repair and usability scores are important variables in the purchase decisions made by customers large and small.

Besides certifying both products, AV-TEST gave Total Protection 2012 a protection score of 5 out of 6 points, marking only the second time in two-plus years of testing that McAfee’s consumer product scored this well for core detection. On the enterprise side, VSE 8.8 got a protection score of 5.5…the highest protection score ANY McAfee product has ever received from AV-TEST.

For comparison, Total Protection 2012 outscored the comparable products from AVG, Trend Micro, and Microsoft among others. VSE 8.8 outscored the enterprise solutions offered by F-Secure, Sophos, Trend Micro…and, of course, Microsoft.

From a total evaluation perspective, this quarter was also record setting. Both Total Protection 2012 and VSE 8.8 received a total score of 13 of 18 points, both of which are historical highs for McAfee products.

As McAfee’s Senior VP of Product Management for McAfee Labs, Rees Johnson, observed, “These latest results from AVTEST.org represent the third test cycle in a row for which both our Enterprise AND Consumer products have been certified and each of the three results demonstrates material progress over the previous test cycle. This clearly demonstrates the progress being made within McAfee Labs across all technologies including the core detection engine, remediation, False Positive rates and the Trusted Source functionality that can be found in SA/SAE and the results we can achieve when we attack an issue like this with focus and energy.”

See the article here:
New Endpoint Test Results from AV-TEST.org

March 24th, 2012

Signed Malware – You can run…But you can’t hide

It’s been over a year now since McAfee became an Intel company, and the team and I have been privileged to be a part of designing and developing our DeepSAFE technology, as well as Deep Defender, the first available product that leverages this advancement. Recent threats in the news validate what we’ve been working on, and this blog serves as an update to our followers.

Signed Malware Prevalence

Digitally signed malware has received media attention recently. Indeed, over 200,000 new and unique malware binaries discovered in 2012 have valid digital signatures.

Unique Malicious Binaries Discovered With Valid Digital Signatures (cumulative starting Jan 2012)

Source: McAfee Labs Sample Database

Why Sign?

Attackers sign malware in an attempt to trick users and admins into trusting the file, but also in an effort to evade detection by security software and circumvent system policies. Much of this malware is signed with stolen certificates, while other binaries are self-signed, or “test signed”. Test signing is sometimes used as part of a social engineering attack.

Which signature is real?

Answer:  Well, they’re both real and valid certificates, but one is test signed.

Test Signing

Test signing is particularly useful to attackers on 64-bit Windows, where Microsoft enforces driver signing. By default such drivers will not load. However, Microsoft provides developers with the means of disabling this policy, and malware authors have learned to do the same. 64-bit rootkits such as Necurs (used by Banker, Advanced PC Shield 2012, and Cridex) use this approach to compromise the operating system. To combat this, Deep Defender v1.0.1 blocks test-signed drivers by default, while allowing ePO administrators to selectively exclude in-house kernel driver developers’ systems as necessary.

This is just one layer of protection, of course. Security is about “defense in depth”, from network to silicon. Real-time memory monitoring allows Deep Defender to identify the Necurs rootkit as it attempts to compromise the kernel.

Trying to Hide

Being able to observe transient events in memory allows DeepSAFE to get past the obfuscated file views that challenge traditional antivirus solutions.

Case in point is the Mediyes Trojan referenced in the aforementioned press articles. A quick check of our sample database shows over 7,000 unique binaries in this family. Yet memory rules written over a year ago to cover rootkit techniques are able to proactively identify the latest signed attack on day zero.

After the attacks were known, the certificate was revoked

Here DeepSAFE intercepts the malware attempting to modify the write-protection bit of the CR0 control register, as well as install kernel inline hooks on the ZwResumeThread function.

VirusTotal shows traditional file scanning was not very successful against this particular sample (2 out of 43 scanners detecting):

More to Come

For some time now we’ve seen malicious payloads that attempt to steal digital certificates for nefarious purposes and we are likely seeing the fruits of that labor. With so much malware on the line, we are sure to see this signed malware trend continue higher.

P.S. Deep Defender v1.0.1 is currently in beta and is expected to hit the market in Q2.  If you’re interested in helping protect the world beyond the OS, we’re hiring.

Read the rest here:
Signed Malware – You can run…But you can’t hide

March 19th, 2012

Android Malware Retest Puts McAfee Mobile Security at Top of Class

On March 6, the widely recognized institute AV-TEST published a long-awaited review of malware protection for Android–with really disappointing results for us :( And the report was widely quoted in the media.

An analysis on our side quickly showed that an outdated version of McAfee Mobile Security had been tested. Yesterday AV-TEST announced that they had run a retest and released an update of the results. This time the current version of McAfee Mobile Security (2.0.1.366) was tested, and the new results reflect where we (and you) expect us to be: at the top.

In the test the top 10 products are rated with a >90 percent detection rate. A more detailed report of malware family detection shows we were one of just three products with flawless detection through all malware families. You can read all about the test and download the full report at AV-TEST.org.

We are happy that the confusion could be cleared up. If you ever needed a compelling reason to update to the latest version, then this test is one.

Visit link:
Android Malware Retest Puts McAfee Mobile Security at Top of Class
