Posts Tagged ‘malware’
Don’t think alternative markets save your money
The Android:FakeInst family of malware seems to be a never-ending story. Its creators have been trying to trick users into sending premium-rate SMS messages for several months now. Just a few days ago, we discovered 25 more apps on alternative markets, all based on concepts very similar to the one in the story we wrote about before Christmas.
This time malicious Android applications are hosted on several domains:
All these sites were registered a week ago, so it looks like they were meant to serve as malware hosting for the bad guys from the very beginning. Also, if someone tries to access these sites from a browser, the visitor only receives a 404 error message, which does not look like a legitimate site. Analyzing the trail the malware creators left for us, we discovered a few sites they have used to attract users; all of them target Russian-speaking people and look like alternative markets. In reality, these sites exist for a short period of time and offer only fake downloaders.
So what does the visitor see? The user is tricked into installing an application called Downloader, with suspicious permissions, which shows a screen with two buttons entitled OK and Rules. Clicking on Rules is the entry to a one-way road where the authors inform the victim that the download can cost some money. At this point, it claims that it is possible to either agree or quit by clicking on the relevant buttons. But this is a lie, because clicking on quit does nothing at all. So you have to give up and click on Agree, or OK on the first screen, and then the scam begins!
And this scam costs you money! If somebody clicks on the OK or Agree button, they have probably already been defrauded by the creators. In the background, the fake downloader sends a premium-rate SMS to a number chosen based on the user’s country of origin. In order to distinguish people from all around the world, the malware contains premium-rate numbers for 60 different countries in an XML file distributed with the application. Since the criminals probably wanted to make it harder for us to analyse, they used AES encryption to make the file “unreadable”. However, when it is decoded, it reveals XML with a basic structure that for the Czech Republic looks like this:
As you can see, the SMS is sent to the number 9030979 with the text “GET 9190002172+021=2plt3” and is charged around $4. Once this is done, the user is redirected to the page “u*******i.org/content”, where the user is asked to enter the content of the confirmation message.
This concept is actually nothing new in the Android malware world as the bad guys have been doing this in various ways for several months. However, AVAST makes it harder for them by detecting their work as an Android:FakeInst variation. So what is the lesson? Never trust weird looking alternative markets and always check the app permissions. If you’ve downloaded a game that asks for SMS and Phone calls permissions, it probably means that someone is about to “play you” instead.
Some samples and their SHAs:
4568c4f98fa376d2df382a42f2a6531d2f307572795bf30701a7b1e7a61fc4bb
99e93ad659447bbd279cc8a8db7d1a0ef435a7d92a89ba9fc040e0d0e3314a97
b7996591e0957d3ef36848f0c05fd4131138297606f39d609cb23b78a31d1c35
Go here to read the rest:
Don’t think alternative markets save your money
AVAST gets Advanced Plus rating in AV-Comparatives’ Test
Avast! Free Antivirus 7 has the distinction of being the only free antivirus to receive the Advanced Plus certification rating from the annual “On-Demand Detection of Malicious Software” test from Anti-Virus Comparatives.
Approximately 300,000 pieces of malware were used in the testing, and avast! Free Antivirus 7 detected 98% of them: the highest detection rate of all tested free solutions, outperforming a number of paid-for products from other AV vendors. Complementing the high malware detection rate, avast! was also recognized for raising few false positives during the test: 14 false alarms against an average of 48. Avast! Free Antivirus 7 is the only free antivirus to receive the Advanced Plus certification rating.
AV-Comparatives chooses which antivirus products are to be tested from a field of internationally well-known, up-to-date antivirus products. In order to ensure that test results give a complete and accurate picture of a product’s capabilities, AV-Comparatives has strict rules about which tests every product must take part in, and which tests are optional. A dynamic “real world” protection test is conducted which measures file-detection rates, the number of false positive alerts raised, as well as other tests that cover different features of the products.
Read the original here:
AVAST gets Advanced Plus rating in AV-Comparatives’ Test
Variant of Mac Flashback Malware Making the Rounds
Unless you have been living under a nondigital rock recently, you have probably heard of the Flashback Trojan, which attacks Macs. Around April 4 we saw reports of more than 500,000 infections by this malware. Further, McAfee Labs has recently come across a new variant making the rounds. This is no surprise: Whenever a piece of malware or attack is successful, we are bound to encounter copies and variations.
A key thing to remember is that this is a Trojan. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the guise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels often include email, malicious web pages, Internet Relay Chat (IRC), peer-to-peer networks, and other means. As of this writing, this Trojan is targeted at vulnerable Java plug-ins related to the CVE-2012-0507 vulnerability. When a user visits a compromised page, it often uses an iframe tag that redirects the user to another malicious page, where the actual exploit is triggered by the malicious Java applet.
OSX/Flashfake (the official detection name) is dropped by malicious Java applets that exploit CVE-2012-0507. On execution, the malware prompts the unsuspecting victim for the administrator password. Regardless of whether the user inputs the password, the malware attempts to infect the system; entering the password only changes the method of infection.
The Trojan may arrive as the PKG file comadobefp.pkg and comes disguised as a Flash player installer:
It prompts the user for administrative rights:
Once the malware package is successfully installed, it tries to make contact with its remote sites to download any necessary configuration files:
Another characteristic of this malware is that it checks whether a firewall is installed on the target system. If one is found, it will remove the installation. (Other versions of Flashback are delivered via the sinkhole exploit.)
Infected users unwittingly download a variety of fake-AV packages. To avoid that fate, make sure you are running the latest security software on an up-to-date system, use a browser plug-in to block the execution of scripts and iframes, and use safe-browsing add-ons that help you avoid unwanted or suspicious websites.
My thanks go out to colleagues David Beveridge, Abhishek Karnik, and Kevin Beets for letting me pass along their analysis!

Read the rest here:
Variant of Mac Flashback Malware Making the Rounds
Signed Malware – You can run…But you can’t hide
It’s been over a year now since McAfee became an Intel company, and the team and I have been privileged to be part of designing and developing our DeepSAFE technology, as well as Deep Defender, the first available product that leverages this advancement. Recent threats in the news validate what we’ve been working on, and this blog serves as an update to our followers.
Signed Malware Prevalence
Digitally signed malware has received media attention recently. Indeed, over 200,000 new and unique malware binaries discovered in 2012 have valid digital signatures.
Why Sign?
Attackers sign malware in an attempt to trick users and admins into trusting the file, but also in an effort to evade detection by security software and circumvent system policies. Much of this malware is signed with stolen certificates, while other binaries are self-signed, or “test signed”. Test signing is sometimes used as part of a social engineering attack.
Which signature is real?
Answer: Well, they’re both real and valid certificates, but one is test signed.
Test Signing
Test signing is particularly useful to attackers on 64-bit Windows, where Microsoft enforces driver signing. By default such drivers will not load. However, Microsoft provides developers with a means of disabling this policy, and malware authors have learned to do the same. 64-bit rootkits such as Necurs used by Banker, Advanced PC Shield 2012, and Cridex use this approach to compromise the operating system. To combat this, Deep Defender v1.0.1 blocks test-signed drivers by default, while allowing ePO administrators to selectively exclude in-house kernel driver developers’ systems as necessary.
This is just one layer of protection of course. Security is about “defense in depth”, from network to silicon. Real time memory monitoring allows Deep Defender to identify the Necurs rootkit as it attempts to compromise the kernel.
Trying to Hide
Being able to observe transient events in memory allows DeepSAFE to get past the obfuscated file views that challenge traditional antivirus solutions.
Case in point is the Mediyes Trojan referenced in the aforementioned press articles. A quick check of our sample database shows over 7,000 unique binaries in this family. Yet memory rules written over a year ago to cover rootkit techniques are able to proactively identify the latest signed attack, 0day.
Here DeepSAFE intercepts the malware attempting to modify the write-protection bit of the CR0 control register, as well as install kernel inline hooks on the ZwResumeThread function.
VirusTotal shows traditional file scanning was not very successful against this particular sample (2 out of 43 scanners detecting):
More to Come
For some time now we’ve seen malicious payloads that attempt to steal digital certificates for nefarious purposes and we are likely seeing the fruits of that labor. With so much malware on the line, we are sure to see this signed malware trend continue higher.
P.S. Deep Defender v1.0.1 is currently in beta and is expected to hit the market in Q2. If you’re interested in helping protect the world beyond the OS, we’re hiring.

Read the rest here:
Signed Malware – You can run…But you can’t hide
AVG Mobile Threat Update: Week 3
For 2012, our AVG Mobilation™ team will put together weekly reports on the latest threats to Android mobile devices. The reports are written by one of our in-house experts, Elad Shapira; a short bio on him will be up in the near future.
This week, the AVG Mobilation research team found a new variant of the ‘FakeInstaller’ malware, named ‘SMSFraudInstaller’, that is not in the wild yet.
‘SMSFraudInstaller’ is a Trojan horse for Android devices that sends SMS messages to premium service numbers.
This malware is spread mainly through Russian websites and forums and mainly targets Russian users.
Technical details about the new variant
Below you can see the manifest file of the variant:
In the permissions list you can see the SEND_SMS permission used to send the SMS to the premium service.
When the Trojan is installed, it will have the Opera icon:
And when opened, it will display the following message on the device:
If the user chooses to press ‘Next’ (right button) on the screen above, it will send an SMS to a premium service number.
The premium service number that the SMS is sent to depends on the country where the SIM card is registered (more on the SMS fees later).
Below we can see the code that is responsible for sending the SMS:
Most users will press ‘Install’ at this point without knowing that the application will charge them, as they are not aware that this is only disclosed behind the ‘Rules’ button.
Users who press the ‘Conditions’ button will see a very hard-to-read screen with a lot of text that mentions the payment for sending up to 3 SMS messages:
If there’s no SIM within the device the application will display the following screen:
In the past we published detailed information about the way those Russian SMS installers work.
Information about ‘Android SMS Fake installer’ can be found in the following link:
http://www.droidsecurity.com/securitycenter/secuirtypost_20111110.html#tabs-2
The story behind the massive FakeInstaller malware instances
We have recently seen a burst of applications that send SMS messages from the targeted devices to premium numbers.
What all those applications have in common is the same origin: the malware author’s website.
As you can see from the picture above, there are devices flying in the air, throwing golden coins onto a heap of golden coins.
That money belongs to the users and is taken from their targeted devices.
The malware author offers developers the option to add his malicious payload to their apps and earn money from it.
The malware author splits the money between himself and the application developer, leaving the application developer most of the money.
The malware author’s website contains a forum where the malware author offers help services and gives detailed explanations of how to use it.
Initially the malware author spread malware for Symbian-based phones, but as more and more users own Android-based phones, they are moving to target Android-based devices.
Analysis of the malware author’s Java code file given to developers who want to join
Below you can see code snippets taken from the JAR file the malware author offers developers to use, in this case the SMS sending mechanism:
And also:
Technical details about the spread mechanism of the malware – different devices
When the user browses to the page of the malicious application, the server hosting the app determines which operating system the user has (Symbian, Android, etc.) and then offers the user the download of the relevant file type of the malware, one file for each operating system detected.
Below you can see the ‘default’ behavior when it identifies Symbian OS:
Below you can see the behavior when it identifies Android OS:
Technical details about the spread mechanism of the malware – different countries
We could see that the malware instances can check which country the device is operating in and then send SMS messages to a premium service number that is local to that device.
For example, below you can find text taken from the user agreement (link marked with a red square) on a Russian website, which details the cost of each SMS in each country the malware operates in:
That is the reason you always need to read and verify what you are downloading.
How to remove
AVG Mobilation Anti-Virus Free and Pro products provide protection against this threat.
In order for the protection to be activated, update your Android phone with our latest version.
Keep your device safe with AVG Mobilation Anti-Virus Free and Pro products.
Download now from http://www.avgmobilation.com/products.html
How to avoid getting infected:
When installing new apps to your Android device, always look at the permissions an application requests to approve and make sure the list seems appropriate.
In addition, only download apps from application stores, sites and developers that you trust, and always check the application star rating, developer information and user reviews to make sure you know what you are downloading.
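Both the Avast post above (a game asking for SMS and phone permissions) and this post (SEND_SMS in the variant’s manifest) come down to the same check, so here is an added example, not code from either post, that pulls the requested permissions out of a decoded AndroidManifest.xml and reports the ones that can cost the user money. The permission set and the sample manifest are constructed for this example.

```python
"""List toll-related permissions declared in an AndroidManifest.xml.

Added example, not code from the original posts. It reads a decoded manifest
and reports which requested permissions could run up a bill, so the list can
be compared with what the app claims to be (a game or a "Downloader" has no
business sending SMS). The permission set and the sample manifest are
constructed for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"
ANDROID_LABEL = f"{{{ANDROID_NS}}}label"

# Permissions that let an app charge the user or read SMS confirmations.
# Assumed set for this example, not taken from the original posts.
TOLL_PERMISSIONS = {
    "android.permission.SEND_SMS": "send SMS, including to premium-rate numbers",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (confirmation codes)",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.CALL_PHONE": "place calls without confirmation",
    "android.permission.READ_PHONE_STATE": "read SIM/operator details (country lookup)",
}

# Constructed manifest modelled on a fake installer that borrows a browser's icon.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeinstaller">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Opera Mini">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    return [elem.get(ANDROID_NAME) for elem in root.iter("uses-permission")
            if elem.get(ANDROID_NAME)]


def toll_permissions(manifest_xml: str) -> dict:
    """Map each requested toll-related permission to a plain-language risk."""
    return {perm: TOLL_PERMISSIONS[perm]
            for perm in requested_permissions(manifest_xml)
            if perm in TOLL_PERMISSIONS}


def app_label(manifest_xml: str) -> str:
    """Return the <application android:label> value, or '' if absent."""
    app = ET.fromstring(manifest_xml).find("application")
    return app.get(ANDROID_LABEL, "") if app is not None else ""


def summarize(manifest_xml: str) -> str:
    """Human-readable verdict: app label plus the toll permissions it asks for."""
    label = app_label(manifest_xml) or "<unlabelled app>"
    toll = toll_permissions(manifest_xml)
    if not toll:
        return f"{label}: no SMS/phone billing permissions requested"
    lines = [f"{label}: requests {len(toll)} permission(s) that can cost money"]
    lines += [f"  - {perm}: {why}" for perm, why in toll.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_MANIFEST))
```

A real APK’s manifest is binary XML and must first be decoded (for example with apktool) before being fed to this parser.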

The Latest Threat To Your Mobile Phone: Your Employer
The RSA Conference – the largest gathering of security vendors and the companies who buy their products – was held in San Francisco last month. Avast was in attendance, and I had the pleasure of moderating a panel on mobile security. Mobile security was also one of the top topics permeating the entire event. What I heard on the panel and throughout the conference, and what has been reinforced from my discussions with analysts and consultants to businesses, should have you all pretty worried.
The good news is that businesses want to embrace employees’ use of mobile phones and tablets. And it’s not just the biggest companies doing so: even small businesses are eager adopters of mobile technologies. After all, employees are more accessible and more productive when they can use their mobile devices for work. However, these are your devices; they are not the company’s and shouldn’t be treated as such. And that’s the challenge.
Businesses have legitimate concerns that these devices are inherently insecure, and that consumers don’t always secure their devices to the same level businesses do their PCs. They are also concerned about all the corporate data that these devices contain or can access, and that their loss or theft can compromise a company. And they are concerned that people will misuse their access to this data now that it’s on their personal device.
The problem is that businesses want more security and control over your phone than they should have or even need: even more control than they have over the PCs they provide you.
- Because there are malicious apps, they want to keep a catalog of every app you install and be able to remove those applications without prior notice to you.
- Because mobile devices can hold private corporate data, they want the ability to wipe all data on your phone, also without prior notice to you.
- Because you could potentially misuse the phone by transferring corporate data between a business app (like email) and a personal app (like Facebook), they want to be able to monitor everything you do on that phone: your call logs, your text messages, all your social networking activity, all your browsing activity.
This blatant company disregard for employees’ privacy and property all in the name of security has gotten completely out of hand. One product that was given prominent attention at the conference basically rooted your device to put a monitoring and management layer underneath the operating system. Besides taking any semblance of control of your device away from you, this procedure would likely lead to voiding the warranty for many of your devices, especially Apple devices.
Using your mobile devices for work purposes should not require you giving up all your privacy rights or giving your company effective ownership of your device, without having to pay for it. If your company is letting you use your phone or tablet for work purposes, especially if it’s for more than email, then you should take a close look at your organization’s mobile policies – not just for what you should or should not be doing, but for what your company could be doing.
Read more here:
The Latest Threat To Your Mobile Phone: Your Employer
Another Overview of Exploit Packs
Recently I blogged about some exploit packs. In that post I showed a table that had 10 common malware kits. I listed the vulnerabilities used, referenced by their Common Vulnerabilities & Exposures (CVE) names. There were 45 vulnerabilities in the table.
From the data, this idea was taken up by Mila Parkour via her Contagio malware blog. Making use of data from other researchers blogs (MalwareIntelligence, Kahu Security, XyliBox, etc) her latest version (the 15th) lists 64 kits and more than 100 vulnerabilities.
The first of these packs appeared around 2006-2007. Many people remember Icepack, Mpack, and Web Attacker as prolific during this time!
One of the most prolific years, in vulnerability terms, was 2010, with 28 vulnerabilities exploited in one or across several kits. For exploit packs, the big year was 2011, with 15 kits and 23 versions named on the Mila list.
Vulnerabilities disclosed in 2010 were rapidly included in exploit packs (Crimepack, from March 2010). However, we needed to wait until May 2011 to encounter the first pack (Eleonore) using an exploit from that year. As of February 2012, one of the first vulnerabilities of the year (CVE-2012-0003) is already exploited in the wild (Zhi Zhu exploit pack). It is a good entry for a 16th version, I think!
So far in 2012 most of these packs include 10 or fewer exploits. That figure is slightly lower than in 2011. That year, ironically, the Zero Exploit Kit was announced with 62 exploit PDFs on a hacker forum. The most common vulnerabilities encountered in exploit packs are CVE-2006-0003 (MDAC), CVE-2007-5659/2008-0655 (PDF Collab), CVE-2008-2992 (PDF Printf), and CVE-2009-0927 (PDF GetIcon). But the most interesting fact (for me, anyway) is the high number of new exploit packs since December 2011, after the October disclosure of the Java Rhino vulnerability (CVE-2011-3544).
Next to the regular updates of some well-known packs (Phoenix, Blackhole), are five newcomers: Zhi Zhu, Yang Pack, Techno Xpack, Hierarchy, and Sakura.
The following table shows the latest status. Packs from Eastern Europe are still predominant, but the number of Chinese packs is increasing.
As always, make sure you stay updated and educated about the latest threats!

Continue reading here:
Another Overview of Exploit Packs
An Update on DNSChanger and Rogue DNS Servers
In late 2011, the FBI released documents and data focusing on “Operation Ghost Click”. This malicious operation, leveraging a variety of DNSChanger-type malware, was defined as an “International Cyber Ring That Infected Millions of Computers.”
Associated malware samples and events can be traced back several years, and multiple platforms were targeted, and to this day remain affected/infected and are still open to compromise.
The amount of helpful data around this issue is plentiful. The FBI has even provided a tool to check whether your host/IP is affected.
https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS
So, fast-forward to the present day. . . .
Within McAfee Labs we have been flooded with queries (<— intentional DNS pun) on what is to be done on March 8th, and what other impacts might ripple through their environment as the FBI takes the next steps towards conclusion of Operation Ghost Click.
The Good News!
On March 5th, a US District Court (New York) signed an order to extend the March 8th deadline to July 9th.
This extension will allow all affected entities to continue to track down and remediate hosts which are still compromised. Current data indicates that there are still several million infected/affected hosts worldwide dealing with this issue.
Also, as a handy reminder, the offending netblocks are well documented:
- 67.210.0.0 through 67.210.15.255
- 93.188.160.0 through 93.188.167.255
- 77.67.83.0 through 77.67.83.255
- 213.109.64.0 through 213.109.79.255
- 64.28.176.0 through 64.28.191.255
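As an added example (not code from the McAfee post), the five netblocks above can be turned into a quick resolver audit: collapse each inclusive range into CIDR networks and test every configured nameserver against them. The resolv.conf text is constructed for the demo.

```python
"""Check DNS resolver addresses against the Operation Ghost Click rogue netblocks.

Added example, not code from the original McAfee post. The five inclusive
ranges are the ones the post lists; the resolv.conf text is constructed for
the demo. A match means the host is still pointed at a seized DNS server and
will lose name resolution once those servers are switched off.
"""
import ipaddress
import re

# Rogue DNS netblocks (inclusive first/last address) as documented in the post.
ROGUE_RANGES = [
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Collapse each inclusive range into CIDR networks once for fast membership tests.
ROGUE_NETWORKS = [
    net
    for first, last in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
]

# Constructed resolv.conf; the second entry sits inside 93.188.160.0-93.188.167.255.
SAMPLE_RESOLV_CONF = """# constructed sample, not a real host's file
nameserver 192.0.2.53
nameserver 93.188.161.5
search example.internal
"""

_NAMESERVER = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def is_rogue_resolver(ip: str) -> bool:
    """True if ip parses as an address inside any published rogue netblock."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # hostnames or garbage are not in the netblocks
    return any(addr in net for net in ROGUE_NETWORKS)


def resolvers_from_resolv_conf(text: str) -> list:
    """Extract nameserver addresses from resolv.conf-style text, in file order."""
    return _NAMESERVER.findall(text)


def check_resolvers(ips) -> dict:
    """Map each resolver address to True (rogue) or False (outside the netblocks)."""
    return {ip: is_rogue_resolver(ip) for ip in ips}


def audit_resolv_conf(text: str) -> list:
    """Return only the rogue resolvers found in a resolv.conf body."""
    results = check_resolvers(resolvers_from_resolv_conf(text))
    return [ip for ip, rogue in results.items() if rogue]


if __name__ == "__main__":
    for ip, rogue in check_resolvers(
            resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)).items():
        print(f"{ip:16} {'ROGUE (DNSChanger netblock)' if rogue else 'ok'}")
```

On a real host, feed it the contents of /etc/resolv.conf (or the DNS server addresses from the Windows network settings); any hit should be replaced with your ISP’s or organisation’s resolvers before the seized servers go offline.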
To learn more about how to maintain your online connection and to protect against this malware family, read our new Threat Advisory.
https://kc.mcafee.com/corporate/index?page=content&id=PD23652
For McAfee Customers – Detection for associated malware is provided under the DNSChanger Trojan family.
Example - http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=141841
Other Resources:
- McAfee Labs Security Advisory: MTIS11-219
- McAfee Labs Threat Advisory – DNSChanger
- McAfee Labs – DNSChanger Description Search
- FBI – DNSChanger Malware
- United States District Court Southern District of New York Post-Indictment Protective Order (extending the March 8th date).
Don’t shoot the messenger
Not everyone appreciates an avast! warning. Some IT professionals find it hard to believe that an infection has taken place on the computers and the networks under their supervision.
“In today’s update you have included their website as being infected and harmful,” complained one web developer in an email to AVAST Software. “For the last month, it has been a brand new site. I have scanned the site with several online website scanners and they all come up clean.”
AVAST Software sends out a lot of warnings to users. During January of 2012, we recorded 1.87 billion incidents of our users encountering malware.
In this case, the company owners had avast! on their own computers and they were getting warnings that their site was infected. Even worse, because their avast! was blocking them from accessing their own site, they realized potential customers were also getting shut out – costing them money.
While online scans from two other security suppliers did not detect anything, Jiri Sejtko at the AVAST Virus Lab did. He found evidence of a BlackHole Exploit Kit attack that had taken place three days previously. The script shown in the image redirects visitors to web-media-stats-analyse.[REMOVED].php?id=07a1509e7e5d828d, a well-known malware distribution domain.
Sorting out this particular infection has required some cooperation between the site developer, the hosting company, and the owners. While the specifics vary for each website, Jiri pointed out four most common sources of malware infections:
1. Old and vulnerable software (e.g. old versions of WordPress, Joomla, …) and plugins for this software.
2. Plugins and themes downloaded from untrustworthy sources (which may already contain infections or backdoors).
3. Weak passwords.
4. Stolen passwords.
11 Tips for protecting your data when you travel
When we relayed the FBI/IC3 warning to travelers about a threat involving hotel Internet service overseas last week, it produced a lot of requests for advice on how to respond to the threat. So a few of us researchers at ESET came up with a list of data security tips for travelers. These tips will help you keep your data safe while travelling in general, and defeat this particular threat (IC3 says a pop-up appears as you are signing in to the hotel Internet and asks you to perform a software update which is actually a malware infection).
Bonus tip #1: If you are on the road and suspect that your Windows laptop has become infected you can get a free online scan from ESET.
Bonus tip #2: Don't assume your laptop is safe from malware when traveling just because it is a Mac. Consider installing a reputable antivirus product, for example, you could install a free 30-day trial of ESET Cybersecurity for Mac OS X before you head out on your travels.
What not to do when on the road with your laptop
Do not park your car and then place your laptop in the trunk. Place your laptop in the trunk before you reach the place you are going be parking. The reason? Someone who sees you place a computer in the trunk and then walk away from the vehicle knows the car is worth breaking into or stealing. A former colleague learned this the hard way in Venice Beach in 1996, back when a high-end laptop could cost over three grand.
WEP/WPA? How to know which encryption scheme an access point offers
If you are using a Windows 7 laptop you can see the encryption type for any available access point when you display the list of access points from the network icon in the Taskbar (typically lower right of the screen). You may have to hover over the point in the list to see the information. If you are using a MacBook you can Option-Click the Airport icon for a list that will display the encryption type of your current connection, and other connections, on hover.
(With many thanks to Aryeh Goretsky and Cameron Camp for their contributions to the tip list.)