Bugs / Virus Article (1)
Free Anti-Virus Comparison Review
» April 8, 2013 05:00PM
PC Doctor Service Center 6 Review
» December 16, 2007 05:00PM
Bugs / Virus News (149)
Posted: March 25, 2017 02:15PM
Researchers at Cybellum, a security company focused on zero-day attacks, have discovered a means to use a Microsoft tool to inject malicious code into processes, including security processes. The tool is the Microsoft Application Verifier, which has been a part of Windows since XP and is meant to help developers find programming errors. It does this by loading a "verifier provider DLL" into the process for runtime testing, and once this has been done the DLL is added to the registry as a provider DLL for that program. After this happens, Windows will automatically inject the DLL into every process with the registered name. What Cybellum discovered is that it is possible to register a malicious DLL that will then be loaded into a security product or any program, hijacking it for a variety of purposes. This means it could be used to turn a piece of malware into an advanced persistent threat that survives reboots.
The researchers have named this attack DoubleAgent and it works in every version of Windows, including Windows 10. Also, because it is a legitimate tool there is no way to block the technique from being used, just the malicious attack. Cybellum has made several vendors aware of the issue, but not all have responded yet. AVG, Kaspersky, Malwarebytes, and Trend Micro have already responded to fix this vulnerability. Other notified vendors include Avast, Avira, Bitdefender, ESET, F-Secure, McAfee, Panda, Quick Heal, and Symantec (Norton). Comodo was also notified but claimed they were not vulnerable, however it has been demonstrated that they are, but it is more difficult and involves a different, unreleased proof-of-concept of the DoubleAgent attack. Cybellum published its findings after the vendors had more than 90 days to check if their products were vulnerable.
Cybellum has also stated that it is possible to stop DoubleAgent attacks using protected processes, a concept from Windows 8.1 that protects anti-malware services. This protection has only been added to Windows Defender though. The video below demonstrates the attack on Norton.
Posted: April 12, 2016 06:34PM
Author: Brentt Moore
Mike Olsen, a security researcher that runs a blog on the topic of hacking, recently purchased a set of six power over Ethernet outdoor surveillance cameras for his friend's home. After receiving the devices, he unfortunately was greeted with an interface that failed to provide access to normal controls and operations. In order to see if a bad style was hiding the controls that he needed, he took a look at the code that made up the interface page and noticed an iframe that linked to a strange looking host name. After some research, Olsen immediately found that the domain was related with malware that had quite a bit of a history.
While it is unknown if the seller of the PoE cameras had any idea that the malware was indeed present within the interface of the camera, Olsen's experience does serve as a good reminder that even when a seller has a good rating, a product is a good deal, and Amazon is the retailer, malware can still exist without knowledge to the consumer.
Source: Mike Olsen
Posted: February 14, 2016 10:28PM
Author: Leo Ohayon
After a recent update, the Mac version of Adobe’s Creative Cloud could potentially delete user data with no warning. A script created by the update deletes the first directory in the root directory once the user signs in after updating. The users at the highest risk are BackBlaze customers. BackBlaze is a data backup service that stores user data in a directory named .bzvol, which is typically the first directory in the root directory. Due to this, BackBlaze was the first to report the issue and include it in its FAQ. After a storm of complaints from upset users, Adobe has released a fix for the update, which you can download below.
Posted: December 19, 2015 08:39AM
If you use Microsoft Outlook to manage your email, make sure it is updated to the latest version. Earlier this month security researcher Haifei Li reported an Outlook bug named BadWinmail to Microsoft and this issue could be exploited to compromise a machine without end-user interaction.
The issue revolves around Windows Object Linking and Embedding (OLE) system, which is used for objects embedded in Office documents, including Outlook emails, and Flash. Due to a flaw with how Outlook sandboxes embedded Flash, it is possible for malicious Flash code to be executed and use Flash vulnerabilities to install other pieces of malware on a user's computer. Because Outlook will use OLE to run the embedded code when viewing or even previewing an email, there is little the end-user has to do to be attacked. It is even possible for the end-user to do nothing but have Outlook open, if it is set to preview the most recent email, and it happens to be carrying the malicious code.
While this is a serious issue, Microsoft has already patched it, so if you update Outlook to a version newer than December 8, you should have the fix.
Posted: August 17, 2015 04:23AM
Author: Brentt Moore
Moscow-based Kaspersky Lab, which is one of the largest security companies in the world, continues to develop some of the best security suites available for consumers and businesses. Despite their excellent reputation, former employees of the company have just recently went public with details that surround unethical practices. The former employees claim that for more than a decade, with activity peaking between 2009 and 2013, Kaspersky Lab went on a mission to damage the reputation of its rivals by developing fake malware. The fake malware would trigger security suites developed by companies such as Avast, AVG, Microsoft, and others into classifying the harmless files as viruses. The former employees noted that some doctored files were even sent to VirusTotal, a website that provides free virus, malware, and URL online scanning through the use of 40 antivirus solutions.
Eugene Kaspersky, the co-founder of Kaspersky Lab and the individual that former employees say ordered some of the attacks due to his anger over companies emulating his software, has publically denied the allegations and stated that "Such actions are unethical, dishonest and their legality is at least questionable." Despite this, Reuters was previously told by executives at Avast, AVG, and Microsoft that someone had attempted to introduce false positives in recent years, though the each company had no comment on Kaspersky Lab possibly targeting them.
Posted: June 12, 2015 09:51AM
At long last, the Ask Toolbar is on its way out, as Microsoft has recently started classifying older versions as a piece of unwanted software. Its malware programs have been automatically updated to detect and remove outdated Ask Toolbar installs, which should make many of us quite happy. It will certainly please security and IT professionals, as the Ask Toolbar has caused a host of problems for years. The toolbar tends to piggyback onto other installers and can be quite hard to spot how to not install it, with perhaps the most egregious offender being the Java installer. Unchecking the Ask Toolbar install has to be done during each and every Java update, and if you happen to just keep clicking next, odds are you'll have an unwanted addition to your browser. Now, all but the most recent edition of the Ask Toolbar is considered unwanted software, with the likes of Microsoft Security Essentials, Microsoft Security Scanner, and Windows Defender automatically removing the older Ask Toolbars automatically.
Considering Microsoft has recently started to get tougher on which apps with a search function get approved, the classification of older Ask Toolbars as unwanted software is just part of the process.
Posted: April 21, 2015 06:31PM
Author: Brentt Moore
Hundreds of thousands of mobile applications for the iPad, iPhone, and iPod utilize a networking software known as AFNetworking. It was recently revealed by cybersecurity firm SourceDNA that a particular version of the AFNetworking software, which is used by roughly 100,000 applications, contains a vulnerability that allows hackers to easily bypass SSL, meaning that data such as login credentials and banking information could be leaked. Luckily not all 100,000 applications that run on Apple devices are vulnerable, as SourceDNA acknowledged that currently, about 1,000 applications remain vulnerable to the security flaw. Some of the affected iOS applications include Uber, OneDrive, and Yahoo Finance.
Source: CBS News
Posted: March 12, 2015 03:59PM
Author: Nick Harezga
In the past year, cryptography based "ransomware" has become more widespread with variants such as CryptoLocker and CryptoWall encrypting files and photos on infected computers. If the users refuse to submit to the hackers demands and pay up, their files are deleted. New malware known as TeslaCrypt follows the same protocol, with the added "feature" of specifically targeting the files of 40 PC games. Games targeted include a number of current and older games including StarCraft 2 and Dragon Age: Origins. The malware is delivered by a Flash exploit after navigating to an infected website. The hackers behind the malware are demanding $500 in Bitcoins to release the encrypted files.
Source: Ars Technica
Posted: February 11, 2015 12:51PM
Author: Brentt Moore
VirusTotal, a website that was acquired by Google in 2012 and offers free checking of suspicious files using multiple antivirus engines, has announced an initiative to combat false positives generated from antivirus programs. In order to do this, the company encourages software developers to share files found within their software catalogue, which VirusTotal then marks accordingly. If a false positive is generated by an antivirus program, VirusTotal contacts the respective antivirus vender to correct the error. Microsoft has already partnered with VirusTotal to help kick start this initiative of combatting false positives in antivirus programs, and the partnership thus far has enabled VirusTotal to remedy over 6,000 false positives thanks to the sharing of metadata about software collections.
Source: VirusTotal Blog
Posted: January 26, 2015 03:25PM
Author: Brentt Moore
According to Adrian Ludwig, the Chief of Security for Android at Google, the company has no plans to patch a WebView vulnerability that affects the default Web browser found in Android 4.3 and older. According to Ludwig, the number of devices running affected Android versions are shrinking every day as users upgrade or get new devices. Unfortunately, about 60 percent of all Android users are still utilizing Android 4.3 and older, according to Android usage numbers provided by Google, meaning that over half of all Android users remain vulnerable.
With Google leaving the WebView issue unpatched, Ludwig has recommended that Android users begin to utilize browsers that are unaffected by the vulnerability and that are updated from the Google Play Store, such as Google Chrome and Firefox. Despite the change in browsers, an application may still make use of the WebView API, and as a result, can still pose a risk to smartphones running Android 4.3 and older.
Posted: August 20, 2014 02:44PM
Author: Brentt Moore
It was recently reported that Community Health Systems suffered a data breach, resulting in the loss of patient names, addresses, birthdates, telephone numbers, and Social Security numbers of 4.5 million individuals. Security experts at the time noted that malware was used to attack systems, and while that still seems to be true, it looks like the major security flaw known as Heartbleed is partially to blame for allowing Chinese hackers to circumvent security measures. According to David Kennedy, the founder of TrustedSec LLC, hackers were able to make use of the Heartbleed flaw in order to steal usernames and passwords, which then gave them access to private communications channels within Community Health Systems. Although Kennedy is not involved with the ongoing investigation in any way, he has noted that the information linking Heartbleed to the stolen data comes from three people close to the matter.
If Heartbleed is in fact connected to the data breach that Community Health Systems recently suffered, it will be the first known breach of a company by use of the vulnerability.
Posted: June 23, 2014 06:21PM
Author: Brentt Moore
Although it has been a little over two months since the initial discovery of Heartbleed, which at the time affected around 600,000 systems, it still continues to pose a threat to users worldwide. Robert Graham from Errata Security noted that there 309,197 servers still vulnerable to the OpenSSL bug, which if exploited, can leak account login details. What is surprising is that last month around the same amount of servers were still vulnerable to the attack, which indicates that people have stopped attempting to patch affected systems. While the amount of affected systems will surely decrease over time due to lifecycle replacements, Robert Graham still expects to find thousands of systems still vulnerable even a decade from now.
Source: Errata Security Blog
Posted: April 14, 2014 07:37AM
Author: Brentt Moore
The Heartbleed security flaw, which has been one of the most influential web security issues in recent history, has hindered many websites since its initial revelation. Even though the code was supposedly an accident and not intentional, it has affected a large number of websites that make use of OpenSSL. One network provider that has been hindered by Heartbleed, Akamai, provided a patch to its systems recently that was supposed to address the security flaw entirely. The company has gone back on that claim now as Willem Pinckaers, a security researcher, has uncovered that the patch released by Akamai for its systems only addressed half of Heartbleed. According to Pinckaers, and confirmed by Akamai chief security officer Andy Ellis, the patch that was released for the Akamai network only covered three out of six critical values found in an RSA key.
In order to protect customers following this news, Akamai is rotating SSL certificates that are vulnerable. In the meantime, the company is working on a patch that will address Heartbleed in its entirety, thereby protecting one-third of the Internet's traffic that the network provider processes.
Posted: April 11, 2014 10:22AM
Author: Nick Harezga
The programmer responsible for checking in the code that led to the Heartbleed bug in OpenSSL has described it as an accident, not a malicious activity. The bug was found in an area of the code that pertained to security and was caused by "missing validation on a variable containing a length." The code went through a peer review process and neither the original programmer or peer reviewer were able to catch the bug. There is a published list of some sites that have been impacted by the bug, but it would probably be a good idea to change all of your passwords anyway.
Posted: April 10, 2014 08:21AM
Earlier this week, news broke out about a major security flaw called Heartbleed that affected two thirds of the web, allowing hackers easy access to usernames, passwords, and other seemingly encrypted data through an OpenSSL hole. Sites utilizing the OpenSSL protocol have been patching the hole, but very few are actually reaching out to customers to let them know. There's a site to check for Heartbleed vulnerability, but it doesn't tell you if the site you're checking was ever vulnerable, just whether it is or isn't at the time you check. That's where Mashable comes in.
Mashable has compiled a list of some of the major sites, providing the information users need to know:
- Was it affected?
- Is there a patch?
- Do you need to change your password?
- What did they say?
Since the hole has existed for years, despite first being publicly disclosed Monday night, Mashable basically recommends changing the password for any site that was ever affected and patched, even if a site says no data was compromised. If there is a silver lining, the good news is that it appears no major banking or brokerage sites were ever affected, as they all seem to use different encryption and security protocols.
Posted: April 8, 2014 03:20PM
A major vulnerability called Heartbleed was discovered Monday night in the open-source software called OpenSSL, which is widely used to encrypt communications, such as logins. In fact, it's so widely used that the vulnerability affects some of the biggest and most popular sites in the world, including Yahoo, Imgur, OKCupid, and Eventbrite. According to SteamDB.info, even Steam was affected!
The good news is that Yahoo, Imgur, and Steam have already fixed the issue as of a couple hours ago.
Officially called CVE-2014-0160, security firm Codenomicon gave it the more recognizable and memorable name of Heartbleed, which the firm discovered along with Google researcher Neel Mehta. "This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content," Codenomicon said. "This allows attackers to eavesdrop communications, steal data directly from the services and users, and to impersonate services and users."
There is some conflicting information as to just how much information can be obtained, with Codemnomicon saying it was able to steal "the secret keys used for [...] X.509 certificates" in its tests, but Google security expert Adam Langley claiming that his testing didn't reveal such information as sensitive as secret keys. Langley was one of the experts who helped close the OpenSSL hole – a fix which can be implemented by sites using OpenSSL to block Heartbleed, and presumably what Yahoo, Imgur, and Steam used. There is nothing a user can do on their end, other than not using affected sites until the hole is patched.
If you're concerned about entering your sensitive information on a site that you suspect uses OpenSSL, developer and cryptography consultant Filippo Valsorda published a tool that allows people to check sites for Heartbleed vulnerability. Unfortunately, the site's servers are under such heavy load by people constantly checking that it often gives a timeout.
While the SteamDB.info Twitter account advises Steam users to change their passwords and "deauthorize computers" (essentially resetting Steam Guard without ever turning it off), it's important to note that SteamDB.info has absolutely no affiliation with Valve, so it's probably best to wait for an official statement. Since Valve is supposedly resetting all its certificates, it would make sense to change passwords after the new certificates are issued anyway so that there's a new key. SteamDB.info supplied instructions on how to reset Steam Guard since it seemed to cause confusion among many users.
Posted: January 4, 2014 07:46AM
Author: Brentt Moore
Previously a Trojan which relied on user interaction to spread the ransomware and infect a user's computer, CryptoLocker has morphed into a new worm variant. Researchers at Trend Micro have found that CryptoLocker is able to be spread from computer to computer by using a USB drive or by being downloaded from unsafe sites such as P2P file sharing websites. By utilizing a USB drive that is infected, the ransomware spreads to files on the computer that the drive is attached to and even looks for other computers on the network to infect, if connected. The ransomware can also spread itself by being a fake activator for software such as Adobe Photoshop and Microsoft Office, which are generally shared on P2P websites. CryptoLocker encrypts various files on a computer system and makes users pay a ransom to unlock their files. Since the affected files are encrypted, removing the malware does not aid in retrieving the files for accessibility and one of the only ways to remove the ransomware at this time is by doing a complete system format.
Trend Micro is advising users to keep away from P2P file sharing sites in order to retrieve illegal copies of software. Additionally, Trend Micro is cautioning the use of USB drives, especially those of unknown origin.
Source: PC Magazine
Posted: January 11, 2013 04:29PM
A malware exploit has been reported named Mal/JavaJar-B. The malware exploits a vulnerability in Java 7 that is already being used against systems and distributed among hackers, but has not yet been patched. The malware allows hackers to run code remotely on infected machines running Windows, Linux, and Unix, although Mac OS X remains safe as of now. The U.S. Department of Defense has advised users to disable Java on any systems running the software.
Users with the software installed can easily disable the software from running in the browser through unchecking 'Enable Java content in the browser' under 'Security' in the Java Control Panel. Java has recently played victim to a number of exploits that have used its broad implementation for more sinister purposes. Despite this, Java also provides a great platform for small developers to deploy their software, and has played host to many well-known titles such as Minecraft.
Posted: December 12, 2012 10:10PM
Security vulnerabilities of any kind are never a good thing, and today's revelation is certainly one to be wary of. Analysis company Spider.io has identified a vulnerability in Internet Explorer 6 through 10 that allows mouse movements to be tracked, even if the browser is minimized or inactive. A particularly bad part of this vulnerability is it even tracks movement across virtual keyboard and keypads, like you'd find on touchscreen devices. Spider.io says it's "already being exploited by at least two display ad analytics companies across billions of page impressions per month," which isn't the best thing anyone wants to hear. An attacker can purchase an ad on any website to gain access, even on sites like YouTube, and then track your mouse movements so long as the page with the ad is open.
Spider.io submitted the vulnerability report to Microsoft at the beginning of October, but the company said there are no "immediate" plans to patch it. Hopefully soon there is a resolution for it to make the browser safe once again.
Posted: November 9, 2012 06:12PM
Posted: August 16, 2012 02:59PM
Author: Nick Harezga
Google will be offering up to $2 million in prizes the for the Pwnium 2 contest at the Hack In the Box security conference in Malaysia on October 10. This represents a doubling of the $1 million prize pool from last year where only $120,000 was claimed. A prize of $50,000 will be awarded for exploits that take advantage of code that runs natively on Chrome, while $40,000 will be offered for "non-Chrome exploits." Google is already one of a handful of companies that offers bounties to researchers that report security bugs, with up to $10,000 being given out for severe bugs.
Posted: July 25, 2012 10:30AM
Stuxnet, Duqu, and Flame are all pieces of malware which have been covered by the larger news outlets for their apparent design to target and damage Iranian nuclear facilities. After investigation by security researchers it has been determined that Stuxnet and Duqu are directly related, while Flame is more indirectly related. Now a new piece of malware has struck some of these facilities, but it probably isn't connected to the three before it.
The report of the new malware comes from a Finnish computer security firm which claims a scientist at the Atomic Energy Organization of Iran had contacted them about their systems being infiltrated again. The malware was able to shut down the automation network at two facilities but did a little more than just this sabotage, and that bit more is why it is not as likely that this is related to the malware described above.
Supposedly several workstations were on in the middle of the night at these facilities blaring what the scientist believes is Thunderstruck by AC/DC. As the other three previous pieces of malware operated more secretly, this attack more likely is from a thrill seeking hacker. Until the story is officially confirmed and analysts can examine the malware, we cannot be sure.
Posted: May 29, 2012 10:19AM
Normally the discovery of a computer virus is not big enough news to warrant coverage by large media outlets, but in the past few years there have been some too important to not cover. First it was Stuxnet, a Trojan of uncertain origin that attacked the nuclear facilities in Iran and destroyed equipment there. Another Trogan named Duqu was found later and it shows a higher level of complexity than Stuxnet, though many believe the two are related. Unlike Stuxnet though, Duqu has not been activated yet, so no one knows what its purpose is, except for those who wrote it. Now another virus has been found and it, like its predecessors, has been found attacking targets in Iran and the Middle East.
As researchers at Kaspersky Lab analyzed Duqu they found it had some coding in it that they were not familiar with. After asking for help from the Internet the solution was found, and it indicated that whoever made the malware is very experienced with programming. This new virus, named Flame, surpasses both Stuxnet and Duqu in complexity and size.
Most computer viruses are small, making it easy for them to go undetected. Duqu and Stuxnet at 500 KB were heavyweights, but Flame comes in at an astounding 20 MB, with one module alone 6 MB in size. Considering the large scope of what Flame can do, this is not entirely surprising. The virus not only is capable of stealing your passwords as it records keystrokes, but it can also activate and record voices with a computer's microphone, take screenshots, monitor network traffic, and communicate with BlueTooth devices.
This level of complexity has led every research group that has analyzed it to the same conclusion about Flame's origin. The virus was likely written by a nation-state because the level of expertise required for this piece of malware would necessitate a large budget. Also, as English text was found in the code, the researchers believe it was created by native English speakers. Both Duqu and Stuxnet are alleged to have been made by nation-states, but it has not been conclusively proven.
Posted: May 1, 2012 05:33PM
Author: Nick Harezga
According to Symantec, the group behind the Mac Flashback malware was making roughly $10,000 per day through the use of the botnet created by the malware. The botnet had spread to nearly 700,000 computers at its peak, and those computers were generating revenue for those in control of the system. The Mac Flashback exploit was loaded into Chrome, Firefox, and Safari and targeted searches done through Google. The malware allowed the search to be hijacked and redirected to a different page, depriving Google of the ad revenue and instead putting it into the pockets of the hackers. Symantec also noted that Apple had a particularly slow response time in fixing the exploit, waiting nearly two months after the fix had been issued by Oracle to release it to users.
Posted: March 20, 2012 12:42PM
There are reasons some pieces of computer malware are called viruses, just like influenza and HIV which infect humans. Both biological and computer viruses attack vulnerabilities in whatever they infect and most are then designed to spread, sometimes with mutations. These similarities have security researchers intrigued, such as those at Fortinet’s Threat Research and Response Center.
Though biological viruses are considerably simpler than some computer virus, which can be encrypted and utilize antidebugging techniques, they still have tricks of their own which virus programmers are using as well. For example, HIV targets and attacks the human immune system, thereby making it difficult to defend against HIV and other viruses, and when AIDS is developed, the immune system is essentially destroyed. Several computer viruses will actually disable antivirus programs and give themselves an opening in the firewall, making it impossible to defend the compromised machine from further attacks.
Hackers learning from biological viruses are not the only concern though, with electronic prosthetics and it may be possible to encode a computer virus into DNA. Electronic implants do not always need to connect to an external computer, but occasionally they do, and when this happens they are open to attacks. Also the systems that sequence and store DNA could be vulnerable to a creative attack that encodes a virus into a piece of DNA. It would be like visiting a compromised website and a piece of malware being downloaded and installed while you are there. If a virus was actually written for human biology though, the effects could be quite destructive as our immune systems would have no guaranteed way to protect against the attack, and we do not have restore points.
Posted: March 20, 2012 08:55AM
Not very long ago the security researchers at Kaspersky Labs found some code in the Duqu virus they were not familiar with. To solve the mystery they crowd-sourced it by posting the code on their Secure List blog and the Internet succeeded.
Among the suggested languages was Object Oriented C, or OO C, and that a version of Microsoft Visual compiler (MSVC) was used. The use of MSVC was spotted because of certain commands in the code that are not typical of other compilers. This got the Kaspersky team working with the software and eventually they found that MSVC 2008 with the minimize size (/O1) and expand only __inline (/Ob1) options produced similar code to Duqu.
This proves that some form of OO C was used, but oddly the closest match was not published until after Duqu was released. This finding also sheds some light on the programmers of Duqu. How computer code works has been changing ever since it was first developed, and OO C uses an older custom that code like C++ does automatically. With many modern day languages, if not all, memory allocation is done automatically while in OO C this would have to be done manually. Some programmers prefer OO C for this reason, as they do not trust all of the features in newer languages. Also there was a time that different C++ compilers would give different results, while OO C was a standard with all systems.
Regardless of the reasons behind the use of OO C, this shows a great deal of skill and experience in the making of Duqu. As described in the Kaspersky blog post, "Duqu, just like Stuxnet, is a "one of a kind" piece of malware which stands out like a gem from the large mass of “dumb” malicious program we normally see."
Posted: March 12, 2012 10:48AM
Some of you may recall from the past two years news about some malware that had apparently targeted Iranian nuclear enrichment centers. The Stuxnet worm destroyed 400 centrifuges, which are critical to enriching uranium, and later the Duqu trojan was found. Duqu’s purpose is not yet known as it has not been activated yet, but it could potentially steal, corrupt, or run certain files.
While analyzing the code, security researchers at Kaspersky Labs have found some mysterious code. It does not conform to any programming language the researchers have compared it to, such as C++, Objective C, Java, Python, Ada, and Lua. Some crowd-source suggestions are that the language is related to LISP, a programming language for AI, or a version of C++ for old IBM systems.
Needless to say, this use of an unknown programming language has security analysts concerned. If more malware starts using unique languages like this, it will become much harder to dissect them and discover their origins. As it is, no one is sure about where either Stuxnet or Duqu came from, though many believe they are related and were even made by the US National Security Agency or the Israeli Mossad intelligence agency. However, Stuxnet had no unusual code like this, so perhaps the two pieces of malware are not related.
Posted: March 5, 2012 08:42AM
Apparently there is no honor among thieves and hackers. Some of you may remember that after the site Megaupload was taken down, the hacker group Anonymous decided to attack other websites, such as the US. Department of Justice, in retaliation. To hit the sites even harder, instructions and software for joining in the distributed denial-of-service (DDoS) attacks were posted online. Well, it turns whichever Anonymous member posted the information was interested in hurting more than the DoJ.
Zeus is a piece of malware meant to enslave its host computer and steal data, and was contained in the Slowloris DDoS software. According to Symantec, the computers in the voluntary Anonymous botnet were compromised, and information, such as banking details, was sent to someone.
I am not sure if "ironic" is descriptive enough.
Posted: February 15, 2012 02:55PM
In the wake of the discovery that an iOS app was collecting and transmitting contact information without permission, Forbes magazine has put together an article on a University of California at Santa Barbara report (pdf) from last year. At the time researchers found that roughly one fifth of free apps available from the iOS App Store were collecting private information, while apps available through the Cydia market for jailbroken iOS devices were collecting the same information only 4% of the time.
What the researchers considered private information included the Unique Device Identifier (UDID), location information, address book, phone number, Safari history, and photos. Of the 825 free apps tested from the App Store, 170 (21%) collected the UDID, 35 (4%) collected location information, 4 (0.5%) accessed the address book, and only 1 (0.1%) grabbed the phone number. Of the 526 from the Cydia market though, only 25 (4%) took the UDID, 1 (0.2%) got the location, 1 got the address book, 1 got the Safari history, and 1 took photos. It is worth noting though that the one Cydia app that captured location information, and also contact information, was designed for this and is called MobileSpy.
Remember, every app available through the Apple App Store is first approved by Apple. The Cydia market however does not have such strict rules on what can be downloaded from them. However, they do have a clientele of privacy-ware people and developers. After the revelation that Path, an iOS app, was collecting and uploading contact information to the developer’s servers, a developer made and released ContactPrivacy to Cydia, which allows a user to deny apps from uploading contact information. Another app, PrivaCy, was developed to prevent any specific app from uploading usage statistics.
Apple will, of course, start taking longer looks at apps it is sent, in light of the Path scandal, but until then, consider carefully what you install. Also, jailbreaking is not necessarily a better way to stay secure, but it is likely worth remembering what it offers you.
Posted: February 9, 2012 12:30PM
About a month after source code for the Norton 2006 antivirus software was released by hackers, source code for Symantec’s pcAnywhere software has been published. As this software is currently in use, the danger of exploitation is far greater. However, the sequence of events has allowed Symantec prepare, at least partially, for this.
Starting on January 18, a hacker claiming to have the source code started negotiations with Symantec. The email thread of the negotiations has been posted online for everyone to see, which is, supposedly, what the hacker wanted. YamaTough, the hacker, has stated he never intended to accept any payment from Symantec and was going to post the source code regardless. The negotiations were just to embarrass the company by showing what it would do to protect itself. However, YamaTough actually was not in communication with Symantec, but law enforcement.
As the negotiations were taking place, Symantec used the time to patch the software as best it could, to make the code dump as useless as possible. Despite the company’s efforts though, these two recent hacks are surely going to hurt it.