malware « The FORWARD project blog

Posts Tagged ‘malware’

Malicious Android apps double in 6 months

Tuesday, January 10th, 2012

Lookout Mobile Security has identified 1000 malicious applications in less than six months.
Previously, most malicious apps were located on third-party app stores and other alternatives to the official Android Market.
Lookout reports that the yearly likelihood of an Android user encountering malware has increased from 1 to 4 percent, and that the U.S. sits in the middle of the range for mobile malware compared with other countries.
Another vector is convincing Android users to click on untrusted links that lead to malware and phishing sites.
The global yearly likelihood of an Android user clicking on an unsafe link is much higher, reaching 36 percent (6 percent higher than in July 2011); in the U.S. it is 40 percent.
Another issue Lookout detected is “mobile pickpocketing”: applications and malware that charge the phone owner without their knowledge.
There are also the RuFraud applications, which pretend to be free wallpaper finders and popular games but hide terms that allow the service to charge the phone owner without their knowledge.
Lookout expects many more of these incidents to be reported, along with botnets, malware that exploits weaknesses in mobile operating systems, browser-based attacks, malware hiding in mobile advertisements, and tools that automatically repackage legitimate applications to add malware.
Finally, Lookout suggests avoiding third-party application stores, avoiding clicks on in-app advertisements, and being wary of apps that ask you to click “OK”. Users should check reviews before downloading any application, especially games, utilities and porn apps, which are the most likely to contain malware.

Sources :
RuFraud Apps

$120 to decrypt your files (ransomware attack)

Friday, January 7th, 2011

According to researchers at SophosLabs, hackers are spreading new ransomware in order to extort $120. The ransomware encrypts media and Office files on the victim’s computer, so the victim cannot access these files (they have been encrypted by the malicious code) until the hackers are paid.

The attack appears to have hit many computers via drive-by exploits on compromised websites. Many users reported receiving it through a malicious PDF that downloads and installs the ransomware.

The attack changes the Windows desktop wallpaper to show the first part of the ransom message.


The “HOW TO DECRYPT” txt-file on the desktop contains the message:


All your personal files (photo, documents, texts, databases, certificates, kwm-files, video) have been encrypted by a very strong cypher RSA-1024. The original files are deleted. You can check this by yourself - just look for files in all folders.

There is no possibility to decrypt these files without a special decrypt program! Nobody can help you - even don't try to find another method or tell anybody. Also after n days all encrypted files will be completely deleted and you will have no chance to get it back.

We can help to solve this task for 120$ via wire transfer (bank transfer SWIFT/IBAN). And remember: any harmful or bad words to our side will be a reason for ingoring your message and nothing will be done.

For details you have to send your request on this e-mail (attach to message a full serial key shown below in this 'how to..' file on desktop): [email address]

The message contains an e-mail address to contact if the victim wants to recover the encrypted data. It also contains a fingerprint hex-string that changes between runs; it serves as a unique victim ID and must be quoted when the victim contacts the hackers.

File types which can be affected: .jpg, .jpeg, .psd, .cdr, .dwg, .max, .mov, .m2v, .3gp, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .rar, .zip, .mdb, .mp3, .cer, .p12, .pfx, .kwm, .pwm, .txt, .pdf, .avi, .flv, .lnk, .bmp, .1cd, .md, .mdf, .dbf, .mdb, .odt, .vob, .ifo, .mpeg, .mpg, .doc, .docx, .xls, and .xlsx.
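The post gives a defender three concrete indicators: a “HOW TO DECRYPT” text file, a per-victim hex string inside it, and a fixed list of affected file extensions. The following PowerShell triage script is an added example, not code from the FORWARD blog or from SophosLabs. It assumes (labelled in the comments) that the note’s file name starts with “HOW TO DECRYPT” and ends in .txt, and that the “serial key” is a run of 16 or more hexadecimal characters; the post only says it is a hex string, so adjust the pattern to what you actually see on an infected machine. The extension list is the one from the post, with its duplicates removed.

```powershell
# Added example (not from the FORWARD blog or SophosLabs): triage a folder tree for the
# indicators described in the post.
# Assumptions, labelled: the ransom note is named "HOW TO DECRYPT*.txt", and the
# per-victim "serial key" inside it is a run of 16+ hex characters.

# Extensions the post lists as affected, deduplicated.
$AffectedExtensions = @(
    '.jpg','.jpeg','.psd','.cdr','.dwg','.max','.mov','.m2v','.3gp','.doc','.docx',
    '.xls','.xlsx','.ppt','.pptx','.rar','.zip','.mdb','.mp3','.cer','.p12','.pfx',
    '.kwm','.pwm','.txt','.pdf','.avi','.flv','.lnk','.bmp','.1cd','.md','.mdf',
    '.dbf','.odt','.vob','.ifo','.mpeg','.mpg'
)

function Find-RansomNoteIndicators {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $allFiles = Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue

    # 1. Ransom notes. The post says the note sits on the desktop, but search the
    #    whole tree in case the malware drops copies elsewhere.
    $notes = @($allFiles | Where-Object { $_.Name -like 'HOW TO DECRYPT*.txt' })
    $notePaths = @($notes | Select-Object -ExpandProperty FullName)

    # 2. Victim IDs quoted in the notes (assumed format: 16+ hex characters).
    $victimIds = foreach ($note in $notes) {
        $text = Get-Content -LiteralPath $note.FullName -Raw -ErrorAction SilentlyContinue
        foreach ($m in [regex]::Matches([string]$text, '\b[0-9A-Fa-f]{16,}\b')) { $m.Value }
    }

    # 3. Files whose extension is on the affected list, grouped per extension.
    #    Originals vanishing while these counts drop matches the note's claim that
    #    "the original files are deleted".
    $affected = $allFiles |
        Where-Object { $notePaths -notcontains $_.FullName } |
        Where-Object { $AffectedExtensions -contains $_.Extension.ToLowerInvariant() } |
        Group-Object { $_.Extension.ToLowerInvariant() } |
        Sort-Object Count -Descending

    [pscustomobject]@{
        NoteFiles     = $notePaths
        VictimIds     = @($victimIds | Select-Object -Unique)
        AffectedByExt = @($affected | Select-Object Name, Count)
        TotalAffected = @($affected | ForEach-Object { $_.Count } | Measure-Object -Sum).Sum
    }
}

# Constructed demo tree so the function can be exercised offline.
$demo = Join-Path ([IO.Path]::GetTempPath()) ('ransom-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $demo 'Desktop') -Force | Out-Null
Set-Content -Path (Join-Path $demo 'Desktop\HOW TO DECRYPT.txt') -Value @(
    'All your personal files have been encrypted ...',
    'serial key: 0123456789ABCDEF0123456789ABCDEF'   # constructed victim id
)
'photo.jpg','report.docx','song.mp3','keys.pfx','notes.md' | ForEach-Object {
    Set-Content -Path (Join-Path $demo $_) -Value 'sample'
}

Find-RansomNoteIndicators -Path $demo | Format-List
Remove-Item -Path $demo -Recurse -Force
```

Run it against a user profile or a mounted image of the affected disk; the note paths and victim ID are what you need for the incident record, and the per-extension counts tell you how much of the user's data was in scope.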

Windows shortcut flaw goes wild?

Wednesday, July 21st, 2010

On July 16, Microsoft released Security Advisory 2286198, confirming a Windows shortcut flaw that exposes users of all current versions of Windows, including fully patched Windows 7 systems, to very serious attacks.

Simply opening a directory that contains a malicious shortcut is enough to get infected: once the shortcut’s icon is displayed in Windows Explorer, the malicious code is launched without any further user interaction. Hackers have already developed malware that spreads via USB sticks using this vulnerability. Independent security researcher Frank Boldewin found that the attack currently targets the WinCC SCADA system by Siemens. “Looks like this malware was made for espionage,” Boldewin writes.

On Sunday, a researcher known as “Ivanlef0u” published proof-of-concept code to several locations on the Internet. A Metasploit module that implements the exploit via the WebDAV method is already available.

To protect yourself from the attack, Microsoft suggests disabling the display of icons for shortcuts and turning off the WebClient service as workarounds. See the Microsoft advisory for details on how to “Disable the displaying of icons for shortcuts”. Another way to protect yourself is to use Didier Stevens’ tool Ariad.
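The two workarounds above are easy to apply by hand on one machine and easy to lose track of across many. The following PowerShell audit is an added example, not code from the FORWARD blog or from Microsoft. It assumes (labelled in the comments) that the “disable the displaying of icons for shortcuts” workaround is implemented by clearing the default value of the IconHandler keys under HKEY_CLASSES_ROOT\lnkfile and HKEY_CLASSES_ROOT\piffile, and it treats the WebClient workaround as applied only when the service is both stopped and disabled; confirm both against the advisory text before relying on the result.

```powershell
# Added example (not from the FORWARD blog or Microsoft): report whether the two
# workarounds the post mentions for Security Advisory 2286198 are in place on this host.
# Assumption, labelled: the icon workaround clears the (default) value of the
# IconHandler keys below; check the advisory before relying on this.

function Test-LnkWorkarounds {
    [CmdletBinding()]
    param()

    $iconHandlerKeys = @(
        'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler',
        'Registry::HKEY_CLASSES_ROOT\piffile\shellex\IconHandler'
    )

    $iconHandlerState = foreach ($key in $iconHandlerKeys) {
        $value = $null
        if (Test-Path -LiteralPath $key) {
            # "(default)" is how the registry provider exposes a key's unnamed value.
            $value = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        }
        [pscustomobject]@{
            Key      = $key
            Handler  = $value
            # Workaround applied = key missing or default value empty.
            Disabled = [string]::IsNullOrEmpty([string]$value)
        }
    }

    # WebClient service: the WebDAV delivery path needs it running.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'" -ErrorAction SilentlyContinue
    $webClient = [pscustomobject]@{
        Present   = ($null -ne $svc)
        State     = if ($svc) { $svc.State } else { 'not installed' }
        StartMode = if ($svc) { $svc.StartMode } else { 'n/a' }
        Disabled  = ($null -eq $svc) -or ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
    }

    $iconsStillEnabled = @($iconHandlerState | Where-Object { -not $_.Disabled }).Count

    [pscustomobject]@{
        IconHandlers          = $iconHandlerState
        WebClient             = $webClient
        AllWorkaroundsApplied = ($iconsStillEnabled -eq 0) -and $webClient.Disabled
    }
}

Test-LnkWorkarounds | Format-List
```

Run it from an elevated prompt on each host (or through your remoting tool of choice) and act on any host where AllWorkaroundsApplied is False; the per-key and per-service detail tells you which of the two workarounds is missing.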

Additional information on the flaw can be found in a blog post by the SANS Institute’s Internet Storm Center here.


Experts Warn of New Windows Shortcut Flaw

MS confirms Windows shortcut zero-day flaw

Preempting a Major Issue Due to the LNK Vulnerability – Raising Infocon to Yellow

Malware threatens victims using copyright laws

Monday, April 19th, 2010

A trojan that spreads through a peer-to-peer network called Winny, commonly used in Japan, gathers personal data from its victims and publishes it on the web, according to a BBC article.

The Kenzero trojan is bundled with a fake adult anime game shared over the Winny P2P network. When a victim downloads and executes the file, the malware scans the victim’s computer for personal information, such as the computer name, browsing history, downloaded files, favourite pages, OS version and a clipboard dump, while it opens a registration/installation window demanding personal details. After gathering all possible information, it publishes it on a public web page and sends an e-mail from a company called “Romancing, Inc.” accusing the victim of downloading copyrighted material. The e-mail threatens legal action over the copyright violation and offers to settle it for a 1500 yen (~$16) fee. As noted in Trend Micro’s blog article, it also downloads three copyrighted MP3 files onto the victim’s computer, possibly to back up the threat.

More than 1500 people have reported falling victim to the malware, according to the local paper Yomiuri Shimbun, but it is unknown how many paid the copyright infringement fee.

This is the second similar case this week: earlier, as reported here, a fake ICPP Foundation demanded $400 over copyright claims.

FIFA World Cup – themed malware

Saturday, March 27th, 2010

Major events are often used by spammers to fuel their scams.

While the World Cup soccer tournament is still more than two months away, researchers from Symantec are reporting on a targeted malware campaign with a FIFA World Cup theme. Attackers modified a PDF document from Greenlife to include malicious code. The e-mails carry this PDF as an attachment, claiming to provide a guide to the first African edition of football’s most prestigious tournament.


Zeus botnet’s C&C through Amazon EC2

Thursday, December 17th, 2009

A variant of the Zeus bot (Zbot) was found using Amazon’s Elastic Compute Cloud (EC2) infrastructure as the command-and-control (C&C) channel for its infected machines.

Zbot is password-stealing software: it logs financial data and sends it back to the botnet. Last year more than $100M of U.S. fraud was linked to Zeus malware variants. It was also held responsible for the “destruction” of 100,000 infected computers by deleting registry key data, making them inoperable. The Zeus botnet is estimated to consist of millions of infected computers around the world.


H1N1 malware epidemic

Monday, December 7th, 2009

Earlier this week, the Center for Disease Control (CDC) issued an alert about a new malware scam, warning citizens about a large malware campaign exploiting public awareness of, and interest in, H1N1 vaccinations.

The e-mail security company AppRiver detected a large volume of fake CDC e-mails, sent at a rate of nearly 18,000 messages per minute and reaching more than 1 million in the first hour alone, according to the company’s blog post.

The e-mails ask users to register for a new state vaccination program by creating a personal H1N1 vaccination profile on a fraudulent CDC web page. Anyone who clicks on the link gets their computer infected with malware, an executable copy of the ZBot trojan horse. This trojan, also known as Zeus, powers one of the most active botnets, which steals data from compromised machines.

According to the security company Sunbelt Software’s report, ZBot is listed as the second most prevalent malware threat.

Malware propagation can succeed when social engineering, fed by public awareness and fear, matters more than the technology involved.

BIOS Attack

Tuesday, April 28th, 2009

A BIOS level malware attack was presented last month by Alfredo Ortega and Anibal Sacco from Core Security Technologies.

The attack does not rely on any vulnerability in the system, so a system can be compromised silently. Most importantly, the attack “survives” reboots, hard-disk wipes and even reinstallation of the operating system.

Although executing the attack requires either root privileges or physical access to the machine, once it succeeds the attacker gains complete control of the machine permanently.

Source: ZDNet