May 20, 2013

Malicious Mac OS X Backdoor Signed With Valid Developer ID Found on Activist’s Computer


Mac OS X Spyware Found On Users’ System Who Attended Oslo Freedom Forum

Security Week
by Ramida Y. Rashid
May 16, 2013


Researchers found malware which acts as a backdoor for OS X on a computer belonging to an activist attending the Oslo Freedom Forum this week.

Independent security researcher Jacob Appelbaum discovered the “new and previously unknown backdoor” on an African activist’s Mac during a workshop at The Oslo Freedom Forum, F-Secure’s Sean Sullivan wrote on the company blog. The workshop, ironically, was on how activists could secure their devices against government monitoring.

“Discussion at the #OsloFF just turned to discuss the backdoor I found on an Angolan dissident’s computer. Poor guy,” Appelbaum wrote on Twitter.

F-Secure is currently investigating the sample, but the backdoor application appears to take screenshots of the user’s computer and stores them in a folder in the user’s home directory called MacApp, Sullivan said. F-Secure researchers believe the application is related to an older sample, “HackBack,” and suspect it was commercially developed, Sullivan told SecurityWeek.

OSX/HackBack-A is an information-stealing Trojan designed to look for specific types of files, compress them into a zip file and upload them to a remote server. HackBack looks for various documents and images, including .txt, .doc, .eml, .pdf, .jpg, .xls, .log, .mbox, .pages, .tiff, and .ppt, among others.

While it’s not yet known how macs.app got on the activist’s computer, once installed, the application appended itself to the current user’s list of log-in items. This way, the app would run whenever the user is logged in. The application is designed to upload the screenshots to two remote servers, one in the Netherlands and the other in France. One of the servers is not responding and the other is returning a “public access forbidden” error message, Sullivan said.

Appelbaum called the malware “lame” since it was pretty simple and easily detected, but “deadly” because it was still able to spy on the activist. “The problem is that the author was good enough to get someone into mortal danger,” Appelbaum wrote on Twitter.

The fact that the application, macs.app, was signed with a valid Apple Developer ID, may be a sign that the developer was trying to bypass Apple’s Gatekeeper. Designed to protect Macs from malicious applications downloaded and installed from the Internet, the execution prevention technology from Apple exists in OS X Mountain Lion and OS X Lion v10.7.5.

Since the backdoor is not making any attempt to hide itself, users can look for the MacApp folder in their home directories to figure out whether the malware has infected their Macs. Users should also remove the macs.app program from the computer completely, and make sure it’s not included on the log-in items list.
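The check described above (look for a MacApp folder in the home directory, then inspect the login items) as a read-only shell script. This is an added example, not code from SecurityWeek or F-Secure; it assumes a macOS host for the osascript and codesign steps and skips them elsewhere, and the "macs" login-item pattern and the ~/Applications path are assumptions.

```shell
#!/bin/sh
# Added example, not from the article or F-Secure: read-only checks for the
# indicators the article names (a ~/MacApp screenshot folder, a macs.app
# login item) plus a look at who signed a suspect bundle.

# Return 0 if the home directory given as $1 holds a MacApp folder, else 1.
check_macapp_folder() {
    home_dir="${1:-$HOME}"
    if [ -d "$home_dir/MacApp" ]; then
        count=$(ls -1 "$home_dir/MacApp" | wc -l | tr -d ' ')
        echo "INDICATOR: $home_dir/MacApp exists ($count entries)"
        return 0
    fi
    echo "clean: no $home_dir/MacApp folder"
    return 1
}

# Return 0 if the user's login items contain a name matching "$1" (default
# "macs", an assumed pattern). osascript exists only on macOS; elsewhere
# the check is skipped and returns 2.
check_login_items() {
    pattern="${1:-macs}"
    if ! command -v osascript >/dev/null 2>&1; then
        echo "skip: osascript not available (not macOS)"
        return 2
    fi
    items=$(osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null)
    echo "login items: ${items:-<none>}"
    case "$items" in
        *"$pattern"*) echo "INDICATOR: login item matching '$pattern'"; return 0 ;;
        *) return 1 ;;
    esac
}

# Print the signing chain of the bundle at $1 (codesign is macOS-only).
show_signer() {
    command -v codesign >/dev/null 2>&1 || { echo "skip: codesign not available"; return 2; }
    codesign -dvv "$1" 2>&1 | grep -E '^(Authority|TeamIdentifier)='
}

main() {
    check_macapp_folder "$HOME" || :
    check_login_items || :
    # Assumed install locations; adjust if the bundle was found elsewhere.
    for app in "$HOME/Applications/macs.app" /Applications/macs.app; do
        if [ -d "$app" ]; then echo "INDICATOR: $app present"; show_signer "$app" || :; fi
    done
}

main "$@"
```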

“As we all know, the problem isn’t good malware or lame malware. The problem is being spied upon,” Morgan Marquis-Boire, a security researcher at the Citizen Lab, wrote on Twitter. Marquis-Boire, also a security engineer at Google, has done extensive research on FinFisher and FinSpy, a “remote monitoring” program used by government agencies to intercept communications.

Direct Link: http://www.securityweek.com/malicious-mac-os-x-backdoor-signed-valid-developer-id-found-activists-computer

Mar 31, 2013

Android Trojan Used in APT Attacks

New Attacks Targeting Tibetan and Uyghur Activists Found Using Android Trojan


Security Week

by Mike Lennon
March 26, 2013

Targeted attacks against Tibetan and Uyghur activists are nothing new, but attackers appear to be expanding their arsenal of attack tools to the Android platform.

While attacks against the activists in the past have targeted both Windows and Mac OS X-based platforms, researchers from Kaspersky Lab have discovered an APT that successfully leverages Android to compromise targets. 

According to Kaspersky researchers, a high-profile Tibetan activist had his email account hacked on March 24th, 2013.

Attackers then used the hacked account to send spear-phishing e-mails to the victim’s contact list that included a malicious Android Package (APK) attachment named “WUC’s Conference.apk”.

As seen above, the theme of the attack email was a human rights conference event in Geneva, something Kaspersky says has been used in previous attacks targeting Windows users.

Once the Android package is successfully installed, an application called ‘Conference’ shows up on the Android desktop as depicted in the screenshot to the right.

If the victim launches the malicious app, text about the upcoming event is displayed, appearing to be written by “Dolkun Isa, Chairman of the Executive Committee Word Uyghur Congress”. Note that the attackers incorrectly used “Word” instead of “World” in the text.

As the victim reads the fake message, the malware silently contacts a C&C server located in Los Angeles, California and then starts to harvest data stored on the device.

The stolen data includes contacts, call logs, SMS messages, geo-location and other phone data such as phone number, OS version, phone model, and SDK version, Kaspersky said.

Oddly, the researchers found that the stolen data isn’t sent to the C&C server automatically by the malware, but instead waits for incoming SMS messages that contain one of the following commands: “sms”, “contact”, “location”, “other”. If any of these commands is found, the malware proceeds to encode the stolen data with Base64 and sends it off to the command and control server.

Throughout the code, Kaspersky said, attackers log important actions, likely for debugging purposes, indicating the malware may be an early prototype version.

Kaspersky researchers also discovered a domain that points to the same C&C server IP address: “DlmDocumentsExchange(dot)com”, which was registered on March 8th, 2013 to “peng jia”, using the email address bdoufwke123010(at)gmail.com.

Also of interest, researchers found that the C&C server is hosting an index page that serves up an APK file named “Document.apk”, which has the same functionality as Conference.apk but uses Chinese-language text about relations between China, Japan and the disputed “Senkaku Islands / Diaoyudao Islands / Diaoyutai Islands”.

The command-and-control server is running Windows Server 2003 and is configured using the Chinese language, indicating that the attackers are likely Chinese speaking.

“Every day, there are hundreds if not thousands of targeted attacks against Tibetan and Uyghur supporters,” the researchers noted. “The vast majority of these target Windows machines through Word documents exploiting known vulnerabilities such as CVE-2012-0158, CVE-2010-3333 and CVE-2009-3129.”

“Until now, we haven’t seen targeted attacks against mobile phones, although we’ve seen indications that these were in development,” the blog post explained.

“[The attack] is perhaps the first in a new wave of targeted attacks aimed at Android users,” the post continued. “So far, the attackers relied entirely on social engineering to infect the targets. History has shown us that, in time, these attacks will use zero-day vulnerabilities, exploits or a combination of techniques.”

Kaspersky detects the Android malware used in the attack as “Backdoor.AndroidOS.Chuli.a” with an MD5 of 0b8806b38b52bebfe39ff585639e2ea2.

Additional technical details on the malware and the attacks can be found here.

Direct Link: http://www.securityweek.com/android-trojan-used-apt-attacks

Mar 27, 2013

Largest Attack on Record Slowing Internet: Security Experts

‘Bazooka’ Attacks Slowing Internet: Security Experts

Security Week
March 27, 2013

WASHINGTON, March 27, 2013 (AFP) –

The Internet may have been slowed by one of the largest cyber attacks ever seen, which targeted a European group that patrols the Web for spam, security experts said Wednesday.

The attacks targeted Spamhaus, a Geneva-based volunteer group that publishes spam blacklists which are used by networks to filter out unwanted email, and led to cyberspace congestion which may have affected the overall Internet, according to Matthew Prince of the US security firm CloudFlare.

The attacks began last week, according to Spamhaus, after it placed on its blacklist the Dutch-based Web hosting site Cyberbunker, which claimed it was unfairly labeled as a haven for cybercrime and spam.

While the origin of the attacks has not been identified, some experts pointed the finger at Cyberbunker, possibly in coordination with Eastern European cyber-criminals.

CloudFlare, which was called for assistance by Spamhaus, said the attackers changed tactics after the first layer of protection was implemented last week.

“Rather than attacking our customers directly, they started going after the network providers CloudFlare uses for bandwidth,” Prince said.

“Once the attackers realized they couldn’t knock CloudFlare itself offline… they went after our direct peers.”

Prince said the so-called denial of service attack, which essentially bombards sites with traffic in an effort to disrupt, was “one of the largest ever reported.”

Over the last few days, he added, “we’ve seen congestion across several major Tier 1 (networks), primarily in Europe where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare.”

“If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why,” he said in a blog post.

Prince noted that these attacks used tactics different than the “botnets” — these came from so-called “open resolvers” which “are typically running on big servers with fat pipes.”

“They are like bazookas and the events of the last week have shown the damage they can cause,” he said. “What’s troubling is that, compared with what is possible, this attack may prove to be relatively modest.”

A spokesman for the network security firm Akamai meanwhile told AFP that based on the published data, “the attack was likely the largest publicly acknowledged attack on record.”

“The cyber attack is certainly very large,” added Johannes Ullrich of US-based SANS Technology Institute, saying it was “a factor of 10 larger than similar attacks in the recent past.”

“But so far, I can’t verify that this affects Internet performance overall,” he told AFP.

Spamhaus, which also has offices in London, essentially patrols the Internet to root out spammers and provides updated lists of likely spammers to network operators around the world.

CloudFlare estimates that Spamhaus “is directly or indirectly responsible for filtering as much as 80 percent of daily spam messages.”

The attacks began after Spamhaus blacklisted Cyberbunker, a Web hosting firm which “offers anonymous hosting of anything except child porn and anything related to terrorism.”

Cyberbunker denounced the move on its blog.

“According to Spamhaus, CyberBunker is designated as a ‘rogue’ host and has long been a haven for cybercrime and spam,” the Cyberbunker statement said.

“Of course Spamhaus has not been able to prove any of these allegations.”

Prince said of the latest incident: “While we don’t know who was behind this attack, Spamhaus has made plenty of enemies over the years… We’re proud of how our network held up under such a massive attack and are working with our peers and partners to ensure that the Internet overall can stand up to the threats it faces.”

Related Reading: Cyberattack Capable of Downing Entire Internet Is Unlikely

Direct Link: http://www.securityweek.com/largest-attack-record-slowing-internet-security-experts

Feb 26, 2013

PHISHING

Yes Virginia… It is getting worse out there!

I know, I know…. Washington D.C. keeps saying that “Everything Is Getting Better!” But, I wish Washington and our so called Leaders would tell that to the “Scumbag Trolls” on the internet that it is okay to stop ripping people off because the gravy train is back! Until then, you should BE AWARE that there are new phishing scams in the works that will not only put you, your family, your friends, co-workers financially at risk… But also cost you more money on your cellular bill in the way of unwanted text messages.

Very soon, if not already, you will begin getting text messages from somebody you don’t know telling you something like…

“Hey its Jennifer, and I just took some new pictures and wanted to know what you think”

Well, if you decide to look, YOU’RE AN IDIOT!

This is another popular one that goes like this….

“OMG, I can’t believe you let them get a picture of you like that. Check it out (with a link)”

Well, if you decide to look, YOU’RE AN EVEN BIGGER IDIOT!

Or how about these two texts…

From: 8008274203@vtext.com
Message: Call 8 0 0 8 5 1 7 2 6 8 Attention Required California C U

&

From: 2222817829@vtext.com
Message: Attention Required 802 851 7268 California CU

The point in a nutshell is that you should not click or call anything remotely like this nor should you trust the message because it came from what you believe to be a loved / trusted one because it could be they clicked or the information was “SPOOFED” to look legitimate.

We have been posting articles on these types of “PHISHING” Schemes, Malware, Trojans, Viruses, etc. for a while now to keep you in the know and as safe as you can be, based on your own caution and habits online.

Surf Safe… Be Safe!

From Your Friends at:

G.E. Investigations, LLC

Toll Free: 866.347.7948

Website: www.GeInvestigations.com

Follow Us / Like Us for more updates and Postings to keep you aware!

** Twitter: http://www.Twitter.com/GeInvestigation

** Facebook: http://www.facebook.com/pages/Phoenix-AZ/GE-Investigations-LLC/125237851985