Jul 182013

Dropbox used by Chinese hackers to spread malware


by Paul Wagenseil
July 15, 2013
Dropbox Chinese Hackers Infecting you through Drop Box. Dropbox is one of the better-known cloud-based services.

Chinese Hackers Infecting you through Drop Box. Dropbox is one of the better-known cloud-based services.

Popular cloud-based file-sharing service Dropbox wants to be all things to all people, with big plans to share application metadata — game saves, settings preferences and so forth — as well as raw files across devices and platforms.

But when Dropbox CEO Drew Houston announced last week that Dropbox intends to “replace the hard drive,” he probably didn’t expect Chinese hackers to take him up on it so quickly.

Comment Crew, the same Chinese cyberespionage team thought to be behind the recent attack on The New York Times, has been using publicly shared Dropbox folders to spread malware, reports Arlington, Va., digital-security firm Cyber Squared.

“The attackers have simply registered for a free Dropbox account, uploaded the malicious content and then publicly shared it with their targeted users,” a Cyber Squared blog posting explained last week.

For malicious hackers, Dropbox is an attractive malware distribution platform because it’s widely used in the corporate environment and is unlikely to be blocked by IT security teams.

In this way, Cyber Squared wrote, “the attackers could mask themselves behind the trusted Dropbox brand, increasing credibility and the likelihood of victim interaction with the malicious file from either personal or corporate Dropbox users.”

When a Dropbox file is publicly shared, the persons with whom it’s shared receive emails from Dropbox informing them of the share, along with a link to the file on the Dropbox website.

In the attack Cyber Squared examined, normal procedure was followed, but the shared file was an infected Word document of interest to China’s neighbors, indicating a “spear phishing” attack.

The Word document concerned commercial relations between the United States and the 10 members of the Association of Southeast Asian Nations, nine of which ring the South China Sea.

Embedded in the Word document was what seemed to be a PDF file on the same topic, but which was really malware exploiting a hole in Adobe Flash Player.

The malware copied itself to the targeted user’s hard drive, then reached out for instructions to a WordPress blog, which itself appeared to be a boring recitation of Asian trade statistics.

But seemingly decorative strings of text nestled among the postings on the WordPress blog were full of meaning.

For example, the strings “@@@@@@” or “######443######” may not look like much to the untrained eye.

The first string includes an Internet Protocol address, which computers use to find websites; the second string references port 443, which the Internet Protocol sets aside for encrypted Web connections.

The WordPress blog was thus telling the malware where to go for further instructions and which port to connect on. (The URL in the example above is TechNewsDaily’s own.)

Cyber Squared didn’t wait to see what would happen after the malware received its instructions. Previous Comment Crew attacks have included mass penetration of organizational network, theft of intellectual property and other data and installation of spyware to keep track of a targeted user’s online activities and communications.


Related Article:

** 8 Simple Tips for Securing Your Computer


Direct Link:  http://www.nbcnews.com/technology/dropbox-used-chinese-hackers-spread-malware-6C10642402

Jul 122013

Google: Hacked sites far worse than attack sites

The new Safe Browsing section of Google’s Transparency Report shows that you face a significantly bigger threat from compromised legit sites than intentionally dangerous sites.


C/NET News
by Seth Rosenblatt
June 25, 2013

This map from the Google Transparency Report on Safe Browsing shows that only two percent of sites hosted in the U.S. contain malware. (Credit: Screenshot by Seth Rosenblatt /CNET)

This map from the Google Transparency Report on Safe Browsing shows that only two percent of sites hosted in the U.S. contain malware.
(Credit: Screenshot by Seth Rosenblatt /CNET)


Web sites you think are safe but have been compromised to distribute malicious software are far more prevalent than sites that are intentionally dangerous, according to a new Transparency Report from Google released on Tuesday.

The new Safe Browsing section of the report reveals some of the security trends that Google has been seeing. While Google reiterated that its Safe Browsing program flags up to 10,000 sites a day, the report showed that hacked sites remain a major problem — with about 60 percent hosting malware and 40 percent being used for phishing attacks.

Dedicated attack sites numbered in the hundreds until late 2009, when they began to increase. They crested at the end of last year above 6,000, but that number has since dropped. As of June 9, 2013, Google reports the number of these malicious sites at 3,891.

Dramatically worse is the problem of compromised sites, Web sites that are supposed to be legitimately safe but that have been hacked to infect visitors.

During the week of June 9, Google tallied 39,247 hacked sites, down from more than 60,000 last July and more than 76,000 in June 2009.

Webmaster response time to fixing those compromised sites has accelerated remarkably, although it has been slowly getting worse over past 18 months. Response time began to drop from more than 90 days in 2008 to a low of 12 days in May 2009. As of March 2013, the response time hovered around 50 days.

The full Google Transparency Report on Safe Browsing can be read here.

Originally posted at Internet & Media

Direct Link:   http://news.cnet.com/8301-1009_3-57591008-83/google-hacked-sites-far-worse-than-attack-sites/

May 202013

Malicious Mac OS X Backdoor Signed With Valid Developer ID Found on Activist’s Computer

Mac OS X Spyware Found On Users’ System Who Attended Oslo Freedom Forum

Security Week
by Ramida Y. Rashid
May 16, 2013

Malicious Mac OS X Backdoor Signed With Valid Developer ID Found on Activist's Computer

Malicious Mac OS X Backdoor Signed With Valid Developer ID Found on Activist’s Computer


Researchers found malware which acts as a backdoor for OS X on a computer belonging to an activist attending the Oslo Freedom Forum this week.

Independent security researcher Jacob Appelbaum discovered the “new and previously unknown backdoor” on an African activist’s Mac during a workshop at The Oslo Freedom Forum, F-Secure’s Sean Sullivan wrote on the company blog. The workshop, ironically, was on how activists could secure their devices against government monitoring.

“Discussion at the #OsloFF just turned to discuss the backdoor I found on an Angolan dissident’s computer. Poor guy,” Appelbaum wrote on Twitter.

F-Secure is currently investigating the sample, but the backdoor application appears to take screenshots of the user’s computer and stores them in a folder in the user’s home directory called MacApp, Sullivan said. F-Secure researchers believe the application is related to an older sample, “HackBack,” and suspect it was commercially developed, Sullivan told SecurityWeek.

OSX/HackBack-A is an information-stealing Trojan designed to look for specific types of files, compress them into a zip file and upload them to a remote server. HackBack looks for various documents and images, including .txt, .doc, .eml, .pdf, .jpg, .xls, .log, .mbox, .pages, .tiff, and .ppt, among others.

While it’s not yet known how macs.app got on the activist’s computer, once installed, the application appended itself to the current user’s list of log-in items. This way, the app would run whenever the user is logged in. The application is designed to upload the screenshots to two remote servers, one in the Netherlands and the other in France. One of the servers is not responding and the other is returning a “public access forbidden” error message, Sullivan said.

Appelbaum called the malware “lame” since it was pretty simple and easily detected, but “deadly” because it was still able to spy on the activist. “The problem is that the author was good enough to get someone into mortal danger,” Appelbaum wrote on Twitter.

The fact that the application, macs.app, was signed with a valid Apple Developer ID, may be a sign that the developer was trying to bypass Apple’s Gatekeeper. Designed to protect Macs from malicious applications downloaded and installed from the Internet, the execution prevention technology from Apple exists in OS X Mountain Lion and OS X Lion v10.7.5.

Since the backdoor is not making any attempt to hide itself, users can look for the MacApp folder in their home directories to figure out whether the malware has infected their Macs. Users should also remove the macs.app program from the computer completely, and make sure it’s not included on the log-in items list.

“As we all know, the problem isn’t good malware or lame malware. The problem is being spied upon,” Morgan Marquis-Boire, a security researcher at the Citizen Lab, wrote on Twitter. Marquis-Boire, also a security engineer at Google, has done extensive research on FinFisher and FinSpy, “a remote monitoring” program used by government agencies to intercept communications.
Direct Link:  http://www.securityweek.com/malicious-mac-os-x-backdoor-signed-valid-developer-id-found-activists-computer