“Selfmite” Beware Android Users!! Here is a Text Messaging Malware

“Selfie” – the most trending word nowadays in this technology-led world. But it’s time to jump out of the selfie world and look into the “Selfmite”. 😉 Nope, this is not another amusement creature; this is the latest trending Android malware. What’s interesting about this malware is its propagating nature: “TEXT MESSAGES”… ohh yeah… that’s true, text messages.

According to AdaptiveMobile, a security vendor, the new SMS worm is able to propagate itself to other Android users through special links embedded within text messages.

The worm propagates by automatically sending text messages to 20 contacts in the infected phone’s address book. Next, the worm asks the user to install a legitimate app via an advertising platform. Every time that app is installed, the worm’s author gets paid.

Logically, most malware for Android can be considered Trojan apps, but those normally do not come with self-propagation mechanisms and are distributed through unofficial app stores. SMS worms on Android are also rare in general.

Find IT, before you get IT: AdaptiveMobile reports, Selfmite spreads by sending users the following SMS, which contains a URL that redirects to the malware:

‘Dear [NAME], Look the Self-time, http://goo.gl/%5BREDACTED%5D’. If a user clicks on the goo.gl shortened link, he is invited to download and install an APK file, which appears as an icon in his smartphone menu once installation is complete.

Additionally, Selfmite also attempts to convince affected users to download and install another file called mobogenie_122141003.apk using the local browser. Mobogenie is a legitimate app that enables users to synchronize Android devices with their PCs; they can then download apps through an alternative app store.

“At the moment North America seems to be the most targeted territory,” said Denis Maslennikov, a Security Analyst at AdaptiveMobile. The worm was first discovered in the U.S., but AdaptiveMobile reports activity from other countries around the world.

Internet Explorer – New Zero Day Vulnerability

Here comes more bad news for users of Internet Explorer.

Microsoft announced that all versions of Internet Explorer are affected by a “zero day” security flaw (a “zero day” flaw is a vulnerability that gives victims zero days of warning before attack).

[Image: Zero-Day-IE1]

According to the security company FireEye, the flaw leaves 26.25% of the browser market vulnerable to attack. This, of course, comes just weeks after the OpenSSL flaw Heartbleed left over two-thirds of the internet vulnerable to potential attacks.

The vulnerability, which could allow remote code execution, is being used in “limited, targeted attacks,” according to an advisory issued by Microsoft. While all versions of the web browser, IE 6 through 11, are affected by the vulnerability, attacks are currently targeting IE versions 9, 10 and 11, according to security firm FireEye.

Plainly speaking, the flaw allows attackers to corrupt and steal data after users are lured to fake websites, meaning anyone using Internet Explorer should be extra vigilant when clicking suspicious links that arrive through email or spam sites.

Microsoft said it is investigating the vulnerability and may issue an out-of-cycle security update to address the issue.

‘Gameover Zeus’ targets job seekers/recruiters via ‘monster.com’

A cybercrime group has initiated an attack against job seekers and recruiters by attempting to steal log-in credentials for Monster.com and CareerBuilder.com accounts.

A new variant of the Gameover computer Trojan is being used by attackers for

[Image: Zeus malware Monster sign-in page]

Once a user tries to visit monster.com, they are served a fake login page quite similar to the legitimate one, but once the victim logs in, they are redirected to a web page injected by the malicious code.

[Image: Monster Gameover banking Trojan malware]

At this point the malware presents the victim with 18 different security questions to choose from. The questions are requested via an injected form, and a cookie called “qasent” is set by the process.

  • In what City / Town does your nearest sibling live?
  • In what City / Town was your first job?
  • In what city did you meet your spouse/significant other?
  • In what city or town did your mother and father meet?
  • What are the last 5 digits / letters of your driver’s license number?
  • What is the first name of the boy or girl that you first dated?
  • What is the first name of your first supervisor?
  • What is the name of the first school you attended?
  • What is the name of the school that you attended aged 14-16?
  • What is the name of the street that you grew up on?
  • What is the name of your favorite childhood friend?
  • What is the street number of the first house you remember living in?
  • What is your oldest sibling’s birthday month and year? (e.g., January 1900)
  • What is your youngest sibling’s birthday?
  • What month and day is your anniversary? (e.g., January 2)
  • What was the city where you were married?
  • What was the first musical concert that you attended?
  • What was your favorite activity in school?

Sean Sullivan, Security Advisor at F-Secure Labs, confirmed that it is hard to precisely count the number of victims because Zeus Gameover is a P2P botnet.

“It’s a peer-to-peer botnet so it’s tricky to count,” said Sullivan. “There is some excellent analysis from Dell SecureWorks, which details about 24,000 Gameover bots, in July 2012. I haven’t seen any attempts to count the entire Gameover botnet recently, but I’m sure it’s still in the multiple tens of thousands.”

Security experts at F-Secure say the purpose of the attack is still a mystery, though it is likely designed to target the accounts of HR departments using Monster.

“HR recruiters with website accounts should be wary of any such irregularities. If the account is potentially tied to a bank account and a spending budget it’s a target for banking trojans. It wouldn’t be a bad idea for sites such as Monster to introduce two factor authentication, beyond mere security questions.” said F-Secure expert Mikko Suominen.

Zeus Family:

Gameover is one of several Trojan programs that are based on the infamous Zeus banking malware, whose source code was leaked on the Internet in 2011. Like Zeus, Gameover can steal log-in credentials and other sensitive information by injecting rogue Web forms into legitimate websites when accessed from infected computers.


Windows XP, India & ATMs

Everyone is concerned about the end of support for Windows XP by Microsoft, and every security forum is flooded with the associated risks and threats. But one interesting risk has suddenly caught the eye in India: bank ATMs.

Banking operations, including ATM services, may be hit as Microsoft support for the Windows XP operating system ends on April 8. Microsoft has warned that “the effectiveness of antimalware solutions on out-of-support operating systems is limited.”

[Image: ATM running Windows XP]

In this regard, the RBI has already asked banks to take immediate steps to control this risk.

The end of support for Windows XP is likely to increase the probability of attacks on such a system and may affect ATM operations as well, RBI said.

“The probability of attacks on such a system may increase and it may be difficult to defend such attacks in the absence of Microsoft support,” RBI said in a notification addressed to the banks.

Microsoft will stop issuing updates and patches for bugs in its Windows XP operating system, which was released in 2001, from April 8, 2014.

“As some of your systems, including ATMs, may still be working on Windows XP, you are advised to take immediate steps to implement appropriate systems and controls in this regard,” it added.

There’s some good news and bad news about this. On the plus side, the more advanced ATM fleets should be able to upgrade their machines to a newer version of Windows over their network. Older ATMs, however, will still need a new version of Windows installed one by one, which means technicians will be making lots of trips to different convenience stores this spring to make sure upgrades are going as planned.

NTP-Based DDoS Attacks

Over the last few days, NTP-based DDoS attacks have caught the attention of security researchers across the world.

Very large DDoS attacks can be directed at any target using easy-to-use tools. Like DNS, NTP is a simple UDP-based protocol that can be persuaded to return a large reply to a small request.

Let me tell you more about NTP first.

Network Time Protocol (UDP Port 123):

NTP is the Network Time Protocol, used by machines connected to the Internet to set their clocks accurately. It is widely used across the Internet by desktops, servers and even phones to keep their clocks in sync.

NTP Attack:

The attack relies on the exploitation of the ‘monlist’ feature of NTP, as described in CVE-2013-5211, which is enabled by default on older NTP-enabled devices. When used in an attack, it causes a list of the last 600 IP addresses that connected to the NTP server to be sent to the victim. The response is typically considerably larger than the request, which amplifies the volume of traffic directed at the victim server.

NTP contains a command called monlist (sometimes MON_GETLIST) which can be sent to an NTP server for monitoring purposes. It returns the addresses of up to the last 600 machines that the NTP server has interacted with. This response is much bigger than the request, making it ideal for an amplification attack. The simple UDP-based NTP protocol is prone to amplification because it will reply to a packet with a spoofed source IP address and because at least one of its built-in commands sends a long reply to a short request. That makes it ideal as a DDoS tool.

Additionally, since the responses are legitimate data coming from valid servers, it is quite difficult to block these types of attacks.
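Because the reflected traffic is legitimate-looking data from real NTP servers, defenders usually spot it from traffic shape rather than content: UDP responses from source port 123 whose packets are far larger than a normal 48-byte time reply, converging on one destination from many servers. The script below is an added illustration (not code from the original post, Cloudflare or AdaptiveMobile) that applies that logic to a handful of constructed NetFlow-style records; the IP addresses, the record layout and the thresholds are assumptions.

```python
"""Flag flow records that look like NTP monlist amplification traffic.

Added illustration, not code from the original post. Record layout, IPs
and thresholds are constructed assumptions.
"""
from collections import defaultdict

# Constructed sample flow records (not real captures):
# proto src_ip src_port dst_ip dst_port packets bytes
SAMPLE_FLOWS = """\
udp 198.51.100.10 123 203.0.113.5 49152 100 48200
udp 198.51.100.11 123 203.0.113.5 49152 100 48200
udp 198.51.100.12 123 203.0.113.5 49152 100 48200
udp 192.0.2.7 123 192.0.2.50 43210 1 76
udp 192.0.2.50 43210 192.0.2.7 123 1 76
tcp 192.0.2.8 443 192.0.2.51 51000 10 8000
"""

NTP_PORT = 123
# A normal NTP time reply carries 48 bytes of payload (about 76 bytes on the
# wire); monlist replies are a burst of much larger packets, so a high
# bytes-per-packet value from source port 123 is the signal. Threshold is an
# assumption for this example.
SUSPICIOUS_BYTES_PER_PACKET = 200
# Amplification floods arrive from many reflectors; require several distinct
# source servers before naming a destination a victim (assumed threshold).
MIN_DISTINCT_REFLECTORS = 3


def parse_flow(line):
    """Split one whitespace-separated flow record into a dict."""
    proto, src_ip, src_port, dst_ip, dst_port, packets, nbytes = line.split()
    return {
        "proto": proto, "src_ip": src_ip, "src_port": int(src_port),
        "dst_ip": dst_ip, "dst_port": int(dst_port),
        "packets": int(packets), "bytes": int(nbytes),
    }


def is_oversized_ntp_response(flow):
    """True for UDP flows sourced from port 123 whose average packet size is
    far above a normal NTP reply, the shape of a monlist-style response."""
    if flow["proto"] != "udp" or flow["src_port"] != NTP_PORT:
        return False
    if flow["packets"] == 0:
        return False
    return flow["bytes"] / flow["packets"] >= SUSPICIOUS_BYTES_PER_PACKET


def find_amplification_victims(lines):
    """Return {victim_ip: {"reflectors": n, "bytes": total}} for destinations
    receiving oversized NTP responses from MIN_DISTINCT_REFLECTORS+ servers."""
    reflectors = defaultdict(set)
    volume = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if is_oversized_ntp_response(flow):
            reflectors[flow["dst_ip"]].add(flow["src_ip"])
            volume[flow["dst_ip"]] += flow["bytes"]
    return {
        ip: {"reflectors": len(srcs), "bytes": volume[ip]}
        for ip, srcs in reflectors.items()
        if len(srcs) >= MIN_DISTINCT_REFLECTORS
    }


if __name__ == "__main__":
    for victim, info in find_amplification_victims(SAMPLE_FLOWS.splitlines()).items():
        print(f"{victim}: {info['reflectors']} NTP reflectors, {info['bytes']} bytes")
```

The single-packet exchange between 192.0.2.7 and 192.0.2.50 is ordinary time synchronisation and is ignored; only the destination hit by three servers with 482-byte average packets is reported. On real flow data the same two conditions (large UDP/123 responses, many reflectors per destination) are a reasonable first alert, with the reflector addresses then fed back to their owners for the fix described below.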

The solution is to disable “monlist” within the NTP server or to upgrade to the latest version of NTP (4.2.7), which disables the “monlist” functionality.

The image below was created by Cloudflare.com to help illustrate the issue after a large-scale attack took place against that service.

[Image: NTP Attack, by Cloudflare.com]

Avoiding the Problem:

  1. The best advice is to upgrade from older versions to NTP-4.2.7p26 or later.
  2. The Open NTP Project offers a simple server check.
  3. US-CERT offers a fuller description of the issue, its impact and basic solutions.
  4. Team Cymru Research NFP is a specialized Internet security research firm that is dedicated to helping organizations identify and eradicate problems in their networks. They offer a highly regarded set of secure NTP templates to assist organizations to properly deploy and secure NTP service on their network.
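Where an upgrade is not immediately possible, the two ntpd directives that close the hole are `disable monitor` (turns off the monlist data collection) and `noquery` on the `restrict default` line (refuses monlist and other status queries from everyone the restriction applies to). The script below is an added example, not code from the original post or from the NTP project: it parses a constructed weak ntp.conf and its hardened counterpart and reports which of the two mitigations is missing, so it can be run over a fleet's configs before the external server check in step 2.

```python
"""Audit an ntp.conf for the two monlist mitigations.

Added illustration, not the page's or the NTP project's code. 'disable
monitor', 'enable monitor' and 'restrict default ... noquery' are real ntpd
directives; the sample configurations are constructed.
"""

# Constructed example: typical older config that still answers monlist.
WEAK_NTP_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
server 1.pool.ntp.org
restrict default kod nomodify notrap nopeer   # no noquery
restrict 127.0.0.1
"""

# Constructed example: monitor disabled and queries refused by default.
HARDENED_NTP_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
server 1.pool.ntp.org
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""


def parse_ntp_conf(text):
    """Yield (keyword, args) for each non-empty, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        yield parts[0], parts[1:]


def audit_ntp_conf(text):
    """Return a list of findings; an empty list means both mitigations exist.

    Later directives override earlier ones, so an 'enable monitor' after a
    'disable monitor' re-opens monlist and is treated as such.
    """
    monitor_disabled = False
    default_noquery = False
    for keyword, args in parse_ntp_conf(text):
        if keyword == "disable" and "monitor" in args:
            monitor_disabled = True
        elif keyword == "enable" and "monitor" in args:
            monitor_disabled = False
        elif keyword == "restrict":
            # 'restrict -4 default ...' / 'restrict -6 default ...' are also valid
            flags = [a for a in args if a not in ("-4", "-6")]
            if flags[:1] == ["default"] and "noquery" in flags:
                default_noquery = True

    findings = []
    if not monitor_disabled:
        findings.append("monlist still enabled: add 'disable monitor'")
    if not default_noquery:
        findings.append("default restriction allows queries: add 'noquery' to 'restrict default'")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_NTP_CONF), ("hardened", HARDENED_NTP_CONF)):
        print(f"{name}: {audit_ntp_conf(conf) or ['ok']}")
```

Either directive alone stops monlist replies on a patched build; the audit asks for both because `disable monitor` protects against a permissive `restrict` line added later, while `noquery` also refuses the other mode 6/7 status queries that can be reflected. An explicit `restrict 127.0.0.1` line keeps local ntpq working for operators.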