Tag Archives: Malware

Banking malware on Google Play targets Polish banks

Besides delivering the promised functionalities, the malicious apps can display fake notifications and login forms seemingly coming from legitimate banking applications, harvest credentials entered into the fake forms, as well as intercept text messages to bypass SMS-based 2-factor authentication.

The post Banking malware on Google Play targets Polish banks appeared first on WeLiveSecurity


Process Doppelgänging: New Malware Evasion Technique Works On All Windows Versions

[Screenshot: Mimikatz launched via Process Doppelgänging, with no antivirus warning displayed]

A team of security researchers has discovered a new malware evasion technique that could help malware authors defeat most modern antivirus solutions and forensic tools.

Dubbed Process Doppelgänging, the new fileless code injection technique takes advantage of a built-in Windows feature (Transactional NTFS) and an undocumented, legacy implementation of the Windows process loader.

enSilo security researchers Tal Liberman and Eugene Kogan, who discovered the Process Doppelgänging attack, presented their findings today at the Black Hat Europe 2017 conference in London.

Process Doppelgänging Works on All Windows Versions

According to the researchers, the Process Doppelgänging attack works on all modern versions of Microsoft Windows, from Windows Vista up to the latest version of Windows 10.

Tal Liberman, the head of the research team at enSilo, told The Hacker News that this malware evasion technique is similar to Process Hollowing, a method introduced by attackers years ago to defeat the mitigation capabilities of security products.

In a Process Hollowing attack, the attacker starts a legitimate process (typically in a suspended state), replaces its in-memory image with malicious code, and resumes it, so the malicious code runs under the name and path of the legitimate executable, tricking process monitoring tools and antivirus into believing that the original program is running.

Because modern antivirus and security products have been updated to detect Process Hollowing, the technique is no longer a reliable choice for attackers.

Process Doppelgänging, on the other hand, is an entirely different approach to the same goal: it abuses Transactional NTFS (TxF) together with an outdated implementation of the Windows process loader that was originally designed for Windows XP but has been carried through all later versions of Windows.

Here’s How the Process Doppelgänging Attack Works:

Before going further into how this new code injection attack works, you need to understand what an NTFS transaction is and how an attacker can leverage it to hide malicious actions.

Transactional NTFS (TxF) is a feature of Windows that brings the concept of atomic transactions to the NTFS file system, allowing files and directories to be created, modified, renamed, and deleted atomically.

A transaction is an isolated view of the file system: until it commits, every other process that opens the file sees only the last committed version, so application developers can write file-output routines that are guaranteed to either succeed completely or fail completely. That isolation is exactly what the attack exploits.

According to the researchers, Process Doppelgänging is a fileless attack that works in four major steps:

  1. Transact—open a legitimate executable inside an NTFS transaction and overwrite it, within that transaction, with the malicious file.
  2. Load—create an image section (memory section) from the modified, now malicious, file.
  3. Rollback—roll the transaction back (deliberately failing it), which removes all changes to the legitimate executable on disk as if they never existed, while the section created in step 2 retains the malicious image.
  4. Animate—bring the doppelgänger to life. Use the older implementation of the Windows process loader to create a process from the section created in step 2, which is malicious but was never saved to disk, “making it invisible to most recording tools such as modern EDRs.”
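The transaction half of that procedure, steps 1 and 3, can be reproduced from PowerShell. The script below is an added example written for this page, not enSilo's proof of concept: it opens a file inside a Kernel Transaction Manager (KTM) transaction with CreateFileTransactedW, overwrites it, shows that a non-transacted reader (any other process reading the file from disk) still sees the committed bytes, and then rolls the transaction back so the overwrite never reaches disk. It deliberately stops short of steps 2 and 4, which need native calls to NtCreateSection (with SEC_IMAGE) over the transacted handle and to NtCreateProcessEx, the legacy loader path that takes a section handle. The Txf.Native wrapper type, the $path location and the payload string are this example's own. It needs PowerShell 5 or later on Windows Vista or newer with an NTFS volume; TxF is deprecated and may be absent from future releases.

```powershell
# Added example: Transactional NTFS isolation behind steps 1 and 3 of Process Doppelgaenging.
# Assumed names: Txf.Native (P/Invoke wrapper), $path and the payload string are this example's own.
Add-Type -Namespace Txf -Name Native -MemberDefinition @"
[DllImport("ktmw32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr CreateTransaction(IntPtr attrs, IntPtr uow, uint createOptions,
    uint isolationLevel, uint isolationFlags, uint timeout, string description);
[DllImport("ktmw32.dll", SetLastError = true)]
public static extern bool RollbackTransaction(IntPtr tx);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFileTransactedW(
    string path, uint access, uint share, IntPtr sa, uint disposition, uint flags,
    IntPtr template, IntPtr tx, IntPtr miniVersion, IntPtr extended);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
"@

# Reads the file the way any other process would: outside the transaction.
function Read-Committed([string]$p) {
    $s = New-Object IO.FileStream($p, [IO.FileMode]::Open, [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
    try { (New-Object IO.StreamReader($s)).ReadToEnd() } finally { $s.Dispose() }
}

$path = Join-Path $env:TEMP 'doppel-demo.txt'            # stands in for the legitimate executable
Set-Content -Path $path -Value 'LEGITIMATE' -NoNewline    # committed, on-disk content

$tx = [Txf.Native]::CreateTransaction([IntPtr]::Zero, [IntPtr]::Zero, 0, 0, 0, 0, 'doppel-demo')
if ($tx -eq [IntPtr](-1)) { throw "CreateTransaction failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }

$GENERIC_READ_WRITE    = [uint32]0xC0000000
$FILE_SHARE_READ       = [uint32]1
$OPEN_EXISTING         = [uint32]3
$FILE_ATTRIBUTE_NORMAL = [uint32]0x80
$h = [Txf.Native]::CreateFileTransactedW($path, $GENERIC_READ_WRITE, $FILE_SHARE_READ, [IntPtr]::Zero,
        $OPEN_EXISTING, $FILE_ATTRIBUTE_NORMAL, [IntPtr]::Zero, $tx, [IntPtr]::Zero, [IntPtr]::Zero)
if ($h.IsInvalid) { throw "CreateFileTransactedW failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }

# Step 1 (Transact): overwrite the file inside the transaction.
$fs = New-Object IO.FileStream($h, [IO.FileAccess]::ReadWrite)
$payload = [Text.Encoding]::ASCII.GetBytes('MALICIOUS-PAYLOAD')
$fs.SetLength(0)
$fs.Write($payload, 0, $payload.Length)
$fs.Flush()

"Outside the transaction: $(Read-Committed $path)"      # LEGITIMATE: a scanner reading the file sees this
$fs.Position = 0
$buf = New-Object byte[] $payload.Length
[void]$fs.Read($buf, 0, $buf.Length)
"Inside the transaction:  $([Text.Encoding]::ASCII.GetString($buf))"   # MALICIOUS-PAYLOAD

# (Step 2 would call NtCreateSection(SEC_IMAGE) on $h here; the section retains the malicious bytes.)

# Step 3 (Rollback): the write is discarded and never reaches disk.
if (-not [Txf.Native]::RollbackTransaction($tx)) { throw "RollbackTransaction failed" }
$fs.Dispose()
[void][Txf.Native]::CloseHandle($tx)
"After rollback:          $(Read-Committed $path)"      # LEGITIMATE
Remove-Item $path
```

The point to take from the three printed lines is that only the transacted handle ever sees the payload: a scanner that hashes or inspects the file on disk, before or after the rollback, sees the untouched original, which is why the on-disk evidence the researchers describe never exists.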

Process Doppelgänging Evades Detection from Most Antiviruses


Liberman told The Hacker News that during their research they tested the attack against security products from Windows Defender, Kaspersky Lab, ESET NOD32, Symantec, Trend Micro, Avast, McAfee, AVG and Panda, as well as advanced forensic tools.

To demonstrate, the researchers combined Process Doppelgänging with Mimikatz, a post-exploitation tool that extracts credentials from compromised systems, to bypass antivirus detection.

When the researchers ran Mimikatz normally on Windows, Symantec's antivirus caught the tool immediately:

[Screenshot: Symantec antivirus blocking Mimikatz when run directly]

When executed through Process Doppelgänging, however, Mimikatz ran silently, without the antivirus displaying any warning, as shown in the screenshot at the top of this article.

Liberman also told us that, at the time of the research, Process Doppelgänging worked on the latest version of Windows 10 except for the Windows 10 Redstone and Fall Creators Update builds released earlier this year.

On those builds, a different, unrelated bug caused Process Doppelgänging to trigger a BSOD (blue screen of death), crashing the machine.

Ironically, Microsoft has since patched that crash bug in later updates, which allows Process Doppelgänging to run on the latest versions of Windows 10 as well.

I don’t expect Microsoft to rush for an emergency patch that could make some software relying on older implementations unstable, but Antivirus companies can upgrade their products to detect malicious programs using Process Doppelgänging or similar attacks.

This is not the first time enSilo researchers have discovered a malware evasion technique. They previously discovered and demonstrated the AtomBombing technique, which also abused a design weakness in the Windows OS.

In September, enSilo researchers also disclosed a 17-year-old programming error in Microsoft Windows kernel that prevented security software from detecting malware at runtime when loaded into system memory.

ESET malware researchers awarded prize in open-source memory forensics competition

The Volatility Foundation, the non-profit organization behind the Volatility Framework, sponsors the yearly Volatility Plugin Contest to acknowledge the best forensic tools built on the Volatility platform.

The post ESET malware researchers awarded prize in open-source memory forensics competition appeared first on WeLiveSecurity


Worms vs. Viruses: What’s the difference?

Worms, viruses, bots, oh my! Such names sound less like monikers for malicious software than characters in a sci-fi novel. Despite their fictional-sounding names, the monetary damage these types of malware can cause to computers and data is very real. Studies put the global cost of ransomware attacks for 2017 between 1 and 3 billion dollars.

Different types of malicious software (aka malware) work differently, but all share the same goal: to run unwanted code on your computer or network for malicious purposes ranging from simple annoyance to corporate espionage.

Two of the most common forms of malware are worms and viruses. Knowing how they work can limit the damage of a malware attack sooner and help avoid infection altogether.

Spreading the Word Doc

Worms and viruses differ in two main ways: how they spread or “replicate,” and their level of autonomy. To function, viruses need a host file (e.g., a Word document) or a host program (e.g., that free PDF splitter you downloaded). A virus can copy itself into other files on the same machine, but to reach other computers it relies on humans to send it along through emails, messages, attachments, etc. It can't do that on its own.

Worms are viruses that replicate on their own: they can email or copy themselves to other computers and networks without help from pesky humans. A worm's autonomy tends to make it more aggressive or contagious, while a virus may lie dormant for years waiting for a user to open an infected file. To use a cinematic analogy, worms are more like predators, viruses are more like aliens.

How viruses replicate

Computer viruses are transmitted like biological ones. For example, the common cold spreads through person-to-person contact. We pass our cold germs to other people through coughs and sneezes. Unsuspecting victims breathe in our virus spray and presto! We've just replicated the virus to them. The point: it takes a human action (i.e., coughing and sneezing) to replicate a virus.

We replicate computer viruses by sending (sneezing) infected attachments through emails, instant messages, etc., to other users. Like us, they unknowingly download and open the attached file. Most recipients will open these attachments because they trust us. Replication of the virus took a human action and a little gullibility.

Social engineering

Social engineering is a way of tricking people into spreading malware to others. Hackers use our own assumptions and confirmation bias to fool us.

For example, when we visit our bank’s website, we usually first look for the most recognizable features: company name, logo and the familiar layout of the page. All of these features tip us off that we’re in the right place. Instead of applying a more critical eye, we quickly compare what we see to what we expect. When those basic expectations are confirmed, we click ahead.

Every day, hackers create malicious copies of legitimate websites and emails to steal our private credentials. These digital fakes don't need to be perfect copies either, just close enough to match our expectations. That's why it's best to avoid clicking email links to common websites and instead use a browser bookmark, so you always know you're in the right place.

Even a worm will turn

Worms are usually treated as a subclass of virus, so they share characteristics. They also arrive through files like attachments or website links, but they have the ability to self-replicate. Worms can clone and transmit themselves to thousands of other computers without any help from humans. Consequently, worms tend to spread exponentially faster than viruses.

Worms have this viral superpower in part because they don't rely on a host file the way a virus does. While viruses need those files and programs to run, worms only need them as a disguise to sneak into your computer. After that, the worm runs the show on its own: no more host files or social engineering required.

How to protect yourself

Even though worms and viruses are different, you take similar precautions to avoid them.

Avoid opening unfamiliar messages and attachments

Social engineering is powerful and preys on our assumptions and familiarity, but you can fight it by paying more attention to your online interactions. Inspect emails closely. Phishing emails usually have telltale signs they’re scams. Most importantly, never open an email attachment from an unknown source. If you can’t confirm the source, delete the attachment. One moment of satisfying your curiosity isn’t worth the risk.

Avoid non-secure web pages

Sites served over plain HTTP don't encrypt the traffic between the site and your browser; HTTPS sites do. It's easy to tell them apart: the address starts with HTTP for an unencrypted site and HTTPS for an encrypted one. The ‘s’ stands for ‘secure’. Browser extensions like HTTPS Everywhere automatically upgrade your connection to HTTPS where a site supports it. Keep in mind that HTTPS only protects the data in transit; it says nothing about who runs the site, and phishing pages use HTTPS too, so it is no substitute for checking that you are on the right domain.

Update your operating systems

Hackers love to find security holes in operating systems like Windows. It’s a game of cat and mouse played with software engineers who constantly test, identify and patch ways of infiltrating their own software. The result of their efforts is the security update. Updating your OS applies those patches as soon as they’re released, increasing your protection level. Set your system to auto-update.

Be picky about your programs

Like operating systems, the individual apps on your devices also need updating, and for the same reason. Aside from updating them, you should also decide whether you need them at all. Remember, viruses need host files and programs for execution and disguise. Decide whether you actually need an app, or if you already have it, how often you use it. Every extra app is more attack surface and one more thing to keep patched, and each one you fall behind on is another opportunity for an infection.

A couple of programs you will want to give special attention to are Adobe Flash and Acrobat Reader. Both are popular targets for cyber criminals. If you don’t use them, uninstall them.

Get antivirus protection

The easiest and most effective action you can take to protect yourself from worms and viruses is to get a complete antivirus protection plan. Antivirus software isn't fooled by social engineering the way people are. It never assumes anything. It scans every file you open and every program you run for viruses and worms. Good ones do this in real time.

Every worm and virus discovered gets assigned a ‘signature’, a unique indicator that says “this is a virus!” Antivirus software keeps a list of those signatures and compares them to all of the data coming through your system. Brand-new or freshly modified malware has no signature yet, which is why good products also watch for suspicious behavior rather than relying on signatures alone (and why evasion techniques such as the Process Doppelgänging attack described above matter).

You now understand the differences between worms and viruses, how they spread and where they hide. Be more critical the next time you open an unfamiliar email or visit a familiar website. Following these tips and getting antivirus software is the best way to avoid malware.


The post Worms vs. Viruses: What’s the difference? appeared first on Panda Security Mediacenter.


Google Detects Android Spyware That Spies On WhatsApp, Skype Calls


In an attempt to protect Android users from malware and shady apps, Google has been continuously working to detect and remove malicious apps from users' devices using its recently launched Google Play Protect service.

Google Play Protect—a security feature that uses machine learning and app usage analysis to check devices for potentially harmful apps—recently helped Google researchers to identify a new deceptive family of Android spyware that was stealing a whole lot of information on users.

Discovered on targeted devices in African countries, Tizi is a fully-featured Android backdoor with rooting capabilities that installs spyware apps on victims’ devices to steal sensitive data from popular social media apps like Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.

“The Google Play Protect security team discovered this family in September 2017 when device scans found an app with rooting capabilities that exploited old vulnerabilities,” Google said in a blog post. “The team used this app to find more applications in the Tizi family, the oldest of which is from October 2015.”

Most Tizi-infected apps are advertised on social media websites and third-party app stores, tricking users into installing them.

Once installed, the innocent-looking app gains root access on the infected device to install the spyware, which first contacts its command-and-control servers by sending an SMS text message containing the GPS coordinates of the infected device to a specific number.

Here’s How Tizi Gains Root Access On Infected Devices

For gaining root access, the backdoor exploits previously disclosed vulnerabilities in older chipsets, devices, and Android versions, including CVE-2012-4220, CVE-2013-2596, CVE-2013-2597, CVE-2013-2595, CVE-2013-2094, CVE-2013-6282, CVE-2014-3153, CVE-2015-3636, and CVE-2015-1805.

If the backdoor is unable to gain root access on the infected device because all the listed vulnerabilities have been patched, “it will still attempt to perform some actions through the high level of permissions it asks the user to grant to it, mainly around reading and sending SMS messages and monitoring, redirecting, and preventing outgoing phone calls,” Google said.

Tizi is also designed to communicate with its command-and-control servers over regular HTTPS or over the MQTT messaging protocol, both to receive commands from the attackers and to upload stolen data.

The Tizi backdoor contains various capabilities common to commercial spyware, such as

  • Stealing data from popular social media platforms including Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.
  • Recording calls from WhatsApp, Viber, and Skype.
  • Sending and receiving SMS messages.
  • Accessing calendar events, call log, contacts, photos, and list of installed apps.
  • Stealing Wi-Fi encryption keys.
  • Recording ambient audio and taking pictures without displaying the image on the device’s screen.

So far Google has identified, and removed Tizi from, about 1,300 Android devices, the majority of them located in African countries, specifically Kenya, Nigeria, and Tanzania.

How to Protect your Android device from Hackers?

Such Android spyware can be used to target your devices as well, so if you own an Android device, you should follow these simple steps to protect yourself:

  • Ensure that you have already opted for Google Play Protect.
  • Download and install apps only from the official Play Store, and always check permissions for each app.
  • Enable ‘verify apps’ feature from settings.
  • Protect your devices with a PIN or password lock so that nobody can gain unauthorized access to your device when it is left unattended.
  • Keep “unknown sources” disabled while not using it.
  • Keep your device always up-to-date with the latest security patches.

The modern Wild West’s guide to mobile malware


Smartphones are mobile – which is precisely why we spend so much time with them instead of our more stationary computers. We do surfing, mobile banking, shopping, chatting – even watching advertisements. In fact, just about everything we do online is now done on the go with our smartphones. This huge amount of face time […]

The post The modern Wild West’s guide to mobile malware appeared first on Avira Blog.


Banking Trojan Gains Ability to Steal Facebook, Twitter and Gmail Accounts

Security researchers have discovered a new, sophisticated form of malware based on the notorious Zeus banking Trojan that steals more than just bank account details.

Dubbed Terdot, the banking Trojan has been around since mid-2016 and was initially designed to operate as a proxy for man-in-the-middle (MitM) attacks, steal browsing information such as stored credit card details and login credentials, and inject HTML code into visited web pages.

However, researchers at security firm Bitdefender have discovered that the banking Trojan has now been revamped with new espionage capabilities such as leveraging open-source tools for spoofing SSL certificates in order to gain access to social media and email accounts and even post on behalf of the infected user.

Terdot does this with a highly customized man-in-the-middle (MitM) proxy that lets the malware intercept any browser traffic on an infected computer.

Besides this, the new variant of Terdot has even added automatic update capabilities that allow the malware to download and execute files as requested by its operator.

Terdot has mostly targeted the banking websites of Canadian institutions such as Royal Bank, Banque Nationale, PCFinancial, Desjardins, BMO (Bank of Montreal) and Scotiabank, among others.

This Trojan Can Steal Your Facebook, Twitter and Gmail accounts

However, according to the latest analysis, Terdot can target social media networks including Facebook, Twitter, Google Plus, and YouTube, and email service providers including Google’s Gmail, Microsoft’s live.com, and Yahoo Mail.

Interestingly, the malware avoids gathering data related to Russia's largest social media platform, VKontakte (vk.com), Bitdefender noted. This suggests Eastern European actors may be behind the new variant.

The banking Trojan is mostly being distributed through websites compromised with the SunDown Exploit Kit, but researchers also observed it arriving in a malicious email with a fake PDF icon button.

If clicked, it executes obfuscated JavaScript code that downloads and runs the malware file. In order to evade detection, the Trojan uses a complex chain of droppers, injections, and downloaders that allow the download of Terdot in pieces.

Once a machine is infected, the Trojan injects itself into the browser process to redirect connections through its own web proxy, read the traffic and inject spyware. It can also steal authentication data by inspecting the victim's requests or by injecting spyware JavaScript code into the responses.

Terdot also bypasses the protection offered by TLS (Transport Layer Security) by generating its own certificate authority (CA) and minting a certificate for every domain the victim visits. For this to work without certificate warnings, the rogue CA has to be trusted by the victim's browser, which makes an unexpected root certificate the telltale artifact of this kind of interception.

Any data that victims send to a bank or social media account could then be intercepted and modified by Terdot in real-time, which could also allow it to spread itself by posting fake links to other social media accounts.
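Below is an added example, not Bitdefender's analysis or Terdot's code, that shows both halves of the technique just described in PowerShell: it creates a throwaway CA and a leaf certificate for a bank-style hostname with the PKI module's New-SelfSignedCertificate, shows that Windows' own chain builder rejects the leaf with UntrustedRoot as long as that CA is not in a Root store, and then runs the check a responder would run on a suspected victim, listing root certificates present in the current user's Root store but not in the machine's. The function names, the CA subject and the hostname www.bank.example are this example's own. It requires Windows 10 or Server 2016 or later (for the -Signer parameter) and never touches a Root store itself.

```powershell
# Added example: what Terdot-style TLS interception needs, and the artifact it leaves behind.
# Assumed names: Test-ChainTrusted, Find-UserOnlyRoots, the CA subject and www.bank.example are this example's own.

# 1. A throwaway "rogue CA" like the one a MitM proxy generates, plus a leaf for a bank domain.
$rogueCa = New-SelfSignedCertificate -Subject 'CN=Rogue MitM CA (demo)' `
    -KeyUsage CertSign, CRLSign, DigitalSignature -KeyUsageProperty Sign `
    -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0') `
    -CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddDays(1)

$leaf = New-SelfSignedCertificate -DnsName 'www.bank.example' -Signer $rogueCa `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddDays(1)

# 2. Build the chain the way a TLS client would. ExtraStore supplies the issuer so the verdict is
#    UntrustedRoot (rather than PartialChain) unless the CA has been planted in a Root store.
function Test-ChainTrusted {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Extra = @()
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    foreach ($c in $Extra) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
    $trusted = $chain.Build($Cert)
    [pscustomobject]@{
        Subject = $Cert.Subject
        Trusted = $trusted
        Status  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

Test-ChainTrusted -Cert $leaf -Extra @($rogueCa)   # Trusted: False, Status: UntrustedRoot

# 3. The responder's check: roots present only in the user's store were added per user, which is
#    how a process without admin rights makes a rogue CA trusted. A heuristic: review each hit.
function Find-UserOnlyRoots {
    $machineRoots = Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint }
    Get-ChildItem Cert:\CurrentUser\Root |
        Where-Object { $machineRoots -notcontains $_.Thumbprint } |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter
}

Find-UserOnlyRoots

# Cleanup of the demo material (nothing above touched a Root store).
Remove-Item -Path "Cert:\CurrentUser\My\$($leaf.Thumbprint)" -DeleteKey
Remove-Item -Path "Cert:\CurrentUser\My\$($rogueCa.Thumbprint)" -DeleteKey
```

Expect benign hits from Find-UserOnlyRoots on developer machines (ASP.NET Core and IIS Express place their localhost development certificates in CurrentUser\Root), so treat the list as leads to review rather than verdicts, and pay particular attention to NotBefore dates that line up with the suspected time of infection. The same comparison against a known-good baseline of LocalMachine\Root catches a CA planted with administrative rights.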

“Terdot is a complex malware, building upon the legacy of Zeus,” Bitdefender concluded. “Its focus on harvesting credentials for other services such as social networks and email services could turn it into an extremely powerful cyber espionage tool that is extremely difficult to spot and clean.”

Bitdefender has been tracking the new variant of the Terdot banking Trojan since it resurfaced in October last year. For more details on the threat, head over to the technical paper (PDF) published by the security firm.