Ransomware steals email addresses and passwords; spreads to contacts.
Recently a lot of users in Russian-speaking countries received emails similar to the message below. It says that some changes to an “agreement” were made and the victim needs to check them before signing the document.
The attached files carry a .btc extension, but they are regular executable files.
coherence.btc is GetMail v1.33
spoolsv.btc is Blat v3.2.1
lsass.btc is Email Extractor v1.21
null.btc is the gpg executable
day.btc is iconv.dll, a library the gpg executable needs in order to run
tobi.btc is Browser Password Dump v2.5
sad.btc is sdelete from Sysinternals
paybtc.bat is a long Windows batch file which starts the malicious process itself and its replication
After downloading all the available tools, it opens the supposed document that the victim is asked to review and sign. However, the document contains nonsense characters and a message in English which says, “THIS DOCUMENT WAS CREATED IN NEWER VERSION OF MICROSOFT WORD”.
Let us present the long-term analysis of malware which was designed to steal credentials from more than 25 of the largest banking and payment systems in Brazil. The unique features of this banking malware include the usage of valid digital certificates, 3 years of evolution and the stealing of credentials from e-commerce admin pages. This feature opens doors for attackers, who can then log in to e-commerce systems and steal information about customers and their payments.
This malware family combines all of these powerful functionalities and serves as a comprehensive tool for stealing money and sensitive personal data with dangerous efficiency.
Recently we encountered a very suspicious piece of code on some Joomla-powered webpages. The code looks garbled and meaningless at first sight, and starts like this:
Android 4.2, code-named “Jelly Bean”, was released some time ago. While it is just an incremental update to the major 4.0 release “Ice Cream Sandwich”, Google introduced some major new features with that update. Besides multi-user support and improved notifications, a new feature which is being promoted heavily is the built-in app scanner, which should protect Android devices from being infected by malware.
The client side app scanner of Android 4.2 is the next step in Google’s attempts to protect their Android ecosystem from malware threats, after introducing Bouncer, a server-side malware scanner used by Google to analyze apps that are being uploaded to Google Play Store. Bouncer was announced in February 2012 and is Google’s approach to prevent malware from being uploaded to the Google Play store as a first line of defense.
Now, some authors claim that third party mobile security tools are most likely not needed anymore, because Google now already pre-checks all mobile apps. I’ve been closely monitoring all those changes and improvements because I wanted to make up my own mind on how successful these attempts by Google would be and to find out how our Android antivirus scanner, delivered within our free avast! Mobile Security suite (http://www.avast.com/free-mobile-security), would stack up against what the operating system vendor itself would be able to provide.
For months before the release of avast! Mobile Security in December 2011, our virus lab was working on setting up the initial state of our Android malware database. The database contains signatures of all the malicious files our virus lab guys find over time and is being extended day by day to contain definitions of the newest threats in real time. Currently, tens of millions of Android devices owned by our users download those definitions every day to their avast! client side scanners. So I just went to our virus lab and asked the guys there to provide me with some statistics on the growth of our Android malware database.
As I already stated, Bouncer was thought to be the first line of defense, and tries to protect the main source of app downloads from malicious offerings. Could it be that, as a result of introducing Bouncer, our malware database stopped growing or even started to decline in size? Has Google been successful? See for yourself:
Android Malware Database History
Obviously, since February 2012 the growth of our Android malware database has not declined; it has not even stalled, but has continued without interruption since that point in time.
Inaccurate spelling means more than poor marks at school; it is a billion dollar business opportunity for typosquatters. At a single IP address, the AVAST Virus Lab has identified 8,600 typosquatting sites, registered variations of well-known sites or brands. Two identifiable targets were the Craigslist online classified ad service and YouTube; other site addresses were parodies of Hotmail, Google, and YouTube – basically everyone.
After going to one of the identified typosquatting sites, visitors are redirected to one of several hundred “quiz” sites where they receive an offer of a “free” prize such as an iPhone. The sites typically make money through premium phone calls, selling advertisements, and reselling the emails collected from visitors.
Spelling errors are a huge moneymaker on the internet. A Harvard research paper estimated that a major search engine alone could be making nearly a half billion dollars annually just on pay-per-click ads from typosquatting sites. Add in the other search engines and the revenue from the sites identified by AVAST, and typosquatting could easily be a billion dollar market.
“It is not technically malware, but it is online fraud and features like AutoCorrect in Microsoft Word have really let people get lazy with their spelling,” pointed out Jindrich Kubec, head of the AVAST Virus Lab. “The popularity of Craigslist with this one gang gives us a great sample set to demonstrate the types of spelling errors the bad guys are looking for.”
Not everyone appreciates an avast! warning. Some IT professionals find it hard to believe that an infection has taken place on the computers and the networks under their supervision.
“In today’s update you have included their website as being infected and harmful,” complained one web developer in an email to AVAST Software. “For the last month, it has been a brand new site. I have scanned the site with several online website scanners and they all come up clean.”
AVAST Software sends out a lot of warnings to users. During January of 2012, we recorded 1.87 billion incidents of our users encountering malware.
In this specific case, the company owners had avast! on their own computers and they were getting warnings that their site was infected. Even worse, because their avast! was blocking them from accessing their own site, they realized potential customers were also getting shut out – costing them money.
While online scans from two other security suppliers did not detect anything, Jiri Sejtko at the AVAST Virus Lab did.
The Duqu malware has raised the specter of Stuxnet II, with some in the security community claiming that this new Trojan is a reverse-engineered copy of Stuxnet – the infamous malware that may have sold more newspapers than it damaged nuclear centrifuges. Unlike Stuxnet, Duqu is designed to steal data from the targeted organization, not just destroy equipment. First noticed this summer, Duqu self-destructed after 30 days, then vanished again into cyberspace.
I’m 38 years old, lived my first 33 years in the USA, read and studied amply about US government agencies over the years (especially during my ultra-paranoid conspiracy theory phase in my early 20s), and yet, until today, I had never heard of DARPA.
According to Wikipedia, however, the agency has been around a while — longer than me, in fact: “Its original name was simply Advanced Research Projects Agency (ARPA), but it was renamed to “DARPA” (for Defense) in March 1972, then renamed “ARPA” again in February 1993, and then renamed “DARPA” again in March 1996.”
It sounds like an agency with multiple personality disorder, but I guess it’s essentially a branch of the Department of Defense (DoD) that focuses on technological R&D.
Why am I telling you about it? Because I know a lot of readers of this blog are sharp-minded (maybe even genius-level) non-Luddites, who can actually understand what the guys in our Virus Lab talk about when they post here… and would jump at the chance to prove their skills (and win some money in the process).
I would have never imagined that it could happen, but a couple of weeks back we received the “Export Company of 2010” award from DHL. That really surprised me because in my mind anything organized by DHL means they will tend to award it to someone who actually uses DHL to ship something in the first place. But we ship ones and zeros through servers and cables. Lots of ones and zeros, that is true, but certainly nothing that would need the attention of DHL or FedEx.
But that is not the subject of this post actually. The subject is that I got a call from a journalist who was covering the story with a request to get her some pictures that would go with the story. Such as the picture of our AVAST Virus Lab.
It is a very quiet day in the office today because it is a DAY OFF. Yes, it’s a state holiday on Wednesday thanks to Saint Wenceslaus I. Wenceslaus – or ‘Vaclav’ (quite a common name for boys in Czech) – was the Duke of Bohemia. On September 28th in the year 935, he was killed by his younger brother Boleslav (today, not such a common boy name) in a small city called Stara Boleslav about 30 kilometers north of Prague. Boleslav wanted to be the local duke and indeed he was for the next 6 years until his own death. Why Boleslav chose Stara Boleslav as the place to commit this murder is not so clear today. The legends focus on Wenceslaus and several of them would be a good topic for a blog post, but most Czechs today remember him only thanks to the holiday on September 28th. In my view ‘a day off on Wednesday’ is one of the best inventions of mankind.