Sweet Orange Exploit Kit

Dec 19, 2012 | comments

Malware is a business; people make their living writing and distributing it. Exploit kits are an effective and streamlined method of distributing malware; they allow the Bad Guys to distribute payloads at a higher volume than we have seen in the past. For this reason we've seen exploit kits grow in popularity over the last few years.

BlackHole is the most famous and the most utilized exploit kit these days, but that doesn’t mean there aren’t others that have the potential to compete with it. One of them is the Sweet Orange exploit kit, which is presumably capable of some impressive things.

Developers of Sweet Orange boast that their creation has a small footprint, a high infection rate, and the ability to drive 150,000 unique daily visitors to a website.

They claim that around 10% to 25% of those who land on the malicious website will be infected, meaning that at least 15,000 bots should be added to the botnet each day.

So far, experts have managed to identify 45 different IP addresses and 367 domains utilized by Sweet Orange, which makes the 150,000 unique daily visitors forecast sound valid.

MyBB Security Release

Dec 15, 2012 | comments

The SQL injection vulnerability, which affected all MyBB versions, was located in the post editing section. The second flaw allowed brute-force access because the CAPTCHA system was not effective.

An issue which prevented the editor from working in Firefox 16 and newer versions of the web browser has also been addressed.

Users are advised to immediately update their installations, but not before backing up their forum files and databases.

Those who identify similar vulnerabilities are advised to responsibly disclose them to the vendor via their contact page or via the Private Inquiries forum.

Facebook and Walmart Offer $1,000 Christmas Gift Cards Scam

Dec 14, 2012 | comments

Some posts on Facebook claim that the social media network has partnered with Walmart and that they’re giving away free $1,000 (764 Euro) gift cards.

“Hey friends, I got a $1000 Gift Card from WALMART as a Christmas Gift! Get it right away! -> bil.ly,” the malicious Facebook posts read.

Users who fall for it and click on the link are taken to a website where they’re presented with instructions on how to provide their authentication tokens.

Then they’re asked to install a bogus Walmart Facebook app and participate in all sorts of surveys.

Walmart Scam Landing Page

By doing what the scammers ask of you, you’re actually allowing them to post on your Facebook timeline. Furthermore, by participating in the surveys, you’re helping them make a profit.

If you did make the mistake of installing the Facebook application, then you could be spamming the message to your friends. Clean up your newsfeed and profile to remove references to the scam (click the “x” in the top right-hand corner of the post).

Trojan Upclicker: Using a Mouse To Evade Automated Analysis

| comments

We came across another sample, called Trojan Upclicker, that went one step further: using a mouse to evade automated analysis.

Per the code in Figure , the function SetWindowsHookExA is called with 0Eh as a parameter. Per MSDN, the parameter 0Eh is used to hook the mouse. The pointer fn is the pointer to the hook procedure in the code.

The Trojan analyzed by FireEye, Upclicker, is interesting because its malicious code is executed only after the user clicks the left mouse button and releases it. Upclicker establishes malicious communication only when this particular action is performed.

Since there is no mouse interaction in sandboxes, the malicious behavior of Upclicker remains dormant in a sandbox environment.

When the code runs, it waits 300,000 milliseconds, or five minutes, before executing the DecryptCode subroutine. It then waits 20 minutes and executes the ModifyRegistry subroutine. After executing the Network_main subroutine, it waits another 20 minutes.

Automated threat analysis systems spend only a small amount of time on one file, so they may not detect the code as malware.
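The two evasion tricks described above, a mouse hook that gates the payload on a click and multi-minute Sleep calls that outlast an analysis run, both leave traces in an API-call log. The following script is an added example, not FireEye's analysis code or anything from the original post: it walks a sandbox API trace and flags those indicators. The trace format ("pid tid Api(arg=value, ...) => ret") and the sample lines are constructed for this example; the idHook constants WH_MOUSE (7) and WH_MOUSE_LL (0Eh = 14) are the real values from WinUser.h.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Union

# idHook values from WinUser.h that install a mouse hook; Upclicker passes 0Eh.
WH_MOUSE = 7
WH_MOUSE_LL = 14
MOUSE_HOOKS = {WH_MOUSE: "WH_MOUSE", WH_MOUSE_LL: "WH_MOUSE_LL"}

# A single Sleep() at or above this many ms is worth a finding; five minutes of
# total sleep (Upclicker's first delay) exceeds the budget of most automated runs.
LONG_SLEEP_MS = 60_000
EVASIVE_TOTAL_SLEEP_MS = 300_000

# Hypothetical trace line format, constructed for this example:
#   "<pid> <tid> <Api>(<name>=<value>, ...) => <ret>"
CALL_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<api>\w+)\((?P<args>[^)]*)\)")

Value = Union[int, str]


def parse_args(text: str) -> Dict[str, Value]:
    """Turn 'idHook=0x0E, lpfn=0x00401a30' into {'idHook': 14, 'lpfn': 4201008}."""
    args: Dict[str, Value] = {}
    for part in filter(None, (p.strip() for p in text.split(","))):
        name, _, raw = part.partition("=")
        name, raw = name.strip(), raw.strip()
        if raw.startswith('"') and raw.endswith('"'):
            args[name] = raw[1:-1]          # quoted string argument
        elif raw.lower().startswith("0x"):
            args[name] = int(raw, 16)       # hex literal such as 0x0E
        elif raw.lstrip("-").isdigit():
            args[name] = int(raw)           # decimal literal such as 300000
        else:
            args[name] = raw                # anything else is kept verbatim
    return args


@dataclass
class Report:
    findings: List[str] = field(default_factory=list)
    mouse_hooks: List[str] = field(default_factory=list)
    long_sleeps: List[int] = field(default_factory=list)
    total_sleep_ms: int = 0

    def is_evasive(self) -> bool:
        """Mouse hook installed, or enough sleeping to outlast a short analysis run."""
        return bool(self.mouse_hooks) or self.total_sleep_ms >= EVASIVE_TOTAL_SLEEP_MS


def analyze_trace(lines) -> Report:
    """Scan trace lines for mouse-hook and long-sleep sandbox-evasion indicators."""
    report = Report()
    for line_no, line in enumerate(lines, 1):
        m = CALL_RE.match(line)
        if not m:
            continue  # not an API-call record; ignore it
        api, args = m.group("api"), parse_args(m.group("args"))
        if api in ("SetWindowsHookExA", "SetWindowsHookExW"):
            hook = args.get("idHook")
            if hook in MOUSE_HOOKS:
                name = MOUSE_HOOKS[hook]
                report.mouse_hooks.append(name)
                report.findings.append(
                    f"line {line_no}: {api} installs {name}; payload may be gated on user clicks")
        elif api == "Sleep":
            ms = args.get("dwMilliseconds", 0)
            if isinstance(ms, int):
                report.total_sleep_ms += ms
                if ms >= LONG_SLEEP_MS:
                    report.long_sleeps.append(ms)
                    report.findings.append(
                        f"line {line_no}: Sleep({ms} ms) delays execution past a short analysis window")
    return report


# Constructed sample trace modelled on the behaviour described for Upclicker.
SAMPLE_TRACE = """\
1234 1 LoadLibraryA(lpLibFileName="user32.dll") => 0x7ffe0000
1234 1 SetWindowsHookExA(idHook=0x0E, lpfn=0x00401a30, hMod=0x00400000, dwThreadId=0) => 0x00050123
1234 1 GetMessageA(lpMsg=0x0019ff20, hWnd=0, wMsgFilterMin=0, wMsgFilterMax=0) => 1
1234 2 Sleep(dwMilliseconds=300000) => 0
1234 2 Sleep(dwMilliseconds=1200000) => 0
1234 2 RegSetValueExA(hKey=0x80000001, lpValueName="Run") => 0
"""

if __name__ == "__main__":
    result = analyze_trace(SAMPLE_TRACE.splitlines())
    for finding in result.findings:
        print(finding)
    print("verdict:", "likely sandbox-evasive" if result.is_evasive() else "no evasion indicators")
```

The mitigation side follows from the same two indicators: an analysis environment that feeds synthetic mouse input (clicks as well as movement) and shortens or skips long Sleep calls removes both triggers, and a run that flags either behaviour should be extended rather than closed as clean.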

Carberp : Trojan-Spy.AndroidOS.Citmo

| comments

For a long time, only two families of such malware have been known: ZeuS-in-the-Mobile (ZitMo) and SpyEye-in-the-Mobile (SpitMo). ZitMo and SpitMo work together with their Windows ‘brothers’. Actually, without them, they would look like trivial SMS spy Trojans. It is necessary to mention that during the last two years such attacks have been observed only in some European countries like Spain, Italy, Germany, Poland and a few others.

In order to gain access to online banking accounts, the attackers need to get hold not only of the victim’s username and password, but also of the mobile Transaction Authentication Number (mTAN) that’s used for two-factor authentication.

But when the mobile version of the Carberp Trojan appeared, such attacks became real in Russia as well. It is no secret that online banking is becoming more and more popular in Russia, and banks are very active in promoting online banking with various authorization methods.

Carberp for Windows works in a similar way to the ZeuS Trojan. If a user tries to log in to his online banking account using a machine infected by Carberp, the malware will modify the transaction so that user credentials are sent to a malicious server rather than a bank server.

In addition to the login and password, cybercriminals still need mTANs in order to confirm any money transfer operation from a stolen account. That is why one of the Carberp modifications (we call it Trojan-Spy.Win32.Carberp.ugu and we've added detection for it on 11th of December) alters the online banking web page on the fly, inviting the user to download and install an application which is allegedly necessary for logging into the system. The user can get this link via SMS message by entering his phone number or by scanning a QR code.

The CitMo Android Trojan works in almost the same way as ZitMo. It is able to hide particular SMS messages and resend them to the attacker's command server. Some versions of ZitMo resend SMS messages to particular cell phone numbers in addition to various web servers. Known versions of CitMo and the Windows module of Carberp (Trojan-Spy.Win32.Carberp.ugu) work only with the remote server ‘bersta***.com’.

California Department of Health Care Mistakenly Publishes Details of 14,000 People

Dec 13, 2012 | comments

The State of California has mistakenly published thousands of Social Security numbers on the Internet.

The list includes Medi-Cal providers in 25 California counties, including Amador, Calaveras, Colusa, Nevada, Placer, Sutter, Tuolumne and Yuba.

The information, belonging to Medi-Cal providers working for In-Home Supportive Services, had been posted on the Medi-Cal website for a period of nine days before someone noticed the error.

Individuals from 25 counties are affected by the breach. Those impacted will be receiving notification letters and they’re being offered one year of free credit monitoring services.

Additional measures are being deployed to prevent such incidents from occurring in the future.

The confidential information was available on the state's Medi-Cal website for anyone to see for a period of nine days, before the mistake was discovered and the numbers removed. Social Security numbers are a key ingredient for identity theft.

This is the second time in the past 5 months that In-Home Supportive Services providers have been affected by a data breach. Last time, a total of 750,000 people were exposed by a breach at the Department of Social Services.

Copyright © 2011. INDIATRIKS - All Rights Reserved