Skynet Botnet Command and Control Servers Controlled Over Tor

Dec 8, 2012

Tor network used to command Skynet botnet
Security researchers have identified a botnet controlled by its creators over the Tor anonymity network. It's likely that other botnet operators will adopt this approach.

The botnet is called Skynet and can be used to launch DDoS (distributed denial-of-service) attacks, generate Bitcoins -- a type of virtual currency -- using the processing power of graphics cards installed in infected computers, download and execute arbitrary files or steal login credentials for websites, including online banking ones.

However, what really makes this botnet stand out is that its command and control (C&C) servers are only accessible from within the Tor anonymity network using the Tor Hidden Service protocol.

Tor hidden services are most commonly Web servers, but can also be Internet Relay Chat (IRC), Secure Shell (SSH) and other types of servers. These services can only be accessed from inside the Tor network through a random-looking hostname that ends in the .onion pseudo-top-level domain.

The Hidden Service protocol was designed to hide the IP (Internet Protocol) address of the clients from the service and the IP address of the service from the clients, making it almost impossible for the parties involved to determine each other's physical location or real identity. Like all traffic passing through the Tor network, the traffic between a Tor client and a Tor hidden service is encrypted and is randomly routed through a series of other computers acting as Tor relays.
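The .onion naming described above lends itself to a simple network-side detection. The following is an added example, not part of the original article: it scans constructed resolver and proxy log lines for hidden-service hostnames. A correctly configured Tor client resolves .onion names inside its own circuit, so such a name showing up in corporate DNS or proxy logs points at a host whose software is trying to reach a hidden service without Tor in the path, which is worth a look. The log format, client addresses and .onion names are all made up.

```python
import re
from typing import List, Tuple

# Constructed sample log lines (not from the article) in the style of a
# resolver log and a forward-proxy log. The .onion names are made up.
SAMPLE_LOGS = [
    "2012-12-08T10:01:02 dns client=10.0.0.12 query=www.example.com type=A",
    "2012-12-08T10:01:05 dns client=10.0.0.17 query=xk7q2mdgh3pz5vtu.onion type=A",
    "2012-12-08T10:01:09 proxy client=10.0.0.17 CONNECT bq4rtsk3mz7dlwv6.onion:80",
    "2012-12-08T10:01:11 proxy client=10.0.0.21 GET http://onion.example.net/index.html",
    "2012-12-08T10:01:15 dns client=10.0.0.30 "
    "query=7x2mq4dfk3gh5jklmnp6qrst2uvwxy3zab4cdef5ghi6jkl7mnop2qrd.onion type=A",
]

# A hidden-service hostname is a base32 label (a-z, 2-7) followed by .onion:
# 16 characters for the v2 addresses of 2012, 56 for today's v3 addresses.
# The lookarounds keep the label from being part of a longer hostname label.
ONION_RE = re.compile(
    r"(?<![a-z2-7])([a-z2-7]{16}|[a-z2-7]{56})\.onion(?![a-z0-9-])",
    re.IGNORECASE,
)
CLIENT_RE = re.compile(r"\bclient=(\S+)")


def find_onion_indicators(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, onion_hostname) for every line that references a
    .onion name. Tor clients never hand .onion names to a normal resolver,
    so a hit means a host is trying to reach a hidden service without
    (or before) Tor routing the request."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = ONION_RE.search(line)
        if not m:
            continue
        client = CLIENT_RE.search(line)
        hits.append((client.group(1) if client else "?", m.group(0).lower()))
    return hits


def clients_of_interest(lines: List[str]) -> List[str]:
    """Distinct client addresses, in first-seen order, to hand to triage."""
    seen: List[str] = []
    for client, _ in find_onion_indicators(lines):
        if client not in seen:
            seen.append(client)
    return seen


if __name__ == "__main__":
    for client, onion in find_onion_indicators(SAMPLE_LOGS):
        print(f"{client}\t{onion}")
    print("clients to triage:", ", ".join(clients_of_interest(SAMPLE_LOGS)))
```

The host `onion.example.net` in the fourth line is deliberately not matched: the pattern requires a base32 label of the right length followed by the `.onion` suffix, not merely the word.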

As far as I understand, there is no technical way to trace, and certainly none to take down, the hidden services used for C&C.

Samsung Location Spoofing flaw

Dec 7, 2012


According to experts, 113 devices are lost or stolen every minute in the United States. Because of the large number of incidents, many phone owners deploy some sort of anti-theft or anti-loss solution to protect their data or to track down their smartphones in case they get lost.

In the case of Samsung smartphones, the service is called Samsung Dive. The system allows the phone’s owner to pinpoint the whereabouts of the device via GPS and other location acquisition techniques. 

If the phone is stolen, the thief can simply report a fake location to Samsung's tracking server and mislead the owner into believing that the phone is genuinely at that location. The location can be faked continuously, to random places anywhere in the world.

This is possible because Samsung's location APIs can be manipulated simply by installing a commonly available GPS location spoofer on the device.

Another noteworthy thing is that Samsung's tracking application shows a notification when the device is being remotely monitored. This simply alerts the hacker or thief, and it defeats the fundamental principle and purpose of a tracking application, which in case of theft should work on the principle of hidden remote tracking.

Other applications, such as AVG's and the well-known Lookout tracker, provide similar services and are also vulnerable to location spoofing, but Samsung's own tracking service is far more critical: Samsung is the device manufacturer, the tracking module comes built into the phone, and it is the most widely used. Since such tracking applications also provide a remote data wipe service, phone owners usually prefer the manufacturer's solution over a third-party tracking application.
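Since the device itself is the source of every location report, the server cannot trust any single fix. One mitigation a tracking back end can apply is a plausibility check on the sequence of reports: a device that moves from one continent to another in five minutes is being spoofed. The following is an added example, not Samsung Dive's code; it uses constructed fixes, a great-circle distance and a 1000 km/h speed limit (an assumption) to flag impossible jumps and to keep only fixes reachable from the last trusted one. It narrows the attack but does not defeat a spoofer that fakes a smooth, plausible track.

```python
import math
from typing import List, Tuple

Fix = Tuple[float, float, int]   # (latitude, longitude, unix timestamp)

# Constructed location reports as a tracking server might receive them from a
# device reported lost. The first two are a normal short move within San
# Francisco; the last two are the hops across the world a spoofer produces.
SAMPLE_FIXES: List[Fix] = [
    (37.7749, -122.4194, 1354867200),   # San Francisco
    (37.7790, -122.4150, 1354867500),   # 5 min later, about 0.6 km away
    (48.8566,    2.3522, 1354867800),   # "Paris", 5 min later
    (-33.8688, 151.2093, 1354868100),   # "Sydney", 5 min later
]

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: faster than any commercial flight


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def implied_speed_kmh(prev: Fix, cur: Fix) -> float:
    """Speed needed to get from prev to cur; infinite if time did not advance."""
    dt_h = (cur[2] - prev[2]) / 3600.0
    if dt_h <= 0:
        return math.inf
    return haversine_km(prev[:2], cur[:2]) / dt_h


def implausible_jumps(fixes: List[Fix], max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[Tuple[int, float]]:
    """(index, speed) for each fix whose move from its predecessor is too fast."""
    flagged: List[Tuple[int, float]] = []
    for i in range(1, len(fixes)):
        speed = implied_speed_kmh(fixes[i - 1], fixes[i])
        if speed > max_kmh:
            flagged.append((i, speed))
    return flagged


def trusted_fixes(fixes: List[Fix], max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[Fix]:
    """Accept a fix only if it is reachable from the last *accepted* fix, so a
    burst of fake reports is dropped instead of dragging the map marker around."""
    accepted: List[Fix] = []
    for fix in fixes:
        if not accepted or implied_speed_kmh(accepted[-1], fix) <= max_kmh:
            accepted.append(fix)
    return accepted


if __name__ == "__main__":
    for index, speed in implausible_jumps(SAMPLE_FIXES):
        print(f"fix {index}: implied speed {speed:,.0f} km/h, rejected")
    print("trusted track:", trusted_fixes(SAMPLE_FIXES))
```

Comparing against the last accepted fix rather than the previous report matters: otherwise the jump from "Paris" to "Sydney" would be judged on its own and a spoofer could walk the marker away in steps that each look plausible relative to the previous fake.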

We’ve contacted Samsung to find out if they’re aware of this issue and if they plan on doing anything to address it. We’ll return with more details once they become available.

Microsoft ERP hack



Security researchers have presented proof-of-concept code capable of accessing the database driving a Microsoft ERP system and then diverting funds while avoiding immediate detection.
Tom Eston and Brett Kimmel of vendor SecureState presented the would-be malware this week at the Black Hat Abu Dhabi conference.

For hackers seeking big money, infiltrating an enterprise resource planning system would be like hitting the jackpot. Once inside, cybercriminals would have access to financial software, as well as applications driving business operations.

Makers of corporate enterprise resource planning (ERP) systems include Oracle and SAP, while Microsoft's Dynamics Great Plains software is for midsize businesses.

Hacking Great Plains, or any other ERP system, requires more than just technical expertise. An accountant would also be needed to make sense of the information in the database and to manipulate accounts in a way that avoids immediate detection.

Project Mayhem included tech experts and a certified public accountant. "It's that blending of unique knowledge that facilitates the ability to find [where to] attack."

Air Canada Order Confirmation Email Contains Malicious URL

Dec 5, 2012

Fake Air Canada order-confirmation emails contain a URL that downloads a malicious ZIP file. The email is sent from the spoofed address “Air Canada <tickets@aircanada.com>” and has the following body:

Dear Customer,
Your order has been successfully processed.
FLIGHT NUMBER TB8696CA
ELECTRONIC 75267302
DATE & TIME / DECEMBER 5, 2012, 10:30 AM
DEPARTING / Toronto
TOTAL PRICE / 375.12 CAD

Please download and print your ticket from the following URL : http://www.aircanada.com/aco/manageMyBookings.do?tid=TB7392CA&ticket_number=75267302
For more information regarding your order, contact us by visiting , visit : http://www.aircanada.com/en/customercare/index.html?orderid=75267302&ssid=1866
Thank you
Air Canada.
The embedded link does not point the browser to the real website but to hxxp://air-canada.org/tickets/ticketTB7392CA.zip. Once this file is extracted you will have the 175 kB file ticketTB7392CA.scr, a screensaver executable rather than a ticket.

The trojan is known as Trojan-Spy.Win32.Zbot.gtvm, Trojan.Zbot or Trojan.Agent/Gen-Festo.

RapidFAX And eFax Inbound Fax Emails Attached ZIP File Contains Trojan



ALERT: If you come across an email entitled “Inbound Fax,” “eFax,” “RapidFAX: Inbound Fax” or “RapidFax: New Inbound Fax” in your inbox, don’t open the attachment it contains, since it hides a new variant of a Trojan.

The messages, which purport to come from reports@rapidfax.com, contain information such as MCFID, the time at which it was received, fax number, ANI, number of pages, CSID, and the fax status code.
They only inform recipients that “a fax have been received” and urge them not to reply to the email.

The attached ZIP file has the name rapidfax-E4C935577EDD.zip and contains the 117 kB file RapidFAX_MCID_000_LOTS_OF_NUMBERS__13341.pdf.exe, an executable whose double extension is chosen to pass as a PDF.

The malware is identified as TR/Dldr.Kryptik.H, Trojan.Generic.8337227, Win32/Kryptik.APZB or Trojan-PSW.Win32.Tepfer.cqaj, depending on the antivirus vendor.
The trojan is also known as UDS:DangerousObject.Multi.Generic or Trojan.Lameshield.
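Both lures above share two tells that a mail gateway or an analyst can check mechanically: the Air Canada message shows one URL as link text while the href points at another host, and both campaigns deliver an executable behind a document-looking name (a .scr inside a ticket ZIP, a .pdf.exe inside a fax ZIP). The code below is an added example, not something from the original article. It runs the two checks over a constructed HTML body modelled on the quoted Air Canada mail (the URLs are the ones the article quotes, kept defanged as an analyst's notes would have them) and over the attachment names the article gives plus one benign name.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Constructed HTML body modelled on the Air Canada lure quoted above: the link
# text shows the real site while the href points elsewhere. The URLs are the
# ones the article quotes, kept defanged (hxxp) as analysts usually store them.
SAMPLE_EMAIL_HTML = """
<p>Please download and print your ticket from the following URL :
<a href="hxxp://air-canada.org/tickets/ticketTB7392CA.zip">
http://www.aircanada.com/aco/manageMyBookings.do?tid=TB7392CA&amp;ticket_number=75267302</a></p>
<p>For more information visit :
<a href="http://www.aircanada.com/en/customercare/index.html?orderid=75267302&amp;ssid=1866">
http://www.aircanada.com/en/customercare/index.html?orderid=75267302&amp;ssid=1866</a></p>
"""

# Constructed attachment list: the two names from the article plus a benign one.
SAMPLE_ATTACHMENTS = [
    "RapidFAX_MCID_000_LOTS_OF_NUMBERS__13341.pdf.exe",
    "ticketTB7392CA.scr",
    "invoice_2012-12.pdf",
]

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Dict[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append({"href": self._href, "text": "".join(self._text).strip()})
            self._href = None


def refang(url: str) -> str:
    """Turn analyst-defanged schemes (hxxp, hxxps) back into parseable ones."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)


def host_of(url: str) -> str:
    return (urlparse(refang(url)).hostname or "").lower()


def mismatched_links(html_body: str) -> List[Dict[str, str]]:
    """Links whose visible text is itself a URL on a different host than the
    href actually targets: the classic lure pattern."""
    parser = _LinkCollector()
    parser.feed(html_body)
    flagged = []
    for link in parser.links:
        if not link["href"] or not re.match(r"^h(tt|xx)ps?://", link["text"], re.IGNORECASE):
            continue  # no target, or the text is not a URL: nothing to compare
        shown, actual = host_of(link["text"]), host_of(link["href"])
        if shown != actual:
            flagged.append({"shown": shown, "actual": actual, "href": link["href"]})
    return flagged


def suspicious_attachments(names: List[str]) -> List[Dict[str, str]]:
    """Flag executable extensions, including ones hidden behind a document
    extension (report.pdf.exe). Windows hides known extensions by default,
    so the user would see only 'report.pdf'."""
    flagged = []
    for name in names:
        parts = name.lower().split(".")
        if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
            continue
        reason = "executable extension"
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            reason = f"executable disguised as .{parts[-2]}"
        flagged.append({"name": name, "reason": reason})
    return flagged


if __name__ == "__main__":
    for hit in mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"link shows {hit['shown']} but goes to {hit['actual']} ({hit['href']})")
    for hit in suspicious_attachments(SAMPLE_ATTACHMENTS):
        print(f"{hit['name']}: {hit['reason']}")
```

Comparing hostnames rather than full URLs is deliberate: the lure keeps the path and query plausible, and only the host gives it away. The second link in the sample, whose text and href agree, is not reported.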

This isn’t the only spam campaign that relies on bogus fax messages. Emails pretending to come from eFaxCorporate are also making the rounds these days.

The emails appear to come from messages@inbound.efax.com (the default eFax account) and are entitled “Corporate eFax message – (xyz) pages”.

Twitter SMS-Spoofing Bug

Dec 4, 2012
“Twitter users with SMS enabled are vulnerable to an attack that allows anyone to post to their account. Users of Twitter that have a mobile number associated with their account and have not set a PIN code are vulnerable. All of the Twitter SMS commands can be used by an attacker, including the ability to post tweets and modify profile info. Messages can then be sent to Twitter with the source number spoofed,” Jonathan Rudenberg, the researcher who discovered the bug, said in an advisory on the Twitter SMS flaw.
Facebook and Venmo were also vulnerable to the same spoofing attack, but those issues were resolved after disclosure to their respective security teams.

The vulnerability is a result of the way the Twitter service handles incoming commands from users' mobile devices. Twitter users can turn on an option that allows them to post messages, follow and unfollow users and take other actions simply by sending SMS commands from their mobile phones. To do this, a user must register his mobile number with Twitter in his profile, so the service knows which account the commands belong to. The problem is that Twitter then accepts the source number of an incoming SMS as proof of who sent it, and that number can be spoofed; so unless the user has set a PIN code, anyone who knows the user's mobile number can post messages, change profile settings and take other actions on the user's behalf.
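The flaw comes down to where the authentication lives: the source number of an SMS is set by whoever sends it, so a service that authenticates commands by that number alone authenticates nothing. The following is an added example (not Twitter's code) contrasting a handler that trusts the source number with one that also demands a user-chosen PIN, which travels in the message body and never in the spoofable caller-ID field. The "PIN, space, command" syntax, the account table and the phone numbers are assumptions made for the example.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Account:
    handle: str
    pin: Optional[str] = None                 # None: the user never set an SMS PIN
    tweets: List[str] = field(default_factory=list)


@dataclass
class InboundSms:
    source_number: str                        # as reported by the carrier gateway; spoofable
    body: str


def fresh_accounts() -> Dict[str, Account]:
    """Constructed account table keyed by registered mobile number (made-up numbers)."""
    return {
        "+14155550123": Account("alice"),             # no PIN: exposed
        "+14155550199": Account("bob", pin="4821"),   # PIN set
    }


def handle_sms_by_number_only(msg: InboundSms, accounts: Dict[str, Account]) -> str:
    """The weak design the article describes: the sender number both selects
    and authenticates the account, so a spoofed source number is fully trusted."""
    acct = accounts.get(msg.source_number)
    if acct is None:
        return "unknown sender"
    acct.tweets.append(msg.body)
    return f"posted as @{acct.handle}"


def handle_sms_with_pin(msg: InboundSms, accounts: Dict[str, Account]) -> str:
    """Hardened handler: the number only selects the account; a user-chosen
    PIN must prefix each command. The 'PIN<space>command' format is this
    example's assumption, not Twitter's documented syntax. Accounts without a
    PIN are refused rather than trusted on caller ID alone."""
    acct = accounts.get(msg.source_number)
    if acct is None:
        return "unknown sender"
    if acct.pin is None:
        return "rejected: no PIN configured for SMS commands"
    pin, _, command = msg.body.partition(" ")
    # Constant-time comparison so response timing does not leak PIN digits.
    if not hmac.compare_digest(pin.encode(), acct.pin.encode()):
        return "rejected: bad PIN"
    if not command.strip():
        return "rejected: empty command"
    acct.tweets.append(command.strip())
    return f"posted as @{acct.handle}"


def spoofing_scenario() -> Dict[str, str]:
    """The same forged message (caller ID set to alice's number by someone who
    is not alice) run through both handlers."""
    forged = InboundSms("+14155550123", "I did not write this")
    return {
        "number_only": handle_sms_by_number_only(forged, fresh_accounts()),
        "with_pin": handle_sms_with_pin(forged, fresh_accounts()),
    }


if __name__ == "__main__":
    for design, outcome in spoofing_scenario().items():
        print(f"{design:12s} -> {outcome}")
```

Note that the hardened handler refuses accounts with no PIN instead of falling back to number-only trust; an opt-in PIN, as described in the advisory, leaves every user who never set one exposed.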


Dockster: New Mac Trojan OSX/Dockster Targets gyalwarinpoche.com Website Related To Dalai Lama


A website related to the Dalai Lama is hosting attack code that attempts to surreptitiously install OS X-based spy software on the Macs of people who visit.

This malware is now known to be in the wild and the remote address contacted by the backdoor is now active. The Java-based exploit uses the same vulnerability as "Flashback", CVE-2012-0507. Current versions of Mac OS X and those with their browser's Java plugin disabled should be safe from the exploit. The malware dropped, Backdoor:OSX/Dockster.A, is a basic backdoor with file download and keylogger capabilities.

If it’s executed, the trojan deletes itself from the location where it was run and installs itself in the user’s home directory with the filename .Dockset. The file is not visible through Finder; however, if it’s running, it can be seen within OS X’s Activity Monitor. It creates a launch agent called mac.Dockset.deman so that the trojan will restart each time an affected user logs in. Once the trojan is active, it tries to contact the remote address itsec.eicp.net to await instructions. At the time of writing, this address is not registered, which indicates the sample may be intended simply as a test rather than an active threat.
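The persistence described here (a hidden file in the home directory, started by a launch agent in ~/Library/LaunchAgents) is easy to audit. Below is an added example, not code from Intego or F-Secure: it builds a throwaway home directory with the layout the article describes (a .Dockset file and a mac.Dockset.deman agent, plus a benign agent for contrast) and then flags any launch agent whose program is a dotfile under the home directory. Everything in the sample directory is constructed; the stub "binary" is four magic bytes, not malware.

```python
import os
import plistlib
import tempfile
from typing import Dict, List, Optional, Tuple


def build_sample_home() -> str:
    """Create a throwaway home directory mimicking the article's layout:
    a hidden executable at ~/.Dockset and a launch agent mac.Dockset.deman
    that starts it, plus a benign agent. All constructed for the example."""
    home = tempfile.mkdtemp(prefix="home-")
    agents_dir = os.path.join(home, "Library", "LaunchAgents")
    os.makedirs(agents_dir)

    hidden = os.path.join(home, ".Dockset")
    with open(hidden, "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe")          # Mach-O 64-bit magic and nothing else
    os.chmod(hidden, 0o755)

    with open(os.path.join(agents_dir, "mac.Dockset.deman.plist"), "wb") as f:
        plistlib.dump({"Label": "mac.Dockset.deman",
                       "ProgramArguments": [hidden],
                       "RunAtLoad": True}, f)
    with open(os.path.join(agents_dir, "com.example.sync.plist"), "wb") as f:
        plistlib.dump({"Label": "com.example.sync",
                       "ProgramArguments": ["/usr/bin/true"],
                       "RunAtLoad": True}, f)
    return home


def launch_agent_programs(home: str) -> List[Dict[str, Optional[str]]]:
    """Label and program of every per-user launch agent under home."""
    agents_dir = os.path.join(home, "Library", "LaunchAgents")
    agents: List[Dict[str, Optional[str]]] = []
    if not os.path.isdir(agents_dir):
        return agents
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(agents_dir, name), "rb") as f:
            try:
                data = plistlib.load(f)
            except Exception:                  # unreadable plist: still list it
                data = {}
        args = data.get("ProgramArguments") or []
        program = data.get("Program") or (args[0] if args else None)
        agents.append({"plist": name, "label": data.get("Label", "?"), "program": program})
    return agents


def suspicious_launch_agents(home: str) -> List[Dict[str, Optional[str]]]:
    """Agents whose program lives under the home directory as a dotfile,
    i.e. hidden from Finder: the persistence pattern the article describes."""
    home = os.path.abspath(home)
    findings = []
    for agent in launch_agent_programs(home):
        program = agent["program"]
        if not program:
            continue
        program = os.path.abspath(program)
        if not program.startswith(home + os.sep):
            continue                           # system or vendor binary; out of scope here
        rel = os.path.relpath(program, home)
        if any(part.startswith(".") for part in rel.split(os.sep)):
            agent["reason"] = "hidden program under home directory"
            findings.append(agent)
    return findings


def summarize(home: str) -> List[Tuple[str, str]]:
    """(label, program basename) per finding; a compact form for a report."""
    return [(f["label"], os.path.basename(f["program"])) for f in suspicious_launch_agents(home)]


if __name__ == "__main__":
    sample = build_sample_home()
    for label, program in summarize(sample):
        print(f"{label}: starts hidden program {program}")
```

On a real Mac the same check would be pointed at the actual home directory, and the findings cross-checked against `launchctl list`, which shows what launchd has loaded rather than what is merely on disk.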

In the case of Flashback, which was also discovered by Intego, a reported 600,000 Macs were affected before Apple and Oracle released Java patches to remove the malware and protect against future attacks.

Although the newly-found Dockster takes advantage of an already fixed weakness, users who haven't yet updated their Macs or are running older software may still be at risk.

Tumblr Suffering From a Viral Hack

Dec 3, 2012


Tumblr seems to be suffering from a viral hack at the moment, as several blogs appear to have been compromised and are now displaying a message from the notorious troll organization GNAA.
The problem seems to be with Tumblr, which has acknowledged it, so account credentials probably haven’t been compromised.

“There is a viral post circulating on Tumblr which begins ‘Dearest ‘Tumblr’ users.’ If you have viewed this post, please log out of all browsers that may be using Tumblr immediately. Our engineers are working to resolve the issue as swiftly as possible,” Tumblr explained.

A coding tag contained in the post linked to malicious code on another website. The JavaScript exploit, which was included in an iframe tag that pointed to an outside website, used what is known as base-64 encoding. It's a technique that uses printable ASCII characters to represent large chunks of binary data and has the benefit of making it harder to know exactly how a script will behave when executed.
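The two mechanics mentioned here, an iframe pulling content from an outside host and base64 used to hide what a script does, can be surfaced by a simple post scanner. The following is an added example, not Tumblr's code or the actual payload: a constructed post body with an invisible external iframe and an atob()-wrapped base64 blob, a parser that reports iframes pointing off the trusted domain (tumblr.com is assumed as the trusted suffix), and a decoder that turns any long base64 run back into readable text so an analyst sees what the script does before it runs.

```python
import base64
import re
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse

# Constructed post body (not the real GNAA post): an invisible iframe loading
# content from an outside host, and an inline base64 blob decoded at runtime.
# The encoded script is harmless and built here so the sample is reproducible.
_ENCODED = base64.b64encode(b'document.title="constructed sample";').decode()
SAMPLE_POST = (
    "<p>Dearest 'Tumblr' users, ...</p>\n"
    '<iframe src="http://evil.example.test/x.html" width="0" height="0"></iframe>\n'
    '<img src="http://media.tumblr.com/photo.jpg">\n'
    f'<script>eval(atob("{_ENCODED}"))</script>\n'
)

TRUSTED_SUFFIXES = ("tumblr.com",)   # hosts a post may legitimately frame (assumption)


class _FrameCollector(HTMLParser):
    """Collect the src of every <iframe> in the post."""

    def __init__(self) -> None:
        super().__init__()
        self.iframe_srcs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.iframe_srcs.append(src)


def _is_trusted(host: Optional[str]) -> bool:
    if host is None:
        return True                       # relative src: same origin as the post
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def external_iframes(html: str) -> List[str]:
    """iframe sources that point outside the trusted domain."""
    parser = _FrameCollector()
    parser.feed(html)
    return [src for src in parser.iframe_srcs if not _is_trusted(urlparse(src).hostname)]


# A base64 run long enough to be worth decoding; short runs are ordinary words.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_base64_blobs(html: str) -> List[str]:
    """Decode every long base64 run that yields printable ASCII, so the
    analyst reads the script as it will execute rather than as an opaque blob."""
    decoded: List[str] = []
    for run in _B64_RUN.findall(html):
        if len(run) % 4:
            continue                      # not a complete base64 quantum
        try:
            raw = base64.b64decode(run, validate=True)
        except ValueError:
            continue
        if raw.isascii() and raw.decode("ascii").isprintable():
            decoded.append(raw.decode("ascii"))
    return decoded


if __name__ == "__main__":
    for src in external_iframes(SAMPLE_POST):
        print("external iframe:", src)
    for text in decode_base64_blobs(SAMPLE_POST):
        print("decoded script:", text)
```

The decoder only reports runs that decode to printable text, which is what script obfuscation produces; binary decodes are skipped to keep the output readable. Real payloads often nest several layers, so the decoded text may itself contain another blob worth feeding back in.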

There’s no way to know how many blogs have been affected so far and the only way to avoid your blog being taken over is to not use Tumblr and log out of your account. Not the greatest of fixes, but it’s all that works for now.

The exploit through which all of this was accomplished is unknown for now; the speculation is that the hackers were able to use a bug in Tumblr’s embedding system and get their scripts to run from there.

The malicious posting can be easily removed from infected accounts using the Tumblr mass editor. The site also recommends affected users change their account password, a measure that's probably not necessary, but wise considering Tumblr researchers have yet to offer a complete analysis of the attack.

Session Riding Vulnerability In Instagram 3.1.2 For iOS

Dec 1, 2012

Following my latest report on Instagram, Instagram 3.1.2 for iPhone (released on Oct 23, 2012) is vulnerable to a session riding attack that could allow an attacker on the same network to gain access to the victim’s account.

In this PoC exploit, an attacker on the same LAN as the victim could launch a simple ARP spoofing attack to trick mobile devices into directing their port 80 traffic through the attacker’s machine. When the victim starts the Instagram app and performs any action that requires authentication, such as liking or unliking pictures, a plaintext cookie is sent to the Instagram server; once the attacker has the cookie, he is able to log into the user’s account via the web and perform a variety of actions.

The compromise uses a method called ARP (Address Resolution Protocol) spoofing. “An ARP spoofing attack redirects Instagram requests from the iPhone into a custom hyperfox proxy; when the proxy detects an Instagram cookie, a file cookie/$IP_ADDRESS.txt is created containing the cookie value. After the attacker gets a cookie, he could use a plugin like Modify Headers on Firefox to sign in as the user on the secure URL https://instagram.com/accounts/edit/ where he could change personal data, such as the user’s e-mail address, and compromise the account,” Reventlov wrote.


Credit: The attack was developed by security researcher Carlos Reventlov.
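The weakness Reventlov describes is that an authenticated request leaves the app over plain HTTP with the session cookie attached, so anyone positioned on the path can read it. The following added example (mine, not Reventlov's PoC or Instagram's code) shows the defender's side of the same observation: a check run over constructed captured requests, as an app security review would record them, that reports session cookies crossing the wire in the clear, and a Set-Cookie audit for the Secure and HttpOnly attributes the server should have set so the client never sends the cookie unencrypted. The cookie names, values and request paths are constructed.

```python
from typing import Dict, List, Tuple

# Cookie names this example treats as session-bearing (an assumed list;
# "sessionid" is constructed here, not taken from the article).
SESSION_COOKIE_NAMES = {"sessionid", "session", "sid", "auth", "phpsessid", "jsessionid"}

# Constructed captures: the scheme the request travelled over plus the raw
# request as an inspection proxy would log it during an app review.
SAMPLE_CAPTURES: List[Tuple[str, str]] = [
    ("http",
     "GET /like/ HTTP/1.1\r\nHost: instagram.com\r\n"
     "Cookie: sessionid=CONSTRUCTED-SESSION-VALUE; csrftoken=abc123\r\n"
     "User-Agent: Instagram 3.1.2 (iPhone)\r\n\r\n"),
    ("https",
     "GET /accounts/edit/ HTTP/1.1\r\nHost: instagram.com\r\n"
     "Cookie: sessionid=CONSTRUCTED-SESSION-VALUE\r\n\r\n"),
    ("http",
     "GET /static/logo.png HTTP/1.1\r\nHost: instagram.com\r\n\r\n"),
]


def parse_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request into its request line and a lower-cased header map."""
    request_line, _, rest = raw.partition("\r\n")
    headers: Dict[str, str] = {}
    for line in rest.split("\r\n"):
        if not line:
            break                          # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def cookie_names(cookie_header: str) -> List[str]:
    """Names carried in a Cookie request header ('a=1; b=2' -> ['a', 'b'])."""
    return [part.split("=", 1)[0].strip() for part in cookie_header.split(";") if part.strip()]


def cleartext_session_cookies(captures: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """(scheme, host, cookie name) for every session cookie that crossed the
    wire unencrypted, i.e. readable by anyone on the path, as in the
    ARP-spoofing scenario described above."""
    findings: List[Tuple[str, str, str]] = []
    for scheme, raw in captures:
        if scheme != "http":
            continue
        _, headers = parse_headers(raw)
        for name in cookie_names(headers.get("cookie", "")):
            if name.lower() in SESSION_COOKIE_NAMES:
                findings.append((scheme, headers.get("host", "?"), name))
    return findings


def audit_set_cookie(set_cookie_value: str) -> List[str]:
    """Server side of the same problem: the attributes a session cookie needs
    so the client never sends it in the clear (Secure) or exposes it to
    script (HttpOnly). Returns the attributes that are missing."""
    attrs = {p.strip().lower() for p in set_cookie_value.split(";")[1:]}
    return [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]


if __name__ == "__main__":
    for scheme, host, name in cleartext_session_cookies(SAMPLE_CAPTURES):
        print(f"{name} sent to {host} over {scheme}: readable on the wire")
    print("missing attributes:", audit_set_cookie("sessionid=CONSTRUCTED; Path=/"))
```

The Secure attribute alone would have closed this particular hole: a client honouring it refuses to attach the cookie to any http:// request, so the liking action would have failed instead of leaking the session. Moving the whole API to HTTPS is the complete fix; the attribute is the guard rail for the request that slips through.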
Sulit.com.ph falls victim to a DNS change


Sulit.com.ph, the Philippine website with the highest Internet traffic in the country, was attacked by hackers on Saturday night, Dec. 1, when its domain name was redirected to another site.

Entering Sulit.com.ph redirects you to Ayosdito.ph, another local classified-ads portal. This was done simply by changing the DNS servers of the domain at the domain registrar (dotPH) to point to another host (Ayosdito.ph). The hackers said they found a vulnerability on the dotPH site that allowed them to change the DNS details of Sulit.com.ph’s account.

Sulit said in its advisory that it does not have control over the security of its domain name, as dotPH is the local domain registry that handles all .ph domains. But IT pioneer Fernando Contreras Jr. said in a Facebook comment that the incident may not have been just a simple DNS attack: “I don’t think it was just a DNS hack, the header and title of the page was changed also.”

UPDATE: Sulit.com.ph is back online.

Copyright © 2011. INDIATRIKS - All Rights Reserved