MetaFilter posts tagged with malware

the ultimate in spyware

madamjujujive — Sun, 10 Mar 2013 21:01:26 -0800

Meet the men who spy on women through their webcams - "If you are unlucky enough to have your computer infected with a RAT, prepare to be sold or traded to the kind of person who enters forums to ask, "Can I get some slaves for my rat please? I got 2 bucks lol I will give it to you :b" At that point, the indignities you will suffer—and the horrific website images you may see—will be limited only by the imagination of that most terrifying person: a 14-year-old boy with an unsupervised Internet connection."

Welcome to the Malware-Industrial Complex

Chrysostom — Thu, 14 Feb 2013 12:32:44 -0800

“On the one hand the government is freaking out about cyber-security, and on the other the U.S. is participating in a global market in vulnerabilities and pushing up the prices,” says Soghoian, who says he has spoken with people involved in the trade and that prices range from the thousands to the hundreds of thousands. Even civilian law-enforcement agencies pay for zero-days, Soghoian says, in order to sneak spy software onto suspects’ computers or mobile phones.

But not browsing MetaFilter

Wordshore — Wed, 16 Jan 2013 08:30:13 -0800

(BBC) A security check on a US company has reportedly revealed one of its staff was outsourcing his work to China. "The software developer, in his 40s, is thought to have spent his workdays surfing the web, watching cat videos on YouTube and browsing Reddit and eBay. He reportedly paid just a fifth of his six-figure salary to a company based in Shenyang to do his job." The Register gives a timetable of "Bob's" day, while geek.com has more details. v3 reports that: "The developer in question had quarter after quarter been rated as the best in the firm..." ...while Tim Stanley in the Daily Telegraph opinions that "This is capitalism at its best".

The Hunt For "Red October"

the man of twists and turns — Tue, 15 Jan 2013 01:55:12 -0800

An advanced and well-orchestrated computer spy operation that targeted diplomats, governments and research institutions for at least five years has been uncovered by security researchers in Russia.

The highly targeted campaign, which focuses primarily on victims in Eastern Europe and Central Asia based on existing data, is still live, harvesting documents and data from computers, smartphones and removable storage devices, such as USB sticks, according to Kaspersky Lab, the Moscow-based antivirus firm that uncovered the campaign. Kaspersky has dubbed the operation “Red October.”

Massive espionage malware targeting governments undetected for 5 years - "Red October" command-and-control setup more sophisticated than that of Flame. Kaspersky uncovers Red October malware campaign targeting governments for the last 5 years "Red October" Diplomatic Cyber Attacks Investigation

In October 2012, Kaspersky Lab’s Global Research & Analysis Team initiated a new threat research after a series of attacks against computer networks of various international diplomatic service agencies. A large scale cyber-espionage network was revealed and analyzed during the investigation, which we called «Red October» (after famous novel «The Hunt For The Red October»). This report is based on detailed technical analysis of a series of targeted attacks against diplomatic, governmental and scientific research organizations in different countries, mostly related to the region of Eastern Europe, former USSR members and countries in Central Asia. The main objective of the attackers was to gather intelligence from the compromised organizations, which included computer systems, personal mobile devices and network equipment. The earliest evidence indicates that the cyber-espionage campaign was active since 2007 and is still active at the time of writing (January 2013). Besides that, registration data used for the purchase of several Command & Control (C&C) servers and unique malware filenames related to the current attackers hints at even earlier time of activity dating back to May 2007.

"Red October" is still operational at this time. There are some indications is was used to collect information from EU and NATO encrypted systems. The botnet/worm has been compared to Stuxnet, Duqu, and Flame/Skywiper (Flame Full Analysis), though it does not currently appear to be connected to any of them, either through code analysis or methodology. Previously on MetaFilter, in reverse chronological order: "Flame is a newly-identified malware program" US and Israel Confirmed As Authors Of Stuxnet Virus Stuxnet II: Electric Duqu Stux to be you Weapons of the 21st Century

Thanks for two hours of your time

the man of twists and turns — Fri, 26 Oct 2012 03:34:40 -0800

"I am calling you from Windows": A tech support scammer dials Ars Technica Earlier this month, the Federal Trade Commission

launched a major international crackdown on tech support scams in which telemarketers masquerade as major computer companies, con consumers into believing that their computers are riddled with viruses, spyware and other malware, and then charge hundreds of dollars to remotely access and “fix” the consumers’ computers. At the request of the FTC, a U.S. District Court Judge has ordered a halt to six alleged tech support scams pending further hearings, and has frozen their assets.

More Ars: How To Troll A Tech Support Scammer

A good troll is a prepared troll, and Ted was ready. He dragged out the call by pretending to connect his Windows 95 and Windows Vista computers to CompuServe via dial-up Internet, by providing an expired credit card number, and by providing absurd answers to basic questions.

After FTC crackdown, users chronicle tech support scam calls: Recording of Scam Telemarketers (Video) Trolling The Windows Indian Phone Call Scam (Youtube) Scamming the scammers -- catching the virus call centre scammers red-handed (Youtube)

DNSChanger servers get shut down

Chocolate Pickle — Sat, 07 Jul 2012 13:16:01 -0800

On Monday hundreds of thousands of computers will lose their ability to connect to the Internet. The servers controlling the DNSChanger malware will be shut down, and without them computers which are still infected will cease to be able to do DNS lookups. Getting rid of it isn't easy, and requires a specific set of tools which would need to be downloaded before Monday. (Or, of course, you could reinstall the OS.)

An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.

mek — Fri, 08 Jun 2012 11:13:00 -0800

"Flame" is the name of a newly-identified malware program which utilizes a previously unknown MD5 collision attack to successfully spoof Microsoft Terminal Services, and install itself as a trusted program using Windows Update, Microsoft has confirmed. The program appears to have targeted computers in the Middle East, and specifically Iran; analysts have alleged it is likely created by the same entity that designed Stuxnet. Flame has been live and actively spying since 2010, but went undetected until recently, due to sophisticated anti-detection measures. While anonymous US officials have claimed responsibility for the program, officially both the USA and Israel have denied any involvement.

For those family computer rescue sessions

JHarris — Wed, 21 Dec 2011 20:22:16 -0800

Here are some free tools for rescuing infected Windows systems: Windows Defender Offline Beta - Kaspersky Rescue Disk 10 - BitDefender Bootable CD - Avira Bootable CD - How To Geek provides instructions for scanning a system from an Ubuntu Live CD. For more info, click through.... Windows malware has gotten a lot more insidious as of late. Many programs actively monitor the process list of the machine they're running on and immediately kill software that could be used to remove them, like msconfig, Windows Security Essentials and other antivirus programs. (In fact, if you try to run msconfig from the Run box and it never starts up, it's a good indication there's something screwy happening.) And even when it doesn't kill the program, many programs can somehow survive even when the antivirus program claims to have removed them. Many times I've had an antivirus program claim to have removed a piece of malware, only to reboot the machine and presto, it's still alive. The problem is, if you scan a system for malware while malware is running, it can take measures to defend itself. So, the best way to be sure of killing malware is to scan it while booting off of alternate media, so it never gets a chance to run. So rescue CDs and USB drives are potentially much more effective.

Facebook as Malware

Kimberly — Tue, 22 Nov 2011 07:33:23 -0800

Facebook has been criticized repeatedly for how it treats its users' privacy (this topic is not a stranger to MeFi), but with the introduction of OpenGraph (previously) earlier this year, some are arguing that Facebook has gone beyond general privacy concerns and has become Malware.

Now, we've shown that Facebook promotes captive content on its network ahead of content on the web, prohibits users from bringing open content into their network, warns users not to visit web content, and places obstacles in front of visits to web sites even if they've embraced Facebook's technologies and registered in Facebook's centralized database of sites on the web. Some other interesting reading on this topic: Why Facebook's Seamless Sharing is Wrong Marshall Kirkpatrick thinks that Facebook is "violating the relationship between the web and its users." How Facebook is ruining sharing Molly Wood from CNET claims that Facebook is "ruining sharing."

Stuxnet II: Electric Duqu

gemmy — Tue, 18 Oct 2011 13:14:04 -0800

A year after the infrastructure-attacking Stuxnet worm was discovered in Iran, a new piece of malware using some of the same techniques (but apparently with different goals) has been found infecting systems in Europe. The new malware, dubbed “Duqu” [dü-kyü], appears to have been written by someone with direct access to the Stuxnet source code.

The Cybercrime of Sextortion

Jasper Friendly Bear — Thu, 08 Sep 2011 20:22:25 -0800

Sextortion /sekˈstɔː(r)ʃ(ə)n/ noun The extortion and/or blackmail of an individual, wherein the item or service requested/demanded is the performance of a sexual act.

He seeded P2P networks with popular-sounding song titles that were actually malware; when someone downloaded and executed the file, their machine was infected and would open itself to his control. He took over 129 different computers for a total of 230 victims. Forty-four of the victims were juveniles. How an omniscient Internet "sextortionist" ruined the lives of teen girls. [Sextortionism, previously discussed on Mefi (working link to Sextortion at Eisenhower High article and an update).]

ANY KEY TO PLAY

griphus — Mon, 22 Aug 2011 10:48:10 -0800

Your Data depends on a game of JACKPOT and other classic vir(ii/uses). Brought to you by danooct1 and a Compaq Portable.

Stux to be you

Horace Rumpole — Mon, 11 Jul 2011 17:15:10 -0800

In-depth pieces in Vanity Fair and Wired detail the structure and impact of the Stuxnet worm, and what it means for the future of cybersecurity. (Previously)

Command and control

Artw — Tue, 22 Mar 2011 13:55:50 -0800

How Operation b107 decapitated the Rustock botnet (Previously)

Car back door

Chocolate Pickle — Sun, 13 Mar 2011 10:14:40 -0800

Researchers at UCSD have modified an MP3 file so that when it is played on a car's stereo system it modifies the stereo's firmware and opens up a security back door into the car's operating system. Using it, they were then able to control the door locks, the car ignition, and change the speedometer reading. They hypothesize that black-hats could create such modified files and spread them around on the torrent networks. And given that some cars now are networked and contain GPS systems, they say that cars which become compromised could be programmed to announce their location so that thieves could locate and steal them.

2010: The Year in Data Breaches

These Premises Are Alarmed — Tue, 28 Dec 2010 09:56:29 -0800

Wikileaks may have been the big news, but there were numerous other data breaches in 2010. The year started off with 'Aurora' - a coordinated attack against Google, Adobe, and others, which used vulnerabilities an Internet Explorer and Adobe Reader and Acrobat to steal intellectual property and attempt to access to the Gmail accounts of human rights activists. This attack brought the phrase "Advanced Persistent Threat" into the lexicon. Also, it supposedly got Google to switch all employees off Windows systems and take a more 'open' approach towards China. It wasn't just the big guys. Many, many small businesses were targeted, too. Specialized malware hit systems used for accounting and stole hundreds of thousands of dollars, often using "money mules" recruited through help-wanted ads. Health care companies also lost your info: a former Wellpoint employee was convicted of stealing health care providers' info to buy cell phones and forge checks. Wellpoint also notified up to 470,000 members that their personal health and financial information, including some social security numbers, were exposed after a botched website upgrade. Aetna threw out a file cabinet with the personal information of about 5,000 customers, Marsh and Mercer lost a backup tape being sent by courier with data for 121 patients and KPMG lost an unencrypted flash drive with 3,630 records. All in all "medical identity theft" struck 5.8% of US adults. Hotels, especially luxury brands, rose in prominence as targets of data thieves. Westin and Wyndham both acknowledged being hit. HEI, operator of Marriotts, Sheratons and Westins, sent letters to 3,400 customers stating their credit card numbers may have been compromised. AT&T and Apple got bad press for exposing the email address of everyone who bought an iPhone 4 in its early days, and disclosing[*] information on 114,000 3G iPad purchasers. Even an Energizer USB battery charger contained a backdoor that allowed remote access into the user's system. Malicious code spread through Twitter and a large email marketing firm had their database stolen. Banks remained a popular target. They did themselves no favors: it was reported up to 9,000 USB sticks are left in suit pockets at dry cleaners in London. A couple ID thieves were convicted of stealing names and account numbers at Wells Fargo, and Wells had more trouble with insider breaches. Hackers hit online check image archiving companies for $9 million. Can't get your bank on the phone? Maybe you're the victim of a telecom denial of service, where your phone system is overloaded to divert your bank trying to confirm a transaction. Governments lose data too: from UK Ministry of Defence down to state retirement boards. And, high school students still test their school's systems. Former NYC employees stole birth certificates and social security cards to sell. The Stuxnet worm supposedly was written by one government to target the operations of another. The Pentagon reported the "most serious" breach ever, caused by a flash drive inserted into a military laptop. Security remains hard to do right: the much-hyped Haystack program to allow dissidents free communication turned out to be snakeoil. Intel admitted the encryption key for Blu-Ray was disclosed, possibly having been brute-forced instead of leaked. A proprietary encryption key in car immobilizers was cracked. The BackTrack security testing Linux distro had their site compromised. [*] Link goes to Gawker, who had their own small data breach incident, too. Want to read more? My most frequent sources are The Office of Inadequate Security, the RISKS digest, and the great reporting of Brian Krebs.

Weapons of the 21st Century?

entropone — Tue, 30 Nov 2010 20:07:19 -0800

In June 2010, a bit of malware of unprecedented ability was discovered by a Belarussian security firm. Stuxnet had remained undetected for over a year. Security researchers have gradually learned more about this worm, which has led to much speculation about its origins and purposes. Though questions remain, it is clear that it is extremely advanced, and that it was designed to find a very specific hardware/software system and disrupt the operation of centrifuges, causing some to assert that it was built to sabotage Iran's nuclear facilities. Recently, Iran confirmed that its nuclear facilities had been seriously affected by Stuxnet. Some experts say that a worm of this level of sophistication could only have been designed by a nation-state. Previously.

Parking Malware

Chocolate Pickle — Sat, 28 Aug 2010 13:41:54 -0800

The page served by Network Solutions for parked domains was serving malware until two weeks ago. Apparently it had been like that for months without anyone taking notice.

I'm not trying to scare you!

Obscure Reference — Sun, 18 Apr 2010 09:27:38 -0800

Scareware comprises several classes of scam software with malicious payloads, or of limited or no benefit, that are marketed to consumers by scaring them. One frequently seen version is rogue security software that deceives users into paying for the fake or simulated removal of malware. The N. Y. Times site inadvertently displayed a scareware message last September. Ransomware is computer malware which holds a computer system, or the data it contains, hostage against its user by demanding a ransom for its restoration. A recently seen version pretends to be the fake ICPP Foundation. The victim is informed that an "Antipiracy foundation scanner" has found illegal torrents and must pay $400 (via credit card), to avoid jail and huge fines. (Microsoft genuine advantage, which can display "periodic reminders" has been legally ruled non-spyware.) Macs are not immune to ransomware.

The dry, technical language of Microsoft's October update did not indicate anything particularly untoward.

The Whelk — Mon, 15 Jun 2009 14:40:29 -0800

Its reach is impossible to measure precisely, but more than 3 million vulnerable machines may ultimately have been infected. : The inside story on the Conficker Worm at New Scientist.

GhostNet

homunculus — Sat, 28 Mar 2009 22:55:33 -0800

Tracking GhostNet: Investigating a Cyber Espionage Network. "A vast electronic spying operation has infiltrated computers and has stolen documents from hundreds of government and private offices around the world, including those of the Dalai Lama, Canadian researchers have concluded. In a report to be issued this weekend, the researchers said that the system was being controlled from computers based almost exclusively in China, but that they could not say conclusively that the Chinese government was involved." Another report does fault China: The Snooping Dragon: Social Malware Surveillance of the Tibetan Movement

The "boss level" of internet worms.

e.e. coli — Sat, 21 Mar 2009 21:14:02 -0800

Conficker C is scary as hell. Conficker C represents a best-of-breed specimen of malware, with its swiss-army-knife-from-hell approach to digging in, staying hidden, and making your life generally miserable. Telltale symptoms: you can't view such web sites as Microsoft.com, symantec.com, avast.com, or any other computer security-related sites the worm authors have thought to include in the blacklist; you can't run any of the superb Sysinternals utilities, or many other utilities, because they get killed within a second of starting them up; your antiviral software is impotent. But none of that is the point of the worm. On April Fool's Day of this year, the roughly 10 million conficker-infected Windows XP-based PCs (mostly in China, Brazil, and Russia) will phone home, but nobody knows to what purpose. The "best" possible outcome is that the bad guys are merely stealing the identities of 10 million people. It's hard to say what the worst case is, but the metaphor "internet warfare" is, apparently, not overblown.

Heartland Systems data breach

Class Goat — Tue, 20 Jan 2009 15:39:55 -0800

"Payments processor Heartland Payment Systems has learned it was the victim of a security breach within its processing system in 2008. Heartland believes the intrusion is contained." Heartland Payment Systems processes payroll and credit card payments for more than 250,000 businesses. Looks like this data breach is even bigger than 2007's TJ Maxx break-in.

DOWNLOADING IS WRONG

azarbayejani — Tue, 06 Jan 2009 06:06:43 -0800

A new trojan is on the loose. It doesn't install any harmful adware/spyware, but does block both mininova and the Pirate Bay.

Super-targeted spear phishing attacks

gemmy — Thu, 27 Mar 2008 20:34:53 -0800

The recent cyber attacks on pro-Tibet groups in the U.S. (attack details, technical data) and on the Save Darfur Coalition, among others, have managed to catch the attention of some in the mainstream media. Such super-targeted spear phishing attacks have been on the rise for several years, and have become an important tool for corporate espionage and military infiltration attempts. Teaching users to recognize such attack emails is probably the most effective deterrence, as technology solutions have shown to not be particularly effective. Some companies and government agencies even conduct sting operations to ferret out which internal users fail the test, targeting them for additional training. Thanks to homunculus for encouraging me to post on this.