By Michael Sweeting After a relatively long lag period without seeing any particular new and exciting Mac malware, last week we saw the surfacing of a new and interesting method of compromising the OSX system. Malware authors have taken a new approach by altering file extensions of malicious .app packages in order to trick users into thinking they are opening relatively harmless .pdf or .doc files. Changing file extensions in Mac OSX can be tricky due to a built in security feature of the OS that detects attempts to change the extension and automatically annexes the extension of its correct […]
Posts Categorized: Exploits
By Nathan Collier Last Friday we blogged about the radical Android OS bug 8219321, better known as the “Master Key” bug, which was reported by Bluebox Security. Check out last weeks blog if you haven’t already: “The implications are huge!” – The Master Key Bug. We mentioned how we have been diligently working on protecting those not yet covered by patches or updates, and finding a solution for older devices as well. We are happy to report we have the solution! The newest version of Webroot SecureAnywhere Mobile with a patch for the “Master Key” bug can be found on the […]
By Nathan Collier and Cameron Palan Last week, Bluebox Security reported they’d found a new flaw with the Android OS, saying “The implications are huge!”. The bug, also known as the “Master Key” bug or “bug 8219321”, can be exploited as a way to modify Android application files, specifically the code within them, without breaking the cryptographic signature. We call these signatures the “digital certificate”, and they are used to verify the app’s integrity. Since the bug is able to modify an application and still have the certificate appear valid, it is a big deal.
By Nathan Collier There’s one variant of Android.Bankun that is particularly interesting to me. When you look at the manifest it doesn’t have even one permission. Even wallpaper apps have internet permissions. Having no permissions isn’t a red flag for being malicious though. In fact, it may even make you lean towards it being legitimate. There is one thing that thing that gives Android.Bankun a red flag though. The package name of com.google.bankun instantly makes me think something is fishy. To the average user the word ‘Google’ is seen as a word to be trusted. This is especially true when […]
By Dancho Danchev Our sensors recently picked up a Web site infection, affecting the Web site of the Ministry of Micro And Medium Enterprises (MSME DI Jaipur). And although the Black Hole Exploit Kit serving URL is currently not accepting any connections, it’s known to have been used in previous client-side exploit serving campaigns. Let’s profile the campaign, list the malicious URLs, associate them with previously launched malicious campaigns, and provide actual MD5s for historical OSINT preservation/attribution purposes. More details:
By Israel Chavarria Recently we have seen a spike of this ransomware in the wild and it appears as though its creators are not easily giving up. This infection takes your computer hostage and makes it look as though the authorities are after you, when in reality this is all just an elaborate attempt to make you pay to unblock your computer.
By Dancho Danchev Kindle users, watch what you click on! Cybercriminals are currently mass mailing tens of thousands of fake Amazon “You Kindle E-Book Order” themed emails in an attempt to trick Kindle users into clicking on the malicious links found in these messages. Once they do so, they’ll be automatically exposed to the client-side exploits served by the Black Hole Exploit Kit, ultimately joining the botnet operated by the cybercriminal/cybercriminals that launched the campaign. More details:
On a regular basis we profile various DIY (do it yourself) releases offered for sale on the underground marketplace with the idea to highlight the re-emergence of this concept which allows virtually anyone obtaining the leaked tools, or purchasing them, to launch targeted malware attacks. Can DIY exploit generating tools be considered as a threat to the market domination of Web malware exploitation kits? What’s the driving force behind their popularity? Let’s find out by profiling a tool that’s successfully generating an exploit (CVE-2013-0422) embedded Web page, relying on malicious Java applets. More details:
Following the recent events, opportunistic cybercriminals have been spamvertising tens of thousands of malicious emails in an attempt to capitalize on on the latest breaking news. We’re currently aware of two “Boston marathon explosion” themed campaigns that took place last week, one of which is impersonating CNN, and another is using the “fertilizer plant exposion in Texas” theme, both of which redirect to either the RedKit or the market leading Black Hole Exploit Kit. Let’s profile the campaigns that took place last week, with the idea to assist in the ongoing attack attribution process. More details:
By Dancho Danchev On a daily basis we process multiple malicious campaigns that, in 95%+ of cases, rely on the market leading Black Hole Exploit Kit. The fact that this Web malware exploitation kit is the kit of choice for the majority of cybercriminals, speaks for its key differentiation factors/infection rate success compared to the competing exploit kits, like, for instance, the Sweet Orange exploit kit or the Nuclear Exploit pack v2.0. In this post I’ll profile the EgyPack, a Web malware exploitation kit that was originally advertised on invite-only/vetted cybercrime friendly communities between the period of 2009-2011. List its core features, provide exclusive screenshots […]