Posts Categorized: Targets


Android.RoidSec: This app is an info stealing “sync-hole”!

by

Android.RoidSec has the package name “cn.phoneSync”, but an application name of “wifi signal Fix”. From a ‘Malware 101′ standpoint, you would think the creators would have a descriptive package name that matches the application name. Not so, in this case. So what is Android.RoidSec? It’s a nasty, malicious app that sits in the background (and avoids installing any launcher icon) while collecting all sorts of info-stealing goodness.

Continue Reading »

New versatile and remote-controlled “Android.MouaBot” malware found in the wild

by

By Cameron Palan and Nathan Collier Recently, we discovered a new malicious Android application called Android.MouaBot. This malicious software is a bot contained within another basic app; in this case, a Chinese calculator application. Behind the scenes, it automatically sends an SMS message to an auto-reply number which replies back to the phone with a set of commands/keywords. This message is then parsed and the various plugins within the malicious packages are run or enabled.

Continue Reading »

Android.TechnoReaper Downloader Found on Google Play

by

We have found a new threat we are calling Android.TechnoReaper. This malware has two parts: a downloader available on the Google Play Market and the spyware app it downloads. The downloaders are disguised as font installing apps, as seen below:

Continue Reading »

New IRC/HTTP based DDoS bot wipes out competing malware

by

Everyday, new vendors offering malicious software enter the underground marketplace. And although many will fail to differentiate their underground market proposition in market crowded with reputable, trusted and verified sellers, others will quickly build their reputation on the basis of their “innovative” work, potentially stealing some market share and becoming rich by offering the tools necessary to facilitate cybercrime. Publicly announced in late 2012, the IRC/HTTP based DDoS bot that I’ll profile in this post has been under constant development. From its initial IRC-based version, the bot has evolved into a HTTP-based one, supporting 10 different DDoS attack techniques as well as possessing a […]

Continue Reading »

How fraudulent blackhat SEO monetizers apply Quality Assurance (QA) to their DIY doorway generators

by

How are cybercriminals most commonly abusing legitimate Web traffic? On the majority of occasions, some will either directly embed malicious iFrames on as many legitimate Web sites as possible, target server farms and the thousands of customers that they offer services to, or generate and upload invisible doorways on legitimate, high pagerank-ed Web properties, in an attempt to monetize the hijacked search traffic. In this post I’ll profile a DIY blackhat SEO doorway generator, that surprisingly, has a built-in module allowing the cybercriminal using it to detect and remove 21 known Web backdoors (shells) from the legitimate Web site about to be abused, just in case […]

Continue Reading »

DIY SIP-based TDoS tool/number validity checker offered for sale

by

By Dancho Danchev Over the past year, we observed an increase in publicly available managed TDoS (Telephony Denial of Service) services. We attribute this increase to the achieved ‘malicious economies of scale’ on behalf of the cybercriminals operating them, as well as the overall availability of proprietary/public DIY phone ring/SMS-based TDoS tools. What are cybercriminals up to in terms of TDoS attack tools? Let’s take a peek inside a recently released DIY SIP-based (Session Initiation Protocol) flood tool, which also has the capacity to validate any given set of phone numbers. More details:

Continue Reading »

A peek inside a (cracked) commercially available RAT (Remote Access Tool)

by

By Dancho Danchev In an attempt to add an additional layer of legitimacy to their malicious software, cybercriminals sometimes simply reposition them as Remote Access Tools, also known as R.A.Ts. What they seem to be forgetting is that, no legitimate Remote Access Tool would posses any spreading capabilities, plus, has the capacity to handle tens of thousands of hosts at the same time, or possesses built-in password stealing capabilities. Pitched by its author as a Remote Access Tool, the DIY (do it yourself) malware that I’ll profile in this post is currently cracked, and available for both novice, and experienced cybercriminals to take […]

Continue Reading »

BitCoin Jackers Ask: “What’s in Your Wallet?”

by

By Adam McNeil With all the recent media coverage and extreme changes of the BitCoin value, it should come as no surprise that malware authors are trying to capitalize on the trends.  These people attempt to make money on all sorts of digital transactions and it’s probably a safe bet to expect their rapid expansion into the up-and-coming Digital Currency market. The Webroot Threat Research Department has already seen many malware campaigns targeting BitCoin users.  The recent explosion (and subsequent implosion) of the BitCoin value has expedited the need for custom compiled BitCoin harvesters and the malware authors are happy […]

Continue Reading »

Cybercriminals selling valid ‘business card’ data of company executives across multiple verticals

by

Over the last couple of years, the industry’s and the media’s attention has been shifting from mass widespread malware campaigns to targeted attacks most commonly targeting human rights organizations, governments and the military, also known as advanced persistent threats (APTs). In this post, I’ll profile a recently spotted underground market advertisement, which basically offers a Microsoft Access file of data belonging to executives within major companies such as Audi, Ralph Lauren, Bentley, Breitling, Porsche, Avito, Marc Jacobs, Ralph Lauren, Live Nation, Societe Generale, Bloomberg, Technip, Carlsberg, Coca-Cola, etc., obtained primarily through valid business cards. More details:

Continue Reading »