Security firm Sophos has discovered a modified variant of the well-known DarkComet Remote Access Trojan (RAT) that not only affects Windows PCs but the Mac OS X platform too. Interestingly enough, the nefarious Trojan readily admits it's not yet finished, which could be indicative of more underground programmers finally taking notice of the Mac's increased market share. In its current form, Sophos senior security adviser Chester Wisniewski describes the Trojan as "very basic" in nature, with a mix of English and German in the UI.
There's a new piece of malware making the rounds, one that could get more dangerous with time. It's a Trojan called "OddJob," and eastern European cybercriminals are using it to steal from online bank accounts in the U.S., ComputerWorld reports. That in and of itself isn't anything new, but according to Amit Klein, chief technology officer at security firm Trusteer, the way it's hijacking account information is different than most other malware.
Security firm Lookout warns that a new Trojan affecting Android devices has emerged in China. It's being called "Geinimi" and it's capable of compromising a "significant amount of personal data" harvested from a user's phone, which is then sent to remote servers.
"The most sophisticated Android malware we've seen to date, Geinimi is also the first Android malware in the wild that displays botnet-like capabilities," Lookout says. "Once the malware is installed on a user's phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone."
Right now it's being distributed via legitimate applications (mostly games) in third-party Chinese Android app markets, though Lookout warns it could be packaged into apps in other geographic regions, too.
In a recent blog post, Webroot warned of a Firefox Trojan that forces the browser to save all login credentials by default and subsequently uses the stolen information to create a new user account (username: Maestro) on the compromised machine. It then sniffs out sensitive user data (data forms and login details) from the Windows Protected Storage Area. The data stolen from here is faithfully shipped out to a server once every minute.
The Trojan's author, Salar “Salixem” Zeynali, is an Iran-based crimeware hobbyist and heavy metal enthusiast, according to his Facebook profile. With Zeynali choosing his real name over a nom de plume to take credit for the malware, Webroot clearly didn't have to work too hard to get to him.
“His Facebook profile indicates he lives in Karaj, Iran; he sports an emo haircut, and likes heavy metal music and programming. And, apparently, Zeynali writes crimeware for fun, because he doesn’t sell his keylogger. He offers a keylogger creator tool as a free download from the message board he hangs out on,” Webroot's Andrew Brandt wrote in the blog post.
“Unfortunately, there are a lot of people who frequent the same message board Zeynali uses to post his keylogger code, and some of those people have clearly been using the keylogger creator tool Zeynali built to create and distribute Trojans.”
According to Brandt, no AV solution can automatically fix the nsLoginManagerPrompter.js file the Trojan modifies, but it is rather easy to fix manually: download and install the latest version of Firefox on top of the existing installation.
Spanair flight number JK 5022, which crashed seconds after taking off from Madrid's Barajas airport on August 20, 2008, may have been doomed by a malware-infected mainframe responsible for identifying technical snags, it has now emerged. A preliminary probe into the cause of the crash that killed 154 people had pinned the blame on pilot error.
But according to a recent report in Spanish daily El Pais, the malware-toting mainframe may have had a significant role in the crash. A couple of technical problems passed under the radar a day before the crash. However, had the computer been in rude health, it would have not only helped technicians identify the snags but also prompted them to ground the ill-fated plane. An investigation commission is expected to submit its final report in December.
And thus it begins, the era of SMS viruses for Android. That's according to security firm Kaspersky, which earlier this week warned that the first malicious program classified as a Trojan-SMS has been detected for smartphones built around Google's Android platform.
"The new malicious program penetrates smartphones running Android in the guise of a harmless media player application," Kaspersky warns. "Users are prompted to install a file of just over 13KB with the standard Android extension .APK. Once installed on the phone, the Trojan uses the system to begin sending SMSs to premium rate numbers without the owner's knowledge or consent, resulting in money passing from a user's account to that of the cybercriminals."
Kaspersky says this bit of mischievous (and costly) code, called Trojan-SMS.AndroidOS.FakePlayer, has already infected a number of mobile devices. That isn't surprising, considering that the Trojan-SMS category is the most widespread class of malware for mobile phones, Kaspersky claims.
Android has had a few security scares during its meteoric rise to greatness, but this is the first time a software package could accurately be described as a malicious trojan. The malware, called Trojan-SMS.AndroidOS.FakePlayer, appears to be a standard Android application with the .APK file extension. Upon installing, the app will begin sending out SMS messages to premium numbers. This racks up huge charges on customer bills. It could be a big payday for the criminal elements behind this trojan.
This application is not available through the Android Market; it is obtained from outside sources and must be side-loaded onto the phone. This has kept its spread limited to Russia so far. Even if international users were infected, they could not be charged by the premium number being used. In response to the issue, Google said in a statement, "Users must explicitly approve this access in order to continue with the installation. We consistently advise users to only install apps they trust. In particular, users should exercise caution when installing applications outside of Android Market."
Is this the beginning of a trend? If this proves to be just the first volley in a campaign to target Android with malware, we might be running mobile security apps out of necessity rather than paranoia.
The ZeuS banking trojan is back making headlines, this time for hitting up infected machines with fake enrollment screens for both Visa and MasterCard credit cards.
"When you log into your bank, it says you have to enroll in Verified by Visa, that it's regulated now and you have to do it," explains Mickey Boodaei, CEO at Trusteer, a security firm.
This new variant sits in waiting until the potential victim logs into a list of targeted sites. Once they do, the ZeuS trojan uses this and other shenanigans to trick users into forking over not just credit card credentials, but Social Security numbers, personal identification numbers, and other personal info.
Here's a scary thought - while you sit there firing foam projectiles at co-workers, your USB rocket launcher could be harvesting your personal data and sending it to a snooper. What's worse, your security software would be none the wiser.
This would be an example of a hardware trojan, which up to this point were mostly considered to be modified circuits. A hacker might, for example, intercept a microchip while it's still in the factory and code subtle changes into it so that whatever device the chip goes into ends up crashing.
John Clark, Sylvain Leblanc, and Scott Knight, three computer engineers at the Royal Military College of Canada in Kingston, Ontario, set out to prove that a hardware trojan could be sent out by other means, specifically by exploiting a weakness in USB's plug-and-play functionality, New Scientist reports. Because the USB protocol blindly trusts any device being plugged in to honestly report its identity, a hacker would need only to switch it out with a compromised device that reports the same information.
To show that it was possible, the team assembled a keyboard with malicious circuitry that successfully swiped data from the hard drive and transmitted it in one of two ways - by sending out Morse code via LED flashes, and by encoding data as a subtle warbling output from the soundcard. The transmission isn't limited to these two examples, however, and could just as easily have been sent via email, but the team was more interested in seeing whether they could steal information on the sly.
"We've shown any USB device could contain a hardware trojan," says Leblanc. "Security software, if it checks USB devices at all, tends to look only for malware on USB memory sticks."
Leblanc went on to say that "you could mount a hardware trojan attack with a USB coffee-cup warmer," so the next time someone asks how you like your coffee, "malware free" might be an appropriate response.
The tech media has gone into full "told you so" mode after it was discovered that hackers managed to plant a Trojan in the popular Unreal IRC server, proving that Linux users need to worry about malware too.
"This is very embarrassing... We found that the Unreal3.2.8.1.tar.gz file on our mirrors has been replaced quite a while ago with a version with a backdoor (Trojan) in it," an announcement on the Unreal IRC forum states. "This backdoor allows a person to execute ANY command with the privileges of the user running the ircd. The backdoor can be executed regardless of any user restrictions (so even if you have passworded server or hub that doesn't allow any users in)."
While a single outbreak doesn't constitute an insecure OS platform by any stretch of the imagination, perhaps the media has a point. The announcement goes on to state that the "replacement of the .tar.gz occurred in November 2009 (at least on some mirrors)," which means it took nearly a year for it to be noticed. What most of the write-ups are insinuating -- and we'll just come out and say it -- is that perhaps this went unnoticed in the Linux community because of an arrogance that suggests the open source OS is impenetrable. Obviously that isn't the case, but despite reports you may read elsewhere, the opposite isn't true either -- Linux users needn't worry that the sky is falling because of one high-profile outbreak.
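The Unreal incident is a mirror serving a substituted archive for months, and the check that catches that class of problem is comparing every download against a digest the project publishes somewhere the mirror does not control. The script below is an added example written for this roundup; it is not code from the Unreal IRCd project or from the article. It parses a `sha256sum`-style manifest (`<hex digest>  <filename>`), streams each downloaded file through SHA-256, and reports `ok`, `MISMATCH` or `MISSING` per entry. The archive bytes and digests in `demo()` are constructed for the demonstration; the file names are placeholders.

```python
"""Verify downloaded archives against a published checksum manifest.

Added example, not the project's or the article's own code. The manifest
format is the `<hex digest>  <filename>` layout written by `sha256sum`;
the archive contents and digests used in demo() are constructed.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # read in 1 MiB blocks so large tarballs are not loaded whole


def sha256_file(path):
    """Stream a file through SHA-256 and return its hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines into {filename: digest}.

    Each entry is '<64 hex chars>  <name>' (sha256sum writes ' *name' for
    binary mode). Blank lines and '#' comments are skipped; a malformed
    line raises so a damaged manifest is never half-trusted.
    """
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, name = parts
        int(digest, 16)  # reject non-hex digests early
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_downloads(download_dir, manifest_text):
    """Return {filename: 'ok' | 'MISMATCH' | 'MISSING'} for each manifest entry.

    hmac.compare_digest keeps the comparison constant-time; the point here
    is mainly that every entry gets an explicit verdict, including files
    the manifest lists but the download directory lacks.
    """
    results = {}
    for name, want in parse_manifest(manifest_text).items():
        path = os.path.join(download_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        got = sha256_file(path)
        results[name] = "ok" if hmac.compare_digest(got, want) else "MISMATCH"
    return results


def demo():
    """Constructed scenario: one intact archive, one swapped on the mirror, one absent."""
    good = b"pretend these bytes are the genuine release tarball\n"
    tampered = good + b"# extra bytes standing in for a planted backdoor\n"
    genuine_digest = hashlib.sha256(good).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        # The manifest must come from the project itself (its own site or a
        # signed announcement), never from the mirror being checked.
        manifest = (
            f"{genuine_digest}  release-a.tar.gz\n"
            f"{genuine_digest}  release-b.tar.gz\n"
            f"{genuine_digest}  release-c.tar.gz\n"
        )
        with open(os.path.join(d, "release-a.tar.gz"), "wb") as f:
            f.write(good)       # mirror served the real file
        with open(os.path.join(d, "release-b.tar.gz"), "wb") as f:
            f.write(tampered)   # mirror served a substituted file
        # release-c.tar.gz was never downloaded, so it is reported MISSING
        return verify_downloads(d, manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

A manifest fetched from the same mirror as the tarball proves nothing, since whoever swapped the archive can swap the checksums too; the digests have to be obtained out of band or under a signature whose key was verified separately, and the check has to run before the archive is unpacked and built, since by then the substituted code has already executed.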