Tuesday, 31 July 2012
Google buying social-media startup Wildfire
Trojan:Android/DroidKungFu.C
Application:W32/Keygen
Come have Coffee and Code in Vancouver with me and Microsoft tomorrow
So John Bristowe, Developer Evangelist for Microsoft Canada will be hosting a Coffee and Code event in Vancouver tomorrow from 9 to 2 at Wicked Cafe. Come join him and fellow Microsoft peers Rodney Buike and Damir Bersinic as they sit and share their knowledge over a cup of joe.
I will be there too, and will be available if anyone wants to talk about secure coding, threat modeling with the SDL TM, or integrating AuthAnvil strong authentication into your own applications or architectures.
I do hope to see some of you there. And if I don't... I will be seeing you at #energizeIT right?
What: Coffee and Code in Vancouver
When: April 8th, 2009 from 9am - 2pm
Where: Wicked Cafe - 861 Hornby Street (Vancouver)
Team Poison teenager is sentenced to prison
A UK TEENAGER has pleaded guilty to criminal charges relating to cyber crime and has been sentenced to six months in prison for his troubles.
Junaid Hussain, 17 and of Birmingham, was the leader of the Team Poison group of hackers that infamously called the Met police anti-terrorism hotline for a bit of a giggle.
He has pleaded guilty to a conspiracy to cause a public nuisance, because when he and the rest of Team Poison were making prank calls to the Met, legitimate callers were unable to get through.
Worm:W32/Downadup.A
Rogue:W32/SystemTool
Trojan-Downloader:OSX/Flashback.I
Trojan-Dropper:OSX/Revir.C
Apple TV now includes Hulu Plus
The end of DNS-Changer
FBI's “Operation Ghost Click” was discussed earlier by my colleague Kurt here and here and now it comes to an end.
Next Monday, 9th of July, at 06:00 (MEZ) the temporary DNS servers set up by the FBI will be shut down. But there are still thousands of infected machines - one can wonder what will happen to them.
Computers in the internet have their own address - the IP-address. There are two versions:
- IPv4 which is a 32-bit address e.g. 195.122.169.23 and
- IPv6 which is a 128-bit address e.g. 2001:db8:85a3:8d3:1319:8a2e:370:7347
You can clearly see that these addresses are not so easy to remember compared to e.g. “kaspersky.com”. Therefore the “Domain Name System” was created, which translates domain names such as “kaspersky.com” to their respective IP address so that a client can connect to the server.
The DNS-Changer malware replaces the DNS-servers on the infected system with its own. FBI Press Release
The reason they do this is because it facilitates “Click Hijacking”. This is a technique where infected users are redirected to advertisement websites from the criminals and “Advertising Replacement” where on legitimate websites the advertisements were exchanged with one from the criminals.
Luckily, the FBI caught the criminals and installed temporary DNS-Servers in order to avoid a “black-out” for the mass of infected computers.
This temporary solution will come to an end on Monday when the servers are shut down. When this happens, the infected machines will no longer be able to resolve domain names in order to connect to e.g. a website.
Of course, if you know the address of the server you can still use it instead of the name, e.g. 195.122.169.23 is “securelist.com”, but this is not an easy solution.
We would like to point out that despite the big noise around this topic, there is no need to panic. The solution is rather simple - read below for more.
First of all, it might be interesting to point out that in 2012 we detected 101.964 attempts by DNSChanger malware to infect our users.
The good news is that the infections were blocked and the number of infection attempts is going down.
For instance, this map of the past week shows that the number of infection attempts/detections is decreasing. Of course, computers with no or outdated protection are still at risk of unspotted infections.
So, how to check if you are infected with DNSChanger?
The DNS Changer Working Group provides helpful information on their website - unfortunately, as we previously mentioned, the automatic check websites set up for this purpose do not work 100% reliably. So the manual solution of checking the DNS server IPs is better.
If you are infected, you can change your DNS entries to the free DNS-Servers from Google: 8.8.8.8 and 8.8.4.4. OpenDNS also offers two: 208.67.222.222 and 208.67.220.220, which we also recommend for additional security features.
The best solution is of course to install a security suite capable of detecting and cleaning the infection and fixing the DNS servers.
Since many DNSChanger infections are accompanied by TDSS, a rather nasty rootkit, you can also use our tool “Kaspersky TDSSKiller” in order to detect and delete the infection.
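As an added example, not part of the original post, the following C# program performs the manual check described above: it enumerates the DNS servers configured on each active network interface and flags any that fall inside a caller-supplied set of address ranges, naming the Google and OpenDNS resolvers from the post as replacements. The rogue ranges in the code are placeholders (RFC 5737 documentation blocks), since the post does not list the real DNSChanger ranges; take those from the DNS Changer Working Group.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.NetworkInformation;

// Added example (not Kaspersky's code): lists the resolvers each interface
// uses and flags any inside the supplied rogue ranges.
static class DnsResolverCheck
{
    // PLACEHOLDER ranges in CIDR notation. These are RFC 5737 documentation
    // blocks standing in for the real DNSChanger ranges, which this post omits.
    public static readonly string[] PlaceholderRogueRanges =
    {
        "192.0.2.0/24",
        "198.51.100.0/24",
    };

    // Replacement resolvers recommended in the post (Google, then OpenDNS).
    public static readonly string[] RecommendedResolvers =
        { "8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220" };

    // True if the address lies inside the CIDR block (IPv4 or IPv6).
    public static bool InCidr(IPAddress address, string cidr)
    {
        var parts = cidr.Split('/');
        var network = IPAddress.Parse(parts[0]);
        int prefix = int.Parse(parts[1]);
        if (address.AddressFamily != network.AddressFamily) return false;
        byte[] a = address.GetAddressBytes(), n = network.GetAddressBytes();
        for (int i = 0; i < prefix; i++)
        {
            int bit = 0x80 >> (i % 8);
            if ((a[i / 8] & bit) != (n[i / 8] & bit)) return false;
        }
        return true;
    }

    public static bool IsRogue(IPAddress address, IEnumerable<string> rogueRanges) =>
        rogueRanges.Any(r => InCidr(address, r));

    // Enumerates the configured resolvers of every interface that is up.
    public static IEnumerable<(string Interface, IPAddress Server)> ConfiguredResolvers()
    {
        foreach (var nic in NetworkInterface.GetAllNetworkInterfaces())
        {
            if (nic.OperationalStatus != OperationalStatus.Up) continue;
            foreach (var dns in nic.GetIPProperties().DnsAddresses)
                yield return (nic.Name, dns);
        }
    }

    static void Main()
    {
        bool suspicious = false;
        foreach (var (name, server) in ConfiguredResolvers())
        {
            bool rogue = IsRogue(server, PlaceholderRogueRanges);
            suspicious |= rogue;
            Console.WriteLine($"{name,-30} {server,-40} {(rogue ? "ROGUE RANGE" : "ok")}");
        }
        if (suspicious)
            Console.WriteLine("Replace the flagged resolvers with e.g. " +
                              string.Join(", ", RecommendedResolvers));
        else
            Console.WriteLine("No resolver matched the supplied rogue ranges.");
    }
}
```

A resolver that matches only tells you the setting is wrong; the post's advice to run a cleaner such as TDSSKiller still applies, because the malware that changed it may still be present.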
Backdoor:W32/Spyrat.D
Worm:ACAD/Kenilfe.A
Featured apps from the Appolicious community of Android developers
The Madi Campaign - Part I
Together with our partner, Seculert, we’ve thoroughly investigated this operation and named it “Madi”, based on certain strings and handles used by the attackers. You can read the Seculert analysis post here.
The campaign relied on a couple of well-known, simpler attack techniques to deliver the payloads, which reveals a bit about the victims’ online awareness. Large amounts of collected data reveal the focus of the campaign on Middle Eastern critical infrastructure engineering firms, government agencies, financial houses, and academia. Individuals within this victim pool and their communications were selected for increased monitoring over extended periods of time.
This post is an examination of the techniques used to spread the Madi malware to victim systems, the spyware tools used, and quirks about both. In some cases, targeted organizations themselves don't want to provide further breach information about the attack, so some perspective into the parts of the campaign can be limited.
Find and Call: Leak and Spam
Yesterday we were contacted by our partner MegaFon, one of the major mobile carriers in Russia. They notified us about a suspicious application, which was found in both the Apple App Store and Google Play. At first glance, this seemed to be an SMS worm spread via sending short messages to all contacts stored in the phone book with the URL to itself.
However, our analysis of the iOS and Android versions of the same application showed that it’s not an SMS worm but a Trojan that uploads a user’s phonebook to a remote server. The 'replication' part is done by the server - SMS spam messages with the URL to the application are sent from the remote server to all the contacts in the user’s address book.
The application is called ‘Find and Call’ and can be found in both the iOS Apple App Store and Android’s Google Play. We’ve already informed both Apple and Google but we haven’t received an answer yet.
Find and Call in the Apple Store
Find and Call in the Google Play
All user comments (both in Apple Store and Google Play) are pretty angry and contain the same complaint that the app sends SMS spam:
Angry Birds comments
Monday, 30 July 2012
Congressional Privacy Caucus clamps down on data brokers
Other:W32/Generic
IPhone appeal dims as Samsung shines
The once-sexy iPhone is starting to look small and chubby.
Pen and sword equally mighty for science fiction's Stephenson
Exploit:W32/D-Encrypted.Gen
Rootkit:W32/Zxshell.B
New APT Attack Shows Technical Advance in Exploit Development
Recently, we came by an interesting targeted attack which was evading most antivirus products. This is a recent spearphish targeting various Tibetan and human rights activists. It demonstrates the level of effort put into infiltrating their groups with some unique characteristics, relative to the many other exploits targeting CVE-2012-0158. Here’s how such e-mails appear:
How hackers steal bank details from chip and pin machines
Security flaws have been identified in some chip and PIN terminals which, it is suggested, allow thieves to download a customer's personal card details.
As a result, it is claimed that thousands of terminals, commonly found in shops and restaurants, will now have to be re-programmed.
Other:W32/False Positive
Defcon 20: Skillz, thrills for the whole hacker family
Critics assail 1980s-era hacking law as out of step
A 1984 U.S. anti-hacking law passed when computer crime was in its infancy is under fire for potentially going too far in criminalizing the actions of employees who violate workplace policies.
Packed:W32/PeCan.A
The Flame: Questions and Answers
Duqu and Stuxnet raised the stakes in the cyber battles being fought in the Middle East - but now we’ve found what might be the most sophisticated cyber weapon yet unleashed. The ‘Flame’ cyber espionage worm came to the attention of our experts at Kaspersky Lab after the UN’s International Telecommunication Union came to us for help in finding an unknown piece of malware which was deleting sensitive information across the Middle East. While searching for that code - nicknamed Wiper - we discovered a new malware codenamed Worm.Win32.Flame.
Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different, the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities seems to put it alongside those familiar ‘super-weapons’ currently deployed in the Middle East by unknown perpetrators. Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage.
For the full low-down on this advanced threat, read on…
General Questions
What exactly is Flame? A worm? A backdoor? What does it do?
Flame is a sophisticated attack toolkit, which is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.
The initial point of entry of Flame is unknown - we suspect it is deployed through targeted attacks; however, we haven’t seen the original vector of how it spreads. We have some suspicions about possible use of the MS10-033 vulnerability, but we cannot confirm this now.
Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. All this data is available to the operators through the link to Flame’s command-and-control servers.
Later, the operators can choose to upload further modules, which expand Flame’s functionality. There are about 20 modules in total and the purpose of most of them is still being investigated.
Big Brother
It seems that development of the main module of SpyEye stopped with last autumn’s version 1.3.48 - and this is now the dominant strain of SpyEye malware.
SpyEye distribution by versions for the period since 1 January 2012*
* Others (7%) includes: 1.2.50, 1.2.58, 1.2.71, 1.2.80, 1.2.82, 1.2.93, 1.3.5, 1.3.9, 1.3.25, 1.3.26, 1.3.30, 1.3.32, 1.3.37, 1.3.41, 1.3.44.
But just because the authors are not developing this platform further, it doesn’t mean that SpyEye is no longer getting new functions. The core code allows anyone to create and attach their own plugins (DLL libraries). I’ve been analyzing SpyEye samples since the start of the year, and I’ve counted 35 different plugins. Below you can see a table with those plugins and the corresponding number of samples in which they were included:
Sunday, 29 July 2012
Cell phone battery catches fire, burns hacker's tail at Defcon
A cell phone battery spontaneously caught fire today, burned through a Defcon attendee's back pants pocket, and fell on the floor, creating burn spots on a carpet and leaving a burn-hole in the attendee's chair.
The man, who asked not to be identified, was not harmed but his trousers were ruined. He told CNET that he was sitting in a session at Defcon around 11:30 a.m. PT when he started to smell something burning and felt some heat underneath him on his seat. He stood up to find that his back left pocket was on fire.
Phishing at the Top Level
Trojan-Downloader:OSX/Flashback.A
Skype is not helping the feds spy on its users, it says
Application:W32/Keygen
Congressional Privacy Caucus takes aim at data brokers
GPS Weakness Could Enable Mass Smartphone Hacking
Weaknesses in the technology that allows smartphone users to pinpoint themselves on a map, or check into restaurants and bars using apps such as Foursquare, could allow those users to be tracked remotely.
Ralf-Philipp Weimann, a researcher at the University of Luxembourg, reported this finding at the Black Hat computer security conference in Las Vegas yesterday. He believes that the complex mechanism by which phones get location fixes likely also hides vulnerabilities that could allow the mechanism to be used to install and run malicious code on the device.
Microsoft: Update Java or kill it
Microsoft has decided enough is enough: Java-based malware sees no end and it's time to do something about it. The software giant points to two type-confusion vulnerabilities (CVE-2012-0507 and CVE-2012-1723) that have been very actively exploited in recent months. Redmond thus wants you to do one of three things: update Java, disable it, or uninstall it.
Backdoor:W32/Binanen.A
Ex-FBI agent tells hackers to 'step up' against cyberattacks
iOS app hacking alive and well
Monitoring-Tool:Android/SimChecker.A
Meet 'Rakshasa,' The Malware Infection Designed To Be Undetectable And Incurable
Malicious software, like all software, gets smarter all the time. In recent years it's learned to destroy physical infrastructure, install itself through Microsoft updates, and use human beings as physical "data mules," for instance. But researcher Jonathan Brossard has innovated a uniquely nasty coding trick: a strain of malware that's nearly impossible to disinfect.
Backdoor:OSX/Imuler.A
Saturday, 28 July 2012
Hacker delves into secret world of warranties
Apple iOS Black Hat talk had bark, but no bite
Apple's much-ballyhooed first-ever talk at the Black Hat conference lacked any of the fireworks that the standing-room only crowd had been hoping for.
Dallas De Atley, manager of the platform security team at Apple, presented "iOS Security", the simply (but blandly by Black Hat standards) titled talk on Thursday morning. But it only took a few seconds to realize that that was Apple's plan. The company is uncomfortable publicly speaking about its security posture, so a talk like this was going to be all business from start to finish.
Who is attacking me?
Browsing is a risky activity from a security point of view. The good old times when we could identify a bunch of suspicious sites and avoid them are gone forever. Massive infections of websites are common nowadays, blindly infecting as many sites as possible. Once these sites are compromised, the access is usually sold to cybercriminals. At this point the site hosts malware or redirects victims to some exploit kit.
We have seen this hundreds of times; a recent example is the distribution of Flashfake through compromised WordPress blogs.
Thanks to KSN we have nice stats of the sites browsed by our customers and detected as malicious. And thanks to KIS/KAV protection, users can happily continue browsing without further inconvenience.
I have been analyzing compromised sites under the .ES TLD during the last month, wondering what the most dangerous sites for Spanish users are. These are the top 5 verdicts:
The Dark Knight Rises doesn't fall short of expectations
Trioh! The Flashlight You Can See When The Power Goes Out
Hacking, the card game, debuts at Black Hat
D.C. chief allows citizens to record and photograph police
Rootkit:W32/ZAccess
Trojan:BASH/QHost.WB
Coding Tip: Why you should always use well known SIDs over usernames for security groups
So have you ever tried to restrict access to your applications in a way so that you can maintain least privilege?
I do. All the time. And recently it blew up in my face, and I want to share my experience so others can learn from my failure.
Let me show you a faulty line of code:
if( principal.IsInRole( "Administrators" ) )
Seems rather harmless doesn't it? Can you spot the defect? Come on... its sitting right in the subject of this post.
Checking to see if the current user is in the "Administrators" group is a good idea. And using WindowsPrincipal is an appropriate way to do it. But you have to remember that not EVERYONE speaks English. In our particular case, we found a customer installed our product using English, but had a user with a French language pack. Guess what... the above code didn't work for them. Why? Because the local administrators group is actually "Administrateurs".
The fix is rather trivial:
SecurityIdentifier sid = new SecurityIdentifier( WellKnownSidType.BuiltinAdministratorsSid, null );
if (principal.IsInRole(sid))
By using the well known SID for the Administrators group, we ensure the check regardless of the name or language used.
Lesson learned the hard way for me. We have an entire new class of defect we are auditing for, which we have found in several places in our code. It always fails securely, NOT letting them do anything, but that's not the point. It is still a defect. Other accounts we weren't considering were "Network Service" (it's an ugly name on a German target) and "Guest". Just to name a few.
Hope you can learn from my mistake on that one. That's a silly but common error you may or may not be considering in your own code.
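As an added example, not the post's own code, here is the SID-based check generalized to the other accounts the post names (Guests, Network Service), with each SID translated back to its local account name to show what a string comparison would have had to match on that particular machine. It assumes .NET on Windows; the labels and the helper names are the example's own.

```csharp
using System;
using System.Security.Principal;

// Added example (not the original post's code). Membership checks compare
// SIDs, so they behave the same on English, French or German systems.
static class WellKnownSidChecks
{
    // Well-known SIDs paired with a fixed label; the label never depends on
    // the localized name ("Administrators" vs "Administrateurs").
    static readonly (WellKnownSidType Type, string Label)[] Groups =
    {
        (WellKnownSidType.BuiltinAdministratorsSid, "Builtin Administrators (S-1-5-32-544)"),
        (WellKnownSidType.BuiltinGuestsSid,          "Builtin Guests (S-1-5-32-546)"),
        (WellKnownSidType.NetworkServiceSid,         "Network Service (S-1-5-20)"),
    };

    // Locale-independent membership test: the fix from the post.
    public static bool IsMember(WindowsPrincipal principal, WellKnownSidType type)
    {
        var sid = new SecurityIdentifier(type, null);
        return principal.IsInRole(sid);
    }

    // The faulty pattern from the post, kept only to show the contrast.
    // On a non-English system the name does not exist, so this is always false.
    public static bool IsMemberByName(WindowsPrincipal principal, string groupName)
    {
        return principal.IsInRole(groupName);
    }

    // Resolves a well-known SID to the account name on this machine, which is
    // what the string-based check would silently have had to match.
    public static string LocalName(WellKnownSidType type)
    {
        var sid = new SecurityIdentifier(type, null);
        try { return sid.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { return "<not mapped on this host>"; }
    }

    static void Main()
    {
        var principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        foreach (var (type, label) in Groups)
        {
            Console.WriteLine($"{label,-42} local name: {LocalName(type),-32} member: {IsMember(principal, type)}");
        }
        // Compare the two approaches for the Administrators group.
        Console.WriteLine($"By SID:  {IsMember(principal, WellKnownSidType.BuiltinAdministratorsSid)}");
        Console.WriteLine($"By name: {IsMemberByName(principal, "Administrators")}");
    }
}
```

Run it once under a localized language pack: the SID-based result stays the same while the name-based one flips to false, which is exactly the "fails securely but still a defect" behaviour the post describes.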
Trojan:Android/BaseBridge.A
Friday, 27 July 2012
Trojan:Android/AutoSPSubscribe.A
Microsoft SDL bans memcpy()... next it will be zeros!!!!
So recently Microsoft banned memcpy() from their SDL process, which got several of us talking about perf hits and the like when using the replacement memcpy_s, especially since it has SAL mapped to it. For those that don't know, SAL is the "Standard Annotation Language" that allows programmers to explicitly state the contracts between params that are implicit in C/C++ code. I have to admit it's sometimes hard to read SAL annotations, but it works extremely well to help compilers know when things won't play nice. It is great for static code analysis of args in functions, which is why it works so sweet for things like memcpy_s()... as it will enforce checks for length between buffers.
Anyways, during the discussion Michael Howard said something that had me fall off my chair laughing. And I just had to share it with everyone, because I think it would make a great tshirt in the midst of this debate:
Oh, I'm thinking of banning zero's next - so we can no longer have DIV/0 bugs! Waddya think?
OK.. so it's a Friday and that is funny to only a few of us. Still great fun though.
Have a great long weekend! (For you Canadian folks that is)
Virus:W32/Ramnit.N
Flame: Bunny, Frog, Munch and BeetleJuice?
Thunderstruck! A tale of malware, AC/DC, and Iran's nukes
Trojan-Dropper:OSX/Revir.A
Galaxy phones drive Samsung to record profit again
Samsung, the world's largest technology company by revenue, reported another record-high quarterly profit as customers flocked to Galaxy smartphones, helping it outdo rivals at a challenging time for the global tech industry.
Oakland police radios failed during Obama visit
Exploit:Java/Blackhole
Thursday, 26 July 2012
Backdoor:OSX/Sapbap.A
Researcher uses NFC to attack Android, Nokia smartphones
Early HIV Treatment Might Save Livelihoods as Well as Lives
Adware:W32/ClickPotato.A
Worries about future pummel Zynga shares
The Roof Is on Fire: Tackling Flame's C&C Servers
On Sunday, May 27 2012, the Iranian MAHER CERT posted a note announcing the discovery of a new targeted attack dubbed “Flamer”. On Monday 28 May 2012 at 9am EST, after an investigation prompted and supported by the International Telecommunication Union, Kaspersky Lab and CrySyS Lab from Hungary announced the discovery of Flame (aka Skywiper), a sophisticated cyber-espionage toolkit primarily targeting Windows computers in the Middle East.
Several hours later, around 4PM GMT, the Flame command-and-control infrastructure, which had been operating for years, went dark.
For the past weeks, Kaspersky Lab has been closely monitoring the C&C infrastructure of Flame. In collaboration with GoDaddy and OpenDNS, we succeeded in sinkholing most of the malicious domains used by Flame for C&C and gained a unique perspective into the operation.
Before going further, Kaspersky Lab would like to thank the “GoDaddy Network Abuse Department” and to William MacArthur for their fast reaction and exceptional support of this investigation. The OpenDNS security research team also offered invaluable assistance during the course of this investigation.
Our findings from analysing the infrastructure can be found below.
Introduction
Since both Flame and Duqu appear to be targeting similar geographical regions and have been created with similar goals in mind, we will provide an analysis from the point of view of comparing the Flame C&C infrastructure with the Duqu infrastructure.
In the past, Kaspersky Lab analyzed the Duqu C&C infrastructure and found several important details, such as the attackers’ preference for CentOS, the use of SharpSSH to control the proxy servers and the huge number of hacked proxies used to hide the true identity of the attackers.
In the case of Flame, we performed a similar analysis. First of all, it’s interesting to point out a big difference from Duqu: while all the Duqu C&C proxies were CentOS Linux hosts, all of the known Flame C&C servers are running Ubuntu.
Additionally, while Duqu used the super stealthy way of hiding the true IP of the mothership using SSH port forwarding, Flame’s scripts are simply running on the respective servers. The reason is simple - on Monday May 28, all control scripts started returning 403/404 errors. In the case of Duqu, the real malware scripts were on a remote server and were never found.
From this point of view, we can state that the Duqu attackers were a lot more careful about hiding their activities compared to the Flame operators.
Here’s a comparison of the Duqu and Flame C&C infrastructure:
| | Duqu | Flame |
|---|---|---|
| Server OS | CentOS Linux | Ubuntu Linux |
| Control scripts | Running on remote server, shielded through SSH port forwarding | Running on servers |
| Number of victims per server | 2-3 | 50+ |
| Encryption of connections to server | SSL + proprietary AES-based encryption | SSL |
| Compression of connections | No | Yes, Zlib and modified PPMD |
| Number of known C&C domains | n/a | 80+ |
| Number of known C&C IPs | 5 | 15+ |
| Number of proxies used to hide identity | 10+ | Unknown |
| Time zone of C&C operator | GMT+2 / GMT+3 | Unknown |
| Infrastructure programming | .NET | Unknown |
| Locations of servers | India, Vietnam, Belgium, UK, Netherlands, Switzerland, Korea, etc. | Germany, Netherlands, UK, Switzerland, Hong Kong, Turkey, etc. |
| Number of built-in C&C IPs/domains in malware | 1 | 5, can update list |
| SSL certificate | self-signed | self-signed |
| Servers status | Most likely hacked | Most likely bought |
| SSH connections | no | yes |