malware

Malicious emails sent in German on behalf of the Post

German users are receiving a lot of such spam these days: it is about a package whose transport costs (2 €) allegedly have not been paid. The user is invited to visit a page where this can be paid.

Track your package: DE3428632-19 STATUS: PROCESSING – DISTRIBUTION CENTRE BERLIN – Transport costs OF 2,00 € were not paid DELIVERY AFTER PAYMENT PAY DELIVERY COSTS

Needless to say, this is not the usual way packages are handled, so whoever sent the spam has no idea how things work. The link goes to a page delivering a malicious payload.

This is how the email looks:

Observe the items marked in blue. The spammers either lack skills, or they think that the users are idiots, or they are idiots themselves. The body of the email is one single line of Base64-encoded text. It appears to be sent from an AWS account.

Received: from domain.com (ec2-52-193-124-80.us-west-1.compute.amazonaws.com [35.181.165.41]) by mx.google.com with ESMTP id d8si40042704pgv.61.2019.07.23.01.00.43 for ; Fri, 24 Jan 2020 12:43:25 -0500 (EST)
Received: from smtp.J51G83V9.org (enr2-mrelay-01.ad4123fb38497b9631680eea23dbd0b2.org. ) by mx.google.com with ESMTP id t6si5997511qvm.25.2019.02.12.06.38.06 for ; Fri, 24 Jan 2020 12:43:25 -0500 (EST)
Received: from pdr8-services-05v.prod.J51G83V9.org (HELO…


Awesome Malware Analysis – Resources

Source and credit: https://github.com/rshipp/awesome-malware-analysis

I save it here for easier reference. Do note that this list grows a lot!

A curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php.

Awesome Malware Analysis
Malware Collection
Anonymizers
Honeypots
Malware Corpora
Open Source Threat Intelligence
Tools
Other Resources
Detection and Classification
Online Scanners and Sandboxes
Domain Analysis
Browser Malware
Documents and Shellcode
File Carving
Deobfuscation
Debugging and Reverse Engineering
Network
Memory Forensics
Windows Artifacts
Storage and Workflow
Miscellaneous
Resources
Books
Twitter
Other
Related Awesome Lists
Contributing
Thanks

Malware Collection

Anonymizers
Web traffic anonymizers for analysts.
Anonymouse.org – A free, web based anonymizer.
OpenVPN – VPN software and hosting solutions.
Privoxy – An open source proxy server with some privacy features.
Tor – The Onion Router, for browsing the web without leaving traces of the client IP.

Honeypots
Trap and collect your own samples.
Conpot – ICS/SCADA honeypot.
Cowrie – SSH honeypot, based on Kippo.
Dionaea – Honeypot designed to trap malware.
Glastopf – Web application honeypot.
Honeyd – Create a virtual honeynet.
HoneyDrive – Honeypot bundle Linux distro.
Mnemosyne – A normalizer for honeypot data; supports Dionaea.
Thug – Low interaction honeyclient, for investigating malicious…


About ransomware, Google malvertising and Fraud

I am sick and tired of seeing so many people affected by this wave of ransomware attacks. I don’t want to go into details about ransomware like Locky because quite a lot has already been written about it. The most common way that Locky arrives is as follows: you receive an email containing an attached document. The document advises you to enable macros “if the data encoding is incorrect.” If you enable macros, you don’t actually correct the text encoding (that’s a subterfuge); instead, you run code inside the document that saves a file to disk and runs it. The saved file serves as a downloader, which fetches the final malware payload from the crooks. The final payload could be anything, but in this case it is usually the Locky ransomware. Read more details here (NakedSecurity of Sophos).

Now, desperate people who have just had all their documents encrypted by Locky search the web for possible solutions. Remember: Locky scrambles any files in any directory on any mounted drive that it can access, including removable drives that are plugged in at the time, or network shares that are accessible, including servers and other people’s computers, whether they are running Windows, OS X…


How you can see that the cyber crooks are preparing for XMas

I start this post with the conclusion: Don’t fall for these scams! You will never get money or vouchers like this.

Details

I see a lot of these messages in my Spam folder:

1. PayPal payment received

Hi, Your account has been credited with $563.50 Click Here to Claim If you don’t want to get any more e-mails please Unsubscribe

2. Malware as invoice

Dear Customer Your invoice appears below. Please remit payment at your earliest convenience. Thank you for your business – we appreciate it very much. Sincerely, Dwain Dale Courier Service

3. Received Google Voucher

Hi, You have just received a Google Voucher of $500, claim below: ==> Claim Now If you don’t want to get any more e-mails please Unsubscribe

4. Shipping update for your Amazon.com order

And many more…


Where PC security and Automotive security meet

Yesterday I visited the IAA in Frankfurt. IAA stands for International Automobile Exhibition and takes place every year in Frankfurt, Germany. This is the place where every year the latest cars are presented, but also the newest technologies around cars. This year it was a lot about mobility, interaction, autonomous parking and driving, interconnectivity between cars and IoT. I approached the car parts suppliers more than the car manufacturers. For us it was more interesting to get involved with the devices that are easily and directly attackable: things like entertainment systems, connected devices in the car, GPS devices, etc.

Challenges: Nobody from the car manufacturers or car parts suppliers wants to openly speak about security. Speaking about security is like bringing “bad luck” on them. Why speak about something that nobody wants to happen? 🙂 The most used argument by the car components suppliers was: “Why would anyone hack us/our device? They don’t have anything to gain.”

About security in the car

Here is the list of things that can happen if a device in the car, or a car, is hacked: Accidents can be caused if the car detects that the speed limit is 50 KMH, a hacker…


Spam with a malicious taste (update)

This post appeared originally in the IT Security blog: http://itsecurity.co.uk/2015/03/spam-malicious-taste/

I haven’t seen a well-done, complex spam with a malicious payload in a while. This one appears to be addressed to the first name of the email recipient. As you can see in the subject, it is addressed to “SORIN” since my email address is sorin.mustaca@… The spam contains a nice piece of social engineering which creates enough curiosity in the reader to open the attached archive.

The archive is called “Notice_to_appear_in_court_<random number>.zip”. The only file in the archive is an extremely obfuscated JavaScript file: Notice_to_Appear_000483082.doc.js. First of all, I asked myself why a ZIP with a JS in it? ZIP is natively supported by Windows Explorer. If you have a ZIP archive, it will be automatically opened as a folder and you can execute any file in it. JS is executed by the Windows Script Host without any HTML page to interpret it. Smart, I have to agree. Now, there are some things which ruined my amazement at this spam after I executed it in a VM.

It doesn’t work… 🙂

Apparently, due to a programming error, a function is called recursively without any limit. I didn’t spend any time…



BSI IT Security Report 2014 – attacks on industrial objectives

BSI (Federal Office for Information Security) published the “IT Security Report 2014” (in German), a document with 40 pages of information and reports on cyber security. Probably the most interesting parts of the report are those in Chapter 3.3 – Security Incidents in the industry. Section 3.3.1 reports on an APT (Advanced Persistent Threat) attack on a steel factory in Germany. The attack was, as usual, conducted via spear-phishing and social engineering targeting the office employees of the steel factory. Check out this link to see the 28 steel factories in Germany (I can’t guarantee that the number is correct).

After the office network was penetrated and malware was running on the computers inside the company network, the attackers went a step further and successively infected computers in the factories. What happened next is a matter which can be truly understood by security experts in ICS/ACS. If you don’t know what that means, read further. Industrial Control Systems (ICS) are those systems that control entire systems in factories, consisting of computers and devices that belong to the production – in this case, furnaces and their control systems. BSI mentions that the malware attack on the CS of the furnace produced “massive damages to the…



Why the Security of USB Is NOT Fundamentally Broken

I am very, very unhappy about the Fear, Uncertainty and Doubt (FUD) created by Karsten Nohl and Jakob Lell, who will present their findings, as well as proof-of-concept software, at the Black Hat conference in Las Vegas this August. What makes me unhappy is how easily they generalize the fact that in some extraordinary circumstances some bad things can happen. “In this new way of thinking, you can’t trust a USB just because its storage doesn’t contain a virus. Trust must come from the fact that no one malicious has ever touched it,” Nohl said. “You have to consider a USB infected and throw it away as soon as it touches a non-trusted computer.”

What is the story? Read the original article here: http://www.wired.com/2014/07/usb-security/

This is the most interesting part: The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average…



Signs that your smartphone is potentially infected with malware

1. You notice that you pay more than usual for your mobile phone bill
This is a sign that some trojan might be sending SMSs or making phone calls to super expensive phone numbers overseas.

2. Data usage increase
Malware usually sends data to the cybercriminals. If you notice an increase in data usage, or if your provider is slowing down your data transfer because you consumed too much, it might be a sign that malicious software is communicating without your knowledge.

3. Calls are interrupted often and SMSs don’t reach their destination
Even if you see that you have maximum reception, sometimes the most basic functions of the phone don’t work reliably. Sometimes malware tries to intercept the calls and even re-route them to more expensive numbers or through proxies.

4. Battery consumption grows unexpectedly
If you notice that the battery drains without you using your phone more than usual, there might be some program residing in active memory. Such programs can be trojans that try to intercept the calls and SMSs you make.

5. Bad overall performance of the smartphone
If your smartphone becomes slower than usual and apps take much longer to start and function, something…



Virus Bulletin International Conference 2011

The VB2011 – the 21st Virus Bulletin International Conference – took place between 5-7 October 2011 in Barcelona, Spain. The city of Barcelona is a wonderful place to be. Pity that I didn’t have enough time to see all of its wonders.

Here is the article about the opening of the conference.

Here are the reports from the three days of the conference: Day 1 Day 2 Day 3

