(via Critical app flaw bypasses screen lock on up to 100 million Android phones | Ars Technica)
A critical flaw in an Android app downloaded as many as 100 million times allows attackers to take full control of handsets even when they’re protected by screen locks.
The vulnerability in the Skype rival known as Viber affects Android smartphone brands such as Samsung, Sony, and HTC, according to a blog post published Tuesday by Bkav Internet Security. Although attack techniques differ from model to model, they all exploit programming logic in the way Viber handles popup messages, researchers with the company wrote.
A spokesman for Viber Media, maker of the affected app, said company officials learned of the vulnerability on Wednesday and plan to release a fix next week.
“In the meantime, anyone concerned about this issue can resolve it by disabling Pop-up Notifications in the Android version of Viber,” Viber said in a statement issued to Ars. “This can be done by going to Viber Settings and choosing to disable—’New Message Pop-Up…’”
(via Malware spread on Skype taps victim PCs to mint bitcoins | Ars Technica)
As the value of bitcoins skyrockets, security researchers have discovered yet another piece of malware that harnesses the processing power of compromised PCs to mint the digital currency.
BTCs, as individual bitcoin units are known, have recently traded as high as $130, about four times their value from February. In Bitcoin vernacular, BTCs are “mined” by computers that solve cryptographic proof-of-work problems. For each correct block of data submitted, contributors are collectively rewarded with 25 bitcoins. Legitimate participants, who typically receive a percentage of the reward based on the number of blocks processed, often use powerful systems with multiple graphics processors to streamline the process.
But scammers spreading malware on Skype are taking a decidedly more nefarious approach. Their malicious code hijacks a computer’s resources to mine BTC, according to a blog post published Thursday by a researcher from Kaspersky Lab. While the bitcoin-miner.exe malware harnesses only the CPU resources, which are much slower than GPUs in BTC mining, the attackers have the benefit of infecting many computers and then chaining them together to mint the digital currency. Unlike legitimate miners, the criminals don’t have to pay the purchase price of the hardware or pay for the electricity to run them.
Bitcoin-mining malware has been circulating for almost two years now. Some versions actually tap infected computers’ GPUs and can even run on OS X Macs.
The malware spotted by Kaspersky is most likely just a copycat phenomenon, but there’s reason to think it hasn’t been a waste of time for the people who created it. The bit.ly URL that had been hosting the malware was receiving more than 2,000 clicks per hour just prior to the Kaspersky blog post going live. That’s a fair amount of distributed computing power.
“As I said, the campaign is quite active,” Kaspersky Lab Expert Dmitry Bestuzhev wrote. “If you see your machine is working hard, using all available CPU resources, you may be infected.”
(via Exclusive: Ongoing malware attack targeting Apache hijacks 20,000 sites | Ars Technica)
Tens of thousands of websites, some operated by The Los Angeles Times, Seagate, and other reputable companies, have recently come under the spell of “Darkleech,” a mysterious exploitation toolkit that exposes visitors to potent malware attacks.
The ongoing attacks, estimated to have infected 20,000 websites in the past few weeks alone, are significant because of their success in targeting Apache, by far the Internet’s most popular Web server software. Once it takes hold, Darkleech injects invisible code into webpages, which in turn surreptitiously opens a connection that exposes visitors to malicious third-party websites, researchers said. Although the attacks have been active since at least August, no one has been able to positively identify the weakness attackers are using to commandeer the Apache-based machines. Vulnerabilities in Plesk, Cpanel, or other software used to administer websites are one possibility, but researchers aren’t ruling out the possibility of password cracking, social engineering, or attacks that exploit unknown bugs in frequently used applications and OSes.
Researchers also don’t know precisely how many sites have been infected by Darkleech. The server malware employs a sophisticated array of conditions to determine when to inject malicious links into the webpages shown to end users. Visitors using IP addresses belonging to security and hosting firms are passed over, as are people who have recently been attacked or who don’t access the pages from specific search queries. The ability of Darkleech to inject unique links on the fly is also hindering research into the elusive infection toolkit.
“Given that these are dynamically generated, there would be no viable means to do a search to ferret them out on Google, etc.,” Mary Landesman, a senior security researcher for Cisco Systems’ TRAC team, told Ars. “Unfortunately, the nature of the compromise coupled with the sophisticated conditional criteria presents several challenges.”
The injected HTML iframe tag is usually constructed as IP address/hex/q.php. Sites that deliver such iframes that aren’t visible within the HTML source are likely compromised by Darkleech. Special “regular expression” searches such as this one helped Landesman ferret out reported iframes used in these attacks. Note that while the iframe reference is formed as IP/hex/q.php, the malware delivery is formed as IP/hex/hex/q.php…
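A defender-side check for the pattern described above, as an added example that is not from the article or from Cisco's researchers: it compares a page's on-disk source with what the server actually delivered and reports iframes that appear only in the served copy and match the IP/hex/q.php or IP/hex/hex/q.php shape. The function names, the sample HTML and the reading of "hex" as one or more hexadecimal characters are assumptions.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: "hex" is one or more hexadecimal characters (the page gives no length).
HEX_PATH = re.compile(r"^/((?:[0-9a-fA-F]+/){1,2})q\.php$")

def classify_url(url):
    """Return 'iframe-reference' (IP/hex/q.php), 'malware-delivery'
    (IP/hex/hex/q.php), or None when the URL matches neither shape."""
    try:
        parts = urlsplit(url if "//" in url else "//" + url)
        ipaddress.IPv4Address(parts.hostname or "")  # host must be a literal IPv4
    except ValueError:
        return None
    m = HEX_PATH.match(parts.path)
    if not m:
        return None
    return "iframe-reference" if m.group(1).count("/") == 1 else "malware-delivery"

class _IframeSources(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.sources.extend(v for k, v in attrs if k == "src" and v)

def iframe_sources(html):
    parser = _IframeSources()
    parser.feed(html)
    return parser.sources

def injected_iframes(source_html, served_html):
    """Iframes present in the served page but absent from the on-disk source
    whose URL matches one of the two shapes above."""
    known = set(iframe_sources(source_html))
    hits = []
    for src in iframe_sources(served_html):
        kind = classify_url(src)
        if src not in known and kind:
            hits.append((src, kind))
    return hits

# Constructed sample: 203.0.113.7 is a documentation address, the hex is made up.
SOURCE = '<html><body><iframe src="https://example.com/player"></iframe></body></html>'
SERVED = SOURCE.replace(
    "</body>",
    '<iframe src="http://203.0.113.7/5f3a9c01d2e4b6a8/q.php" width="1" height="1"></iframe></body>',
)
```

Because the article says injection is conditional on the visitor's IP address and referring search query, a clean result from a single fetch does not clear a server.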
Malware used to spy on Tibetan activists and other ethnic groups in China is nothing new. But a new Trojan discovered by researchers at Kaspersky Labs has widened the scope of this digital espionage and intimidation. The malware uses a combination of e-mail hacking, “spear phishing,” and a Trojan built specifically for Android smartphones. Kaspersky claims this is the first discovery of a targeted attack that uses mobile phone malware.
On March 25, the e-mail account of a Tibetan activist was hacked and then used to distribute Android malware to the activist’s contact list. The e-mail’s lure was a statement on the recent conference organized by the World Uyghur Congress that brought together Chinese democracy activists and Tibet, Southern Mongolia, and East Turkestan human rights activists. The e-mail claimed to have an attachment that was a joint letter from WUC, the Unrepresented Nations and Peoples Organization, and the Society for Threatened Peoples. If the targets opened the attachment, however, they received malware packaged in an Android APK file.
When opened, the Trojan installs an app called “Conference” on the Android devices’ desktops. If the app is launched, it displays a fake message from the chairman of the WUC—while sending back a message to a command and control server to report its successful installation. The malware provides a backdoor to the device via SMS messages sent by the server. On command, it returns the phone’s contact lists, call logs, data about the smartphone, its geo-location data, and any SMS messages stored on it to a server via a Web POST upload.
The server itself is running on a Chinese-language configured Windows Server 2003 machine sitting in a data center in Los Angeles. In addition to providing an upload point for the data stolen from Android devices, it also hosts more Android malware in its home page and provides a public Web interface (in Chinese) that allows direct control over phones that have been infected with the malware. While the server itself is at an IP address registered to a company called Emagine Concept, a domain pointed at the machine is registered to Shanghai Meicheng Technology Information Development Co., Ltd., a Chinese company with a contact in Beijing.
A day after Russian anti-virus firm Doctor Web highlighted an adware Mac trojan called “Yontoo,” Apple has moved to block it. Confirmed by Intego, Apple has updated the definitions included in OS X’s Xprotect.plist in order to detect the adware, meaning users don’t need to run anything special in order to be protected.
“In testing, it appears this detection is very specific and potentially location-dependent,” wrote Intego. “This extra specificity is likely there so as to catch only the surreptitious installations of this file.”
As we wrote on Thursday, the Yontoo adware socially engineers users into installing it as a browser plugin. Once it’s installed into Safari, Firefox, and Chrome, the plugin injects advertising into the websites you’re visiting—including those that don’t even normally show ads.
The plugin poses a risk not just because it’s annoying to see third-party ads where they don’t belong, but because those behind the trojan could inject other malicious code. (The same trojan exists for PC users as well.) But now that Apple has added Yontoo to the built-in malware protections in OS X, it’s a lot less likely that Mac users will end up accidentally installing it.
(via Cisco switches to weaker hashing scheme, passwords cracked wide open | Ars Technica)
Password cracking experts have reversed a secret cryptographic formula recently added to Cisco devices. Ironically, the encryption type 4 algorithm leaves users considerably more susceptible to password cracking than an older alternative, even though the new routine was intended to enhance protections already in place.
It turns out that Cisco’s new method for converting passwords into one-way hashes uses a single iteration of the SHA256 function with no cryptographic salt. The revelation came as a shock to many security experts because the technique requires little time and computing resources. As a result, relatively inexpensive computers used by crackers can try a dizzying number of guesses when attempting to guess the corresponding plain-text password. For instance, a system outfitted with two AMD Radeon 6990 graphics cards that run a soon-to-be-released version of the Hashcat password cracking program can cycle through more than 2.8 billion candidate passwords each second…
cryptographic salt!
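What the missing salt and single iteration mean for stored credentials, as an added example that is not Cisco's code and does not reproduce the Type 4 encoding: it hashes a constructed set of accounts with one unsalted SHA-256 pass and with salted PBKDF2-HMAC-SHA256, then reports which accounts end up with identical stored hashes. The account names, passwords, 16-byte salt and iteration count are illustrative assumptions.

```python
import hashlib
import hmac
import os

def unsalted_sha256(password):
    """One SHA-256 pass, no salt: the construction the article describes."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_pbkdf2(password, salt=None, iterations=100_000):
    """Salted, iterated alternative (PBKDF2-HMAC-SHA256).
    The iteration count and 16-byte salt are illustrative assumptions."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_pbkdf2(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, expected = record
    _, _, candidate = salted_pbkdf2(password, salt, iterations)
    return hmac.compare_digest(candidate, expected)

def shared_hash_groups(records):
    """Group account names by stored hash; a group of two or more means
    one recovered password exposes every account in it."""
    groups = {}
    for name, stored in records.items():
        groups.setdefault(stored, []).append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample accounts; two of them share a password.
ACCOUNTS = {"admin": "Winter2013", "backup": "Winter2013", "noc": "r0uter-ops"}

def audit():
    """Return (groups sharing a hash when unsalted, groups when salted)."""
    unsalted = {n: unsalted_sha256(p) for n, p in ACCOUNTS.items()}
    salted = {n: salted_pbkdf2(p)[2] for n, p in ACCOUNTS.items()}
    return shared_hash_groups(unsalted), shared_hash_groups(salted)

if __name__ == "__main__":
    print(audit())
```

Without a salt the two accounts with the same password are visibly linked in the configuration, and any table of precomputed SHA-256 values applies to every device; the per-record salt and iteration count remove both properties.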
(via Brazilian docs fool biometric scanners with bag full of fake fingers | Ars Technica)
The BBC is one of several outlets carrying the bizarre story of a Brazilian doctor arrested for allegedly defrauding her employer, a hospital in the town of Ferraz de Vasconcelos, near São Paulo. At the time of her arrest, she was equipped with a total of sixteen fingers—ten of which God gave her, and six of which were crafted of silicone and given to her by coworkers. At least three of the extra fingers bore the prints of fellow doctors at the hospital.
The doctor, Thaune Nunes Ferreira, 29, claims through her attorney that she was forced to use the silicone fingers to clock in to the hospital’s time card system in order to cover for absentee colleagues. “She says she was innocent because it is a condition they imposed on her to keep her job,” the attorney notes…
(via Zero-day attack exploits latest version of Adobe Reader | Ars Technica)
A previously undocumented flaw in the latest version of Adobe Systems’ ubiquitous Reader application is being exploited in online hacks that allow attackers to surreptitiously install malware on end-user computers, a security firm said.
The attacks, according to researchers from security firm FireEye, work against Reader 11.0.1 and earlier versions and are actively being exploited in the wild. If true, the attacks are notable because they pierce security defenses Adobe engineers designed to make malware attacks harder to carry out. Adobe officials said they’re investigating the report.
“Upon successful exploitation, it will drop two DLLs,” FireEye researchers Yichong Lin, Thoufique Haq, and James Bennett wrote of the online attacks they witnessed. “The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks. The second DLL in turn drops the callback component, which talks to a remote domain.” DLL is the researchers’ shorthand for a file that works with the Microsoft Windows dynamic link library…
I use this: Foxit Reader, it’s free…








