Archive | April, 2012

Russian Cyber-Crime Market Doubled In 2011



It’s been quite a while since we’ve posted any news about Russia, so here’s an article which in some ways is quite scary.

The global cybercrime market is being dominated by Russian-speaking nations and their activity doubled in 2011. It’s certainly a disproportionate amount of crime when you look at their population size.

Cybercrime is a HUGE business, especially when it comes to malware and trojans targeting banking details and the follow-on phishing scams.

Russian-speaking criminals grabbed more than a third of the entire global cybercrime market in 2011 as a growth in online fraud activity turned the country into a major digital crime superpower, a new report has suggested.

Russian cybercriminals earned $4.5 billion in 2011

The State and Trends of the Russian Digital Crime market 2011 from Russian security research company Group-IB estimates (using public and partner data) that the global cybercrime market reached around $12.5 billion (£7.74 billion) in size during the year, with Russians and Russian speakers (including those outside the country) accounting for $4.5 billion of that total.

At the same time, using its own internally-collected analysis, the Russia-only cybercrime market doubled to $2.3 billion compared to 2010, a disproportionate level of activity considering the country’s modest 143 million population.

The top Russian cybercrime activity was online fraud, equivalent to almost a billion dollars in revenue, just ahead of spam on $830 million, internal market services on $230 million and DDoS with $130 million.

As well as startling growth, the Russian cybercrime scene also saw consolidation into larger, more organised groups increasingly controlled by conventional crime mafias. There was also evidence of co-operation between these groups, and the growth of an important internal ‘crime-to-crime’ (C2C) market to support its activities.

$12.5 billion is a LOT of zeros: that was the estimate of the money lost to cybercrime in 2011. That's almost $2 per person for the ENTIRE population of the world, which is what I would colloquially call a shitload of cash.

It doesn't stop there either; it amazes me that DDoS attacks are a multi-million dollar business! In Russia alone, according to this report anyway, these crims earned $130 million USD carrying out DDoS attacks!


Coming from a Russian-based group of researchers, the report makes fascinating reading. There is a wealth of anecdotal evidence from crime busts and malware trends that Russia is a key hub for cybercrime, but hard numbers are seldom put on its inner workings or business model.

An obvious question is why Russia has become such an important country for cybercrime. Beyond the traditional explanation of the large number of relatively poorly-paid programmers in the country, Group-IB also underlines the importance of policing and local laws.

The researchers note the case of Yevgeniy Anikin and Viktor Pleschuk, who were part of the gang that stole $10 million from the Royal Bank of Scotland's WorldPay ATM system in 2008, and yet received suspended sentences from Russian courts.

“Thus, because of imperfections in Russian laws and the lack of severe penalties, stable law enforcement practice, and regular training regarding counter cybercrime measures, cybercriminals are disproportionately [not held] liable for the crimes they commit,” note the researchers.

“The cybercrime market originating from Russia costs the global economy billions of dollars every year,” said Group-IB’s CEO, Ilya Sachkov.

The lax laws when it comes to cybercrime in Russia aren’t going to help the situation, but sadly – I’m not sure if they will even care.

If you want to read the original report you can do so here:

State and Trends of the Russian Digital Crime market 2011 [PDF]

Source: Network World


Posted in: Malware, Phishing, Spammers & Scammers



creepy – A Geolocation Information Aggregator AKA OSINT Tool



creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.


Features

  • Automatic caching of retrieved information in order to reduce API calls and the possibility of hitting rate limits.
  • GUI with navigable map for a better overview of the accumulated information
  • 4 map providers (including Google Maps) to use.
  • Open locations in Google Maps in your browser
  • Export retrieved locations list as KMZ (for Google Earth) or CSV files.
  • Twitter authentication handled in an easy way using OAuth. User credentials are not shared with the application.
  • User/target search for Twitter and Flickr.

Map Providers

  • Google Maps
  • Virtual Maps
  • Open Street Maps

Information Retrieval Using

  • Twitter's tweet location
  • Coordinates when the tweet was posted from a mobile device
  • Place (geographical name) derived from the user's IP when posting on Twitter's web interface. The place gets translated into coordinates using geonames.com
  • Bounding box derived from the user's IP when posting on Twitter's web interface. The least accurate source: a corner of the bounding box is selected randomly.
  • Geolocation information accessible through image hosting services' APIs
  • EXIF tags from the photos posted.

Social Networking Platforms Supported

  • Twitter
  • Foursquare (only checkins that are posted to twitter)
  • Gowalla (only checkins that are posted to twitter)

Image Hosting Services Supported

  • flickr – information retrieved from API
  • twitpic.com – information retrieved from API and photo EXIF tags
  • yfrog.com – information retrieved from photo EXIF tags
  • img.ly – information retrieved from photo EXIF tags
  • plixi.com – information retrieved from photo EXIF tags
  • twitrpix.com – information retrieved from photo EXIF tags
  • foleext.com – information retrieved from photo EXIF tags
  • shozu.com – information retrieved from photo EXIF tags
  • pickhur.com – information retrieved from photo EXIF tags
  • moby.to – information retrieved from API and photo EXIF tags
  • twitsnaps.com – information retrieved from photo EXIF tags
  • twitgoo.com – information retrieved from photo EXIF tags

You can download creepy here:

CreepySetup_0.1.94.exe

Or read more here.


Posted in: Privacy, Web Hacking



Anonymous Take Down Official F1 Site As Bahrain Protest



It seems like the latest target for Anonymous is the F1 due to the race that took place in Bahrain and the human rights issues in the country.

They DDoSed the official F1 site (formula1.com), which was up and down on Saturday and defaced another related site (f1-racers.net) which also contains some details from ticket sales.

I’m not entirely sure if it’s really Anonymous behind this or another fragment as the Blogspot has been killed and the AnonOps Twitter account hasn’t been updated since March 22nd.

Hackers claiming to be from Anonymous have taken down the official Formula One website as protests grow over this weekend’s controversial Grand Prix in the Kingdom of Bahrain.

“The F1 Grand Prix in Bahrain should be strongly opposed. The Al Khalifa regime stands to profit heavily off the race and has promised to use live ammunition against protestors in preparation,” the group said in a statement.

“They have already begun issuing collective punishment to entire villages for protests and have promised further retribution ‘to keep order’ for the F1 events in Bahrain. The Formula 1 racing authority was well-aware of the Human Rights situation in Bahrain and still chose to contribute to the regime’s oppression of civilians and will be punished.”

The statement also called for the release of Abdulhadi Alkhawaja, a prominent local human rights activist who was arrested at his home in April 2011 and sentenced to life in prison two months later on charges of aiding terrorist organizations. Amnesty International has declared him a ‘prisoner of conscience’ and he is now in the 70th day of a hunger strike.

So far the race looks like it will be going ahead anyway, although some members of the Force India team have left the country following an incident earlier in the week where they were caught in a riot and tear gassed. The country’s Crown Prince said to cancel the race now would “empower extremists,” Reuters reports.

The F1 in Bahrain went ahead without incident; the race track was heavily guarded by police with dogs etc. Bernie Ecclestone has also stated that he sees no reason to drop Bahrain from future F1 schedules, despite the controversy it provoked.

It’ll be interesting to see if the F1 now becomes a mainstay target for the Anonymous movement and their offshoots – F1 could suffer some serious damage from this.

The race was cancelled last year due to protests.


Bahrain was the first Middle Eastern state to hold a Formula One race in 2004 and the ruling family has a significant stake in the McLaren racing team. The 2011 race was cancelled after protests erupted across the country.

The protests began on Valentine's Day last year, as part of the wave of uprisings across the Arab world. While uprisings in Tunisia, Egypt and Libya were successful (with some help from NATO in the last case), the Bahraini uprising, which saw over 100,000 people take to the streets, was quickly crushed when the royal family asked the Saudi Arabian army to intervene. The US Navy 5th Fleet, which is based in Bahrain, did not take part.

After the initial uprising the former Metropolitan Police assistant commissioner John Yates, who resigned after being heavily criticized for his conduct of an investigation into the News of The World hacking scandal, was hired by the Bahraini royal family to investigate human rights abuses that may or may not have taken place.

Yates reportedly wrote to FIA president Jean Todt earlier this month, telling him that the protests were not as serious as the media was reporting and said he felt safer in Bahrain than he did in some parts of London.

“These are criminal acts being perpetrated against an unarmed police force who, in the face of such attacks, are acting with remarkable restraint,” he wrote. “They are not representative of the vast majority of delightful, law-abiding citizens that represent the real Bahrain that I see every day.”

The whole Anonymous thing has been pretty quiet lately; the last major targets I recall were OccupyWallStreet, the Vatican and a few others. The last time we reported on Anonymous was about – Former LulzSec Leader Sabu Flips Sides & Informs For The FBI.

I guess the movement might have gotten too much press and there have been a LOT of arrests so it’s probably fragmented and gone a lot more underground – communicating offline and over more secure channels.

Source: The Register


Posted in: Exploits/Vulnerabilities, Web Hacking



NfSpy – ID-spoofing NFS Client Tool – Mount NFS Shares Without Account



We wrote about this tool originally last year – NfSpy – ID-spoofing NFS Client – Falsify NFS Credentials – and a new version just came out!

NfSpy has just been updated to support NFSv3, a more efficient and widespread protocol than the previous NFSv2. NfSpy is a FUSE filesystem written in Python that automatically changes UID and GID to give you full access to any file on an NFS share. Use it to mount an NFS export and act as the owner of every file and directory.

NFS before version 4 relies on host trust relationships for authentication. The NFS server trusts client machines to authenticate users and to assign the same user IDs (UIDs) that the shared filesystem uses. This works in NIS, NIS+ and LDAP domains, for instance, but only if you know the client machine is not compromised or faking its identity, because the only authentication in the NFS protocol is the passing of the UID and GID (group ID). There are a few things that can be done to enhance the security of NFS, but many of them are incomplete solutions, and even with all three listed here it could still be possible to circumvent the security measures.
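The trust problem described above shows up first in the server's own export table. The Python below is an added example (not part of NfSpy) that parses an /etc/exports file in Linux exportfs(8) syntax and flags the settings that leave an export open to a client claiming any UID; the sample file is constructed.

```python
"""Audit an /etc/exports file for the host-trust weakness described above.

Added example, not part of NfSpy. Assumes Linux exportfs(8) syntax:
    /path  client1(opt,opt)  client2(opt,opt)
Each client spec is scored on the controls that matter when the server
believes the UID/GID a client sends (sec=sys, the default): host scope,
root_squash, all_squash and the sec= flavour.
"""
import re

# Constructed sample file, not taken from the page.
SAMPLE_EXPORTS = """\
# home directories for the whole LAN
/export/home    *(rw,sync,no_root_squash)
/export/backup  10.0.0.0/24(ro,sync)
/export/tools   buildbox.example.net(rw,sync,root_squash,all_squash,anonuid=65534)
/export/secure  *.example.net(rw,sync,sec=krb5p,root_squash)
"""

ENTRY_RE = re.compile(r'^(\S+)\s+(.*)$')
# A client is "host" or "host(opt,opt)"; the lazy \S+? stops at the open paren.
CLIENT_RE = re.compile(r'(\S+?)(?:\(([^)]*)\))?(?:\s|$)')


def parse_exports(text):
    """Return [(path, client, set_of_options)] for every client spec in the file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        m = ENTRY_RE.match(line) if line else None
        if not m:
            continue                          # a path with no clients exports nothing
        path, clients = m.groups()
        for cm in CLIENT_RE.finditer(clients):
            opts = cm.group(2) or ''
            entries.append((path, cm.group(1),
                            {o.strip() for o in opts.split(',') if o.strip()}))
    return entries


def security_flavour(opts):
    """sec= flavour of a client spec; exportfs defaults to sys (AUTH_SYS)."""
    for o in opts:
        if o.startswith('sec='):
            return o.split('=', 1)[1]
    return 'sys'


def audit_exports(text):
    """Return (path, client, finding) tuples; an empty list means nothing was flagged."""
    findings = []
    for path, client, opts in parse_exports(text):
        sec = security_flavour(opts)

        def note(msg):
            findings.append((path, client, msg))

        if sec == 'sys':
            # AUTH_SYS: the server accepts whatever UID/GID the client puts in the RPC call.
            note('sec=sys: UID/GID supplied by the client are taken on trust')
        if client == '*':
            note('exported to every host; host trust is the only control and it is absent')
        elif '*' in client or '?' in client:
            note('hostname wildcard: any host with a matching reverse DNS name may mount')
        if 'no_root_squash' in opts:
            note('no_root_squash: a client claiming UID 0 is root on this export')
        if 'rw' in opts and sec == 'sys' and 'all_squash' not in opts:
            note('rw with sec=sys and no all_squash: a client that claims a file owner\'s '
                 'UID can write that owner\'s files')
    return findings


if __name__ == '__main__':
    for path, client, msg in audit_exports(SAMPLE_EXPORTS):
        print('%-16s %-24s %s' % (path, client, msg))
```

Exports served with sec=krb5/krb5i/krb5p (NFSv4 or Kerberised v3) are the only ones the script does not tag for client-supplied credentials, which is the point the paragraph above makes.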

Features

  • Use filehandles from packet captures instead of asking mountd.
  • Hide from sysadmins by immediately “unmounting” while retaining access
  • Specify port/protocol for NFS or Mountd if you don’t have access to the portmapper

You can download NfSpy here:

NfSpy.zip

Or read more here.


Posted in: Hacking Tools, Linux Hacking, Network Hacking



Android Trojan Targets Japanese Market – Steals Personal Data



Early last year we wrote about China Facing Problems With Android Handsets & Pre-installed Trojans, then later last year there was a possibility Cybercrooks May Be Able To Force Mobile Phones To Send Premium-Rate SMS Messages.

The latest news about Android malware is malicious apps in the official Google marketplace (called Play) – they masquerade as apps that deliver trailers for various content, but in fact steal your data in the background.

Security experts are warning of yet more malicious applications found on Google’s official online apps market Play, this time designed to steal personal data in the background while promising to show trailers for Japanese anime, video games and porn.

McAfee malware researcher Carlos Castillo explained in a blog post that the new Android Trojan had been discovered in 15 applications on Google Play so far and downloaded by at least 70,000 users.

The malware, specifically designed to target Japanese users, is hidden in apps which show internet-based video trailers.

On installation, the malicious apps request that the user grants them permission to read contact data and to read phone state and identity.

If granted by the user, this will enable them to pilfer Android ID, phone number and the victim’s entire contacts list including names, email addresses and phone numbers.

It will then attempt to send the data in clear text to a remote server and, if successful, will request a video from that same server to display, said Castillo.

I think most of us are pretty safe from this set of nasties though as it targets the Japanese market specifically. It is a general problem with Android apps though, most of them ask for far more permissions than they actually need to function (lazy devs perhaps?) so Android users are very used to granting all kinds of permissions to fairly simple apps.

Thankfully the McAfee Mobile Security app does detect these as a threat (although how many people really have AV software on their phones?!).


“Due to the privacy risk that these applications represent to Android customers, all of them have been removed from the market,” he cautioned.

“McAfee Mobile Security detects these threats as Android/DougaLeaker.A. Users should verify in the Google Play market prior to installation that the application does not request permission to perform actions not related to its purpose.”
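Castillo's advice can be applied mechanically before an app is installed or published. As an added example (not McAfee's code and not from the article), the Python below reads a constructed AndroidManifest.xml modelled on the trailer apps and lists the permissions a video player has no business requesting; the per-category baseline in EXPECTED is an assumption.

```python
"""Flag declared permissions that do not fit an app's stated purpose.

Added example; not McAfee's detector and not from the article. It applies
Castillo's advice mechanically: given an AndroidManifest.xml and the kind of
app it claims to be, list every requested permission outside that kind's
expected set. EXPECTED is an assumed baseline, not an official list.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = 'http://schemas.android.com/apk/res/android'
NAME_ATTR = '{%s}name' % ANDROID_NS      # ElementTree's spelling of android:name

# Assumed baseline for an app that only streams trailers.
EXPECTED = {
    'video_player': {
        'android.permission.INTERNET',
        'android.permission.ACCESS_NETWORK_STATE',
        'android.permission.WAKE_LOCK',
    },
}

# The two permissions the trailer apps used to harvest identity and contacts.
DATA_SENSITIVE = {
    'android.permission.READ_CONTACTS': 'entire contact list (names, emails, numbers)',
    'android.permission.READ_PHONE_STATE': 'Android ID and phone number',
}

# Constructed manifest modelled on the article's description; not a real sample.
TRAILER_APP_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.trailers.anime">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Anime Trailers">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter('uses-permission') if el.get(NAME_ATTR)}


def unexpected_permissions(manifest_xml, category):
    """Map each permission outside the category baseline to a short risk note."""
    extras = requested_permissions(manifest_xml) - EXPECTED[category]
    return {p: DATA_SENSITIVE.get(p, 'not needed by a %s' % category) for p in sorted(extras)}


if __name__ == '__main__':
    for perm, why in unexpected_permissions(TRAILER_APP_MANIFEST, 'video_player').items():
        print('%-40s exposes %s' % (perm, why))
```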

Google’s relatively open Android ecosystem has led to a huge surge in malware hidden in legitimate looking applications.

Apart from data-sucking Trojans, cyber criminals have looked to distribute apps containing premium dialler malware, SMS fraud Trojans and malware designed to turn a user’s handset into a bot.

Worryingly, two-thirds of Android anti-malware scanners are not up to the task, according to recent research from AV-Test.

The firm said that there are more than 11,000 strains of malware in the wild targeted at the platform – a figure growing at some pace.

Google does seem to be fairly on top of removing these apps from the marketplace as soon as they are reported and verified as malware. I'd have thought they should integrate some kind of malware scan (including heuristic scanning for dodgy calls) into Google Play when someone adds a new app.

As always just be careful what you’re downloading and what you are giving permissions to. If you are paranoid, hook your phone up to your desktop and proxy all the traffic through there and get sniffing.

Source: The Register


Posted in: Malware, Privacy, Spammers & Scammers



web-sorrow – Remote Web Security Scanner (Enumeration/Version Detection etc)



web-sorrow is a Perl-based tool used for checking a web server for misconfiguration, version detection, enumeration, and server information. It is NOT a vulnerability scanner, inspection proxy, DDoS tool or an exploitation framework.

Current Functionality

  • -S – stands for standard. A set of standard tests including: directory indexing testing, banner grabbing, language detection (should be obvious), robots.txt, and 200 response testing (some servers send a 200 OK for every request)
  • -Eb – stands for error bagging. The default config for servers is to put the server daemon and version, and sometimes even the OS, inside error pages. web-sorrow requests a URL of 20 random bytes with GET and POST methods.
  • -auth – looks for login pages with a list of some of the most common login files and dirs. We don't need a very big list of URLs because what else are you going to name it?
  • -cmsPlugins – runs a huge list of plugin dirs for CMS servers. The list is a bit old (2010)
  • -I – searches the responses for interesting strings
  • -Ws – looks for web services such as hosting provider, blogging services, favicon fingerprinting, and CMS version info
  • -Fd – looks for things people generally don't want you to see. The list is generated from a TON of robots.txt files, so whatever it finds should be interesting.
  • -proxy – send all HTTP requests via a proxy. Example: 255.255.255.254:8080
  • -e – run all the scans in the scanner

web-sorrow also has false positive checking on most of its requests (it's pretty accurate but not perfect).
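The -Eb and 200-response checks above can be run from the other side of the fence. As an added example (not part of web-sorrow), the Python below inspects an already captured error response for the leaks those tests look for; the responses are constructed to resemble a default Apache 404 page, a hardened one and a soft-404 server, and the random path is made up.

```python
"""Inspect a web server's error response for what web-sorrow's -Eb and
200-response tests would find, from the operator's side.

Added example, not part of web-sorrow. It works on an already captured
status/headers/body rather than making requests, so it runs offline; the
responses below are constructed, and the 20-character path is made up.
"""
import re

# Server/version (with optional OS in parentheses) as printed in Server headers
# and in default error-page footers.
VERSION_RE = re.compile(
    r'\b(Apache|nginx|Microsoft-IIS|lighttpd|PHP)/\d+(?:\.\d+)+'
    r'(?:\s*\(([A-Za-z][\w ]*)\))?')

RANDOM_PATH = '/q7Zr2kLm9xW3pA1sT8vB'   # constructed stand-in for -Eb's random bytes

DEFAULT_APACHE_404 = (
    404,
    {'Server': 'Apache/2.2.22 (Ubuntu)', 'Content-Type': 'text/html'},
    ('<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1>'
     '<p>The requested URL %s was not found on this server.</p><hr>'
     '<address>Apache/2.2.22 (Ubuntu) Server at example.test Port 80</address>'
     '</body></html>') % RANDOM_PATH,
)

HARDENED_404 = (
    404,
    {'Server': 'Apache', 'Content-Type': 'text/html'},   # ServerTokens Prod, ServerSignature Off
    '<html><body><h1>Not Found</h1></body></html>',
)

SOFT_404 = (
    200,
    {'Server': 'nginx', 'Content-Type': 'text/html'},
    '<html><body><h1>Welcome</h1></body></html>',
)


def inspect_error_response(status, headers, body):
    """Return a list of findings for the response to a request for a random path."""
    findings = []
    if status == 200:
        # Every path answers 200: status codes on this host tell a scanner (or you) nothing.
        findings.append('status 200 for a random path (soft 404)')
    for where, text in (('Server header', headers.get('Server', '')), ('body', body)):
        for m in VERSION_RE.finditer(text):
            findings.append('%s leaks %s' % (where, m.group(0)))
    return findings


if __name__ == '__main__':
    for name, resp in (('default', DEFAULT_APACHE_404), ('hardened', HARDENED_404),
                       ('soft', SOFT_404)):
        print(name, inspect_error_response(*resp) or ['clean'])
```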

Examples

basic:

look for login pages:

most intense scan possible:

You can download web-sorrow here:

Wsorrow_v1.3.0.zip

Or read more here.


Posted in: Hacking Tools, Network Hacking, Web Hacking



Microsoft Delivers 6 Out Of Band High Priority Security Updates



Now it was only last month when everyone was wrapped up in the MS12-020 RDP Exploit Code In The Wild issue.

As it turns out, Microsoft have been hiding some more serious security issues under the carpet. Apparently attackers are already exploiting the MS12-027 flaw in ActiveX in the wild – although Microsoft of course say there have been only ‘limited attacks’.

It’s a fair old bundle of updates and it must be serious if they are pushing an out of band patch and not just waiting for the next patch Tuesday (which is what they normally do).

Microsoft today delivered six security updates to patch 11 vulnerabilities in Windows, Internet Explorer (IE), Office and several other products, including one bug that attackers are already exploiting. The company also issued the first patch for Windows 8 Consumer Preview, the beta-like build Microsoft released at the end of February.

But it was MS12-027 that got the most attention today.

“Things got a bit more interesting today,” said Andrew Storms, director of security operations at nCircle Security, “because Microsoft is reporting limited attacks in the wild.”

Flaws that attackers exploit before a patch is available are called “zero-day” vulnerabilities. The single vulnerability patched in MS12-027 is in an ActiveX control included with every 32-bit version of Office 2003, 2007 and 2010; Microsoft also called out SQL Server, Commerce Server, BizTalk Server, Visual FoxPro and Visual Basic as needing the patch.

Storms, other security experts and Microsoft, too, all identified MS12-027 as the first update users should install.

Hackers are already using the vulnerability in malformed text documents, which when opened either in Word or WordPad — the latter is a bare bones text editor bundled with every version of Windows, including Windows 7 — can hijack a PC, Microsoft acknowledged in a post to its Security Research & Defense (SRD) blog today.

Now the good thing is, the flaw is not a remote access type exploit – meaning someone can’t hack you over the network with this. But it is serious as you can be jacked by opening a malformed document, which I assume would contain some type of ActiveX control.

Even so, it’s classed as remote code execution – which means if an attacker can get you to open the document in a browser – you’re owned.

There have been a lot of flaws like this (usually in Adobe Reader) and they have caused a fair amount of havoc, so tell whoever you know that’s running Windows to get their Windows Update on ASAP.


“We list MS12-027 as our highest priority security update to deploy this month because we are aware of very limited, targeted attacks taking advantage of [the] CVE-2012-0158 vulnerability using specially-crafted Office documents,” said Elia Florio, an engineer with the Microsoft Security Response Center, in the SRD blog post.

Microsoft did not disclose when it first became aware of the attacks, or who reported the vulnerability to its security team.

Storms speculated that an individual or company had been attacked, uncovered the bug and notified Microsoft. Microsoft rarely deploys a patch “out of cycle,” meaning outside its usual second Tuesday of every month schedule. The last such update was shipped in December 2011, and was the first for that year.

Also affected is software written by third-party developers who have bundled the buggy ActiveX control with their code or called it. Those developers will have to provide their own updates to customers.

“Any developer that has released an ActiveX control should review the information for this security bulletin,” said Jason Miller, manager of research and development at VMware. “These developers may need to release updates to their own software to ensure they are not using a vulnerable file in their ActiveX control.”

Attackers can also exploit this bug using “drive-by download” attacks that automatically trigger the vulnerability when IE users browse to a malicious site, Microsoft admitted.

And well if anyone is using Internet Exploder Explorer still – they are in trouble anyway.

The scary part is, 8 out of the 11 issues patched with this update were marked as Critical and it affects IE9 – the latest version of the Microsoft browser.

You can read the original Microsoft advisory here – Microsoft Security Bulletin MS12-027 – Critical – note they have marked this as a Critical issue.

Source: Network World


Posted in: Exploits/Vulnerabilities, Windows Hacking



Carbylamine – A PHP Script Encoder to ‘Obfuscate/Encode’ PHP Files



Carbylamine is a PHP Encoder project, which can bypass all leading anti-virus detection against PHP Shells (C99, R57 etc) easily. It can be a very efficient tool for pen-testers when carrying out a black box test which involves inserting malicious code via PHP.


Usage

You can download Carbylamine here:

carbylamine.php

Or read more here.


Posted in: Cryptography, Hacking Tools, Programming



Server Migration – Moved To Linode! And Changed To Nginx/PHP-FPM/APC/W3TC



So lately I've been doing a lot more DevOps stuff than security stuff and I'm pretty much enjoying it (apart from some of the tedious sys-admin stuff).

So with some of the new stuff I've learnt along the way, I decided to move Darknet from a rather bloated managed VPS with 2GB of RAM and cPanel + a bunch of other crap to a very lean 512MB unmanaged VPS instance on Linode. This has no control panel, no DNS server (using Linode DNS now), no mail server (switched over to Google Apps) and a very minimal software setup.


I also shifted from Apache2 to nginx + PHP-FPM which is a lot more memory friendly, and PHP-FPM has very intelligent self-healing and auto-scaling features.

And I’ve managed to get W3 Total Cache working nicely with the site, so basically all pages are served as static HTML, js + css are minified and DB + WP objects are cached in APC.

The most memory I’ve used so far is a little over 100MB, and the most CPU I’ve used is 32% out of an available 400% (4 cores) – pretty good for a reasonably busy site like this.

Anyway if you find the site faster or slower now, let me know – and if you see any weird stuff/errors/missing pages – please let me know (either in a comment here or via the Contact Page).

And yah, if you do want to sign up with Linode, please use the links on this page – if you stay a customer for 3 months I’ll get $20 credit which will go towards the hosting costs of this site :)


Posted in: Site News



Zero Day Java Vulnerability Exploited – Macs Infected With Flashback Malware



Interesting timing this one: just a couple of days ago we reported – Avira Joins The Crowd & Starts To Offer Mac Antivirus Software – and now there's an unpatched vulnerability in Java for Mac OS that is being exploited in the wild.

The vulnerability (CVE-2012-0507) was patched in Java by Oracle back in February, but Apple roll their own Java for Mac OS and they haven’t rolled in this fix yet.

Flashback malware seems to be evolving pretty fast, it just shows that security in the Apple world is becoming a serious issue.

A Java vulnerability that hasn’t yet been patched by Apple is being exploited by cybercriminals to infect Mac computers with a new variant of the Flashback malware, according to security researchers from antivirus firm F-Secure.

Flashback is a computer Trojan horse for Mac OS that first appeared in September 2011. The first variant was distributed as a fake Flash Player installer, but the malware has been changed significantly since then, both in terms of functionality and distribution methods.

Back in February, several antivirus companies reported that a new Flashback version was being distributed through Java exploits, which meant that the infection process no longer required user interaction.

The Java vulnerabilities targeted by the February exploits dated back to 2009 and 2011, so users with up-to-date Java installations were protected.

However, that’s no longer the case with the latest variant of the malware, Flashback.K, which is being distributed by exploiting an unpatched Java vulnerability, security researchers from F-Secure said in a blog post Monday.

Oracle released a fix for the targeted vulnerability, which is identified as CVE-2012-0507, back in February and it was included in an update for the Windows version of Java.

People have called Apple out on this before; the lag between official patching of Java and the deployment of the safe version of Java on Mac OS can be months – a dangerous window of opportunity for malware pimps to spread their wares.

You can disable Java in your browser though, if you’re a Mac user. Or just completely disable it from the OS, details here:

Mac Malware at the Moment

I’m not exactly sure how relevant Java is these days, there is the odd web-site with a Java applet – but it seems pretty rare on the whole.


However, since Apple distributes a self-compiled version of Java for Macs, it ports Oracle’s patches to it according to its own schedule, which can be months behind the one for Java on Windows.

Security experts have long warned that this delay in delivering Java patches on Mac OS could be used by malware writers to their advantage, and the new Flashback.K malware confirms that they were right.

After being dropped and executed on the system via the CVE-2012-0507 exploit, the new Trojan horse prompts a dialog window that asks the user for their administrative password.

Regardless of whether the user inputs the password or not, the malware still infects the system, F-Secure said in its description of the malware. The Trojan’s purpose is to inject itself into the Safari process and modify the contents of certain Web pages.

There are rumors that a new exploit for a different unpatched Java vulnerability is currently being sold on the underground market and could be used to target Mac users in a similar way in the future, the F-Secure researchers said.

“If you haven't already disabled your Java client, please do so before this thing really becomes an outbreak,” they said. The antivirus company provides instructions on how to do this.

Apple stopped including Java by default in Mac OS X starting with version 10.7 (Lion). However, if Lion users encounter a Web page that requires Java, they are prompted to download and install the runtime and might later forget that they have it on their computers.

As we all know, Java is not exactly the most secure software on your computer – there have been multiple ’emergency’ patches for critical issues in Java in the last couple of years. It ranks up there with Flash and Adobe Acrobat for being the biggest threats to your machine.

As always – stay safe. Some more details here – Mac Flashback Exploiting Unpatched Java Vulnerability

Source: Network World


Posted in: Apple, Exploits/Vulnerabilities, Malware
