• Tag Archives new trojan
  • Android Trojan Switcher Infects Routers via DNS Hijacking – Android Trojan Switcher Infects Routers via DNS Hijacking

    A new Android Trojan uses a victims’ devices to infect WiFi routers and funnel any users of the network to malicious sites. The malware doesn’t target users directly – instead its goal is to facilitate further attacks by turning victims into accomplices.

     

    Researchers at Kaspersky Lab, who discovered the malware and dubbed it Switcher Trojan, claim they’ve seen two versions of the malware. Attackers have used both iterations to commandeer 1,280 wireless networks, most of them in China, according to Nikita Buchka, a mobile security expert with the firm.

    One version of the malware mimics a mobile client for the Chinese search engine Baidu. Another passes itself off as a version of an app used for locating and sharing WiFi login information. Once a victim has downloaded one of the versions, it gets to work attacking the router.

    The malware does so by carrying out a brute-force password guessing attack on the router’s admin web interface. Once in, Switcher swaps out the addresses of the router’s DNS servers for a rogue server controlled by the attackers along with a second DNS, in case the rogue one goes down.

    This makes it so queries from devices on the network are re-routed to the servers of the attacker, something that can open victims to redirection, phishing, malware and adware attacks.

    “The ability of the Switcher Trojan to hijack [DNS] gives the attackers almost complete control over network activity which uses the name-resolving system, such as internet traffic,” Kaspersky Lab said Wednesday, “The approach works because wireless routers generally reconfigure the DNS settings of all devices on the network to their own – thereby forcing everyone to use the same rogue DNS.”

    The creators of the Trojan were a little sloppy when it came to crafting parts of its command and control website however; they left a table complete with internal infection statistics publicly viewable. According to Buchka, who has reviewed the site, the attackers boast to have infiltrated 1,280 WiFi networks over the last several weeks.

    In a Securelist post on the malware posted Wednesday Buchka cautioned users to review their routers’ DNS settings for the following rogue servers: 101.200.147.153, 112.33.13.11, and 120.76.249.59. He also took the opportunity to encourage users – although for many it goes without saying – to verify that they’ve changed their routers’ default login and passwords.

    Several weeks ago a handful of router users in Germany fell victim when a variant of Mirai, the nasty malware that’s become synonymous with internet of things vulnerabilities, took hold of their devices. While those routers didn’t suffer from a hardcoded username/password vulnerability, they did have port 7547, usually used by internet service providers to remotely manage the device, open.

    The behavior of Switcher is somewhat similar to that of DNSChanger, malware that’s been repurposed as an exploit kit as of late. A recent campaign observed by Proofpoint was targeting wireless routers and changing DNS entries in order to steal traffic. In that instance routers made by D-Link, Netgear, Pirelli and Comtrend were vulnerable. According to Buchka, the hardcoded names of input fields and the structures of the HTML documents that the Switcher Trojan tries to access suggests it may work only on web interfaces of TP-LINK Wi-Fi routers.


  • NEW MALWARE – New Banking trojanwith Network Sniffer Spreading on the Internet at a high pace

    The hike in the banking malware this year is no doubt almost double compared to the previous one, and so in the techniques of malware authors.

    Until now, we have seen banking Trojans affecting the infected device and steal users’ financial credentials in order to run them out of their money. But nowadays, malware authors are adopting more sophisticated techniques in an effort to target as many victims as they can.

    BANKING MALWARE WITH NETWORK SNIFFING

    Security researchers from the Anti-virus firm Trend Micro have discovered a new variant of banking malware that not only steal the users’ information from the device it has infected but, has ability to “sniff” network activity to steal sensitive information of other network users as well.

     

    The banking malware, dubbed as EMOTET spreads rapidly through spammed emails that masquerade itself as a bank transfers and shipping invoices. The spammed email comes along with a link that users easily click, considering that the emails refer to financial transactions.

    Once clicked, the malware get installed into users’ system that further downloads its component files, including a configuration and .DLL file. The configuration files contains information about the banks targeted by the malware, whereas the .DLL file is responsible for intercepting and logging outgoing network traffic.

    The .DLL file is injected to all processes of the system, including web browser and then “this malicious DLL compares the accessed site with the strings contained in the previously downloaded configuration file, wrote Joie Salvio, security researcher at Trend Micro.

    If strings match, the malware assembles the information by getting the URL accessed and the data sent.

    ENCRYPTED STOLEN DATA

    Meanwhile, the malware stores stolen data in the separate entries after been encrypted, which means the malware can steal and save any information the attacker wants.

    The decision to storing files and data in registry entries could be seen as a method of evasion“, Salvio said. “Regular users often do not check registry entries for possibly malicious or suspicious activity, compared to checking for new or unusual files. It can also serve as a countermeasure against file-based AV detection for that same reason.”

    HTTPS CONNECTIONS KICKED

    Moreover, the malware also has capability to even bypass the secure HTTPs connection which poses more danger to users’ personal information and banking credentials, as users will feel free to continue their online banking without even realizing that their information is being stolen.

    [It has] capability to hook to the following Network APIs to monitor network traffic: PR_OpenTcpSocket PR_Write PR_Close PR_GetNameForIndentity Closesocket Connect Send WsaSend

    This kind of financial threat is really dangerous for the people, because previous banking malwares often rely on form field insertion or phishing pages to steal users’ financial information, but the use of network sniffing in the malware, makes the threat even more harder for users to detect any suspicious activity as no changes are visibly seen, said the researcher.

    Researchers are still investigating that how the gathered stolen data the malware sniffs from the network is being sent to the attacker.

    The malware infection is not targeted to any specific region or country but, EMOTET malware family is largely infecting the users of EMEA region, i.e. Europe, the Middle East and Africa, with Germany on the top of the affected countries.

    Users are advised to do not open or click on links and attachments provided in any suspicious email, but if the message is from your banking institution and of concern to you, then confirm it twice before proceeding.

    The hike in the banking malware this year is no doubt almost double compared to the previous one, and so in the techniques of malware authors.

    Until now, we have seen banking Trojans affecting the infected device and steal users’ financial credentials in order to run them out of their money. But nowadays, malware authors are adopting more sophisticated techniques in an effort to target as many victims as they can.

    BANKING MALWARE WITH NETWORK SNIFFING

    Security researchers from the Anti-virus firm Trend Micro have discovered a new variant of banking malware that not only steal the users’ information from the device it has infected but, has ability to “sniff” network activity to steal sensitive information of other network users as well.

    The banking malware, dubbed as EMOTET spreads rapidly through spammed emails that masquerade itself as a bank transfers and shipping invoices. The spammed email comes along with a link that users easily click, considering that the emails refer to financial transactions.

    Once clicked, the malware gets installed into users’ system that further downloads its component files, including a configuration and .DLL file. The configuration files contains information about the banks targeted by the malware, whereas the .DLL file is responsible for intercepting and logging outgoing network traffic.

    The .DLL file is injected to all processes of the system, including web browser and then “this malicious DLL compares the accessed site with the strings contained in the previously downloaded configuration file, wrote Joie Salvio, security researcher at Trend Micro. “If strings match, the malware assembles the information by getting the URL accessed and the data sent.

     

    ENCRYPTED STOLEN DATA

    Meanwhile, the malware stores stolen data in the separate entries after been encrypted, which means the malware can steal and save any information the attacker wants.

    The decision to storing files and data in registry entries could be seen as a method of evasion“, Salvio said. “Regular users often do not check registry entries for possibly malicious or suspicious activity, compared to checking for new or unusual files. It can also serve as a countermeasure against file-based AV detection for that same reason.”

    HTTPS CONNECTIONS KICKED

    Moreover, the malware also has capability to even bypass the secure HTTPs connection which poses more danger to users’ personal information and banking credentials, as users will feel free to continue their online banking without even realizing that their information is being stolen.

    [It has] capability to hook to the following Network APIs to monitor network traffic: PR_OpenTcpSocket PR_Write PR_Close PR_GetNameForIndentity Closesocket Connect Send WsaSend

    This kind of financial threat is really dangerous for the people, because previous banking malwares often rely on form field insertion or phishing pages to steal users’ financial information, but the use of network sniffing in the malware, makes the threat even more harder for users to detect any suspicious activity as no changes are visibly seen, said the researcher.

    Researchers are still investigating that how the gathered stolen data the malware sniffs from the network is being sent to the attacker.

    MALWARE DISTRIBUTION OVER WORLD MAP

    The malware infection is not targeted to any specific region or country but, EMOTET malware family is largely infecting the users of EMEA region, i.e. Europe, the Middle East and Africa, with Germany on the top of the affected countries.

    Users are advised to do not open or click on links and attachments provided in any suspicious email, but if the message is from your banking institution and of concern to you, then confirm it twice before proceeding.

     

    IF INFECTED Visit Our Main Site OR call 754-234-5598

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

     


  • Zeus Trojan (or Zbot Trojan) steals confidential information from the infected computer.

    Pandemiya hacking trojan

    A new and relatively rare Zeus Trojan program was found which is totally different from other banking Trojans and has capability to secretly steal data from forms, login credentials and files from the victim as well as can create fake web pages and take screenshots of victim’s computer.

    Researchers at RSA Security’s FraudAction team have discovered this new and critical threat, dubbed as ‘Pandemiya’, which is being offered to the cyber criminals in underground forums as an alternative to the infamous Zeus Trojan and its many variants, that is widely used by most of the cyber-criminals for years to steal banking information from consumers and companies.

     

    The source code of the Zeus banking Trojan is available on the underground forums from past few years, which lead malware developers to design more sophisticated variants of Zeus Trojan such as Citadel, Ice IX and Gameover Zeus.

     

    But, Pandemiya is something by far the most isolated and dangerous piece of malware as the author spent a year in writing the code for Pandemiya, which includes 25,000 lines of original code written in C.
    Like other commercial Trojan, Pandemiya infect the machines through exploit kits and via drive-by download attacks to boost infection rate that exploit flaws in the vulnerable software such as Java, Silverlight and Flash within few seconds victim lands on the web page.

    Pandemiya’s coding quality is quite interesting, and contrary to recent trends in malware development, it is not based on Zeus source code at all, unlike Citadel/Ice IX, etc.,” researchers from RSA, the security division of EMC, said Tuesday in a blog post. “Through our research, we found out that the author of Pandemiya spent close to a year of coding the application, and that it consists of more than 25,000 lines of original code in C.

    Pandemiya Trojan using Windows CreateProcess API to inject itself into every new process that is initiated, including Explorer.exe and re-injects itself when needed. Pandemiya is being sold for as much as $2,000 USD and provides all the nasty features including encrypted communication with command and control servers in an effort to evade detection.The Trojan has been designed with modular architecture to load more external plug-ins, which allows hackers to add extra features simply by writing new DLL (dynamic link library). The extra plug-ins easily add capabilities to the Trojan’s core functionality, that’s why the developer charge an extra of $500 USD to get the core application as well as its plugins, which allows cybercriminals to open reverse proxies on infected computers, to steal FTP credentials and to infect executable files in order to inject the malware at start up.

     

    The advent of a freshly coded new trojan malware application is not too common in the underground,” Marcus writes, adding that the modular approach in Pandemiya could make it “more pervasive in the near future.

    The malware developers are also working on other new features to add reverse Remote Desktop Protocol connections and a Facebook attack module in order to spread the Trojan through hijacked Facebook accounts.

    HOW TO REMOVE PANDEMIYA TROJAN

    The Trojan can be easily removed with a little modification in the registry and command line action, as explained below:

      1. Locate the registry key HKEY_LOCAL_USER\Software\Microsoft\Windows\CurrentVersion\Run and identify the *.EXE filename in your user’s ‘Application Data’ folder. Note the name, and delete the registry value.
      2. Locate the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls. Find the value with the same name as the *.EXE file in the previous step. Note the file name, and remove the value from the registry.
      3. Reboot the system. At this stage Pandemiya is installed but no longer running. Delete both files noted earlier. This will remove the last traces of the Trojan. Your system is now clean.

    Please Visit our Computer News Website and Blog

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida