
Smokeys License Give Away

July 9, 2017

Due to the rise in Ransomware attacks lately, Smokeys has got together with some top security vendors to offer you a chance of getting a free license for a security program that will help to combat the threat and give you a better chance of being protected.

The ‘Give Away’ will be open to all member groups except for Staff and Visiting Staff and will run from Mon 10th – Sun 16th July.

Licenses available are for the following Programs: (in alphabetical order)

Emsisoft AntiMalware
Emsisoft Internet Security
Eset NOD32
Eset Internet Security
Eset Smart Security
Malwarebytes 3

http://www.smokey-services.eu/forums/index.php/board,318.0.html

Beware this Android banking malware posing as a software update

June 23, 2017

Latest version of the mobile malware can steal login credentials from at least 40 banking, retail and social media apps.

A sophisticated banking trojan has once again developed new techniques in order to trick Android users into downloading the malware.

It’s the latest variant of the Marcher Android malware, and this time it’s posing as an Adobe Flash Player update.
Having first appeared on Russian-speaking underground forums in late 2013, previous incarnations of Marcher have posed as a security update, a Super Mario mobile game and more.

Uncovered by researchers at Zscaler Threatlabz, this version of the banking trojan is using new lure techniques to spread infections, including adult content and links taking advantage of hype around new mobile games.
All of the malware downloads are accessed from third-party sites and not via the official Google Play store.

Once the victim has opened the dropper URL, they’ll be prompted with a message saying the device’s Flash Player is out of date and needs updating.
Of course, this is fake, but if the user goes through and downloads the payload, they’ll become infected.

Marcher even offers a step by step guide on how to disable security settings and allow the device to install third-party software – an option turned off by default on Android devices and a key way of protecting the user from malicious software.

Once installed, the malware will immediately hide itself and remove its icon from the phone menu, and register the infected device with its command and control server.
All of the meta information about the infected phone, including the installed apps list is sent to the C&C server.

The malware lies in wait for the user to open one of its targeted apps, but instead of the official, authentic login page, Marcher displays a fake overlay, allowing the cybercriminals behind it to steal login credentials and gain access to bank accounts and email services.

Some of the apps Marcher provides fake login pages for include Citibank, TD Bank, PayPal, Gmail, Facebook, Walmart, Amazon, Western Union and more.
The list of targets is in fact hardcoded into the malware payload, but the fake login pages can be changed by the authors as and when needed.

Researchers note that unlike previous versions of Marcher, this variant is highly obfuscated, allowing it to bypass most antivirus programmes.
Indeed, VirusTotal shows that it’s caught under 20 percent of the time by virus scanners.

“We have been seeing regular infection attempts for this Marcher variant in the past month.
The frequent changes in the Marcher family indicate that the malware remains an active and prevalent threat to Android devices,” said Viral Gandhi, senior security researcher at Zscaler.

In order to avoid infection via Marcher and other Android malware that spreads from third-party websites, users should only download apps from trusted app stores such as Google Play – although the official Android market still doesn’t keep malicious software out one hundred percent of the time.

Source:
http://www.zdnet.com/article/beware-this-android-banking-malware-posing-as-a-software-update/#ftag=RSSbaffb68

Android Adware Infects 36.5M Devices via Google Play

May 29, 2017

More than 41 Android apps managed to bypass Google’s protections in the Play Store, making heaps of cash for their developers

What is believed to be one of the largest malware campaigns on Google Play Store has been discovered by security firm Checkpoint who claims that around 36.5 million Android devices were infected with ad-ware.

According to the report, more than 41 Android apps made by a Korean company and uploaded to the Google Play Store actually carry malicious code.
They have managed to attract plenty of users interested in them and are making the authors loads of money by creating fake ad clicks from the infected devices.

Developed by Korean-based Kiniwini, all the malicious apps are published under the moniker ENISTUDIO.
They all contain an adware program that’s been dubbed as Judy, used to generate fraudulent clicks in exchange for ad revenue.

It’s not just this particular developer that’s running apps infected with Judy, but also other developers that inexplicably contain the same malware.

The malware has been dubbed Judy mostly because a good part of the apps published by Kiniwini contain the name, whether it’s some variation of “Fashion Judy,” “Chef Judy,” or “Animal Judy.”

How does it work?

“To bypass Bouncer, Google Play’s protection, the hackers create a seemingly benign bridgehead app, meant to establish connection to the victim’s device, and insert it into the app store,” Checkpoint experts explain.
“Once a user downloads a malicious app, it silently registers receivers which establish a connection with the C&C server.
The server replies with the actual malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author.”

The malware then opens the URLs in a hidden web page using a user agent that imitates a PC browser, receives a redirect to another website and, as soon as that page loads, uses the JavaScript code to locate and click on banners from the Google ads infrastructure.

Each click brings revenue to the malware authors via the aforementioned website.

Source:
http://news.softpedia.com/news/android-adware-infects-36-5m-devices-via-google-play-516109.shtml

Amazon’s app store compromises Android security

May 27, 2017

It’s dangerous to go alone outside Google’s protective walled garden, but it’s the price you pay for free software.

Ask almost any security expert, and they’ll tell you switching on “unknown sources” on your Android phone or tablet is one of the worst things you can do for device security.

But that’s exactly what Amazon has asked its app store customers to do for years.

The heart of the problem is Amazon’s requirement to allow installations from “unknown sources” — that is, any app or game that hasn’t been carefully vetted by the Google Play app store.
That’s because while almost all of Amazon’s apps are already in Google Play, the retail giant’s own third-party app store, dubbed Underground, isn’t allowed.

Opening your Android phone or tablet up to apps and games outside Google’s protective walled garden also makes your device infinitely more vulnerable to malware.

And that’s no secret.
We’re not even the only ones to notice it — some noted the security issue back in 2015 when Amazon Underground first launched.

When asked to comment, an Amazon spokesperson confirmed that Underground had since been installed on “millions” of Android devices.
That’s in part because some of Amazon’s own apps for Android are only available through Amazon Underground, such as Amazon Prime Video — the company’s competitor to Netflix.

The spokesperson added that “customers should take care only to download content from sources they trust, like Amazon.”

But it’s not Amazon’s app store that’s the problem — it’s the giant hole you have to punch in Android’s security to get it installed in the first place.

We spoke to several prominent security researchers and experts, and they all agreed that opening up “unknown sources” is a bad move for security.

Joshua Drake, VP of Platform Research and Exploitation at Zimperium, who was credited with finding the Stagefright bug that affected millions of Android users, said that installing apps from unknown sources is “a significant source of malware in the Android ecosystem.”

Andrew Blaich, a security researcher at Lookout, agreed.
He said: “By allowing unknown sources, a user is removing the first line of defense in stopping themselves from installing a malicious app that can be delivered from a number of sources, including malicious website links, phishing attempts and others of which we’ve seen happen in targeted attacks like ViperRat and other broader non-targeted attacks.”

Chester Wisniewski, principal research scientist at cybersecurity firm Sophos, said in an email: “There are a lot of nasty Android apps out there and only downloading apps from official sources is key to a safe mobile computing experience.”

The battle for access to app stores isn’t new.
Because mobile device and software makers like Apple and Google get to dictate the terms to who can and can’t access their platforms, competitors like Amazon will resort to begging their customers to essentially forego some security for access to its own app store.

And while Android has always been the more open platform for apps and games compared to iPhones and iPads, which have built a reputation for security thanks to Apple’s strict app store requirements and code checking, that is soon set to change.
Drake added in his email that Google’s upcoming Android O will allow third-party app stores without requiring blanket access to the whole phone, effectively making it harder for malware to install.

When reached, Google wouldn’t comment on the record.

Amazon’s app store currently has 800,000 free apps, thanks to the company’s incentive to developers to submit their apps.
The company said last month that though it’s shutting down its namesake developer program, which allows the millions of Amazon Underground users to download apps and games for free, the app store itself is “not going away” any time soon.

Given the security risks, your best bet is to uninstall the app — pronto — and switch off “unknown sources.”
Anything else is putting you at risk.

Source:
http://www.zdnet.com/article/amazons-app-store-puts-millions-of-android-devices-at-risk/#ftag=RSSbaffb68

Crysis ransomware master keys released to the public

May 25, 2017

A total of 200 master keys can now be used by victims to decrypt and unlock their systems.

The world has been rocked by WannaCry causing disruption and upheaval across core services and businesses alike over the past week, but there is good news for victims of Crysis with the release of 200 master keys to the public.

Posted at the BleepingComputer forum, the keys can be used by victims of the ransomware as well as security firms in the creation of decryption tools.

The keys, uploaded to Pastebin, have been confirmed as valid by security researchers.
Users of the keys have also confirmed that they have regained access to the files.

Ransomware is a particularly nasty form of malware which, once executed on a vulnerable PC, encrypts files and locks users out of their system.

In return for a ransom demand in the virtual currency Bitcoin which can reach thousands of dollars, the victims are told that they will be granted a key to decrypt their files and restore access.

However, there is no guarantee that such keys will work, and to pay up only fuels this expanding criminal industry.

Recently, one strain of the malware dubbed WannaCry caused widespread disruption.
The ransomware targets older Windows operating system builds — Windows 10 has been protected with an automatic patch — and enjoyed a successful campaign which is still causing damage and disruption to date.

The ransomware hit the headlines after taking down numerous UK National Health Service (NHS) hospital and trust systems, and since then, has spread worldwide.

In total, 386 samples of malware utilizing WannaCry have been detected in the wild, but if you have accepted automatic updates and keep your system up-to-date, there shouldn’t be any need to worry about becoming infected.

This is not the first time master keys for Crysis have been released; in fact, this is the third time.
However, what sets this release apart is that the keys can also be used to decrypt files which have been encrypted with .wallet and .onion extensions.

“This has become a habit of the Crysis operators lately — with this being the third time keys were released in this manner,” ESET researchers say. “Since the last set of decryption keys was published, Crysis ransomware attacks have been detected by our systems over ten thousand times.”

Why the keys have been released remains a mystery — it may be that all who were likely to pay up have done so, and so there is no harm in releasing the keys, or perhaps after enjoying some time in the spotlight the campaign’s operators are happy to get out of the game.

If you have been affected by this strain of ransomware, you can download a decryption tool provided by security firm ESET here.

Source:
http://www.zdnet.com/article/crysis-ransomware-master-keys-released-to-the-public/#ftag=RSSbaffb68

WannaCry Decryption Tool WanaKiwi Works on Windows XP, 2003, Vista, 2008 and 7

May 21, 2017

The decryption tool has a higher chance of working if you haven’t rebooted your device after the infection

Now that WannaCry infections have dropped somewhat, saviors come to our help, bringing decryption keys. So far, two have been confirmed to work.
One is WannaKey, which we’ve already reported on, and another is WanaKiwi.

Developed by researcher Benjamin Delpy, also known as gentilkiwi, WanaKiwi works on multiple Windows versions. Europol also confirmed the decryption tool is effective.

There’s a catch before running WanaKiwi, however – you have to keep your machine running after the infection.
That means no reboot is allowed.
This is because prime numbers may be overwritten in the system’s memory after a while, which would lower the chances of the tool being effective.

“WanaKiwi works on both Windows XP and Windows 7.
This would imply it works for every version of Windows XP to 7, including Windows 2003, Vista and 2008 and 2008 R2,” confirms Matt Suiche from security firm Comae Technologies.

How does it work?

You’ll first have to download wanakiwi (obviously).
Once you run the file, it will automatically look for the 00000000.pky file and you’ll just have to hope for the best while it scans.
Basically, you have to hope that your prime numbers haven’t been overwritten in the process address space, which is why you should not reboot your device after it has been infected.
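To make the "prime numbers in memory" point above concrete (both the no-reboot caveat and the scan-and-hope step), here is an added Python example; it is not part of the original post and is not WanaKiwi's or WannaKey's own code. It assumes the simplified model the article describes: the public RSA modulus N and exponent e are known (a real tool would parse them from the 00000000.pky blob), and if one of the two primes that built N is still lying in process memory, the private exponent can be rebuilt from it. The "memory image", the toy-sized primes and the wrapped value are all constructed here; a real recovery tool reads the infected process's address space and works with 2048-bit keys. Requires Python 3.8+ for `pow(e, -1, phi)`.

```python
"""Rebuild an RSA private key from its public modulus plus one prime factor
found in a (constructed) memory image, and show why an overwritten prime
means the recovery fails.  Added example; not the tool's real code."""
import random

# Constructed key material: two known Mersenne primes.  Far too small for a
# real key; chosen so the example is deterministic and runs instantly.
P_CONSTRUCTED = (1 << 31) - 1      # 2^31 - 1
Q_CONSTRUCTED = (1 << 61) - 1      # 2^61 - 1
E = 65537
PRIME_LEN = 8                      # q fits in 8 little-endian bytes


def public_key():
    """(N, e): the part of the key the malware leaves on disk (pky-like)."""
    return P_CONSTRUCTED * Q_CONSTRUCTED, E


def build_memory_image(prime, prime_len=PRIME_LEN, size=4096, seed=7, offset=1234):
    """Constructed stand-in for a process memory dump: random filler with the
    prime embedded little-endian at a fixed offset."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[offset:offset + prime_len] = prime.to_bytes(prime_len, "little")
    return bytes(buf)


def scan_memory_for_factor(memory, n, prime_len=PRIME_LEN):
    """Slide a prime_len-byte window across memory.  N has no divisors other
    than 1, p, q and N, so any window that divides N non-trivially is one of
    the two primes.  Returns (prime, offset) or None if nothing survives."""
    for off in range(len(memory) - prime_len + 1):
        cand = int.from_bytes(memory[off:off + prime_len], "little")
        if 1 < cand < n and n % cand == 0:
            return cand, off
    return None


def rebuild_private_exponent(n, e, p):
    """Standard RSA key reconstruction: q = N/p, phi = (p-1)(q-1), d = e^-1 mod phi."""
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def recover_and_decrypt(memory, n, e, ciphertext, prime_len=PRIME_LEN):
    """Full pipeline: find a prime in memory, rebuild d, unwrap the ciphertext.
    Returns None when the prime has been overwritten (the reboot case)."""
    found = scan_memory_for_factor(memory, n, prime_len)
    if found is None:
        return None
    p, _ = found
    d = rebuild_private_exponent(n, e, p)
    return pow(ciphertext, d, n)


def demo():
    """Run the recovery once against intact memory and once after a wipe."""
    n, e = public_key()
    secret = 0xCAFEBABE                 # stands in for a wrapped per-file key
    wrapped = pow(secret, e, n)         # what the ransomware would write out
    live_memory = build_memory_image(Q_CONSTRUCTED)
    recovered = recover_and_decrypt(live_memory, n, e, wrapped)
    wiped_memory = bytes(len(live_memory))   # every prime byte overwritten
    after_reboot = recover_and_decrypt(wiped_memory, n, e, wrapped)
    return recovered, after_reboot


if __name__ == "__main__":
    ok, failed = demo()
    print("recovered from live memory:", hex(ok) if ok is not None else None)
    print("recovered after wipe:", failed)
```

The scan is deliberately naive (one window length, every offset); the point is that the whole recovery hinges on a single prime surviving in RAM, which is exactly why the article tells victims not to reboot.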

The tool will not work for every user due to its dependencies, but there’s hope for many, many people.
There are hundreds of thousands of people who have been infected by WannaCry, and only a handful of those have chosen to pay the $300 in Bitcoin requested by the attackers.

The WannaCry ransomware spread started a week ago and over 220,000 computers have been infected in the process.
The malware takes advantage of a Windows vulnerability that was being exploited by the NSA, as per a series of documents dumped online by a hacker group called the Shadow Brokers.

Microsoft has released a patch for the affected systems, although users are also advised to install a security solution which will block off attacks.

Source:
http://news.softpedia.com/news/wannacry-decription-tool-wanakiwi-works-on-windows-xp-2003-vista-2008-and-7-515872.shtml

Researcher Creates Tool to Unlock WannaCry-Infected Windows XP Files

May 19, 2017

A security researcher appears to have discovered a flaw in WannaCry that may provide Windows XP victims of the attack with a way to unlock their files.

A French security researcher has reportedly found a potential rescue tool for Windows XP WannaCry victims after discovering a flaw in the malware, according to various published reports.

Adrien Guinet of QuarksLab in Paris released a potential fix in Github, which relies on snagging private key traces from the infected computer’s memory to decrypt the files, according to a report in Wired.
But there is a caveat: the potential fix may fail if the malware, or other processes, overwrote the decryption key traces, or if the user rebooted the computer after the infection, according to Wired.

Other security researchers have had mixed results in testing Guinet’s WannaCry workaround, with some saying it did not work when they tested it and others noting Guinet appears to have found a legitimate flaw in WannaCry.

Read more about Guinet here.

Source:
http://www.darkreading.com/threat-intelligence/researcher-creates-tool-to-unlock-wannacry-infected-windows-xp-files/d/d-id/1328916?_mc=RSS_DR_EDT