
Iran oil terminal suffers malware attack

  • Post author: Omid Farhang
  • Post published: April 24, 2012
  • Reading Time: 2 min
  • Word Count: 240 words

The BBC is reporting that websites belonging to the Iranian oil ministry and national oil company are offline after suffering a malware infection this weekend. Iran has disconnected all of its oil processing facilities as a precaution, including the facility at Kharg Island which processes more than 90% of Iran’s exports. The semi-official news agency, Mehr, reported that information about users of the websites had been stolen, but no sensitive data had been accessed. ...


IMG0893.zip – Your photo all over Facebook? Naked? Malware campaign spammed out

  • Post author: Omid Farhang
  • Post published: April 23, 2012
  • Reading Time: 2 min
  • Word Count: 356 words

SophosLabs is intercepting a spammed-out malware campaign, pretending to be an email about a revealing photo posted online of the recipient. The emails, which have a variety of subject lines and message bodies, arrive with an attached ZIP file (IMG0893.zip) which contains a Trojan horse. Subject lines used in the spammed-out malware campaign include:

  • RE:Check the attachment you have to react somehow to this picture
  • FW:Check the attachment you have to react somehow to this picture
  • RE:You HAVE to check this photo in attachment man
  • RE:They killed your privacy man your photo is all over facebook! NAKED!
  • RE:Why did you put this photo online?

...


Sabpab, new Mac OS X backdoor Trojan horse discovered

  • Post author: Omid Farhang
  • Post published: April 15, 2012
  • Reading Time: 1 min
  • Word Count: 208 words

SophosLabs: More malware for the Mac OS X platform has been discovered, hot on the heels of the revelation that some 600,000 Macs had been infected in the Flashback attack. And just like Flashback, the new Trojan doesn’t require any user interaction to infect your Apple Mac. The Sabpab Trojan horse exploits the same drive-by Java vulnerability used to create the Flashback botnet. The newly discovered Sabpab malware is in many ways a basic backdoor Trojan horse. It connects to a control server using HTTP, receiving commands from remote hackers as to what it should do. The criminals behind the attack can grab screenshots from infected Macs, upload and download files, and execute commands remotely. ...


Malware blocks booting

  • Post author: Omid Farhang
  • Post published: April 15, 2012
  • Reading Time: 1 min
  • Word Count: 192 words

Anti-virus experts at Trend Micro have discovered ransomware which blocks systems from booting. In contrast to the localised trojans, which are widely spread around Europe, it does so by inserting itself into the master boot record (MBR). It then restarts the system and instructs the user to pay a ransom of 920 Ukrainian hryvnia (equivalent to about 90 euros) to the criminals via payment service QIWI. If victims pay up, the criminals send them a code to unlock their computers. Users can, however, save themselves 920 hryvnia by following the experts’ instructions for removing the infection. This essentially consists of running the recovery console from the Windows Installation DVD and restoring the original MBR using the fixmbr command. ...


Apple releases Java update with Flashback removal tool

  • Post author: Omid Farhang
  • Post published: April 13, 2012
  • Reading Time: 2 min
  • Word Count: 261 words

The H-Online: As expected, Apple has released an updated version of the Java implementation for its Mac OS X operating system that includes a removal tool for the Flashback trojan. According to the company, the update, labelled “Java for OS X 2012-003”, finds and removes the “most common variants” of the malware which had infected approximately 600,000 systems using flaws in the previous version of Java. Additionally, the new Java update for Mac OS X 10.7 Lion prevents Java applets from being automatically executed by disabling the Java web plugin by default. Users can re-enable the automatic execution of Java applets via the Java Preferences application (Applications → Utilities → Java Preferences). However, if the plugin detects that Java applets have not been run for “an extended period of time”, it will automatically disable applet support again. ...


Android malware poses as Angry Birds Space game

  • Post author: Omid Farhang
  • Post published: April 12, 2012
  • Reading Time: 1 min
  • Word Count: 203 words

Android malware authors have seized an opportunity to infect unsuspecting smartphone users with the launch of the latest addition to the immensely popular “Angry Birds” series of games. SophosLabs recently encountered malware-infected editions of the “Angry Birds Space” game which have been placed in unofficial Android app stores. The Trojan horse, which Sophos detects as Andr/KongFu-L, appears to be a fully-functional version of the popular smartphone game, but uses the GingerBreak exploit to gain root access to the device, and install malicious code. ...


Russian AV company claims 600,000 Macs infected by Flashback [Removal Manual]

  • Post author: Omid Farhang
  • Post published: April 6, 2012
  • Reading Time: 2 min
  • Word Count: 407 words

The H-Online: A Russian AV company, Dr. Web, says it has conducted research to determine the spread of the Flashback trojan on systems running Mac OS X and says that 550,000 systems are infected, mostly in the US and Canada. A later update raised that number to 600,000 and claimed 274 infected systems in Cupertino, California. Dr. Web says it employed a sinkhole technique to intercept the bot installed by the newest Flashback trojan, and directed the bots to its own servers where it could analyse the traffic. Each bot includes a unique ID of the machine it has infected in the query string it sends to the command and control server; it is these unique IDs that Dr. Web has used to calculate the infection count. According to its estimates, of the original 550,000 estimate, 56.6% of the systems were in the United States, 19.8% in Canada, 12.8% in the United Kingdom and 6.1% in Australia. ...


"Please do not take down the Sality botnet"

  • Post author: Omid Farhang
  • Post published: March 29, 2012
  • Reading Time: 2 min
  • Word Count: 355 words

The H-Security: On Tuesday, a user who is known as “lawabidingcitizen” posted an unusual request to the Full Disclosure mailing list, a forum that is mainly used by the security community: “Please do not take down the Sality botnet.” The contributor says that he found a way of dramatically reducing the number of infected computers after analysing the botnet. He adds that the required actions are unlawful, but nevertheless proceeds to describe the method in considerable detail and makes special tools for the task available. ...


New Dr Who girl Jenna-Louise Coleman's name exploited by Twitter sex video scammers

  • Post author: Omid Farhang
  • Post published: March 22, 2012
  • Reading Time: 2 min
  • Word Count: 320 words

SophosLabs: Jenna-Louise Coleman has been unveiled as the new “Doctor Who” companion, joining the BBC TV time traveller in his TARDIS later this year. “Doctor Who” is one of Britain’s biggest television shows, and is popular elsewhere around the world, so it was no surprise to find 25-year-old actress Jenna-Louise Coleman’s name was a trending topic on Twitter today. Unfortunately, there are frequently mischief-makers, scammers and cybercriminals waiting to exploit a popular search term or hashtag. ...


‘Fileless’ malware installs into RAM

  • Post author: Omid Farhang
  • Post published: March 20, 2012
  • Reading Time: 2 min
  • Word Count: 337 words

Exploit found in Russian adware invades process, doesn’t install files

The Register: Researchers at Kaspersky Labs have found malware which, unusually, does not install any files on its victims’ PCs. The researchers aren’t quite sure how unusual it is, describing it as both “unique” and “very rare”, but no matter how scarce this type of malware is it does sound rather nasty as it “uses its payload to inject an encrypted dll from the web directly into the memory of the javaw.exe process.” That mode of operation means Windows and MacOS are both affected by the exploit, which is hard for many antivirus programs to spot given it runs within a trusted process. ...
