Review on Omid Farhang

Stuxnet Missing Link Found, Resolves Some Mysteries Around the Cyberweapon

Wed, 27 Feb 2013 16:12:00 +0000

Cross-posted from WIRED.

As Iran met in Kazakhstan this week with members of the UN Security Council to discuss its nuclear program, researchers announced that a new variant of the sophisticated cyberweapon known as Stuxnet had been found, which predates other known versions of the malicious code that were reportedly unleashed by the U.S. and Israel several years ago in an attempt to sabotage Iran’s nuclear program.

The new variant was designed for a different kind of attack against centrifuges used in Iran’s uranium enrichment program than later versions that were released, according to Symantec, the U.S-based computer security firm that reverse-engineered Stuxnet in 2010 and also found the latest variant.

Ladies with few clothes tend to cause a lot of trouble on PCs – and now on Android devices too

Thu, 02 Aug 2012 14:21:00 +0000

Cross-posted from Surelist

The appearance of a new Android malware family is not that surprising at all today. Especially when we talk about SMS Trojans which are one of the most popular and oldest type of threats created for extracting money from users. A new family of SMS Trojans named Vidro appeared a few days ago but we’ve already collected a lot of APK files with very similar functionality. At the moment all the samples we have found target users only from Poland.

Trojan "made in Germany" spies in Bahrain

Thu, 26 Jul 2012 14:18:00 +0000

h-Online: Citizenlab has released a detailed analysis of the activities of a trojan in which the experts conclude that the malware is most likely closely related to FinFisher, a commercial spyware tool developed by a company called Gamma International. The trojan targeted political activists in Bahrain and included sender names such as that of an Al Jazeera correspondent and subject lines like “Torture reports on Rabil Najaab”.

The attached .exe file, disguised as an image, disabled anti-virus software and installed a complete set of spyware programs on the recipient’s PC. The spyware proceeded to monitor, among other things, the victim’s Skype communications including conversations and file transfers. An analysis of the infected systems’ working memory repeatedly produced the “finspy” character string. This name is used by Gamma to advertise FinFisher modules.

Why Google or Facebook Buying Your Favorite Startup

Sun, 22 Jul 2012 21:37:00 +0000

Time Techland wrote:

When I learned this morning, via Twitter, that the small company behind Mac/iOS e-mail app Sparrow was being bought by Google, I almost didn’t need to read the startup’s announcement to know the upshot.

Google and Facebook buy itty-bitty web companies all the time. And the acquired businesses typically convey what’s happening in an eerily consistent five-step ritual:

Announcement of thrilling acquisition
Reiteration of startup’s wildly ambitious founding notion
Explanation that either Google or Facebook is the best place to change the world
Acknowledgement (or sometimes non-acknowledgement) that the startup’s product is being discontinued or is going into limbo
Expression of heartfelt gratitude to various supporters, usually including the consumers who are losing their something they liked

So it seems to be going with Sparrow: Its five-person team will be working on Gmail henceforth; the existing Sparrow apps aren’t being discontinued, but they apparently won’t get any updates, either.

Madi Malware: Another Trojan Targets Organizations from the Middle East [Updated]

Wed, 18 Jul 2012 10:06:00 +0000

This article is copied from Softpedia:

Researchers from Symantec, Kaspersky and Seculert **have all come across Madi (Madhi), a relatively new piece of malware that mainly targets organizations from the Middle East.
**
Before we take a look at Madi and compare it to other infamous Trojans such as Stuxnet, Duqu, or Flame, let’s take a quick look at its name.

According to Wikipedia, Mahdi is considered to be the redeemer of Islam who will rid the world of tyranny, injustice and wrongdoings.

LinkedIn spam, exploits and Zeus: a deadly combination ?

Thu, 14 Jun 2012 11:25:00 +0000

Is this the perfect recipe for a cybercriminal ?:

Hacking LinkedIn’s password (and possibly user-) database.
Sending an email to all obtained email addresses, which is urging you to check your LinkedIn inbox as soon as possible.
A user unawarely clicking on the link.
An exploit gets loaded. Malware gets dropped. Malware gets executed.
User’s computer is now a zombie (part of a botnet).

I would definitely say YES.
A reader of my blog contacted me today, he had received an email from LinkedIn which was looking phishy. We can verify that Step 1 is accomplished, by the simple fact that in the “To” and/or “CC” field of the email below, there are about ~100 email addresses. A quick look-up of a few of them on LinkedIn reveals the unconvenient truth…
Here’s the email in question:

Password leaks bigger than first thought

Sat, 09 Jun 2012 12:48:00 +0000

The H-Online: There have still been no official statements on the causes and extent of the recent password leaks at LinkedIn, eHarmony and Last.fm. A credible source is now reporting that the published 2.5 million Last.fm MD5 hashes, for example, are just the tip of a 17 million hash iceberg. That iceberg has reportedly been circulating since summer 2011.16.4 million of these – 95 per cent – have, the source claims, already been cracked, a claim which, for unsalted hashes, is entirely credible.

FAQ: Flame, the "super spy"

Thu, 31 May 2012 12:51:00 +0000

Copied from H-Online: Source

The spyware worm Flame is being billed as a “deadly cyber weapon”, but a calmer analysis reveals it to be a tool by professionals for professionals that doesn’t actually have that many new features compared to, say, the widespread online-banking trojan Zeus.

What is Flame?

Flame is the code name for a spyware program that is built to be very modular and which is also known as Flamer and sKyWIper. Flame was just recently discovered, and it will be some time before all of its components are analyzed. Anti-virus software companies estimate that Flame has infected about 1,000 computers, mostly in the Middle East.

Painting a Picture of W32.Flamer

Thu, 31 May 2012 12:40:00 +0000

Symantec Connect: The number of different components in W32.Flamer is difficult to grasp. The threat is a well designed platform including, among other things, a Web server, a database server, and secure shell communications. It includes a scripting interpreter which allows the attackers to easily deploy updated functionality through various scripts. These scripts are split up into ‘apps’ and the attackers even appear to have something equivalent to an ‘app store’ from where they can retrieve new apps containing malicious functionality.

Fake BBC Website Serves Exploits and Work From Home Offers

Mon, 21 May 2012 14:14:00 +0000

GFI Wrote: In September, our friends at Sophos wrote about a fake BBC website offering up the “chance” to work from home for predictably large sums of money. No more than a day later, we were covering fake BBC video posts targeting Facebook users.

Today we’re looking at a fake BBC URL which drops the end-user onto a “work from home and earn $10,000+ a month” fake news site, but not before it’s attempted to load up the PC with malware via a rather nasty collection of exploits. The URL in question is bbcmoneynews(dot)com:

Fake Google Iranian domain defaced by Algerian Script Kiddies

Thu, 03 May 2012 20:31:00 +0000

TheHackerNews: Google got Pwned ? NO Few Algerian Script Kiddies try to spread fake rumors that they Hack and Deface the Giant Search engine “Google Iranian” domain http://www.google.co.ir/ . As the screenshot shown a Algerian flag on it and Page Titles : **“**H4Ck3D By vaga-hacker dz and DR.KIM”.

As mentioned by hacker, the team include hackers named : “V4Ga-Dz,Dz0ne,DR-KIM King-Dz,BroX0 aghilass elite jrojan password kha&mix wasim -dz” . It is not confirmed that, either these are member from some Anonymous Hackers but they try to use Anonymous Hackers Tag line : We Dont Forget , We Dont Forgive, Expect Us! to get some publicity.

Privacy concerns over popular ShowIP Firefox add-on

Tue, 01 May 2012 15:58:00 +0000

Cross-posted from SophosLabs: A popular Firefox add-on appears to have started leaking private information about every website that users visit to a third-party server, including sensitive data which could identify individuals or reduce their security.

Naked Security reader Rob Sanders alerted us to the activities of the recently updated ShowIP add-on for the Firefox browser.

According to the description on the Mozilla add-ons website, ShowIP is designed to “show the IP address(es) of the current page in the status bar. It also allows querying custom information services by IP (right click) and hostname (left click), like whois, netcraft, etc. Additionally you can copy the IP address to the clipboard.”

Get ready for exciting changes coming to Firefox 13, 14 and 15

Thu, 26 Apr 2012 15:12:00 +0000

Cross-posted from BetaNews: Following on from the release of Firefox 12 FINAL, Mozilla has updated its developmental branches to versions 13 (Beta), 14 (Aurora) and 15 (Nightly/UX), respectively. Those looking for major changes in version 12 will may be disappointed, but future builds promise a number of radical new features, including redesigned Home and New Tab pages, plus panel downloads manager and inline preferences screen.

Get a head’s up on what’s coming and discover which build is best for your personal needs with our essential guide to what’s coming up in the near future for Mozilla’s open-source, cross-platform browser.

WikiPharmacy? Fake Notifications Spammed Out

Thu, 26 Apr 2012 15:03:00 +0000

Symantec Connect: Symantec is intercepting a resurgence of spam attacks on popular brands. Spam messages that are replicas of the Wikipedia email address confirmation alert are the new vector for the present. The said spam messages pretend to be originating from Wikipedia, and are selling meds, with the following subject line: “Subject: Wikipedia e-mail address confirmation”.

The spoofed Wikipedia page is a ploy to give legitimacy to the sale of meds online. The embedded URL in the message navigates to a fake online pharmacy site that is dressed up as a Wikipedia Web page. Furthermore, to give the email a legitimate look, the spammer has added the recipient’s IP address in the body of the spam mail. Needless to say this IP does not belong to the user.

Adobe Creative Suite 6 takes to the cloud

Mon, 23 Apr 2012 19:21:00 +0000

Cross-posted from BetaNews.com: Adobe took the wraps off Creative Suite 6 on Monday, introducing the largest release to date of the content-creation platform. CS6 now includes up to 12 programs and two companion applications, Bridge and Encore, and is available in four editions: Design Standard, Design and Web Premium, Production Premium, and Master Collection.

The CS6 beta is one of the most successful in the company’s history, with one million downloads over the past month of availability alone, a record for Adobe. The move was slightly unusual considering the company typically does not offer large-scale betas of its products.

IMG0893.zip – Your photo all over Facebook? Naked? Malware campaign spammed out

Mon, 23 Apr 2012 19:02:00 +0000

SophosLabs is intercepting a spammed-out malware campaign, pretending to be an email about a revealing photo posted online of the recipient.

The emails, which have a variety of subject lines and message bodies, arrive with an attached ZIP file (IMG0893.zip) which contains a Trojan horse.

Subject lines used in the spammed-out malware campaign include:

RE:Check the attachment you have to react somehow to this picture
FW:Check the attachment you have to react somehow to this picture
RE:You HAVE to check this photo in attachment man
RE:They killed your privacy man your photo is all over facebook! NAKED!
RE:Why did you put this photo online?

Free Stuff on Social Networks Not Free

Thu, 29 Mar 2012 15:22:00 +0000

Symantec Connect: In recent years, scammers have flocked towards social networking sites as they have grown and made it easier to access a large number of potential eyeballs to convert into dollars. Brands have found value in leveraging social media to know what their customers are talking about, so, naturally, scammers are doing the exact same thing.

Free iPads and iPhones

Every time Apple unveils a new iPad or iPhone, you can bet there are scammers out there trying to leverage the announcement for financial gain. In the days leading up to and after the announcement of the new third-generation iPad, Twitter users who tweet about the new tablet most likely will receive some targeted Twitter replies from scammers offering the new device for free:

New privacy guidelines for mobile app developers

Fri, 02 Mar 2012 21:50:00 +0000

SophosLabs: This week has seen the annual Mobile World Congress event. For 2012, the giants of the mobile tech world are back in Barcelona to captivate the imagination of the tech press with their latest smartphone and tablet offerings.

The mobile industry trade show has certainly not disappointed. Announcements of smartphones with new quad core processors, phone cameras with huge numbers of megapixels crammed onto its sensor and 3 in 1 smartphone-tablet-netbooks have all provided much excitement.

Phishing via NFC

Fri, 02 Mar 2012 21:38:00 +0000

At the RSA Conference 2012, McAfee’s Chief Technology Officer, Stuart McClure, and several of his colleagues, have demonstrated a whole range of different attacks on mobile devices. For example, they demonstrated an attack on an NFC (Near Field Communication)-enabled smartphone: the attacker simply attaches a modified NFC tag to a legitimate surface such as an advertising poster. For their live demo, the researchers used a Red Cross donations appeal such as those seen at bus stops in various cities across Europe.

Beatles for Sale? It's spam of the day

Mon, 27 Feb 2012 14:54:00 +0000

I’ve owned up to some of the great loves of my life in the past.

For instance, I’m a music lover and I’m very partial to board games (even during a denial-of-service attack).

Today I can also share that I like The Beatles. In particular, anything from “Rubber Soul” and later when the “Yeah yeah yeah” turned into something rather more “Yeah man. Dig it”.

I’ve simply never come across a more talented combination of musicianship and songwriting abilities – for me, you can kick The Stones, The Who, Cream and.. yes.. even MeatLoaf to the kerb, as Lennon, McCartney, Harrison and Starr are the guv’nors.