Windows BITS Service Used to Reinfect Computers with Malware

Crooks found a way to reinfect computers with malware via the Windows BITS service, months after their initial malware was detected and deleted from the infected system.

BITS (Background Intelligent Transfer Service) is a Windows utility for transferring files between a client and a server. The utility works based on a series of cron jobs and is the service in charge of downloading and launching your Windows update packages, along with other periodic software updates.

According to US-based Dell subsidiary SecureWorks, crooks are using BITS to set up recurring malware download tasks, and then leveraging its autorun capabilities to install the malware.

Abusing BITS is nothing new since criminals used the service in the past, as early as 2006, when Russian crooks were peddling malicious code capable of using BITS to download and installing malware on infected systems.Initial malware infection took place back in March 2016In the particular case, SecureWorks staff were called to investigate a system that had no malware infections but was still issuing weird security alerts regarding suspicious network activities.

The SecureWorks team discovered that the initial malware infection took place on a Windows 7 PC on March 4, 2016, and that the original malware, a version of the DNSChanger malware calledZlob.Q, had added malicious entries to the BITS service.

These rogue BITS tasks would download malicious code on the system and then run it, eventually cleaning up after itself.

Since the user’s antivirus removed the initial malware, the BITS tasks remained, re-downloading malware at regular intervals. Because BITS is a trusted service, the antivirus didn’t flag these activities as malicious but still issued alerts for irregular activities.BITS tasks could be used in much more dangerous waysIn this case, SecureWorks reports that the BITS jobs downloaded and launched a DLL file that executed as a “notification program.”

BITS jobs have a maximum lifetime of 90 days, and if the malware coder had used them properly, they could have had a permanent foothold on the infected system.

SecureWorks staff presents a method of searching for malicious BITS tasks in their technical write-up, along with a list of domains from where this particular infection kept downloading malicious code.

To read more and the original story follow this link to Softpedia. 

Samsung Warns Customers To Think Twice About What They Say Near Smart TVs

(ANTIMEDIA) — In a troubling new development in the domestic consumer surveillance debate, an investigation into Samsung Smart TVs has revealed that user voice commands are recorded, stored, and transmitted to a third party. The company evenwarns customers not to discusspersonal or sensitive information within earshot of the device.

This is in stark contrast to previous claims by tech manufacturers, like Playstation, who vehemently deny their devices record personal information, despite evidence to the contrary, including news that hackers can gain access to unencrypted streams of credit card information.

The new Samsung controversy stems from the discovery of a single haunting statement in the company’s “privacy policy,” which states:

“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.”

This sparked a back and forth between the Daily Beast and Samsung regarding not only consumer privacy but also security concerns. If our conversations are “captured and transmitted,” eavesdropping hackers may be able to use our “personal or other sensitive information” for identity theft or any number of nefarious purposes.

There is also the concern that such information could be turned over to law enforcement or government agencies. With the revelation of the PRISMprogram — by which the NSA collected data from Microsoft, Google, and Facebook — and other such NSA spying programs, neither the government nor the private sector has the benefit of the doubt in claiming tech companies are not conscripted into divulging sensitive consumer info under the auspices of national security.

Michael Price, counsel in the Liberty and National Security Program at the Brennan Center for Justice at the NYU School of Law, stated:

“I do not doubt that this data is important to providing customized content and convenience, but it is also incredibly personal, constitutionally protected information that should not be for sale to advertisers and should require a warrant for law enforcement to access.”

Responding to the controversy, Samsung updated its privacy policy, named its third party partner, and issued the following statement:

“Voice recognition, which allows the user to control the TV using voice commands, is a Samsung Smart TV feature, which can be activated or deactivated by the user. The TV owner can also disconnect the TV from the Wi-Fi network.”

Under still more pressure,Samsung named its third party affiliate, Nuance Communications. In a statement to Anti-Media, Nuance said:

“Samsung is a Nuance customer. The data that Nuance collects is speech data. Nuance respects the privacy of its users in its use of speech data. Our use of such data is for the development and improvement of our voice recognition and natural language understanding technologies. As outlined in our privacy policy, third parties work under contract with Nuance, pursuant to confidentiality agreements, to help Nuance tailor and deliver the speech recognition and natural language service, and to help Nuance develop, tune, enhance, and improve its products and services.

“We do not sell that speech data for marketing or advertising. Nuance does not have a relationship with government agencies to turn over consumer data…..There is no intention to trace these samples to specific people or users.”

Nuance’s Wikipedia pagementions that the company maintains a small division for government and military system development, but that is not confirmed at this time.

Despite protestations from these companies that our voice command data is not being traced to specific users or, worse, stored for use by government or law enforcement agencies, it seems that when it comes to constitutional civil liberties, the end zone keeps getting pushed further and further down the field.

For years, technologists and smart device enthusiasts claimed webcam and voice recording devices did not store our information. While Samsung may be telling the truth about the use of that data, there are countless companies integrating smart technology who may not be using proper encryption methods and may have varying contractual obligations to government or law enforcement.

Is it really safe for us to assume that the now exceedingly evident symbiotic relationship between multinational corporations and government agencies does not still include a revolving door for the sharing of sensitive consumer data?

This article (Samsung Warns Customers To Think Twice About What They Say Near Smart TVs) is free and open source. You have permission to republish this article under a Creative Commonslicense with attribution to Jake Anderson and theAntiMedia.org.Anti-Media Radio airs weeknights at 11pm Eastern/8pm Pacific. If you spot a typo, emailedits@theantimedia.org.

90 Percent of All SSL VPN Use Insecure or Outdated Encryption

Information security firm High-Tech Bridge has conducted a study of SSL VPNs (Virtual Private Networks) and discovered that nine out of ten such servers don’t provide the security they should be offering, mainly because they are using insecure or outdated encryption.

An SSL VPN is different from a classic IPSec VPN because it can be used inside a standard Web browser without needing to install specific software on the client-side.

SSL VPNs are installed on servers, and clients connect to the VPN via their browsers alone. This connection between the user’s browser and the VPN server is encrypted with the SSL or TLS protocol.

Three-quarters of all SSL VPNs use untrusted certificates

Researchers from High-Tech Bridge say they analyzed 10,436 randomly selected SSL VPN servers and they found that most of them are extremely insecure.

They claim that 77% of all SSL VPNs use SSLv3 or SSLv2 to encrypt traffic. Both of these two versions of the SSL protocol are considered insecure today. These protocols are so insecure that international and national security standards, such as the PCI DSS and NIST SP 800-52 guidelines, have even gone as far as to prohibit their usage.

Regardless of their SSL version, 76% of all SSL VPN servers also used untrusted SSL certificates. These are SSL certificates that the server has not confirmed, and that attackers can mimic and thus launch MitM (Man-in-the-Middle) attacks on unsuspecting users.

High-Tech Bridge experts say that most of these untrusted certificates are because many SSL VPNs come with default pre-installed certificates that are rarely updated.

Some VPNs still use MD5 to sign certificates

Additionally, researchers also note that 74% of certificates are signed with SHA-1 signatures, and 5% with MD5 hashes, both considered outdated.

41% of all SSL VPNs also used insecure 1024 key lengths for their RSA certificates, even if, for the past years, any RSA key length below 2048 was considered to be highly insecure.

Even worse, one in ten SSL VPNs is still vulnerable to the two-year-old Heartbleed vulnerability, despite patches being available.

Out of all the tested SSL VPNs, researchers say that only 3% followed PCI DSS requirements. None managed to comply with NIST (National Institute of Standards and Technology) guidelines.

High-Tech Bridge is also providing a free tool that can tell users if their SSL VPN or HTTPS website is actually doing a good job of protecting them.

For the original story follow this link to Softpedia for more information.

Android adware can install itself even when users explicitly reject it

A while back, Ars reported on newly discovered Android adware that is virtually impossible to uninstall. Now, researchers have uncovered malicious apps that can get installed even when a user has expressly tapped a button rejecting the app.

The hijacking happens after a user has installed a trojanized app that masquerades as an official app available in Google Play and then is made available in third-party markets. During the installation, apps from an adware family known as Shedun try to trick people into granting the app control over the Android Accessibility Service, which is designed to provide vision-impaired users alternative ways to interact with their mobile devices. Ironically enough, Shedun apps try to gain such control by displaying dialogs such as this one, which promises to help weed out intrusive advertisements.

From that point on, the app has the ability to display popup ads that install highly intrusive adware. Even in cases where a user rejects the invitation to install the adware or takes no action at all, the Shedun-spawned app uses its control over the accessibility service to install the adware anyway.

“Shedun does not exploit a vulnerability in the service,” researchers from mobile security provider Lookout wrote in a blog post published Thursday morning. “Instead it takes advantage of the service’s legitimate features. By gaining the permission to use the accessibility service, Shedun is able to read the text that appears on screen, determine if an application installation prompt is shown, scroll through the permission list, and finally, press the install button without any physical interaction from the user.”

For a video demonstration and the original story follow this link to Ars Technica.

As previously reported, Shedun is one of several families of adware that can’t easily be uninstalled. That’s because the apps root the device and then embed themselves into the system partition to ensure they persist even after factory reset. Lookout refers to them as “trojanized adware” because the end goal of this malware is to install secondary applications and serve aggressive advertising.

The ability to use social engineering to hijack the Android Accessibility Service is yet another sign of the creativity and ingenuity put into this new breed of apps. As always, readers are reminded to carefully weigh the risks and benefits of using third-party app markets. They should also remain highly suspicious of any app that asks for control of the Android Accessibility Service.

Yes, Google can remotely reset Android passcodes, but there’s a catch

Newer Android phone and tablet owners aren’t affected, but it does say something about Android’s fragmentation of device security.

The one-sided encryption debate continues. Now, it’s being used as a tool to spread what’s commonly known as “fear, uncertainty, and doubt.”

If you ventured to Reddit, you might have read a startling claim by the Manhattan district attorney’s office, who last week released a report into smartphone encryption and public safety.

It reads [PDF]:

“Google can reset the passcodes when served with a search warrant and an order instructing them to assist law enforcement to extract data from the device. This process can be done by Google remotely and allows forensic examiners to view the contents of a device.”

But there’s a problem: that’s only half of the story. And while it’s true, it requires a great deal more context.

The next few lines read:

“For Android devices running operating systems Lollipop 5.0 and above, however, Google plans to use default [device] encryption, like that being used by Apple, that will make it impossible for Google to comply with search warrants and orders instructing them to assist with device data extraction.”

If you thought you heard that before, that’s because you have.

Google, which develops Android, said in its “Lollipop” 5.0 upgrade two years ago it would enable device encryption by default, which forces law enforcement, federal agents, and intelligence agencies to go to the device owner themselves rather than Google.

This so-called “zero knowledge” encryption — because the phone makers have zero knowledge of your encryption keys — also led Apple to do a similar thing with iOS 8 and later. Apple now has 91 percent of its devices using device encryption.

However, there was some flip-flopping on Google’s part because there were reports of poor device performance. Eventually, the company said it would bring device encryption by default to its own brand of Nexus devices. Then, it said that its newest “Marshmallow” 6.0 upgrade will enable device encryption by default.

It took a year, but Google got there in the end. 

The US government, and its law enforcement and prosecutors were concerned. They have argued that they need access to device data, but now they have to go to the very people they are investigating or prosecuting.

Only a fraction of Android devices, however, are protected.

According to latest figures, only 0.3 percent of all Android devices are running “Marshmallow” 6.0, which comes with device encryption by default. And while “Lollipop” 5.0 is used on more than one-quarter of all Android devices, the vast majority of those who have device encryption enabled by default are Nexus owners.

To read more and the original story follow this link to ZD Net.

Americans are wary about IoT privacy

Americans are in an “it depends” state when it comes to disclosing personal information over internet-connected devices, according to a new Pew Research Center study. The study proposed different scenarios to which 461 Americans expressed whether they believed being monitored by a device was acceptable, not acceptable, or depended on the situation. Pew Research Center found that some scenarios were acceptable to the majority of Americans, but the answers often came with caveats. For example, most consumers find a security camera in the office acceptable, but with restrictions; one person said, “It depends on whether I would be watched and filmed every minute of the day during everything I do.”

Here are the responses to the IoT-related scenarios the study presented:

• Office surveillance cameras: More than half (54%) of Americans believe that it’s acceptable for a surveillance camera in the workplace, making it the most acceptable of the six proposed scenarios. Another 21% answered “it depends,” while 24% said it would not be acceptable.

• Sharing health information with your doctor: 52% of Americans believe it’s acceptable for their doctor to utilize a website to manage patient records and schedule appointments, 20% answered “it depends,” and 26% thought it was not acceptable. This correlates with iTriage survey, which indicated that 76% of consumers feel comfortable transferring wearable health data to their practitioner. 

• Usage-based auto insurance: 37% of respondents answered it was acceptable for auto insurance companies to collect information via a UBI dongle, such as Progressive’s Snapshot, and offer discounts for safe driving. 45% said it was not acceptable, while 16% said “it depends.”

• Smart thermostat: 27% of respondents said it was acceptable for a smart thermostat in the house to track where the occupant is and share that data. More than half of respondents (55%) said it was not acceptable, and 17% answered “it depends.”

Through focus groups and open-ended answers, Pew narrowed down the top reasons consumers believe sharing information is unacceptable: Through focus groups and open-ended answers, Pew narrowed down the top reasons consumers believe sharing information is unacceptable:

1) The threat of scammers and hackers;
2) Being repeatedly marketed from companies collecting data;
3) They do not want to share their location;
4) They think it’s “creepy”;
5) The companies collecting the data have ulterior motives to use it.

Data privacy will continue to be a big trend as the Internet of Things market matures. Device makers should be transparent about the data being collected and what it’s used for. Further, they should ensure the devices and their associated data storage bases are secure.

To read more of this article and the original story follow this link to Business Insider.

New Android Malware Sprouting Like Weeds

Information stored on an Android smartphone or tablet is vulnerable to almost 4,900 new malware files each day, according to a report G Data SecurityLabs released Wednesday.

Cybercriminals’ interest in the Android operating system has grown, the firm’s Q1 2015 Mobile Malware Report revealed.

“The report suggests that Android devices are becoming a bigger target for the bad guys and more profitable than in previous years,” said Andy Hayter, security evangelist for G Data.

The number of new malware samples in the first quarter increased 6.4 percent (440,267) from the fourth quarter of last year (413,871). The number of malware strains rose by 21 percent compared with the first quarter of 2014 (316,153).

More than 2 million new Android malware strains are likely to surface this year, G Data security predicted.

Just the Start

The 2 million figure is very realistic, due to the increasing use of Android devices for banking and shopping online, G Data suggested.

“The report shows that the OS has a bigger market share than the others, and thus is more interesting to security researchers and malware authors alike. Also, a lot of vendors offer Android devices varying in quality standards, but that is not a problem of the OS itself, but rather of the vendor in question,” Hayter told LinuxInsider.

Google introduced premium SMS Checks last year. After that, the malware models started to spread out, he noted.

“Before that time there were a few very active malware families, such as SMS FakeInstaller,” Hayter said. “Since then there are lots of small families.”

Financially Motivated

At least 41 percent of consumers in Europe and 50 percent in the U.S. use a smartphone or tablet for their banking transactions. Plus, 78 percent of Internet users make purchases online.

The new malware files have a financial foundation, according to the G Data report. At least half of all Android malware now in circulation includes banking Trojans, SMS Trojans and similar malware components.

The actual percentage of malware-infected Android apps easily could be higher, the researchers warned. They only studied malware with a direct financial purpose — many other types of cases might exist.

For example, a malware program might install apps or steal credit card data as an additional process after a payment is made. Because that type of malware would not seem to be financially motivated, it would not have been included in the report’s statistics.

Thin Dividing Line

Free Android apps offer particularly attractive attack vectors to cybercriminals. Many apps, especially free apps, rely on advertising to fund their development.

Bad apps can hide themselves in the background or conceal functions from users. Bad apps also can send legitimate apps’ data to additional advertising networks.

Apps that do such things — like programs running on PC OSes — are called “Potentially Unwanted Programs,” or PUPs. The report categorizes such apps as adware, noting that they often hide in manipulated or fake apps that are installed from sources other than the Google Play Store.

Malware Magnet

Android is a derivative of Linux, an operating system generally considered less likely to be targeted by viruses and malware. However, Android is less rigorous and less secure than other mobile platforms, said Rob Enderle, principal analyst at the Enderle Group.

“There is much more sideloading, which means there is a far easier path to getting viruses on Android devices than any other mobile platform,” he told LinuxInsider.

Google historically has been less focused on security and customer satisfaction than firms that are more closely tied to user revenue, Enderle said. Another reason for Android’s vulnerability is that mobile platforms generally don’t run security software.

Historically, they have been somewhat protected because of their tight ties to curated stores, “but now that smartphones have PC-like performance, they are becoming a magnet for malware,” noted Enderle.

“Google’s lack of focus on this problem, reminiscent of Microsoft’s similar mistake in the late 1990s — which resulted in their having to rethink their OS and create Windows XP — has created a massive exposure for Android users,” he said.

To read more follow this link to Linux Insider.

New malware used to attack energy companies

The Trojan program is used for reconnaissance and distribution of additional malware, researchers from Symantec say

 

A new malware program is being used to do reconnaissance for targeted attacks against companies in the energy sector.

The program, dubbed Trojan.Laziok by researchers from antivirus vendor Symantec, was used in spear-phishing attacks earlier this year against companies from the petroleum, gas and helium industries.

The attacks targeted companies from many countries in the Middle East, but also from the U.S., India, the U.K., and others, according to malware researchers from Symantec.

The Trojan is spread via emails with malicious documents that exploit a Microsoft Office vulnerability for which a patch has existed since April 2012.

“If the user opens the email attachment, which is typically an Excel file, then the exploit code is executed,” the Symantec researchers said Monday in a blog post. “If the exploit succeeds, it drops Trojan.Laziok, kicking off the infection process.”

Trojan.Laziok is mainly used to determine if a compromised system is worth further attention from the attackers. It collects information like the computer’s name, RAM size, hard disk size, GPU and CPU type, as well as a list of installed software, including running antivirus programs.

The information is sent back to the attackers, who then decide if they want to deploy additional malware that can provide them with remote access to the infected system. For this second stage of attack they use customized versions of Backdoor.Cyberat and Trojan.Zbot, two well known malware threats.

“The group behind the attack does not seem to be particularly advanced, as they exploited an old vulnerability and used their attack to distribute well-known threats that are available in the underground market,” the Symantec researchers said. “However, many people still fail to apply patches for vulnerabilities that are several years old, leaving themselves open to attacks of this kind.”

For more information and the original story follow this link to Computerworld

Vsenn is a modular smartphone with triple layer encryption

Image via TechSpot

Google’s Project Ara hopes to free users from the yearly upgrade cycle that exists in the smartphone world. With the ability to swap out or upgrade various components of your smartphone, the goal is to reduce waste while also reducing the cost of always having the latest mobile hardware in your pocket. Now, Ara has some competition in the form of security conscious Vsenn, which wants to do something similar along with three layers of encryption.

Engadget points to the Vsenn website, which states that the company was co-founded by an unnamed former Nokia Android X program manager. The site promises modular hardware when it comes to your phone’s camera, battery, processor, and RAM as well as guaranteed Android updates for four years and customization via swappable back covers. The real clincher is that all of your data is protected with triple layer encryption and users have free access to a VPN network and secure cloud service.

For a lot of people, their smartphone is a key to their digital life. With access to everything from email and banking information to hundreds or thousands of photos, the prospect of losing that device or it falling into the wrong hands can be a scary thought. That’s why devices like Vsenn or the BlackPhone (which was shown off at MWC earlier this year and encrypts calls, emails texts, and browsing) garner so much attention.

No word on when consumers can get their hands on a Vsenn phone, but the company has already confirmed that the first of its devices will have a 4.7-inch 468.7 PPI display and will measure 124 x 63 x 8.9 mm. So just a little shorter and narrower and slimmer than the 2013 Moto G.

For more information and the original story follow the source link below.

Source: mobilesyrup

Sophisticated malware has been spying on computers since 2008 (updated)

Highly sophisticated malware isn’t limited to relatively high-profile sabotage code like Stuxnet — sometimes, it’s designed to fly well under the radar. Symantec has discovered Regin, a very complex trojan that has been spying on everyone from governments to individuals since at least 2008. The malware is highly modular, letting its users customize their attacks depending on whether they need to remote control a system, get screenshots or watch network traffic. More importantly, it’s uncannily good at covering its tracks. Regin is encrypted in multiple stages, making it hard to know what’s happening unless you capture every stage; it even has tools to fight forensics, and it can use alternative encryption in a pinch. Researchers at Symantec suspect that the trojan is a government-created surveillance tool, since it likely took “months, if not years” to create.

If it is meant for spying, though, it’s not clear just who wrote the malware or why. Unlike Dragonfly and other instances of professionally-made malware, Regin’s origin hasn’t been narrowed down to a particular country or region. About half of the infections have taken place in Russia and Saudi Arabia, but you can also find victims across India, Iran and multiple European nations. Also, it’s definitely not limited to telecoms or other high-value targets — 48 percent of known victims are people and small businesses. While Regin could easily be part of an online espionage campaign, it’s hard to rule anything out at this point.

Update: Kaspersky Labs did some extra sleuthing and found that Regin can attack cellular’ networks GSM base stations, mapping their infrastructure. Also, sources tell The Intercept that Belgian carrier Belgacom found the trojan on its internal networks. That’s potentially worrisome — while there’s no hard evidence of a connection so far, it suggests that Britain’s GCHQ may have used Regin to infiltrate Belgacom and spy on its users.

For more information and the original story follow the source link below.

Source: Engadget