Windows BITS Service Used to Reinfect Computers with Malware 

Crooks found a way to reinfect computers with malware via the Windows BITS service, months after their initial malware was detected and deleted from the infected system.

BITS (Background Intelligent Transfer Service) is a Windows utility for transferring files between a client and a server. The utility works based on a series of cron jobs and is the service in charge of downloading and launching your Windows update packages, along with other periodic software updates.

According to US-based Dell subsidiary SecureWorks, crooks are using BITS to set up recurring malware download tasks, and then leveraging its autorun capabilities to install the malware.

Abusing BITS is nothing new, since criminals have used the service in the past, as early as 2006, when Russian crooks were peddling malicious code capable of using BITS to download and install malware on infected systems.

Initial malware infection took place back in March 2016

In this particular case, SecureWorks staff were called to investigate a system that had no malware infections but was still issuing weird security alerts regarding suspicious network activity.

The SecureWorks team discovered that the initial malware infection took place on a Windows 7 PC on March 4, 2016, and that the original malware, a version of the DNSChanger malware called Zlob.Q, had added malicious entries to the BITS service.

These rogue BITS tasks would download malicious code on the system and then run it, eventually cleaning up after itself.

Although the user’s antivirus removed the initial malware, the BITS tasks remained, re-downloading malware at regular intervals. Because BITS is a trusted service, the antivirus didn’t flag these activities as malicious but still issued alerts for irregular activities.

BITS tasks could be used in much more dangerous ways

In this case, SecureWorks reports that the BITS jobs downloaded and launched a DLL file that executed as a “notification program.”

BITS jobs have a maximum lifetime of 90 days, and if the malware coder had used them properly, they could have had a permanent foothold on the infected system.

SecureWorks staff present a method of searching for malicious BITS tasks in their technical write-up, along with a list of domains from which this particular infection kept downloading malicious code.
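An added example of the kind of hunt described above (my own script, not the one in SecureWorks’ write-up): it enumerates the BITS jobs of every user with the built-in BitsTransfer module and flags the traits the article mentions, a notification command line that launches a program when the transfer finishes, download URLs on hosts outside an allow-list, and executables or DLLs as local targets. The allow-list is a hypothetical placeholder; edit it for your environment.

```powershell
# Added example, not SecureWorks' tooling. Run from an elevated prompt:
# Get-BitsTransfer -AllUsers needs administrator rights to see other users' jobs.
Import-Module BitsTransfer

# Hypothetical allow-list of hosts BITS is expected to contact; adjust locally.
$allowedHosts = @('windowsupdate.com', 'microsoft.com', 'windows.com')

function Test-AllowedHost {
    param([string]$Url)
    try { $host = ([System.Uri]$Url).Host } catch { return $false }
    foreach ($a in $allowedHosts) {
        if ($host -eq $a -or $host.EndsWith(".$a")) { return $true }
    }
    return $false
}

function Get-SuspiciousBitsJob {
    foreach ($job in Get-BitsTransfer -AllUsers) {
        $reasons = @()

        # The "notification program": a command BITS runs when the job completes.
        $cmd = (@($job.NotifyCmdLine) | ForEach-Object { "$_" }) -join ' '
        if ($cmd.Trim()) { $reasons += "notification command line: $cmd" }

        foreach ($f in $job.FileList) {
            if (-not (Test-AllowedHost $f.RemoteName)) {
                $reasons += "remote URL not on allow-list: $($f.RemoteName)"
            }
            if ($f.LocalName -match '\.(exe|dll|ps1|vbs|js|bat|cmd)$') {
                $reasons += "executable or DLL target: $($f.LocalName)"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId       = $job.JobId
                DisplayName = $job.DisplayName
                Owner       = $job.OwnerAccount
                State       = $job.JobState
                Created     = $job.CreationTime
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

# Report, oldest job first, so long-lived persistence jobs stand out.
Get-SuspiciousBitsJob | Sort-Object Created | Format-List
```

Once a flagged job has been investigated it can be deleted with `Remove-BitsTransfer`; on systems where PowerShell shows an empty NotifyCmdLine, `bitsadmin /list /allusers /verbose` prints the same job details, including the notification command line.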

To read more and for the original story, follow this link to Softpedia.

This Hack Lets You Run Any Android App on Your Chromebook

Using a small JavaScript script, the hack, which is detailed in full on GitHub, allows any regular Android APK to be packaged up and, for want of a better term, side-loaded onto a Chromebook. It can then be run under the Android App Runtime in the same way as the ‘official’ Vine, Duolingo and Evernote.

Restrictions mean that only one Android app can be run at a time.

To watch a YouTube video demonstration and read the full original story, follow this link to OMG Chrome.

Try It Out

If the thought of waiting for Google to partner up with the maker of your favourite app, game or utility is too much to bear, you could don your hard hat and try it out for yourself.

But be warned: it’s not a guide for the fainthearted or the technically averse. The developer behind the hack, Vladikoff, cautions that his tool is a ‘proof of concept’ and is provided without any kind of warranty or assurance. The hack is also not endorsed by Google, Chromium or Android.

To follow along you’ll need a Chromebook with the Android Runtime plugin installed, the Android Vine app (which will be replaced during the course of the guide) and an OS X or Linux desktop from which to ‘package’ your app.

Applications tested and said to be working include Twitter, both tablet and mobile modes, and Flipboard (which was demoed running on a Chromebook at Google I/O).

Other apps tested but that crash include Google Chrome for Android (!), Spotify, SoundCloud and Swing Copters.

You can find more details and a download for the script on the project’s GitHub page, linked below.

‘Run Android APKs on Chromebooks’ Guide

Android adware can install itself even when users explicitly reject it

A while back, Ars reported on newly discovered Android adware that is virtually impossible to uninstall. Now, researchers have uncovered malicious apps that can get installed even when a user has expressly tapped a button rejecting the app.

The hijacking happens after a user has installed a trojanized app that masquerades as an official app available in Google Play and then is made available in third-party markets. During the installation, apps from an adware family known as Shedun try to trick people into granting the app control over the Android Accessibility Service, which is designed to provide vision-impaired users alternative ways to interact with their mobile devices. Ironically enough, Shedun apps try to gain such control by displaying dialogs such as this one, which promises to help weed out intrusive advertisements.

From that point on, the app has the ability to display popup ads that install highly intrusive adware. Even in cases where a user rejects the invitation to install the adware or takes no action at all, the Shedun-spawned app uses its control over the accessibility service to install the adware anyway.

“Shedun does not exploit a vulnerability in the service,” researchers from mobile security provider Lookout wrote in a blog post published Thursday morning. “Instead it takes advantage of the service’s legitimate features. By gaining the permission to use the accessibility service, Shedun is able to read the text that appears on screen, determine if an application installation prompt is shown, scroll through the permission list, and finally, press the install button without any physical interaction from the user.”

For a video demonstration and the original story, follow this link to Ars Technica.

As previously reported, Shedun is one of several families of adware that can’t easily be uninstalled. That’s because the apps root the device and then embed themselves into the system partition to ensure they persist even after factory reset. Lookout refers to them as “trojanized adware” because the end goal of this malware is to install secondary applications and serve aggressive advertising.

The ability to use social engineering to hijack the Android Accessibility Service is yet another sign of the creativity and ingenuity put into this new breed of apps. As always, readers are reminded to carefully weigh the risks and benefits of using third-party app markets. They should also remain highly suspicious of any app that asks for control of the Android Accessibility Service.

A New High-Speed MRI Technique Is Fast Enough To Record Someone Singing

It’s a remarkable technology capable of looking inside a human being, but magnetic resonance imaging—or MRI—machines are finicky and require a patient to remain absolutely still while they do their thing. But researchers at the University of Illinois have found a way to capture up to 100 frames per second on an MRI machine, allowing them to record patients in motion.

The need for a faster MRI technique arose when a faculty member at the University of Illinois’ Beckman Institute for Advanced Science and Technology wanted to study how the muscles of the larynx worked in elderly patients while singing, in an attempt to help give them more powerful and pronounced voices. The problem with using MRI machines was that they could only capture images at around ten frames per second, which was far too slow to study what was going on with the 100 or so muscles required to sing.

So Zhi-Pei Liang, an electrical and computer engineering professor at the institute, worked with his team to develop a new methodology to extract more frames from an MRI machine—which is a far cheaper solution than trying to rebuild and redesign one of the incredibly expensive devices from the ground up. Here’s how the new technique they came up with is described in an issue of Magnetic Resonance in Medicine:

An imaging method is developed to enable high-speed dynamic speech imaging exploiting low-rank and sparsity of the dynamic images of articulatory motion during speech. The proposed method includes: (a) a novel data acquisition strategy that collects spiral navigators with high temporal frame rate and (b) an image reconstruction method that derives temporal subspaces from navigators and reconstructs high-resolution images from sparsely sampled data with joint low-rank and sparsity constraints.

To read the full story and for more information, please follow this link to Gizmodo.

Android Browser flaw a “privacy disaster” for half of Android users

Bug enables malicious sites to grab cookies, passwords from other sites.

A bug quietly reported on September 1 appears to have grave implications for Android users. Android Browser, the open source, WebKit-based browser that used to be part of the Android Open Source Platform (AOSP), has a flaw that enables malicious sites to inject JavaScript into other sites. Those malicious JavaScripts can in turn read cookies and password fields, submit forms, grab keyboard input, or do practically anything else.

Browsers are generally designed to prevent a script from one site from being able to access content from another site. They do this by enforcing what is called the Same Origin Policy (SOP): scripts can only read or modify resources (such as the elements of a webpage) that come from the same origin as the script, where the origin is determined by the combination of scheme (which is to say, protocol, typically HTTP or HTTPS), domain, and port number.

The SOP should then prevent a script loaded from http://malware.bad/ from being able to access content at https://paypal.com/.

The Android Browser bug breaks the browser’s handling of the SOP. As Rafay Baloch, the researcher who discovered the problem found, JavaScript constructed in a particular way could ignore the SOP and freely meddle with other sites’ content without restriction.

This means that potentially any site visited in the browser could be stealing sensitive data. It’s a bug that needs fixing, and fast.

As part of its attempts to gain more control over Android, Google has discontinued the AOSP Browser. Android Browser used to be the default browser on Google, but this changed in Android 4.2, when Google switched to Chrome. The core parts of Android Browser were still used to power embedded Web view controls within applications, but even this changed in Android 4.4, when it switched to a Chromium-based browser engine.

But just as Microsoft’s end-of-life for Windows XP didn’t make that operating system magically disappear from the Web, Google’s discontinuation of the open source Browser app hasn’t made it disappear from the Web either. As our monthly look at Web browser usage shows, Android Browser has a little more real-world usage than Chrome for Android, with something like 40-50 percent of Android users using the flawed browser.

The Android Browser is likely to be embedded in third-party products, too, and some Android users have even installed it on their Android 4.4 phones because for one reason or another they prefer it to Chrome.

Google’s own numbers paint an even worse picture. According to the online advertising giant, only 24.5 percent of Android users are using version 4.4. The majority of Android users are using versions that include the broken component, and many of these users are using 4.1.x or below, so they’re not even using versions of Android that use Chrome as the default browser.

Baloch initially reported the bug to Google, but the company told him that it couldn’t reproduce the problem and closed his report. Since he wrote his blog post, a Metasploit module has been developed to enable the popular security testing framework to detect the problem, and Metasploit developers have branded the problem a “privacy disaster.” Baloch says that Google has subsequently changed its response, agreeing that it can reproduce the problem and saying that it is working on a suitable fix.

Just how this fix will be made useful is unclear. While Chrome is updated through the Play Store, the AOSP Browser is generally updated only through operating system updates. Timely availability of Android updates remains a sticking point for the operating system, so even if Google develops a fix, it may well be unavailable to those who actually need it.

Users of Android 4.0 and up can avoid much of the exposure by switching to Chrome, Firefox, or Opera, none of which should use the broken code. Other third-party browsers for Android may embed the broken AOSP code, and unfortunately for end users, there’s no good way to know if this is the case or not.

Update: Google has offered the following statement:

We have reviewed this report and Android users running Chrome as their browser, or those who are on Android 4.4+ are not affected. For earlier versions of Android, we have already released patches (1, 2) to AOSP.

Source: Ars Technica

Automotive Grade Linux Delivers Open Automotive Software Stack for the Connected Car

SAN FRANCISCO and TOKYO (AUTOMOTIVE LINUX SUMMIT), June 30, 2014 – Automotive Grade Linux (AGL), a collaborative open source project developing a common, Linux-based software stack for the connected car, today announced that its first open source software release is available for download, bringing the industry one step closer to achieving a standard Linux-based software platform for the connected car.

AGL is building the industry’s only fully open automotive platform, allowing automakers to leverage a growing software stack based on Linux while retaining the ability to create their own branded user experience. Standardizing on a single platform means the industry can rapidly innovate where it counts to create a safe and reliable connected car experience. Open collaboration within the AGL community means support for multi-architectures and features to bolster the in-vehicle infotainment (IVI) experience.

“Openness and collaboration are key to accelerating the development of a common, standard automotive platform so the industry can more quickly achieve its vision of delivering the connected car,” said Dan Cauchy, general manager of automotive, The Linux Foundation. “This AGL release is a great step forward and the community is already looking to build on its work to address a number of additional capabilities and features in subsequent releases. With AGL at the core, the industry will be able to more rapidly innovate and evolve to meet customer needs.”

AGL builds on top of Tizen IVI and adds key applications developed in HTML5 and JavaScript into a single open source reference platform. 

See slideshow of AGL key features including:

• Home Screen
• Dashboard
• Google Maps
• HVAC
• Media Playback
• News Reader (AppCarousel)
• Audio Controls
• Bluetooth Phone
• Smart Device Link Integration

Each component includes a detailed Design Requirements Document (DRD) with descriptions, use cases, HMI flows, graphical assets, architecture diagrams and more. AGL code, DRDs and more are all available on the AGL wiki to give anyone the background and tools needed to use the software and start contributing to the project.

“Using AGL means the industry benefits from the stability and strength of a common Linux distribution, Tizen IVI, at the core while bringing their own unique applications and functionality to market faster,” said Rudolf Strief, director of embedded solutions, The Linux Foundation. “Collaborating within the AGL community helps the industry avoid fragmentation that can waste time and R&D resources that could be put to better use innovating on safety and reliability for drivers.”

AGL is free to download and anyone can participate in the open source community. Learn more: http://automotive.linuxfoundation.org/

For more information follow the source link below.

Source: Linux Foundation

Facebook’s open source library has grown to 9.9M lines of code

Facebook loves to share how much it likes open source, and the social network has followed through on that note with a status update on its activities this year.

Here’s a rundown, by the numbers:

• Launched 63 new projects since January 2014

• Total active GitHub portfolio stands at exactly 200 projects spread across Facebook, Instagram and Parse

• Facebook’s open source projects have seen 13,000 total commits, an increase of 45 percent from the second half of 2013.

• Projects collectively have netted 20,000 forks and 95,000 followers.

• Facebook’s total open source library stands at approximately 9.9 million lines of code.

The Menlo Park, Calif.-based company highlighted a number of its more popular projects in a blog post on Friday, putting the user interface JavaScript library React and the iOS/OS X animation engine Pop in the spotlight.

The latter has played a large role in a pair of other Facebook projects with which end users might be more familiar.

That would be the first two projects rolled out from Facebook’s Creative Labs department: digital news reader app Paper and Snapchat-competitor Slingshot.

Facebook engineers revealed Pop “spawned a host of extensions and integrations, including the iOS version of our very own Slingshot.” Pop has also grown to become Facebook’s second most popular open source project ever.

Looking forward, Facebook is following through on some of the products it unveiled to developers at F8 in San Francisco back in April. One product making its way out the door today in beta access is Display Node, Facebook’s open source asynchronous UI framework.

Source: ZD Net

IT malpractice: Doc operates on server, costs hospitals $4.8M

Image source: Alegrasoft

New York Presbyterian and Columbia University Medical Center settle with HHS to end probe into 2010 patient data leak

An inadvertent data leak that stemmed from a physician’s attempt to reconfigure a server cost New York Presbyterian (NYP) Hospital and Columbia University (CU) Medical Center $4.8 million to settle with the U.S. Department of Health and Human Services (HHS).

The hospitals and HHS announced the voluntary settlement, which ends an inquiry into the incident, on Wednesday. New York Presbyterian will pay $3.3 million, while Columbia will pay $1.5 million to settle the complaint.

The hospitals also agreed to take “substantive” corrective action, including development of a new risk management plan and new policies and procedures for handling patient data. The HHS will also be provided with periodic progress updates under the agreement.

“Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems,” the statement said.

The $3.3 million settlement with New York Presbyterian is the largest ever obtained by the HHS for a violation of HIPAA security rules.

The breach occurred in 2010 after a physician at Columbia University Medical Center attempted to “deactivate” a personally owned computer from a New York Presbyterian network segment that contained sensitive patient health information, according to the HHS.

The two health care organizations have a mutual agreement under which CU faculty members serve as physicians at NYP. The two entities operate a shared network that links to systems containing patient health data at NYP.

It is not clear why a physician had a personally owned system connected to the network, or why he was attempting to “deactivate” it.

In a joint statement, the two hospitals blamed the leakage on an “errantly configured” computer server. The error left patient status, vital signs, laboratory results, medication information, and other sensitive data on about 6,800 individuals accessible to all via the Web.

The leak was discovered after the hospitals received a complaint from an individual who discovered personal health information about his or her deceased partner on the Web.

An investigation by the HHS Office for Civil Rights (OCR) found that neither CU nor NYP had implemented adequate security protections, or undertaken a risk analysis or audit to identify the location of sensitive patient health information on the joint network.

The OCR also faulted New York Presbyterian for not ensuring that only properly authorized systems could access patient data.

In an email, NYP and CU said they have taken substantial steps to strengthen data security controls following the breach.

“For more than three years, we have been cooperating with HHS by voluntarily providing information about the incident in question,” the statement said. “We also have continually strengthened our safeguards to enhance our information systems and processes, and will continue to do so under the terms of the agreement with HHS.”

HHS has also extracted settlements from several other healthcare entities over the past two years as it beefs up the effort to crack down on HIPAA violations.

In April, it reached a $2 million settlement with Concentra Health Services and QCA Health Plan. Both organizations reported losing laptops containing unencrypted patient data.

Last December, a Massachusetts dermatology clinic agreed to pay $150,000 to settle an HHS investigation into the loss of a thumb drive containing unencrypted patient health information.

Source: Computer World

10,000 Linux servers hit by malware serving tsunami of spam and exploits

Two-year-old Windigo may also have infected kernel.org Linux developers.

Researchers have documented an ongoing criminal operation infecting more than 10,000 Unix and Linux servers with malware that sends spam and redirects end users to malicious Web pages.

Windigo, as the attack campaign has been dubbed, has been active since 2011 and has compromised systems belonging to the Linux Foundation’s kernel.org and the developers of the cPanel Web hosting control panel, according to a detailed report published Tuesday by researchers from antivirus provider Eset. During its 36-month run, Windigo has compromised more than 25,000 servers with robust malware that sends more than 35 million spam messages a day and exposes Windows-based Web visitors to drive-by malware attacks. It also feeds people running any type of computer banner ads for porn services.

The Eset researchers, who have been instrumental in uncovering similar campaigns compromising large numbers of servers running the nginx, Lighttpd, and Apache Web servers, said the latest campaign has the potential to inflict significant harm on the Internet at large. They explained:

The number of systems affected by Operation Windigo might seem small when compared with recent malware outbreaks where millions of desktops are infected. It is important to keep in mind that, in this case, each infected system is a server. These usually offer services to numerous users and are equipped with far more resources in terms of bandwidth, storage and computation power than normal personal computers. A denial of service attack or a spam-sending operation using one thousand servers is going to be far more effective than the same operation performed with the same number of desktop computers.

For more information and the complete story, click the source link below.

Source: Ars Technica

Popcorn Time Shuts Down, Then Gets Resurrected By YTS (YIFY)

A roller-coaster week for controversial movie application Popcorn Time hit a huge low last evening with the news that the creators of the software were throwing in the towel. Well people, not so fast. The people behind YTS (YIFY) inform TorrentFreak that they are taking over the project with immediate effect.

Last Saturday TF reported on the now-controversial torrent streaming app Popcorn Time, a piece that was followed by dozens of mainstream articles in the week that followed. It quickly became evident that this software had broken new ground with its beauty and simplicity.

Unsurprisingly, the first signs of trouble were not far away. During the middle of the week the software was removed from Mega.co.nz. It’s still unclear if that action was taken by Mega under its own steam or after it was prompted by Hollywood, but with the Popcorn Time developers confirming they had nothing to do with it, one or the other must be to blame.

But after a stormy week, with the software receiving critical acclaim, last night the veils were being drawn over the project. In a long announcement on the tool’s website, the Popcorn Time team confirmed they were stepping down.

“Our experiment has put us at the doors of endless debates about piracy and copyright, legal threats and the shady machinery that makes us feel in danger for doing what we love. And that’s not a battle we want a place in.”

The Argentina-based team added that piracy is not a people problem, it’s one based around service created by an industry that “portrays innovation as a threat to their antique recipe to collect value.”

But just as another flood of articles hit the mainstream press, each waving goodbye to Popcorn Time before moving on to something else, there’s important news yet to report.

Popcorn Time is not dead and will live on, seamlessly.

Speaking with TorrentFreak, YTS (formerly YIFY-Torrents) developer Jduncanator has confirmed that Popcorn Time will not die with the withdrawal of its founding team. Instead, YTS will pick up the baton and run.

“The YTS team will now be picking up the Popcorn Time project and continuing on like previously. We are in a better position copyright wise as for us, because it’s built on our API, it’s as if we have built another interface to our website. We are no worse off managing the project than we would be just supplying the movies,” the dev explains.

“It’s our vision at YTS that we see through projects like these and that just because they create a little stir in the public, it doesn’t mean they are shut down. That stir is exactly what the public needs and it’s already evident that people are becoming more aware of copyright-related issues.”

The project, which can now be found here, is open to all former developers who will be given contributor access upon request. The Popcorn Time installer will be made available shortly.

For more on this story and the original post, follow the source link.

Source: Torrent Freak