Posts Tagged ‘Trojan’
Mac Trojan ‘SabPub’ Exploits Java and Microsoft Office
Last Updated on Friday, 25 May 2012 04:23 Written by Celframe Security Team Saturday, 20 October 2012 03:47
Over the weekend, security vendors discovered another information-stealing Trojan in the wild, targeting Tibetan sympathizers with vulnerabilities in Java and Microsoft Word.
Two versions of SabPub were discovered in the wild this past weekend, flying undedected for about two months now. Kaspersky’s Costin Raiu wrote in a blog post that SabPub was probably written by the LuckyCat authors.
Version 1: Microsoft Office
One version of SabPub traps Mac (and potentially Windows) users with booby-trapped Microsoft Word documents which exploit the vulnerability ‘MSWord.CVE-2009-00563.a.’
The spear-phishing emails containment a malicious Word attachment entitled ’10thMarch Statemnet’ (with typo) to Tibet sympathizers. March 10, 2011 refers to the day the Dalai Lama delivered his annual speech observing the Tibetan Uprising of 1959.
The Word doc was created in August 2010 and updated in February with SabPub thrown in; “quite normal” for such attacks and seen in other APT’s like Duqu, Raiu notes.
Version 2: Java
A March version of Sabpub also discovered last weekend exploits the same drive-by Java vulnerability seen in Flashback, one of the biggest botnet attacks seen in OS X. Once the backdoor Trojan is downloaded, a victim’s system is connected to a command-and-control center via HTTP. From there the botnet can grab screenshots, upload/download files, and remotely execute commands, Sophos’ Graham Cluley writes. SabPub drops the following two files on a user’s system, so if you are concerned about infection Cluley recommends searching for these files:
/Users//Library/Preferences/com.apple.PubSabAgent.pfile
/Users//Library/LaunchAgents/com.apple.PubSabAGent.plist
In late March, vendors discovered another OS X Trojan, Tibet.C, that exploited Microsoft Word to spy on the computers of Tibetan sympathizers. It was believed come from the GhostNet group of Chinese cyber spies.
You may not be a key target of SabPub, but one day the same malware can be used to target your system. Our advice is the same as always: make sure you’ve downloaded the latest security patches for Windows, MacOS, and Java. Also make sure your antivirus protection is up to date. Due to the MS Office exploit, households with both PCs and Macs would benefit from cross protection from products like Norton One and McAfee All Access.
Tags: Exploits, Microsoft, Office, SabPub, Trojan | Posted under Celframe Security | No Comments
Trojan Dropper Uses Valid Certificate Issued For Swiss Company
Last Updated on Sunday, 18 March 2012 02:26 Written by Celframe Security Team Sunday, 16 September 2012 06:03
A pair of trojan droppers affiliated with a pay-per-click scam are using valid digital signatures from a certificate that was issued for a Swiss company, according to a report on Securelist.
Between December 2011 and March 7, 2012, the Kaspersky Security Network has detected around 5,000 instances of the Mediyes trojan using a certificate issued to Conpavi AG, a Swiss company, according to a post by Kaspersky Lab researcher Vyacheslav Zakorzhevsky. The detections were predominantly in the Western European countries of Germany, Switzerland, Sweden, France, and Italy.
Conpavi conducts the majority of its business with the Swiss municipalities, cantons, and other government agencies. Kaspersky Lab has contacted Verisign, informed them about the threat, and asked them to revoke the certificate.
Mediyes is a dropper program – a kind of malicious program that acts like a pack mule: downloading and installing other programs, such as Trojan horse or remote access tools, on infected systems. Mediyes comes in both 32- and 64-bit varieties and is detected by Kaspersky Lab’s software as ‘Trojan-Dropper.Win32.Mediyes’ and ‘Trojan-Dropper.Win64.Mediyes’ respectively. Both variations inject a DLL into the browser that intercepts and redirects search queries as part of a pay-per-click advertising scheme.
This is not the first time that the CA system has been exploited for malicious purposes. A similar case popped up in November of last year when a piece of malware was found with a valid certificate signed by a Malaysian CA. The compromises at certificate authorities Comodo and DigiNotar also spurred calls within the security community for changes to the certificate authentication system.
This article was editied on March 15 to clarify that the certificate was issued for Conpavi AG, not by the company.
View the original article here
Tags: Certificate, company, Dropper, Issued, Swiss, Trojan, Valid | Posted under Celframe Security | No Comments
SpyEye trojan is used to hide fraudulent money transfers
Last Updated on Monday, 12 March 2012 01:17 Written by Celframe Security Team Monday, 14 May 2012 09:43
Some months ago we have warned you about the dangerous banking trojan called SpyEye. Additionally to its malicious features, such as HTML injection and others, it has been also found to have another feature helping for the scammers to hide the fraud and all the changes made on the compromised acount. This seems to be borrowed from Zeus trojan.
As you have already heard, SpyEye is especially dangerous for its ability to inject new fields into a page and make it ask for specific information which wouldn’t be normally asked from the user. For example, because of this virus, baking page can be made to require login, password, debit card number or other sensitive banking data without any sign that it is done illegally. However, this is not the only bad thing about SpyEye – it has been also found to be powerful enough to hide illegal money transfers made on the compromised account. This new feature seems to be borrowed from the Zeus banking malware that is called ‘the parent’ of SpyEye. Zeus is known for its ability to capture specific balance data and then inject it into the same page after making illegal transfer on user’s account.
According to InfoWorld, SpyEye is clearly designed to keep users unaware about the fraud – malware hides fraudulent transactions and deletes those records that could notify victim about the fraudulent transactions made on the account. Even if a person logs out and logs back into his account, he won’t be capable to see these transactions and will be informed only about the altered balance of his account. As you can see, with a help of SpyEye, fraudsters get ability to capture victim’s credit card details and then easily mask their transactions. This feature makes SpyEye one of the most dangerous trojans that can be used to rip people off.
This entry was posted on Tuesday, January 10th, 2012 at 10:05 am and is filed under News, Security. You can leave a response, or trackback from your own site.View the original article here
Tags: fraudulent, money, SpyEye, transfers, Trojan | Posted under Security | No Comments