
New release YARA 3.0

A new version of YARA was released this week. YARA is a tool aimed at (but not limited to) helping malware researchers identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever else you want to describe) based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a boolean expression that determines its logic.

The new features include the following:

  • Support for modules
  • PE module
  • Cuckoo module
  • Some improvements in the C API
  • More comprehensive documentation
  • BUGFIX: Start anchor (^) not working properly with the “matches” operator
  • BUGFIX: False negative with certain regular expressions
  • BUGFIX: Improper handling of nested includes with relative paths
  • BUGFIX: \s character class not recognizing \n, \r, \v and \f as spaces
  • BUGFIX: YARA for Win64 scanning only the first 4GB of files.
  • BUGFIX: Segmentation fault when using nested loops
  • BUGFIX: Segmentation fault caused by invalid characters in regular expressions
  • BUGFIX: Segmentation fault while scanning some processes in Windows
  • BUGFIX: Segmentation fault caused by regexp code spanning over non-contiguous memory pages

YARA is used by the VirusTotal Malware Intelligence Services, and you can install YARA by following this link: https://github.com/plusvic/yara/releases/tag/v3.0.0
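As an added illustration (not taken from the release notes or the YARA project), here is a rule that combines the string set and boolean condition described above with the new PE module; the fields pe.number_of_sections, pe.characteristics, pe.DLL, pe.imports() and pe.sections[i].name are assumed from the 3.0 module documentation, and the strings and section name are constructed for the example, not indicators of a real family.

```yara
import "pe"

// Constructed example rule: shows strings, a boolean condition and the
// YARA 3.0 PE module together. Patterns below are illustrative only.
rule example_pe_module_usage
{
    meta:
        description = "Illustrates strings + condition + pe module (YARA 3.0)"
        note        = "constructed example, not a real malware family"

    strings:
        // plain text strings, with encoding and case modifiers
        $ua  = "Mozilla/4.0 (compatible; MSIE 6.0" ascii
        $cmd = "cmd.exe /c" ascii wide nocase
        // a regular expression string (callback-style URL shape, constructed)
        $url = /https?:\/\/[a-z0-9.-]+\/[a-z]+\.php/ ascii

    condition:
        // pe.* fields are only populated for valid PE files
        pe.number_of_sections > 0 and
        // bitwise & binds weaker than == in YARA, so keep the parentheses
        (pe.characteristics & pe.DLL) == 0 and
        // imports() checks the import table for a dll/function pair
        pe.imports("kernel32.dll", "WriteProcessMemory") and
        pe.imports("kernel32.dll", "CreateRemoteThread") and
        // iterate over sections; the ^ anchor with "matches" works as of 3.0
        for any i in (0..pe.number_of_sections - 1) : (
            pe.sections[i].name matches /^\.upx/
        ) and
        // classic string logic: at least two of the three patterns present
        2 of ($ua, $cmd, $url)
}
```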


“Suspicious sign in prevented” Spam That Links to Malware

A new spoofed email was spotted this week by TrendMicro. It claims to come from Gmail and alerts users that suspicious activity has been detected on their email accounts. The email claims that a login to the Gmail account was made from an unrecognized device, gives the time of the login and Chicago as the source, and invites the user to follow a malicious link.

The spam includes links pointing to Google Drive, a cloud service that is hosting an HTML file used to gather information on the victim's machine, including the type of browser and operating system. This is done to classify the victim's machine so the cybercriminals can deliver the malicious payload matching the system in use.

The malicious payload installs a backdoor that steals email credentials, user names and passwords. It also allows the attacker to install a key-logger on the victim's machine to capture all activity on the infected system. According to the blog post, the attackers change the files hosted on Google Drive every few days; this keeps the payload updated to their needs and helps it avoid detection by security programs.

Spoofed email screenshot by TrendMicro

Cloud hosting has been a good way of distributing malware because such services are not going to be blacklisted by spam filters, so the link reaches the targeted users, and the hosted content can be changed at any time without the attackers being traced. If you receive a similar message, make sure to ignore and delete the spam; it is also possible to report the case to Google so they remove the malicious files.


Viproy – VoIP Penetration Testing Kit

VoIP security testing is important to verify the quality of your system before it is moved into production. One of the tools you can consider for pentesting VoIP is Viproy. This tool was presented at DEF CON and includes the following:

  1. Finding and Identifying SIP Services
  2. Identifying SIP Software and Vulnerabilities
  3. Identifying Valid Target Numbers, Users, Realm
  4. Unauthenticated Registration (Trunk, VAS, Gateway)
  5. Brute Forcing Valid Accounts and Passwords
  6. Invite Without Registration
  7. Invite Spoofing (After or Before Registration, Via Trunk)
  8. Testing DDoS attacks to verify whether the system is resilient

You can use the tool with Kali using the installation script that comes with the package, or by copying the contents of the “lib” and “modules” folders to the Metasploit root directory. To find more information about this tool, follow this link: http://www.viproy.com/


Phishing spam targeting American Express accounts

A new phishing email was spotted by Dynamoo's blog targeting American Express customers. The fake message notifies the user that there is a security problem with their account and invites them to decline new charges by opening the phishing web page at http://**-**.com/americanexpress/ and logging in with their credentials.

Phishing website screenshot for American Express

The page looks like the official American Express website, and each time the victim types in their credentials it displays that the User ID and password are incorrect. At the moment there are several similar phishing websites, with IPs belonging to ISPs in Ukraine and Romania.

If you receive a similar fake message, make sure to delete/ignore the email and report it to your bank. Usually a bank will never send an email asking you to make account changes; they will call the customer to make any update.


“Payroll Received by Intuit” A spam that brings Cryptowall to Your System

A new spam message was spotted by Dynamoo's blog that carries the Cryptowall malware. The virus is a Trojan horse that infects Windows operating systems and uses RSA-2048 encryption to encrypt the victim's data; this prevents users from opening their files and gives the cybercriminals control over the infected system. If the victim does not make an online payment, the files are destroyed.

The email claims to be about a successful payment the user made, with a copy of the victim's remittance attached. In fact the attachment is a zipped copy of Cryptowall in executable form. Only 9 antivirus engines on VirusTotal identify the file as malicious.

Decrypt instructions from the cybercriminals for Cryptowall (screenshot)

Within the decrypt instructions, the attackers ask victims to use the Tor network and Bitcoin, to better protect the compromised systems, the money and the encryption keys from law enforcement. Tor complicates tracking the cybercriminals, while Bitcoin makes it hard to track the money transfer.

To protect your system, be sure never to open attachments/emails from untrusted sources, keep your security software updated, and make sure you have a backup of your important files stored in a safe place.


Nasty Snifula Trojan starts targeting users in Japan

A new Snifula Trojan variant has been spotted by the Symantec Security Response team in Japan. The malware has compromised more than 30 financial entities, including 12 regional agencies across the country. The malware was first discovered in 2006 and was used to steal victims' financial accounts using man-in-the-browser (MITB) techniques.

According to Symantec, the configuration file in the malware lists 20 credit card sites and 17 online banking services in Japan. 20% of the malicious activity monitored comes from hosts in Japan, putting it in second place alongside Germany, while the UK has the highest number of infected hosts, with 24% of infected systems globally.

Chart of Snifula distribution, sourced from Symantec

This type of threat is hard to detect because it can be customized and adapted to specific regions, it is easy to distribute over the internet via infected web servers, and strong authentication will not help, because the infected user performs a covert transaction using the same steps and validation as normal, without noticing the actions performed by the malware.

To protect your system, make sure to have the latest updates for your antivirus and use only hardened software that provides protection against MITB attacks.


ShazzleMail - Application to maintain your email privacy

Today we see more new services offering anonymous surfing and mailing, because many online services store user information on their systems, and this leaves end users exposed to that data being reused in the future. ShazzleMail is one of the interesting mail systems you can use to protect your privacy.

ShazzleMail is a free private email application that turns your smartphone into a mail server, delivering your messages directly to the recipient over an SSL encrypted channel with no server copies. Not even Shazzle gets a copy. The application can be installed on a laptop or smartphone, or even integrated with Microsoft Outlook.

The application sends a notification to the recipient and creates a direct connection from sender to receiver: the ShazzleMail service sends the recipient a web notification e-mail with a link, and the recipient only needs to click the link to establish a direct connection with the sender and receive the email. ShazzleMail sends all communications over a secure line and keeps your email on your local storage device rather than in some third-party cloud.

Screenshot of the Shazzle Mail Client 1.3.2

This leaves the sender in control of the email, so they can delete the message at any moment. All email is encrypted locally, so even if you lose the device no one can read the content. You can download ShazzleMail from this link: http://shazzlemail.com/downloads
