Apple’s iOS 10 beta Code Is Unencrypted


At its WWDC 2016 keynote, Apple announced the availability of iOS 10 public beta, the latest version of its operating system software for iPads and iPhones.

There appears to be a shift in Apple’s approach toward software security. Instead of keeping all aspects of its next-generation mobile operating system under lock and key, the company is opening up certain components to developer scrutiny. The unobscured iOS 10 kernel cache is a prime example.

Since the inception of iOS (previously iPhone OS), Apple has obfuscated the kernel to discourage illicit probing that could inherently weaken system integrity. With iOS 10, however, Apple is relaxing those strict policies by leaving the kernel cache unencrypted, a move it says optimizes system performance. As the cache does not include sensitive information, leaving it unobscured poses no risk to end users. Also, opening up the OS might help other researchers to find and report bugs, by giving everyone just as much visibility as an advanced and well-funded research team might have.

If more people report bugs to Apple, it could make it harder for law enforcement and governments to use a tactic the FBI employed to get into an iPhone used by a perpetrator of last year’s mass shooting in San Bernardino, California.

So is Apple ultimately fighting to uphold personal privacy and civil liberties? Or is it fighting for the right to sell any kind of phone it thinks its customers want while other people deal with the negative consequences? If it’s the latter, that’s understandable; like any public company, Apple is obligated to maximize its value to its shareholders. But society is not necessarily best served by letting Apple make whatever phones are optimal for its chosen business strategy, which is to create a shiny mobile vault that people will trust with every aspect of their lives.

New Android Trojan/RAT SpyNote


The newcomer, named SpyNote, has features very similar to other popular Android RATs (remote administration tools) such as DroidJack and OmniRat, which give malware operators remote administrative control of an Android device. SpyNote has a wide range of backdoor features, including the ability to view all messages on a device, eavesdrop on phone calls, activate the phone’s camera or microphone remotely, and track the phone’s GPS location. The APK (Android application package file) containing SpyNote gives an attacker complete access to a victim’s phone.

Because of its diversified feature set, SpyNote has the ability to download and install new apps without permission and even to update itself. Apart from that, it can invade your phone and view your SMS messages, make calls or listen in on the calls you are making or taking, retrieve your contact list, listen to audio recordings you have made, or even use your device’s camera in real time.

SpyNote also has access to some very detailed information, such as your Wi-Fi MAC address, the IMEI number of your device and the phone’s last GPS location. As if these features weren’t disturbing enough, what’s even more concerning is that SpyNote does not need root access on the device.

The second version of SpyNote lets attackers build their own variant of the Android RAT, which will be able to communicate with C&C servers while the building process is still in progress. Upon installation, SpyNote removes the application’s icon from the victim’s device. The SpyNote builder application is developed in .NET. Furthermore, this RAT has been configured to communicate with the command and control (C&C) IP address 141.255.147.193 over TCP port 222.
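A defender’s first use of the indicator above is to look for hosts that already talk to it. The following is an added example, not code from the original post or from any vendor: it parses a few constructed connection-log lines in a generic key=value format (the format itself is an assumption) and reports internal hosts contacting the SpyNote C&C address, either strictly on TCP port 222 as described or on any port.

```python
import re

# Indicator taken from the SpyNote write-up above: C&C IP and TCP port.
SPYNOTE_C2_IP = "141.255.147.193"
SPYNOTE_C2_PORT = 222

# Constructed sample lines in a generic key=value connection-log format
# (the format is an assumption for this example, not any product's output).
SAMPLE_LOG = """\
2016-07-12T10:01:03Z conn src=10.0.0.12:51022 dst=172.217.3.110:443 proto=tcp
2016-07-12T10:01:09Z conn src=10.0.0.45:40011 dst=141.255.147.193:222 proto=tcp
2016-07-12T10:01:15Z conn src=10.0.0.45:40012 dst=141.255.147.193:443 proto=tcp
2016-07-12T10:02:00Z conn src=10.0.0.9:33333 dst=141.255.147.193:222 proto=udp
this line is not a connection record and must be ignored
"""

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"proto=(?P<proto>\w+)"
)


def parse_line(line):
    """Parse one connection record; return None for lines that do not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "proto": m.group("proto").lower(),
    }


def find_c2_hits(log_text, ip=SPYNOTE_C2_IP, port=SPYNOTE_C2_PORT, strict=True):
    """Return the records that talk to the C&C server.

    strict=True matches only the configuration described (TCP to the IP on port 222).
    strict=False flags any traffic to the IP, which is the safer triage rule
    because a builder-generated variant can be configured with a different port.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] != ip:
            continue
        if strict and not (rec["dport"] == port and rec["proto"] == "tcp"):
            continue
        hits.append(rec)
    return hits


def infected_hosts(log_text, strict=True):
    """Distinct internal source addresses that contacted the C&C server."""
    return sorted({h["src"] for h in find_c2_hits(log_text, strict=strict)})


if __name__ == "__main__":
    print("strict (TCP/222):", infected_hosts(SAMPLE_LOG))
    print("any port:        ", infected_hosts(SAMPLE_LOG, strict=False))
```

The loose rule is the one to run first during triage: the IP is the durable part of the indicator, while the port is a builder setting that a different variant can change.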

Installing apps from third-party sources can be very risky — those sources often lack the governance provided by official sources such as the Google Play Store, which, even with detailed procedures and algorithms to weed out malicious applications, is not impregnable. Side-loading apps from questionable sources exposes users and their mobile devices to a variety of malware and possible data loss.

New OSX/Keydnap malware steals credentials

Keydnap focuses on stealing the content of Apple OS X keychains and installs a permanent backdoor into a victim’s system. The malware has several unusual features. If downloaded, the malware arrives as a .zip file which contains an executable disguised as an innocent .txt or .jpg file. However, the file extension contains a space character at the end, so when the file is double-clicked it opens in the Terminal app rather than Preview or TextEdit, and the payload executes.

Once the backdoor is set and remote attackers have gained entry into the system — which also allows them to hijack sessions and spy on victims — the malware then targets the OS X keychain to gather and steal passwords and keys stored within. “Keydnap will spawn a window asking for the user’s credentials, exactly like the one OS X users usually see when an application requires admin privileges.

If the victim falls for this and enters their credentials, the backdoor will henceforth run as root and the content of the victim’s keychain will be exfiltrated.”
When the user’s credentials have been accessed, the malware uses Tor to report back to the attacker’s C&C server and forward this information on as well as receive fresh commands.

The researchers are not sure how victims become exposed to the malware, but it may be through phishing campaigns, malicious email attachments or downloads from suspicious websites.

Tilde Ransomware: a dangerous Windows PC infection


One method of e-mail attack is undertaking massive spam campaigns to infect as many users as possible. The e-mail subject may promise a free upgrade or anything else for free. Users have also reported e-mails from banking institutions claiming their accounts have been suspended. Most of these e-mails use deceptive tactics just to get users to open the malicious e-mail attachments or URLs, which can infect their computer via different combinations of the malicious tools mentioned above.

When the infection takes place, the program immediately encrypts a list of files. It targets a large number of file types, including those that have these extensions: .xlw, .slk, .xlsb, .xlsm, .xlsx, .xltm, .xltx, .wks, .odp, .otp, .sxi, .sti, .pps, .pot, .sxd, .std, .pptm, .pptx, .potm, .potx, .uop, .odg, .otg, .sxm, .mml, .docb, .ppam, .ppsx, .ppsm, .sldx, .sldm, .ms11, .lay, .lay6, .asc, .SQLITE3, .SQLITEDB, .sql, .mdb, .dbf, .odb, .frm, .MYD, .MYI, .ibd, .mdf, .ldf, .php, .cpp, .pas, .asm, .vbs, .dip, .dch, .sch, .brd. The list of extensions goes on and on, so it is more or less safe to say that Tilde Ransomware affects almost all of the files you have on your computer, and definitely all the files you use frequently. After the encryption, the infection displays a message that says something like this:
———————————————————-
All your system is encrypted…

Now you have two options to solve the problem:
1. Format your hard disk. This way you’ll lose all your files.
2. Pay 0.8 Bitcoin and get key of decryption. At the end of this ad you’ll see you personal ID and our contact information
————————————————————
What you can do to remove Tilde Ransomware

Delete the latest file you downloaded and opened.
Press Win+R and type %TEMP%. Click OK.
Locate and delete the Simple_Encoder folder.
Change your desktop’s background.
Locate and remove the _RECOVER_INSTRUCTIONS.ini file in each folder on your system.
Delete the registry value HKEY_CURRENT_USER\Control Panel\Desktop\"Wallpaper"="C:\Documents and Settings\Local\Temp\Simple_Encoder\img.bmp". Note: if you are not clear on how to remove registry values, ask for help from our tech support.
Review these locations for any suspicious registry values:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Scan with Max Total Security (from http://maxsecueantivirus.com). Restore data from a previous backup taken with the backup utility included in this product.
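Reviewing the four autorun keys and the Wallpaper value by hand is error-prone, so here is an added example (not part of the original post or of the product it mentions) that checks a text export of those keys, as produced by `reg export`, for the two things the removal steps above look for: an autorun entry launching from a Temp folder or from Simple_Encoder, and a Wallpaper value pointing at the ransom image. The sample export, its user name and file paths are constructed for the example, and it is assumed the export has already been decoded from UTF-16 to a Python string.

```python
import re

# The autorun keys listed in the removal steps above (compared case-insensitively).
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
}
DESKTOP_KEY = r"hkey_current_user\control panel\desktop"
# Path fragments Tilde uses according to the removal steps above.
MARKERS = ("simple_encoder", "\\temp\\")

# Constructed sample in the text format written by "reg export" (assumed already
# decoded from UTF-16). The user name and paths are invented for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Simple_Encoder"="C:\\Users\\alice\\AppData\\Local\\Temp\\Simple_Encoder\\encoder.exe"

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\Users\\alice\\AppData\\Local\\Temp\\Simple_Encoder\\img.bmp"
"WallpaperStyle"="10"
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)+)"=(?P<data>.*)$')


def _unescape(s):
    # Undo .reg escaping: a backslash escapes the next character (\\ and \").
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """Yield (key, value_name, string_data) for REG_SZ values; other types are skipped."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            data = vm.group("data")
            if data.startswith('"') and data.endswith('"'):
                yield key, _unescape(vm.group("name")), _unescape(data[1:-1])


def suspicious_entries(text):
    """Autorun entries launching from Temp/Simple_Encoder, plus the ransom wallpaper value."""
    findings = []
    for key, name, data in parse_reg(text):
        k, d = key.lower(), data.lower()
        if k in AUTORUN_KEYS and any(m in d for m in MARKERS):
            findings.append((key, name, data, "autorun entry pointing into a temp folder"))
        elif k == DESKTOP_KEY and name.lower() == "wallpaper" and "simple_encoder" in d:
            findings.append((key, name, data, "ransom-note wallpaper set by Tilde"))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in suspicious_entries(SAMPLE_REG):
        print(f"{reason}: [{key}] {name} = {data}")
```

The parser only reads string values, which is all these keys normally hold; the legitimate OneDrive entry in the sample shows that a quoted path with arguments is unescaped correctly and left alone.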

Python-Based Ransomware HolyCrypt


HolyCrypt is coded in Python, a non-standard language for ransomware, and was packaged into an EXE file using the PyInstaller utility, which allows the developer to distribute all of the necessary Python files as a single executable. This version uses a static password, "test", to encrypt the files. At this time it is unknown whether the password will be dynamically generated in future versions.

The ransomware targeted only twenty files, which is a very poor number for any ransomware family, but it is important evidence that HolyCrypt is still a work in progress. If infected, your desktop wallpaper will be replaced with a new one carrying the following message:

“YOUR COMPUTER HAS BEEN LOCKED!

Your documents, photos, databases and other important files have been locked with strongest encryption and unique key, generated for this computer. Private decryption key is stored in a secret internet server and nobody can decrypt your files until you pay and obtain the private key.

The server will eliminate the key after 24h.

Open http://test_ransomware.onion.link and follow the instructions of the payment “

Obviously the link where victims are supposed to go to complete the payment is a phoney one, which is further evidence that the cybercriminals behind HolyCrypt have not completely finished their job yet.

As for the ransomware distribution, ransomware developers are using the classic double extension trick, hiding it as a PDF file named ReportXYZ.pdf.exe.

So be careful with downloads and e-mail attachments, and do not open any files you are not expecting.
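Both Keydnap’s trailing-space extension and HolyCrypt’s ReportXYZ.pdf.exe rely on a file name that reads as one type while the system treats it as another. The following is an added example, not code from the original post or from either malware write-up, that classifies file names for both tricks and scans the entries of an in-memory zip archive such as the one Keydnap ships in. The benign and executable extension lists, the archive and its entry names are constructed for the example.

```python
import io
import zipfile

# Extensions a user expects to open in a viewer or editor, not to execute (assumed list).
BENIGN_EXTS = {"txt", "jpg", "jpeg", "png", "gif", "pdf", "doc", "docx"}
# Extensions that run code on the platforms discussed above (assumed list).
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "app", "sh", "command"}


def classify_name(name):
    """Return the reasons a file name looks deceptive; an empty list means it looks fine."""
    reasons = []
    base = name.rsplit("/", 1)[-1]  # zip entries use '/' as the path separator

    # Keydnap-style trick: "photo.jpg " with whitespace after a benign-looking
    # extension, so the OS does not hand the file to the viewer the name suggests.
    stripped = base.rstrip()
    if stripped != base and "." in stripped:
        ext = stripped.rsplit(".", 1)[-1].lower()
        if ext in BENIGN_EXTS:
            reasons.append("trailing whitespace after ." + ext)

    # HolyCrypt-style trick: "ReportXYZ.pdf.exe", a benign extension in front of an
    # executable one, relying on the real extension being hidden by the file manager.
    parts = stripped.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in BENIGN_EXTS:
        reasons.append("double extension ." + parts[-2] + "." + parts[-1])
    return reasons


def scan_zip_bytes(data):
    """Classify every file entry of a zip held in memory; returns {name: reasons} for flagged entries."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample archive: one clean entry and one entry for each trick."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless text\n")
        zf.writestr("holiday.jpg ", b"placeholder bytes, not an image")  # trailing space
        zf.writestr("ReportXYZ.pdf.exe", b"placeholder bytes")           # double extension
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reasons in scan_zip_bytes(build_sample_zip()).items():
        print(repr(entry), "->", "; ".join(reasons))
```

Checking the archive listing before extraction matters because the trailing space is invisible in most file managers once the file is on disk; a mail gateway or download scanner can apply the same two rules to attachment names.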

JagerDecryptor: another ransomware


Another ransomware, JagerDecryptor, has been found. Once the ransomware has infected a system, it generates a new AES-256 key for each file it encrypts. This AES key is encrypted with RSA and appended to the end of the file along with the AES IV and other information. Of particular interest, every encrypted file has “!ENC” as its first 4 bytes.

Victims are presented with the file “Important_Read_Me.html” as the ransom note, and asked to email the criminals at smartfiles9@yandex.com.

These folders are excluded: Application Data, AppData, Program Files (x86), Program Files, Temp, $Recycle.Bin, System Volume Information, Boot, Windows, ProgramData.
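The fixed “!ENC” prefix is a reliable marker for measuring the damage on an infected machine. The following is an added example, not code from the original post or from the JagerDecryptor analysis: it walks a directory tree, reports every file whose first four bytes are the marker, and prunes the same folders the ransomware excludes so the scan concentrates on user data. The sample tree and its file names are constructed in a temporary directory for the example.

```python
import os
import tempfile

ENC_MAGIC = b"!ENC"  # first four bytes of every file JagerDecryptor has encrypted

# Folders the ransomware skips, as listed above; the scanner skips them too.
EXCLUDED_DIRS = {
    "Application Data", "AppData", "Program Files (x86)", "Program Files", "Temp",
    "$Recycle.Bin", "System Volume Information", "Boot", "Windows", "ProgramData",
}


def is_jager_encrypted(path):
    """True if the file starts with the !ENC marker; unreadable files count as not encrypted."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(ENC_MAGIC)) == ENC_MAGIC
    except OSError:
        return False


def scan_tree(root, excluded=EXCLUDED_DIRS):
    """Return sorted, '/'-separated relative paths of encrypted files under root."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into the excluded folders.
        dirnames[:] = [d for d in dirnames if d not in excluded]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if is_jager_encrypted(full):
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample: two encrypted files, one clean file, and one encrypted
    file inside an excluded folder (which the scanner, like the ransomware, ignores)."""
    root = tempfile.mkdtemp(prefix="jager_demo_")
    os.makedirs(os.path.join(root, "Documents"))
    os.makedirs(os.path.join(root, "Windows"))
    samples = {
        os.path.join("Documents", "budget.xlsx"): ENC_MAGIC + b"\x00" * 32,
        "photo.jpg": ENC_MAGIC + b"\x01" * 32,
        os.path.join("Documents", "notes.txt"): b"plain text, untouched\n",
        os.path.join("Windows", "system.log"): ENC_MAGIC + b"\x02" * 32,
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for hit in scan_tree(demo_root):
        print("encrypted:", hit)
```

Passing `excluded=set()` scans everything, which is the right setting when a later variant drops the exclusion list; the default mirrors what the text describes.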

Ranscam doesn’t care if you pay the ransom: it deletes files anyway

One of the latest pieces of such low-budget malware to come down the pike is called Ranscam. Unlike traditional ransomware, which locks up a computer’s files and then demands a bitcoin payment, Ranscam infects a computer, deletes the files, and then demands a payment from the victim even though the files are gone and cannot be recovered.

The first thing users will see after the malware has found its way into their system is the ransom note. It looks like the ransom notes that other pieces of ransomware show, but with one seemingly insignificant difference. Instead of directing users to an external location where they are supposed to verify the ransom payment, this note shows a clickable button: “I made payment, please verify.”


In reality, the difference is very significant. Whenever a user clicks the button, a message appears, saying the payment was not verified and that one file will be deleted each time the button is pressed without the criminals behind Ranscam having been paid. That is probably supposed to make users nervous and persuade them to pay several times.

There is no way to get back the files deleted by Ranscam; the only way to protect yourself is to be proactive. So we recommend that you don’t open attachments and don’t follow suspicious links. Not much is known about how Ranscam spreads, but the usual suspects are e-mail attachments and malicious or hacked websites. So if you aren’t 100% sure, don’t click.

Back up your data regularly and store the backups on an offline storage device. If some ransomware encrypts or deletes your files, you’re covered.

Use a good total security program such as Max Total Security, which gives you a good antivirus, firewall and backup program.

Rain Rain Go Away: Some Tips


Not really, we do not want the rain to go away; after such a long wait and years of drought, we have good rain this year. But we need to be extremely careful indoors as well as outdoors.

Planning ahead:

1. Get weather news: The best way to avoid lightning, flash floods, and other dangerous conditions is by not being in danger in the first place. Many ways are available to get weather information, such as watching current weather forecasts on TV, on the internet or in the newspaper.
2. Inspect your vehicle
Make sure your windshield wipers are working correctly, and replace cracked or worn ones.
3. Allow extra time
Traffic congestion is worse in bad weather. Plan ahead and leave early so you have enough time to get to your destination.
4. Slow down
When it rains, oil and grime on the pavement rise to the surface. Wet streets are extremely slick and slippery, making it more difficult to get traction. When you drive slowly, a greater amount of the tire’s tread makes contact with the road, giving you better traction. Drive at a steady pace and avoid jerky movements when braking, accelerating, or turning.
5. Don’t tailgate
It takes three times longer to stop on a wet road than on a dry one. Increase the distance you normally keep from the car in front of you and be alert for brake lights ahead.
6. Downed power lines
If a power line comes in contact with your vehicle while you are inside, STAY in your car. Wait for help to arrive and honk the horn to attract attention. If other imminent dangers force you to leave the vehicle, do NOT touch the vehicle and the ground at the same time. You should jump out and land with both feet together. Continue to shuffle or hop with both feet till you are at least 50 feet away from your car.
7. Don’t take pictures/selfies!
Dying to capture the surreal beauty of that thundercloud or show the folks back home what a haboob looks like? Wait till you’re off the road before you snap that picture. When you’re driving, focus on the road and keep both hands on the wheel.

Indoor Safety

1. Never touch wiring during a thunderstorm. It’s too late to unplug electronics if thunder is heard.
2. Corded phones are dangerous during thunderstorms. Lightning traveling through telephone wires has killed people. Cell phone and cordless phones are safe.
3. Wait to use any plumbing: sinks, showers, tubs, and toilets. Plumbing can conduct electricity from lightning strikes outside.
4. Unplug expensive electronics, including TVs, stereos, home entertainment centers, and computer modem lines, when thunderstorms are expected and before the storm arrives. Typically, summer thunderstorms form in the early to mid-afternoon, when most people are at work.
5. Stop playing video games connected to the TV.

Pokemon GO


The new mobile game “Pokemon Go” has become the hottest iPhone and Android game to hit the market in a long time, with enormous popularity and massive social impact. The app has taken the world by storm since its launch this week, but it has also played a role in armed robberies in Missouri, the discovery of a body in Wyoming and minor injuries to fans distracted by the app; and, to top it all, there are malware-infected APKs too.

Nintendo’s new location-based augmented reality game allows players to catch Pokémon in real life using their device’s camera, and is currently only officially available in the United States, New Zealand, the UK and Australia. Five days after its release, the game is now on more Android phones than the dating app Tinder or Snapchat, and its rate of daily active users was neck and neck with the social network Twitter, according to analytics firm SimilarWeb.

Due to the huge interest surrounding Pokémon Go, many gaming and tutorial websites have offered tutorials recommending users to download the APK from a non-Google Play link. In order to download the APK, users are required to “side-load” the malicious app by modifying their Android core security settings, allowing their device’s OS to install apps from “untrusted sources.”

An infected Android version of the newly released mobile game Pokemon GO has been discovered [1]. This specific APK was modified to include the malicious remote access tool (RAT) called DroidJack (also known as SandroRAT), which would give an attacker virtually full control over a victim’s phone.

A simple way to check whether a device is infected is to review the installed application’s permissions: go to Settings → Apps → Pokemon GO and scroll down to the PERMISSIONS section.
If you find that the game has asked for permissions like directly call phone numbers, edit and read your SMS messages, record audio, read Web history, modify and read your contacts, read and write call logs, and change network connectivity, then you should uninstall the game right away, since it is infected with DroidJack.
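The same permission review can be done on the APK before it is ever installed, which is how a helpdesk or app-vetting team would handle side-loaded copies. The following is an added example, not code from the original post or from any published DroidJack analysis: it parses a decoded AndroidManifest.xml (inside an APK the manifest is binary XML and must first be decoded with a tool such as apktool, which is assumed here), lists the declared permissions, and flags those that match the warning signs above. The two manifests and their package names are constructed for the example; the permission names are the standard Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions matching the warning signs listed above, mapped to the plain-language
# wording a user sees in the app's PERMISSIONS screen.
RAT_INDICATORS = {
    "android.permission.CALL_PHONE": "directly call phone numbers",
    "android.permission.READ_SMS": "read your SMS messages",
    "android.permission.SEND_SMS": "send SMS messages",
    "android.permission.RECEIVE_SMS": "receive SMS messages",
    "android.permission.RECORD_AUDIO": "record audio",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "read web history",
    "android.permission.READ_CONTACTS": "read your contacts",
    "android.permission.WRITE_CONTACTS": "modify your contacts",
    "android.permission.READ_CALL_LOG": "read call log",
    "android.permission.WRITE_CALL_LOG": "write call log",
    "android.permission.CHANGE_NETWORK_STATE": "change network connectivity",
}

# Constructed manifests in decoded XML form. A location-based camera game plausibly
# needs the four permissions in the clean manifest; the trojanized one adds the RAT set.
CLEAN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>
"""

TROJANIZED_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Set of permission names declared by <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        if name:
            names.add(name)
    return names


def suspicious_permissions(manifest_xml):
    """Sorted list of declared permissions that match the RAT warning signs."""
    return sorted(p for p in declared_permissions(manifest_xml) if p in RAT_INDICATORS)


def permission_report(manifest_xml):
    """The same findings in the plain-language wording the user would see on the device."""
    return [RAT_INDICATORS[p] for p in suspicious_permissions(manifest_xml)]


if __name__ == "__main__":
    print("clean build:", permission_report(CLEAN_MANIFEST) or "nothing suspicious")
    print("trojanized build:", permission_report(TROJANIZED_MANIFEST))
```

The check is deliberately a list rather than a single verdict: a game asking for the camera and location is expected, while a game asking to read call logs and send SMS is the pattern the text tells the user to uninstall on sight.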

Bottom line, just because you can get the latest software on your device does not mean that you should. Instead, downloading available applications from legitimate app stores is the best way to avoid compromising your device and the networks it accesses.

HummingBad Android malware: is your device infected?


The same group of cybercriminals behind a strain of iOS malware uncovered last year have apparently diversified and now dabble in Android malware. The group, dubbed Yingmob, has been running a malware campaign named HummingBad that controls 10 million Android devices globally and rakes in $300,000 a month.

Researchers revealed that a Chinese advertising company had created one of the most pernicious pieces of Android malware yet; they estimate it has infected 10m Android handsets worldwide. Be on your guard: HummingBad can do virtually anything the attacker wants, from spying on your personal information to stealing your bank login details.

The main purpose of the HummingBad malware is to trick users into clicking on mobile and web ads, which generates advertising revenue for its parent company, Yingmob – a practice known as “clickfraud”. It’s a lot like the browser toolbars designed to deliver ads to your computer a decade ago.

The malware is rooting hundreds of devices daily. Sometimes the malware is unsuccessful at rooting the infected devices, but not always. As far as the ad fraud campaign goes, it really does it all: HummingBad displays ads (more than 20 million per day), creates clicks (more than 2.5 million per day), and installs bogus apps (more than 50,000 per day).

Once the malware gains “root access” to Android (the very heart of your phone’s operating system) and calls home to a server controlled by Yingmob, it could be used to do virtually anything the attacker wants, from spying on your personal information to stealing your bank login details. Even if the creators of the malware currently use it only for click fraud, they could decide to sell the rootkit on the internet’s black market.

Most people probably got infected because they installed a less-than-hygienic app from a third-party Android store or website. The vast majority of the 10m infected handsets reside in China and India, indicating third-party app stores – which are far more popular overseas – as the most likely sources. But around 250,000 are based in the US, so could be people who are traveling from Asia to the US, or simply people who ignore Android’s default settings and allow app installs from third-party sites.

You need to install a good mobile security product for Android, such as Max Total Security - Android, to detect this malware and protect your device from other malware.