Are YOUR Skype chats being watched?

The researchers also warned that the T9000 backdoor is so sophisticated it can hide from even the most popular anti-virus software, making it extremely difficult to detect.

T9000 allows the attacker to capture encrypted data, take screenshots of specific applications and specifically target Skype users. The malware goes to great lengths to identify a total of 24 potential security products that may be running on a system and customizes its installation mechanism to specifically evade those that are installed. It uses a multi-stage installation process with specific checks at each point to identify if it is undergoing analysis by a security researcher.

It stores critical files dropped by the Trojan in a directory named “Intel.” T9000 is pre-configured to automatically capture data about the infected system and steal files of specific types stored on removable media.

The Trojan is said to involve what’s known as a multi-stage installation process and checks at each point for any installed anti-virus programs. After checking everything, T9000 installs itself and then collects information stored on the infected system, sending it to the hacker’s server.

The malware is said to have spread originally via spear phishing emails sent to organisations in the US. Spear phishing is an e-mail spoofing fraud attempt that targets a specific group or organisation. The intent is to steal intellectual property, financial data, trade or military secrets and other personal information. However, researchers believe this new backdoor malware is so sophisticated it can adapt to be used against any victim that a cybercriminal wishes to hack.

Ransomware Racket Demanding Bitcoin from Indian Companies

Earlier this month, the ransomware infected three Indian banks and a pharmaceutical company, demanding one bitcoin per compromised computer and reportedly causing millions of dollars in damage.
LeChiffre is not your typical ransomware: it runs only when launched manually. The hacker managed to infiltrate the networks of all the companies and then extended his access to other computers via unprotected Remote Desktop ports.

Once he gained access to a computer, the hacker would download the ransomware from his server and then double-click it to start the encryption process.

LeChiffre’s encryption works by encrypting the first and last 8192 bytes of each file and then appending the encryption key to the file as a 32-byte blob. The cipher is AES. The ransomware is written in Delphi, and its interface is in Russian.
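The partial-encryption layout just described (encrypted head and tail, untouched middle, 32-byte trailer) is something an incident responder can test for without the key. The following triage script is an added example, not code from the original article or from any vendor’s tooling: it measures the Shannon entropy of the first 8192 bytes, the last 8192 bytes and the middle of a file image (with the trailing 32 bytes stripped) and flags files whose head and tail look like ciphertext while the middle still looks like plaintext. The entropy thresholds, the sample “report” text and the SHA-256 counter stream used as a stand-in for ciphertext are all constructed for this example; nothing here encrypts anything.

```python
import hashlib
import math
from collections import Counter
from pathlib import Path

# Layout values taken from the LeChiffre description: first and last 8192 bytes
# encrypted, 32-byte key blob appended at the end of the file.
BLOCK = 8192
KEY_BLOB = 32

# Triage thresholds (assumptions): AES output sits near 8 bits/byte,
# ordinary documents and text well below that.
HIGH = 7.5
LOW = 6.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def lechiffre_profile(data: bytes) -> dict:
    """Score head / middle / tail of a file image after dropping the 32-byte trailer."""
    body = data[:-KEY_BLOB]
    if len(body) <= 2 * BLOCK:
        # Short files: head and tail overlap, so the whole body is one region.
        e = shannon_entropy(body)
        return {"head": e, "middle": None, "tail": e, "size": len(data)}
    return {
        "head": shannon_entropy(body[:BLOCK]),
        "middle": shannon_entropy(body[BLOCK:-BLOCK]),
        "tail": shannon_entropy(body[-BLOCK:]),
        "size": len(data),
    }


def looks_partially_encrypted(data: bytes) -> bool:
    """True when head and tail look like ciphertext but the middle still looks like plaintext."""
    p = lechiffre_profile(data)
    if p["middle"] is None:
        return p["head"] >= HIGH
    return p["head"] >= HIGH and p["tail"] >= HIGH and p["middle"] <= LOW


def scan_tree(root) -> list:
    """Return paths under root whose layout matches the partial-encryption pattern."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and looks_partially_encrypted(path.read_bytes()):
            hits.append(str(path))
    return hits


def _pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 counter stream). NOT encryption; used only as a constructed stand-in for ciphertext."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def sample_clean_file() -> bytes:
    """Constructed 40,000-byte plaintext document."""
    line = b"Quarterly report: revenue grew 4% while costs stayed flat.\n"
    return (line * 700)[:40000]


def sample_lechiffre_like_file() -> bytes:
    """Constructed: the same document with its first/last 8192 bytes replaced by random-looking bytes and a 32-byte trailer appended."""
    clean = sample_clean_file()
    return (_pseudo_random(BLOCK, b"head") + clean[BLOCK:-BLOCK]
            + _pseudo_random(BLOCK, b"tail") + _pseudo_random(KEY_BLOB, b"key"))


if __name__ == "__main__":
    for label, blob in (("clean", sample_clean_file()),
                        ("lechiffre-like", sample_lechiffre_like_file())):
        print(label, lechiffre_profile(blob), looks_partially_encrypted(blob))
```

Run as a script it prints the three-region profile for both constructed samples; point `scan_tree()` at a mounted image to list candidate files. A file shorter than two blocks is fully encrypted under this scheme, so the check falls back to whole-body entropy rather than reporting a false negative.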

“LeChiffre looks very unprofessional; practically no countermeasures against analysis have been taken, but still it has managed to do damage.”

Here is the LeChiffre message shown after files are infected:


CryptoJoker Ransomware

A new ransomware has been discovered called CryptoJoker that encrypts your data using AES-256 encryption and then demands a ransom in bitcoins to get your files back. The CryptoJoker installer is disguised as a PDF file, which means it is probably distributed via email phishing campaigns. Once the installer is executed it will download or generate numerous executables in the %Temp% folder and one in the %AppData% folder.

When CryptoJoker encrypts your data it scans all drives on the victim’s computer, including mapped network drives, for files with certain extensions. When it finds a targeted extension it encrypts the file and renames it so that a .crjoker extension is appended. For example, Dog.jpg would become Dog.jpg.crjoker.

Files Associated with CryptoJoker:


Registry Entries associated with CryptoJoker:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winpnp %Temp%\winpnp.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drvpci %Temp%\drvpci.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\windefrag %Temp%\windefrag.exe
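The two indicators above, the `.crjoker` extension and the three `Run` values launching from `%Temp%`, are enough for a host sweep. The script below is an added example, not the article’s or any vendor’s code: it parses a `.reg` export of the `HKCU\...\Run` key (the export text is constructed for this example, with an ordinary OneDrive entry alongside the CryptoJoker ones), flags values whose names match the ones listed above or whose command runs from a temp or profile directory (that second heuristic is an assumption, motivated by the `%Temp%`/`%AppData%` drop locations the text mentions), and walks a directory tree for `.crjoker` files, recovering the original file names from the appended extension. The sample tree is also constructed in a temporary directory so the example runs offline.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the CryptoJoker description above.
CRJOKER_EXT = ".crjoker"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
KNOWN_RUN_NAMES = {"winpnp", "drvpci", "windefrag"}
# Assumption: legitimate autoruns rarely execute straight out of these locations.
SUSPECT_DIRS = ("%temp%", "%appdata%", "\\appdata\\local\\temp\\")

# One REG_SZ line of a .reg export: "name"="data" with \" and \\ escapes.
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> dict:
    """Parse the REG_SZ values of a .reg export into {key_path: {name: data}}."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current else None
        if m:
            result[current][_unescape(m["name"])] = _unescape(m["data"])
    return result


def suspicious_run_entries(reg: dict) -> list:
    """Return (name, data, reason) for Run values matching the CryptoJoker indicators."""
    hits = []
    for name, data in reg.get(RUN_KEY, {}).items():
        if name.lower() in KNOWN_RUN_NAMES:
            hits.append((name, data, "known CryptoJoker value name"))
        elif any(d in data.lower() for d in SUSPECT_DIRS):
            hits.append((name, data, "autorun from a temp/profile directory"))
    return hits


def find_crjoker_files(root) -> list:
    """Walk root and return (encrypted_path, original_name) pairs for *.crjoker files."""
    found = []
    for path in sorted(Path(root).rglob("*" + CRJOKER_EXT)):
        found.append((str(path), path.name[: -len(CRJOKER_EXT)]))
    return found


# Constructed .reg export: one benign entry plus the three listed above and
# one extra autorun living in the user's Temp directory.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"winpnp"="%Temp%\\winpnp.exe"
"drvpci"="%Temp%\\drvpci.exe"
"windefrag"="%Temp%\\windefrag.exe"
"updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"
'''


def build_sample_tree() -> str:
    """Constructed directory mimicking a hit drive: two encrypted files, one untouched."""
    root = tempfile.mkdtemp(prefix="crjoker_demo_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "Dog.jpg.crjoker").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.crjoker").write_bytes(b"\x00" * 16)
    (docs / "readme.txt").write_text("untouched\n")
    return root


if __name__ == "__main__":
    for name, data, reason in suspicious_run_entries(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"RUN  {name:10} {data}  [{reason}]")
    for enc, orig in find_crjoker_files(build_sample_tree()):
        print(f"FILE {enc}  (was {orig})")
```

On a real host you would feed `parse_reg_export()` the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and point `find_crjoker_files()` at each local and mapped drive, since the text notes the malware scans mapped network shares too. The list of original names is what you need when restoring from backup.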

ModPOS (Modular point of Sale) malware threat rises again

As the shopping season swings into high gear, security experts are warning of a “highly sophisticated” malware framework, called ModPOS (for “modular POS”), that could pose a threat to U.S. retailers using point-of-sale (POS) systems. The new POS malware framework could wreak havoc among US retailers as they head into the busy Black Friday shopping period.

ModPOS has been described as “the most sophisticated point-of-sale (POS) malware”; with its complex code base, ModPOS can slip undetected past many types of modern security systems. Its modular nature also provides multiple attack routes, with keylogger, POS scraper and uploader/downloader modules that make it possible to target unique aspects of retailers’ POS systems.

New CryptoWall virus variant v4.0 is out in the wild now

The nasty CryptoWall 4.0 (CW4.0) notifies you only AFTER it is done messing with your local and network files, and it now encrypts not only the data but also the file names. Unless you have a backup, there is no way any files can be recovered. It is highly recommended to use a backup program such as the one provided in Max Total Security, which not only backs up files but also protects them from being modified by anyone. This way you are fully protected.

The malware researchers also confirmed that the encryption algorithm used to encrypt the victim’s files is the unbreakable AES 256 and that the key is encrypted using RSA 2048.

The Cryptowall 4.0 infections were observed across the world, including in France, Italy, Germany, India, Romania, Spain, US, China, Kenya, South Africa, Kuwait and the Philippines.

KEMOGE: a vicious new Android malware

This malware has been spotted spreading quickly worldwide, and it allows the complete compromise and takeover of the targeted Android device. The malware has turned up in countries such as the U.S., China, Singapore, Indonesia, Russia, England, and France.

Popular applications that have been repackaged with Kemoge include:

Smart Touch
Talking Tom
Light Browser
Easy Locker
Privacy Lock
Other adult applications.

On the initial launch of the adware, Kemoge collects device information and uploads it to the server. Then it starts serving ads from the background, which appear all the time, even on the home screen. After that, Kemoge delivers a .zip payload to the device, which is encrypted multiple times and made to look like an .mp4 file. After gaining persistent root, it infiltrates itself further into the system under names similar to the launcher service or other services such as the ones from Facebook or Google.

To avoid malware:

  • Never click on suspicious links from emails/SMS/websites/advertisements.
  • Don’t install apps outside the official app store.
  • Keep Android devices updated to avoid being rooted by publicly known bugs. (Upgrading to the latest version of the OS will provide some security, but it does not guarantee that you will remain protected.)

New iOS malware

Recently discovered malware evades Apple’s App Store security net and infects iPhones and iPads, jailbroken or not, displaying full-page ads in Safari and forcing users to download a defunct media player.

The malware, called YiSpecter, can infiltrate any iOS device via a variety of means, posing as a genuine Apple-signed app once installed. Once on your iOS device, the app can make itself invisible to the user by disguising itself as an actual iOS app, or by hiding itself from the home screen, which means the user has no means of deleting it.

On infected iOS devices, YiSpecter can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to the C2 [command and control] server.

There are many ways of installing YiSpecter on the phone, including hijacking traffic from nationwide ISPs, a worm on Windows, offline app installations, and community promotions. The app takes advantage of Apple’s enterprise certificates that are used to sign four app components to fool the operating system into believing it’s a genuine app.

There is a way of removing the malware app and any additional apps it may have installed, but you might require third-party programs that give you access to the phone’s file system. Check it out below:

1. In iOS, go to Settings -> General -> Profiles to remove all unknown or untrusted profiles;
2. If there’s any installed apps named “情涩播放器”, “快播私密版” or “快播0”, delete them;
3. Use any third-party iOS management tool (e.g., iFunBox, though note that Apple’s iTunes doesn’t work in this step) on Windows or Mac OS X, to connect with your iPhone or iPad;
4. In the management tool, check all installed iOS apps; if there are apps with names like Phone, Weather, Game Center, Passbook, Notes, or Cydia, delete them. (Note that this step won’t affect the original system apps; it just deletes the fake malware copies.)

UPDATE: Apple checks in to say that this issue has been fixed starting with iOS 8.4 so stay updated and only download from trusted sources like the App Store and pay attention to any warnings as they download apps.

ATM malware in Mexico

GreenDispenser Malware allows an attacker to walk up to an infected ATM and, with a series of pinpad entries, direct the machine to dispense all of its cash.

Once this has been accomplished, the attacker initiates a “deep delete” of GreenDispenser, leaving virtually no trace of the malware.

You probably know the internal computers of ATMs are under lock and key, but you may not know that many of the locks can be opened by a single master key. Hackers in Mexico apparently have copies of that key and are programming the computers to steal your money.

GreenDispenser, once installed on an ATM, displays a fake error message that reads: “We regret this ATM is temporary out of service.”

Only the hacker can bypass this error, and the malware unusually requires two-factor authentication. The hacker must first enter a pin code that has been hard-coded into the malware, and then use a smartphone to scan a QR code that appears on the ATM screen.

Apple App Store Malware Outbreak

Apple is moving to contain an outbreak of malware-infected apps that may have been downloaded by hundreds of millions of iOS App Store users.

Apple on Sept. 20 confirmed that it had deleted malicious iPhone, iPad and iPod Touch software after multiple information security firms warned that “XcodeGhost” malware had been found embedded in otherwise legitimate apps, many of which were aimed at Chinese-language speakers.

The malicious apps included Tencent’s WeChat app, which has an estimated 600 million users, although not all of them would be using the iOS client. Other infected Chinese-language apps included China’s most popular car-hailing app, Didi Kuaidi; a streaming-music app from Internet portal NetEase; the Railway 12306 app, which is the country’s only official app for purchasing train tickets; and a mobile banking app from China CITIC Bank.

The infected iOS apps include IMs, banking apps, mobile carrier apps, maps, stock trading apps, SNS apps, and games.

Ghost Push Android Malware

“Ghost Push” is essentially an Android malware APK build that installs unwanted apps onto your Android device, which suck up precious resources and generally run amok with your phone or tablet. Distributed through non-Google app stores and infecting more than 600,000 new users each day, it cannot be removed easily, even through a “factory reset”.

The maker of the antivirus apps reported that the new virus is contaminating smartphones at a faster pace and it estimated that it’s infecting more than 600,000 users each day.