Nov 28 2014

isowall – Completely Isolate A Device From The Local Network

Isowall is a mini-firewall that allows you to completely isolate a device from the local network. It is meant for giving infected machines Internet access without endangering the rest of the local network. Building: this project depends upon libpcap and, of course, a C compiler. On Debian, the following should work: This will...

Read the full post at darknet.org.uk
Nov 27 2014

Bitcoin Not That Anonymous Afterall

One of the big advantages touted by Bitcoin (and other cryptocurrencies) was always the anonymity of the transactions. Yes, you can track a wallet address and see its transaction history, but there was no real way to link that wallet address to a real person (or so we thought). I mean, other than any leaky fiat exchange [...] The post Bitcoin Not...

Read the full post at darknet.org.uk
Nov 26 2014

Sony Pictures hackers release list of stolen corporate files

On Monday, employees at Sony Pictures Entertainment—the television and movie subsidiary of Sony Corp.—discovered that their internal corporate network had been hijacked. A message from an individual or group claiming responsibility appeared on corporate systems, pledging to release sensitive corporate data taken from the network by 11pm GMT on Monday.

Twitter accounts associated with promoting several movies, including Starship Troopers, were briefly hijacked by the attackers. The attackers posted to at least three Twitter feeds, leaving the same message: “You, the criminals including [Sony Pictures CEO] Michael Lynton will surely go to hell. Nobody can help you.” The image posted with the message shows a digitally edited image of Lynton’s head in a dark, hellish landscape.

As of this morning, the network at many Sony offices still appears to be down. Based on information reportedly shared by employees, it could be down for weeks before being restored. The Twitter accounts appear to be back under Sony Pictures’ control.


Nov 26 2014

Is This Your Photo? No, It’s SMS Spam With Mobile Malware

One of the most important concerns of Internet users is privacy. For this reason one of the most effective phishing attacks is to claim that someone’s video or photo is public; thus the victim cannot resist clicking on the malicious link. Recently some people from Singapore (country code +65) have reported a new SMS spam campaign with the message “Is this your photo?” and a specific URL:

[Image: the "Is this your photo?" SMS spam message. Source: DKSG]

The message comes from a contact who was previously infected with the malware and includes the name of the receiver to increase its credibility. The URL included in the message is hidden using a shortening service and redirects to the control server that hosts the malicious application. Once the shortened URL is clicked, the file PhotoViewer.apk is downloaded. If the application is installed, the following icon appears in the home launcher:

[Image: the application's icon in the home launcher]
The icon belongs to the popular legitimate application Photo Grid, which is available on Google Play. If the recently installed application is opened, the following image related to Photo Grid appears in full-screen mode:

[Image: the full-screen Photo Grid image shown by the main activity]
And that’s all! Apparently no other functions were implemented beyond showing these images. However, if we try to execute the application again, we find that the icon in the home launcher is gone. Does that mean that the application was uninstalled? Not really. We can find it in Settings -> Apps:

[Image: the application listed under Settings -> Apps]
So what is this app doing in the background? If we wait for a couple of minutes, the mystery will be revealed:

[Image: several full-screen ads displayed by the application]

The main purpose of this malware is to make as much money as possible from clicks on full-screen ads, which appear constantly and are served by several advertisement modules bundled inside the application.

In addition to this payload, the malware has a mechanism to dynamically send SMS spam, based on parameters provided by the control server and using the contacts stored on the device and the SIM card (the isDebug flag is always false):

[Image: decompiled SMS spam routine]
So far we have seen the URLs hxxp://url7.me/tiNk1 and hxxp://url7.me/NwVk1 (both currently down) and the text “Is this your Photo?” used in the SMS spam campaigns. However, because these parameters are sent from a remote server, they could change at any time (possibly leading to more dangerous threats such as ransomware) if the control server comes back online or if a new variant, with a new server, is released in the wild. Another parameter retrieved from the remote server is “total,” which defines how many randomly selected contacts will receive the SMS spam.
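The spam routine described above has two observable properties on the sending side: every message carries the lure text plus a shortened link, and one infected phone pushes the same link to a number of contacts (the "total" parameter). The following triage script, added here as an illustration and not taken from the McAfee post, shows how those properties can be turned into a simple detector over an outbound-SMS log. The log lines are constructed; the two url7.me paths are the ones the post lists, defanged as hxxp; the shortener host list is an assumption to be maintained locally.

```python
import re
from collections import defaultdict

# Constructed sample outbound-SMS log: (sender, recipient, text).
# The url7.me paths are the ones named in the post; everything else is made up.
SAMPLE_LOG = [
    ("+6590000001", "+6590000011", "Alice is this your photo? hxxp://url7.me/tiNk1"),
    ("+6590000001", "+6590000012", "Bob is this your photo? hxxp://url7.me/tiNk1"),
    ("+6590000001", "+6590000013", "Carol is this your photo? hxxp://url7.me/tiNk1"),
    ("+6590000001", "+6590000014", "Dan is this your photo? hxxp://url7.me/tiNk1"),
    ("+6590000002", "+6590000021", "Running late, order without me"),
    ("+6590000003", "+6590000031", "Is this your Photo? hxxp://url7.me/NwVk1"),
    ("+6590000004", "+6590000041", "Your OTP is 482913"),
]

# Lure phrase used by the campaign, matched case-insensitively.
LURE_RE = re.compile(r"\bis this your photo\b", re.I)
# Matches http(s) and defanged hxxp(s) URLs; group 1 is the host.
URL_RE = re.compile(r"\b(?:h[xt]{2}ps?)://([^/\s]+)(?:/\S*)?", re.I)
# Assumption: a locally maintained list of shortener hosts; url7.me is from the post.
SHORTENER_HOSTS = {"url7.me", "bit.ly", "tinyurl.com", "goo.gl"}


def classify_message(text):
    """Return the set of content indicators found in one SMS body."""
    reasons = set()
    if LURE_RE.search(text):
        reasons.add("photo_lure")
    m = URL_RE.search(text)
    if m and m.group(1).lower() in SHORTENER_HOSTS:
        reasons.add("shortened_url")
    return reasons


def find_fanout(log, min_recipients=3):
    """Map (sender, link) -> recipient count for links sent to many distinct numbers."""
    recipients = defaultdict(set)
    for sender, recipient, text in log:
        m = URL_RE.search(text)
        if m:
            recipients[(sender, m.group(0).lower())].add(recipient)
    return {key: len(v) for key, v in recipients.items() if len(v) >= min_recipients}


def triage(log, min_recipients=3):
    """Flag senders whose messages show at least two independent indicators."""
    fanout = find_fanout(log, min_recipients)
    flagged = {}
    for sender, recipient, text in log:
        reasons = classify_message(text)
        m = URL_RE.search(text)
        if m and (sender, m.group(0).lower()) in fanout:
            reasons.add("link_fanout")
        if len(reasons) >= 2:
            flagged.setdefault(sender, set()).update(reasons)
    return flagged


if __name__ == "__main__":
    for sender, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(sender, sorted(reasons))
```

Requiring two indicators keeps a lone shortened link or a friend genuinely asking about a photo from firing on its own, while a device that sprays one link at several contacts is caught even if the lure text changes, which matters because the post notes the text and URL are both pushed from the control server.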

A previous variant of this malware on Google Play pretended to be the famous game “King of Fighters” uploaded by the developer 8stars:

[Image: the earlier "King of Fighters" variant on Google Play, uploaded by 8stars]
Fortunately, the number of installs of this variant was very low (100 to 500) before it was removed from Google Play; but taking the newly released variant into account, it seems the malware authors are starting to use other distribution methods and themes for this threat.

McAfee Mobile Security detects this Android threat and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit this link.

The post Is This Your Photo? No, It’s SMS Spam With Mobile Malware appeared first on McAfee.