Garmr – Automate Web Application Security Tests

Garmr is a tool to inspect the responses from websites for basic security requirements. It includes a set of core test cases implemented in corechecks that are derived from the Mozilla Secure Coding Guidelines which can be found here: https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines The purpose of this page is to establish a concise and...

Read the full post at darknet.org.uk

Backoff Point-of-Sale Malware Campaign

Original release date: August 22, 2014

US-CERT is aware of Backoff malware compromising a significant number of major enterprise networks as well as small and medium businesses.

US-CERT encourages administrators and operators of Point-of-Sale systems to review the Backoff malware alert to help determine if your network may be affected.

Organizations that believe they have been infected with Backoff are also encouraged to contact their local US Secret Service Field Office.


Brazilian PUP Campaign MegaRapido Shows Unwanted Behavior

Some applications go too far in their attempt to get installed on users' systems. Many of these fall into the potentially unwanted program (PUP) category. One of these is MegaRapido, which primarily targets Brazilians. A recent sample we tested tries to connect to protectmedia.net, which is already marked as suspicious by McAfee SiteAdvisor. Instead of contacting that URL directly, this PUP uses the goo.gl redirection service to obscure its destination.

Lately we have observed many other examples of suspicious software using goo.gl redirects to hide their tracks. Using goo.gl, PUPs and other malware try to evade static, string-based URL checks by security vendors, because the suspicious host name never appears in the URL the sample contains. On execution, a window appears asking the user to install DealPly add-ons.
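The evasion described above is defeated by expanding the redirect chain before applying a reputation check. The following is an added example, not code from McAfee's post: it walks a constructed redirect table (standing in for live HTTP HEAD responses) hop by hop, resolves relative Location headers, stops on loops or a hop limit, and flags any hop whose host is on a reputation list. All URLs and the blocklist are constructed for illustration except protectmedia.net, which the post names.

```python
from urllib.parse import urljoin, urlsplit

# Constructed blocklist standing in for a site-reputation service.
SUSPICIOUS_HOSTS = {"protectmedia.net"}

# Constructed redirect table: URL -> Location header value.
# None means the URL answers with a final page rather than a redirect.
SAMPLE_REDIRECTS = {
    "https://goo.gl/abc123": "https://goo.gl/def456",
    "https://goo.gl/def456": "/landing",            # relative Location
    "https://goo.gl/landing": "http://protectmedia.net/offer",
    "http://protectmedia.net/offer": None,
    "https://goo.gl/loop1": "https://goo.gl/loop2",  # redirect loop
    "https://goo.gl/loop2": "https://goo.gl/loop1",
}


def lookup_location(url, table=SAMPLE_REDIRECTS):
    """Stand-in for an HTTP HEAD: return the Location header or None."""
    return table.get(url)


def static_check(url, blocklist=SUSPICIOUS_HOSTS):
    """The naive check the PUP evades: only inspects the literal URL."""
    return urlsplit(url).hostname in blocklist


def expand_chain(url, fetch=lookup_location, max_hops=10):
    """Follow redirects and return (every hop visited, stop reason)."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        location = fetch(chain[-1])
        if location is None:
            return chain, "final"
        # Relative Location values are resolved against the current hop.
        nxt = urljoin(chain[-1], location)
        if nxt in seen:
            return chain, "loop"
        chain.append(nxt)
        seen.add(nxt)
    return chain, "hop_limit"


def classify(url, blocklist=SUSPICIOUS_HOSTS):
    """Reputation verdict over the whole chain, not just the first URL."""
    chain, status = expand_chain(url)
    flagged = [u for u in chain if urlsplit(u).hostname in blocklist]
    return {"chain": chain, "status": status, "flagged": flagged}
```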

The only button provided is “Avançar” (Yes/I agree). Users have no option to decline this offer, abort the installation, or even minimize this window unless they click “Avançar.” This “forceful acceptance grant” is borderline ransomware behavior, and it is what places this software in the PUP category. After accepting the terms, users are asked to give contact details; only phone numbers from Brazil are deemed valid. However, even after providing a valid Brazilian number, an error message reports that sending an SMS to that number has failed.

Not stopping here, the latest variants also embed hardcoded routines that attempt to uninstall certain security products to evade detection.


We found other redirect strings hidden in the binary; one logged us directly into their web-tracking account.

The following stats are taken from the Extreme web-tracking account of the PUP author.

From that account a lot of intelligence can be inferred. For example, we see the number of hits for this URL, more than 700,000 per month.

Next we see the top three culprits that lead users to the adware page. All of these are marked as suspicious by McAfee SiteAdvisor.

We can see that this particular adware concentrates on Brazil, with more than 12 million hits.

We also see that 99.9% of the users who landed on this adware page were using Internet Explorer.

McAfee detects these variants as MegaRapido and Midia. Based on hit count, these applications are very prevalent in the wild, and although not technically “malware” they can still annoy users. Keep your antimalware solution and website reputation add-on up to date to avoid being trapped by these PUPs.

The post Brazilian PUP Campaign MegaRapido Shows Unwanted Behavior appeared first on McAfee.