Archive for virus

Android Backdoor ‘GhostCtrl’ Can Silently Record Your Audio, Video and More

Posted in Commentary on July 19, 2017 by itnerd

Researchers over at Trend Micro have discovered a new Android backdoor that, at first glance, seems scary:

The information-stealing RETADUP worm that affected Israeli hospitals is actually just part of an attack that turned out to be bigger than we first thought—at least in terms of impact. It was accompanied by an even more dangerous threat: an Android malware that can take over the device.

Detected by Trend Micro as ANDROIDOS_GHOSTCTRL.OPS / ANDROIDOS_GHOSTCTRL.OPSA, we’ve named this Android backdoor GhostCtrl as it can stealthily control many of the infected device’s functionalities.

There are three versions of GhostCtrl. The first stole information and controlled some of the device’s functionalities without obfuscation, while the second added more device features to hijack. The third iteration combines the best of the earlier versions’ features—and then some. Based on the techniques each employed, we can only expect it to further evolve.

Lovely. The malware distributes itself via illegitimate apps for WhatsApp or Pokemon GO. Trend Micro suggests you keep your Android devices up to date and data backed up regularly. They also recommend using an app reputation system that can detect suspicious and malicious apps. In other words, this is a real and present threat and I am sure that we’ll see threats just like this one in the not too distant future.

Spain Takes Down “Ransomware” Gang

Posted in Commentary on February 14, 2013 by itnerd

If you haven’t heard of “ransomware”, you need to pay attention to this story. Spanish officials have taken down a gang that specializes in a virus that holds users’ data for ransom:

The gang, operating from the Mediterranean resort cities of Benalmadena and Torremolinos, made at least $1.35 million annually, said Deputy Interior Minister Francisco Martinez. Their notices to victims were accompanied by false threats claiming they were under investigation for accessing child pornography or illegal file-sharing.

The 27-year-old Russian alleged to be the gang’s founder and virus developer was detained in the United Arab Emirates at the request of Spanish police while on vacation and an extradition petition is pending, Martinez said. Six more Russians, two Ukrainians and two Georgians were arrested in Spain last week.

Europol, which coordinates national police forces across Europe and worked with Spanish authorities on the case, said the operation “dismantled the largest and most complex cybercrime network dedicated to spreading police ransomware.”

Sounds delightful, doesn’t it? Here’s how the scam, which was propagated via a virus, worked:

The virus displayed the national emblem of the police force in each country it appeared in, telling people to buy prepaid electronic money cards to pay the fines online.

Authorities estimate less than three per cent of those people whose computers were infected paid, but the amounts added up. The gang also stole data and information from victims’ computers, and didn’t unlock them after the fake fines were paid.

Money was also stolen from the victims’ accounts via ATMs in Spain, and the gang made daily international money transfers through currency exchanges and call centers to send the funds stolen to Russia.

This is another reason to make sure that the security on your computer is up to snuff so that you don’t fall victim to something like this.

Cat And Mouse Game Begins With “Mac Defender” Malware

Posted in Commentary on June 1, 2011 by itnerd

It took only 24 hours for a new variant of the “Mac Defender” malware to appear, one designed to get around the enhancements Apple shipped to stop it from spreading:

Hours after Apple released this update and the initial set of definitions, a new variation of Mac Defender is in the wild. This one has a new name, Mdinstall.pkg, and it has been specifically formulated to skate past Apple’s malware-blocking code.

The file has a date and time stamp from last night at 9:24PM Pacific time. That’s less than 8 hours after Apple’s security update was released.

On a test system using Safari with default settings, it behaved exactly as before, beginning the installation process with no password required.

Now the only positive thing about this is that the security update I mentioned yesterday has a new feature: it can update itself with new definitions. So Apple could simply push new definitions through this security update and protect users. However, Mac users now have to deal with something Windows users have had to deal with for years: the window of opportunity in which users can get infected while Apple updates its definitions.

Welcome to the real world, Mac users.

Mac Malware: Threat Or Hype? And Where’s Apple?

Posted in Commentary on May 23, 2011 by itnerd

Over the last little bit there’s been a lot of news about a new attack against Macs called “Mac Defender.” It relies on you, the Mac user, to install it so that it can do its evil deed, which is to get you to pay for virus protection that you don’t need. So this is not a virus, as it cannot install itself or spread on its own. Instead, it relies upon fooling non-technical users into installing the malware through Mac OS X’s security authentication barrier, and additionally attempts to get users to supply their credit card information. Other than that, it is (for now) harmless. But it is a sign of things to come, as the next attack of this sort may do the sort of things that Windows users are used to seeing.

So is this a threat? Yes. Contrary to what Steve Jobs and his merry band of Apple Fanbois are telling the world, the Mac isn’t immune to attacks of any sort. Clearly they know this, because Apple is dodging every request for help from users who fell prey to this. That’s bad, because as the people who create stuff like this focus their attention on the Mac, these attacks are going to get more and more dangerous. The fact that at the moment this is more of a nuisance is irrelevant.

So what do you do? In the absence of Apple doing the responsible thing and stepping up to the plate, it’s best to protect yourself now. I’ve been using the free Sophos anti-virus for Mac application for a while now. I’d recommend that you take a look at it, as it’s a great way to protect yourself. Is it the only thing you need? No. You still need to exercise some judgement and common sense when surfing the net. No anti-virus app will replace that.

In the meantime, Apple needs to turn off the reality distortion field and do the right thing. They need to help users protect themselves, as well as help those who have already been hit by this. In parallel, they also need to make sure that their OS is secure. After all, look how much mileage Microsoft has gotten by coming out with its own anti-virus application as well as trying to make its OS as secure as possible.

Perhaps Apple should take a page out of their playbook?

Dangerous New Virus From The Old School Hits The Streets

Posted in Commentary on September 9, 2010 by itnerd

If you get an e-mail with a subject of “here you have” or “Just For you” and you’re running Windows, don’t open it. It’s a dangerous virus that uses methods from the turn of the century… the 21st century… to spread itself:

The worm arrives via emails with the subject line “Here You Have” or something similar, and the messages contain a link to a site that will download a malicious file to the victim’s PC. The malware then drops itself into the Windows directory with a file name of CSRSS.EXE, which is identical to a legitimate Windows file, according to an analysis by McAfee researchers.

“The URL does not actually lead to a PDF document, but rather an executable in disguise, such as PDF_Document21_025542010_pdf.scr served from a different domain, such as,” the analysis says.

From there, it’s 2001 all over again, as the worm attempts to mail itself to all of the contacts in the victim’s Outlook address book. The malware also tries to stop any security software or anti-malware programs running on the machine. McAfee’s researchers found that the worm also can spread via network shares and AutoRun.

I can see that I’ll be busy for the next few days judging from this Toronto Star story that says that Google, ABC, Coca-Cola and others have been hit hard. If you don’t want to be one of the unlucky, don’t open any e-mails with the above titles and make sure your virus definitions are up to date.
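Both of the worm’s tricks quoted above are cheap to check for on the defender’s side: a URL whose file name is dressed up as a PDF but ends in an executable extension such as .scr, and a process named CSRSS.EXE running from anywhere other than System32, which is the only place the legitimate Windows binary lives. The following is an added example, not code from the original post or from McAfee’s analysis; the URLs and paths it checks are constructed sample data, and the system root is assumed to be C:\Windows.

```python
import re
from pathlib import PureWindowsPath

# Extensions Windows will execute even though they do not look like programs
# to most users (.scr is a screensaver, .pif a program information file).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Document types that a disguised file name typically imitates.
DOCUMENT_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}


def is_disguised_executable(url: str) -> bool:
    """True when the file name in a URL pretends to be a document but ends in
    an executable extension, e.g. PDF_Document21_025542010_pdf.scr or
    Invoice.pdf.exe (the classic double extension)."""
    name = url.rsplit("/", 1)[-1].split("?", 1)[0].lower()
    stem, dot, ext = name.rpartition(".")
    if not dot or "." + ext not in EXECUTABLE_EXTS:
        return False
    # Split the stem on anything non-alphanumeric (dots, underscores, dashes)
    # and look for a document token anywhere in it.
    tokens = set(re.split(r"[^a-z0-9]+", stem))
    return bool(tokens & DOCUMENT_TOKENS)


def is_masquerading_csrss(image_path: str, system_root: str = r"C:\Windows") -> bool:
    """True for a process image named csrss.exe whose directory is not
    <system_root>\\System32. PureWindowsPath compares case-insensitively,
    so CSRSS.EXE and c:\\windows\\system32 are handled correctly."""
    image = PureWindowsPath(image_path)
    if image.name.lower() != "csrss.exe":
        return False
    legit_dir = PureWindowsPath(system_root) / "System32"
    return image.parent != legit_dir


# Constructed sample data (not real indicators).
SAMPLE_URLS = [
    "http://example.invalid/files/PDF_Document21_025542010_pdf.scr",
    "http://example.invalid/files/report.pdf",
    "http://example.invalid/tools/setup.exe",
]
SAMPLE_PROCESSES = [r"C:\Windows\System32\csrss.exe", r"C:\Windows\CSRSS.EXE"]


def suspicious_urls(urls):
    return [u for u in urls if is_disguised_executable(u)]


def suspicious_processes(paths):
    return [p for p in paths if is_masquerading_csrss(p)]
```

Note that a plain setup.exe is deliberately not flagged: the check is for the disguise, not for executables in general.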

Be Warned: Trojan Pretends To Be Microsoft Security Essentials

Posted in Commentary on February 27, 2010 by itnerd

I spent the day at two clients today. One needed her laptop tweaked after having a new hard drive installed by a major retailer, and the other got infected by a very interesting trojan that I’d like to tell you about. Apparently, she clicked on a link that allowed her to download what she thought was Microsoft Security Essentials. But in reality it was a trojan, and she figured it out when it said that she had to pay to scan her hard drive. I did some research and discovered this Microsoft note on the subject. It is a really nasty bug, and it took me the better part of an hour to get rid of it, as stuff like this is really difficult to kill.

So be warned, if you see a link or an offer to download “Security Essentials 2010”, you should run quickly in the other direction.

New iPhone Malware Targets The Bank Accounts Of Dutch iPhone Users

Posted in Commentary on November 23, 2009 by itnerd

If you live in Holland and you’ve jailbroken your iPhone, you may want to take note of this. A pretty bad piece of malware is targeting you. First, here’s what the BBC has to say about it:

It is specifically targeting people in the Netherlands who are using their iPhones for internet banking with Dutch online bank ING.

It redirects the bank’s customers to a lookalike site with a log-in screen.

In other words, it’s a phishing scam. Lovely. But it’s actually worse than that according to Intego:

When active on an iPhone, the iBotnet worm changes the root password for the device, in order to prevent users from later changing that password themselves. It then connects to a server in Lithuania, from which it downloads new files and data, and to which it sends data recovered from the infected iPhone. The worm sends both network information about the iPhone and SMSs to the remote server. It is capable of downloading data, including executables that it uses to run and carry out its actions, as well as new files, providing botnet capabilities to infected devices.

So given all of that, does it still sound like a good idea to jailbreak your iPhone? The bottom line is that this malware only affects jailbroken devices. So if you want to remain secure, don’t jailbreak that iPhone.

New Malware Exploits Jailbroken iPhones

Posted in Commentary on November 11, 2009 by itnerd

If you thought having your jailbroken iPhone Rickrolled was the worst thing that could happen to you, think again. Security firm Intego has found a piece of malware that will allow hackers to access personal information stored on certain jailbroken iPhones. Oh, and if you have an iPod Touch and you’ve jailbroken that, you’re in trouble too. The malware works by being installed onto a computer and then scanning that computer’s network for vulnerable iPhones:

This hacker tool could easily be installed, for example, on a computer on display in a retail store, which could then scan all iPhones that pass within the reach of its network. Or, a hacker could sit in an Internet café and let his computer scan all iPhones that come within the range of the wifi network in search of data. Hackers could even install this tool on their own iPhones, and use it to scan for jailbroken phones as they go about their daily business.

Lovely. The best way to defend yourself against this is to change the root password of your jailbroken iPhone. An even better defense is to not jailbreak it in the first place. Why? Here’s why:

We would like to stress that users who jailbreak their iPhones are exposing themselves to known vulnerabilities that are being exploited by code that is circulating in the wild. While the number of iPhones attacked may be minimal, the amount of personal data that can be compromised strongly suggests that iPhone users should stick with their stock configuration and not jailbreak their devices.

You’ve been warned.

Jailbroken iPhones Open To Exploits…. Oh Noes!

Posted in Commentary on November 9, 2009 by itnerd

From the “WTF” file comes the news that iPhone users in Australia who have jailbroken their phones are wide open to a new worm that, upon finding a jailbroken iPhone that still has the default root password on it, changes the background to a picture of Rick Astley and then tries to copy itself to other jailbroken iPhones. This is apparently the second such hack in the last few days and comes after a hacker in Holland pulled a similar stunt. Instead of Rickrolling the phone, that hacker asked for five Euros to “secure” the iPhones that he (or she) had just hacked.

If you haven’t jailbroken your iPhone, you can rest easy. This worm won’t be able to affect you. But if you have jailbroken your iPhone, you might want to change the root password on it just to be safe.

Conficker Wakes Up And Attacks PCs By Serving Up Spam And Spyware

Posted in Commentary on April 27, 2009 by itnerd

If you were waiting for the other Conficker shoe to drop, it has now. According to MSNBC, the notorious virus has begun to attack:

Conficker installs a second virus, known as Waledac, that sends out e-mail spam without knowledge of the PC’s owner, along with a fake anti-spyware program, Weafer said.

The Waledac virus recruits the PCs into a second botnet that has existed for several years and specializes in distributing e-mail spam.

“This is probably one of the most sophisticated botnets on the planet. The guys behind this are very professional. They absolutely know what they are doing,” said Paul Ferguson, a senior researcher with Trend Micro Inc, the world’s third-largest security software maker.

So much for the theory that this was just a lot of hype about nothing. I guess I should mention that if you haven’t taken steps to protect yourself, now is a good time to do so. You could start with this article that I wrote about the virus and work from there.