Mozilla was alerted to Gamma’s illegal activities by a group known as the Citizen Lab. The group discovered that the spyware posing as Mozilla Firefox is called either FinSpy or FinFisher, and it was sold to various governments for usage in criminal investigations. FinSpy has command-and-control servers in 36 countries, including the United States, Canada, Japan, and the UK.

Gamma’s fake Firefox was used in a variety of harmful and deceitful ways. The Citizen Lab provided 3 examples of how it was used, including a spyware attack in Bahrain against pro-democracy activists, tricking the people of Malaysia by posing as a document that discusses Malaysia’s upcoming General Elections, and being demonstrated in promotional videos and brochures by Gamma itself.

Luckily for Firefox users, Mozilla assures everyone that the spyware does not infect the real Firefox. Unluckily for Mozilla, this isn’t the first time its product has been misued for the purpose of evil. Back in 2010, there were nearly 200 sites deceitfully using Mozilla’s brands for illegal activities, including distributing malware or requiring users to pay for the sites’ service. Mozilla developer Asa Dotzler’s statement back then still echoes on today, “If you’re being asked to pay for Firefox, it’s a scam.” Also, always make sure that you download Firefox straight from Mozilla, and not some sketchy site.

[via Mozilla]

NQ says that 94.8% of the newly discovered malware were design to infect Android devices. Over 32.8 million Android devices were infected in 2012, over 3x the 10.8 million Android handsets infected back in 2011. The most infected countries are China, with 25.5% of its Android devices being infected, followed by India with 19.4% infected mobile devices, and Russia with 17.9% infected mobile devices. United States and Saudi Arabia are also highly affected, both with 10% of their mobile devices being infected by malware.

There are 4 new pieces of Malware that NQ says is infecting mobile devices. There’s the VDloader, which runs as a client inside Android devices. It then connects to a remote server. It disguises itself as a regular app, and only activates when requested. FireLeaker is disguised as a widget, but remains invisible on your device. It collects specific device info from the victim, including their mobile number, IMEI number, system number, contact data, and more, and it uploads it all to a remote server.

DDSpy is an invisible malware that disguises itself as Gmail, but is invisible in the apps list. It communicates through SMS, and it features a GPS hook, which activates malware based on specific GPS or cell site location. Lastly, we have DyPusher, which uploads specific device information like FireLeaker, but also downloads apps and files to the device without the user’s permission.

NQ says that there are many factors to why these infections are massively spreading. One has to do with the fragmentation in Android, with 39% of users still running Android 2.3 Gingerbread. Second, there is app sideloading, where users install apps via other methods instead of Google Play. Then, to piggyback off of app sideloading, there are 58% young Android users who download around 41+ apps for their devices, many of which who use App Sideloading to do so.

Lastly, many Android users lack security features on their devices, such as passcodes or antivirus software. Yesterday, Lookout demonstrated just how easy it is to hack into someone’s phone. So the lesson for today is, download anti-virus software for your Android device, and don’t install suspicious apps from 3rd parties.

[via NQ]

According to Microsoft’s latest Security Intelligence Report, 24% of all PCs are absent of any kind of anti-malware software. Microsoft says that unprotected computers are 5.5 times more likely to catch a virus than computers that have anti-malware software installed. However, it seems some users are willing to take the risk.

According to the report, the country who has the most unprotected computers roaming around is Egypt, with a whopping 40% of unprotected PCs laying around, with India coming in second at 30%, and Russia with 29%. The US comes in at 26%, with the UK at 21%, which ties for the lowest percentage along with Brazil and Australia.

However, Microsoft notes that the reason for unprotected PCs may not just be about laziness on the users’ part, but they simply may not be well-informed on the importance of having anti-virus software on their computer. There’s also other contributing factors, like free trials expiring without notice, or a virus itself disabling your anti-virus software.

German independent testing lab AV-Test conducted an 18-month study, and gathered up 40 million website provided by seven different search engines. 10 million websites came from Google and Bing each, with 13 million coming from Russian search engine Yandex, and the rest coming from Blekko, Faroo, Teoma, and Baidu.

Surprisingly, though, out of the 40 million sites, AV-Test only found 5,000 websites that were riddled with malware. Yandex had the most percentage of malware websites in its search results, while Bing returned 1,285 malicious results out of its 10 million websites. However, Google only returned a mere 272 malicious results — a lot less than Bing.

Of course, the chances of coming across a malware-infested website in either Google or Bing is slim to none, so whether or not you use Bing or Google, it’s always important to remember to know what you’re clicking on and make sure it’s not a website that’s infested with malicious code. Web browsers will usually warn you if you come across such a website, but it’s always good to have a little common sense anyway.

[via PC Mag]

The trojan is going around via a Skype instant message. The translated message says, “This is my favorite picture of you”, and provides a shortened link. The trojan is spreading quickly, with an average 2000 clicks per hour. Kaspersky has identified the trojan as “Trojan.Win32.Jorik.IRCbot.xkt”, and the process it runs as bitcoin-miner.exe. The malware connects to a C2 server located in Germany with the IP address: 213.165.68.138:9000.

The malware immediately takes control of your computer and increases the victim’s CPU usage drastically. While the trojan’s primary use is for Bitcoin mining, it’s not its only capability. Bitcoin mining isn’t lucrative with just one PC, however, if there are many PCs infected and aimed towards a specific Bitcoin mining pool, it can be worthwhile.

This new trojan is speculated to have surfaced due to the meteoric rise in Bitcoin value. Late last month, it was reported that the value of a Bitcoin was $92, a number that has now reached about $140. The constant rise in value of Bitcoin is more than enough to drive many devious hackers to get creative. So in order to protect yourself from being infected, make sure to get an anti-virus software, and keep it up-to-date. Also be wary of suspicious Skype messages and shortened URLs. We’ll keep you updated if there are any resolutions to this issue.

[via Kaspersky]

The trojan is detected as “Trojan.Yontoo.1” and it was discovered by Russian security firm Doctor Web. Of course, you have to an install a plugin or other piece of software in order for the trojan to activate, but hackers are making it easy for unsuspecting users to take the bait. They’re prompting users to install a plugin before they can watch a mobile trailer, for example.

Of course, we’ve all come across this scenario before, where we don’t have a certain plugin installed in order to view something, so we’re forced to download and install it before continuing. However, it looks like criminals are taking advantage of that tradition by implementing the same kind of system in order to get users to install the trojan.

It’s said that a Windows version of the trojan also exists, but it doesn’t affect Windows 8 users currently. Cross-platform malware isn’t rare most of the time, but this particular one uses its own code to target each specific operating system, as opposed to targeting a universal piece of software like Java, which we’ve heard plenty about recently.

[via The Next Web]

Schiller tweeted earlier today a link to a “Mobile Threat Report” from research and security company F-Secure, most of which highlights various security and malware vulnerabilities in Android. Along with the link, Schiller captioned it with a “be safe out there,” quietly giving a slight jab to Google’s mobile platform.

The report mentions several interesting facets about Android, including the statistic that Android accounted for 79% of just over 300 mobile threats in 2012, while just 0.7% of these threats dealt with iOS. Overall, the report states that iOS is one of the most secure mobile platforms out there, with BlackBerry also topping the list.

Of course, Apple is usually quiet when it comes to discussing their competitors, and they usually keep their fighting words to themselves, but we suppose that Apple execs have an open court when it comes to chatting on Twitter, and Schiller definitely wasn’t holding anything back with his tweet, no matter how subtle he was trying to be.

The MiniDuke virus has affected various Government institutes located in Ukraine, Belgium, Portugal, Romania, the Czech Republic, Ireland, Hungary, and the United States. It uses exploits found in Adobe Reader 9, 10, and 11. The code for the MiniDuke’s customized back door was written in “Assembler”. It loads a downloader onto the system that’s only 20kb in size. During system boot, the downloader determines the computer’s unique fingerprint and uses it to encrypt itself from any antivirus program that can identify it.

MiniDuke then creates a Twitter account using its Command and Control (C2) system and creates tweets containing encrypted URLs in hashtags that lead to backdoors. These backdoors provide MiniDuke’s C2 access to the entire computer. It then loads malicious files, disguised as GIF images, onto the computer. This opens up an even bigger backdoor that allows MiniDuke’s C2 to copy files, delete files, make directories, kill processes, and even load more malware onto the computer.

The backdoors have been traced back to two servers located in Panama and Turkey. The latest attack happened on February 20th. Adobe had previously patched its Adobe Reader software, but it seems that MiniDuke was able to find a bypass to it. It was only yesterday when Adobe had to release an emergency update for its Adobe Flash Player because hackers were using it to attack Firefox users.

[via Kaspersky]

The Stuxnet virus attack in 2007 was very specific. It infected the systems that were used to manipulate the centrifuges in 14 industrial sites located in Iran. It shut off valves that supplied uranium hexafluoride gas to the centrifuges, which in turn damaged the centrifuges. It was able to manipulate the systems due to a few security holes inside of the Windows operating system. It then replicated itself over and over, and used the Siemens Step7 software to take advantage of Iran’s systems.

More attacks from Stuxnet happened from 2009 through 2010 in the Natanz facility. The Stuxnet virus manipulated the systems at the Natanz facility and destroyed up to 1000 centrifuges. The virus was able to do so by manipulating the operating speeds of the centrifuges. It would greatly increased the operating speed of several centrifuges, then decrease the operating speeds, and the variation between the two caused the centrifuge’s tubes to expand making the centrifuge destroy itself.

Symantec stated that whoever created Stuxnet created “a complicated and sophisticated piece of malware requiring a similar level of skill and effort to produce.” It’s still a mysterious to us as to who initiated the Stuxnet virus attacks, but many believed that it was a joint effort between the United States and Israel. The Stuxnet 0.5 discovery doesn’t show much except the evolution of the virus in the succeeding years, and how it was altered to do much more specific and widespread damage.

[via CNET]

The malware attacks have knocked several oil rigs and platforms offline. A facility in the Gulf of Mexico has their systems locked up due to the malware. Misha Govshteyn, co-founder of Alert Logic – a network security company, says “They literally had a worm that was flooding their network, and they’re out in the middle of the ocean.”

Jack Whitsitt, the principal tactical analyst for the National Electric Sector Cybersecurity Organization, stated that typical malware infections may not seriously affect the systems, but there could be a tailored attack, that involves widely distributing malware, that could cause extreme damages. A good example would be the Stuxnet worm that infected computers connected to centrifuges at an Iranian nuclear facility. The worm used the infected computers to manipulate and destroy many of the centrifuges. Because of an incident like that, Whitsitt wants to take all of the steps necessary in ridding the malware from the oil rigs’ systems and protecting the systems from future attacks.

Many of these malware attacks could have been prevented with anti-virus systems and updated system software. However, it seems that many of the infected oil rigs opted against investing into cyber-security systems, which is why an outbreak of malware like this was able to occur. The infected oil rigs, and many rigs who currently don’t have cyber-security protection, will begin to take cyber threats seriously in the future in order to prevent an incident like this from occurring in the future.

[via Houston Chronicle]

Microsoft has made it clear that their research pushes Bamital far beyond the average malicious attack on the public. What they’ve found suggests that a whopping 8 million computers had been affected by Bamital over the past two years alone, including many of the most major search engines. If you’d been using Microsoft’s Bing, Yahoo, Google, or a variety of other smaller engines over the past two years, Microsoft and Symantec are saying this week that you were at risk – but that you aren’t any longer.

That said, there are still users out there with the malware already on their computers. For those folks, Microsoft has provided their Virus and Security Solution Center for remote help. This is a continuation of what Microsoft calls their MARS initiative, aka Microsoft Active Response for Security.

The other big name you’ll want to know if you’re tracking such things is Operation b58. This code-name is the one associated with Symantec and Microsoft taking down Bamital, and is the sixth “botnet disruption operation” Microsoft has initiated in three years. That’s a whole ‘lotta botnet bunker busting! And it’s not just about sitting at home and keying in to the malware tossers from afar – Microsoft has provided photos of, for example, Microsoft DCU’s Richard Boscovich and Craig Schmidt working with a “third-party cyberforensics expert” securing a lovely collection of evidence of the Bamital botnet down in New Jersey at a web-hosting facility that will remain nameless (that’s the image you’re seeing above).

The image you see above with the yellow dot web sort of graphic is what Microsoft describes as Figure 28. This map was included in a legal declaration filed by Microsoft DCU’s Craig Schmidt (also pictured above) in Operation b58. It shows what happens when a computer infected with Bamital sees when they search in Bing for the word Chrome – ads, ads, and more ads. Fun stuff!

[via Microsoft]

The virus was first discovered by US cyber security experts back in 2007, and it’s described as “one of the most financially destructive computer viruses in history.” but the operation actually continued well into 2012. The mastermind behind Gozi, Nikita Kuzmin, was arrested in the US in November 2010 and pled guilty to computer intrusion and fraud charges in May 2011.

As for the two other co-conspirators, Deniss Calovskis and Mihai Ionut Paunescu, Calovskis was arrested in Latvia in November 2012 and Paunescu was arrested in Romania last month. Extradition proceedings for both of them are ongoing as we speak, and they face up to 67 and 60 years in prison, respectively, while Kuzmin faces up to 95 years in the clink.

The Gozivirus infected around 40,000 computers in the US, with 160 of them belonging to NASA, according to court documents. When the virus was discovered in 2007, cyber security expert Don Jackson went undercover in Russian chat rooms to try and obtain a version of the virus for testing purposes. He actually ended up getting several offers for a few thousand dollars each, but ended up severing communication before a deal was made.

[via ABC News]

Image via Flickr

The power plant infected by the USB drive ended up staying offline for three weeks while the issue was fixed. The malware had been introduced via the USB drive of an outside technician who was performing software updates, and was an identity theft trojan. The malware managed to infect approximately 10 computers.

A second power plant that was also infected had malware on multiple computers, some of which were involved with the plant’s operations. Unlike the other plant, no information was provided on how this malware made its way onto the workstations. The first power plant did not have properly updated antivirus software.

The Industrial Control Systems Cyber Emergency Response Team said this in a report. “ICS-CERT’s onsite discussions with company personnel revealed a handful of machines that likely had contact with the tainted USB drive. These machines were examined immediately and drive images were taken for in-depth analysis. ICS-CERT also…discovered signs of the sophisticated malware on two engineering workstations, both critical to the operation of the control environment.”

[via USA Today]

Coincidences like this don’t just happen every day. According to Kaspersky Lab, the antivirus group that let loose the info on Red October earlier this week, it was mainly through Word and Excel documents that the security exploit was delivered, either via an email download or possibly through USB sticks plugged into host computers. Security researchers from Seculert assigned to analyze the command and control servers used in the Red October campaign have found a malicious Java applet made to exploit a Java vulnerability they say was patched all the way back in October of 2011.

What this means is that their targets were not computers that were brand new, patched and up to date, but older machines that for one reason or another hadn’t gotten with the program. Another fabulous reason to keep your computer up to date, that’s what this is. According to the Seculert blog where the Java connection announcement was made, “the JAR file of the Java exploit was compiled in February 2012, even though the patch for the vulnerability was available as of October 2011.”

These exploits appear to have been included in pages with the title “We Can Find All News!” The terms “news theme” and “NewsForYou” were also included in the code, this leading the team to believe that it was through a series of pages that suggested they’d be delivering the malicious project via harmless-seeming websites with “fake” news blasts galore. While it would seem strange that the US Department of Homeland Security would wait many, many months to deliver a warning against an attack like this, it is possible that, like the rest of us, they only found out about it here in 2013 – and they’ve not confirmed that this is the same attack, of course, but we shall see!

Kaspersy chief malware expert Vitaly Kamluk spoke on the situation this week, noting that “there are about 300 computers infected that we know about.” These computers include those owned by embassies, government research centers, and aerospace facilities throughout former Soviet states as well as Belgium and India. Most of the attacks appear to have been directed at former Soviet states while Belgium and India each suffered a total of 15 infections, while the United States and Iran were confirmed to have suffered six and seven attacks, respectively.

The team at Kaspersy noted that though they’d found a set of 60 “command and control” servers throughout Germany and Russia that were responsible for these attacks, they each appeared to have been controlled by a sort of “mother ship” server which they’ve not yet located. Each of the attacks thus far appear to have been attached to Microsoft Word or Excel documents and delivered via email. When the document was downloaded and opened, a connection was made between the computer and one of the many command and control servers which then delivered the files necessary to collect secure data.

This Rocra malware was also spread with USB drives as well as through smartphones, not just through desktop machines. Mentions of Russian words throughout the discovered malware systems have been suggested to either point towards the software as being Russian in origin or placed deliberately to make the software appear to have come from Russia when in fact it was made by a different group entirely.

We’ll see more information on this relatively widespread attack in coming weeks, without a doubt. Stay tuned to SlashGear’s hacking tag to see all the action as it comes down.

[via Wall Street Journal]

Some of the more popular titles that the developer rips off are Imangi’s Temple Run game and Glu Mobile’s Contract Killer Zombies. It appears the faux developer has put “Super” at the end of each app name, which should throw a red flag up right away as far as if it’s a legitimate app or not. Plus, all of the icons for all the apps are the same, rather than unique icons for each individual app or game.

Since many people won’t even dare to install these fake and malware-infested applications, we’re not quite sure what the malicious code might be capable of exactly, but several reports suggest that it delivers unwanted ads to several parts of your device. While doesn’t seem like a huge deal, it’s still annoying, and you never know what could be going on behind the scenes.

As always, be careful when downloading apps and make sure you’re not downloading a fake app that’s filled with malware. Usually, though, it’s all about common sense — check the name of the developer, check the reviews, check the descriptions and make sure you’re always downloading from legitimate sources. And if you come across a fake app, report it to Google.

Batchwiper shows up in Task Manager as the legitimate process GrooveMonitor.exe, which then kicks off additional processes under juboot.exe, jucheck.exe, WmiPrv.exe, and SLEEP.EXE. There are no reports of this malware out in the wild, according to Kaspersky Lab, and as of now, no one is sure how the infection is jumping from machine to machine.

Some speculate that the malware is transferred via external drives, such as flash drives, while others say it could be spread via insiders with access to the machines, or as part of another attack. Specifically, Batchwiper purges the data on all disk partitions labelled “D” through “I,” as well as the desktop contents of the user unfortunate enough to log on during the infection’s rampage. This comes after other attacks Iran has been dealt, including Flame.

An Iranian CERT advisory stated, in part: “Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by antivirus. However, it is not considered to be widely distributed. This targeted attack is simple in design and it is not any similarity to the other sophisticated targeted attacks.”

[via ars technica]

Apparently, this exploit gives easy access to all of a device’s RAM. This is pretty cool because it means that affected devices could be rooted extremely easily (we’re talking one-click APK), but it’s terrifying for exactly the same reason. With this exploit out in the open, it means that malicious apps could potentially root your device and take control just as easily, which is not a good thing at all.

Our friends at Android Community point out that this exploit affects multiple Galaxy S II models, the international Galaxy S III, and the Galaxy Note line up, so there are plenty of handsets floating around out there that could easily fall victim to malicious apps. Obviously, it’s a good idea to only stick to downloading apps you trust while this exploit remains unfixed, otherwise you might open yourself up to a whole mess of problems.

Luckily, members of the XDA Developers Forum have alerted Samsung to the problem, and you can bet this is an exploit that the company will look to fix fast. If you want to use this exploit to easily root your device, member Chainfire has released a one-click APK you can use. While the ability to root your phone without a lot of work is pretty great, keep in mind that this is still a very dangerous exploit and that you should be vigilant when it comes to which apps you’re downloading. We’ll update you once Samsung says something about this exploit, so keep it tuned here to SlashGear for more!

During his testing, Xuxian Jiang loaded 1,260 instances of Android malware onto the recently-released Nexus 10, and examined which of the 1,260 instances triggered a warning to users. Surprisingly, only 193 of them correctly triggered such a warning, resulting in a measly 15.32% detection rate.

Jiang also discovered that the performance of Google’s own offering lagged behind the performance of numerous third-party antivirus apps such as Avast, Symantec, and Kaspersky. Overall, the detection rates of the third-party antivirus apps were between 51% to 100%, compared with 15% for Google’s offering, which comes built-in with the Google Play app.

However, Jiang points out that VirusTotal, which was recently acquired by Google, had superior detection capabilities, so hopefully Google will integrate VirusTotal’s technology into the core Android OS to act as the malware scanner for downloaded apps that come through. The built-in scanner could quickly improve if Google makes this happens.

[via Ars Technica]

According to Computer World, 4.2′s security system is an extension of the Google Play Store’s security technology, which analyzes apps uploaded to the store for maliciousness. With Android’s new security system, however, the mobile OS will scan apps installed from third-party sources in real time. This offers users protection from malicious apps that aren’t vetted by the Play Store’s security system.

Android’s security system is opt-in. Users who download an app from a third-party source will be prompted the first time around to let Google check them for harmful behavior. The users can then opt-in by tapping “Agree,” or dismiss it and take the risk. If you opt-out the first time around but change your mind later on, you can enable the feature in Security via Settings.

Said Android’s Vice President of Engineering Hiroshi Lockheimer, “We view security as a universal thing. Assuming the user wants this additional insurance policy, we felt like we shouldn’t exclude one source over another.” Apps are checked via Google’s app database. According to Lockheimer, the company has a “catalog of 700,000 applications in the Play Store, and beyond that, we’re always scanning stuff on the Web in terms of APKs that are appearing.”

[via Computer World]

For PC users, the AV Marketplace offers Trend Micro Titanium Internet Security 2013 (free), avast! Free Edition, Avira (free), a 6-month subscription to McAfee Internet Security, a free trial of Norton AntiVirus, Total Defense Free with Free Cloud-Based Security Assessment, AVG Free 2013, Microsoft Security Essentials, a free 6-month subscription to Webroot SecureAnywhere 2013, a free subscription to Kaspersky PURE Total Security, and a 6-month subscription for Panda Internet Security 2013. Mac users can download Kaspersky Security for Mac, avast! Free Edition, Trend Micro Titanium Internet Security 2013, a free trial of Norton, Avira (free), and Sophos Anti-Virus for Mac Home Edition (free). Android users can grab either McAfee Mobile Security or Norton Mobile Security Lite for Android.

This is the latest move from Facebook on increasing user security. The company recently implemented a series of phishing protection mechanisms, as well as the launch of phish@fb.com, where users can report phishing attempts. In July, the company also launched malware checkpoints, and is using a URL blacklist system, which scans links and compares them with their partners’ databases to verify that they aren’t malicious.

According to Facebook’s announcement, “Effective security must be a cooperative effort; by adding these new partners to the Facebook Security family we are sure we can keep our community even better protected from threats both on Facebook and elsewhere on the web.” The company plans to announce new tools in the future. The products from these seven new partners, plus the new mobile apps, are available for download now.

[via Facebook]

The report states, “The IC3 has been made aware of various malware attacking Android operating systems for mobile devices. Some of the latest known versions of this type of malware are Loozfon and FinFisher.” The report goes on to describe two pieces of malware. Loozfon steals information, while FinFisher is spyware that, once installed, can be used to monitor and take remote control of the mobile device it infects.

Back in August, Kaspersky Labs reported that malware targeting Android increased threefold in Q2 of 2012, with 14,900 new malicious programs added to its database. According to the report, nearly half of the items added to its database were “multi-functional trojans” that mined contact info from infected phones, such as names and phone numbers. Backdoor trojans accounted for 18% of the threats detected.

What can you do to help safeguard your Android device from malware? IC3 recommends turning off features on the phone that aren’t needed to “minimize the attack surface of the device,” using encryption, reviewing app publishers and reviews before downloading, and understanding the permissions you give an app, among a few others. The report recommends using a passcode as a first layer of security, and changing the settings so that the passcode is enabled after the phone is idle for a few minutes. While all the tips are fairly straight-forward, it’s good to keep them in mind.

[via CNET]

Not only does the plug-in introduce you to a handful of pesky advertisements, but once you give the app permission to “access your data on all websites”, the plug-in can be used to steal personal information like email addresses and credit card information.

Security company Barracuda Networks discovered the fake app and have issued a statement and a report on the unfortunate situation. They suggest that those who are affected should uninstall the fake app immediately and change their passwords on other websites. Hopefully, the plug-in wasn’t able to do a lot of damage, but who’s to say what personal information it gained from the 82,000 users it affected.

The security company also discovered that some of the plug-ins are from www.playook.info, which is a maker of “free” flash games, but Barracuda Networks took a look at the site’s Whois records and it revealed nothing. They say that hiding behind Whoisguard is considered a very suspicious thing for a business to do. So, if you’re wanting to play Bad Piggies, be sure to go to the source to download and install it. Happy gaming!

[via Pocket Gamer]

Apple and Verizon have admitted to (and fixed) an issue with iPhone 5 that makes data charges go through the roof, while Apple was busy blocking in-app ads for digital stores other than the App Store. A recently discovered Twitter security flaw allows the less favorable people of the world to steal your account, and we found out today that one of The Pirate Bay’s founders is still in jail without any charges. User adoption of Windows 8 seems to be lower than it was for Windows 7, and we caught wind of a new rumor that claims the next Nexus phone could be right around the corner, along with a new version of Jelly Bean.

Mark Zuckerberg visited Russia today to talk about setting up a Facebook research center there, and a particularly funny glitch was seen telling former MobileMe users that their free iCloud storage wouldn’t expire until 2050. There were a couple different team ups today, with Samsung and Peel coming together to offer interactive content during the upcoming presidential debates, and NETGEAR and Qualcomm joining forces to offer a new developer program. The US Navy has helped a team of scientists at Indiana University come up with a particularly scary new bit of malware, while Ten One Design announced the new Pogo Connect Bluetooth 4.0 stylus.

Minecraft Xbox 360 Edition has officially hit 4 million sales, and things aren’t looking too good for the ultrabook. The new MSN portal is taking some design cues from Windows 8, and Netflix has added its “Just For Kids” section to its iPad app. A Google buyout of Viewdle is said to be closing soon, and our old friend the CD turned 30 years old today. Finally tonight, we have a review of the new Vizio All-in-One PC by Chris Burns, so be sure to check it out! That does it for tonight’s Evening Wrap-Up – enjoy the rest of your night everyone!

What does the malware do, exactly? It hijacks your phone’s camera, snapping pictures of your surroundings and sending them back to an offsite server, where malicious folks could use the images to construct a 3D image of your location. Why would they want to do that? To make stealing your stuff easier. Named PlaceRaider, the malicious program runs in the background, muting your phone while snapping images so you don’t hear the shutter sound. In short, you probably won’t have a way of knowing if you’ve downloaded PlaceRaider, even as it snaps pictures of your surroundings and gives crooks a better look at what’s worthy of stealing.

It doesn’t stop there though, as all of the photos are sent through a filter to ensure that pictures that are blurry or dark don’t make it into the 3D image. PlaceRaider can even use the sensors on your phone to figure out its orientation and pinpoint your position.

That would be absolutely terrifying, but the good news is that this piece of malware was developed as a test to see what kind of security flaws exist and are ready to be taken advantage of. Naturally, there will be some out there who think that the government will actually use this to spy on its citizens, but for now, we’re willing to give the US Navy and the folks at Indiana University the benefit of the doubt. The developers installed the malware on Android phones and then handed them off to 20 unsuspecting subjects, asking another group of test subjects to build 3D models of the rooms from the pictures that were snapped. They did, and discovered that it’s pretty easy to steal personal information – such as banking information on personal checks or crucial business secrets – from the pictures and models alike.

Though PlaceRaider was developed and tested on Android, its developers say in the study that it could very easily generalize to other platforms, such as iOS or Windows Phone. On the upside, additional security measures taken by both manufacturers and users could do a lot to stop malware like PlaceRaider from, you know, ruining your life. For instance, manufacturers could make it impossible for the shutter sound to be muted, while an antivirus program could scan the smartphone to make sure there isn’t anything fishy going on in the background. At the very least, it’s probably a good idea to do a little checking around before downloading an app that seems suspicious, which is a good way to avoid the malware problem altogether.

[via Technology Review]

According to the researchers, the cyber espionage tool that targeted the Middle East has likely been operational for more than five years. The researchers also note that the malware was active as recently as May 2012. The details are courtesy of security researchers from Symantec with help from researchers at Kaspersky Lab and others.

The group the researchers found that at least 1000 systems in the Middle East had been controlled by one machine in March. The other command-and-control server deleted spyware and erased its trail in May. Data gleaned from inside the command-and-control servers indicated to the researchers that the software could communicate with five different clients, Flamer and four other programs.

According to the researchers, it’s unclear if the other four clients the command-and-control servers could communicate with are still spying on computers today or were retired years ago in favor of Flamer. The researchers note that some of the code appears to be nothing more than a placeholder rather than an actual client. The researchers did note that some packages used to update malware on victim’s computers and downloaded intelligence was encrypted on the servers could not be decrypted. Comments in the code led the researchers to believe that the four individuals who coded Flamer spoke English.

[via eWeek]

We also found out that Bayonetta 2 will be a Wii U exclusive, as strange as that may seem, and Activision gave us some in-depth details about Black Ops II on Wii U. Nintendo gave us a glimpse at its own take on smart TV with Wii TVii, and this new feature has us intrigued, to say the least. We got word today that Apple’s new Lightning adapters aren’t going to work with some accessories, and the iPhone 5 event video was released as well, meaning you can watch the reveal of the new iPhone, along with the various iPod refreshes that were announced yesterday.

Apple has won a pretty big patent battle against Motorola in Germany, and today eBay revealed that it will soon have a new logo, ditching the old one after 17 years. Microsoft told us what it’s doing to fight the spread of the Nitol Botnet earlier today, and we’re hearing that Google threatened to cut Acer out of the Android party at one point in time. Samsung revealed its new Galaxy Victory 4G LTE earlier today, and we were treated to a list of availability by region for the iPhone 5 and iOS 6. Apple co-founder Steve Wozniak shared his hopes for the iPhone 5 and told us what he thinks of the Apple-Samsung verdict, and that is definitely something you don’t want to miss.

Google showed off the first demo that was shot entirely shot with Glass today, and it seems that the trial run of Isis has been delayed to later date and won’t be happening later this month. NVIDIA has introduced two new Kepler GPUs, and Shuttle Computer Handels has introduced its brand new OMNINAS KD20 2-bay NAS. Finally tonight, NASA has talked about plans to have a manned colony on the surface of the moon, which we have to admit has us pretty excited.

That’s all for tonight’s Evening Wrap-Up! Enjoy the rest of your Thursday night everyone!

Microsoft says that a supply chain becomes unsecure when reseller accepts stock from an untrustworthy source. After launching an investigation into these unsecure supply chains, Microsoft determined that it was being hosted at 3322.org, which contained a “staggering 500 different strains of malware hosted on more than 70,000 sub-domains.” The company obtained an ex parte temporary restraining that allows it to take control of 3322.org, thus stopping the spread of Nitol from it and its sub-domains.

In a write-up on the Microsoft Blog, the company says that 20% of the PCs purchased from an unsecure supply chain during its investigation were infected with malware, which obviously isn’t good. Nitol is capable of spreading to other machines and devices through things like USB flash drives, making the problem even more severe. Once you’ve been infected, all kinds of nasty things can happen to your computer, from the malware distributors remotely activating your webcams and microphones to listen in on what you’re doing, to logging all of your keystrokes and netting your personal information without you ever knowing your security has been breached.

While this is a big step in the right direction in the fight against Nitol, Microsoft is urging distributors, retailers, and resellers to make sure that the machines they buy and then sell to consumers are coming from legitimate sources. Microsoft also says that lawmakers need to do their part to help with the issue. As with most efforts against Malware, Microsoft’s battle against the Nitol Botnet is ongoing, so expect to hear more about it soon. Stay tuned.

The thread is called SMSZombie and is said to be difficult to remove. The good news for Android users outside China is that people who don’t live in that country have little to worry about from the zombie scourge. The vector of attack for the malware is to exploit a vulnerability in the mobile payment system used by China Mobile.

Security company TrustGo says that the SMSZombie malware is spreading within China through forums and has been discovered inside several packages on GFan, which is China’s largest mobile app marketplace. TrustGo contacted GFan to inform them of the infected payloads, but apps with SMSZombie are still available for download and are still being downloaded.

SMSZombieA was first discovered on August 8, and the malware is embedded in several wallpaper apps. The wallpaper apps are noted to use provocative titles and nude images to encourage users to download. For instance, one infected app is called “Android Animated Screensaver: Animated Album I Found When I Fixed My Female Coworker’s Computer.” Once set as the wallpaper app the malware prompt the user to install additional files and if the user agrees to install the files, the payload delivered is called Android System Service.

After that, the malware can obtain administrator privileges on the device and then generates unauthorized payments to premium service providers and may steal bank card numbers and money transfer receipt details. It also deletes any SMS receipts to help hide its tracks.

[via SecurityWeek]

Shamoon doesn’t seem to be widespread, as Seculert reports that it uses a two-stage attack, apparently targeting “several specific companies in a few industries.” Shamoon works its way into a computer that is directly connected to the Internet, and then from there begins to spread to other computers connected to the same network. As stated above, once it’s done stealing what it wants, it begins to cripple the PCs it infected, reminding Kaspersky of the Wiper malware, which attacked PCs in Iran earlier this year and in turn led to the discovery of Flame.

Kaspersky says that it isn’t Wiper, however, pointing out a few key differences. With those differences apparent, Kaspersky says that Shamoon is likely “a copycat, the work of a script kiddies inspired by the story” of Wiper. It’s good to know that Wiper isn’t becoming more widespread, but at the same time its scary that there are those inspired by Wiper’s level of destruction.

Indeed, it’s rare to see malware that actually does damage, as creators typically aren’t interested in anything but stealing information that could lead to some quick cash. With anti-virus companies like Seculert and Kaspersky still looking into Shamoon, this is still a developing story, so keep it tuned to SlashGear for more information – we’ll have additional details if any new ones surface!

[via ComputerWorld]

Kaspersky reports that during the three-month quarter 14,900 new malicious programs targeting Android devices were added to its database. The massive increase in malware indicates according to the company that virus writers are increasingly targeting mobile devices with their malicious programs. It also clearly indicates that the growing popularity of Android is making it an ever-increasing target for nefarious programmers.

Kaspersky reports that 49% of the malicious files added to the database during the quarter were multi-functional Trojans that steal data from telephones such as contact names, e-mail addresses, and telephone numbers. These Trojans were also capable of downloading additional modules from servers run by the programmer. The security company reports that a quarter of the Android specific malware detected were SMS Trojans.

A SMS Trojan is a program that steals money from the victim by sending SMS messages to premium rate numbers without the user knowing. These programs are becoming more widespread and have been seen in 47 different countries whereas a few years ago they were limited to countries of the former USSR, Southeast Asia, and China. One of the most alarming statistics is that 18% of the Android threats detected during the quarter were back doors that could give malicious users full control over an infected device. This type of program is used to build botnets consisting of mobile devices. Trojan Spy programs made up 2% of the discovered malware and according to Kaspersky; this is the most threatening the users. This sort of malware transfer data to give the malicious user access to bank accounts.

The purpose of that font, called Palida Narrow, is currently unknown, though the trojan’s other abilities are more concerning. Gauss can infect USB drives and monitor browsers, sucking passwords, site history and other credentials and sending them to a remote command machine. It also runs a profile on the infected machine and reports that back, including details on network interfaces, BIOS and what drives are present.

Several Lebanese banks have been specifically targeted, with customers of the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais all apparently susceptible. Gauss has also been seen to target users of Citibank and PayPal.

While it shares features with Stuxnet and Flame, Gauss is said to be more complex in how it can hide on a system. Although it uses similar methods to infect removable drives, it’s also capable of “disinfecting” the drive if need be, at other times using it to store data in a hidden file so that it is not discovered by regular local-drive anti-malware scans.

Approximately 2,500 machines are believed to have been infected – more than three times as many as Flame – since what’s said to have been the first victim in September 2011. It’s unclear how the trojan is communicated, and who is remotely operating it.

DNSChanger was undoubtedly a high-risk issue, certainly before the FBI weighed in. The trojan changed user DNS settings so as to rely on compromised servers, serving up pages with malware, sites that secretly collected user-data, and adverts for fake products. The FBI seized the network and a temporary – and safe – DNS replacement system was set up for those unknowingly relying on the dangerous one.

All good things must come to an end, though, and on July 9 the FBI’s mandate to run the replacement servers ran out. With hundreds of thousands of computers still relying on the makeshift DNS provisions to bridge browsers and sites, that meant warning those users that they’d need to take an active role in their system security if they wanted to stay online.

Problem is, the sort of users who were inadvertently infected and didn’t realize might not be the sort who would also go hunting for the latest news in malware. What we lack is a single point of communication to highlight security problems; instead, we have a pretty much all-or-nothing hosepipe of rising hysteria.

Microsoft has attempted something like that single point, with its Security Center in Windows. Apple, late to the game when it comes to malware and virus threats, hasn’t a centralized security hub in OS X, though the company has been doing more to prevent insidious apps working their way into the platform.

Windows Security Center is too easily overlooked. Third-party security firms individually push alerts to their blogs – and to their (generally paid) software packages – but there’s no all-inclusive feed that distills all of that to the user’s desktop in an easily understood way.

It’s a problem with no easy solution. In the aftermath of the DNSChanger anticlimax, there’s likely to be no shortage of accusations that the malware was “over-hyped” and its potential impact “overstated” so as to drive pageviews. Still, while we’ve gotten off easy now – a somewhat breathless and clogged news-cycle notwithstanding – there’s the distinct possibility that the next big security crisis could be made exponentially worse when contingency gives way to uncontrollable FUD and users’ eyes glaze over.

In fact, according to the DNSChanger Working Group, the team established to handle the fall-out of the malware, back on June 13 there were 135,331 unique IPs accessing the top 25 replacement servers. Since then there has been a sizable outreach campaign as ISPs and others attempt to warn those users affected. In late May, around 330,000 systems were believed to be infected.

DNSChanger was a trojan that changed DNS settings – the links to servers which point browsers in the right direction for the sites you request – to alternative, compromised ones. Control of those sites allowed the malware operators to collect user data, show adverts for fake products and otherwise manipulate the internet experience.

Thankfully, the method of cleaning up a DNSChanger infection has improved since the early days, when a complete reinstallation of the OS – whether Windows or OS X – was required. Now, there’s a simple set of tools which do it without all of that headache, though it’s still advisable to run a full backup of personal files beforehand, just in case.

If you’re reading this (and you’ve not been forced to turn to a smartphone or tablet with your regular computer refusing to load sites) then you’re okay, but stand-by for parents and friends who may have complaints.

Since the FBI and other law enforcement agencies seized control of the botnet behind DNSChanger, a temporary DNS server network has been running in its stead so as to keep infected users online. That network will cease operating on Monday.

“The botnet operated by Rove Digital altered user DNS settings, pointing victims to malicious DNS in data centers in Estonia, New York, and Chicago. The malicious DNS servers would give fake, malicious answers, altering user searches, and promoting fake and dangerous products. Because every web search starts with DNS, the malware showed users an altered version of the Internet” DNSChanger Working Group

The best news is, checking for a DNSChanger infection on your system and, if found, getting rid of it is straightforward. First step is heading to dns-ok.us in your browser: that will tell you whether or not there’s a sign that your computer has been infected. If it’s green, you’re in the clear (though it’s probably still worth forwarding this article on to friends and family – particularly net-confused parents – who might need some assistance checking their own machines).

If it’s red, however, you have a DNSChanger problem. Thankfully there are multiple options to get rid of it: Microsoft has a tool, as do key anti-virus vendors such as McAfee and Norton. There’s a full list of them here, and usually it’s just a case of downloading and running an app to get your computer back on an even keel.

The video starts back in 2007 when the DNSChanger Malware first started, it then being a bit more simple than it is today, looking for your internet settings, guessing your password, and doing general mayhem. They also started a company called Rove Digital, got a whole bunch of DNS servers to process their code magic. The FBI got involved in the situation several years ago and they did bust in on the devils and take control of their servers, but not before the bad guys got millions of dollars from their deeds.

Then is when the good stuff starts.

Intelligently quoting the undeniably great Marcus Antonius from all the way back in 44BC, the folks at Sophos explain how you could still be affected by the DNSChanger Malware from back then even if you are no longer infected.

“The evil that men do lives after them. The good is oft interred with their bones.” – Marcus Antonius, 44BC

Hundreds of thousands of computers could very well still be affected – and at risk of certain doom – if figures shown by the DNSChanger Working Group are true, of course. The part where this gets REALLY good is here: the FBI’s authority to run the interim servers taken from the crooks that were caught sever years ago ends on Monday the 9th of July, 2012. If you have not fixed your computer (assuming it was infected in the first place) by then, you will get knocked off the web.

The video above goes through several ways that you might protect yourself against the evil that could very well be running through your computer right this minute, and again you can also check our DNSChanger: How to find it and how to fix it guide if you get lost. Both work!

“It’s entirely possible that bot on a compromised PC connected to Yahoo Mail, inserted the the message-ID thus overriding Yahoo’s own Message-IDs and added the “Yahoo Mail for Android” tagline at the bottom of the message all in an elaborate deception to make it look like the spam was coming from Android devices” Microsoft  engineer Terry Zink wrote in a follow-up to his earlier comments on the botnet. However, the security researcher still isn’t willing to let Android off the hook.

“On the other hand, the other possibility is that Android malware has become much more prevalent and because of its ubiquity, there is sufficient motivation for spammers to abuse the platform. The reason these messages appear to come from Android devices is because they did come from Android devices” Zink theorized. “Before writing my previous post, I considered both options but selected the latter.”

As for Sophos, senior security adviser Chester Wisniewski has confirmed he is rechecking the company’s own findings to see if a fake signature could be responsible for mistaken identity. “We don’t know for sure that it’s coming from Android devices” Wisniewski said on Thursday, though went on to maintain that in his belief it is a botnet running on Android phones rather than something else.

“We either have a new PC botnet that is exploiting Yahoo!’s Android APIs or we have mobile phones with some sort of malware that uses the Yahoo! APIs for sending spam messages” the researcher wrote. “One of the interesting data points supporting the argument that this is new Android malware is the unusually large number of the originating IPs on cellular networks.”

Google, meanwhile, continues to protest Android’s innocence. “The evidence we’ve examined does not support the Android botnet claim” a company spokesperson said. “Our analysis so far suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they’re using. We’re continuing to investigate the details.”

[via WSJ]

According to the DNSChanger Working Group established to address the problem, there are still a huge number of computers showing signs of badly routed DNS. The court order allowing the FBI to shut down the fake DNS servers on Monday will potentially mean hundreds of thousands of systems are left unable to look up sites.

Actually finding out whether you’re infected is a simple matter of visiting a checking site. Go to dns-ok.us in your browser, and if the background is green then your computer’s DNS settings are good. If it’s red, however, then you will need to go through some clean-up steps.

There’s a list of tools here, each of which should get your computer up and running properly again. Microsoft has one such tool, as do the main anti-virus vendors such as McAfee and Norton. It’s a good idea to do a backup of files and personal data beforehand, just in case, but the process should – now that the workings of DNSChanger are broadly understood – be simple.

Before people with infected systems will be able to get back online, they will have to clear the computer of the DNSChanger virus. The shutdown of the temporary servers is the final move in an FBI operation called Ghost Click that spanned two years and officially ended in November 2011. The virus changed victim’s DNS servers, routing them to websites of the hacker’s choosing.

Some of those websites were fraudulent in nature according to authorities. Six Estonians behind the fraud ring were arrested by the FBI during the course of the investigation. The virus was originally disseminated via traditional channels, including e-mail and malware. The FBI had replaced the hacker’s nefarious servers with “clean” servers to keep PCs infected by the virus online.

[via CBC]

Zinck took a closer look at the header information and signatures that were being sent out with the spam. All the messages come from compromised Yahoo! accounts and sent through Yahoo! Mail servers, and all also seem to finish with the “Sent from Yahoo! Mail on Android” signature. Zinck postulates that a hacker has developed a botnet that can access Yahoo! Mail accounts on Android devices and send spam messages as a result.

Yahoo! does provide the IP address of where the emails came from, with origin countries including Chile, Indonesia, Lebanon, Oman, Philippines, Russia, Saudi Arabia, Thailand, Ukraine, and Venezuela. The odds of downloading a malicious app on the Play Store are extremely low, so Zinck believes that users are tracking down pirated versions of apps to avoid paying, or have acquired a fake version of the Yahoo! Mail app.