According to Microsoft’s latest Security Intelligence Report, 24% of all PCs are absent of any kind of anti-malware software. Microsoft says that unprotected computers are 5.5 times more likely to catch a virus than computers that have anti-malware software installed. However, it seems some users are willing to take the risk.

According to the report, the country who has the most unprotected computers roaming around is Egypt, with a whopping 40% of unprotected PCs laying around, with India coming in second at 30%, and Russia with 29%. The US comes in at 26%, with the UK at 21%, which ties for the lowest percentage along with Brazil and Australia.

However, Microsoft notes that the reason for unprotected PCs may not just be about laziness on the users’ part, but they simply may not be well-informed on the importance of having anti-virus software on their computer. There’s also other contributing factors, like free trials expiring without notice, or a virus itself disabling your anti-virus software.

According to the report, those who use social networks, particularly Facebook and Twitter, should be careful, with the instances of phishing websites that spoof popular social networks having jumped a huge 125-percent last year. Not all numbers jumped, however, with the amount of spam sent in 2012 dropping to 69-percent of all email sent during the year.

The number of vulnerabilities found last year clocked in at 5,291, with a fair chunk of them – 415, to be precise – being vulnerabilities with mobile OSs. In line with that is the numbers on data theft, with the report stating that 32-percent of the mobile threats resulted in stolen data. The number of web-based attacks also followed the upward trend, jumping 30-percent.

There were 14 zero-day vulnerabilities last year, as well as some big events, including 600,000 Macs being affected by a virus, and a single waterhole attack hit 500 organizations in one day. Other relevant data is contained in the infograph above, which was made by Symantec. Particularly of note is the increase in the number of web-based attacks that were blocked last year over 2011, jumping from 190,370 to 247,350.

[via Symantec]

The trojan is detected as “Trojan.Yontoo.1” and it was discovered by Russian security firm Doctor Web. Of course, you have to an install a plugin or other piece of software in order for the trojan to activate, but hackers are making it easy for unsuspecting users to take the bait. They’re prompting users to install a plugin before they can watch a mobile trailer, for example.

Of course, we’ve all come across this scenario before, where we don’t have a certain plugin installed in order to view something, so we’re forced to download and install it before continuing. However, it looks like criminals are taking advantage of that tradition by implementing the same kind of system in order to get users to install the trojan.

It’s said that a Windows version of the trojan also exists, but it doesn’t affect Windows 8 users currently. Cross-platform malware isn’t rare most of the time, but this particular one uses its own code to target each specific operating system, as opposed to targeting a universal piece of software like Java, which we’ve heard plenty about recently.

[via The Next Web]

The MiniDuke virus has affected various Government institutes located in Ukraine, Belgium, Portugal, Romania, the Czech Republic, Ireland, Hungary, and the United States. It uses exploits found in Adobe Reader 9, 10, and 11. The code for the MiniDuke’s customized back door was written in “Assembler”. It loads a downloader onto the system that’s only 20kb in size. During system boot, the downloader determines the computer’s unique fingerprint and uses it to encrypt itself from any antivirus program that can identify it.

MiniDuke then creates a Twitter account using its Command and Control (C2) system and creates tweets containing encrypted URLs in hashtags that lead to backdoors. These backdoors provide MiniDuke’s C2 access to the entire computer. It then loads malicious files, disguised as GIF images, onto the computer. This opens up an even bigger backdoor that allows MiniDuke’s C2 to copy files, delete files, make directories, kill processes, and even load more malware onto the computer.

The backdoors have been traced back to two servers located in Panama and Turkey. The latest attack happened on February 20th. Adobe had previously patched its Adobe Reader software, but it seems that MiniDuke was able to find a bypass to it. It was only yesterday when Adobe had to release an emergency update for its Adobe Flash Player because hackers were using it to attack Firefox users.

[via Kaspersky]

The Stuxnet virus attack in 2007 was very specific. It infected the systems that were used to manipulate the centrifuges in 14 industrial sites located in Iran. It shut off valves that supplied uranium hexafluoride gas to the centrifuges, which in turn damaged the centrifuges. It was able to manipulate the systems due to a few security holes inside of the Windows operating system. It then replicated itself over and over, and used the Siemens Step7 software to take advantage of Iran’s systems.

More attacks from Stuxnet happened from 2009 through 2010 in the Natanz facility. The Stuxnet virus manipulated the systems at the Natanz facility and destroyed up to 1000 centrifuges. The virus was able to do so by manipulating the operating speeds of the centrifuges. It would greatly increased the operating speed of several centrifuges, then decrease the operating speeds, and the variation between the two caused the centrifuge’s tubes to expand making the centrifuge destroy itself.

Symantec stated that whoever created Stuxnet created “a complicated and sophisticated piece of malware requiring a similar level of skill and effort to produce.” It’s still a mysterious to us as to who initiated the Stuxnet virus attacks, but many believed that it was a joint effort between the United States and Israel. The Stuxnet 0.5 discovery doesn’t show much except the evolution of the virus in the succeeding years, and how it was altered to do much more specific and widespread damage.

[via CNET]

Regardless of their country of origin though, this group is said to have been running their ransomware scam across Europe and are believed to have taken in millions of euros. These crimes were based on a virus that locks a user’s computer and in turn sends them a message that appeared to be a warning from the police. The key here, these messages were demanding a sum of €100 to unlock the computer.

Rob Wainwright, the director of Europol was noted as saying that this is essentially a mass marketing scam and that “even if only 2 percent fall victim to the scam, it is still a very good pickup rate.” He went on to say that 3 percent of those targeted in this scam were believed to have paid. Wainwright didn’t mention any estimates in terms of dollar amounts, however Francisco Martínez, Spain’s secretary of state for security believes they collected more than €1 million in Spain alone.

Dollar amounts aside, an inspector from Spain that helped in the investigation said this organization “had a very well-structured and complex infrastructure.” In addition to the arrests, police also took several computers as well as more than 200 credit cards and €26,000 in cash. Those arrested were charged with varying crimes including money laundering, fraud and involvement in a criminal organization.

[via The New York Times]

The virus was first discovered by US cyber security experts back in 2007, and it’s described as “one of the most financially destructive computer viruses in history.” but the operation actually continued well into 2012. The mastermind behind Gozi, Nikita Kuzmin, was arrested in the US in November 2010 and pled guilty to computer intrusion and fraud charges in May 2011.

As for the two other co-conspirators, Deniss Calovskis and Mihai Ionut Paunescu, Calovskis was arrested in Latvia in November 2012 and Paunescu was arrested in Romania last month. Extradition proceedings for both of them are ongoing as we speak, and they face up to 67 and 60 years in prison, respectively, while Kuzmin faces up to 95 years in the clink.

The Gozivirus infected around 40,000 computers in the US, with 160 of them belonging to NASA, according to court documents. When the virus was discovered in 2007, cyber security expert Don Jackson went undercover in Russian chat rooms to try and obtain a version of the virus for testing purposes. He actually ended up getting several offers for a few thousand dollars each, but ended up severing communication before a deal was made.

[via ABC News]

Image via Flickr

The power plant infected by the USB drive ended up staying offline for three weeks while the issue was fixed. The malware had been introduced via the USB drive of an outside technician who was performing software updates, and was an identity theft trojan. The malware managed to infect approximately 10 computers.

A second power plant that was also infected had malware on multiple computers, some of which were involved with the plant’s operations. Unlike the other plant, no information was provided on how this malware made its way onto the workstations. The first power plant did not have properly updated antivirus software.

The Industrial Control Systems Cyber Emergency Response Team said this in a report. “ICS-CERT’s onsite discussions with company personnel revealed a handful of machines that likely had contact with the tainted USB drive. These machines were examined immediately and drive images were taken for in-depth analysis. ICS-CERT also…discovered signs of the sophisticated malware on two engineering workstations, both critical to the operation of the control environment.”

[via USA Today]

Batchwiper shows up in Task Manager as the legitimate process GrooveMonitor.exe, which then kicks off additional processes under juboot.exe, jucheck.exe, WmiPrv.exe, and SLEEP.EXE. There are no reports of this malware out in the wild, according to Kaspersky Lab, and as of now, no one is sure how the infection is jumping from machine to machine.

Some speculate that the malware is transferred via external drives, such as flash drives, while others say it could be spread via insiders with access to the machines, or as part of another attack. Specifically, Batchwiper purges the data on all disk partitions labelled “D” through “I,” as well as the desktop contents of the user unfortunate enough to log on during the infection’s rampage. This comes after other attacks Iran has been dealt, including Flame.

An Iranian CERT advisory stated, in part: “Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by antivirus. However, it is not considered to be widely distributed. This targeted attack is simple in design and it is not any similarity to the other sophisticated targeted attacks.”

[via ars technica]

According to the security researchers, various types of social-engineering are being used to encourage Skype IM users to click on the links. Most common appears to be a question along the lines of “lol is this your new profile pic?” which resolves to a file called “Skype_todaysupdate.zip” that downloads the trojan itself.

Trend Micro says that it has observed “upwards of 400 detections in less than 12 hours” from those using its security products, according to TechCrunch, though the actual number is likely to be greater. Both it and Skype point out that users should be wary about clicking links that they’re not expecting and from people that they don’t know.

There’s more information at the Skype forums, and Skype has instructions here on how you can clean your system if you’ve inadvertently been infected.

Skype statement:

“Skype takes the user experience very seriously, particularly when it comes to security. We are aware of this malicious activity and are working quickly to mitigate its impact. We strongly recommend upgrading to the newest Skype version and applying updated security features on your computer. Additionally, following links – even when from your contacts – that look strange or are unexpected is not advisable”

Those people, Kristy Ross, Sam Jain, and Daniel Sundin, were hit with the $163 million fine to repay the victims they ripped off throughout the years. In addition, Ross has been banned from selling software that interferes with a user’s computer. Ross and co. were responsible for one of these seemingly endless scareware schemes, alerting Internet-goers to non-existent problems on their computers, and then charging $39.95 and up to “fix” the issues. The scam ran from 2000 to 2008, and in that time, the trio pulled in tens of millions of dollars from confused and scared PC users.

Three other people involved in the case, Marc D’Souza, Maurice D’Souza, and James Reno, settled with the FTC in 2010, and aren’t required to pay back the $168 million. The group operated under the name of Innovative Marketing Inc., which bought space for legitimate-looking ads on major websites. When users would click on the ads, they would be taken to an Innovative Marketing website, where they were told that any number of malicious programs were discovered on their computer and then urged to purchase bogus software to fix the issues.

This is a big step in the right direction for the FTC, but unfortunately, scareware still runs rampant today. It’s a problem that probably won’t ever go away entirely, so users need to stay vigilant when it comes to surfing the Internet and believing those illegitimate alerts. This may not be the last we’ve heard of scareware, but it’s definitely the last we’ve heard of Innovative Marketing Inc.

[via Threat Post]

Kaspersky detects the virus by checking systems for a font that’s included when the virus infects a computer. The font, Palida Narrow, could be a play on words of Paladin Arrow, according to one Kaspersky Labs researcher. While the virus is primarily used for gathering financial information, there are parts of the code that obfuscate other abilities.

The information that the virus gathers isn’t limited to sensitive banking details, however, with the malicious software also targeting web browsing histories and passwords. The virus also creates a detailed snapshot of the targeted computer’s hardware, designed to help aid any future attacks. The origins of Gauss aren’t known, but experts believe it could be a state-designed virus due to the specific banking institutions it’s targeting. It could be an attempt to gather the financial activity of a group like Hezbollah or the Iranian government.

Even stranger, after the virus was first discovered by Kaspersky Lab back in July, the remote systems used to control it were abruptly shut down. The makeup of the virus also shares features with other espionage related viruses, further backing up the belief that it’s a state-designed effort. Other security experts, however, believe it could simply be the work of coders and criminals that have copied state designs.

[via The Washington Post]

The purpose of that font, called Palida Narrow, is currently unknown, though the trojan’s other abilities are more concerning. Gauss can infect USB drives and monitor browsers, sucking passwords, site history and other credentials and sending them to a remote command machine. It also runs a profile on the infected machine and reports that back, including details on network interfaces, BIOS and what drives are present.

Several Lebanese banks have been specifically targeted, with customers of the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais all apparently susceptible. Gauss has also been seen to target users of Citibank and PayPal.

While it shares features with Stuxnet and Flame, Gauss is said to be more complex in how it can hide on a system. Although it uses similar methods to infect removable drives, it’s also capable of “disinfecting” the drive if need be, at other times using it to store data in a hidden file so that it is not discovered by regular local-drive anti-malware scans.

Approximately 2,500 machines are believed to have been infected – more than three times as many as Flame – since what’s said to have been the first victim in September 2011. It’s unclear how the trojan is communicated, and who is remotely operating it.

Facebook has opened a Malware Checkpoint for Facebook, and it sends people to one of two places. The checkpoint recommends people sign up for Microsoft Security Essentials or McAfee Scan and Repair. Mac users who hit the Malware Checkpoint are referred to the Apple Security Updates website.

Facebook has been notifying site users for a long time if it detects a possible malware infection on their individual machine. It has been linking users to free antivirus software to clean up suspected infections. The big change here is that Facebook is now opening the Malware Checkpoint to all users, whether or not an infection is detected on their computer.

[via CNET]

The number of unique IP addresses DCWG found with the DNSChanger infection was 551,436 back on the 8th of November, 2011. Fast forward to yesterday (the 8th of July, 2012,) and the number had dropped to 210,851. According to country code, the USA returned the most hits for IPs with the infection at 41,557 just yesterday while only Italy, Great Britain, and Germany had over 10,000 racked up.

There will be monitoring of IP addresses that have been affected and subsequently claimed clean, of course, to make sure they aren’t hijacked once more. The DCWG’s job does not end here, but the IP addresses listed at their site: Cleaning Ends will now be monitored by several Service Provider and Security Organizations – that’s what’s included in the future checking to assure no more malicious hijacking.

And in the end, if you’re reading this from your computer connected to the internet, you weren’t infected anyway. So happy day for you! Have a peek at our timeline below to follow the whole saga as it unfolded this summer – and stay tuned for more!

What you’re going to want to do is two things if you’re fearful that your computer may have been affected by this web devil. First, if you’re reading this article from your computer, you have not been affected at all: the virus shuts your web off. If you still have internet, you’re fine. Second, you’ll want to check out the following video to get a grip on what this situation is all about – it’s all very simple, really:

That video comes from the post entitled DNSChanger malware for dummies. There you’ll find a bit more of an explanation, but for those of you really looking to read rather than watch, head to our DNSChanger guide to learn how to find it and how to fix it. For those of you reading this outside the country on your smartphone: remind yourself again that it’s much more likely that your computer back home (wherever that may be) is not infected rather than infected.

“Since midnight last night, when the FBI (via the Internet Services Coalition) disconnected the servers associated with this botnet, we’ve only received a miniscule number of calls, but our customer care and security assurance teams are standing by and are ready to help,” – Douglas

Charlie Douglas is the Comcast senior director of corporate communications and has assured MSNBC that there’s nothing to worry about. The same is true of Verizon, AT&T, and COX, also speaking today saying that the effect of this situation is minimal and tiny, having little impact overall.

Check out the timeline below to learn more about DNSChanger and what it’s done so far!

Since the FBI and other law enforcement agencies seized control of the botnet behind DNSChanger, a temporary DNS server network has been running in its stead so as to keep infected users online. That network will cease operating on Monday.

“The botnet operated by Rove Digital altered user DNS settings, pointing victims to malicious DNS in data centers in Estonia, New York, and Chicago. The malicious DNS servers would give fake, malicious answers, altering user searches, and promoting fake and dangerous products. Because every web search starts with DNS, the malware showed users an altered version of the Internet” DNSChanger Working Group

The best news is, checking for a DNSChanger infection on your system and, if found, getting rid of it is straightforward. First step is heading to dns-ok.us in your browser: that will tell you whether or not there’s a sign that your computer has been infected. If it’s green, you’re in the clear (though it’s probably still worth forwarding this article on to friends and family – particularly net-confused parents – who might need some assistance checking their own machines).

If it’s red, however, you have a DNSChanger problem. Thankfully there are multiple options to get rid of it: Microsoft has a tool, as do key anti-virus vendors such as McAfee and Norton. There’s a full list of them here, and usually it’s just a case of downloading and running an app to get your computer back on an even keel.

Before people with infected systems will be able to get back online, they will have to clear the computer of the DNSChanger virus. The shutdown of the temporary servers is the final move in an FBI operation called Ghost Click that spanned two years and officially ended in November 2011. The virus changed victim’s DNS servers, routing them to websites of the hacker’s choosing.

Some of those websites were fraudulent in nature according to authorities. Six Estonians behind the fraud ring were arrested by the FBI during the course of the investigation. The virus was originally disseminated via traditional channels, including e-mail and malware. The FBI had replaced the hacker’s nefarious servers with “clean” servers to keep PCs infected by the virus online.

[via CBC]

The Flame virus was first discovered last month when Iran detected a series of cyber attacks on its oil industry. Although the attacks were allegedly carried out by Israel alone, the software used was developed in collaboration with the US, adopting much of the same code as the Stuxnet virus.

The virus is said to be the most sophisticated malware discovered to date. Masquerading as a routine Microsoft software, Flame was able to replicate itself across even highly secure networks, control everyday computer functions, send back secret information, log keystrokes, control computer cameras and microphones, take screen shots, and even extract geolocation data from images.

In researching the methods used by the Flame virus, Microsoft discovered that the attack exploited Window’s Terminal Server Licensing Service, which uses an older cryptography algorithm. It allowed parts of the malware to be signed by certificates that made them appear to be produced by Microsoft.

Microsoft is resolving the issue by issuing an update that blocks software signed by these unauthorized certificates and the company is also terminating its Terminal Server Licensing Service from issuing any new certificates. For more details on the update, you can visit Microsoft’s security advisory page.

The new information we have today comes from a New York Times article created after 18 months of interviews with “American, European and Israeli officials involved in the program, as well as a range of outside experts.” The New York Times notes that none of the names of the people they interviewed will be shared due to the “highly classified” nature of the program.

Interviewees suggest that the effort was actually successful in setting back Iran’s nuclear weapons program “18 months to two years” despite the accidental leak of the virus at the center of it all. To get the worm into the Iranian facility they’d targeted, Stuxnet was placed on a USB flash drive.

“Getting the worm into Natanz, however, was no easy trick. The United States and Israel would have to rely on engineers, maintenance workers and others—both spies and unwitting accomplices—with physical access to the plant. “That was our holy grail,” one of the architects of the plan said. “It turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand.”" – NYT

Since the software “escaped”, a word used many times in this report, the Stuxnet code was “found then disassembled by security researchers” according to Ars Technica. It appears though that the United States government has things well in hand at this point outside this situation – but do acknowledge the threat for the future.

“He repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons — even under the most careful and limited circumstances — could enable other countries, terrorists or hackers to justify their own attacks. “We discussed the irony, more than once,” one of his aides said.” – NYT

Have a peek at what Stuxnet was – and is – made of in the following video presented by Australian TV program HungryBeast. The direction and Motion Graphics in this movie were done by Patrick Clair

This week the Iranian officials have said that the virus that attacked computers in the oil industry was the Flame malware. Security experts have said that Flame is so powerful that not only can it steal data and files from computer networks you can listen in on computer users. While it’s still unknown where Flame originated, suspicious fingers have been pointed at Israel already.

A disruption of the oil industry within Iran could have serious consequences not only for Iran itself, but also for many other countries since Iran is one the world’s top oil exporters. The origins of Flame are unknown, but some experts you the malware is a technological leap and note that it shares the same high-level engineering as Stuxnet. Stuxnet is believed by some to have been the work of Israeli intelligence. So far, Israel has never confirmed or denied involvement with Stuxnet and other viruses.

[via Philly.com]

Woodward notes that the software was (and is) modular, needing simple additions or subtractions of elements to make its functions highly advanced and able to carry out a variety of attacks. “You just add apps” noted Woodward, comparing the virus to a smartphone in its ability to change on the fly. One of the most advanced elements popping up in the software is Flame’s ability to copy data from nearby Bluetooth-enabled smartphones.

An infected user’s computer will not necessarily show outward signs that it is copying data from nearby cellphones and smartphones, but it will then move that data to the web where Flame’s creators can harvest it. This is just one of many abilities Flame is currently rolling across Iran and surrounding areas this week. Udi Mokady, chief executive of Cyber-Ark, an Israeli developer of information security, spoke up on the virus in brief:

“It’s a live program that communicates back to its master. It asks, ‘Where should I go? What should I do now?’ It’s really almost like a science fiction movie.” – Mokady

Stay tuned as this malicious software – and those affected by it – continue to make headlines across the planet.

[via USA Today]

This page will pop up for your in the Facebook Security section of your Facebook homepage and will, as you can see below, offer you several McAfee-branded virus protection software downloads as well as other brands of similarly situated applications. The basic McAfee Internet Security software is the first download you’ll see in the “AV Marketplace” and will offer you 6 months of service for free. Like all temporarily free software, you’ll then have to begin paying cash to keep it around.

Facebook’s AV Marketplace will also include such names as Microsoft, McAfee, Trend Micro, Sophos and Symantec, each of whom will soon augment Facebook’s URL blacklist system with their own URL blacklist database to keep viruses from you. Keep in mind the new Facebook CISPA support and see how this rings a bell with that. They’re speaking about sharing information with other websites and the government as fast as possible in the name of security, letting each-other know the names and information on virus and hacker-related entities found on any of their networks.

See what you make of it! And head over to the Antivirus Marketplace on Facebook now to see if you need any new software for your computer. Remind yourself that its only temporarily free again, and again, and again.

[via Facebook]

Both Symantec and Kaspersky Labs reported a substantial decrease in the number of infected Macs, which were estimated to be at around 650,000 systems at its peak. Late last week Symantec had reported that the Flashback botnet had shrunk to 270,000 infected systems, while Kaspersky reported 237,000 systems.

Dr. Web is now saying that these numbers aren’t accurate and believes that at the greatest extent of the Flashback botnet, 817,000 systems were infected with an average of 550,000 contacting the command and control servers during any 24-hour period.

Dr. Web believes that the discrepancy in estimates has to do with interception by an unnamed entity to block the botnet’s activity. Infected bots connecting to a server at 74.207.249.7 were put into a suspended state, which made them no longer able to communicate and be registered by security company sinkholes.

Intego, a security firm specializing in Macs, agrees with Dr. Web’s claim that Flashback’s infection numbers have been underestimated.

[via TechWorld]

According to Symantec, there are still 140,000 Macs infected by the Flashback Trojan despite the patches and removal tools offered, while Kaspersky estimates that the infections have dropped to 30,000. Although the numbers vary greatly from different sources, one thing is clear and it’s that more Mac malware are on the way.

Kaspersky explained that the Flashback infections were actually spread through trusted WordPress sites that had been hijacked rather than through the downloading of malicious files. It’s still not clear which groups are behind the Flashback malware, but Kaspersky believes its safe to assume that it is part of “eastern euro-cybercrime.”

Apple’s new Gatekeeper security feature for Mac OS X Mountain Lion will help tighten up security when it’s launched this summer. Kaspersky, of course, also recommends their antivirus software for Mac users.

[via 9to5Mac]

Kaspersky researchers discovered that 98 percent of the infected computers were running Mac OS X. The other 2 percent cannot be confirmed but are believed to most likely be Macs as well, making this the largest Mac-based infection to date.

Unlike a previous malware threat on Macs, the Flashfake attack doesn’t need to trick users into handing over personal information in order to compromise their machines. Instead, this new threat takes advantage of a Java vulnerability that automatically downloads the trojan to users’ machines when they visit an infected website.

Although Apple is said to be working on a removal tool for the malware, the company has been blamed for being too slow to patch the Java vulnerability. Oracle had issued the patch to Windows and Linux machines seven weeks prior to when Apple, which does its own Java maintenance, released the update for Macs.

Mac OS X users are urged to check whether their computers have been infected by using Kaspersky’s secure site at www.flashbackcheck.com. If you find that your Mac is infected, you can use the free Kaspersky Flashfake Removal Tool. Users are also advised to install the latest security updates from Apple.

Moscow-based Kaspersky Lab, the second security firm to confirm these reports, analyzed Flashback’s communication methods and registered a C&C domain before hackers detected it. Infected machines then contacted that domain, revealing the size of the Flashback botnet, which is now at about 600,000 computers.

Although not all of those systems were running Mac OS X, Kapersky estimates that about 98% were indeed Macs. The threat is now being considered “unprecedented, evident, and imminent” by security experts.

Apple has released an update last week to patch the Java vulnerability but has been taking the blame for being too slow to react. Oracle had patched the vulnerability for Windows and Linux systems seven weeks earlier.

[via ComputerWorld]

That’s if you believe the futuristic warnings of security company Fortinet. At a recent security conference, Black Hat Europe, the company’s senior manager of threat research Guillame Lovet discussed what we might be dealing with in the not too distance future. He said there has been research into distinguishing the differences – and similarities – between the way computers fight viruses and the way humans fight viruses. After all, it is no mistake that we use the same word for both cases.

“We came to wonder if there can be some kind of convergence between human viruses and computer viruses. It may sound like a scenario for a bad Hollywood movie, but it is not such a stupid question,” Lovet said. Fortinet actually penned a research paper on the subject, noting that you can boil down a biological disease into a series of formulas and coding. One researcher even compared a Denial of Service attach to HIV, since both aim to overload a system. Is it still just high-concept dialogue or is this an actual threat? At least someone is trying to solve that question.

[via Infoworld]

While there are quite a few applications on the market that have the code in question on them at this point, and at least 1 million but up to 5 million users have already downloaded it in one way or another, there’s nothing to fear. As Symantec notes, this software is only capable of doing a few disagreeable things to your Android device instead of a whole lot, the latter being the one that gets a code into the “malware” category. Instead, we’re only talking about the following:

“In general, it’s changing the home page of the [smartphone's] browser, adding additional shortcuts to the desktop, adding and even removing bookmarks. … It took a while for some consensus then about what was adware or spyware, and what wasn’t, but eventually that consensus was reached.” – Kevin Haley of Symantec

Check the timeline below for more information on which applications have the Counterclank software on them, and avoid them if you must – but don’t worry, they’re safe! What’s considered safe now, that’s what’s up for debate. Haley continued:

“We’re going to see app vendors experiment with how to monetize their apps on Android phones, more so on mobile than on the PC, because mobile apps are sold at very inexpensive prices or given away for free. It’s understandable that we’ll see some pushing the boundaries, or even going beyond them.” – Haley

[via Symantec]

It’s just as basic as that, when it comes down to it: if you’ve picked up a tablet for the first time, or a smartphone for the first time, and you want to grab some apps, you just head to the market and start downloading like a maniac. The step that exists between here and there that, unfortunately, is the only real level of security that exists for Android today is this: reviews by people like your humble narrator. And I don’t do that many reviews of applications. Consumers must trust in well-known publications to tell them if applications are safe to use or not if they’re on Android, giving them the links they need to find apps that don’t cause havoc on their devices – but they don’t, and therein lies the problem with Google’s system.

Google has provided an awesome system in which developers do not need their permission to publish an application, allowing the open market to thrive and grow rampantly. The bad thing about this is that the warning that are embedded in every download, the gates that Google has actually put up to defend against malicious software, are not working. When a consumer downloads an app, there’s a warning that comes up when they’re about to install which tells them what the app is capable of. Have you seen it? Likely if you’re an average citizen, you’ve pushed right past it and installed with fury.

There’s a South Park episode about this situation, in a way, though it uses Apple and their iTunes user agreement as an example instead. The lesson they teach the character Stan in that episode is that you should always, always read the user agreement before agreeing to it. What the agreement amounts to though, instead of it being there for the consumer to know their rights, is a safeguard for the company that placed it – in this case, Google is not to blame as the text they’ve freely given consumers which says things like “Malicious applications can use this to erase or modify your Browser’s data” has rid them of all legal blame.

NOTE also that this newest attack titled Android.Counterclank has been classified as several things: the first as a malware attack, but the most recent, listed by Lookout Mobile Security, as “an aggressive form of an ad network.” Attaching to your device after it explicitly warned you that it was going to do so – fair deal!

[via Lookout]

What we’re looking at here is a fellow by the name of Andrey N. Sabelnikov from the Russian Federation who worked most notably with antivirus vendor Agnitum. Once he began his work on this Kelihos operation, he embedded debug codes into the source of the virus which then allowed the software to download and install the Kelihos machine. It’s undoubtably clear that the fellow in question here got his knowhow from working with the firms he’d worked with in the past whose main goal it is to do away with the viruses he now slung. His LinkedIn page also noted that he’d worked for security vendor Returnil between 2008 and 2011, his stint with Agnitum taking place between 2005 and 2008.

Microsoft wrote the following in a US District Court complaint against Sabelnikov:

“Defendant Andrey N. Sabelnikov is an individual residing in St. Petersburg, Russian Federation. Defendant currently works on a freelance basis for a software development and consulting firm. Prior to his current employment, Defendant worked as a software engineer and project manager at a company that provided firewall, antivirus and security software. [With Kelihos botnet he] used the software to control, operate, maintain and grow the Kelihos botnet, by among other things, infecting innocent users’ computers.” – Microsoft

Harsh words, but certainly not unwarranted. How many hackers do you think studied with the protection agencies they’d hope to bypass in the future? Imagine the ease!

[via Ars Technica]

While a refrigerator magnet has never been hacked and an online virus has never attacked a cork board, I’d wager USPS doesn’t attribute most of its revenue to either one of those tiny bits of in-home convenience. As you’ll see in the video below, USPS instead wants you to understand that the Internet is nothing compared to the “added feeling of security” that a printed statement or receipt adds. The commercial ends with a call for you to visit their webpage telling you how not to use the internet because it is evil.

While USPS is speaking here about “the value of mail to both businesses and consumers,” as they write on their page, we’ve got to ask: why make a video? Why not send a letter to all of your customers in the mail? Have a look at the video and let us know what you think about this new punch to the gut of the internet, and also, if you can remember, let us know the last time you sent a letter.

The announcement came from Chief Cabinet Secretary Osamu Fujimura this week. Computers in the Japanese House were infected in late August according to Fujimura. The computers in the overseas Foreign Affairs offices handle low security information and the separate network that handles high security information was not infected according to officials.

Fujimura is specific in pointing out that there was no leak of confidential information. However, he declined to comments on the specific locations and nature of the attack. If the attack was from emails as previously stated, the source was likely infected file attachments. The computers in the House that were infected in August were identified and cut off from the network. PC World reports that local Japanese media are saying the attacks were malicious and claim that logins and passwords to protect email and other private data were stolen in the attacks.
[via PC World]

The virus first decrypts the paths of the XProtectUpdater plist files and unloads the XProtectUpdater daemon. It then overwrites the XProtectUpdater files with a blank character and also overwrites the plist and binary for the XProtectUpdater.

This process wipes out certain files and prevents XProtect from automatically receiving updates in the future. This makes your computer vulnerable to future attacks since definitions cannot be updated. Although it’s common for viruses to attempt to disable anti-malware safeguards, this may be the first Mac-oriented malware that targets XProtect.

[via MacNN]

About two week ago, the Airforce discovered that the computers at Nevada Creech Air force Base where the pilots of drone missions control their craft from were infected. The military claims that no classified information has been leaked outside the network; however, the virus had survived more than one attempt to remove it.

One source claims that each time the virus is wiped, it comes back. The virus is believed to have infected the classified and non-classified machines at Creech. The full scope of the infection is unknown. The virus is suspected to have been introduced to the network by flash drives used to move data about missions between computers.

[via Physorg]

The system relies on Websense’s ThreatSeeker Cloud system, which rather than use a blacklist of sites deemed unsafe, actually promises to scan the page to figure out whether or not it can be trusted. That, the company reckons, is a more thorough way of doing it, and allows them to check not only for viruses and malware but other content deemed inappropriate, such as racism.

In that way, it’s a marked difference from Google’s blocking system, which warns about potentially dangerous pages using a list of pre-approved sites. Facebook has already implemented a crowd-sourced link checking system, called Web of Trust, which will continue to operate in addition to Websense’s offering.

Among the issues the engineer spotted during reverse-engineering the Sophos software was a short-sightedness in how the app attempts to identify malware and block its installation. Only a small number of potential exploits are examined, Ormandy discovered – it’s unclear if this is intended to reduce the time it takes to scan, so as not to frustrate the user, or for some other reason – and so minor tweaks to standard malware code could allow the app to be loaded.

“Only the most standard, non-modified payloads could be intercepted by this … It’s ridiculously weak” Tavis Ormandy, security researcher

Other potential defects that could be exploited by malware relied on how the security software could react to false-positives and frustrate users to the point where they deactivated it. Ormandy was able to fake the verification signatures Sophos uses to identify malicious code and use it to create a storm of groundless warnings.

Most dangerous, perhaps, was Sophos’ attitude to cryptography. In some cases the encryption key the company used was stored alongside the data it had been used on; if misused, that could allow malware to remain undetected despite the software performing regular scans.

Although Ormandy works at Google, where he is a security engineer, he claims to have completed the research into Sophos in his own time and without either the knowledge or support of his employer. He also gave Sophos a heads-up on his announcements, and the company’s representative at Black Hat, Vanja Svajcer, confirmed that the criticisms were valid and said that efforts to address them were underway.

However, Svajcer also insisted that no evidence that any of the loopholes had been used maliciously had come to light, and suggested that the work involved in tailoring malware to target Sophos’ software specifically would likely be too involved for most authors.

The malware mimics legitimate apps, but once installed, it secretly records all of your phone calls in stores them on your handset’s SD card. It also inserts a configuration file with parameters for a remote server, suggesting that malware can also upload recorded conversations to a remote server.

It’s recommended that Android users exercise more caution and install only apps from trusted sources. Non-market apps can also be blocked by unchecking “Unknown Sources” in your Android device’s Application settings. Anti-virus type of apps for Android devices can also be used to help detect and prevent malware.

[via CA Security]

The memo also insists that AppleCare staff should neither confirm nor deny that the malware has been installed, should not attempt to assist customers in removing it, and should not escalate cases to Tier 2 support. Neither should they be referred to the Apple Store, which “does not provide any additional support for malware.”

Apple is yet to comment on the leak, though it certainly looks like the company is attempting to tread water while it investigates the malware. Despite growing popularity of OS X, the platform is still in the minority when it comes to the attentions of virus and other malware authors. That privileged position may well have left the company wrong-footed today.