
Predicting Malicious Behavior: Tools and Techniques for Ensuring Global Security (A $54.99 Value) FREE


A groundbreaking exploration of how to identify and fight security threats at every level.


This revolutionary book combines real-world security scenarios with actual tools to predict and prevent incidents of terrorism, network hacking, individual criminal behavior, and more. Written by an expert with intelligence officer experience who invented the technology, it explores the keys to understanding the dark side of human nature, various types of security threats (current and potential), and how to construct a methodology to predict and combat malicious behavior.

  • Guides you through the process of predicting malicious behavior, using real-world examples, and shows how malicious behavior may be prevented in the future.
  • Illustrates ways to understand malicious intent, dissect behavior, and apply the available tools and methods for enhancing security.
  • Covers the methodology for predicting malicious behavior, how to apply a predictive methodology, and tools for predicting the likelihood of domestic and global threats.

Predicting Malicious Behavior fuses the behavioral and computer sciences to enlighten anyone concerned with security and to aid professionals in keeping our world safer.


Free Download now

~ Tuesday 27 October 2015, 0 comments

Another Zero Day Vulnerability Found In Adobe Flash



Researchers at Trend Micro found a zero-day exploit for the Adobe Flash plugin. The Flash zero-day affects the latest versions of Adobe Flash Player, 19.0.0.185 and 19.0.0.207.

According to Trend Micro, the Pawn Storm campaign is behind this attack; the targets receive phishing emails carrying links to the exploit. Trend Micro listed the following email subjects used in the campaign:

  • “Suicide car bomb targets NATO troop convoy Kabul”
  • “Syrian troops make gains as Putin defends air strikes”
  • “Israel launches airstrikes on targets in Gaza”
  • “Russia warns of response to reported US nuke buildup in Turkey, Europe”
  • “US military reports 75 US-trained rebels return Syria”

(Image: affected Adobe Flash Player versions, by Trend Micro)

How Can we Protect?

Trend Micro said it has reported the vulnerability to Adobe, but Adobe has not yet patched it.

~ Wednesday 14 October 2015, 0 comments

YiSpecter: First iOS Malware That Attacks Apple iOS Devices



YiSpecter is different from previously seen iOS malware in that it attacks both jailbroken and non-jailbroken iOS devices through unique and harmful malicious behaviors. 

Claud Xiao, a researcher at the cyber security firm Palo Alto Networks, describes how this malware attacks iOS devices, targeting users in China and Taiwan.

He wrote in the blog post:

Specifically, it’s the first malware we’ve seen in the wild that abuses private APIs in the iOS system to implement malicious functionalities.

(Image: YiSpecter-infected iOS device)

YiSpecter is the first real-world iOS malware that combines these two attack techniques and causes harm to a wider range of users. It pushes the line barrier of iOS security back another step.


  • Whether an iPhone is jailbroken or not, the malware can be successfully downloaded and installed.
  • Even if you manually delete the malware, it will automatically re-appear.
  • Using third-party tools, you can find some strange additional “system apps” on infected phones.
  • On infected phones, in some cases when the user opens a normal app, a full-screen advertisement will show.


Palo Alto Networks has released IPS and DNS signatures to block YiSpecter’s malicious traffic. This blog also contains suggestions for how other users can manually remove YiSpecter and avoid potential similar attacks in the future. Apple has also been notified.

According to analysis reports by Qihoo 360 and Cheetah Mobile, YiSpecter was also spread by the Lingdun worm.
(Image: a malicious webpage uploaded by the Lingdun worm)

Lingdun uses fake VeriSign and Symantec certificates to bypass malware detection systems. Its primary goal is to download and to install additional Windows software onto a PC. Most of this additional software is benign but at least one installation was malicious.

Apple said in a statement:

“This issue only impacts users on older versions of iOS who have also downloaded malware from untrusted sources. We addressed this specific issue in iOS 8.4 and we have also blocked the identified apps that distribute this malware. We encourage customers to stay current with the latest version of iOS for the latest security updates. We also encourage them to only download from trusted sources like the App Store and pay attention to any warnings as they download apps.”

How to Remove YiSpecter from Your iOS Devices?

  • Go to Settings –> General –> Profiles and remove all unknown or untrusted profiles.
  • Delete any installed apps with the names 情涩播放器, 快播私密版 or 快播0.
  • Use any third-party iOS management tool, such as iFunBox on Windows or Mac OS X, to connect to your iPhone or iPad.
  • Then check for installed iOS apps like Phone, Weather, Game Center, Passbook, Notes or Cydia and delete them.



Last month we reported that the XcodeGhost malware infected almost 40 popular apps in the Chinese App Store.

~ Tuesday 6 October 2015, 0 comments

Your Android Phone is Vulnerable To Remote Hacking With StageFright Bugs



Stagefright 2.0 is a set of two vulnerabilities that manifest when processing specially crafted MP3 audio or MP4 video files.

Joshua Drake, Vice President of Platform Research and Exploitation at Zimperium, discovered two more vulnerabilities in Android. His research focused on media processing in Android, and specifically on remote attacks against current devices.

What is the vulnerability?
Processing specially crafted MP3 or MP4 files can lead to arbitrary code execution.

The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue. Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser.

  • An attacker would try to convince an unsuspecting user to visit a URL pointing at an attacker controlled Web site (e.g., mobile spear-phishing or malicious ad campaign)
  • An attacker on the same network could inject the exploit using common traffic interception techniques (MITM) to unencrypted network traffic destined for the browser.
  • 3rd party apps (Media Players, Instant Messengers, etc.) that are using the vulnerable library.

Once exploited, this vulnerability lets attackers access personal data and photos stored on the phone, take photos, record conversations, read email and SMS, and download malicious apps remotely.

Google said the new Stagefright bugs will be fixed in the next scheduled update.

Source: Zimperium

~ Thursday 1 October 2015, 0 comments

Malvertising Campaign Targeting On Top Adult Websites



A malvertising attack is targeting several adult websites, including xHamster, which draws in a large fraction of a billion visitors per month.

What is Malvertising?
Malvertising (from "malicious advertising") is the use of online advertising to spread malware. Malvertising involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages.

According to a report by Malwarebytes:

The malvertising first checks whether you are running Internet Explorer, then exploits CVE-2013-7331, a Microsoft.XMLDOM ActiveX control vulnerability in Microsoft Windows 8.1 and earlier.

(Image by Malwarebytes)

The malicious advert served by TrafficHaus was for a dating application called ‘Sex Messenger’ and was displayed often enough that we were able to reliably reproduce the infection in our lab, something that isn’t always feasible when it comes to malvertising.

Malwarebytes researchers also identified that the Microsoft Azure and Red Hat cloud platforms, and now IBM’s Bluemix, are being leveraged by threat actors, who take advantage of the free HTTPS encryption these platforms provide when delivering malicious code.

Researchers also spotted a more recent attack on the xHamster website, which distributed browser-based ransomware.

The following websites are recent victims of malvertising attacks:
  • Forbes
  • Yahoo
  • Microsoft
  • Realtor

How can we protect?
  • Keep your OS up to date
  • Always keep your computer protected with an Internet security suite
  • Use an ad-blocker add-on in your browser

We have also removed all third-party ads because of malvertising.

Please read: Malvertising Hits 10 Million In 10 Days. You Might Be Under Attack While Surfing The Web.


~ Friday 25 September 2015, 0 comments

How To Detect Potentially Malicious PHP Files



Here is a tool called PHP-malware-finder, by nbs-system.


What does it detect?

PHP-malware-finder does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malware/webshells.

The following encoders/obfuscators/webshells are also detected:

  • Best PHP Obfuscator
  • Carbylamine
  • Cipher Design
  • Cyklodev
  • Joes Web Tools Obfuscator
  • Php Obfuscator Encode
  • SpinObf
  • Weevely3
  • atomiku
  • cobra obfuscator
  • phpencode
  • webtoolsvn

How does it work?

Detection is performed by crawling the filesystem and testing files against a set of YARA rules. Yes, it's that simple!

How to use it?

$ ./phpmalwarefinder -h
Usage phpmalwarefinder [-cfhw] ...
    -c  Optional path to a configuration file
    -f  Fast mode
    -h  Show this help message
    -v  Verbose mode

Or if you prefer to use yara:

$ yara -r ./malwares.yara /var/www
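To make the "crawl the filesystem and test every file against a rule set" approach concrete, here is an added example (not PHP-malware-finder's own code, nor its YARA rules) that does the same job with a small rule engine built on regular expressions, so it runs without the yara library. Each rule has a name, a set of byte patterns and a "how many must match" condition, mirroring the strings/condition split of a YARA rule; the three rules, the sample web root and the obfuscated snippet inside it are constructed for illustration.

```python
import os
import re
import tempfile
from dataclasses import dataclass


@dataclass
class Rule:
    """One detection rule: a name, its byte patterns, and how many must hit."""
    name: str
    patterns: list
    required: int = 1


# Constructed rule set in the spirit of PHP-malware-finder's YARA rules
# (illustration rules, not the project's real ones).
RULES = [
    Rule("DangerousPhp", [
        re.compile(rb"\b(eval|assert|system|passthru|shell_exec)\s*\(", re.I),
    ]),
    Rule("ObfuscatedPhp", [
        re.compile(rb"\bbase64_decode\s*\(", re.I),
        re.compile(rb"\b(gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
        re.compile(rb"\$[A-Za-z_]\w*\s*\(\s*\$[A-Za-z_]\w*"),  # $f($x): variable function call
    ], required=2),
    Rule("PhpTagInNonPhpFile", [re.compile(rb"<\?php")]),
]

PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".inc")


def match_rules(data: bytes, filename: str) -> list:
    """Return the names of all rules whose condition holds for this file."""
    is_php = filename.lower().endswith(PHP_EXTENSIONS)
    hits = []
    for rule in RULES:
        if rule.name == "PhpTagInNonPhpFile" and is_php:
            continue  # that rule only makes sense for images, text files, etc.
        matched = sum(1 for pattern in rule.patterns if pattern.search(data))
        if matched >= rule.required:
            hits.append(rule.name)
    return hits


def scan_directory(root: str, max_size: int = 2 * 1024 * 1024) -> dict:
    """Walk `root` the way the tool does and map each flagged file
    (path relative to root) to the rules it triggered; clean files are omitted."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue  # skip huge files, as a fast mode would
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            hits = match_rules(data, name)
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


# Constructed sample web root: one clean file, one file that builds "eval"
# from string fragments (so a plain function-name rule misses it but the
# obfuscation rule fires), and one image carrying a PHP tag.
SAMPLE_FILES = {
    "index.php": b"<?php echo 'hello'; ?>",
    "uploads/cache.php": b"<?php $f = 'ev' . 'al'; $f(base64_decode(str_rot13('MJAboblNanTxaBj=='))); ?>",
    "uploads/logo.png": b"\x89PNG\r\n\x1a\n<?php echo 1; ?>",
}


def demo() -> dict:
    """Write the constructed samples to a temp dir, scan it, return findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        return scan_directory(root)


if __name__ == "__main__":
    for path, rules in sorted(demo().items()):
        print(f"{path}: {', '.join(rules)}")
```

The "N of" condition is what keeps the obfuscation rule useful: a single base64_decode call is common in clean code, but base64 plus a second decoder in one file is far more suspicious, which is the same trade-off the real YARA rules make.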

Download

~ Thursday 24 September 2015, 0 comments

Biggest Security Breach In Apple App Store Gets Malware Infected



Hundreds of Apple apps were infected with malware, including top apps such as Angry Birds 2 and the Chinese version of WeChat. The hackers targeted app developers; once an infected app was installed on a victim's iPhone, they could steal data including logins and passwords.

The malware, known as XcodeGhost, can also read and write information on the user's clipboard. Mostly Asian countries were targeted.

According to a report by The Intercept:
Although XcodeGhost is the first malware to spread this way in the wild, the techniques it uses were previously developed and demonstrated by Central Intelligence Agency researchers at the CIA’s annual top-secret Jamboree conference in 2012. Using documents from NSA whistleblower Edward Snowden

According to the U.S.-based cybersecurity firm Palo Alto Networks Inc.:
The attack affected more than three dozen apps. "We believe XcodeGhost is a very harmful and dangerous malware that has bypassed Apple’s code review and made unprecedented attacks on the iOS ecosystem."

Apple said in a statement:
"We recently removed apps from the App Store that were built with a counterfeit version of Xcode which had the potential to cause harm to customers. You should always download Xcode directly from the Mac App Store, or from the Apple Developer website, and leave Gatekeeper enabled on all your systems to protect against tampered software."

How can we protect?

Whether you downloaded Xcode from Apple or received Xcode from another source, such as a USB or Thunderbolt disk, or over a local network, you can easily verify the integrity of your copy of Xcode.

To verify the identity of your copy of Xcode run the following command in Terminal on a system with Gatekeeper enabled:
spctl --assess --verbose /Applications/Xcode.app

where /Applications/ is the directory where Xcode is installed. This tool performs the same checks that Gatekeeper uses to validate the code signatures of applications. The tool can take up to several minutes to complete the assessment for Xcode.

The tool should return the following result for a version of Xcode downloaded from the Mac App Store:
/Applications/Xcode.app: accepted
source=Mac App Store

and for a version downloaded from the Apple Developer web site, the result should read either
/Applications/Xcode.app: accepted
source=Apple

or

/Applications/Xcode.app: accepted
source=Apple System

Any result other than ‘accepted’ or any source other than ‘Mac App Store’, ‘Apple System’ or ‘Apple’ indicates that the application signature is not valid for Xcode. You should download a clean copy of Xcode and recompile your apps before submitting them for review.
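The acceptance rule above (verdict "accepted" and source "Mac App Store", "Apple" or "Apple System") is easy to get wrong by eye, especially when checking several build machines. The following added example, which is not Apple's code, encodes that rule: it parses the verbose spctl output and returns a verdict dictionary. The sample outputs are constructed (the first two mirror the results quoted above; the "resigned" and "unsigned" ones illustrate failures), and run_assessment() assumes that merging stdout and stderr is enough to capture spctl's verdict on any macOS release.

```python
import subprocess

# Verdict and sources the guidance above accepts for a genuine Xcode.
TRUSTED_SOURCES = {"Mac App Store", "Apple", "Apple System"}


def parse_assessment(output: str, app_path: str = "/Applications/Xcode.app") -> dict:
    """Parse the verbose spctl output into {'verdict', 'source', 'trusted'}.
    Anything other than an 'accepted' verdict from a trusted source is
    treated as a tampered or unknown Xcode."""
    verdict = None
    source = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(app_path + ":"):
            verdict = line[len(app_path) + 1:].strip()
        elif line.startswith("source="):
            source = line[len("source="):].strip()
    return {
        "verdict": verdict,
        "source": source,
        "trusted": verdict == "accepted" and source in TRUSTED_SOURCES,
    }


def run_assessment(app_path: str = "/Applications/Xcode.app") -> dict:
    """Run the real check on macOS. Assumption: spctl may print the verdict
    on either stream depending on the release, so both are merged first."""
    proc = subprocess.run(["spctl", "--assess", "--verbose", app_path],
                          capture_output=True, text=True)
    return parse_assessment(proc.stdout + proc.stderr, app_path)


# Constructed sample outputs; the first two mirror the expected results quoted above,
# the last two show what a re-signed or unsigned copy would look like.
SAMPLE_OUTPUTS = {
    "mac_app_store": "/Applications/Xcode.app: accepted\nsource=Mac App Store\n",
    "developer_site": "/Applications/Xcode.app: accepted\nsource=Apple\n",
    "resigned": "/Applications/Xcode.app: accepted\nsource=Developer ID\n",
    "unsigned": "/Applications/Xcode.app: rejected\nsource=no usable signature\n",
}


if __name__ == "__main__":
    for label, text in SAMPLE_OUTPUTS.items():
        print(f"{label}: {parse_assessment(text)}")
```

Note the "resigned" case: the verdict is still "accepted", so a script that only checks for that word would pass a copy of Xcode signed by an unrelated Developer ID; the source line is the part that matters.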


What's the latest update?

The malicious versions of the apps were removed from the Apple App Store, and the developers have updated them with the security flaws fixed.


~ Tuesday 22 September 2015, 0 comments

MALHEUR - Automatic Analysis of Malware Behavior



Malheur is a tool for the automatic analysis of malware behavior (program behavior recorded from malicious software in a sandbox environment). It has been designed to support the regular analysis of malicious software and the development of detection and defense measures.

Malheur allows for identifying novel classes of malware with similar behavior and assigning unknown malware to discovered classes. It supports four basic actions for analysis which can be applied to reports of recorded behavior:

1. Extraction of prototypes: From a given set of reports, malheur identifies a subset of prototypes representative for the full data set. The prototypes provide a quick overview of recorded behavior and can be used to guide manual inspection.

2. Clustering of behavior: Malheur automatically identifies groups (clusters) of reports containing similar behavior. Clustering allows for discovering novel classes of malware and provides the basis for crafting specific detection and defense mechanisms, such as anti-virus signatures.

3. Classification of behavior: Based on a set of previously clustered reports, malheur is able to assign unknown behavior to known groups of malware. Classification enables identifying novel and unknown variants of malware and can be used to filter program behavior prior to manual inspection.

4. Incremental analysis: Malheur can be applied incrementally for analysis of large data sets. By processing reports in chunks, the run-time as well as memory requirements can be significantly reduced. This renders long-term application of malheur feasible, for example for daily analysis of incoming malware programs.
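The three core actions above (prototype extraction, clustering, classification with rejection of unknown behavior) can be demonstrated on a toy scale. The following added example is not Malheur's code: it embeds constructed behavior reports (sequences of recorded API events) as unit-length bags of 2-grams, picks prototypes greedily so that every report lies within a radius of one of them, clusters by nearest prototype, and classifies new reports against the prototypes, rejecting anything outside the radius. The reports, the radius of 0.8 and the cluster names are assumptions made for the example.

```python
from collections import Counter
from math import sqrt

# Constructed behavior reports: each is the sequence of API events a sandbox
# recorded for one sample (a stand-in for the tool's real report format).
REPORTS = {
    "sample1": ["CreateFile", "WriteFile", "RegSetValue", "CreateProcess"],
    "sample2": ["CreateFile", "WriteFile", "RegSetValue", "CreateProcess", "Sleep"],
    "sample3": ["InternetOpen", "InternetReadFile", "CreateFile", "WriteFile", "CreateProcess"],
    "sample4": ["InternetOpen", "InternetReadFile", "CreateFile", "WriteFile", "Sleep"],
}


def embed(events, q=2):
    """Map a report to a unit-length bag of q-grams of consecutive events."""
    grams = Counter(tuple(events[i:i + q]) for i in range(len(events) - q + 1))
    norm = sqrt(sum(c * c for c in grams.values())) or 1.0
    return {g: c / norm for g, c in grams.items()}


def distance(a, b):
    """Euclidean distance between sparse unit vectors (0 = identical, sqrt(2) = disjoint).
    Rounded so that equal distances compare equal regardless of summation order."""
    keys = set(a) | set(b)
    return round(sqrt(sum((a.get(k, 0.0) - b.get(k, 0.0)) ** 2 for k in keys)), 9)


def extract_prototypes(vectors, radius):
    """Greedy prototype extraction: repeatedly pick the report farthest from all
    prototypes chosen so far until every report lies within `radius` of one.
    Returns the indices of the chosen prototypes."""
    prototypes = [0]
    nearest = [distance(v, vectors[0]) for v in vectors]
    while max(nearest) > radius:
        far = max(range(len(vectors)), key=nearest.__getitem__)
        prototypes.append(far)
        nearest = [min(d, distance(v, vectors[far])) for d, v in zip(nearest, vectors)]
    return prototypes


def cluster(vectors, prototypes):
    """Assign each report to its nearest prototype; the cluster id is the
    prototype's position in `prototypes`."""
    return [min(range(len(prototypes)), key=lambda j: distance(v, vectors[prototypes[j]]))
            for v in vectors]


def classify(vector, prototype_vectors, names, radius):
    """Assign an unknown report to the nearest known cluster, or reject it as
    'unknown' when no prototype lies within `radius`."""
    best = min(range(len(prototype_vectors)), key=lambda j: distance(vector, prototype_vectors[j]))
    if distance(vector, prototype_vectors[best]) > radius:
        return "unknown"
    return names[best]


def analyze(reports=REPORTS, radius=0.8):
    """Run prototype extraction and clustering; return a summary for inspection."""
    ids = list(reports)
    vectors = [embed(reports[i]) for i in ids]
    protos = extract_prototypes(vectors, radius)
    labels = cluster(vectors, protos)
    return {
        "prototypes": [ids[p] for p in protos],
        "clusters": {ids[i]: labels[i] for i in range(len(ids))},
        "prototype_vectors": [vectors[p] for p in protos],
    }


def classify_report(events, summary, names, radius=0.8):
    """Classify a new report against the prototypes found by analyze()."""
    return classify(embed(events), summary["prototype_vectors"], names, radius)


if __name__ == "__main__":
    summary = analyze()
    print("prototypes:", summary["prototypes"])
    print("clusters:", summary["clusters"])
    # An analyst names the discovered clusters after inspecting the prototypes.
    names = {0: "dropper", 1: "downloader"}
    new = ["CreateFile", "WriteFile", "RegSetValue", "RegSetValue", "CreateProcess"]
    print("new variant ->", classify_report(new, summary, names))
    print("sleeper ->", classify_report(["Sleep", "Sleep", "Sleep"], summary, names))
```

With these inputs the greedy pass selects sample1 and sample3 as prototypes, the two file-dropping reports and the two downloading reports fall into separate clusters, a new variant that repeats a registry write lands in the dropper cluster, and a report consisting only of sleeps is rejected as unknown rather than forced into a cluster.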

A detailed description of these techniques as well as technical background on analysis of malicious software is provided in the following articles:

  • Konrad Rieck, Philipp Trinius, Carsten Willems, and Thorsten Holz. "Automatic Analysis of Malware Behavior using Machine Learning." Journal of Computer Security (JCS), 19(4):639-668, 2011.
  • Philipp Trinius, Carsten Willems, Thorsten Holz, and Konrad Rieck. "A Malware Instruction Set for Behavior-Based Analysis." Technical Report TR-2009-07, University of Mannheim, 2009.

Dependencies
  • libconfig >= 1.4, http://www.hyperrealm.com/libconfig/
  • libarchive >= 2.70, http://libarchive.github.com/

Debian & Ubuntu Linux

The following packages need to be installed for compiling Malheur on Debian and Ubuntu Linux

gcc
libconfig9-dev
libarchive-dev

For bootstrapping Malheur from the GIT repository or manipulating the automake/autoconf configuration, the following additional packages are necessary.

automake
autoconf
libtool

Mac OS X

For compiling Malheur on Mac OS X a working installation of Xcode is required including gcc. Additionally, the following packages need to be installed via Homebrew

libconfig
libarchive (from homebrew-alt)

OpenBSD

For compiling Malheur on OpenBSD the following packages are required. Note that you need to use gmake instead of make for building Malheur.

gmake
libconfig
libarchive

For bootstrapping Malheur from the GIT repository, the following additional packages need to be installed:

autoconf
automake
libtool

Compilation & Installation

From GIT repository first run

$ ./bootstrap

From tarball run

$ ./configure [options]
$ make
$ make check
$ make install

Options for configure

--prefix=PATH           Set directory prefix for installation

By default Malheur is installed into /usr/local. If you prefer a different location, use this option to select an installation directory.

License
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed without any warranty. See the GNU General Public License for more details.

Copyright
Copyright (c) 2009-2015 Konrad Rieck (konrad@mlsec.org), University of Goettingen, Berlin Institute of Technology

Download

~ Friday 4 September 2015, 0 comments

Hackers Use iOS Malware "KeyRaider" And Steal 225,000 Apple Accounts From Jailbroken Devices


The cyber security research firm Palo Alto Networks found an iOS malware family called KeyRaider, which has stolen 225,000 Apple accounts.

KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads.

The attack was first discovered by i_82, a student from Yangzhou University and member of WeipTech. WeipTech (Weiphone Tech Team) is an amateur technical group consisting of users from Weiphone – one of the largest Apple fans websites in China. Previously, WeipTech cooperated with us to report on other iOS and OS X malware including AppBuyer and WireLurker.

Palo Alto Networks, in cooperation with WeipTech, identified 92 samples of a new iOS malware family called "KeyRaider".

KeyRaider was distributed through Cydia in China, but it has affected users in other countries as well, including France, Russia, Japan, the United Kingdom, the United States, Canada, Germany, Australia, Israel, Italy, Spain, Singapore, and South Korea.

Where the Malicious Code Exists
The KeyRaider malicious code exists in Mach-O dynamic libraries that are used as plugins for the MobileSubstrate framework. Through MobileSubstrate APIs, the malware can hook arbitrary APIs in system processes or in other iOS apps.

  • Stealing the Apple account (user name and password) and device GUID
  • Stealing certificates and private keys used by the Apple Push Notification Service
  • Preventing the infected device from being unlocked by passcode or by the iCloud service
  • In addition to stealing Apple accounts to buy apps, KeyRaider also has built-in functionality to hold iOS devices for ransom.

How to Protect?
Users can use the following method to determine by themselves whether their iOS devices were infected:

  1. Install the OpenSSH server through Cydia.
  2. Connect to the device through SSH.
  3. Go to /Library/MobileSubstrate/DynamicLibraries/ and grep all files under this directory for these strings:
  • wushidou
  • gotoip4
  • bamu
  • getHanzi

If any dylib file contains any one of these strings, we urge users to delete it and delete the plist file with the same filename, then reboot the device.

We also suggest all affected users change their Apple account password after removing the malware, and enable two-factor verification for Apple IDs.

Next time you consider jailbreaking your iOS device, think first: KeyRaider only affects jailbroken iOS devices.

Source: Palo Alto Networks
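The manual grep in steps 1-3 can be automated once you have SSH access to the device. The following added example (not Palo Alto Networks' code) scans every .dylib in the MobileSubstrate plugin directory for the four indicator strings above and pairs each hit with the .plist of the same name, which the removal advice says must be deleted along with the library. When the directory is absent (e.g. when run on a desktop), it falls back to a constructed sample directory; the sample libraries, their plist contents and the tweak names are made up for the example, and it assumes a Python interpreter is available where it is run.

```python
import os
import tempfile

# Plugin directory on a jailbroken device and the indicator strings
# published for KeyRaider (both taken from the text above).
DYLIB_DIR = "/Library/MobileSubstrate/DynamicLibraries"
INDICATORS = [b"wushidou", b"gotoip4", b"bamu", b"getHanzi"]


def find_keyraider_dylibs(directory: str) -> list:
    """Scan every .dylib in `directory` for the indicator strings and pair each
    hit with the .plist of the same basename. Returns one dict per flagged dylib."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".dylib"):
            continue
        path = os.path.join(directory, name)
        with open(path, "rb") as fh:
            data = fh.read()
        matched = [s.decode() for s in INDICATORS if s in data]
        if not matched:
            continue
        plist = os.path.splitext(name)[0] + ".plist"
        findings.append({
            "dylib": name,
            "plist": plist if os.path.exists(os.path.join(directory, plist)) else None,
            "matched": matched,
        })
    return findings


# Constructed sample plugin directory: one harmless tweak and one library
# carrying two of the indicators. The leading bytes are the Mach-O 64-bit
# magic; the plist bodies imitate MobileSubstrate filter files.
SAMPLE_DIR = {
    "com.example.cleantweak.dylib": b"\xcf\xfa\xed\xfe" + b"\x00" * 12 + b"CleanTweak",
    "com.example.cleantweak.plist": b'{ Filter = { Bundles = ( "com.apple.springboard" ); }; }',
    "com.example.suspect.dylib": b"\xcf\xfa\xed\xfe" + b"\x00" * 12 + b"gotoip4\x00bamu\x00",
    "com.example.suspect.plist": b'{ Filter = { Bundles = ( "com.apple.UIKit" ); }; }',
}


def demo() -> list:
    """Write the constructed directory to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, content in SAMPLE_DIR.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return find_keyraider_dylibs(root)


if __name__ == "__main__":
    hits = find_keyraider_dylibs(DYLIB_DIR) if os.path.isdir(DYLIB_DIR) else demo()
    if not hits:
        print("no KeyRaider indicators found")
    for hit in hits:
        print(f"{hit['dylib']} contains {hit['matched']}; remove it and {hit['plist']}, then reboot")
```

The script only reports; deleting the files is left to the user, as in the original advice, so that a false positive on a legitimate tweak does not silently break the device.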


~ Monday 31 August 2015, 0 comments

Malvertising Hits 10 Million In 10 Days You Might Be Under Attack While Surfing The Web





Even many advertising companies don't know that they are serving malware ads.

How does it happen?
When an advertiser contacts an advertising company, most companies do not check the advertising scripts the advertiser attaches in the back-end. Websites regularly fall victim to malvertising, and their visitors get infected, because attackers use these tricks to hide their malware inside advertisements.

(Image: Malvertising Example 1)

(Image: Malvertising Example 2)



According to Cyphort:

Malvertising attack is still going strong, using SSL redirector at https://ads.us.e-planning.net.
In the last 10 days, Cyphort Labs found many more infected domains – they are listed below. Please refrain from going to these sites as they are dangerous.

We have notified e-planning.net about this issue and they are actively working to resolve it. At least 10 million people have visited these websites and were potentially exposed to the Angler exploit kit in the last 10 days according to our estimates and data from Similar Web.


How can we protect ourselves from malware ads?

By using AdBlock Plus.

  • Surf the web without annoying ads!
  • Can block tracking, malware domains, banners, pop-ups and video ads - even on Facebook and YouTube
  • Unobtrusive ads aren't being blocked in order to support websites (configurable)
  • It's free! (GPLv3)



~ Tuesday 28 July 2015, 0 comments

Android Phones Can Be Hacked With Just A Text Message






Yes, you heard it right!


About 990 million Android phones could be hacked with just a simple text. This is one of the biggest smartphone flaws ever found.


The security research company Zimperium claims to have found a bug that allows tapping into the world's most popular mobile platform. The hack relies on a flaw in Stagefright, a core Android component and media playback service built into Android that is used to process, record and play multimedia files.

This security hole puts 990 million Android devices at risk, and that is truly a huge number of smartphones. In 2014, more than 1 billion Android phones shipped throughout the world, according to the research firm Strategy Analytics, which expects the number to go up in 2015 and beyond. Zimperium termed Stagefright the "Mother of all Android vulnerabilities". In this attack, the victim would not need to make any mistake, such as opening an attachment or downloading a corrupt file: the malicious code would take over instantly, the moment the text message is received. You may not even see anything.

Once the attackers get in, Drake says, they would be able to do anything — copy or delete data, take control of your camera and microphone to monitor your every move. "It's really up to their imagination what they do once they get in," he said.

Joshua Drake, VP of platform research and exploitation at the mobile security firm Zimperium, reported the flaw to Google earlier this year, but he said that most manufacturers have not made fixes available to their user base to date.

All the bugs have been assigned CVE numbers, which are used to identify severe vulnerabilities: CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828 and CVE-2015-3829. When the disclosure lands today, security researchers and attackers could have enough information to get cracking on exploits. Manufacturers have been asked to ship patches as soon as possible to protect their consumers against this flaw.

Drake, who deserves much credit for his work in addressing and fixing the issues, will disclose the full details at the Black Hat and DEF CON security events taking place in Las Vegas next week.



~ Monday 27 July 2015, 0 comments

Maldroid Framework To Extract Actionable Data From Android Malware




Maldrolyzer
Simple framework to extract "actionable" data from Android malware (C&Cs, phone numbers etc.)

Installation
You have to install the following packages before you start using this project:

Androguard (https://github.com/androguard/androguard)
PyCrypto (easy_install pycrypto)
pyelftools (easy_install pyelftools)
yara (easy_install yara)

Architecture
The idea is really simple and modular. The project has a couple of directories, which host your static analysis or output processing code:

plugins - this is where the code responsible for malware identification and data extraction lives. Every class has to inherit from the Plugin class from templates.
The recon method identifies the malware: put there all the code you need to make sure you can extract the data. The extract method does the actual extraction. There is no specific format for the extracted data, but it's good to keep it in a Python dictionary, so that the output processors can read it in a uniform way.

processing - this is where you put classes that inherit from the OutputProcessor class. They are invoked after the data extraction and receive the extracted info.
The process method takes the data and produces some kind of result (e.g. adds a file or C&C to your database, checks if the C&C is live, etc.).
If you want to contribute, write a plugin that decodes some new malware family. It's easy, just look at the existing plugins.
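To show how the recon/extract plugin split and the output processors fit together, here is an added example that is not Maldrolyzer's own code. It defines the two base classes, a decoder for a hypothetical family called "fakebot" (its marker string, XOR key and config layout are invented for the example), a collecting output processor standing in for "add the C&C to your database", and a driver that hashes the sample the way the usage output below does. The sample "binary" is constructed in build_fakebot_sample(); no real malware is involved.

```python
import hashlib


class Plugin:
    """Base class for a family decoder, mirroring the recon/extract split
    described above."""
    name = "base"

    def recon(self, sample: bytes) -> bool:
        """Return True if `sample` belongs to this plugin's malware family."""
        raise NotImplementedError

    def extract(self, sample: bytes) -> dict:
        """Return the actionable data (C&Cs, phone numbers, ...) as a dict."""
        raise NotImplementedError


class OutputProcessor:
    """Base class for consumers of the extracted data."""

    def process(self, data: dict) -> None:
        raise NotImplementedError


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


class FakeBotPlugin(Plugin):
    """Decoder for the hypothetical family 'fakebot' (constructed for this
    example): its config block is MARKER followed by two length-prefixed
    strings XOR-ed with a single-byte key, the C&C URL and a phone number."""
    name = "fakebot"
    MARKER = b"FAKEBOT-CFG"
    KEY = 0x2A

    def recon(self, sample: bytes) -> bool:
        return self.MARKER in sample

    def extract(self, sample: bytes) -> dict:
        pos = sample.index(self.MARKER) + len(self.MARKER)
        fields = []
        for _ in range(2):
            length = sample[pos]
            fields.append(xor_bytes(sample[pos + 1:pos + 1 + length], self.KEY).decode())
            pos += 1 + length
        return {"c2": [fields[0]], "phone_numbers": [fields[1]]}


class CollectProcessor(OutputProcessor):
    """Stand-in for 'add the C&C to your database': keeps results in memory."""

    def __init__(self):
        self.seen = []

    def process(self, data: dict) -> None:
        self.seen.append(data)


PLUGINS = [FakeBotPlugin()]


def analyze(sample: bytes, processors=()) -> dict:
    """Hash the sample, let the first plugin that recognises it extract its
    data, then hand the combined result to every output processor."""
    result = {algo: hashlib.new(algo, sample).hexdigest()
              for algo in ("md5", "sha1", "sha256", "sha512")}
    result["malware"] = None
    for plugin in PLUGINS:
        if plugin.recon(sample):
            result["malware"] = plugin.name
            result.update(plugin.extract(sample))
            break
    for proc in processors:
        proc.process(result)
    return result


def build_fakebot_sample(c2: str, phone: str) -> bytes:
    """Constructed stand-in for a native library inside an APK that carries
    a fakebot config block."""
    cfg = FakeBotPlugin.MARKER
    for field in (c2, phone):
        enc = xor_bytes(field.encode(), FakeBotPlugin.KEY)
        cfg += bytes([len(enc)]) + enc
    return b"\x7fELF" + b"\x00" * 16 + cfg + b"\x00" * 8


if __name__ == "__main__":
    import pprint
    sink = CollectProcessor()
    sample = build_fakebot_sample("http://c2.example.invalid/gate.php", "+10000000000")
    pprint.pprint(analyze(sample, [sink]))
    print("records stored:", len(sink.seen))
```

Because recon() runs before extract(), a plugin can afford an expensive or fragile decoder: it is only invoked on samples the cheap fingerprint has already matched, and an unrecognised sample still yields the hash record with "malware" set to None.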

Usage

So, you have an APK sample and you don't know what it is or where the C&C is? Type:

python maldrolyzer.py [sample_path]

If maldrolyzer knows the malware family it will display some useful information like:

{'c2': ['http://esaphapss.net/bn/save_message.php'],
 'malware': 'xbot007',
 'md5': 'ce17e4b04536deac4672b98fbee905e0',
 'sha1': 'a48a2b8a5e1cae168ea42bd271f5b5a0c65f59a9',
 'sha256': 'c3a24d1df11baf2614d7b934afba897ce282f961e2988ac7fa85e270e3b3ea7d',
 'sha512': 'a47f3db765bff9a8d794031632a3cf98bffb3e833f90639b18be7e4642845da2ee106a8947338b9244f50b918a32f1a6a952bb18a1f86f8c176e81c2cb4862b9'}

Download

~ Monday 13 April 2015, 0 comments