
Yahoo malware transformed PCs into Bitcoin miners


January 9, 2014


According to Light Cyber, an internet security company, several malicious ads served to Yahoo surfers were designed to convert personal computers and laptops into a powerful Bitcoin mining operation.

The cybercriminals who infected the computers of European Yahoo users apparently wanted to create a very large Bitcoin network that could have yielded several million dollars in the virtual currency.

Researchers at Light Cyber revealed this week that one of the malware programs aimed to use the resources of infected PCs to perform the complex calculations necessary to run a Bitcoin network.

Reported earlier this month by fellow security firm Fox IT, the campaign spread its package by using Yahoo's ad server to deploy malicious ads. The malware took advantage of security vulnerabilities in Java to install itself on computers that visited the site.

Light Cyber founder Giora Engel says that his company detected the attack in its customers' networks four days before it was publicly known and reported by Fox IT.

Engel explained how the firm learned of the malware-- "Many of our customers share threat intelligence with our Magna Cloud, so our research lab noticed this unknown malware and attack campaign coming from our customers' networks and investigated the specific case. As part of the investigation, we found a few tools that were downloaded by the malware. This specific attack campaign incorporated a variety of different monetization techniques using a variety of malwares."

The attackers made sure they exploited each of the millions of infected machines to its full extent by employing Bitcoin miners, WebMoney wallet hackers, personal information extraction, banking information extraction, and various generic remote access tools.

Engel added that Light Cyber detected a portion of the infected computers talking to Bitcoin mining pools on the Web, a sign that they were actually being used for mining.

He also explained how Bitcoin mining works-- "Bitcoin mining is a complex, computationally intensive process that gets harder and harder in time. Bitcoin is mined in several blocks, and since it takes a lot of computing power to mine a block, the miners join forces and form mining pools or bitcoin mining networks in which each one participates with his computing power and gets in return his share of the revenue. In our case, the malware author would be the sole beneficiary of the mining efforts."

To be sure, Bitcoin mining on just a few PCs is not usually worth the effort, Engel added, because the electrical cost of operating the computer is higher than the revenue garnered from the mining itself.

But the malware author stole the computing resources of the affected machines and did it in such large numbers as to turn a profit from the operation.
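To show how the pool traffic Light Cyber observed could be spotted on a perimeter proxy, here is an added example (not Light Cyber's code or this site's) that scans constructed connection-log lines for Stratum mining-pool sessions; the log format, the port list and the sample hosts are assumptions.

```python
"""Scan outbound-connection log lines for Stratum mining-pool sessions.
Log format is constructed for this example: one connection per line as
"src=<ip> dst=<ip> dport=<port> payload=<first line the client sent, or empty>".
"""
import json
from collections import defaultdict

# Stratum (the pool protocol) is JSON-RPC over TCP; these are its method names.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}
# Ports pools commonly listen on (assumption; a weak signal on its own).
POOL_PORTS = {3333, 3334, 4444}

SAMPLE_LOG = """\
src=10.0.0.12 dst=203.0.113.10 dport=3333 payload={"id":1,"method":"mining.subscribe","params":[]}
src=10.0.0.12 dst=203.0.113.10 dport=3333 payload={"id":2,"method":"mining.authorize","params":["w1","x"]}
src=10.0.0.7 dst=198.51.100.5 dport=443 payload=
src=10.0.0.9 dst=203.0.113.44 dport=4444 payload=
"""

def parse_line(line):
    """Split a key=value line; payload comes last so it may itself contain '='."""
    rec = dict(field.split("=", 1) for field in line.split(" ", 3))
    rec["dport"] = int(rec["dport"])
    return rec

def stratum_method(payload):
    """Return the JSON-RPC method name if the payload parses as one, else None."""
    try:
        return json.loads(payload).get("method")
    except (ValueError, AttributeError):  # not JSON, or JSON that is not an object
        return None

def connection_reasons(rec):
    """Evidence for one connection: protocol match is strong, port match is weak."""
    reasons = []
    method = stratum_method(rec.get("payload", ""))
    if method in STRATUM_METHODS:
        reasons.append("stratum:" + method)
    if rec["dport"] in POOL_PORTS:
        reasons.append("pool-port:%d" % rec["dport"])
    return reasons

def find_miners(log_text):
    """Map each source host to (verdict, reasons); only a protocol match confirms."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        hits[rec["src"]].extend(connection_reasons(rec))
    result = {}
    for src, reasons in hits.items():
        if reasons:
            verdict = "confirmed" if any(r.startswith("stratum:") for r in reasons) else "suspect"
            result[src] = (verdict, sorted(set(reasons)))
    return result
```

A port-only hit is worth a look but not a verdict, since many legitimate services also use those ports.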

The malware attack reportedly lasted from December 31 through January 3, when Yahoo took down the malicious ads. On Saturday, Yahoo acknowledged the issue through the following statement-- "At Yahoo, we take the security and privacy of our users very seriously. On Friday, January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines, specifically they spread malware. We promptly removed those advertisements. Users in North America, Asia Pacific and Latin America were not served these advertisements and were not affected. Additionally, users using Macs and mobile devices were not affected."

So far, Yahoo hasn't revealed any details on the infected computers or publicly advised affected users on what they should do. But security firm Surfright shed a bit more light on the situation.

Not every ad on the Yahoo advertisement network contained the malicious iFrame, but if you have an outdated version of Java Runtime and you used Yahoo Mail in the last 6 days, then your computer is most likely infected.

In other internet security news

Yahoo site visitors over the last few days have been served with malware via the Yahoo ad network.

According to an internet security company based in the Netherlands, users clicking on some of the ads were redirected to sites armed with malware code that exploits security vulnerabilities in Java and then installs a variety of different malware.

In a blog post, Fox IT estimated that, based on sample traffic, the site carrying the malicious code was visited around 300,000 times per hour.

"Given a typical infection rate of about 9 percent, this would result in around 27,000 infections every hour. Based on the same sample, the countries most affected by the exploit malware are Romania, Britain and France.

At this time, it's still unclear why those countries are most affected; it is likely due to the configuration of the malicious advertisements on Yahoo," Fox IT said on its blog.

The security firm found evidence that the redirects go to domains hosted in the Netherlands, but was unable to identify the perpetrators. Traffic to the exploit has slowed, Fox IT noted, suggesting that Yahoo is addressing the security vulnerability.

Yahoo confirmed the presence of malware on its servers and said it had taken steps to combat the issue.

"We recently identified an ad designed to spread malware to some of our users," Yahoo said in a statement.

"We immediately removed it and will continue to monitor and block any ads being used for this activity," Yahoo added.

In other internet security news

A security blog post from Trend Micro warns that hackers in the wild have brewed up a variant of the now infamous CryptoLocker ransomware that uses worm-like features to spread itself even faster across removable drives.

The recently discovered Crilock-A variant can spread more easily than previous forms of CryptoLocker, and faster as well, making it something that system admins need to look at seriously.

This latest find is also notable because it comes under previously unseen disguises, such as fake Adobe Photoshop and Microsoft Office software activators that have been seeded on P2P sites.

Analysis of the malware, detected as Worm_Crilock.A, shows that this virus can spread via removable drives. This update is considered significant because this routine was unheard of in other CRILOCK variants.

The addition of software propagation routines means that the malware can easily spread, unlike other known CRILOCK variants. Aside from its unique propagation techniques, the new malware bears numerous differences from known CryptoLocker variants.

Rather than relying on a downloader malware to infect systems, this malware pretends to be an activator for various software such as Adobe Photoshop and Microsoft Office in peer-to-peer (P2P) file sharing sites.

Uploading the malware in P2P sites allows bad guys to easily infect systems without the need to create and send spammed messages.

CryptoLocker, the Bitcoin demanding ransomware menace, has infected as many as a quarter of a million computers since it first surfaced in September 2013, according to research from Dell SecureWorks’ Counter Threat Unit.

Earlier versions of the CryptoLocker typically arrived in email as an executable file disguised as a PDF, packed into a .zip attachment.

A spam run targeting millions of U.K. consumers prompted a warning from the British National Crime Agency back in November. Only Windows computers can be infected by the malware.

If it successfully executes itself, CryptoLocker encrypts the contents of a hard drive and any connected LAN drives before demanding payment of up to 2 Bitcoins (payable within 72 hours) for a private key needed to decrypt the data.

The malware uses a well-designed combination of 256-bit AES and 2048-bit RSA encryption technology which means that without backups, victims have little choice but to pay up if they ever want to see their data again.

For now, it's still unclear whether the latest worm-like variant is a copycat or the work of the original CryptoLocker crew. The latest variant uses hardcoded command and control nodes and does not use domain generation algorithm (DGA) routines to create multiple potential command points, a more sophisticated feature common in earlier variants.

"Hardcoding the URLs makes it easier to detect and block the related malicious URLs," explained Trend Micro researchers Mark Manahan and Jimelle Monteser.

"DGA, on the other hand, may allow cybercriminals to evade detection as it uses a large number of potential domains. This could mean that the malware is still in the process of being refined and improved upon. Thus, we can expect latter variants to have the DGA capability."

Trend Micro's blog entry, Defending Against CryptoLocker, outlines various ways of protecting a computer and a network against CryptoLocker malware.
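The detection trade-off Manahan and Monteser describe can be shown in code. This added example (not Trend Micro's) runs two checks over constructed DNS log lines: a blocklist for hardcoded command-and-control names, and a name-shape heuristic plus NXDOMAIN count for DGA output; the log format, placeholder domains and thresholds are assumptions.

```python
"""Two DNS-log checks, one per C2 style: blocklist for hardcoded names,
name-shape heuristic plus NXDOMAIN count for DGA output.
Log lines (constructed) are "<client_ip> <queried_name> <rcode>".
"""
import math
import re
from collections import Counter, defaultdict

C2_BLOCKLIST = {"c2-placeholder.example", "update-placeholder.example"}  # placeholders
VOWELS = set("aeiou")
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 c2-placeholder.example NOERROR
10.0.0.8 xkqjzvbwtrmpyhg.net NXDOMAIN
10.0.0.8 qwfpdtgzxlnvbk.org NXDOMAIN
10.0.0.8 zpvtrkwmdbnqhgf.com NOERROR
10.0.0.9 softwareupdates.example NOERROR
"""

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registrable_label(name):
    """Label left of the TLD; naive split that assumes a one-label suffix."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(name):
    """Long, high-entropy label with few vowels or a five-consonant run."""
    label = registrable_label(name)
    letters = [ch for ch in label if ch.isalpha()]
    if len(label) < 10 or not letters or shannon_entropy(label) < 3.0:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters)
    return vowel_ratio < 0.25 or re.search(r"[b-df-hj-np-tv-z]{5}", label) is not None

def triage_dns_log(log_text, dga_threshold=3):
    """Return {client: verdict} for clients worth a look (thresholds are assumptions)."""
    per_client = defaultdict(lambda: {"blocklist": [], "dga": [], "nx": 0})
    for line in log_text.splitlines():
        client, name, rcode = line.split()
        rec = per_client[client]
        if name.lower() in C2_BLOCKLIST:
            rec["blocklist"].append(name)
        if looks_generated(name):
            rec["dga"].append(name)
            rec["nx"] += int(rcode == "NXDOMAIN")  # unregistered names are the DGA tell
    verdicts = {}
    for client, rec in per_client.items():
        if rec["blocklist"]:
            verdicts[client] = "known C2 (hardcoded): " + ", ".join(rec["blocklist"])
        elif len(rec["dga"]) >= dga_threshold:
            verdicts[client] = "possible DGA (%d generated-looking names, %d NXDOMAIN)" % (len(rec["dga"]), rec["nx"])
    return verdicts
```

The blocklist check is exact and cheap, which is the point the researchers make; the heuristic is fuzzy and needs the per-client count to keep false positives down.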

In other internet security news

Based on several internal NSA documents, the German newspaper Der Spiegel reports that the National Security Agency installed multiple backdoors to access personal and corporate computers, hard drives, routers, switches and several other electronic devices from companies such as Cisco, Dell, HP, Western Digital, Seagate, Maxtor, Sony and Samsung.

Specifically, the TAO (Office of Tailored Access Operations) is described as a "squad of digital plumbers" that deals with hard targets-- systems that are very difficult to infiltrate.

The TAO has reportedly been responsible for accessing the protected networks of heads of state worldwide. The agency works closely with the CIA and the FBI to undertake sensitive missions, and has successfully penetrated the security of several undersea fiber-optic cables.

The TAO also intercepts the deliveries of several types of electronic equipment to plant spyware devices in an effort to gain remote access to those systems once they are delivered and become operational.

The Der Spiegel report describes a 50-page product catalog of tools and techniques that an NSA division called ANT, which stands for Advanced or Access Network Technology, uses to gain access to several devices.

This follows a report that the security firm RSA intentionally allowed the NSA to create a backdoor into its encryption tokens.

"For nearly every lock, ANT seems to have a key in its toolbox. And no matter what walls companies erect, the NSA's specialists seem already to have gotten past them," the report said.

The ANT department prefers targeting the BIOS-- code on a chip on the motherboard that runs when the machine starts up. The spyware infiltration is largely invisible to other security programs and can persist if a machine is wiped and a new operating system is installed.

With the exception of Dell, the companies cited in the report and contacted by Der Spiegel claimed they had no knowledge of any NSA backdoors into their equipment.

In a blog post Sunday, a Cisco spokesperson wrote-- "At this time, we do not know of any new product security vulnerabilities, and will continue to pursue all avenues to determine if we need to address any new issues. If we learn of a security weakness in any of our products, we will immediately address it."

"As we have stated before, and communicated to Der Spiegel, we do not work with any government to weaken our products for exploitation, nor to implement any so-called security back doors in our products," it added.

The NSA declined to comment on the report but said the TAO was key for national defense. "Tailored Access Operations (TAO) is a unique national asset that is on the front lines of enabling the U.S. NSA to defend the nation and its allies," the agency said in a statement.

"We won't discuss specific allegations regarding the TAO's mission, but its work is centered on computer network exploitation in support of foreign intelligence collection," the NSA added.

The end does not appear to be in sight for the revelations from the documents obtained by Edward Snowden, according to Glenn Greenwald, the journalist who first collaborated with Snowden to publish the material.

In a speech delivered by video to the Chaos Communication Congress (CCC) in Hamburg on Friday, he said, "There are a lot more stories to come, a lot more documents that will be covered. It's important that we understand what it is we're publishing, so what we say about them is accurate."

In other internet security news

In August of this year, Gibson Security, a group of freelance security vulnerability researchers, notified the image search service Snapchat that it had found serious security holes in the system that needed to be addressed quickly.

Having heard absolutely nothing back from Snapchat, the group has now released the details and some security exploit code to back up its claims.

"Given that it's been around four months since our last Snapchat release, we figured we'd do a refresher on the latest version, and see which of the released exploits had been fixed (full disclosure-- none of them)," said the group in a December 24 missive to the internet security community.

Gibson studied Snapchat's Android app, and claims to have found serious security holes in its private API, the interface between the software and the Snapchat servers, which enable an attacker to decode and decrypt received data and then build a database linking various users to their cell numbers.

It appears that photos sent via Snapchat are encrypted using AES and a key hardwired into the application's code, allowing anyone to decrypt and view intercepted images. But separately, DDoS (denial-of-service) attacks are also possible, we're told.

"We were able to crunch through no less than thousand phone numbers-- an entire sub-range in the American number format (XXX) YYY-ZZZZ. All that in approximately just seven minutes on a gigabit line on a virtual server," the report states.

Given some asynchronous code optimizations, we believe that you could potentially crunch through that many in as little as a minute and a half, or, in a worst case scenario, in just two minutes.

This means you'd be railing through as many as 6666 phone numbers a minute, or, in our worst case, 5000. The published exploit code can harvest these phone numbers, and a separate piece can register multiple bogus accounts for spamming purposes, we're told.

Snapchat's application allows its predominantly young user base to send pictures that can be viewed for up to ten seconds before they are permanently deleted. Given the current fad for sexting, and the ensuing moral panic that it has recently inspired, the service has a significant following among those who wish to send sleazy messages to someone.

This crucial young adult market has had venture capitalists valuing the company at roughly $800 million in June 2013, although Evan Spiegel, Snapchat’s 23-year-old co-founder and CEO reportedly turned down a $3 billion offer from Facebook and a $4 billion counter-bid offer from Chinese eCommerce conglomerate Tencent Holdings.

Snapchat's small audience might be young, but it is also very fickle, and if malware can easily use the newly released information, then those kinds of valuation numbers might fall faster than they went up in the first place.

In other internet security news

Target said earlier this morning that hackers have stolen data from some 40 million credit and debit cards of customers who visited its brick-and-mortar stores during the first three weeks of the holiday season, in the second-largest such security breach reported by a major U.S. retailer.

Worse, in terms of the speed at which the hackers were able to access large numbers of credit cards, the data theft was unprecedented.

The whole thing took place in the nineteen days from the day before Thanksgiving to Sunday, in the heart of the annual Christmas holiday sales season that is so vital to all major retailers.

Target, the number three retailer in the United States, said late Thursday that it was working with federal law enforcement and outside experts to prevent similar attacks in the future. It didn't disclose how its systems were compromised, however.

Experts said the incident couldn't have come at a worse time for Target, which is working to boost sales away from rivals in the last week of the holiday shopping season.

Several complaints from angry customers began to surface on social media as they learned of it early Thursday morning. "Most of these attacks are just a cost of doing business," said Mark Rasch, a former U.S. cyber crimes prosecutor.

"But an attack that's targeted against a major retailer during the peak of the Christmas season is much more than that because it undermines confidence," he added.


Source: Yahoo.
