Malware is preinstalled on some Chinese smartphones


June 18, 2014

Internet security startup company G-Data is warning its users about its discovery of malware that is already shipping preinstalled on some Chinese smartphones.

The German research firm said that it followed up on customer tips to study the Star N-9500 mobile phone.

The handsets, sold on eBay and many other online retail sites, are said to be shipped primarily out of China, and can be loosely described as a clone of the Samsung Galaxy S4.

While G-Data said that it has been unable to track down the company behind the N-9500, the security company still believes that one or more organizations are selling the smartphones new with malware bundled in.

G-Data said in its report that researchers have spotted a spyware bundle on handsets being offered for sale in Europe at costs ranging from €130 to €165.

The Android handsets were found to contain a fake copy of the Google Play application and the Uupay Android trojan installed directly in the handset's firmware.

Researchers believe that the malware performs a number of basic spyware functions such as listening in on phone and SMS conversations, reading email messages, and collecting mobile browsing information and account data.

G-Data reported that the infected handset it reviewed was uploading user information to a server in China, though the location of the person(s) actually extracting the data was not known at this time.

The report comes as Android malware continues to increase. Apple CEO Tim Cook recently gloated over a mobile security situation for Android he called a "hellstew" of malware.

Last week, researchers with Kaspersky also noted that malware writers in Russia have been repackaging their ransomware trojans to target mobile phone users in the United States.

China, which has long had a strong market for domestically produced clone hardware and devices, has also seen an underground market for attack tools and services arise in recent years.

In other internet security news

Brace yourself one more time-- a new banking trojan has just been discovered, again. It uses browser hooking schemes to steal data from Internet Explorer, Chrome and Firefox users.

Dubbed Dyreza, it consists of a phishing e-mail (a lesson that's never learned well enough for the approach to fail), and the email message contains what purports to be a zipped document that actually drops the malware payload into the PC, laptop or smartphone.

Danish researchers CSIS say that they've identified various command and control servers, and were able to view money-mule accounts in Latvia associated with the servers.

CSIS also warns that the payload's code segment suggests a future attack is planned, in which the phishing e-mail will purport to be a Flash Player update.

The extra element in Dyreza is that it tries to launch a man-in-the-middle attack to capture what traffic users think is encrypted, and tries to crack two-factor authentication.

An infected user's browser traffic is controlled by the attackers, writes CSIS's Peter Kruse, meaning that attackers “are able to read anything, even SSL traffic in clear text.”

In that manner they will also try to circumvent 2FA. PhishMe, which calls the Trojan Dyre, says the infected user will believe they're establishing SSL sessions, but the “attacker can bypass the SSL mechanism of a web page”.

That's because the malware intercepts user requests and redirects them to IPs the attackers control.

Both PhishMe and CSIS believe it's a new RAT (remote access trojan) rather than another Zeus variant.

So far, CSIS has identified Bank of America, Natwest, Citibank, RBS and Ulsterbank as target institutions, but there may be more as time progresses.

In other internet security news

The University of New South Wales said this morning that it has opened a new cyber-security research centre in Canberra.

The university says it's designed to bring together academia, government, defence and business expertise in a unified manner.

Instead of having students with an interest in computer security practise on anything they can get a network connection to, the ACCS (Australian Centre for Cyber Security) will have a “practise range” for cyber attacks and this will be outside the classified environment.

The University's press release says that the centre “combines expertise from a range of relevant communities-- political, cyber industry, defence, academic, individual and organizational users and the media.”

The ACCS's research specialities are to include “computer and network security, risk management, international politics, ethics, law and big data analytics for internet security”.

In other words, how to hack, how to prevent hacks, when it's okay to hack, and how to see whether a hack has happened in the first place.

The centre is located at the university's Canberra campus in the Australian Defence Force Academy.

In other internet security news

A scientific researcher from the RSA says he has found an entirely new trojan during his investigations of the criminal underground.

To be sure, Eli Marcus says the "Pandemiya" trojan comprises about 25,000 lines of new code. With most malware based on proven platforms, entirely new code is a rarity in the internet security world.

And Pandemiya is very nasty-- it can steal data from forms, create fake web pages and take screen shots to send back to the botmasters who deploy the malware.

Worse, the virus is modular, very pervasive and unique, thanks to its ability to inject itself into all new processes via the Windows security registry function CreateProcess API.

It even has an upgrade path-- Marcus writes that a $1,500 version offers basic functions but a $2,000 version allows .dll file plug-ins to enhance its functionality.

A Facebook attack module is also reportedly in the works. "The advent of a freshly coded new trojan malware application is not too common in the underground," Marcus writes, adding that the modular approach means Pandemiya could become more pervasive in the near future.

Pandemiya can also sign off botnet files, a feat Marcus said helped prevent hijacking and analysis by cops and security personnel.

Dynamically encrypted communications help it to dodge network analysers. Like other trojans, Pandemiya is foisted on machines through exploit kits and drive-by infections that target security vulnerabilities in buggy software such as Java, Silverlight and Flash.

Marcus speculated that the trojan was relatively unknown until now due to its high price and new-kid-on-the-block status compared to the likes of Zeus and Citadel.

The good news is that Pandemiya can easily be removed with a little registry-tweaking and command line action.

In other internet security news

Two young Canadian teenagers have made a mockery of bank security by hacking into an automatic teller machine during a lunch break between classes.

The two 14-year-olds, identified as Caleb Turon and Matthew Hewlett, broke into a Bank of Montreal ATM during school lunch by following an online manual for accessing the machine's administrator functions.

The security charade continued when the pair, after being asked by the bank's head of security for proof of their hack, simply broke back into the machine and printed off information including transaction data, surcharge profits and the total cash held in the unit.

Turon and Hewlett gained access to that data by guessing the administrator password on their first attempt, indicating the ATM had default settings enabled.

The kids took it upon themselves to perform a civic duty by dropping the surcharge for transactions to one cent and changing the welcome display screen to-- "Go away. This ATM has been hacked".

Hewlett told the Winnipeg Sun they did not expect the hack to work. "We thought it would be fun to try it, but we were not expecting it to work," he told the newspaper.

The kids may have discovered one of a handful of websites that contained very detailed documentation explaining how to access administrative functions of ATMs.

Those forums existed ostensibly to help service people to access a variety of ATM makes and models but could be used by criminals or apparently even children to break into the units.

The bank said that customer information was not compromised and it would review security of its ATMs.

In other internet security news

Microsoft has reportedly left Windows 7 exposed by only applying patches to its newest operating system, Windows 8.

Internet security researchers discovered the flaws after they scanned 900 Windows libraries and uncovered a variety of security functions that were updated in Windows 8 but not in Windows 7.

They said that the shortcoming could lead to the discovery of zero day security vulnerabilities.

The missing safe functions were part of Microsoft's dedicated libraries intsafe.h and strsafe.h that help developers combat various attacks.
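To show what such "safe functions" actually guard against, here is an added example in portable C (not Microsoft's intsafe.h or strsafe.h code; the helper names are this example's own): an intsafe-style checked multiply that refuses to wrap, and a strsafe-style bounded copy that always NUL-terminates and fails rather than truncating silently, beside the unchecked arithmetic that makes an undersized allocation possible.

```c
#include <stdint.h>
#include <string.h>

/* Portable stand-ins for the kind of helpers intsafe.h and strsafe.h
 * provide. Names are this example's own, not Microsoft's. */

/* intsafe-style checked multiply: returns 1 and stores the product in
 * *out only if a*b fits in size_t, otherwise returns 0 and leaves *out
 * untouched. The bug this prevents is count * elem_size wrapping to a
 * small number before it reaches malloc(). */
int checked_mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;                      /* would overflow */
    *out = a * b;
    return 1;
}

/* Unchecked version for contrast: the size silently wraps, so a later
 * copy of 'count' elements runs past the buffer that was allocated.
 * Only computes the wrapped value; it does not allocate or write. */
size_t unchecked_alloc_size(size_t count, size_t elem)
{
    return count * elem;               /* wraps modulo SIZE_MAX + 1 */
}

/* strsafe-style bounded copy (StringCchCopy-like semantics):
 * dst is always NUL-terminated when dst_size > 0, and the call fails
 * (returns 0) instead of truncating, unlike strncpy, which can leave
 * dst unterminated when src does not fit. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n;
    if (dst_size == 0)
        return 0;
    n = strlen(src);
    if (n >= dst_size) {
        dst[0] = '\0';                 /* deterministic state on failure */
        return 0;
    }
    memcpy(dst, src, n + 1);           /* includes the terminator */
    return 1;
}
```

The checked variants return a status the caller must test; an absent safe function means the wrapping or truncation happens silently, which is why the Windows 7 gap matters.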

Researcher Moti Joseph speculated that Microsoft had not applied the fixes to Windows 7 to save money.

"Why is it that Microsoft inserted a safe function into Windows 8 but not Windows 7? The answer is money-- Microsoft does not want to waste development time on older operating systems and they want people to move to higher operating systems," Joseph said in a presentation at the Troopers 2014 Conference.

Microsoft has been contacted for comment, and we are still waiting to hear from the company. Together with malware analyst Marion Marschalek, Joseph developed a capable tool dubbed DiffRay which compares Windows 8 with Windows 7 and logs any safe functions absent in the older platform.

"It was scary simple," Marschalek said, "and it was also faster than finding security vulnerabilities by hand."

Security technicians could then probe those functions to identify the vulnerabilities and various exploits that could be done by potential hackers.

In a demonstration of DiffRay, the researchers found four safe functions that were present in Windows 8 but missing from Windows 7.

"If we get one zero-day from this project, it's worth it," Joseph said. Future work will extend DiffRay's capabilities to find potential security vulnerabilities in Windows 8.1, add intelligence to trace input values for various functions and then incorporate even more intelligent signatures used to find potential security flaws. Duplicates and abundant false positives in the current version would also be ironed out.

Source: G-Data.
