Time to remove Quicktime?

If the various installer popups haven’t annoyed you enough to pull the trigger on removing this software, the latest warning from the US Department of Homeland Security may push you over the edge.

As US-CERT also reports, Apple has ended support for QuickTime on Windows while zero-day vulnerabilities in QuickTime have been announced. Time to remove it if you don’t have any corporate need for it.

XcodeGhost iOS malware

The “most secure” mobile operating system and app store is taking some hits.

Over the last handful of days it has been discovered that hundreds and perhaps thousands of apps created for iOS and approved for the App Store may also contain trojan code, inserted through the libraries of a modified copy of Apple’s Xcode development tool. The authors of XcodeGhost were able to communicate with affected apps without the app developers’ knowledge and possibly siphon off user and device information.

For more, check out Lookout’s blog post XcodeGhost Apps, which lists a number of confirmed affected apps and a number that may also be affected.

New “Porn App” takes pictures of users for blackmail

A new app called “Adult Player”, not available from any reputable app store, was identified by Zscaler as: a) not delivering the porn the user was expecting, b) stealthily taking pictures of the user, and c) threatening to post the pictures, along with the user’s porn-seeking activity, online, or else lock the phone on the user.

Currently the app has failed to pass muster at the Google Play store, but it has been found available for direct download online. Unlike with many other ransomware products out there, users who pay the $500 are also not getting their phone or data unlocked.

How Not to Start a Security/Encryption Company

An interesting take by Krebs on the failings of a startup called Secure Channels Inc., yet another company that was very reluctant to share its source code for review but very willing to promote its product as unbreakable.

I’m looking forward to similar discussions on other security/encryption products such as Symphony’s secure messaging platform, which, while much less boastful, hasn’t opened up their technology either. Fortunately for us, the NYS Department of Financial Services is at least looking into them.

PDFs in .DOC and now .DOC in PDFs

Phishing and malware email campaigns have taken to new tactics to try to avoid detection by malware analysis tools such as FireEye and their ilk. The latest tactic is to embed one document type inside another. Over the last few weeks it was embedding things inside Word docs; today we have begun to see evidence of Word docs embedded in PDFs.

Check out: link 1 which embeds link 2 (and at VirusTotal)
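The embedded-document tactic above leaves a trace in the PDF’s own object structure: every attachment lives in a stream object typed /EmbeddedFile. The detector below is an added example, not code from the original post or from any vendor mentioned here; it scans a PDF’s raw bytes for such streams, inflates Flate-compressed ones, and identifies the attachment by its leading magic bytes. The PDF it inspects is constructed inline for illustration and is not a real lure.

```python
import re
import zlib

# Leading bytes of container formats commonly smuggled inside PDFs.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 (legacy .doc/.xls/.ppt)",
    b"PK\x03\x04": "ZIP (Office Open XML .docx/.xlsx)",
}

def find_embedded_files(pdf: bytes) -> list:
    """Return (payload type, decoded size) for every /EmbeddedFile stream in the raw bytes."""
    # Raw scan rather than cross-reference walk: unreferenced or appended objects still show up.
    findings = []
    for m in re.finditer(rb"/Type\s*/EmbeddedFile", pdf):
        obj_start = pdf.rfind(b" obj", 0, m.start())   # enclosing "N G obj"
        kw = pdf.find(b"stream", m.end())              # the "stream" keyword
        end = pdf.find(b"endstream", kw)
        if min(obj_start, kw, end) < 0:
            continue                                   # malformed object, skip it
        body_start = kw + len(b"stream")
        body_start += 2 if pdf.startswith(b"\r\n", body_start) else 1  # EOL after keyword
        body = pdf[body_start:end]                     # still carries the EOL before endstream
        if b"/FlateDecode" in pdf[obj_start:kw]:       # the usual stream compression
            try:   # decompressobj() tolerates the trailing EOL (it lands in unused_data)
                body = zlib.decompressobj().decompress(body)
            except zlib.error:
                findings.append(("undecodable stream", len(body)))
                continue
        else:
            body = body[:-2] if body.endswith(b"\r\n") else body[:-1]
        kind = next((n for mg, n in MAGIC.items() if body.startswith(mg)), "unknown")
        findings.append((kind, len(body)))
    return findings

def office_attachments(pdf: bytes) -> list:
    """The findings worth alerting on: Office containers riding inside the PDF."""
    return [f for f in find_embedded_files(pdf) if f[0] != "unknown"]

def build_sample_pdf() -> bytes:
    """Constructed sample, not a real lure: an uncompressed .doc header and a Flate-compressed .docx header."""
    doc = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504      # 512-byte OLE2 header sector
    docx = b"PK\x03\x04" + b"[Content_Types].xml" + b"\x00" * 40   # 63 bytes before compression
    def stream_obj(num: int, extra: bytes, body: bytes) -> bytes:
        return (b"%d 0 obj\n<< /Type /EmbeddedFile %s/Length %d >>\nstream\n"
                % (num, extra, len(body)) + body + b"\nendstream\nendobj\n")
    return (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n" + stream_obj(2, b"", doc)
            + stream_obj(3, b"/Filter /FlateDecode ", zlib.compress(docx))
            + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
```

Run against a captured sample with `office_attachments(open(path, "rb").read())`; an empty list means no Office container was found in a plain /EmbeddedFile stream, not that the file is clean.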

Terracotta: legitimate VPN or APT source

RSA today released a research report detailing its findings on what it is dubbing Terracotta: a series of VPN networks which do carry significant legitimate VPN traffic, allowing users inside China to get around the Great Firewall. However, it appears that various APT groups are also utilizing the service. Apparently calls to 1.8800free.info and 2.8800free.info are an indicator that a site has been compromised. However, at this date it is difficult to find IP information for the domain or the hosts on it.


New RIG 3.0 Malware infected over a million users in last 6 weeks

The RIG crimeware kit received a major upgrade in the last few weeks. Infecting about 27,000 victims a day, the new kit partially relies on vulnerabilities in Flash made public by the Hacking Team document exposures.

RIG itself needed to be updated after its source code was released by a disgruntled reseller of the toolkit. The new kit targets three vulnerabilities: CVE-2015-5122 in Adobe Flash, CVE-2014-6332 in Windows OLE, and CVE-2013-2551, an attack on IE 6 through IE 10.
