News

What’s new, security-wise, in Android KitKat?

Date of publication: 08/11/2013, Łukasz Siewierski

On the 31st of October Google released a new version of the Android operating system, 4.4, called KitKat. This version introduces a number of new features, including a handful of security improvements. It also introduces a new approach to SMS and MMS handling, which breaks the compatibility of some Android malware and makes it easier for users to spot a malware infection. This security improvement comes as a side effect of the new system-wide approach to messaging applications.
Read more

How to identify and remove the VBKlip malware?

Date of publication: 31/10/2013, CERT Polska

In our previous article we described a new VB malware, which we named VBKlip, that replaces a bank account number copied to the Windows clipboard. To check whether your computer is infected, simply copy a correct bank account number (e.g. 12 1234 1234 1234 1234 1234 1234), paste it into a text editor (e.g. Microsoft Word or Notepad) and compare the pasted number with the copied one. If they differ, your machine is most probably infected with the described malware strain.
Read more

New VB malware that changes bank account number when copying from clipboard

Date of publication: 22/10/2013, CERT Polska

At the start of October we started receiving reports of the propagation of a new strain of unusual malware. This malware targeted Polish online banking users and implemented a technique new to our market. We received a sample of this malicious software, written in Visual Basic 6. It used a fairly simple mechanism to steal money: whenever a user copied text containing a bank account number to the clipboard, it replaced that account number with a different one. This account was, of course, controlled by the cybercriminals.
Read more

PowerZeus Incident Case Study

Date of publication: 18/10/2013, CERT Polska

CERT Polska has created a technical report about a KINS/PowerZeus infection affecting Polish online banking users. In July 2013 we obtained information about an attack on Polish online banking users. This attack utilized a new strain of malware with abilities similar to the previously described ZeuS family, e.g. changing a page’s content on-the-fly. The malware version described here stole user credentials when the user logged into the online banking site. Because some online banking systems in Poland use SMS-based one-time passwords, the cybercriminals also found a way to steal those. When the user enters her credentials, the malware displays a message, supposedly from the bank, saying that she has to install a special Android application in order to make her transactions more secure. As a result the malware controls both the phone and the user’s machine, and the botmasters are able to issue a wire transfer. This report contains details of that operation, a technical description of both malware samples (for Windows and for Android), and recommendations for users.
Read more

Ransomware still a threat to Polish users

Date of publication: 19/09/2013, CERT Polska

During the summer holidays we observed an increased infection rate of ransomware. We have mentioned this type of malware a few times in the past (here is a description of similar malware and here is information detailing how to remove it from your computer). CERT Polska was able to acquire three samples of this malware from three different sources, and in every case we were able to determine the infection vector. Most probably, all three samples were created by the same group of cybercriminals. One sample came from a hacked .gov.pl website, obtained in collaboration with CERT.GOV.PL; the second came from a hacked website in the .eu domain; and the last came from a malicious advertisement on a .pl website. The case of malware on the governmental website was also the subject of our previous blog post.
Read more

Takeover of Domain Silver, Inc .pl domains – updated with sinkhole statistics

Date of publication: 23/08/2013, CERT Polska

On the 30th of July, 2013, NASK terminated its agreement with a registrar, Domain Silver, Inc. We described the reasons for that decision in a detailed technical report. Today we publish an updated version of the report with our sinkhole statistics. These statistics cover 20 different botnets sinkholed by our servers, all of which used domains registered through Domain Silver, Inc. These are not all of the botnets that used Domain Silver as their registrar, only the ones that had been sinkholed as of the 23rd of July 2013. The botnet malware included ZeuS ICE IX, Citadel, Andromeda/Gamarue and Dorkbot/NgrBot. Among them is also the Citadel plitfi botnet, whose takedown we described previously in a detailed report. Highlights from the gathered data are:
Read more

Anti-botnet effort continues – takeover of Domain Silver, Inc .pl domains

Date of publication: 31/07/2013, CERT Polska

Today we publish an overview of domains registered through Domain Silver, Inc., a registrar operating in the .pl domain. This registrar started operating in May 2012. Since then, the CERT Polska team has observed a large increase in the number of malicious domains registered in .pl and has received many complaints concerning domains registered through Domain Silver. Most of the malicious domains present in .pl were registered through Domain Silver. In May 2013, dozens of domains used for botnet C&C purposes were seized and sinkholed by NASK and CERT Polska. Following further unsuccessful attempts to remedy the situation, NASK (the .pl ccTLD registry) decided to terminate its agreement with the registrar. In the following sections of the document we explain what the malicious domains were used for (as of 9th July 2013), which botnets used the domains, and why they posed a threat to the Internet community.
Read more

Evolution of an Android malware: the story of a friend of ZitMo

Date of publication: 12/06/2013, CERT Polska

Recently we blogged about a new threat to Polish e-banking users called “E-Security”. When a user whose machine was infected tried to access her internet banking site, she was greeted with a message instructing her to install an “E-Security Certificate” application on her Android phone. This “certificate” was nothing more than malware capable of forwarding short messages to the attacker. As the attacker already had the login and password for the banking transaction system (obtained because the user’s machine had to be infected first) and could now read the SMS one-time password, it was easy for the attacker to initiate an unauthorized wire transfer from the victim’s account.

We then speculated about another possible C&C communication channel. Instead of forwarding short messages via SMS, the malware could send all the messages to a C&C server over HTTP. This article presents the history of this malware as we were able to recover it from 10 different samples, which claimed to be four different versions. All of the samples were created for the Android platform.

Read more

Bezpieczeństwo z pewnego źródła

Date of publication: 07/06/2013, CERT Polska

The evolution of the Internet over the last two decades has brought tremendous changes to the daily lives and functioning of each of us. New technologies permeate and integrate with every aspect of our work, family life and leisure. The Internet has become a powerful tool which, unfortunately, is also used for purposes that are against the law or generally accepted norms. It has become a place where, just as in the physical world, dangers lie in wait for the unaware. The largest group influencing the number of threats on the Internet is made up of users of home computers and of computers in small and medium-sized businesses. They determine the security level of the Internet, because they are directly exposed to most threats while at the same time being the group least able to defend itself against them.

Many organizations and experts try to counteract this situation, but they are not always able to reach the end recipient with important information, because it gets lost in the thicket of media noise. On the other hand, it is not easy for the end user to find such information on specialist portals. CERT Polska and NASK are trying to address the lack of a bridge between specialists and ordinary computer users by launching the “Bezpieczeństwo z pewnego źródła” (Security from a Reliable Source) initiative. Its aim is to build a platform for exchanging information between experts, who are able to provide verified and reliable information, and the media community, which can effectively deliver that information to the end user.

We cordially invite you to the “Bezpieczeństwo z pewnego źródła” seminar, which will take place on 13 June 2013 in Box 217/218 of the National Stadium (Stadion Narodowy), from 10:00 to 14:00 (entrance from Wybrzeże Szczecińskie). The number of places is limited. To register, please contact: [email protected].

Read more

ZeuS-P2P internals – understanding the mechanics: a technical report

Date of publication: 07/06/2013, CERT Polska

At the beginning of 2012, we wrote about the emergence of a new version of ZeuS called ZeuS-P2P or Gameover. It utilizes a P2P (peer-to-peer) network topology to communicate with a hidden C&C center. This malware is still active and has been monitored and investigated by CERT Polska for more than a year. In the second half of 2012, it directly affected Polish users, namely those of internet banking.
Read more