Cyber Security Institute


Wednesday, March 26, 2014

Gameover malware targets accounts on employment websites

A new variant of the Gameover computer Trojan is targeting job seekers and recruiters by attempting to steal log-in credentials for and accounts. Gameover is one of several Trojan programs that are based on the infamous Zeus …



Tuesday, August 20, 2013

Cybercrime-as-a-Service, the rise of hacking services

The term attack-as-a-service refers to the practice of outsourcing all phases of an attack to specialists, rather than renting the tools and infrastructure needed to conduct the illegal activity personally (Malware-as-a-Service). The service-for-sale model is very attractive: the hackers first analyze the target for a very cheap price ($5) and, only if vulnerabilities are present, hack it for roughly $50; for large architectures the prices soar from $1,000 to $50,000. This type of hacking service is an example of unethical pen-testing activity. The criminals seem not to use any automated tool or Google services to discover vulnerabilities. Another peculiarity is that they do not operate against websites and services of their own country, a habit already seen in the sale of the Kins and Zeus malware.



Friday, August 09, 2013

Linux gets hit by a trojan—it’s time to sudo apt-get scared!

A big selling point of Linux-based operating systems is that they are generally immune to viruses, trojans and malware. However, this is a falsehood—no OS is 100 percent safe when it comes to these things. According to security company RSA, a team of Russian cyber-criminals has developed a trojan, named “Hand of Thief”, which targets Linux.

The security company explains that the trojan is “designed to steal information from machines running the Linux OS. This malware is currently offered for sale in closed cybercrime communities for $2,000 USD (€1,500 EUR) with free updates. The current functionality includes form grabbers and backdoor capabilities, however, it’s expected that the Trojan will have a new suite of web injections and graduate to become full-blown banking malware in the very near future. At that point, the price is expected to rise to $3,000 USD (€2,250 EUR), plus a hefty $550 per major version release”.


Thursday, July 25, 2013

Sophisticated Malware Is Stumping Security Pros

The ferocious nature of modern malware is wreaking havoc on some organizations, forcing security professionals to reassess current security policies and consider spending on modernizing defenses to detect attacks, according to a new survey. It found that 74 percent of respondents have increased their security budgets over the past two years in direct response to more sophisticated malware threats. Businesses need to assess their current defenses to avoid making impulsive spending decisions, said Jon Oltsik, senior principal analyst at Enterprise Strategy Group, in his “Malware and the State of Enterprise Security” report.



Wednesday, July 24, 2013

New Trojan could create headaches for banks, customers

The developer’s new malware is called KINS, and he’s selling it for $5,000 a pop, although that price is likely to climb if the malware is as good as he brags it is. “[KINS is] a new professional-grade banking Trojan that is very likely taking its first steps in the cybercrime underground and could be poised to infect new victims as quickly and effectively as its Zeus, SpyEye and Citadel predecessors,” Limor Kessem, a cybercrime specialist with RSA, the security division of EMC, wrote in a blog post on Tuesday.



Monday, July 22, 2013

Hackers’ StealRat botnet turns 85,000 unique IPs into malware-spreading tools

Hackers have developed a sophisticated StealRat botnet, capable of bypassing firms’ advanced anti-spam defences, according to security firm Trend Micro. Trend Micro threat response engineer Jessa De La Torre reported uncovering the botnet, claiming that it uses advanced techniques to hide the malware used in the scam. “While exploiting vulnerable websites to send out spam has already been exhausted by other botnets, StealRat stood out because it used simple yet subtle methods to improve the botnet’s resiliency,” wrote De La Torre. De La Torre said that by removing the interaction between the spam message and the campaign’s central server, the criminals are able to bypass most businesses’ cyber defences.



Monday, July 15, 2013

Business users visit most malicious websites, security academics find

Business users account for 57 per cent of malicious attacks while one in eight Australian IP addresses is hit by one or more Web attacks on any typical day, according to a Deakin and Macquarie University analysis of more than 200 million Web requests from Australian Internet users. The report – entitled Analysis of the Australian Web Threat Landscape and conducted by Deakin and Macquarie academics with the support of security vendor Trend Micro – reflects research that began earlier this year and has since used data analysis on a wealth of data provided on an opt-in basis by users of Trend Micro’s cloud-based security filtering services. The Australian Research Council-funded research is based on data collected during the first two weeks of May, during which devices representing 600,000 distinct IP addresses visited HTTP/HTTPS sites every day. Of 200 million requests analysed during the time, just 400,000 – from around 80,000 distinct IPs – were issued for access to malicious Web pages.


Friday, July 05, 2013

New EU laws approve tougher sentences for cyber criminals

Under new laws the 28 EU member states will be required to set terms of no less than two years in prison for individuals caught illegally accessing information systems, tampering with data, illegally intercepting communications, or creating tools that help commit such offences. This mandated minimum rises to five years if the individuals involved target national systems such as energy plants, public transportation or government servers. The changes also directly address the creation and operation of botnets – groups of hacked computers that are run in tandem to commit offences such as sending out spam and denial of service attacks.


Monday, July 01, 2013

Combating attacks with collaborative threat intelligence

Even those attackers who are deploying more targeted, advanced attacks against a specific industry or organization will reuse the same techniques and exploit code in targeted attacks against similar organizations in the same industry. Another tool in the attacker’s arsenal is that they are highly adept at sharing information with each other. Why wouldn’t defenders likewise collaborate on the source, tools and techniques used for these attacks and reap the tremendous benefits of threat sharing? Not to mention that such collaboration among defenders can also increase the costs associated with executing these attacks.


Wednesday, June 26, 2013

Attackers sign malware using crypto certificate stolen from Opera Software

Hackers penetrated network servers belonging to Opera Software, stole at least one digital certificate, and then used it to distribute malware that incorrectly appeared to be published by the browser maker. “The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware,” Wednesday’s advisory stated. “It is possible that a few thousand Windows users, who were using Opera between 1.00 and 1.36 UTC on June 19, may automatically have received and installed the malicious software.”


Saturday, June 22, 2013

Phishing attacks up 87 per cent: Report

Phishing attacks, the most common form of cyber crime, are on the rise, both in India and globally. According to a recent report by Russian cyber security firm Kaspersky Lab, 37.3 million users around the world were subjected to phishing attacks in 2012-13, up 87 per cent from a year ago. Roughly 10 per cent - 3.7 million annually or around 10,000 per day - of these attacks were targeted at India, which is the third biggest victim after Russia and the US. Kaspersky found that 87.9 per cent of attacks were launched while users were surfing the web, with the services of Yahoo, Facebook, Google and Amazon targeted most often through fake copies of these websites.


Sunday, June 16, 2013


The Open Web Application Security Project (OWASP) has published the top 10 most dangerous vulnerabilities in web applications for 2013. This release aims to raise awareness about application security by identifying some of the most critical risks facing organizations. Injection flaws, such as SQL, OS, and LDAP injection, remain the top security vulnerability for web applications. This widespread bug allows an attacker’s hostile data to trick the interpreter into executing unintended commands or accessing data without proper authorization.


Thursday, June 13, 2013

MBR-wiping malware targets German victims

A new MBR-based hack is now targeting German users, who are at risk of having their systems rendered unusable by malware being sent via spam messages. Trend Micro recently uncovered what it terms a “noteworthy backdoor” as an attached file in certain spam variants sent to German recipients. The spam sample the security firm found tells recipients they have to pay a certain debt, the details of which are contained in the attachment. Like any backdoor, it (BKDR_MATSNU.MCB) performs certain malicious commands, which include gathering machine-related information sent to its command-and-control (C&C) server. “This particular malware, on top of its ability to remotely control an affected system, is able to wipe out the Master Boot Record – a routine that had previously caused a great crisis in South Korea,” noted Lenart Bermejo, threat response tech lead at Trend Micro.



Tuesday, June 11, 2013

New backdoor ‘KeyBoy’ malware hits Asia with targeted attacks

Users from Vietnam, India, China, Taiwan and possibly other countries, were targeted as part of an attack campaign that uses Microsoft Word documents rigged with exploits in order to install a backdoor program that allows attackers to steal information, according to researchers from security firm Rapid7. One of the malicious documents found by Rapid7 researchers is written in Vietnamese and is about best practices for teaching and researching scientific topics. This suggests that the targets of attacks where this document was used are part of the Vietnamese academic community, Rapid7 researchers Claudio Guarnieri and Mark Schloesser said Friday in a blog post. Identified as CVE-2012-0158 and CVE-2012-1856, respectively, these vulnerabilities affect Microsoft Office 2003, 2007 and 2010, and were patched by Microsoft in 2012 as part of the MS12-027 and MS12-060 security bulletins.

Monday, June 03, 2013

Targeted attacks on the rise

There has been a significant spike in instances of the Koobface social networking worm and a dramatic increase in spam, according to the McAfee Threats Report: First Quarter 2013. McAfee Labs has also found continued increases in the number and complexity of targeted threats, including information-gathering Trojans and threats targeting systems’ master boot records (MBRs). In the company’s latest study, it found almost three times as many samples of Koobface as were seen in the previous quarter, which is a high point for the social networking worm that targets Facebook, Twitter and other social networking service users. But the increase in the number and sophistication of targeted advanced persistent threats (APTs) represented the most notable evolution in the threat landscape, as information becomes as valuable as money on the cybercrime landscape. The report found a 30 percent increase in MBR-related malware and new instances of password-stealing Trojans being repurposed to capture information on individuals and organisations beyond the financial services industry.


Wednesday, May 29, 2013

Hackers exploit Ruby on Rails vulnerability to compromise servers, create botnet

Hackers are actively exploiting a critical vulnerability in the Ruby on Rails Web application development framework in order to compromise Web servers and create a botnet. The Ruby on Rails development team released a security patch for the vulnerability, which is known as CVE-2013-0156, back in January. “It’s pretty surprising that it’s taken this long [for an exploit] to surface in the wild, but less surprising that people are still running vulnerable installations of Rails,” said Jeff Jarmoc, a security consultant with security research firm Matasano Security, Tuesday in a blog post.



Malware’s typical network behaviour makes it easier to spot: Palo Alto

The hardest part of maintaining a security defence is figuring out the things we don’t know – but by applying monitoring to all network traffic and simplifying accessibility to analytics tools, it’s easier than ever to ferret out new malware and seal perimeters that have been compromised by mobile devices, a Palo Alto Networks analyst has advised. While the security solutions market has been flooded with new options for identifying and dealing with malware, “you need to be able to feed it into something that’s actionable, and is going to help the business and actually give you some protection,” Williamson told CSO Australia after his presentation at the AusCERT 2013 security conference. Analysis of 839 different pieces of malware, and 204 million logs, also found that 55% of all malware uses custom UDP (User Datagram Protocol) packets to communicate with command-and-control (C&C) servers; therefore, when a scan of network activity shows that 1.5% of traffic is comprised of unknown UDP packets, Williamson said, it’s not hard to figure out where it’s coming from.


Tuesday, May 28, 2013

91% of targeted attacks start with spear-phishing email

These emails are part of the operations of an emerging and active targeted threat called Safe campaign, the operations of which are documented in the research paper by Trend Micro. These spear-phishing emails contain a malicious attachment and encourage a recipient to open a harmful attachment by attracting him with contextually relevant content. From a threat perspective, Trend Micro has identified five key target organisations including government ministries, technology companies, media outlets, academic research institutions and non-governmental agencies.



Friday, May 24, 2013

Zeus variants are back with a vengeance

After analyzing the feedback from the company’s Smart Protection Network, Trend Micro researchers have noted an upswing in attempted Zeus / Zbot Trojan infections. After being practically non-existent in January, the months up until the beginning of May have witnessed a continuous rise in the number of attempted Zeus/Zbot Trojan infections, Trend Micro researchers pointed out. The main goal of the malware is the same as before: stealing any type of online credentials, including those used for online banking, and any kind of personal information that might be of use to criminally-minded individuals. The variants now create two different folders on the system: one to stash a copy of themselves, and the other to host the stolen and encrypted information and the configuration file they download from a remote server.



Scanner identifies malware strains, could be future of AV

When it comes to spotting malware, the signature-based detection, heuristics and cloud-based recognition and information sharing used by many antivirus solutions today work well up to a certain point, but polymorphic malware still gives them a run for their money. At the annual AusCert conference held this week in Australia, a doctorate candidate from Deakin University in Melbourne presented the results of research and work that just might be the solution to this problem. “Using structures, you can detect approximate matches of malware, and it’s possible to pick an entire family of malware pretty easily with just one structure,” he shared with CSO Australia.


2013 will see an explosion in malware

According to the German security company AV-Test, malware has exploded to unprecedented levels in the past five years. More troublingly, they anticipate seeing over 60 million new pieces of malicious software by the end of 2013. AV-Test went on to say that its system has already recorded “over 20 million samples of new malware between January and the beginning of May.” To put those numbers in context, AV-Test didn’t reach 20 million new samples until August of last year.


Thursday, May 23, 2013

New Citadel malware variant targets Payza online payment platform

A new variant of the Citadel financial malware is targeting users of the Payza online payment platform by launching local in-browser attacks to steal their credentials, according to researchers from security firm Trusteer. Citadel is a Trojan program designed primarily to steal online banking credentials, but is also associated with the Reveton ransomware, which locks down computers and displays rogue alerts claiming to come from law enforcement agencies. Like most banking Trojan programs, Citadel’s hooks into the browser process can modify Web pages opened on infected computers in real time. These rogue local website modifications are known as Man-in-the-Browser (MitB) attacks and are harder for victims to spot than regular phishing attacks because the URLs displayed in the browser address bar are those of legitimate websites. The new Citadel variant discovered by Trusteer researchers contains MitB code that alters the form fields users are asked to fill in on Payza’s log-in page.


Wednesday, May 22, 2013

Keeping Up With the Andromeda Botnet

Last March, [TrendMicro] blogged about Andromeda, a well-known botnet that surfaced in 2011 and is making a comeback this year. Just months after that report, they are still seeing notable activity from the said botnet, in particular a sudden boost of GAMARUE variants last week. The Andromeda botnet is a spam botnet that delivers GAMARUE variants, which are known backdoors and have a noteworthy way of propagating via removable drives. Just months after the first post, they are also seeing a trend in which a majority of WORM_GAMARUE variants are affecting India, Turkey, and Mexico.



Thursday, May 16, 2013

New Mac spyware found in the Oslo Freedom Forum

F-Secure is reporting on new malware found for OS X, which appears to be a backdoor application that so far is known to take screenshots of the user’s computer and then attempt to upload them to remote servers. It’s a small application called and was found on the Mac of an African activist who was a member of the Oslo Freedom Forum. When installed, the application is appended to the current Mac user’s log-in items so it runs whenever the affected user account is logged in. It then takes regular screenshots that it places in a visible folder in the user’s home directory called MacApp. It then tries to upload them to the URLs “” and “,” which either are not working or are issuing “public access forbidden” error messages.


Wednesday, May 15, 2013

Malware Behind Oldest, Most Active Spam Botnet Gets Refresh

One of the largest and most notorious spam botnets, known for sending out millions of spam messages every day, has gotten a new communications mechanism that makes it more resilient to takedowns, according to security researchers’ analysis. A team of security experts from Dell (NSDQ:Dell) SecureWorks, Damballa Labs and the Georgia Institute of Technology has discovered a new domain name generation algorithm that is part of the Pushdo malware’s back-up command-and-control mechanism. The report, issued by Damballa and Dell SecureWorks, found that the malware associated with Pushdo can evade both intrusion detection and prevention systems as well as most antimalware technologies by mimicking legitimate connection attempts to benign websites to confuse signature-based systems.


Monday, May 13, 2013

HBGary Announces Next-Gen Responder™ Pro

In a move to significantly close the gap between discovery and mitigation of targeted attacks, HBGary, a subsidiary of ManTech International Corporation, unveiled the next-generation version of Responder™ Pro, the de facto industry standard in automated Windows® physical memory analysis. By leveraging Digital DNA™ 3.0, HBGary’s flagship technology, Responder™ Pro 2.1 detects the latest rootkits, trojans, zero-days, and malware variants currently undetected by anti-virus, IOCs (indicators of compromise), and other signature-based solutions.

Multi-stage exploit attacks for more effective malware delivery

In the cybercrime world, the de-coupling of the first stage from the payload is designed to make sure that an exploit kit is as generic as possible and can deliver all possible payloads, provided that the payloads only need native execution (either as a standalone executable – files with an “.exe” file extension, or DLL registration via RegSvr32 – files with a “.dll” extension). By utilizing an extra stage, the attack is more likely to bypass some security products: the initially exploited process (Java) launches another Java process (second stage) that appears less suspicious, and only that second stage process runs the final, native payload (the persistent malware dropper).


Wednesday, May 08, 2013

Stats confirm malware built at record rates

The anti-virus maker’s research arm, PandaLabs, found that between January and March of this year, more than 6.5 million new malware strains were built, with trojans comprising 75 percent of those. In total, trojans were responsible for 80 percent of global computer infections – a record – far outpacing worms, viruses and adware. Across the globe, researchers discovered that more than 31 percent of PCs have been seeded with malware, with machines in China experiencing the highest infection rates (around 50 percent). In the United States, PandaLabs said 28 percent of computers are infected nationwide, numbers that roughly correspond to previous versions of the report.



Tuesday, May 07, 2013

AutoIt scripting increasingly used by malware developers

AutoIt, a scripting language for automating Windows interface interactions, is increasingly being used by malware developers thanks to its flexibility and low learning curve, according to security researchers from Trend Micro and Bitdefender.



Tuesday, April 30, 2013

Ramnit sleeping malware targets UK financial sector

“Trusteer’s security team recently analysed a Ramnit variant that is targeting a UK bank with a clever one-time password (OTP) scam,” said a Trusteer spokesman. The malware reportedly avoids detection by going into an idle sleep mode until its intended victim logs into their online bank account, at which point it activates and presents them with a fraudulent phishing message. “While the user is reading the message, Ramnit connects to its command and control server and obtains the details of a designated mule account,” explained a Trusteer spokesman. Once connected to the account the malware enters its final stage, presenting its victim with a second bogus message designed to dupe the user into entering a code that will let the malware bypass the system’s final defence.