Tag archive for ‘malware’

“Slain” Kelihos botnet still spams from beyond the grave

by ITN News - on Feb 1st 2012 - No Comments

A botnet capable of delivering almost four billion spam messages per day has been confirmed resurrected—more than four months after Microsoft celebrated its untimely demise. Researchers with Kaspersky Lab reported on Tuesday that Kelihos, a peer-to-peer botnet that also goes by the name Hlux, continues to spew spam in a variety of languages....

“Malicious” Android apps are just aggressive advertising, says Lookout Mobile

by ITN News - on Jan 30th 2012 - No Comments

Last week Symantec reported 13 potentially malware-carrying Android applications, that it said may make up a family of botnets. Mobile security firm Lookout Mobile, however, is now saying the apps are just an advertising network. “We disagree with the assessment that this is malware, although we do believe that the Apperhand SDK...

Scary New Virus Will Make Your Computer Cry

by ITN News - on Jan 28th 2012 - No Comments

It’s natural for viruses to mutate in nature and become stronger over time. The scary thing is that it’s now happening to computer viruses. Mutating viruses are nothing new, they are used to infect machines in a way that can’t be stopped by traditional anti-virus software. The problem comes in with a new report from Softwin, the...

New variant of the Zeus Trojan targeting bank accounts, FBI warns

by ITN News - on Jan 10th 2012 - No Comments

A new variant of the Zeus Trojan that can give hackers access to people’s bank accounts is being spread via phishing e-mails purportedly from financial institutions, the FBI warns.

The unsolicited e-mails seem to come from the National Automated Clearing House Association, the Federal Reserve Bank or the Federal Deposit Insurance Corporation, the FBI says in its warning. Clicking on a link in the e-mail sends the recipient to a website where the malware is downloaded.

“The malware is appropriately called ‘Gameover’ because once it’s on your computer, it can steal usernames and passwords and defeat common methods of user authentication employed by financial institutions,” the FBI said. “And once the crooks get into your bank account, it’s definitely ‘game over.’”

Gameover is a variant of Zeus, which has been around since at least 2005 and has been widely used in botnet rings that attempt to steal banking information.

In 2010, the FBI, working with law enforcement officials in the United Kingdom, Europe and Ukraine, busted a botnet ring that was trying to transfer $220 million from the United States, in an operation that also involved payments made through the Automated Clearing House. The FBI arrested 39 people, including five in the Ukraine suspected of being the ringleaders and several “mules” in the United States that were moving the money.

In the latest scam, recipients get an e-mail from NACHA, the Fed or FDIC stating either that there is a problem with their bank account or a recent ACH transaction. The e-mail includes a link to a site where the recipient purportedly can resolve the issue, but “once you’re there, you inadvertently download the Gameover malware, which promptly infects your computer and steals your banking information,” the FBI said.

With account information in hand, the attackers use a botnet to launch a distributed denial-of-service attack on a financial institution to deny access to legitimate users and most likely to cover up their own thefts, the FBI said.

The mules help launder the money, sometimes by using the stolen funds to buy precious stones and expensive watches, which can then be resold for cash. And although some of the mules are in on the money laundering scheme, an increasing number are unwitting participants lured in by “work at home” advertisements, the FBI said.

Members of the crime ring e-mail people, saying they saw their résumé on a job website, and offer them what appears to be a legitimate job, with a contract and websites to log into, the FBI said. The new “employees” then either open a new bank account or use their own account to receive funds and send them overseas.

The FBI is asking anyone who thinks they’ve been targeted by the scheme to contact their bank and file a complaint with the FBI’s Internet Crime Complaint Center.

Meanwhile, the FBI offers three tips for protecting yourself against the Gameover scam and others like it:

1. Be sure your computer’s anti-virus software is up to date.

2. Don’t click on e-mail attachments from unsolicited senders. NACHA, FDIC, and the Federal Reserve all say they don’t send out unsolicited e-mails to bank account holders. If you want to confirm there’s a problem with your account or one of your recent transactions, contact your financial institution directly.

3. Don’t accept unsolicited jobs online that require you to receive funds from numerous bank accounts and then wire the money to overseas accounts — you could get caught up in a criminal investigation.

Stuxnet weapon has at least 4 cousins

by ITN News - on Jan 9th 2012 - No Comments

The Stuxnet virus that last year damaged Iran’s nuclear program was likely one of at least five cyber weapons developed on a single platform whose roots trace back to 2007, according to new research from Russian computer security firm Kaspersky Lab.

Security experts widely believe that the United States and Israel were behind Stuxnet, though the two nations have officially declined to comment on the matter.

A Pentagon spokesman on Wednesday declined comment on Kaspersky’s research, which did not address who was behind Stuxnet.

Stuxnet has already been linked to another virus, the Duqu data-stealing trojan, but Kaspersky’s research suggests the cyber weapons program that targeted Iran may be far more sophisticated than previously known.

Kaspersky’s director of global research & analysis, Costin Raiu, told Reuters on Wednesday that his team has gathered evidence that shows the same platform that was used to build Stuxnet and Duqu was also used to create at least three other pieces of malware.

Raiu said the platform is comprised of a group of compatible software modules designed to fit together, each with different functions. Its developers can build new cyber weapons by simply adding and removing modules.

“It’s like a Lego set. You can assemble the components into anything: a robot or a house or a tank,” he said.

Kaspersky named the platform “Tilded” because many of the files in Duqu and Stuxnet have names beginning with the tilde symbol “~” and the letter “d.”

Researchers with Kaspersky have not found any new types of malware built on the Tilded platform, Raiu said, but they are fairly certain that they exist because shared components of Stuxnet and Duqu appear to be searching for their kin.

When a machine becomes infected with Duqu or Stuxnet, the shared components on the platform search for two unique registry keys on the PC linked to Duqu and Stuxnet that are then used to load the main piece of malware onto the computer, he said.

Kaspersky recently discovered new shared components that search for at least three other unique registry keys, which suggests that the developers of Stuxnet and Duqu also built at least three other pieces of malware using the same platform, he added.

Those modules handle tasks including delivering the malware to a PC, installing it, communicating with its operators, stealing data and replicating itself.

Makers of anti-virus software including Kaspersky, U.S. firm Symantec Corp and Japan’s Trend Micro Inc have already incorporated technology into their products to protect computers from getting infected with Stuxnet and Duqu.

Yet it would be relatively easy for the developers of those highly sophisticated viruses to create other weapons that can evade detection by those anti-virus programs by reworking the modules in the Tilded platform, he said.

Kaspersky believes that Tilded traces back to at least 2007 because specific code installed by Duqu was compiled from a device running a Windows operating system on August 31, 2007.

More Than $1M Stolen From Android Users in 2011, Threats to Increase

by ITN News - on Dec 15th 2011 - No Comments

The Carrier IQ scandal has shifted attention from malicious mobile threats to carrier-sourced spyware over the past month, but a new report suggests the threat of more serious mobile malware continues to intensify.

More than $1 million was stolen from Android smartphones alone in 2011 according to Lookout Security Mobile, which pulled data from more than a million apps and 15 million handsets around the world to compile its 2012 Mobile Threat Predictions report.

The likelihood of an Android user encountering malware grew from 1% to 4% in 2011, and Lookout expects the trend to continue in 2012.

“2011 was a watershed year in terms of the types of threats we saw emerging,” Lookout co-founder and CTO Kevin Mahaffey said in a statement. “Threats had greater sophistication and were deployed using more innovative and efficient distribution methods. In 2012, we expect to see the mobile malware business turn profitable. What took 15 years on the PC platform has only taken the mobile ecosystem two years.”

The firm highlights mobile pickpocketing — malware that steals money by making unauthorized use of carrier billing features — mobile botnets and browser attacks as specific threats that will intensify in 2012.

Android users in particular now have a 36% chance globally of clicking an unsafe link, and those odds increase to 40% in the U.S. according to Lookout.


Android Games Used As Trojan Horse For Malicious Apps

by ITN News - on Dec 13th 2011 - No Comments

Malware disguised as popular game apps was discovered in the Android Market yesterday by Google’s security team. Despite being removed earlier today by Google, over 10,000 downloads of the malicious apps had already been performed by unwitting Android users.

About a dozen free mobile versions of apps, such as Angry Birds and Assassin’s Creed, were published to the market yesterday morning by developer Logastrod. The author published the apps after adding code to the games that would allow SMS messages to be sent to premium rate numbers. Vanja Svajcer, writing on the Sophos blog, detailed the damage unaware downloaders can suffer after installing such apps:

Misusing premium SMS services is the most common model for malicious mobile malware. When a malicious app is installed, it starts sending or receiving messages, which makes the installation very expensive for the user. The damage is often seen only when it is too late, once a monthly bill is received.

Svajcer goes on to criticize Google for having regulations that are too relaxed and that permit developers to easily sneak their malicious apps into the Android Market. The benefits of successfully publishing an app to the Market and therefore making money from it outweigh the consequences of being banned by Google from contributing any more apps to the Market. “The attacks on Android Market,” he adds, “will continue as long as the developer requirements stay too relaxed.”

Google has implemented security screens that require the user’s acknowledgement that the apps are able to edit, read, and receive text and multimedia messages before the download of the app can be completed, but such a policy appears not to protect users enough. Obviously, users are likely to breeze past such warnings, and that is not entirely surprising, given the wide popularity and reputation of games like Angry Birds. When everybody and their brother has probably downloaded Angry Birds at some point, who would seriously worry that the app they think they’re downloading is not an offering from a reputable developer? Other criticism directed at Google’s failure to protect its users suggests that Google should improve the way in which it educates users to protect themselves more effectively. As it stands, Google leaves its Android users in the lurch because its “caveat emptor approach means it’s up to users to make sure they don’t get swindled while shopping in the company’s official apps bazaar.”

That they don’t have a stricter policy for app publishing is a disrespectful gesture towards their customers, who clearly are not tech-savvy enough to be suspicious of every download. Worse than simply taking a knee on the issue, Google seems to have excused itself with the equivalent of an Alfred E. Neuman security policy that simply shrugs, “What, me worry?”

What do you think? Should Google be doing more to keep its Android Market free of malware, or does the responsibility fall to Android users? Let us know below in the comments.

The new age of malware

by ITN News - on Dec 13th 2011 - No Comments

Smart devices, social media and increased online activity through app stores and other transaction-based websites are coming together in what one researcher says is a scary combination of factors that have dire implications for national security.

Roger Thompson, recently hired by ICSA Labs, an independent division of Verizon, as the company’s first chief emerging threats researcher, says it’s time for traditional security measures to move forward in a new direction. Malware has exploded to levels that antivirus software can no longer keep pace with, he said. The tactics criminals use to exploit machines are becoming ever more targeted, with social networks and smartphones aiding them in their background research on victims.

How should the industry respond? Thompson spoke with CSO about his thoughts for 2012 and beyond when it comes to malware, and what needs to change in the fight against it.

You’ve mentioned that you think malware lives in “ages.” What is the current age of malware today, as you see it?

This most recent age is the web-attack age. It started in 2005 when things started shifting over to the web-based attacks, exploits and drive-by downloads. That’s still going on and we are in an age where there’s a lot of money to be made and everyone understands that. Criminals are well organized and opportunistic, and they are mostly attacking us via the web. If it were a baseball game, I would say we are in about the fourth inning. This is going to continue for some time.

But I think we are poised to enter a new age, an age of cyber war. I’m fairly confident. For example, look at the Stuxnet worm. No one knows who really did it and no one knows who the target really was, although we can all speculate. But what we may be confident of after discovering Stuxnet is that any country not thinking along the lines of cyber war before, now is.

The United States has plenty of friends in the world, but it also has plenty of people who don’t like it terribly much. If they could do something, like shut off our power, they would.

I feel the new age is one where it’s been proven software can damage hardware now, with Stuxnet. And, more importantly, that software can damage infrastructure — that’s the part that alarms me.

And I don’t believe this stuff is going to be stopped by antivirus software alone. More things need to be done at the IFC level, or possibly at the testing level. Overall, security has to step up.

What form do you think a newer generation of malware might take?

Cross-platform infecting, but Windows based. In terms of Stuxnet, it carried within it malware to infect the Siemens industrial software and equipment. I expect we will see more of that. And I expect it will be exploit-driven. Someone will open a Flash file or a Word document and the file will drop on the system.

The malware itself won’t change, we’ll just see more of what we have now because the underlying platforms are still the same. They are just going to be using new vulnerabilities, blasting their way in and doing the damage they’re designing it to do.

If you predict malware will be increasingly designed to sabotage companies or government infrastructure, who do you think the target might be? A person with a position of authority, or privileged access, within an organization?

Exactly. And if you want to launch a directed attack against some organization, you need a lot of information about them. You can’t just throw a virus in an email and hope it works. You actually have to craft a special email that looks like it came from a person two floors down, talking about stuff that you should be possibly talking about and attaching a document or something you could be expecting to get from them and that someone might reasonably open. That’s how it works. They call it advanced persistent threats; that’s the buzz word. But really what it is is spearphishing.

If you want to spearphish someone, you have to know them. You have to understand them and know what they are interested in. One thing that alarms me is there are 800 million users on Facebook and most of them can’t even spell security, let alone care about it. Facebook does their best and takes security seriously, but they’ve got a million people developing apps for them and I’m fairly confident that not all the million have security interests in mind.


And there are so many people building apps for smartphones. Very often, there is no clear way they are getting a dollar out of it. That’s always alarming to me. To build a good app, it takes six months. So if someone is putting some time and effort into it, you have to question: how are they getting their payback? If there is a trial version that you eventually upgrade to a pay version, that’s OK. Or if it’s a brand building app, like the Weather Channel, obviously there is a pay-off there.

But if there is no obvious pay off, we should be concerned. We don’t know whether it’s adware or information gathering, but people are creating these apps for a reason.

I’m watching all these things come together and the ingredients are there for a very, very dangerous time. We have a proven situation where some countries are clearly engaging in cyber war, or at least cyber espionage. We’ve proven software can damage hardware and infrastructure. If you want to target all these people in an organization, you need information about them. And the opportunity, between smartphones and Facebook, to leak a lot of information is there.

What changes or new measures are you advocating going forward in a new age of malware?

One thing that bothers me is the world currently expects their antivirus software to protect them. Every bit of AV in the world is basically a signature scanner. Which means it’s great at detecting a virus that it knows about, but it can’t see it if it’s new.

It’s been this way since the early ’90s. The world decided signature scanning was the best thing to do back then. But now, the bad guys realize all they have to do is bring out something new and it won’t get detected.

Every AV line in the world gets about 3000 sample submissions every day. Of those, 25 to 30 thousand are new and unique.

Bad guys know when they release a new downloader to install their payload that within a week it will be discovered and within a few days after that every AV lab will add it. But they don’t care, because they have a ten-day window where they aren’t going to be discovered by everybody and they will swap out the downloader every day. So they are just laughing.

Every AV product does have a behavior layer now, but they don’t work it very much. One of the things I hope to do is encourage vendors to pay more attention to their behavior lab and developers. If the bad guys are facing a disparate number of products, each with a different behavior layer, that alone will make the infrastructure much less penetrable.

So you’re saying AV, as it now operates, is becoming obsolete?

Yes, in my not-so-humble opinion, yes it is. But that can change. There are 25 AV programs in the world. If antivirus software were using behavior detectors rather than signature scanners, it would make a huge impact.

Yahoo Messenger exploit threatens new wave of malware

by ITN News - on Dec 6th 2011 - No Comments

A security researcher has warned of a new exploit in Yahoo Instant Messenger (YIM), which could be used to infect enterprise users’ machines with malware.

Bogdan Botezatu, a researcher at security firm BitDefender, wrote on the company’s blog that even the latest patched version of YIM has the vulnerability that enables a remote attacker to change the victim’s status message.

While this may sound harmless enough, Botezatu explains that a hacker could use this ability to encourage that user’s friends and colleagues to click on a malicious link that will infect their machines.

“The victim’s status message [could be] swapped with an attention-getting text that points to a page hosting a zero-day exploit targeting the IE browser, the locally installed Java or Flash environments, or even a PDF bug.

“Whenever a contact clicks on the victim’s status message, chances are they will be infected without even knowing it. All this time, the victim is unaware that their status message has been hijacked.”

He added that enabling access to a status message is valuable to hackers, as it is more likely to be seen and clicked on by other people than other types of malicious spam more commonly sent via email.

“Status messages are highly efficient in terms of click-through rate, as they address a small group of friends. Chances are that, once displayed, they will be clicked by most contacts who see them.”

However, the potential for financial gain for the criminal doesn’t end there. Affiliate marketing is another way to monetise this form of attack.

“Another lucrative approach to changed status messages is affiliate marketing (ie, sites that pay affiliates for visits or purchases through a custom link),” wrote Botezatu.

“Someone can easily set up an affiliate account, generate custom links for products in a campaign, then massively target YIM victims to change their status with the affiliate link.”

Any YIM user who is able to receive messages from outside their contact list is vulnerable to this attack, claimed Botezatu.

However, some security solutions are able to block it via an HTTP scanner. It is also possible to block it via a YIM setting: “Ignore anyone who is not in your Yahoo! Contacts.”

Botezatu concluded by stating that BitDefender has already provided Yahoo with the details of the vulnerability and provided proof-of-concept code to help close the exploit.


Android Trojan charges users for spam text messages

by ITN News - on Nov 29th 2011 - No Comments

A new Android Trojan program that poses as an SMS management application is sending text messages to predefined premium rate numbers in Europe and Canada, according to security researchers from Kaspersky Lab.

Credit-stealing Trojans that send SMS messages or make calls to premium rate numbers were first designed for Nokia’s Symbian and Java-powered mobile OSes and have existed for years in countries like China or Russia.

However, the rapid adoption rate of Android devices and the openness of Google’s mobile platform has motivated malware writers to look for new victims in the smartphone market.

Until earlier this year, the vast majority of Android Trojans found in the wild targeted Chinese and Russian users mainly because installing apps from unofficial sources is very common in these countries. However, according to Kaspersky Lab senior malware analyst Denis Maslennikov, Android malware writers have shifted their attention toward the international market in recent months.

The new Android Trojan found by Kaspersky is dubbed Trojan-SMS.AndroidOS.Foncy and, judging by various online reports from victims, it appeared sometime in September. The piece of malware is advertised as an application for monitoring SMS messages and is distributed via file hosting websites, Maslennikov said.

Once installed on a device, the fake app sends four text messages to predefined premium rate numbers in France, Belgium, Switzerland, Luxembourg, Germany, Spain, the UK and Canada, depending on the country corresponding to the SIM card.

When analysing the Trojan, Kaspersky’s experts determined that the code responsible for sending unauthorised text messages in Canada is broken. However, the malware’s authors might have fixed this in newer versions.

“Unfortunately, today SMS Trojans are one of the easiest ways for cybercriminals to make easy money fast,” Maslennikov said. “Malicious use of premium rate SMS services is spreading around the world, and I’m pretty sure it’s not going to stop any time soon,” he added.

Despite incidents like these and numerous reports from security companies that claim that the number of Android Trojans is increasing rapidly, not everyone is convinced that the popular mobile OS has a malware problem.

A week ago, Google’s open source manager, Chris DiBona, accused antivirus vendors of preying on people’s fears to sell unnecessary security software for Android.

Security experts disagreed with DiBona’s assessment and said that even though Android Trojans haven’t displayed self-replicating abilities so far, the fact that they were found on the official Android Market on several occasions makes them a real threat.
