Domain: securelist.com
Stories and comments across the archive that link to securelist.com.
Comments · 83
-
Addendum/UPDATE (more C&C's to block)
0.0.0.0 srrys.pw
0.0.0.0 tr069.pw
0.0.0.0 mziep.pw
* See parent post https://it.slashdot.org/commen... for more/original batch as well...
APK
P.S.=> SOURCE (same as I used yesterday, just updated) https://securelist.com/new-wav...
... apk
-
Hosts files to the rescue YET AGAIN... apk
0.0.0.0 timeserver.host
0.0.0.0 securityupdates.us
0.0.0.0 l.ocalhost.host
* The last entry in hosts prevents the executable that does this thing's "dirty work" (& it rotates IP addresses so hostname's THE way here) per https://securelist.com/new-wav... (some entries are IP addresses you want to add to your firewall rules tables too).
APK
P.S.=> For the best hosts file multiplatform:
APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between chars & download)
APK Hosts File Engine 10++ SR-1 32/64-bit for Windows https://hosts-file.net/?s=Down... (DL link @ bottom)
Soon for MacOS too (I just got a NEW Mac-Mini to port it there too)... apk
-
Hosts files to the rescue AGAIN... apk
0.0.0.0 asushotfix.com
0.0.0.0 liveupdate01.asus.com
0.0.0.0 liveupdate01s.asus.com
* To cripple "shadowhammer's" communique, etc. - et al...
SOURCE https://securelist.com/operati...
APK
P.S.=> For the best hosts file multiplatform:
APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between chars & download)
APK Hosts File Engine 10++ SR-1 32/64-bit for Windows https://hosts-file.net/?s=Down... (DL link @ bottom)
Soon for MacOS too (I just got a NEW Mac-Mini to port it there)... apk
-
Re:High level hacker
Someone really wanted a longer term way in and to stay in with lower risk.
The chart on Operation ShadowHammer https://securelist.com/operati... lists nations by (% by country) as
Russia, Germany, France, Italy, the USA, Spain, Poland, the UK ...
The page also has a MAC addresses online tool and an email if a MAC is detected.
-
Re:I thought Kaspersky Lab had been banned already
Get the Kaspersky support needed at https://securelist.com/operati... for Operation ShadowHammer AC.
Also has an email if MAC addresses are detected.
-
Re: It's not the language, you stupid jackwagons..
All web applications are partly written in C.
The vast majority of web applications are not written in C. The operating system and other underlying software is, but that's not what the OWASP paper was talking about.
Your link was deficient because it didn't include web applications, which is where most of the code written today actually is.
My link had columns for XSS and SQL injection. I explicitly mentioned them in my reply. Aren't you tired of being so wrong about obvious things?
A single buffer overflow can't be exploited on a modern system, it takes more vulnerabilities than that.
It depends on the vulnerability. Also, at the minimum, they often result in a crash. But the fact is that buffer overflows are resulting in exploits.
-
Hosts files to the rescue... apk
0.0.0.0 www.celasllc.com
0.0.0.0 celasllc.com
0.0.0.0 black.host
0.0.0.0 libertyvps.net
0.0.0.0 www.domains4bitcoins.com
0.0.0.0 www.namecheap.com
0.0.0.0 www.changeip.com
0.0.0.0 domains4bitcoins.com
0.0.0.0 namecheap.com
0.0.0.0 changeip.com
0.0.0.0 njal.la
"sends the victim's information to a webserver using HTTP and the following URL" FROM https://securelist.com/operati...
(1st 2 links (celasllsc ones) = distribution URLs for it & also where it sends your information - the other IP addresses listed in the article are effectively not needed since you can't draw it into your system in the 1st place BUT you can put those into firewall rules tables also IF you wish (to be safest))
APK
P.S.=> See list above for hosts file level blocking of its information transferral - effectively NULLIFYING its purpose... apk
-
Re:Three questions...
1 - How can I tell if I'm infected?
When you downloaded and installed the app.
If you don't know if you downloaded or installed the app, you can tell when your Android device is phoning home to a few IPs like 54.67.109.199, or when it has one of these services that you did not initially have (AndroidAlarmManager, AndroidSystemService, AndroidSystemQueues, ClearSystems, ClipService, AndroidFileManager, AndroidPush, RegistrationService), or when your non-rooted device is somehow rooted. Source
2 - Where can I get it?
Go to the Kaspersky Lab Research Report from the article, look at the bottom and find those links yourself.
Disclaimer, your warranty is now void. This comment is not responsible for anything that may happen to your phone by installing the app. You do it at your own risk and take the responsibility upon yourself and you are not to blame the poster or anyone else.
3 - How much does it cost?
free as in herpes.
-
Re:Ka[s]persky admitted they downloaded the files
The files then somehow made their way to the KGB.
And we know that particular rendition of those bits came from Kaspersky how?
Since then he's said that there was a trojan on the PC he got the files from (but the trojan infection wasn't their fault because the PC user had turned off Ka[s]persky for awhile which they also knew) so Russian hackers must've gotten the information that way
And he extensively documented the reasons why he believes that to be the case. On the other side as far as I can tell, we basically have "Kaspersky and the KGB both ended up with copies of files and are both in Russia... oooooo."
-
I told you already: OFTEN AS YOU LIKE! apk
See subject & my sources my program gets do it @ diff. intervals ALL AROUND THE CLOCK & I go 'above & beyond it' personally - how?
SECURITY SITES I WILL LIST FOR YOU (these are excellent finding all kinds of exploiters & malicious sites/servers galore for ALL types of threats):
http://blog.talosintelligence....
https://www.welivesecurity.com...
https://blog.malwarebytes.com/
https://researchcenter.paloalt...
https://www.bleepingcomputer.c...
https://securityintelligence.c...
https://www.cyren.com/blog
http://garwarner.blogspot.com/
http://www.malwaretech.com/
https://securelist.com/all/?ca...
https://www.fireeye.com/blog/t...
https://www.secureworks.com/re...
https://research.checkpoint.co...
http://blog.trendmicro.com/tre...
https://www.proofpoint.com/us/...
https://blog.comodo.com/catego...
That's 25 sources in total from the security community that UPDATES all the time around the clock - my program makes easy work of consolidating all that data is all! It works (see testimonials I posted in my other replies to you from /. peers).
APK
P.S.=>
... & YOU, personally, have FULL CONTROL OF THE DATA (try that w/ addons OR a REMOTE DNS - good luck on the latter & the former? You'd best know regular expressions)... apk
-
Re:Soverign Immunity
Right, but I'm saying that the lawsuit would be dismissed before you even got to the part of the lawsuit where the feds had to give out their evidence. And we're also neglecting that they can mumble "national security" and get out of showing their cards as well...
FWIW, Kaspersky did respond to many of the allegations against it. There were also separate responses about picking up the NSA malware from the contractor's computer. The contractor's computer was backdoored & they ran a scan on it to get rid of that, not really Kaspersky's fault there if the contractor is taking things home they shouldn't be.
-
Re:Titling
Funny thing is that there's a far more interesting technical article about all of this out there that's totally ignored because it was written by Kaspersky. Yet nobody cares that this article is from the Daily Beast, as if we didn't know Chelsea Clinton was there...
-
Re:All together?
Well, the problem here is that ALL the nation states are spying on us, including America. So the NSA/Israel hates Kaspersky because they've detected their Stuxnet-based malware. Kaspersky actually put out this paper describing just how hard it is to attribute anything to any specific actor. You can say that's Russian so you don't have to even listen (which is a bit silly in an article from the Daily Beast, especially if you know Chelsea Clinton's relationship with it) but that doesn't mean they're wrong.
My personal opinion is that all of them are spying on us via whatever means they have and I don't like any of it, though I don't know how to stop any of them. It's reasonable to be outraged by all of it, NSA or FSB, and to take it into account when doing threat modelling. But, frankly, from what we've seen of the TAO catalog, if they want to own you they probably already have. They probably owned your router before it was even shipped to your doorstep. You cannot assume that they're exfiltrating data over any kind of link you could monitor and they may be leaking it via channels you didn't know the existence of.
So in a way I'm glad for the outrage, I just don't see how to channel it to any productive ends. Ideally we'd stop or control this crazy mass spying by every major power on everyone, but the tech is so scary that I don't know just what sort of crazy security measures that would require.
-
TOR C&C domains to block WannaCry uses
Block these TOR domains in your hosts file to paralyze WannaCry (can't talk to them for orders in the 1st place):
0.0.0.0 gx7ekbenv2riucmf.onion
0.0.0.0 57g7spgrzlojinas.onion
0.0.0.0 Xxlvbrloxvriy2c5.onion
0.0.0.0 76jdd2ir2embyv47.onion
0.0.0.0 cwwnhwhlz52maqm7.onion
0.0.0.0 sqjolphimrr7jqw6.onion
APK
P.S.=> For the best custom hosts file creator bar-none? APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/ for protection vs. other threats online + for more speed, security, reliability & anonymity FOR LESS (yet doing more than ANY other SINGLE "so-called 'solution'" that's "Bolt on 'MoAr'" illogic-logic vs. using what you already have natively in hosts files)... apk
-
Re:Informative although quite misleading
Today, there were quite a few ransomware attacks everywhere, this was relevant enough to get its own Slashdot submission! These attacks spread so quickly everywhere that the typical infection (e.g., a random sucker opening the attachment of an email promising whatever) seemed improbable. That's why I read this article which explains the whole process in detail.
According to that document, these attacks happened thanks to another remote-execution bug which Windows (not the infected machines) officially patched on 14-March (just during that month they fixed 12 remote-code-execution bugs, some of them allowing to take control of the whole system!). There isn't any information in either that report or the Microsoft pages about what was exactly this remote execution expected to consist in.
"The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server"
Does it mean that the attackers encrypted the files from a remote location or automatically-downloaded a piece of software to do so? No idea, but I guess that the aforementioned typical infection should be dismissed (otherwise, the report would mentioned it, right?)
The reason why I am writing this new post (even though I am trying to not write too much to see if my mod points come eventually back) is to give a bit more of context to my original comment. I was plainly referring to a very specific claim about a very specific problem and took advantage from it to critic unnecessary-alarmist attitudes. Nothing more and nothing else than that. Too evident/not actually required? Look at the (other) AC comments!
-
Re:hard to say
so your rebuttal to my comment is a superlative and a catch phrase? I respect Kaspersky because they are an open company the talks about threats openly, discusses relevant topics and provides insight most other companies keep close to the vest. I suggest you read their blog. you might feel the same way. Just because I respect them doesn't mean I use their products and it doesn't mean I feel they are completely divorced from the Kremlin. Just means i respect them and that they are probably trying to do the right thing, despite the murky waters they live in. https://securelist.com/
-
Additional hosts-domains mirai uses to block
These entries in your custom hosts file also block more MIRAI botnet C&C servers (+ other communications parts):
0.0.0.0 timeserver.host
0.0.0.0 securityupdates.us
0.0.0.0 srrys.pw
0.0.0.0 l.ocalhost.host
0.0.0.0 tr069.pw
0.0.0.0 mziep.pw
* FROM - https://securelist.com/blog/incidents/76791/new-wave-of-mirai-attacking-home-routers/
APK
P.S.=> That's in addition to my original post's list of C&C servers MIRAI botnet utilizes here https://it.slashdot.org/comments.pl?sid=10009063&cid=53507971/
... apk
-
Re:So...phishing is news now?
No, it's Russian because Volexity did decent attribution, unlike the twits at Slate.
APT29 is a well-studied group. Their malware is compiled during the Russian workday. They skip Russian holidays. They target groups that are strategically significant to Russian government. FireEye says they're Russian. CrowdStrike says they're Russian. Even Kaspersky has tied them to existing Russian tools.
Trump may blame 400-pound bedridden hackers, but some of us actually do the hard work to have a fucking clue.
- A Real Cyber Security Researcher
-
Re: Why is this here?
I wondered that. The link below mentions unusual and fake certificates.
The malware first appeared on tamindir.com at the end of 2015 redirecting mainly Turkish users to a clone of the truecrypt site then last month links were put on winrar.it and winrar.be to point to copies of the winrar site which affected mainly Italian and Belgian users respectively. The malware was after details of encryption and passwords.
There's no word on how the attackers put links to the malware on legitimate sites.
I'd guess it's an espionage group for hire rather than a state actor or the usual economic criminals.
https://securelist.com/blog/re...
"When visiting sites and downloading encryption-enabled software, it has become necessary to verify the validity of the distribution site and the integrity of the downloaded file itself. Download sites not using PGP or strong digital code signing certificates need to re-examine the necessity of doing so for their own customers. "
-
Re:Malware controls victim's Windows computer
The "compromised" issues if finally been understood from the small developer to huge US brands crypto perspective and as junk international "standards".
Other code might be security service friendly by design as a small front company, gov fronted start up or via developers who had to make deals or had cash offers made by govs or got trapped under a US NSL at work.
It's hard to find good crypto that works. Look at the help the security services got over everyday crypto by big US brands under PRISM or VPV security under BULLRUN, Dual_EC_DRBG issues
Microsoft helped Prism decrypt your emails and Skype, says report (July 12, 2013)
http://www.techradar.com/news/...
BULLRUN https://en.wikipedia.org/wiki/...
https://securelist.com/blog/re...
"key loggers and additional data stealers." and "effectively steal disk contents"
-
Re:Title smells like bullshit
The user seeks out the real crypto software solution.
Looking at some site, the user then finds some site GUI with a swapped out download that offers poor crypto but has the look and feel of the real crypto software.
"On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users" (October 3, 2016)
https://securelist.com/blog/re...
"Adding in their creative waterholing and poisoned installer tactics, we describe the StrongPity APT as not only determined and well-resourced, but fairly reckless and innovative as well."
-
Simple to stop via hosts files... apk
See subject: Add the bogus domains it uses as blocked to hosts, e.g.:
0.0.0.0 gezginler.net
0.0.0.0 tamindir.com
0.0.0.0 www.true-crypt.com
0.0.0.0 true-crypt.com
* ... & "voila", there ya go - SOURCE = https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/
(You CANNOT be infected/infested by WHAT YOU CANNOT ACCESS/TOUCH in the 1st place)
APK
P.S.=> It's THAT simple to stall either getting this bogus machination from its hosting sources (or even having it "talk back to mama" should it do that by adding those servers as well)... apk
-
Research link
Why not link to the Kaspersky research at all? https://securelist.com/blog/re...
-
Re:Missing an M?
What's a Skimer?
Using the magical oracle known as "Google", we find the answer to that question is...
ATM malware
ATM malware
ATM malware
ATM malware
ATM malware
ATM malware
(you probably get the idea by now: "Skimer" is ATM malware)
-
Original Post by Kaspersky Labs
Here is the original article on the Kaspersky Labs site in case anyone is interested.
The article at securelist.com has a few more technical details and includes a list of the special track 2 values used to activate the functionality.
-
Trend Micro and the Russian Cyberspies ..
I don't understand how these Russian Cyberspies are so careless as to leave a trail all the way back to Moscow.
Equation: The Death Star of Malware Galaxy
-
Re:SPF, DKIM, and DMARC
It also doesn't provide a graph of spam rate over time. Just three pie charts showing changes over the last three months.
Agreed, remarkably short of information. Usually their reports are accompanied by press releases, and marketing. I wonder what's different this time.
Note that while Symantec uses figures from their email scanning products - it doesn't correspond with figures from larger monitors e.g.
Senderbase - which shows a slight increase of 234.53 billion av.pd (85.93% of global traffic) for the last 12 months, against 222.88 billion av. pd (86.00% of global traffic) for the last 6 months, and 187.14 billion av. pd (86.41% of global traffic) for the last month (nowhere near half).
Securelist 3rd qtr 2014 (note the drop during that period), and 1st qtr. 2015
Backgrounds for dartboards - the main offenders
I also wonder whether any reduction in email spam has just resulted in more spam via SMS and "social" networks (as well as mailing lists).
-
Re:They Did Say Indirectly
4. Their report states on page 5, that instead of "PROP" the exploit code used the word "HASHVA" on multiple occasions. While this could be a short form of "hash value", it just by pure coincidence means "thought" in Hebrew
...
-
Someone with money
People were poopooing the virus, but I think that's because they didn't read the report.
This is a highly sophisticated polymorphic virus using multiple forms of encryption in multiple layers against multiple attack vectors. It's really a piece of work. I don't know why someone would write it and then use it directly against Kaspersky but whoever did it had the cash to hire some very clever people, or was a team of programmers with a genius at the helm and amazing opsec.
Considering the sophistication of the virus I think it would be silly to speculate about who wrote it: whoever it is had to spend a good deal of effort covering their tracks and could easily have compromised multiple third parties just to create red herrings.
-
A mistake targeting Kapersky ..
They made a big mistake targeting Kapersky as they've given away most of their techniques. It does seem that someone went to an awful lot of trouble creating the malware. The_Mystery_of_Duqu_2_0
-
Re:Kapersky's 46 page report on incident
Have Kapersky considered running their business off of bootable CDs?
"In 2011, we were able to identify Duqu attacks that used Word Documents containing an exploit for a zero-day vulnerability (CVE-2011-3402) that relied on a malicious embedded TTF (True Type Font File). This exploit allowed the attackers to jump directly into Kernel mode from a Word Document, a very powerful, extremely rare, technique.
A similar technique and zero-day exploit (CVE-2014-4148) appeared again in June 2014, as part of an attack against a prominent international organization. The C&C server used in this 2014 attack as well as other factors have certain similarities with Duqu, however, the malware is different from both Duqu and Duqu 2.0. It is possible that this is a parallel project from the Duqu group and the same zero-day (CVE-2014-4148) might have been used to install Duqu 2.0. Duqu 2.0
-
Re:Hyperbole
They were probably aware that this would come up anyway so their PR department took action. To be hacked when you are a security focused company is hurting their image whatever advanced attack was used. I guess they were blackmailed that somebody will reveal information about breach so they took proactive but image hurting approach. Nevertheless it is curious.
Some technical explanation that I TL'DR as for now
;)
https://securelist.com/files/2...
-
Kapersky's 46 page report on incident
FYI: Here is the link to Kapersky's report of the incident: https://securelist.com/files/2...
-
Re:Boo hoo
Citing the biggest underachievers online in arstechnica doesn't help your case here.
I could cite Kasparsky Labs if you'd rather.
-
What the fuck slashdot?
News about some notebook ad middleware that can be disabled at setup (not unlike those toolbar bullshit installations) get front page position.
While NSA malware infiltrating all top hard drive brands in over 30 countries never get to the front page, I watched this news get deleted 3 times from the firehose.
Looks like the NSA/GCHQ psyop team are busy at work after one of the most effective malware got exposed.
NSA malware found hidden in hard drives for nearly 20 years
Russian security software vendor Kaspersky Lab, which this week released a report revealing that thousands of hard drives from 30 nations have been infected by U.S.-government sanctioned malware in existence for nearly 20 years, today said there's no way of knowing if your computer is infected and intelligence agencies are surveilling it.
Once a hard drive or SSD gets infected with this malicious payload, it's impossible to scan its firmware. To put it simply: For most hard drives, there are functions to write into the hardware's firmware area, but there are no functions to read it back. "It means that we are practically blind, and cannot detect hard drives that have been infected by this malware," said Igor Soumenkov, principal security researcher at Kaspersky Lab. The drives in PCs and Macs that were infected by the malware represented more than a dozen major HDD and SSD makers. Kaspersky all but said it was the NSA that created and used the spyware.
Reuters also cited a former NSA employee as having confirmed the latter. Two of the largest drive makers, Western Digital and Seagate, said prior to the report, they had no idea their drives had been targeted. A WD spokesman said the company has not participated in or supported the development or deployment of cyberespionage technology by government entities, adding that "Western Digital has not provided its source code to government agencies." Seagate said its self encrypting drives are supposed to thwart reverse engineering of its firmware. "This is an astonishing technical accomplishment and is testament to the group's abilities," Kaspersky's report stated."
http://www.computerworld.com/article/2885069/theres-no-way-of-knowing-if-the-nsas-spyware-is-on-your-hard-drive.html
-
Re:Does anyone know ...
The exact exploits used to gain root i guess no one outside Sony or the hackers will ever know. As for the owning of the client PCs and network, this seems pretty credible. http://securelist.com/blog/res...
-
Kaspersky Labs discovers port knocking ..
"This Turla cd00r-based malware
.. can't be discovered via netstat, a commonly used administrative tool" link
'To activate the real remote access service (the attached code starts an inetd to listen on port 5002, which will provide a root shell), one has to send several packets (TCP SYN) to ports on the target system' link
How exactly does this 'Linux trojan' get onto the computers in the first place, without the end user going to a site and downloading the malware and explicitly running it and entering the root password.
-
Re:Most sophisticated malware?
Will this sophisticated malware work on anything other than Microsoft Windows
While I do not think you expected sincere answers to this question there is a reason to support the obligatory "of course not" answer. From the Kaspersky analysis ( https://securelist.com/blog/re... )
"The name Regin is apparently a reversed "In Reg", short for "In Registry", as the malware can store its modules in the registry. "
And since Linux has no registry...
- then again I would not be surprised to learn that there is a variant of this tool running on Linux which just swaps in a different module to store its VFS at a place hard to detect on Linux. Unused space behind the partitions or something...
So, no - no reason to feel safe. Your choice of OS may only protect you until they decide to actually aim at you.
-
Why the Antivirus Era Is Over
They can't keep up with the known threats
Comparative reviews since February 2009 - February 2014
Out-maneuvered by new threat vectors
Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt
Some of them even get it, Eugene Kaspersky admits :
-
OSX.Backdoor.Morcut-9
OSX.Backdoor.Morcut-9 is a government trojan, according to https://www.securelist.com/en/... I suspect it's part of the NSA dropper program. I found it in a file I got in a legitimate gaming circle. It's used to spy on people and can be activated remotely. So yes, the article is true
-
Re:Disproportionate Malware
I'm still okay with recommending Android to non-technical users, given that most of them manage just fine on Macs and PCs that face the same primary vector for attack (i.e. the user downloading and installing a trojan).
That said, yeah, Android is really getting a disproportionate share of the malware. More recent reports peg it at 99% of all mobile malware, and Pichai is trying to brush that away as a simple factor of market share, which is rather short-sighted. iOS currently sits around a 16% market share (and falling, due to Android outpacing iOS' rate of growth), which should be more than enough to attract malware. Especially so when you consider that iOS still attracts a comparable (some would argue better) amount of third-party support from developers making apps, as well as the fact that we still get reports like these (tl;dr: this last Christmas season, iOS users accounted for 5x more online purchases than Android users and spent roughly 2x as much on each purchase), making them potentially much more lucrative targets to developers of adware and malware.
Yet, despite all of that, iOS malware rates aren't even being registered on any of the mobile malware reports I can find from the last quarter. I recall them being at something like 0.07% the quarter before that, with Blackberry even registering more malware than them.
-
Better OSes, better regulations
Since Windows started issuing certification warnings for third-party software, relatively fewer trojans have affected Windows boxes. The same tactic has always helped reduce the infection rate for Mac OS. iOS fares even better because all software approved by Apple for the Appstore is screened. This is one way of reducing the bandwidth available for perpetrators: reduce the pasturing grounds for bot-herders.
That 99% of all mobile malware targets Android, as per Kaspersky, is evidence enough that the Appstore model works better (see heading 'Malware for Android' in link http://www.securelist.com/en/a...). With well over a billion Android activations to date, this is a whole new playground for bandwidth bandits to exploit (and are exploiting very effectively). Unless Google does something to ensure that their stores are sanitized this epidemic will continue to get worse.
Finally, penalizing countries that continue to support software piracy will also help. The main vector for the propagation of trojans is pirated software. Some countries have so much malware (take a look at the table under the title 'Local threats' in this link http://www.securelist.com/en/a...) that you have to wonder if their national bandwidth capacity is utilized for any productive use at all. Should these countries be penalized in terms of bandwidth available to them unless they proactively combat their piracy markets?
-
Re:Where's the beef?
I would like to know what is meant by "affecting...Linux".
You're right to question the FUD.
SecureList has a MUCH better story that makes it clear "Careto" is closer to a precision-targeting crackers' toolkit than to typical Windows malware (they have identified a total of 380 unique targets so far). It didn't just use the Flash vulnerability, but had multiple vectors, including Chrome plugins and social engineering techniques.
From their FAQ:
Is this a Windows-only threat? Which versions of Windows are targeted? Are there Mac OS X or Linux variants?
So far, we observed Trojans for Microsoft Windows and Mac OS X. Some of the exploit server paths contain modules that appear to have been designed to infect Linux computers, but we have not yet located the Linux backdoor. Additionally, some of the C&C artifacts (logs) indicate that backdoors for Android and Apple iOS may also exist.
Have you seen any evidence of a mobile component - iOS, Android or BlackBerry?
We suspect an iOS backdoor exists but we haven't been able to locate it yet. The suspicion is based on a debug log from one of the C&C servers where a victim in Argentina is identified and logged as having a user agent of "Mozilla/5.0 (iPad; CPU OS 6_1_3 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B329". This appears to indicate it is an iPad, although without a sample, it's hard to be sure.
In addition to this, we also suspect the existence of an Android implant. This is based on a unique version identifier sent to the C&C which is "AND1.0.0.0". Communications with this unique identifier have been observed over 3G links, indicating a possible mobile device.
-
EASY TO STOP THIS IN HOSTS
Add the botnet's C&C servers to your custom hosts files as block entries like so:
0.0.0.0 sales.eu5.org
0.0.0.0 www.mobilitysvc.com
0.0.0.0 javaupdate.flashserve.net
0.0.0.0 eu5.org
0.0.0.0 mobilitysvc.com
0.0.0.0 flashserve.net
And "voila" - this particular exploit "in the wild" out there now, can't TOUCH you (or, conversely - you it either (no way to get hurt by it thus)).
Source data = Kaspersky labs -> http://www.securelist.com/en/b...
APK
P.S.=> What you can't TOUCH, can't hurt you - that's what custom hosts files give users vs. threats like this & other botnets online (best of all, vs. the WORST kind, in fastflux or dynamic dns using ones, fast becoming THE prevalent design that recycles host-domain names they own/paid for)...
... apk
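As an added example (not part of APK's post or of the Kaspersky report it cites), the small Python checker below parses hosts-style block entries and makes the point the post only implies by listing both the apex domains and the specific subdomains: a hosts file matches exact names only and has no wildcard syntax, so a subdomain that is not listed still resolves normally, and a C&C contacted by a bare IP literal never consults the hosts file at all. The entries are the six from the post; the names `cdn.flashserve.net` and `203.0.113.7` used in the demonstration are constructed inputs, not indicators from the report.

```python
import ipaddress
from typing import Dict, Iterable, List

# Block entries copied from the post above. Hosts format is
# "<address> <hostname> [<hostname> ...]" with '#' starting a comment.
HOSTS_BLOCKLIST = """
# C&C names from the post (0.0.0.0 is a non-routable sink address)
0.0.0.0 sales.eu5.org
0.0.0.0 www.mobilitysvc.com
0.0.0.0 javaupdate.flashserve.net
0.0.0.0 eu5.org
0.0.0.0 mobilitysvc.com
0.0.0.0 flashserve.net
"""

# Addresses commonly used to sinkhole a name in a hosts file.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname to the address it is pinned to.

    Mirrors resolver behaviour: names are case-insensitive, a trailing
    dot is ignored, and the first entry for a name wins.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: skip rather than fail
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # first field must be an IP literal
        for name in parts[1:]:
            table.setdefault(name.lower().rstrip("."), addr)
    return table


def is_blocked(target: str, table: Dict[str, str]) -> bool:
    """True if the hosts table short-circuits `target` to a sink address.

    An IP literal never goes through name resolution, so a C&C reached by
    address is not affected by a hosts file. There is no wildcard syntax
    either: blocking `flashserve.net` does NOT block `cdn.flashserve.net`.
    """
    try:
        ipaddress.ip_address(target)
        return False
    except ValueError:
        pass
    return table.get(target.lower().rstrip(".")) in SINK_ADDRESSES


def uncovered_subdomains(observed: Iterable[str], table: Dict[str, str]) -> List[str]:
    """Names seen in traffic whose parent domain is listed but which are not.

    Useful as an audit of a hosts-based blocklist: the result is the set
    of extra entries the file would need to cover what was observed.
    """
    gaps: List[str] = []
    for name in observed:
        name = name.lower().rstrip(".")
        if is_blocked(name, table):
            continue
        labels = name.split(".")
        parents = (".".join(labels[i:]) for i in range(1, len(labels) - 1))
        if any(p in table for p in parents):
            gaps.append(name)
    return gaps


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_BLOCKLIST)
    # Constructed observations for the demo, not indicators from the report.
    seen = ["sales.eu5.org", "CDN.flashserve.net.", "mobilitysvc.com", "203.0.113.7"]
    for n in seen:
        print(f"{n:24s} blocked={is_blocked(n, hosts)}")
    print("needs entries:", uncovered_subdomains(seen, hosts))
```

The audit function is the part worth keeping around: run it over the hostnames your proxy or DNS logs actually saw and it lists the names a hosts file silently lets through, which is exactly the gap that fast-flux and rotating-subdomain C&C infrastructure exploits.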
-
Re:Google WTF are you doing?
You wouldn't open them, but your browser would unless you (unlike 90% of users) changed the default setting and used an extension or browser which makes those objects click-to-play.
You can argue the point but it is statistically the most common vector, and my experience is that users who are infected are usually not "doing something wrong", other than failing to update their plugins.
it can happen that malware is served up within those - but again, highly unlikely in legitimate sites and mostly mitigated with a good ad-blocker.
You call it unlikely, I call it statistically common. It has historically happened a LOT.
I've no idea what "confirmation bias" means, I've never come across that term before.
It means that you have a hypothesis, and most evidence that you get will be interpreted to support that hypothesis. If you are dealing with home users, you may be aware of certain bad habits they have and use this to reinforce your idea that viruses are because of computer misbehavior. But the two may not be related at all, and my experience when narrowing down the point of infection is that they generally aren't.
I'd also consider the possibility of the receptionist herself unknowingly installing a trojan program
I do consider that possibility, and it's easily checkable by looking in the downloads folder and in the browser history. Every virus (save maybe one or two) I've seen in the last several years has originated in the temp folder, which is not used except for plugin objects (these users are on firefox / chrome, so no "InternetExplorer-clicked-run-not-save").
Just because it's there in the morning doesn't mean that what installed it only appeared during that previous night.
Well, that's true, but there are actual statistics out there about where this malware comes from:
http://www.securelist.com/en/images/vlill/q2malware2012_pic04_all.png
(Source: http://www.securelist.com/en/analysis/204792228/Monthly_Malware_Statistics_April_2012 )
This shows Adobe + Java accounting for ~70% of detected attacks; these are usually drive-bys that trigger a plugin exploit. There are other sources showing the same sort of thing, but the basic trend has been to use drive-bys as they are more reliable, and it is incredibly difficult to keep all users up-to-date with all of their plugins. Virus-writers go for the low hanging fruit, and it is simply going to get a higher hit-rate to infect every user with an out of date Adobe plugin than to try to entice users to download and run a file. You have to keep in mind that Adobe Reader is installed on something like 95% of internet-connected computers (one stat I saw said 98%), and that it has historically been riddled with security problems.
-
The Opera intrusion is only the tip of the iceberg
Opera is not the first nor the last victim of certificate theft. There is evidence that the use of digitally signed malware is increasing since the Stuxnet incident gave this attack vector worldwide exposure.
Both Kaspersky Lab and BitDefender have confirmed seeing a steady increase in the number of malware threats with digitally signed components during the last 24 months. Many use digital certificates bought with fake identities, but the use of stolen certificates is also common, Craiu and Botezatu said.
Also, unless I'm mistaken, revoking stolen certificates does not prevent malware signed with them from running. Most casual users I think tend to trust certificates (that is what it's for, after all, to certify that it's from a trusted source). Not many will bother to check the authenticity of the certificate.
1. I heard Microsoft and Verisign revoked the stolen Realtek certificate, does it mean I’m safe now?
Due to the way certificates work, a revoked certificate doesn’t mean the malware will not run anymore. You will still get infected by Stuxnet and the driver will still load without any warning. The only effect of the revoke process is that the bad guys will not be able to sign any further malware with it.
It might be premature to talk about its impact being limited until the full scope of the intrusion and loss of data is made known, and the number of users affected by the intrusion (not disclosed so far).