Domain: welivesecurity.com
Stories and comments across the archive that link to welivesecurity.com.
Comments · 62
-
actual write-up on the iBanking bot
Hello,
The ITWorld article didn't mention it, so here's a link to the actual write-up on the bot, which is actually called Android/Spy.Agent.AF: Facebook Webinject Leads to iBanking Mobile Bot.
Regards,
Aryeh Goretsky
-
Re:considering what is known about the NSA
You say this as though China is innocent of such shenanigans. It's been known for years that they backdoor stuff made in China - we still buy all our crap from them.
-
How about linking some actual information in TFS?
Like this whitepaper that actually contains some details about the malware and how it spreads rather than "OMG! Your server might be infected! Run this shell script to check!".
-
Re:FreeBSD 9.1
Here's the complete check from http://www.welivesecurity.com/...
The command ssh -G has a different behaviour on a system with Linux/Ebury. A clean server will print
ssh: illegal option -- G
to stderr but an infected server will only print the typical “usage” message. One can use the following command to determine if the server he is on is compromised:
$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
-
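The `ssh -G` test quoted in the comment above, as an added example that is neither ESET's code nor the commenter's: the grep logic is wrapped in a function so it can be exercised on captured output, and it is gated on the client version, because OpenSSH 6.8 and later accept `-G` as a documented option (print the evaluated configuration), so a clean modern client also prints only the usage text and the original one-liner would report "System infected". The banners and `ssh -G` outputs below are constructed samples, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from ESET's Ebury paper nor from the comment above.

# classify_ssh_g TEXT: apply the grep logic of the ESET check to TEXT, the
# combined stdout+stderr of `ssh -G`. Prints "clean" or "infected".
classify_ssh_g() {
    if printf '%s\n' "$1" | grep -q -e illegal -e unknown; then
        echo clean
    else
        echo infected
    fi
}

# openssh_accepts_g VERSION_TEXT: exit 0 if the output of `ssh -V` names
# OpenSSH 6.8 or newer (where -G is a real option), exit 1 if older,
# exit 2 if the text is not an OpenSSH banner at all.
openssh_accepts_g() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver
    if [ "$1" -gt 6 ] || { [ "$1" -eq 6 ] && [ "$2" -ge 8 ]; }; then
        return 0
    fi
    return 1
}

# ebury_verdict VERSION_TEXT SSH_G_TEXT: on a client that accepts -G the
# original test cannot tell clean from infected, so say "inconclusive"
# rather than produce a false positive; otherwise apply the check.
ebury_verdict() {
    if openssh_accepts_g "$1"; then
        echo inconclusive
    else
        classify_ssh_g "$2"
    fi
}

# Constructed samples (not captured from any real host).
OLD_BANNER='OpenSSH_5.9p1 Debian-5ubuntu1.4, OpenSSL 1.0.1 14 Mar 2012'
NEW_BANNER='OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017'
OUT_CLEAN_OLD='ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'
OUT_USAGE_ONLY='usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'

# Live use on the host being checked:
#   ebury_verdict "$(ssh -V 2>&1)" "$(ssh -G 2>&1)"
echo "old client, illegal-option line: $(ebury_verdict "$OLD_BANNER" "$OUT_CLEAN_OLD")"
echo "old client, usage text only:     $(ebury_verdict "$OLD_BANNER" "$OUT_USAGE_ONLY")"
echo "6.8+ client, usage text only:    $(ebury_verdict "$NEW_BANNER" "$OUT_USAGE_ONLY")"
```

On an "inconclusive" host the ESET paper's other indicators (the shared memory segment and the modified libkeyutils, as described in the linked write-up) are the way forward; the `-G` test alone says nothing there.
-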
Botnet?
What if some botnet is using Tor? Maybe it has been rolled out in the last few days, weeks or months and is now being activated and communicating with its C&C server over Tor? It would explain the massiveness and the suddenness. I don't believe this sudden rise can be explained by ordinary people all using Tor at the same time.
-
Original report from *last week* by ESET
Hello,
Norman has done an excellent job with their report on the malware; however, it should be noted that the initial report came from ESET last week at the CARO anti-malware conference:
Targeted information stealing attacks in South Asia use email, signed binaries
I would also like to point out that while it is easy to assume that the Indian government (or someone connected with it) was responsible for these targeted attacks given the seemingly poor job in hiding their tracks (domain name registrations, embedded metadata, et cetera), it could also be a more sophisticated adversary who specifically manufactured those in an attempt to divert attention from themselves. After all, Pakistan shares borders with Afghanistan, China and Iran, and there are other countries who are likely interested as well, for geopolitical and even economic reasons.
Threat attribution is incredibly difficult, and attempts to blame India at this point may not just be foolish, but counterproductive as well.
Regards,
Aryeh Goretsky
-
Checker code: download, compile, run
Thanks for the info !!
Looks like I ain't gonna enjoy lots of sleep from now until next weekend
You could download and compile (for your web server) the detection C code provided here. Then you'll have less uncertainty.
I had to cross-compile it for an old Synology box with a PowerPC 8241 processor; it seems to be clean.
-
Re:Why?
Why isn't there a list of infected sites? Avoiding them would seem to be a priority.
Here is how to make sure you are not one of the infected sites: Compile and run this:
http://www.welivesecurity.com/wp-content/uploads/2013/04/dump_cdorked_config.c
If you don't want to vet that, you can get a first approximation with "ipcs": just look for the Apache PID, which you can get from "ps aux | grep apache2".
-
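The "first approximation" described in the comment above, as an added example (not ESET's dump_cdorked_config.c and not the commenter's code): join the segment sizes from `ipcs -m` with the creator PIDs from `ipcs -m -p` and report every segment created by an Apache process. The `ps aux` and `ipcs` listings below are constructed samples, the util-linux column layout of `ipcs` is assumed, and the function names are mine. Modules such as a shared session cache legitimately create segments too, which is exactly why a hit here only earmarks a segment for the real dump tool.

```shell
#!/bin/sh
# Added example, not from ESET nor from the comment above.

# apache_pids PS_TEXT: PIDs of apache2/httpd processes from `ps aux` output
# (PID is column 2, command is column 11); the "grep apache2" line itself
# has "grep" in column 11 and is therefore not matched.
apache_pids() {
    printf '%s\n' "$1" | awk '
        $11 ~ /(apache2|httpd)$/ { p = p (p ? " " : "") $2 }
        END { print p }
    '
}

# flag_apache_shm IPCS_M_TEXT IPCS_MP_TEXT APACHE_PIDS
#   IPCS_M_TEXT : output of `ipcs -m`    (key shmid owner perms bytes nattch status)
#   IPCS_MP_TEXT: output of `ipcs -m -p` (shmid owner cpid lpid)
#   APACHE_PIDS : space-separated Apache PIDs
# Prints "shmid bytes cpid" for each segment whose creator PID is an Apache PID.
flag_apache_shm() {
    printf '%s\n' "$1" "===" "$2" | awk -v pids="$3" '
        BEGIN { n = split(pids, a, " "); for (i = 1; i <= n; i++) apache[a[i]] = 1 }
        /^===$/ { part = 2; next }                      # boundary between the two listings
        part != 2 && $1 ~ /^0x/ { bytes[$2] = $5; next } # ipcs -m data line: key shmid ... bytes
        part == 2 && $1 ~ /^[0-9]+$/ && ($3 in apache) { print $1, bytes[$1], $3 }
    '
}

# Constructed samples (not captured from any real host).
PS_SAMPLE='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      1234  0.0  0.4  71248  3412 ?        Ss   10:02   0:00 /usr/sbin/apache2 -k start
www-data  1240  0.0  0.5 360612  4760 ?        Sl   10:02   0:00 /usr/sbin/apache2 -k start
postgres   800  0.0  0.9 221140  7860 ?        S    10:01   0:00 /usr/lib/postgresql/9.1/bin/postgres
root      2291  0.0  0.0   9388   920 pts/0    S+   10:05   0:00 grep apache2'

IPCS_M_SAMPLE='------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 65536      www-data   600        6119424    2          dest
0x0052e2c1 98305      postgres   600        56         6
0x00000000 131074     www-data   600        32768      2'

IPCS_MP_SAMPLE='------ Shared Memory Creator/Last-op PIDs --------
shmid      owner      cpid       lpid
65536      www-data   1234       1240
98305      postgres   800        810
131074     www-data   1234       1240'

echo "Apache PIDs: $(apache_pids "$PS_SAMPLE")"
echo "Segments created by Apache (shmid bytes cpid):"
flag_apache_shm "$IPCS_M_SAMPLE" "$IPCS_MP_SAMPLE" "$(apache_pids "$PS_SAMPLE")"

# Live use on a web server:
#   flag_apache_shm "$(ipcs -m)" "$(ipcs -m -p)" "$(apache_pids "$(ps aux)")"
```

Both Apache-created segments in the sample are reported, the large one and the small one; the size column is what separates a candidate worth dumping from routine module state, and the dump tool linked above is what confirms it.
-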
Another Link
Here's another link about this issue.
Seems systems with cPanel installed are getting hit with this. Better get a hash of your current apache executable so you can easily check it down the road.
-
Re:Better Question
Hello,
Not sure which anti-malware software you are using, but a quick check of my employer's gave me half-a-dozen hits:
- Win32/Adware.Yontoo - added Apr 15 2011
- Win32/Adware.Coupons - added Apr 05 2005
- Win32/Adware.Toolbar.MyWebSearch - added Apr 29 2005
- Win32/TrojanDropper.FunWeb - added Jun 08 2004
- Win32/Freeze - added Feb 02 2006
- Win32/Candy - added Nov 10 2006
Not sure about the others, but I would not be surprised if they are detected, just with a different name than you wrote. Maybe you just need to change anti-malware software, and make sure detection of Potentially Unwanted Applications is turned on in it.
Regards,
Aryeh Goretsky
-
Re:What about the scammers
Hello,
Were those the Political Opinions of America calls? If so, that's apparently a modified "boiler room" type scam where the goal is to get you to purchase a "free cruise" to the Bahamas out of Florida. If you take them up on the offer, apparently you get stuck on a ferry and receive a bunch of high-pressure sales tactics to buy into a time share. Here are a couple of blog entries I wrote about them:
If you were the victim of such a scam, you might want to get in touch with this law firm, which is looking into it.
Regards,
Aryeh Goretsky