Since information is the new currency, cybercriminals are constantly formulating schemes to steal precious data from users. PASSTEAL, their latest attempt at information-stealing, incorporates a password recovery tool that effectively gathers login credentials – even for websites with secured connection.

We have noted several infostealing malware in the past, including TSPY_PIXSTEAL.A that collects image files and sending these to remote FTP servers. PASSTEAL exhibits certain behavior similar to PIXSSTEAL, but this malware steals information quite differently.

TSPY_PASSTEAL.A Gathers Info Stored in Browsers

Detected as TSPY_PASSTEAL.A, this infostealer sniffs out accounts from different online services and applications to steal login credentials and stores these in a .TXT file named {Computer name}.txt.

Unlike most info stealing malware that logs keystrokes to gather data, PASSTEAL uses a password recovery app to extract passwords stored in the browser. The particular sample we analyzed contains compressed data, which is the app “PasswordFox” designed for Firefox.

Once PASSTEAL extracts the data, it executes the command-line switch “/sxml” to save the stolen credentials in an .XML file, which the malware also uses to create a .TXT file. PASSTEAL then connects to a remote FTP server to store the collected information.

Read the rest of this entry »

In the previous quarter, we reported that we protected against more than 142 million threats in the first half of 2012 alone. One prominent threat in this period was ZACCESS, which is also known as ZeroAccess or SIREFEF. It can push fake applications and other malware onto infected systems, while using its rootkit capabilities to hide from detection.

The table below shows Japan places 2nd in terms of infection ranking, followed by US. In fact, Japan Regional TrendLabs received a lot of queries from our customers, which also triggered our in-depth analysis.

Peer-to-peer functionality

Backdoors typically establish each session by connecting from affected PCs to command-and-control (C&C) servers in order to receive commands from attackers. However, it’s not the case that a corresponding session is established from the C&C servers to affected PCs. Based on our analysis of BKDR_ZACCESS, it establishes bidirectional connections with other infected machines using its P2P functionality. This helps reduce the load on its C&C servers, as well as making the network more robust against a potential takedown of its C&C servers. This allows it to send and receive commands between affected PCs and not using any C&C servers.

Read the rest of this entry »

Recently, I spoke at the hashdays security conference in Switzerland to talk about the security of Near field communication (NFC) – specifically, how people and businesses can use it securely.

While NFC is not quite yet seeing widespread usage, early adopters – like many readers of this blog – are already using it in their lives. Some mobile manufacturers are touting the addition of NFC in their mobile devices. For my talk, I discussed what aspects of NFC usage can be considered secure, and what can be considered just “convenient”; what businesses can do to keep their customers safe; and what features of NFC should designers implement or completely avoid.

For home users, though, the most important part of my talk was what they can do to keep themselves safe. It’s never too early to pick up good NFC habits. What are these habits that can keep you secure? They are:

• Lock your mobile device. In general, devices have to be turned on or unlocked before they can read any NFC tags. A simple screen lock – even without any password being used – can protect users against these threats.
• For passive tags, use an RFID/NFC-blocking device (such as a wallet). Passive tags will emit fixed information in the presence of a NFC field, which means that there is a slight privacy risk carrying around these devices – if a blocking device is not used. (Anti-static bags can also block RFID devices.) This isn’t the case for mobile devices as their NFC reader automatically turns off once devices are locked, so this precaution is not necessary.
• Use an NFC reader app on your mobile device. By default, most mobile devices will simply open a URL if one is detected on an NFC tag. If you wouldn’t lick a tag, you shouldn’t open it blindly – instead, use an app like NFC TagInfo or NFC TagInfo by NXP to read the tag first. The apps will be able to tell you what information is on the tag – allowing you to make an informed decision if you want to scan it or not.

We’ve seen no indication that NFC has been used in the wild by attackers, but it’s never too early to develop good habits when using this emerging – and promising – technology.