no-image

New MacOS X backdoor variant used in APT attacks

Two days ago we intercepted a new APT campaign using a new MacOS X backdoor variant targeted at Uyghur activists. The application is actually a new, mostly undetected version of the MaControl backdoor (Universal Binary), which supports both i386 and PowerPC Macs. We detect it as “Backdoor.OSX.MaControl.b”. Read Full Article

no-image

The Day The Stuxnet Died

Deep inside one of Stuxnet’s configuration blocks, a certain 8 bytes variable holds a number which, if read as a date, points to June 24th, 2012. This is actually the date when Stuxnet’s LNK replication sub-routines (http://www.securelist.com/en/blog/269/Myrtus_and_Guava_Episode_1) stop working and the worm stops infecting USB memory sticks. Read Full Article

no-image

Android Security Suite Premium = New ZitMo

On the 4th of June 2012 we found 3 APK files of ~207 kb in size each heuristically detected by our engine as HEUR:Trojan-Spy.AndroidOS.Zitmo.a. All these applications are malicious and were created to steal incoming SMS messages from infected devices. SMS messages will be uploaded to a remote server whose URL is encrypted and stored inside the body of the Trojan. We found 3 more APK files with exactly the same functionality on 8th, 13th and 14th of June. So there are at least 6 files which pretend to be ‘Android Security Suite Premium’ but in fact were created only for stealing incoming SMS messages. Read Full Article

no-image

New APT Attack Shows Technical Advance in Exploit Development

Recently, we came by an interesting targeted attack which was evading most antivirus products. This is a recent spearphish targeting various Tibetan and human rights activists. It demonstrates the level of effort put into infiltrating their groups with some unique characteristics, relative to the many other exploits targeting CVE-2012-0158. Here’s how such e-mails appear:

Read Full Article

no-image

Patch Tuesday June 2012 – IE Client Side and RDP Exposures, 27 Other Vulnerabilities

Microsoft released a set of five bulletins, patching 29 total software vulnerabilities. Multiple remote code execution holes are being patched, but the two most urgent are the Internet Explorer and Remote Desktop Protocol updates. Almost half of the 29 vulnerabilities being patched this month are maintained in versions 6, 7, 8, and 9 of Internet Explorer code, all patched with Security Bulletin MS12-037. Read Full Article

no-image

Back to Stuxnet: the missing link

Two weeks ago, when we announced the discovery of the Flame malware we said that we saw no strong similarity between its code and programming style with that of the Tilded platform (http://www.securelist.com/en/analysis/204792208/Stuxnet_Duqu_The_Evolution_of_Drivers) which Stuxnet and Duqu are based on. Read Full Article