Microsoft Security Advisory (2887505) On September 17th, 2013, Microsoft published Security Advisory 2887505, which coverers a remote code execution vulnerability in all supported versions of Microsoft Internet Explorer. The flaw resides in the handling of objects in memory which have been deleted or improperly allocated. Specifically, a use-after-free flaw in the HTML rendering engine (aka Read more…
Recently we found some new malware samples using AutoIt to hide themselves. On further analysis we found that those sample belong to the Vertexnet botnet. They use multiple layers of obfuscation; once decoded, they connect to a control server to accept commands and transfer stolen data. This sample is packed using a custom packer. On Read more…
Last month, I posted a blog about an increase in the use of AutoIt scripts by malware authors to carry out malicious activities. Attackers have used AutoIt scripts for a long time, and they are gaining in popularity due to their flexible and powerful nature. We have now come across another piece of malware (which Read more…
During our routine patrols of popular marketplaces offering Android applications we recently came across some suspicious applications hosted on the popular Google Play. The applications are distributed as hacking tools, utility tools, and pornographic apps by different developers. Here are images for a few of them: Suspicious applications on Google Play. These apps seem to Read more…
Hesperus, or Hesperbot, is a newly discovered banker malware that steals user information, mainly online banking credentials. In function it is similar to other “bankers” in the wild, especially Zbot. Hesperus means evening star in Greek. It is very active in Turkey and the Czech Republic and is slowly spreading across the globe. This sophisticated Read more…
Lately, we have seen a good number of samples generating some interesting network traffic through our automated framework. The HTTP network pattern generated contains a few interesting parameters, names like “&av” (for antivirus?) and “&vm=”(VMware?), The response received looked to be encrypted, which drew my attention. Also, all the network traffic contained the same host Read more…
In the McAfee Labs blog we have covered many techniques that malware uses to evade code-based detection. In my previous blog I discussed procedure prologue and procedure epilogue techniques to evade security systems. We recently came across one more set of fake-alert samples that use a different technique to evade detection. This technique is related Read more…
Bitcoin issues have been front-page news in recent months, especially after its surprising April exchange rate. In the latest McAfee Threats Report, for the second quarter of 2013, we discuss this topic. The following timeline highlights recent events about this virtual currency. In our report we noted the growing interest in malware Bitcoin miners: malware Read more…
As the most popular mobile platform, Android has grown exponentially in recent years, increasing the market for new developers to show their skills with novel applications. However, not all developers have the best intentions in mind; some take advantage of the popularity of Android to develop malicious applications. In this blog we will show the Read more…
During the last two years we have observed the accelerated discovery of Android malware by the security industry. Malware authors today often create and distribute fake “antimalware” apps that simulate the scan of files on a device. These fake apps report fake threats (and sometimes make the device unusable). The goal is to get victims Read more…