Are You Also One of Those Who Downloaded Linux Mint on February 20th? You May Have Been Infected!
Linux Mint is one of the best and most popular distros available today, but if you have downloaded and installed the operating system recently, you might have done so using a malicious ISO image.
Here’s why:
Last night, an unknown hacker or group of hackers managed to break into the Linux Mint website and manipulate the download links so that they pointed to one of the attackers’ own servers, which offered a malicious ISO image for the Linux Mint 17.3 Cinnamon Edition.

“Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it,” the head of Linux Mint project Clement Lefebvre said in a surprising announcement dated February 21, 2016.

Who are affected?

As far as the Linux Mint team knows, the issue affects only one edition: Linux Mint 17.3 Cinnamon.
The compromise happened last night, so the issue only impacts people who downloaded that version of Linux Mint on February 20th.
If you downloaded the Cinnamon edition, or any other release, before Saturday, February 20th, the issue does not affect you. If you downloaded a different edition, or Mint 17.3 Cinnamon via torrent or a direct HTTP link, you are not affected either.

What had Happened?

The hackers are believed to have accessed the underlying server via the team’s WordPress blog, and from there obtained shell access as the www-data user.
From there, the hackers manipulated the Linux Mint download page and pointed it to a malicious FTP (File Transfer Protocol) server hosted in Bulgaria (IP:), the investigating team discovered.
The infected ISO images installed the complete OS together with the Internet Relay Chat (IRC) backdoor Tsunami, giving the attackers access to the system via IRC servers.
Tsunami is a well-known Linux ELF trojan that is a simple IRC bot used for launching Distributed Denial of Service (DDoS) attacks.

Hackers Re-gained Access to Linux Mint Website

The Linux Mint team discovered the hack, quickly cleaned up the links on their website and announced the breach on their official blog; however, the hackers then appear to have compromised the download page a second time.
Knowing that it had not yet eliminated the attackers’ exact point of entry, the Linux Mint team took the entire linuxmint.com domain offline to stop the malicious ISO images from spreading to its users.
The official Linux Mint website will remain offline until the team has fully investigated the issue. The hackers’ motive is not yet clear.

“What we don’t know is the motivation behind this attack. If more efforts are made to attack our project and if the goal is to hurt us, we’ll get in touch with authorities and security firms to confront the people behind this,” Lefebvre added.

Hackers Selling Linux Mint Full Website’s Database Online for $85

The hackers are selling the full Linux Mint website database for just $85, which suggests their lack of sophistication.
The hack seems to be the work of script kiddies or an inexperienced group, as they opted to infect a top-shelf Linux distro with a simple IRC bot that was already considered outdated in early 2010; a more capable group would instead have used more dangerous malware, such as banking Trojans.
Also, even after the hack was initially discovered, the hackers re-compromised the site, which again points to their lack of experience.

Here’s What You Can Do

Users who have the ISO image can check its checksum to make sure it is the genuine one.
To check for an infected download, compare the MD5 checksum of your ISO with the official values included in Lefebvre’s blog post.
If the download turns out to be infected, users are advised to follow these steps:
  • Take the computer offline.
  • Backup all your personal data.
  • Reinstall the operating system (with a clean ISO) or format the partition.
  • Change passwords for sensitive websites and emails.
You can read the full details of the hack here. The official website is not accessible at the time of writing. We’ll update the story when we hear more.
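One way to perform the checksum comparison above against a list of official digests, as an added example (not code from the Linux Mint project or the original post). It assumes the digest list is in the usual md5sum/sha256sum text format and was fetched from a channel the attacker did not control, since a site that serves a tampered ISO can just as easily serve a matching tampered checksum.

```python
# Added example (not from the Linux Mint project or the original post):
# verify a downloaded ISO against an md5sum/sha256sum-style checksum list
# ("<hex digest>  <filename>" per line) that was obtained out of band,
# never from the same web page that served the download.
import hashlib
import hmac
import tempfile
from pathlib import Path

def parse_manifest(text):
    """Map filename -> lowercase hex digest from a *sum-style listing."""
    expected = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:  # skip blank or malformed lines
            digest, name = parts
            expected[name.lstrip("*")] = digest.lower()  # '*' = binary mode
    return expected

def file_digest(path, algo="md5", chunk=1 << 20):
    """Stream the file so a multi-GB ISO need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_iso(path, manifest_text, algo="md5"):
    """Return 'ok', 'mismatch' or 'unlisted' for the file at `path`."""
    expected = parse_manifest(manifest_text)
    name = Path(path).name
    if name not in expected:
        return "unlisted"
    actual = file_digest(path, algo)
    return "ok" if hmac.compare_digest(actual, expected[name]) else "mismatch"

def demo():
    """Constructed data: a 'clean' image and a tampered copy of it."""
    clean = b"constructed stand-in for an ISO image\n" * 1000
    with tempfile.TemporaryDirectory() as d:
        good = Path(d, "linuxmint-17.3-cinnamon-64bit.iso")
        bad = Path(d, "linuxmint-17.3-cinnamon-32bit.iso")
        good.write_bytes(clean)
        bad.write_bytes(clean + b"appended backdoor payload\n")
        md5 = hashlib.md5(clean).hexdigest()  # official digest listed for both
        manifest = f"{md5}  {good.name}\n{md5} *{bad.name}\n"
        return (verify_iso(good, manifest), verify_iso(bad, manifest),
                verify_iso(Path(d, "other.iso"), manifest))
```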

An autistic schoolboy hanged himself after receiving a bogus “police” email claiming he had been looking at illegal websites and must pay a £100 fine.

Joseph Edwards was more susceptible to believing the scam was genuine because of his disability, a coroner heard today.

The 17-year-old A-level student was found hanged at his home by his mum, who has since launched a campaign to make children more aware of the dangers from internet scams.

Joseph received the online spam message, purportedly from Cheshire police, claiming that he had been visiting illegal websites on his computer and he would have to pay a large sum of money to avoid officers taking action.

However, the youngster took the bogus message literally because of his autism, leading him to hang himself in his family home in Windsor, Berkshire, the inquest heard.

The schoolboy had spent the day at home; when his mother Jacqueline returned to the house after 6pm, she opened the door to find his body hanging in the hallway.

His tearful mother told the hearing at Windsor Guildhall how her son had been a “happy boy”.

“He was generally happy and had just started new friendship circles and was enjoying himself,” she told the coroner.

Edwards was an A-level student with autism, a developmental disability that likely made him more susceptible to believing the Internet scam email, supposedly sent from Cheshire police, was genuine, a coroner heard on Thursday.
Edwards was so upset and depressed by the accusation and the extortionate demand that he hanged himself hours after falling victim to the threat. He was found hanged at his family home in Windsor by his mother Jacqueline Edwards, who told the coroner that he probably didn’t understand the implications of his actions.

“He didn’t seem to have any worries known to me. I don’t think he really understood,” Jacqueline Edwards told the coroner. “Joseph was subjected to a scam on the internet, a threatening, fake police link that was asking for money,” his mother said in a statement. “He would have taken it literally because of his autism and he didn’t want to upset Georgia [his sister] or me.”

As far as is known, police ransomware of this type does not encrypt files and usually asks the victim to pay a small fine of around $200 or €200. It is normally much easier to remove the threat from an infected system using dedicated tools designed to remove such infections.
According to Detective Sergeant Peter Wall, it will be almost impossible to trace the fraudsters behind the ‘crude’ email, but he believes it may have originated outside the UK.
This is not the first time ransomware has cost someone their life. Over a year ago, a Romanian family faced the same police ransomware threat, and the victim hanged himself and his four-year-old son, fearing that his young son would pay for his mistake; he acted in a moment of delusion.
Ransomware is one of the most blatant and obvious criminal money-making schemes out there, of which the CryptoLocker threat was the peak, and cyber criminals have developed many CryptoLocker variants (PrisonLocker, Linkup, IcePole, CryptoBit) against which you have to safeguard your system.

Users of WordPress, the free and open source blogging tool and content management system (CMS), are being warned of a widespread malware campaign that has already compromised more than 100,000 websites worldwide, and counting.
The news broke across the WordPress community on Sunday morning when Google blacklisted over 11,000 domains because of the campaign, which loads its malware from SoakSoak.ru and has therefore been dubbed the ‘SoakSoak Malware’ epidemic.
With more than 70 million websites on the Internet currently running WordPress, this malware campaign could be a serious threat to anyone running their website on WordPress.
Once infected, you may experience irregular website behavior, including unexpected redirects to SoakSoak.ru web pages. Malicious files may also be downloaded onto your computer automatically, without your knowledge.
The search engine giant has already been on top of this infection and has added over 11,000 websites to its blacklist, which could seriously affect the revenue of the owners of those blacklisted websites.
The security team at the security firm Sucuri, which is actively investigating the malware’s likely infection vector, said that the infections are not targeted at WordPress websites alone, but the impact appears to be felt by most hosts across the WordPress hosting spectrum.
The SoakSoak malware modifies the file wp-includes/template-loader.php so that wp-includes/js/swobject.js is loaded on every page view of the website; this swobject.js file contains an encoded malicious JavaScript payload.
If you run a website and are worried about the risk of infection, Sucuri has provided a free SiteCheck scanner that will check your website for the malware. The exact method of intrusion has not been identified at this time, but numerous signals suggest that many WordPress users could have fallen victim to this attack.
If you are behind Sucuri’s Website Firewall, CloudProxy, you are protected from the SoakSoak malware campaign.
Source: THN
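The two file-level indicators described above, turned into a scanner for a hosting root with several WordPress installs, as an added example that is not Sucuri’s or the original post’s code; the trees it scans are constructed in a temporary directory, and the site names clean.example and infected.example are placeholders.

```python
# Added example (not Sucuri's or the original post's code): flag the two
# file-level indicators the article describes in a WordPress install,
# a wp-includes/template-loader.php that references swobject.js and a
# wp-includes/js/swobject.js file, which is not part of a stock install.
import re
import tempfile
from pathlib import Path

LOADER = Path("wp-includes/template-loader.php")
DROPPED_JS = Path("wp-includes/js/swobject.js")
LOADER_IOC = re.compile(r"swobject\.js", re.IGNORECASE)


def scan_wordpress(root):
    """Return (indicator, path) tuples found under one WordPress root."""
    root, findings = Path(root), []
    loader = root / LOADER
    if loader.is_file() and LOADER_IOC.search(
            loader.read_text(encoding="utf-8", errors="replace")):
        findings.append(("template-loader.php references swobject.js", str(loader)))
    dropped = root / DROPPED_JS
    if dropped.is_file():
        findings.append(("unexpected swobject.js present", str(dropped)))
    return findings


def scan_many(parent):
    """Scan every site directory directly under a hosting root."""
    return {site.name: scan_wordpress(site)
            for site in sorted(Path(parent).iterdir()) if site.is_dir()}


def demo():
    """Constructed sample trees: one clean install and one infected one."""
    clean_loader = "<?php\n// stock template-loader.php (constructed stand-in)\n"
    infected_loader = clean_loader + (
        "add_action('wp_enqueue_scripts', function () {"
        " wp_enqueue_script('soak', '/wp-includes/js/swobject.js'); });"
        " // constructed: injected loader line\n")
    with tempfile.TemporaryDirectory() as d:
        for name, loader, dropped in (("clean.example", clean_loader, False),
                                      ("infected.example", infected_loader, True)):
            site = Path(d, name)
            (site / LOADER).parent.mkdir(parents=True)
            (site / LOADER).write_text(loader)
            if dropped:
                (site / DROPPED_JS).parent.mkdir(parents=True)
                (site / DROPPED_JS).write_text("/* constructed encoded payload */\n")
        return {site: [ind for ind, _ in hits] for site, hits in scan_many(d).items()}
```

A match on either indicator is a reason to restore the install from a known-good copy rather than just deleting the two files, since the page does not say how the attackers got write access in the first place.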

Security researchers from the Russian Internet giant Yandex have discovered a new piece of malware that is being used to target Linux and FreeBSD web servers in order to make them part of a wide botnet, without needing root privileges.
Researchers dubbed the malware Mayhem; it is modular, includes a number of malicious payloads, and targets only machines that are not kept up to date with security patches or are unlikely to run security software.
So far, researchers have found over 1,400 Linux and FreeBSD servers around the world that have been compromised by the malware, with potentially thousands more to come. Most of the compromised machines are located in the USA, Russia, Germany and Canada.
Three security experts, Andrej Kovalev, Konstantin Ostrashkevich and Evgeny Sidorov, who work at the Russia-based Internet portal Yandex, discovered the malware targeting *nix servers. They were able to trace transmissions from the infected computers to two command and control (C&C) servers.

“In the *nix world, autoupdate technologies aren’t widely used, especially in comparison with desktops and smartphones. The vast majority of web masters and system administrators have to update their software manually and test that their infrastructure works correctly,” the trio wrote in a technical report for Virus Bulletin.

For ordinary websites, serious maintenance is quite expensive and often webmasters don’t have an opportunity to do it. This means it is easy for hackers to find vulnerable web servers and to use such servers in their botnets.

Researchers say that this new malware can operate under restricted privileges and was designed with multiple functions in mind. The attack is carried out via a sophisticated PHP script that has a low detection rate among the available antivirus engines.
The infected system communicates with the command and control servers, which can send the malware different instructions. As mentioned above, Mayhem is modular: its functions can be expanded through plugins, and so far eight plugins have been discovered, listed below:
  • rfiscan.so – Find websites that contain a remote file inclusion (RFI) vulnerability
  • wpenum.so – Enumerate users of WordPress sites
  • cmsurls.so – Identify user login pages in sites based on the WordPress CMS
  • bruteforce.so – Brute force passwords for sites based on the WordPress and Joomla CMSs
  • bruteforceng.so – Brute force passwords for almost any login page
  • ftpbrute.so – Brute force FTP accounts
  • crawlerng.so – Crawl web pages (by URL) and extract useful information
  • crawlerip.so – Crawl web pages (by IP) and extract useful information
In the case of rfiscan.so, the malware spreads by finding servers hosting websites with a remote file inclusion (RFI) vulnerability, which it checks using the file ‘http://www.google.com/humans.txt’. If the HTTP response contains the words ‘we can shake’, the plugin concludes that the website has a remote file inclusion vulnerability.
Once the malware exploits an RFI, or any of the other weaknesses mentioned above, and gets installed, it runs a PHP script on the victim. The PHP script kills all ‘/usr/bin/host’ processes, checks the system architecture and OS (whether Linux or FreeBSD), and then drops a malicious object identified as ‘libworker.so’.
The PHP script also defines a variable named ‘AU’, which holds the full URL of the script being executed, and runs a shell script that then pings its command-and-control server.
The malware then creates a hidden file system, known as sd0, and downloads all eight plugins listed above, none of which were detected by the VirusTotal malware scanning tool at the time.
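Added example (not from the Yandex report or this post): the RFI probe and the WordPress login brute-forcing described above both leave a trace in the target’s web server access log, and this script flags them over constructed combined-format log lines. The IP addresses are from documentation ranges and the five-request threshold is an assumption.

```python
# Added example (not from the Yandex report or the original post): look for
# two of the scanner behaviours described above in web server access logs,
# an RFI probe passing http://www.google.com/humans.txt (or any absolute
# URL) as a parameter value, and a burst of POSTs to wp-login.php from
# one client. The log lines below are constructed; the threshold is assumed.
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
                    r'(?P<target>\S+) [^"]*" (?P<status>\d{3})')
RFI_MARKER = "www.google.com/humans.txt"  # the probe target named in the article


def parse_line(line):
    """Parse one combined-format line into a dict, or None if unparseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rfi_probes(lines):
    """Requests whose query string carries an absolute URL as a value."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        parts = urlsplit(rec["target"])
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if value.lower().startswith(("http://", "https://", "ftp://")):
                hits.append({"ip": rec["ip"], "path": parts.path, "param": key,
                             "url": value, "known_marker": RFI_MARKER in value})
    return hits


def login_bruteforce(lines, threshold=5):
    """Client IPs with at least `threshold` POSTs to wp-login.php."""
    posts = Counter(rec["ip"] for rec in filter(None, map(parse_line, lines))
                    if rec["method"] == "POST"
                    and urlsplit(rec["target"]).path.endswith("/wp-login.php"))
    return {ip: n for ip, n in posts.items() if n >= threshold}


SAMPLE_LOG = [  # constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    '203.0.113.7 - - [10/Jul/2014:03:12:01 +0000] "GET /index.php?page=http://www.google.com/humans.txt HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2014:03:12:02 +0000] "GET /view.php?inc=http://203.0.113.7/t.txt HTTP/1.1" 500 211 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jul/2014:03:13:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
] + ['198.51.100.23 - - [10/Jul/2014:03:14:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3310 "-" "Mozilla/5.0"' % s
     for s in range(6)]
```

A hit with known_marker set is a direct match for the rfiscan.so check; any other absolute URL in a parameter is the same class of probe and worth the same triage.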
Mayhem was first detected in April 2014, and according to the trio, it is a continuation of the “Fort Disco” brute-force campaign that was unearthed by Arbor Networks in 2013.
The Yandex researchers warned people that there may be more plugins in circulation, based on information they discovered on the two detected Command-and-Control servers, including one which specifically exploits the systems that haven’t patched the critical Heartbleed vulnerability in OpenSSL.