
Tag: Adobe

The fix covers 23 holes in the Windows, Mac, Linux, ChromeOS, Android, and iOS versions. Adobe has released emergency security updates for Flash Player to address critical vulnerabilities that may open the door to a system breach. The new version is crucial for users of basically any PC or mobile device, and should be downloaded immediately.

The patch, according to the BBC, fixes 23 holes in the Windows, Mac, Linux, ChromeOS, Android, and iOS versions. Adobe has, however, admitted that one exploit (CVE-2016-1010) is already in the wild, "being used in limited, targeted attacks." The company did not immediately respond to PCMag's request for comment. In July, Flash Player was patched after a Hacking Team breach left the program vulnerable to attack. Mozilla later moved to block all versions of Flash in Firefox "by default," until Adobe released a more stable version. Facebook in December jumped on the bandwagon, ditching Flash-based video players in favor of HTML5, a more secure framework.

The social network followed Vimeo, Netflix, YouTube, and Twitch in making the switch. Tech titan Google, which teamed up with Adobe last year to intelligently pause non-essential Flash content to preserve your computer battery, recently announced its own plan for display ads to go 100 percent HTML5. Adobe may be down, but it's not out: Late last year, the company unveiled its intention to rename the Flash Professional CC program to Animate CC, expected to arrive sometime this year. "While standards like HTML5 will be the Web platform of the future across all devices, Flash continues to be used in key categories like Web gaming and premium video, where new standards have yet to fully mature," Adobe said in a December statement.
Adobe has issued an emergency update for its Flash media player that patches almost two dozen critical vulnerabilities, including one that's being maliciously exploited in the wild. "These updates address critical vulnerabilities that could potentially...
Microsoft releases thirteen bulletins this month, patching a total of 44 vulnerabilities. More than half of the critical vulnerabilities fixed this month affect the web browsers, Internet Explorer and Microsoft Edge.
Vulnerabilities rated critical also exist in OpenType font parsing kernel components, Windows Media Player, and the Windows PDF library. Microsoft reports that none of these vulnerabilities have been publicly disclosed or exploited in the wild. Almost everyone running a Windows system that installs these updates will have to reboot that system.

A variety of OS, kernel driver, web browser, and entertainment and productivity applications are affected:
Internet Explorer
Microsoft Edge
Microsoft Mail Library Loading Validation
Windows Adobe Type Manager Library OpenType Font Parsing (in the past, atmfd.dll)
Windows Media
Microsoft Office
Windows OLE supporting applications like Microsoft Office (Asycfilt.dll, Ole32.dll, Oleaut32.dll, Olepro32.dll)
Windows Security Authority (seclogon.dll)
Multiple Drivers (KMD)
.Net Framework

Microsoft is patching yet another DLL side-loading vulnerability, a fairly common problem. Microsoft has been addressing DLL pre-/side-load problems since Win2k SP4! But this one appears to be a bit of a corner case, requiring the use of Microsoft Mail and that a malicious OLE document be opened for editing on the target’s system. We are anticipating that more than a couple of these vulnerabilities will be attacked in the wild.
In the meantime, we are prioritizing other packages, like Adobe and their updates.
So update your software – now!

Patch Tuesday

Microsoft has published the March edition of its monthly security updates, addressing security flaws in Internet Explorer, Edge and Windows, while Adobe has issued updates for Digital Editions, Acrobat and Reader. Microsoft posted 13 bulletins this month:

MS16-023: A cumulative update for Internet Explorer addressing 13 CVE-listed vulnerabilities, including remote code execution flaws.
Visiting a booby-trapped webpage using IE can trigger the execution of malicious code and malware on the system.

MS16-024: A cumulative update for Microsoft Edge that addresses 10 CVE-listed memory corruption vulnerabilities and one information disclosure flaw.

MS16-025: An update for a single remote code execution vulnerability in Windows.

This flaw only affects Windows Vista, Server 2008 and Server Core. "A remote code execution vulnerability exists when Microsoft Windows fails to properly validate input before loading certain libraries," says Redmond. "An attacker who successfully exploited this vulnerability could take complete control of an affected system.

An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

MS16-026: Two CVE-listed vulnerabilities in Windows, one causing denial of service and another allowing remote code execution.
If an attacker convinces "a user to open a specially crafted document, or to visit a webpage that contains specially crafted embedded OpenType fonts," then malicious code will execute on their system.

MS16-027: Two CVE-listed vulnerabilities in Windows Media Parsing, both potentially allowing remote code execution.
Visiting a webpage with a booby-trapped video embedded in it can exploit the bug to hijack the PC.

MS16-028: Two flaws in the Windows PDF Library that allow for remote code execution if you open a maliciously crafted document.

MS16-029: An update for Office addressing two memory corruption flaws and one security feature bypass vulnerability. Opening a document laced with bad code will trigger the bugs.

MS16-030: An update for two remote code execution vulnerabilities in Windows OLE. "An attacker must convince a user to open either a specially crafted file or a program from either a webpage or an email message," noted Microsoft.

After that, code execution is possible.

MS16-031: An elevation of privilege vulnerability in Windows: applications can abuse handles in memory to gain administrator-level access.

MS16-032: An elevation of privilege vulnerability in the Windows Secondary Logon Service: again, applications can abuse handles in memory to gain administrator-level access.

MS16-033: An update to address a flaw in the Windows USB Mass Storage Class Driver that could allow attackers to gain elevation of privilege with a specially-crafted USB drive.

MS16-034: A collection of four elevation of privilege flaws in the Windows Kernel-Mode Drivers: applications can exploit these to execute malicious code at the kernel level.

MS16-035: A fix for one security feature bypass flaw in the .NET framework.

Adobe, meanwhile, has issued two updates for its products: Digital Editions for Windows, OS X, iOS and Android has been updated to patch a remote code execution vulnerability. Acrobat and Reader for Windows and OS X have been updated to address three CVE-listed remote code execution flaws. Users should also expect an update for unspecified vulnerabilities in Flash Player "in the coming days."
In the late 1990s, Microsoft Office macros were a favorite vehicle for surreptitiously installing malware on the computers of unsuspecting targets. Microsoft eventually disabled the automated scripts by default, a setting that forced attackers to look for new infection methods. Remotely exploiting security bugs in Internet Explorer, Adobe Flash, and other widely used software soon came into favor. Over the past two years, Office macros have made a dramatic comeback that has reached almost a fevered pitch in the past few months.

Booby-trapped Excel macros, for instance, were one of the means by which Ukrainian power authorities were infected in the weeks or months leading up to December's hacker-caused outage that affected 225,000 people. "Locky," a particularly aggressive strain of crypto ransomware that appeared out of nowhere two weeks ago, also relies on Word macros.

The return of the macro-delivered malware seemed to begin in late 2014 with the advent of a then-new banking trojan called Dridex. The return of the macro may have been a reaction to security improvements that Adobe, Microsoft, and Oracle have made to their software. Not only were the companies patching dangerous bugs more quickly, but in many cases, they fortified their code with defenses that caused exploits to simply crash the application rather than force it to execute malicious code.
Streamlined update mechanisms and greater end user awareness about the importance of installing security patches right away may also have caused code-execution exploits to fall out of favor. The renewed embrace of the macro is also consistent with the modus operandi attackers have exhibited for years. What's the point of burning a highly valuable zero-day vulnerability when a run-of-the-mill social engineering ploy and an easy-to-write Visual Basic script accomplish the same thing?

[Image: Phishme.com]

New dogs learn old tricks

The new era of macro-delivered infections poses challenges that didn't exist in the late 1990s.

Back then, getting targets to open a poisoned Office document was usually enough to compromise their computer. Now that macros are disabled by default, the attacker has to create a ruse that convinces the mark to enable macros.

A favorite ploy is to present a document with blurred, obscured, or misformed text, along with the promise that allowing a macro to run will cause that document to be displayed correctly. Judging from the success of Dridex and Locky, it appears the ruse works well. The resurgence underscores some sad truisms in the world of security.

First, old tricks work wonders and often provide attackers with a useful fallback when countermeasures and security improvements threaten the spread of malicious applications.
Second, human gullibility and error are a constant.
Sadly, that's true not only for inebriated people surfing porn in the wee hours, but also end users who clearly should know better—such as those inside the Ukrainian power authority, who were infected with malware known as BlackEnergy. (In fairness, accountants and other types of professionals often rely on macros to do their jobs.) Readers who receive documents in e-mail should think twice about opening them at all.

They should think doubly hard before ever enabling a macro. (In the 10 or so years since Microsoft disabled macros by default, I've never once enabled one, and there has never been a bad outcome.) Unfortunately, there are no readily available patches for the kind of ineptitude that makes these types of attacks possible. Or as Ron White put it, you can't fix stupid.

Expect them to remain a core part of the malware scene for the foreseeable future.
[Image: Kirby Ferguson]

In 2014, no company filed more patent lawsuits than eDekka LLC, a Texas-based company with just one asset—US Patent No. 6,266,674.

Fully 168 patent lawsuits came to a sudden halt in October, when US District Judge Rodney Gilstrap stopped the litigation campaign in its tracks. eDekka's patent, which had been used to sue a wide array of online retailers, described nothing more than "the abstract idea of storing and labeling information," Gilstrap found.

Those were "routine tasks that could be performed by a human" and didn't meet the standard for getting a patent.

Gilstrap ruled the patent invalid. Lawyers for eDekka appealed Gilstrap's decision, and the shell company's appeal brief was initially due in December.
It asked for and received an extension until February 26.
Instead of filing a brief blasting the lower-court results, though, eDekka's lawyers simply filed a short document asking to withdraw its appeal. Yesterday, the US Court of Appeals for the Federal Circuit granted the motion. eDekka's story isn't over quite yet, and the ending isn't going to be a happy one for this patent troll.

After Gilstrap invalidated the company's patent, he ordered it to pay attorneys' fees—the first time the judge had ruled a case as "exceptional" under new guidelines in effect as a result of the Supreme Court's 2014 Octane Fitness case. Many of the remaining eDekka defendants, selling everything from shoes to stationery to coffee, filed a fee request (PDF) on December 31.
In January, Gilstrap ordered (PDF) eDekka to pay a total of more than $390,000 in attorneys' fees to 24 defendant companies. The order gave most of the defendants exactly the fees they requested, generally between $13,000 and $16,000 each. (Most of the defendants have banded together in a joint defense group, represented by lawyers from Fish & Richardson.) There's no indication in the court docket that the fees matter has been settled.

eDekka is represented by Austin Hansley, a lawyer whose small Texas law firm also represented the second- and third-most litigious patent trolls of 2014. Hansley did not respond to a request for comment on this story. In 2014, Hansley filed more than 100 lawsuits on eDekka's behalf—including 87 in a single week—all in East Texas. He sued a vast array of companies doing business online, with the better-known defendants including Fab, Harry & David, Dress Barn, the National Football League, Etsy, and Estee Lauder. eDekka's lawsuits said that various types of online "shopping cart" technology infringed its information-storage patent.

The eDekka patent was originally filed for by Donald Hejna, a Bay Area entrepreneur and inventor whose company, Enounce, previously sued Apple for infringing a patent related to variable-speed video playback.

Enounce claimed it was the first to create technology allowing users to "speed up or slow down the playback rate" of Adobe Flash videos without sound problems.
According to security expert Pedro Vilaca, the malware suggests that Hacking Team might have resurfaced. A security researcher has identified new Mac malware that he says points to Hacking Team, a controversial Italian firm that sells surveillance tools to government and law enforcement agencies, legitimate and repressive alike. According to SentinelOne OS X security expert Pedro Vilaca, the malware suggests that Hacking Team might have resurfaced after it was hacked in July.

That resulted in 400GB of internal documents, including details about Hacking Team's clients, source code, and email communications being posted online. Vilaca pointed to a Trojan known as Morcut, which was uploaded to Google's VirusTotal scanning service last month and had stayed under the radar.
It pointed to Hacking Team's Remote Control System (RCS), however. "Hacking Team appears to have resumed their operations but they are still using their old source code for this," Vilaca wrote in a blog post. It remains unclear, however, whether they are using old or new source code, the latter of which was promised at the time of the July hack. "Or were they just lying about it and resumed operations with the old code since they are probably on a shortage of engineering 'talent?'" Vilaca wrote. Days after the summertime breach, Microsoft released an emergency patch for a security hole, which could allow an attacker to take full control of a remote system if the user opened a particular document or visited a booby-trapped website. Adobe also pushed out a fix for a bug in Flash Player uncovered in the leak. Based on internal documents, Hacking Team sold surveillance tools to government and law enforcement agencies in Australia, Azerbaijan, Bahrain, Chile, Colombia, Cyprus, Czech Republic, Ecuador, Egypt, Ethiopia, Germany, Honduras, Hungary, Italy, Kazakhstan, Luxembourg, Malaysia, Mexico, Mongolia, Morocco, Nigeria, Oman, Panama, Poland, Russia, Saudi Arabia, Singapore, South Korea, Spain, Sudan, Switzerland, Thailand, the United Arab Emirates, the US, Uzbekistan, and Vietnam.
[Image: Malware Don't Need Coffee]

Malicious websites are exploiting a recently fixed vulnerability in Microsoft's Silverlight application framework to perform drive-by malware attacks on vulnerable visitor devices, a security researcher has determined. ...
Hewlett Packard Enterprise (HPE) released its 2016 Cyber Risk Report on Feb. 17, providing statistics and some analysis on security trends for the past year. While some things have changed over the course of the last year, many others have not.

Among t...
Graysons Solicitors (www.graysons.co.uk) has saved 300 hours whilst submitting claims to the MOJ (Ministry of Justice) portal by using integration software from Zylpha (www.zylpha.com), the UK’s leading legal systems innovator.

The software, which is integrated with the practice’s existing SolCase & Visualfiles case management systems, automates the transfer of case management information to the MOJ portal for both EL/PL (employer and public liability) and RTA (road traffic accident) casework. Zylpha has also supplied Adobe’s eSign software for documents that require electronic signatures across the practice, which offers a broad range of legal services including: personal injury, medical negligence, property, family law, wills & administration of estates, elderly client services and other private client work. As Zylpha’s portal integration delivers rapid and full real-time MOJ portal access, the efficiency savings have been significant. Zylpha’s own analytics conclude that whilst each manual application to the MOJ portal would have taken a minimum of 25 minutes, the SolCase & VisualFiles integration takes just a matter of seconds. Paul White, Graysons’ IT manager, was keen to highlight the scale of the potential savings, commenting: “Over the course of a year, we will have processed over 900 MOJ portal claims and, based on Zylpha’s research, we will have saved over 300 hours of manual data processing, and that doesn’t take into account efficiency gains in responses from insurers and having data contained within our VisualFiles case management system. Separately, the Adobe eSign software that Zylpha has supplied has also delivered significant benefits by reducing the time and costs involved in obtaining signatures on legal documents.

The savings and efficiency gains we achieve by using Zylpha’s systems make a significant contribution to our commitment to delivering a contemporary, innovative, efficient and cost effective service to our clients.”
Paul White, Graysons IT Manager

Tim Long, Zylpha’s CEO, welcomed these comments, adding: “As a highly respected and long standing law firm founded in 1925, Graysons has built a strong reputation for delivering the very highest levels of practice management and client support throughout all aspects of its operations.
Innovation has a key role to play here in maintaining these standards and we are delighted that the practice has chosen our MOJ integration portal to support its RTA and EL/PL claims. We look forward to working closely with the team at Graysons Solicitors to see where else our systems might be able to support its work.”

Ends

About Graysons
www.graysons.co.uk
Graysons is a 6 partner firm, established in 1925 and based in the legal heart of Sheffield, Paradise Square.
It also has an office in Saltergate, Chesterfield. The firm specialises in personal injury; occupational illness and injury; clinical negligence work; family law; property; wills, estates and trusts; elderly client matters and notary public work.
It has been awarded the Law Society’s Lexcel practice management certificate and is recommended in the Legal 500 for its family and medical negligence work.

About Zylpha
www.zylpha.com
Headquartered in Southampton, Zylpha is an innovative specialist offering tools for the legal profession including: secure electronic document production and delivery; court bundling; integration with the MOJ Portal; links to agencies for AML and identity verification. The company, which was founded by Tim Long, its CEO, has won widespread acclaim in both the legal and local government sectors for its systems, which transform secure communications for court and case management bundles.

For more information please contact:

For Graysons:
Marketing & PR – Patricia Bint, 0114 241 9061, patricia.bint@graysons.co.uk
IT – Paul White, 0114 241 9021, paul.white@graysons.co.uk

For Zylpha:
Tim Long
Zylpha Ltd.
T: 01962 658881
M: 07917 301496
t.long@zylpha.com

Or Leigh Richards
The Right Image
T: 0844 / 561 7586
M: 07758 372527

The Evolution of Acecard

While working on the IT Threat Evolution report for Q3 2015, we discovered that Australia had become the leading country in terms of number of users attacked by mobile banker Trojans. We decided to find out what was behind this jump in activity and managed to identify the cause: Trojan-Banker.AndroidOS.Acecard.

This family accounted for almost all the banker Trojan attacks in Australia. After analyzing all the known malware modifications in this family, we established that they attack a large number of different applications.
In particular, the targets include nine official social media apps that the Trojan attacks in order to steal passwords.

Two other apps are targeted by the Trojan for their credit card details.

But most interestingly, the list includes nearly 50 financial apps (client software for leading global payment systems and banks) and services, and the various modifications of Acecard make use of all the tools at their disposal to attack them – from stealing bank text messages to overlaying official app windows with phishing messages. Here is another interesting fact that we established while investigating the Trojan: the modifications of Acecard were written by the same cybercriminals who earlier created Backdoor.AndroidOS.Torec.a, the first TOR Trojan for Android, as well as Trojan-Ransom.AndroidOS.Pletor.a, the first encryptor for mobile devices.

All three Trojans run on Android.

How it all started

Given Acecard’s growing popularity and the rich criminal past of its creators, we decided to delve deeper into the history of this malware family. It all started with Backdoor.AndroidOS.Torec.a.

The first version of this malicious program was detected in February 2014 and could perform the following commands from the C&C server:
#intercept_sms_start – start intercepting incoming SMSs;
#intercept_sms_stop – stop intercepting incoming SMSs;
#ussd – create a USSD request;
#listen_sms_start – start stealing incoming SMSs;
#listen_sms_stop – stop stealing incoming SMSs;
#check – send information about the phone (phone number, country of residence, IMEI, model, OS version) to the C&C;
#grab_apps – send a list of applications installed on the mobile device to the C&C;
#send_sms – send an SMS to numbers specified in the command;
#control_number – change the phone’s control number.

Then, in April 2014, a new version emerged with more capabilities.

The additional commands were:
#check_gps – send the device’s coordinates to the C&C;
#block_numbers – add numbers to the SMS interception list;
#unblock_all_numbers – clear the SMS interception list;
#unblock_numbers – remove specified numbers from the SMS interception list;
#sentid – send an SMS with the Trojan’s ID to a specified number.

In late May 2014, we detected the first mobile encryptor, Trojan-Ransom.AndroidOS.Pletor.a.
It encrypted files on the device and demanded a ransom for them to be decrypted. Some modifications of Pletor used TOR to communicate with the C&C. A month later, we detected a new modification, Backdoor.AndroidOS.Torec. Unlike previous versions, it did not use TOR and targeted credit card details: the Trojan overlaid the official Google Play Store app with a phishing window that included data entry fields. We assigned the verdict Trojan-Banker.AndroidOS.Acecard.a to this modification, and classified it as a separate family of malware.

From that moment on, all new versions of the Trojan have been detected as belonging to the Acecard family. An analysis and comparison of the code used in Backdoor.AndroidOS.Torec.a, Trojan-Ransom.AndroidOS.Pletor.a and Trojan-Banker.AndroidOS.Acecard.a has shown they were all written by the same cybercriminals. Here are some clear examples:

[Figure: Code from the SmsProcessor class of the Trojan Backdoor.AndroidOS.Torec.a]
[Figure: Code from the SmsProcessor class of Trojan-Banker.AndroidOS.Acecard.a]
[Figure: Code from the SmsProcessor class of Trojan-Ransom.AndroidOS.Pletor.a]

Here is another example:

[Figure: Code from the SmsProcessor class of the Trojan Backdoor.AndroidOS.Torec.a]
[Figure: Code from the SmsProcessor class of Trojan-Banker.AndroidOS.Acecard.a]
[Figure: Code from the SmsProcessor class of Trojan-Ransom.AndroidOS.Pletor.a]

A lot of the class, method and variable names are the same for all three Trojans.
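The attribution argument above rests on class, method and variable names recurring across Torec, Pletor and Acecard. As an added example (this is not code from Kaspersky's write-up, and the identifier sets in it are constructed for illustration rather than the real symbols recovered from the three samples), the following Python script makes that comparison repeatable: it computes the Jaccard overlap between each pair of samples' identifier sets, lists the names common to all of them, and groups samples into lineages once their similarity clears a threshold. Short obfuscator-style names are discarded first, because builds passed through a commercial obfuscator all share such tokens and would otherwise look related to everything. The sample names, the "AdSdkApp" control and the 0.3 threshold are all assumptions of this example.

```python
from itertools import combinations

# CONSTRUCTED identifier sets for illustration only; these are not the real
# class, method or variable names recovered from the Torec, Pletor or Acecard
# samples. Each set stands for the symbols an analyst would pull out of a
# decompiled APK. "AdSdkApp" is an unrelated control sample.
SAMPLES = {
    "Torec": {"SmsProcessor", "onReceive", "processSms", "controlNumber",
              "interceptSms", "torClient", "ussdRequest", "a", "b"},
    "Pletor": {"SmsProcessor", "onReceive", "processSms", "controlNumber",
               "encryptFiles", "torClient", "ransomNote", "a", "c"},
    "Acecard": {"SmsProcessor", "onReceive", "processSms", "controlNumber",
                "interceptSms", "overlayWindow", "phishForm", "b", "c"},
    "AdSdkApp": {"MainActivity", "onCreate", "loadAd", "showBanner",
                 "trackEvent", "a", "b", "c"},
}


def meaningful(identifiers, min_len=3):
    """Drop obfuscator-style names (a, b, aa, ...). Commercial obfuscators
    rename symbols to such short tokens, and every app processed by one shares
    them, so they would inflate the overlap between unrelated samples."""
    return {name for name in identifiers if len(name) >= min_len}


def jaccard(a, b):
    """Jaccard similarity of two identifier sets after filtering:
    |A intersect B| / |A union B|. 1.0 means identical symbol sets,
    0.0 means nothing in common."""
    a, b = meaningful(a), meaningful(b)
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def pairwise_similarity(samples):
    """Similarity score for every unordered pair of samples."""
    return {tuple(sorted((x, y))): jaccard(samples[x], samples[y])
            for x, y in combinations(samples, 2)}


def shared_identifiers(samples, names):
    """Identifiers present in every one of the named samples: the concrete
    evidence behind 'the same class, method and variable names'."""
    sets = [meaningful(samples[n]) for n in names]
    return set.intersection(*sets) if sets else set()


def lineage_clusters(samples, threshold=0.3):
    """Single-linkage grouping with union-find: samples whose similarity
    reaches the threshold join one lineage, and links are transitive."""
    parent = {name: name for name in samples}

    def find(name):
        while parent[name] != name:
            parent[name] = parent[parent[name]]  # path compression
            name = parent[name]
        return name

    for (x, y), score in pairwise_similarity(samples).items():
        if score >= threshold:
            parent[find(x)] = find(y)
    groups = {}
    for name in samples:
        groups.setdefault(find(name), set()).add(name)
    return sorted(groups.values(), key=lambda g: sorted(g))


if __name__ == "__main__":
    for pair, score in sorted(pairwise_similarity(SAMPLES).items()):
        print(f"{pair[0]:>8} vs {pair[1]:<8} {score:.2f}")
    print("shared by Torec/Pletor/Acecard:",
          sorted(shared_identifiers(SAMPLES, ["Torec", "Pletor", "Acecard"])))
    print("lineages:", lineage_clusters(SAMPLES))
```

With the constructed sets, the three Trojans score between 0.40 and 0.56 against each other and 0.0 against the control app, so they land in one lineage while the control stays alone. On real samples the threshold has to be calibrated against known-unrelated apps that use the same frameworks, since shared SDK symbols raise the baseline overlap for everything.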

The code of the corresponding methods is either the same or very similar with only minor differences.

Acecard’s progress

The initial Trojan, Trojan-Banker.AndroidOS.Acecard.a, could only handle four commands sent from the C&C:
#intercept_sms_start – start intercepting incoming SMSs;
#intercept_sms_stop – stop intercepting incoming SMSs;
#send_sms – send an SMS to the number specified in the command;
#control_number – change the phone’s control number.

The next modification of Acecard was detected in late August 2014 and used the TOR network for C&C communication, just like the earlier Pletor.

Besides that, we identified two more differences.

Firstly, the list of supported commands had grown to 15; nearly all of these commands had been seen before in earlier versions of the Trojan Torec:
#intercept_sms_start – start intercepting incoming SMSs;
#intercept_sms_stop – stop intercepting incoming SMSs;
#ussd – create a USSD request;
#check_gps – send the device’s coordinates to the C&C;
#block_numbers – add numbers to the list of senders from which SMSs will be intercepted;
#unblock_all_numbers – clear the SMS interception list;
#unblock_numbers – remove specified numbers from the SMS interception list;
#listen_sms_start – start stealing incoming SMSs;
#listen_sms_stop – stop stealing incoming SMSs;
#check – send the Trojan’s ID to the C&C;
#grab_apps – send the list of applications installed on the mobile device to the C&C;
#send_sms – send an SMS to the number specified in the command;
#control_number – change the phone’s control number;
#sentid – send an SMS with the Trojan’s ID to a specified number;
#show_dialog – show a dialog window to the user with specific objects (data entry fields, buttons etc.) depending on the C&C command parameters.

The second difference was the number of phishing windows.

Along with the official Google Play Store app, this Trojan now overlaid the display of the following apps with its own windows:
IM services: WhatsApp, Viber, Instagram, Skype;
the apps of the VKontakte, Odnoklassniki and Facebook social networks;
the Gmail client;
the official Twitter client.

In the second half of October 2014, we detected the next modification of Acecard.
It no longer used TOR (neither have any of the versions of the Trojan subsequently detected). However, there was another, more important difference: starting with this version of the Trojan, there have been dramatic changes in the geography of the targeted users.

The earlier versions mostly attacked users in Russia, but starting in October 2014 the bulk of Acecard attacks targeted users in Australia, Germany and France. Russia accounted for just 10% of the attacked users.

This trend continued for another four months, until February 2015, but even then Australia, Germany and France still remained among the most frequently attacked countries. At the same time, the geography of Pletor attacks remained largely unchanged: most attacks targeted, and continue to target, users in Russia and the US.

The TOP 5 most attacked countries also includes Ukraine, Belarus and Saudi Arabia.

A new modification of Acecard emerged in mid-November 2014.

As well as stealing passwords from popular social network clients, it started to overlay the banking app of Australia’s most popular bank with a phishing window. Just two days later, we managed to detect another modification of this Trojan that was already attacking the apps of four Australian banks. This functionality has persisted up to the very latest Trojan-Banker.AndroidOS.Acecard modifications that we detect. This version of Acecard also checks the country code and the service provider code as it launches, and if it finds itself in Russia, it shuts down.

This check is carried out in almost all subsequent modifications.
Interestingly, similar changes to Trojan-Ransom.AndroidOS.Pletor only took place in late March 2015, and did not extend to all versions of the malware. For the next nine months, there was practically no change in the functionality of the new Acecard modifications that emerged, until early August 2015 when we detected a new version that was capable of overlaying the PayPal mobile app with its own phishing window. There was also a new command that this version could perform – #wipe. When this command is received, Acecard resets the mobile device to factory settings. It should be noted that there has been a dramatic increase in Acecard developer activity since June 2015.

Before, we typically identified 2-5 files a month related to this Trojan; since June we have detected around 20 files per month.

[Figure: Number of Acecard files detected each month]

The graph above shows the number of files associated with the banking Trojan Acecard that are detected each month; these include both the modifications of Acecard and related files, such as downloader Trojans.

The dramatic rise in file numbers detected in November and especially December is down to the malware writers making active use of a commercial code obfuscator and the emergence of obfuscated versions of the Trojan. Also at this time, there was an increase in the number of attacks using this malicious program.

[Figure: The number of unique users attacked by Acecard per month]

In the first half of September, we detected a new modification of Acecard.
Its new capabilities included overlaying the windows of more mobile banking apps, including those of one Australian bank, four New Zealand banks and three German banks. This means this modification of the Trojan is capable of overlaying 20 apps – including 13 banking apps – with a phishing window. The subsequent development of Acecard’s “banking business” then got even faster: the next modification emerged just several days later, and was capable of overlaying as many as 20 banking applications.

The list of targeted apps grew to include another app belonging to an Australian bank, four apps for Hong Kong banks and three for Austrian banks. In late September, a new modification came out with a new functionality: the malicious program included a list of bank phone numbers, so text messages arriving from those banks are redirected to the cybercriminal.

The Trojan has a list of phrases, so it can compare incoming text messages and identify those with verification codes for bank operations or registration, and send just the code to the cybercriminal, rather than the full SMS.

This version of Acecard intercepts SMSs from 17 Russian banks. Early October saw the emergence of a new modification that attacked the banking apps of the three largest US banks.
Interestingly, from the very start, the US has been among the TOP 10 countries most often attacked by this Trojan; however, December 2015 saw a dramatic rise in the number of attacks on US users.
In that month, the US came third in terms of the number of unique users attacked by this malware.

In mid-October, a new modification appeared capable of overlaying as many as 24 financial applications, including apps belonging to five Australian banks, four Hong Kong banks, four Austrian banks, four New Zealand banks, three German banks, three Singapore banks, and the PayPal app. A new modification was detected in early November that has a phishing window that targets an app belonging to a Spanish bank.

It should also be noted that virtually all versions of Acecard can handle a C&C command that orders the Trojan to overlay any specified app with its own window. Perhaps the cybercriminals thought this option was more promising, because many of the versions detected in November and December 2015 have a dedicated window that only overlays Google Play and Google Music apps to target credit card details. No other applications will be overlaid without first receiving the appropriate C&C command.

The most recent versions of the Acecard family can attack the client applications of more than 30 banks and payment systems.

Considering that these Trojans are capable of overlaying any application upon command, the overall number of attacked financial applications may be much larger. Although the Trojans belonging to this family can attack users from a long list of countries, most attacks target users in Russia, Australia, Germany, Austria and France.

Figure: Number of unique users attacked by country

In Germany and Australia, the Trojan-Banker.AndroidOS.Acecard family is the most widespread type of mobile banker Trojan targeting users.

Propagation

In many countries, Trojans belonging to the Acecard family are typically distributed under the names Flash Player or PornoVideo, although other names are sometimes used in a bid to imitate useful and popular software.

This malware family also propagates with the help of downloader Trojans that are detected by Kaspersky Lab’s products as Trojan-Downloader.AndroidOS.Acecard. We should note that on 28 December we were able to spot a version of the Acecard downloader Trojan – Trojan-Downloader.AndroidOS.Acecard.b – in the official Google Play Store.

Figure: A Trojan-Downloader.AndroidOS.Acecard.b page in Google Play Store

The Trojan propagates under the guise of a game, but in reality it has no useful functionality.

The main goal of this malicious app is to download and install a fully functional modification of the banking Trojan Acecard. Its creators didn’t even bother to make it look like a legitimate application: when the malware is installed from Google Play, the user will only see an Adobe Flash Player icon on the desktop screen.

We have also been able to detect a new modification of the downloader Trojan, Trojan-Downloader.AndroidOS.Acecard.c. It differs in that the Trojan, once launched, uses vulnerabilities in the system to gain super-user rights. With these privileges, Trojan-Downloader.AndroidOS.Acecard.c can install the banking Trojan Acecard into the system folder, which makes it impossible to delete using standard tools. However, in most cases this propagation method is used to spread another Trojan that we are already familiar with – Trojan-Ransom.AndroidOS.Pletor.

The cybercriminals are using virtually every available method to propagate the banking Trojan Acecard, be it under the guise of another program, via official app stores, or via other Trojans.

This combination of propagation methods, which includes the exploitation of vulnerabilities in the operating system, along with Acecard’s capabilities, makes this mobile banker one of the most dangerous threats to users
Oracle's Java plug-in is the latest to fall, as browser developers look to simplify their code bases to improve security.

In late January, Oracle announced that the company would stop supporting its ubiquitous Java plug-in, which would be, in developer terminology, "deprecated" in the next version of the Java software development kit, slated for release in 2017. The announcement comes not as a surprise but as a recognition of a trend among browser developers toward removing the ability of third parties to add code—and potentially security flaws—to their software and users' systems.

Attackers have often exploited vulnerabilities in the two most popular plug-ins—Java and Adobe's Flash—building attacks into popular hacking tools known as exploit kits.

"With modern browser vendors working to restrict and reduce plugin support in their products, developers of applications that rely on the Java browser plugin need to consider alternative options," Oracle stated in its Jan. 27 announcement.

For two decades, browsers have supported the addition of plug-ins through the use of a standard application programming interface, known as the Netscape Plugin API, or NPAPI.

The ability to add plug-ins allowed developers to boost the functionality and interactivity of browsers.
Video streaming, interactivity and games all started as plug-ins. Yet the hazards posed by bugs introduced by developers and the inconsistent updating of plug-ins by developers and end users leave many systems vulnerable to attack.

Browser makers took the first steps to exorcise plug-ins from their software in 2013, when Google and then Mozilla started phasing out support.

"There will be an immediate benefit in terms of security from closing off access," Christopher Budd, global threat communications manager for security firm Trend Micro, told eWEEK. "But if you take a step back, removing plug-ins is a huge thing in terms of the history of the Internet. This amounts to the era of infinite extensibility for the Web coming to a close."

The major argument against plug-ins is that they allow unvetted code to affect the security of the browser.

Each additional software extension requires the user to pay attention to another set of developers and their code bases. Not only do users have to worry about updating their browser, but they have to worry about whether the developers are properly securing their code, Daniel Veditz, principal security engineer at Mozilla, told eWEEK in an email interview. In 2013, Mozilla issued an update to its browser to make the installation of plug-ins a manual procedure.

"The biggest risk to users is using out-of-date software and as a class, plug-ins have a terrible track record for quickly updating with security fixes—or updating at all," Veditz said. "Users are safer if their exposure to potentially harmful Internet content is limited to a modern browser that focuses on user security and aggressively auto-updates."

In the past, the third-party nature of plug-ins lured browser makers into thinking that the add-on software was not their responsibility, said Trend Micro's Budd, who used to work at Microsoft.

"When I was at Microsoft, when we looked at Java or Adobe, it was a completely different program, totally separate from what we were doing. So it was their thing to take care of and not ours to worry about," he said.