Lenovo Caught Pre-Installing Malware on its Computers Again

Earlier this year, Lenovo was caught pre-installing adware on its computers, eliciting a vociferous backlash from users. The Superfish scandal, however, appears merely to have been a test run for its latest ruse: Lenovo ThinkPads, ThinkCentres and ThinkStations have been found to contain user-tracking spyware that is scheduled to run every day and sends usage data to an analytics company.

The spyware was discovered by independent computer security consultant Michael Horowitz while using the free tool TaskSchedulerView to peruse the scheduled tasks on his ThinkPad. He says:

The task that gave me pause is called “Lenovo Customer Feedback Program 64”. It was running daily. According to the description in the task scheduler: “This task uploads Customer Feedback Program data to Lenovo”.

I have set up my fair share of new Lenovo machines and can’t recall ever being asked about a Customer Feedback program.

The program that runs daily is Lenovo.TVT.CustomerFeedback.Agent.exe and it resides in the folder C:\Program Files (x86)\Lenovo\Customer Feedback Program.

Other files in this folder are Lenovo.TVT.CustomerFeedback.Agent.exe.config, Lenovo.TVT.CustomerFeedback.InnovApps.dll and Lenovo.TVT.CustomerFeedback.OmnitureSiteCatalyst.dll.

According to Wikipedia, Omniture is an online marketing and web analytics firm, and SiteCatalyst (since renamed) is their software-as-a-service application for client-side web analytics.

So, while there may not be extra ads on ThinkPads, there is some monitoring and tracking.

On the one hand this is surprising because the machines were refurbished and sold by IBM. On the other hand, considering Lenovo’s recent history, it’s not surprising at all.
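As an added example (not part of the article or of Horowitz’s post), here is a small Python audit of the Windows task store that would surface this task on any machine, rather than relying on spotting it by eye in TaskSchedulerView. It parses the XML that Windows keeps for each scheduled task and flags daily tasks whose action runs from the Lenovo Customer Feedback folder named above or whose description talks about uploading data. The task XML below is constructed to match the format, using only the description and path Horowitz quotes; the benign backup task and its path are invented.

```python
"""Audit Windows Task Scheduler definitions for vendor "feedback" tasks.

Windows stores one XML file per scheduled task under
%SystemRoot%\\System32\\Tasks (UTF-16 with a BOM).  The functions below parse
that XML and flag tasks that run daily and either execute a binary from the
Lenovo Customer Feedback folder named in the article or describe themselves
as uploading data.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Folder fragments taken from the article (matched case-insensitively).
FLAGGED_PATH_FRAGMENTS = (
    "\\lenovo\\customer feedback program\\",
    "\\lenovo\\metriccollectionsdk\\",
)
# Heuristic: description words that suggest the task phones home.
UPLOAD_WORDS = re.compile(r"\b(upload\w*|feedback|telemetry|usage data)\b", re.IGNORECASE)


def parse_task(xml_data):
    """Extract description, Exec commands and whether a daily trigger exists.

    Accepts str or bytes; pass bytes for real task files so expat can read the
    UTF-16 BOM and declaration itself.
    """
    root = ET.fromstring(xml_data)
    description = root.findtext("t:RegistrationInfo/t:Description", default="", namespaces=NS)
    commands = [c.text or "" for c in root.findall("t:Actions/t:Exec/t:Command", NS)]
    # ScheduleByDay inside a CalendarTrigger is what the GUI calls a "Daily" trigger.
    daily = root.find("t:Triggers/t:CalendarTrigger/t:ScheduleByDay", NS) is not None
    return {"description": description, "commands": commands, "daily": daily}


def is_suspicious(task):
    """True for daily tasks that run a flagged binary or describe an upload."""
    commands = [c.lower() for c in task["commands"]]
    path_hit = any(frag in cmd for cmd in commands for frag in FLAGGED_PATH_FRAGMENTS)
    description_hit = UPLOAD_WORDS.search(task["description"]) is not None
    return task["daily"] and (path_hit or description_hit)


def scan_task_store(tasks_dir=r"C:\Windows\System32\Tasks"):
    """Yield (task name, parsed task) for every flagged task in a live task store."""
    root = Path(tasks_dir)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            task = parse_task(path.read_bytes())
        except ET.ParseError:
            continue
        if is_suspicious(task):
            yield str(path.relative_to(root)), task


# Constructed sample modelled on the task XML format, using the description and
# binary path quoted in the article; the real task file is not reproduced there.
# The XML declaration is omitted because ET.fromstring() rejects a non-UTF-8
# declaration when given a str.
SAMPLE_FEEDBACK_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>This task uploads Customer Feedback Program data to Lenovo</Description>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2015-01-01T12:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files (x86)\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task: weekly, runs a hypothetical backup tool.
SAMPLE_BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Weekly backup</Description></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2015-01-04T02:00:00</StartBoundary>
      <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author"><Exec><Command>C:\Tools\backup.exe</Command></Exec></Actions>
</Task>"""


if __name__ == "__main__":
    for name, xml_text in (("feedback", SAMPLE_FEEDBACK_TASK), ("backup", SAMPLE_BENIGN_TASK)):
        print(name, "flagged" if is_suspicious(parse_task(xml_text)) else "ok")
    # On a Lenovo machine: for name, task in scan_task_store(): print(name, task["commands"])
    # Removal: schtasks /Delete /TN "Lenovo Customer Feedback Program 64" /F, or uninstall
    # the program via Add/Remove Programs as Lenovo's statement suggests.
```

Run it as an administrator so the task store is readable; the names printed are the same paths Task Scheduler shows in its tree. Deleting the task with schtasks stops the daily upload, but uninstalling the program, as Lenovo’s statement advises, also removes the binaries and the Omniture DLL from the folder.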

Lenovo’s right to use this software to gather information on its users is buried deep within its licence agreement, an .rtf file stored in the obscure folder C:\Program Files (x86)\Lenovo\MetricCollectionSDK\licenses, so the company is doing nothing illegal. Its behaviour is at the very least unethical, however, and risks violating user trust and damaging its brand.

In light of these revelations, Lenovo has issued an official statement regarding data collection, which reads:

“Statistical data collection by Lenovo has been the subject of press reports and social media discussion. Similar to other companies in the PC, smartphone and tablet industries and as disclosed in the End User License Agreement, Lenovo products collect non-personally identifiable statistical usage data that is not tracked to any single customer or device. This data helps Lenovo improve both existing and future products.”

“In preparation for Windows 10, all programs preloaded on Lenovo PCs were reviewed by Lenovo and independent 3rd parties from privacy and technical perspectives and are listed in the “programs directory” in Windows, under “settings”. Customers who do not want to participate, can remove the program by going into the “Control Panel”, opening “Add / Remove Programs”, clicking on the program and selecting “uninstall””

Thank you Boing Boing for providing us with this information.

Hacking Team Release Ludicrous Statement

This story is so preposterous that I am going to play a little game called “who are the hypocrites here?” Hacking Team, which recently fell to a cyber attack, has released a statement claiming to be the victim and bluntly asserting that it has “always operated with the law and regulation in an ethical manner.”

You heard it right: when government officials start inventing ludicrous laws which state that hacking citizens’ phones and computers for data is actually legal, you arrive at the juncture where the Italian spyware firm claims that “there was only one Violation of Law in this entire event, and this was the massive cyber attack on the Hacking Team”.

Now, I don’t condone hacking. Well, I do in this case, where rival, decent hackers exposed some 400GB of data, including internal e-mails, hacking tools, zero-day exploits, surveillance tools, source code for spyware and a spreadsheet listing every government client with the date of purchase and the amount paid.

For balance, and to be fair to Hacking Team, I have read their statement, and what really stands out is the following few lines.

“The company has always sold strictly within the law and regulation as it applied at the time any sale was made. That is true of reported sales to Ethiopia, Sudan, Russia, South Korea and all other countries”

Well, those are true democracies which really do underpin Hacking Team’s morals. The scary thing is that giving a despot surveillance tools could well have led to the deaths and suffering of citizens.

There are no winners in these revelations, with supposedly democratic countries also using these tools alongside many dodgy dictators. Hacking Team also states that there had not been “access to the data collected by company’s clients using purchased spying software, as such information is only stored on the customer’s systems and can’t be accessed by the company itself.”

This is the tip of a seedy and unethical iceberg which, in the long run, will not protect against every terrorist eventuality but will only virtually incarcerate the whole world. Anyone who sells spying software to countries with a habit of executing dissenters is either desperate for cash or completely devoid of conscience. A sale may well be within the law, but so is selling a pint of beer to a 16-year-old if it is bought by an adult with a meal. The only difference is that a pint does not normally result in potential war crimes and more… usually.

Thank you to Hacker News for providing us with this information

Image courtesy of ilquotidianoitaliano

Android News App Used to Distribute Hacking Team’s Spyware

The massive (and wonderful) data theft from Hacking Team has revealed that the Italian spyware maker was using a fake Android app as a backdoor method of distribution for its Remote Control System. The app, BeNews, which borrowed the name of a now-defunct news website to feign legitimacy, was uncovered by Trend Micro’s Wish Wu yesterday.

“We believe that the Hacking Team provided the app to customers to be used as a lure to download RCSAndroid malware on a target’s Android device,” writes Wu.

Wu reveals further details on the malicious app and which Android devices it can affect:

“The backdoor, ANDROIDOS_HTBENEWS.A, can affect, but is not limited to, Android versions starting from 2.2 Froyo to 4.4.4 KitKat. It exploits CVE-2014-3153 local privilege escalation vulnerability in Android devices. This flaw was previously used by the root exploit tool TowelRoot to bypass device security, open it for malware download, and allow access to remote attackers.

Looking into the app’s routines, we believe the app can circumvent Google Play restrictions by using dynamic loading technology. Initially, it only asks for three permissions and can be deemed safe by Google’s security standards as there are no exploit codes to be found in the app. However, dynamic loading technology allows the app to download and execute a portion of code from the Internet. It will not load the code while Google is verifying the app but will later push the code once the victim starts using it.”

Wu found the source code for BeNews within the 400GB of data stolen from Hacking Team, a company that has been hammered for its flagrant disregard for civil liberties and human rights. Following the breach, Hacking Team has taken a defiant stance, revealing that it intends to develop a new version of its Remote Control System spyware in order to resume what it describes as its “criminal and intelligence investigations.”

Thank you CSO for providing us with this information.

Hacking Team Were Tracking Bitcoin Users

Leaked documents published by WikiLeaks have revealed that the Italian spyware firm Hacking Team has the ability to track Bitcoin users, and has been selling software to do so to third parties since January 2014. Hacking Team was recently subjected to a massive 400GB data theft, which included internal e-mails and private documents; these have now been made available, and searchable, in their entirety on the infamous whistleblowing website WikiLeaks.

Internal e-mails show that Hacking Team’s premier spyware bundle, the Remote Control System, was updated in January 2014 to allow it to track “cryptocurrencies, such as BitCoin, and all the related information.”

“The module is able to collect various information: list of contacts and local accounts, wallet (i.e., the money) and the history of transactions,” an e-mail from 12th January, 2014, reads. It continues: “Currently it is intended only for Desktops (Windows, OS X, Linux), while introduction in Mobiles is still under evaluation.”

The Remote Control System, when installed on the target’s computer, uses its keylogger to gain access to their Bitcoin wallet, allowing the surveillant to view transaction histories and balances.

“Here is some relevant context to position them in your pitch: Cryptocurrencies are a way to make untraceable transactions, and we all know that criminals love to easily launder, move, and invest black money,” the Hacking Team e-mail reads. “[Law enforcement agencies,] by using our Intelligence module combined with this new capability, can correlate the usage of cryptocurrencies, defeating the financial opacity they provide.”

Bitcoin’s popularity stems from its perceived anonymity (the ledger itself is public, so it is pseudonymous rather than anonymous), its security and its lack of centralised control. Not any more, it seems.

Thank you Epoch Times for providing us with this information.

How a Hacker Made $45,000 Selling 0Day Exploits to Hacking Team

We previously reported that the Italian spyware company Hacking Team had been hacked and had 400 GB of data publicly released via torrent sites. Ars Technica, digging through the leaked e-mails, has now found out just how easy it was to do business with the company.

It seems that a Russian hacker approached Hacking Team in 2013 with a few 0-day bugs he had found in Windows, OS X and iOS, priced at $30,000 to $45,000. The company apparently was not interested in those, but it did show interest in another exploit the hacker offered, namely “Adobe Flash Player 9.x/10.x/11.x with the RCE exploit for the current Flash Player 11.9.x for Windows 32/64-bit and OS X 64-bit”.

The correspondence even revealed how the money was transferred to the hacker. According to the findings, he received the money by bank wire transfer in three instalments: $20,000 in October 2013, $15,000 in November 2013 and $10,000 in December 2013. There is no evidence of the hacker and the company doing any further business until 2015, when the Russian hacker received another $35,000 in his bank account in Moscow.

Ars Technica also approached the hacker and, surprisingly, he explained that such transactions are very common between companies such as Hacking Team and freelance hackers, describing them as “routine sales like with ZDI, VCP, pentesters and other legal 0day buyers”. I don’t know about you, but this information is as exciting as it is scary. So what are your thoughts on this?

Thank you arstechnica for providing us with this information

US Army and Law Enforcement Found Purchasing Italian Spyware

Leaked documents have revealed that US law enforcement agencies, including the FBI and DEA, and the US Army have been using an Italian-made spyware package to remotely control people’s computers, and to monitor and record calls, e-mails, keystrokes and video from any connected webcam. The revealing documents, some 400GB of them, were dumped online by an anonymous hacker.

The malicious programs were created by an Italian company called Hacking Team – notorious for its invasive surveillance technologies and considered an “Enemy of the Internet” by Reporters Without Borders – which has been pushing its wares to law enforcement and intelligence agencies across the US, including through practical demonstrations to a number of District Attorneys.

The documents show that the FBI has been using Hacking Team’s spyware since 2011, through its shadowy Remote Operations Unit, but that its use has only rarely been cited in criminal court cases; one such case involved phishing a suspect into clicking a link to a fake Associated Press article. The FBI has also been found to develop its own spyware packages.

The DEA, after declining Hacking Team’s offer of spyware in 2011 on the grounds that it was “too controversial”, did purchase the malicious software in 2012, which it used in conjunction with Colombian law enforcement, with plans to expand its use across Latin America.

Though the US Army also purchased spyware from Hacking Team in 2011, for use out of Fort Meade, an internal e-mail included in the leaked documents admitted that “they purchased a system right before they got their budget cut…They were never given permission to pull an internet line to their office to install the system. (ridiculous but true!)”

In response to the revelations, Hacking Team spokesperson Eric Rabe said, “we do not disclose the names or locations of our clients” and “we cannot comment on the validity of documents purportedly from our company.”

Though the use of such software to spy on suspects can be legal in the US with a judge’s approval, the kind of spyware developed by Hacking Team is considered highly unethical, and is akin to the human-rights-infringing methods the NSA employed in its PRISM program.

Thank you The Intercept for providing us with this information.

Here’s How a Hack Took Down Other ‘Legitimate’ Hackers

Before we continue, you might be wondering how there could be ‘legitimate’ hackers. Well, companies such as the one that got hacked, Hacking Team, exist. They sell their hacks and services to governments or intelligence agencies, which makes them a key ally and lets them continue their work. However, the latest hack proved that even they can be taken down.

Hacking Team is known for selling its services to agencies such as the FBI, the DEA and the Australian police, and even to countries such as Bahrain, Ethiopia and Sudan. However, those sales could not be proven before, since the buyers could easily pin everything on contractors, and we all know how good governments and agencies are at denying allegations. Hacking Team was also able to keep its code, and the exploits it used against software products, secret, so targeted individuals, companies or even other governments could do nothing about them.

But their operation came to an end when their systems were compromised by a hack that took over 400 GB of data, including the source code used to create the spyware. This means that other developers can now use the data to patch or protect their systems in the future. Hacking Team is said to have been forced to shut down until further notice, but it is highly likely they will be operational again in the near future.

There is no official confirmation of who hacked the spyware company, but WikiLeaks has focused on such companies in the past, so nobody can rule out its involvement. However, sources say that the hack was performed by an independent freelance hacker, which makes it even harder to pinpoint the attacker.

Thank you The Verge for providing us with this information

Amnesty International Releases Anti-Spyware Program

A new piece of software called Detekt, designed specifically to protect political activists and dissidents from spyware attacks by their own governments, has been unveiled by Amnesty International. Amnesty produced the software in conjunction with three other rights groups: the Electronic Frontier Foundation, Privacy International and Digitale Gesellschaft.

Detekt was developed to look for the digital footprints that spyware tends to leave on an infected computer. Such spyware can monitor keystrokes, grab images from a connected webcam or even access on-board microphones. Detekt’s scan is so intensive that the computer cannot be used while it is running. The software has been designed for Windows, since that is the operating system most commonly targeted by spying programs.

Tanya O’Carroll, adviser on technology and human rights at Amnesty International, spoke about the impetus behind the creation of Detekt, saying, “These spying tools are marketed on their ability to get round your bog-standard anti-virus.” She added, “It’s easier to name the countries that are not using these spying tools than those that are.”

Claudio Guarnieri, the creator of Detekt, furthered the point, saying, “People think the uses of spyware by governments are isolated cases. They are not.”

Detekt can be downloaded now from resistsurveillance.org.

Source: BBC

Security Experts Say That USB Security is Fundamentally Broken

The common USB stick has become the most popular way of sharing and storing files on the go. With this in mind, a variety of malware has been created to take control of computers that have no security measures installed, such as antivirus software. The usual way of ‘cleaning’ a USB drive has been to format it, deleting every file along with any malware that might be present on the drive.

However, two security researchers say that the security problems with USB devices run deeper than that. They state that the “risk isn’t just in what they carry, it’s built into the core of how they work.” To demonstrate this, researchers Karsten Nohl and Jakob Lell plan to present proof-of-concept malware called BadUSB, which they say shows that USB security has been fundamentally broken for a long time.

BadUSB can be installed on a USB device to silently take complete control of a PC, alter files and even redirect the user’s internet traffic. The malware lives in the flash drive’s controller firmware rather than in its storage memory, which means the code remains hidden long after the flash memory has been erased. The researchers also say there is no easy fix for the vulnerability: the only sure protection is to stop the device from talking to the system at all, which in plain terms means not plugging untrusted USB devices in.

“You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s ‘clean,’” says Nohl. But unless the IT guy has the reverse engineering skills to find and analyze that firmware, “the cleaning process doesn’t even touch the files we’re talking about.”

The vulnerability is not limited to USB drives. All sorts of USB devices, from keyboards to smartphones and even cameras, can have their firmware reprogrammed with the malware in question. The researchers say they used BadUSB on an Android device, with a “grab bag of evil tricks” as the result. Nohl and Lell report that it replaced software being installed with a corrupted or backdoored version and even impersonated a USB keyboard that suddenly started typing commands.
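What a BadUSB device does, in descriptor terms, is enumerate with a class it should not have: a storage stick that also announces itself as a keyboard, or as a network adapter. As an added example, not from the article or from Nohl and Lell’s research, the Python below inventories the interface classes each attached USB device exposes (read from Linux sysfs) and flags storage devices that also present HID or network interfaces. The sample inventory is constructed; the class codes are the standard USB-IF values.

```python
"""Flag USB devices whose interface classes do not match what they appear to be.

A BadUSB-style stick keeps looking like mass storage but, from its
reprogrammed firmware, can also enumerate as a keyboard (HID) or a network
adapter (CDC), which is how it types commands or redirects traffic.  This
inventories the interface classes each device exposes and flags storage
devices that also present HID or network interfaces.
"""
from pathlib import Path

# USB interface class codes (USB-IF class code list).
HID = 0x03
CDC_CONTROL = 0x02
CDC_DATA = 0x0A
MASS_STORAGE = 0x08
WIRELESS = 0xE0

INPUT_CLASSES = {HID}
NETWORK_CLASSES = {CDC_CONTROL, CDC_DATA, WIRELESS}


def suspicious_devices(devices):
    """Map device id -> reasons, for devices mixing storage with input/network roles.

    `devices` is {device_id: {"product": str, "classes": [int, ...]}}.
    """
    findings = {}
    for dev_id, info in devices.items():
        classes = set(info["classes"])
        if MASS_STORAGE not in classes:
            continue  # only storage devices are scored by this heuristic
        reasons = []
        if classes & INPUT_CLASSES:
            reasons.append("storage device also presents a HID (keyboard/mouse) interface")
        if classes & NETWORK_CLASSES:
            reasons.append("storage device also presents a network interface")
        if reasons:
            findings[dev_id] = reasons
    return findings


def collect_sysfs_devices(root="/sys/bus/usb/devices"):
    """Build the device map from Linux sysfs (interface dirs look like 1-3:1.0)."""
    base = Path(root)
    devices = {}
    for iface in base.glob("*:*.*"):
        class_file = iface / "bInterfaceClass"
        if not class_file.is_file():
            continue
        dev_id = iface.name.split(":")[0]
        dev = devices.setdefault(dev_id, {"product": "", "classes": []})
        dev["classes"].append(int(class_file.read_text().strip(), 16))
        product_file = base / dev_id / "product"
        if product_file.is_file():
            dev["product"] = product_file.read_text().strip()
    return devices


# Constructed inventory; no real device descriptors appear in the article.
SAMPLE_DEVICES = {
    "1-1": {"product": "Flash Disk", "classes": [MASS_STORAGE]},                         # ordinary stick
    "1-2": {"product": "USB Keyboard", "classes": [HID]},                                # ordinary keyboard
    "1-3": {"product": "Flash Disk", "classes": [MASS_STORAGE, HID]},                    # stick that also types
    "1-4": {"product": "Flash Disk", "classes": [MASS_STORAGE, CDC_CONTROL, CDC_DATA]},  # stick with a NIC
}

if __name__ == "__main__":
    for dev_id, reasons in suspicious_devices(SAMPLE_DEVICES).items():
        print(dev_id, SAMPLE_DEVICES[dev_id]["product"], "->", "; ".join(reasons))
    # On a Linux host: suspicious_devices(collect_sysfs_devices())
```

This is a point-in-time check of what the device claims, which is the heart of the problem Nohl describes: a reprogrammed stick can present a clean storage-only descriptor now and re-enumerate as a keyboard later, and a device that shows up only as a keyboard is indistinguishable from a real one by descriptor alone. Running the check on every hot-plug event is better than running it once, and the stronger control is to deny new devices by default (on Linux, writing 0 to /sys/bus/usb/devices/usbN/authorized_default and authorising known devices explicitly).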

The researchers say the infection can travel both from a computer to a USB device and the other way around. Matt Blaze, a computer science professor at the University of Pennsylvania, is also aware of the thin security veil USB devices present, and speculates that the NSA could have made a common practice of infecting USB devices this way.

Blaze points to a spying device called ‘Cottonmouth’, revealed in one of Edward Snowden’s leaks. The device, hidden in a USB peripheral plug, was advertised in a collection of internal NSA documents as surreptitiously installing malware on a target’s machine. However, the exact mechanism of that USB attack was not described.

Thank you Wired for providing us with this information
Image courtesy of Wired

GoZeuS Returns a Month after Authorities Take Measures Against the Malware

Though authorities had taken action against the GameOver ZeuS and CryptoLocker malware, which stole hundreds of thousands of banking logins from users and blackmailed them for millions of pounds, it seems the malware is back. A month after the takedown campaign, online criminals appear to have tried to rebuild the sophisticated software known as GameOver ZeuS, and researchers warn that new threats using much of the same code are aimed at UK users.

Reports say that the ‘original strain’ of the malware targeted by authorities around the world, including the NSA and the FBI, has been in decline since the campaign started. However, criminals now appear to be re-establishing the GameOver botnets by taking the original code and reworking it to avoid detection, much as a biological virus modifies its genetic code to survive the medicine administered against it.

A security company called Malcovery has stated that a new trojan based on the GameOver Zeus binary is spreading through spam e-mails claiming to be from NatWest bank, with a supposed statement attached. Anyone who opens the ‘statement’ risks infection, since traditional anti-virus software could not detect the malicious software at the time. Morten Kjærsgaard, CEO of Heimdal Security, also states that the people behind the original GoZeuS will try to use lesser-known strains to avoid detection by law enforcement agencies.

“Until we start to see a more clear movement pattern of these new Zeus variants, which are starting to surface, we can’t say anything definitive about their extent,” said Kjærsgaard. “There is no doubt though, that many small malware variants could pose the same financial problem for end users as one big nasty piece of malware.” he added.

While the GameOver Zeus botnet earned more than $100 million for its creators, more infections are likely given the new strains. In June, US authorities named Evgeniy Bogachev, a Russian national, as the main suspect behind the original malware.

Thank you The Guardian for providing us with this information
Image courtesy of The Guardian

Russia To Hack Strategic Companies Worldwide Using The ‘Energetic Bear’ Campaign

Reports say that the Russian government has been hacking energy companies in Europe, Asia and the US. The activity falls under a campaign named “Energetic Bear”, which is said to target companies in 23 or more countries. The information comes from the cyber security firm CrowdStrike, which has published a report on its findings.

Until now, China was considered the most ‘active’ country when it came to targeting specific companies in order to steal key information for its own profit. This time, CrowdStrike points its finger at Russia. This does not come as a surprise, since the country is home to experienced hackers known for stealing passwords and credit card information over the years. Another case that puts Russia on the radar is the incident in Estonia seven years ago, when Russia reportedly unleashed a cyber attack aimed at disabling the country’s networks, including its Internet access.

“It’s always hard to get a smoking gun in these type of cases,” said Dmitri Alperovitch, the cofounder and CTO of CrowdStrike. Any specific names and details of those behind the attack are unclear, but Alperovitch is confident that the Russian government was involved.

CrowdStrike’s reasoning that the government is involved rests on the pattern of the hacking activity. The attackers work on a 9-to-5 basis in Moscow hours, the working hours of a normal government employee. The assessment is based on two years of monitoring the activity coming out of Russia. The choice of targets also points to the Russian government: the companies that suffered attacks are competitors of Russian firms, so it makes sense for Russia to gather their sensitive information for its own advantage as an outcome of the Energetic Bear project.
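The working-hours argument is easy to check for yourself. As an added example that is not from the article or from CrowdStrike’s report, the Python below takes UTC timestamps of observed attacker activity and scores every candidate UTC offset by the share of events that land in a Monday-to-Friday, 09:00 to 17:59 local window; the offset that scores highest is where the activity looks most like a day job. The timestamps are constructed (two working weeks clustered at UTC+4, which is the offset Moscow used from 2011 until October 2014, plus a little evening and weekend noise); nothing here is real telemetry.

```python
"""Working-hours analysis of attacker activity timestamps.

Given UTC timestamps of observed activity (C2 check-ins, compile times,
commits to a malware repository), score each candidate UTC offset by how much
of the activity falls in a Monday-to-Friday, 09:00-17:59 local window.  The
offset with the highest share is the one at which the actor "looks like" a
9-to-5 operation, the kind of reasoning the article attributes to CrowdStrike.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def working_hours_share(events, offset_hours, start_hour=9, end_hour=18):
    """Fraction of events on Mon-Fri between start_hour and end_hour at the given UTC offset."""
    local_tz = timezone(timedelta(hours=offset_hours))
    inside = 0
    for ts in events:
        local = ts.astimezone(local_tz)
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            inside += 1
    return inside / len(events)


def best_offset(events, candidates=range(-12, 15)):
    """UTC offset whose working-hours window captures the largest share of activity."""
    return max(candidates, key=lambda off: working_hours_share(events, off))


def hour_histogram(events, offset_hours):
    """Counter of local hour -> event count, for eyeballing the shape of the workday."""
    local_tz = timezone(timedelta(hours=offset_hours))
    return Counter(ts.astimezone(local_tz).hour for ts in events)


def constructed_events():
    """Constructed sample: two working weeks of activity at UTC+4, plus noise.

    Moscow observed UTC+4 from 2011 until October 2014, which covers the period
    the article describes; it has been UTC+3 since.  Nothing here is real data.
    """
    events = []
    monday = datetime(2013, 3, 4, tzinfo=UTC)  # 4 March 2013 was a Monday
    for day in (0, 1, 2, 3, 4, 7, 8, 9, 10, 11):      # weekdays of two weeks
        for local_hour in (9, 11, 13, 15, 17):        # local time at UTC+4
            events.append(monday + timedelta(days=day, hours=local_hour - 4))
    for day in (1, 8, 10):                            # a few late-evening sessions
        events.append(monday + timedelta(days=day, hours=22 - 4))
    for day in (5, 6):                                # weekend noise
        events.append(monday + timedelta(days=day, hours=12 - 4))
    return events


SAMPLE_EVENTS = constructed_events()

if __name__ == "__main__":
    off = best_offset(SAMPLE_EVENTS)
    print(f"best fit UTC{off:+d}: {working_hours_share(SAMPLE_EVENTS, off):.0%} in working hours")
    for hour, count in sorted(hour_histogram(SAMPLE_EVENTS, off).items()):
        print(f"{hour:02d}:00 {'#' * count}")
```

Treat the result as one weak indicator among many: UTC+4 at the time also covered Georgia, Azerbaijan and the Gulf states, timestamps are trivial to fake for an actor who cares, and compile timestamps in particular can be zeroed or randomised. CrowdStrike’s two years of observation and the choice of targets are what make the inference tolerable, not the clock alone.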

The methods used are considered as sophisticated as the Chinese ones: the attackers plant spyware on websites they expect their victims to visit, a technique commonly known as strategic web compromise (or a ‘watering hole’ attack). The hackers also targeted European defence contractors, governments and energy companies worldwide to gather trade secrets, sensitive data and intellectual property.

Thank you Mashable for providing us with this information

Yahoo! Infected With Malicious Ads, Targets Great Britain, Romania, France and Pakistan

Fox-IT, a security product and service company in the Netherlands, reported that computers visiting Yahoo on January 3 were infected with malware served through the Yahoo ad network at ads.yahoo.com. Fresh analysis indicates that Yahoo has a handle on the problem and that the attack traffic has decreased substantially. The ads were IFRAMEs hosted on the following domains:

  • blistartoncom.org (192.133.137.59), registered on 1 Jan 2014
  • slaptonitkons.net (192.133.137.100), registered on 1 Jan 2014
  • original-filmsonline.com (192.133.137.63)
  • funnyboobsonline.org (192.133.137.247)
  • yagerass.org (192.133.137.56)

The ads redirected users to a site running the Magnitude exploit kit, all of which appears to be served from a single IP address in the Netherlands, which may be why Fox-IT’s customers were affected so quickly. The exploit kit exploits vulnerabilities in Java on the client to install a variety of malware, including ZeuS, Andromeda, Dorkbot/Ngrbot, ad-clicking malware, Tinba/Zusy and Necurs.

Fox-IT’s research shows that 83% of the attacks hit Romania, Great Britain, France and Pakistan; there were no attacks in the US, however. They speculate that this distribution was a function of which Yahoo! ad placements were affected by the malicious ads. Fox-IT recommends blocking the 192.133.137.0/24 and 193.169.245.0/24 subnets until further information is available.
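As an added example that is neither Fox-IT’s code nor from the article, the Python below turns the indicators above into a check you can run over a captured page: it collects every IFRAME src, then flags any whose host is one of the listed domains or resolves into one of the subnets Fox-IT recommended blocking. Resolution is a plug-in function so the example runs offline against the IP addresses Fox-IT reported; swap in socket.gethostbyname to check live pages. The HTML page is constructed and the ad paths are invented.

```python
"""Check a page's IFRAMEs against the malvertising indicators in the article.

Two signals are combined: the iframe host is one of the listed domains, or the
host resolves into one of the subnets Fox-IT recommended blocking.  Resolution
is pluggable so the example runs offline against the article's own IP list.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators exactly as listed in the article.
IOC_DOMAINS = {
    "blistartoncom.org",
    "slaptonitkons.net",
    "original-filmsonline.com",
    "funnyboobsonline.org",
    "yagerass.org",
}
BLOCKED_NETS = [
    ipaddress.ip_network("192.133.137.0/24"),
    ipaddress.ip_network("193.169.245.0/24"),
]
# The resolutions the article reported; a stand-in for live DNS.
ARTICLE_DNS = {
    "blistartoncom.org": "192.133.137.59",
    "slaptonitkons.net": "192.133.137.100",
    "original-filmsonline.com": "192.133.137.63",
    "funnyboobsonline.org": "192.133.137.247",
    "yagerass.org": "192.133.137.56",
}


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def iframe_sources(html):
    parser = IframeCollector()
    parser.feed(html)
    return parser.sources


def _as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def classify_source(src, resolve=ARTICLE_DNS.get):
    """Return the reasons an iframe src is considered malicious (empty list if none)."""
    host = urlsplit(src).hostname  # also handles scheme-relative //host/path ad URLs
    if not host:
        return []
    reasons = []
    if host.lower() in IOC_DOMAINS:
        reasons.append("known malvertising domain")
    ip = _as_ip(host)
    if ip is None:
        try:
            ip = _as_ip(resolve(host) or "")
        except OSError:  # a live resolver raises socket.gaierror on failure
            ip = None
    if ip is not None and any(ip in net for net in BLOCKED_NETS):
        reasons.append(f"resolves to {ip}, inside a blocked subnet")
    return reasons


def check_page(html, resolve=ARTICLE_DNS.get):
    """Return [(src, reasons)] for every iframe on the page that trips an indicator."""
    findings = []
    for src in iframe_sources(html):
        reasons = classify_source(src, resolve)
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed page: one benign ad slot, one on a listed domain, one on an
# unlisted IP inside the blocked range.  Paths are invented.
SAMPLE_HTML = """<html><body>
<iframe src="https://ads.example.net/slot/1" width="300" height="250"></iframe>
<iframe src="http://blistartoncom.org/ads/view.php?id=42" style="display:none"></iframe>
<iframe src="//192.133.137.200/landing" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in check_page(SAMPLE_HTML):
        print(src, "->", "; ".join(reasons))
    # Against live DNS: import socket; check_page(html, resolve=socket.gethostbyname)
```

Indicators like these age quickly: the domains were registered days before the campaign and will have expired or changed hands since, so treat them as historical and keep the subnet blocks only as long as Fox-IT’s advice stands. The durable fix is on the client, since Magnitude delivered its payloads through Java in the browser: removing or disabling the Java plugin closes this delivery path regardless of which ad network carries the iframe.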

Thank you ZDNet for providing us with this information

Thousands Of Idiots Download GTA V PC Installer, Guess What Happened Next!

Many users are clearly eager to get their hands on Grand Theft Auto V, even more so on PC. So much so that thousands of players were willing to download a huge 18GB file that promised to be the game, install it, and then wonder why their computers had been pillaged by viruses.

Are these people idiots? No doubt about it! Downloading a torrent of a game that hasn’t even been announced for PC, let alone released, is madness. Yet for all their foolishness, these fools were fooled by the best: the torrent in question not only looked like a legitimate file but also acted like one. It was marked as verified, ranked highly in search (it comes out near the top of Google results), and the installer looked legitimate right up until the last moment, when it asks you to fill in your private details on a website in return for a serial key.

Of course, when you complete your 18GB download, hand over your private data and let what I can only assume to be 18GB of spyware run loose on your system, you still don’t get to play GTA V on PC… why am I not surprised? I also suspect Rockstar might not be in a rush to pull this one from download sites; it’s the ultimate honeypot and I’m amazed people fell for it.

Lesson of the day: If it looks too good to be true, it probably is.

Thank you Wccftech for providing us with this information.

Images courtesy of eTeknix and Wccftech.