A researcher at McAfee has discovered a Java-based, cross-platform botnet that can infect both Mac and Windows systems. The malware agent, dubbed “IncognitoRAT”, is a Java-based Trojan in the wild that is being downloaded and installed by another component. This malware behaves like other Windows botnets but uses source code and libraries that can operate on multiple platforms. The malicious code is available for Windows and Mac OS X, and as a propagation vector using the iPhone/iPad. Only the Windows version of the malicious downloader has been spotted actually spreading in the wild.
The original infection source is a Windows executable created using the JarToExe tool, which can convert Java’s .jar files into .exe files, add program icons and version information, and protect and encrypt Java programs. It relies on the victim system having the Java Runtime Environment installed and being connected to the Internet.
As soon as the file is executed, it starts downloading a ZIP file with a pack of Java-based libraries to perform several remote activities, including:
Java Registry Wrapper, used to access the Windows Registry and execute the malware every time the computer starts.
Java Remote Control, to view the screen and control keyboard and mouse.
JLayer MP3 Library, to remotely play MP3 files on the infected machine.
RNP-VideoPlayer, to play videos remotely.
JavaMail, to send stolen information to an email account.
Freedom for Media Java, an open source media framework to watch and record images from a remote webcam.
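The first library in that list gives the agent its persistence: a registry wrapper writes a Run-key entry so the malware starts with Windows. A defender can look for exactly that footprint. The following is an added example, not McAfee's code or anything from the original write-up: it parses a .reg-style export of the usual autostart keys and flags any command whose program is java/javaw or whose arguments name a .jar. The registry export embedded below is constructed for the example (the paths and value names are made up), and the list of autostart keys is limited to the well-known Run/RunOnce locations.

```python
"""Flag Run-key persistence entries that launch Java code.

Added example (not from the original article): parse a .reg-style export of the
well-known autostart keys and report values that start java/javaw or pass a .jar.
The export text below is constructed for this example, not a real capture.
"""
import re

# Well-known autostart keys; compared case-insensitively.
AUTOSTART_KEYS = frozenset(k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
))
JAVA_LAUNCHERS = {"java", "javaw", "java.exe", "javaw.exe"}

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')
# A .jar path anywhere in the command line, e.g. "-jar client.jar" or a bare "x.jar".
JAR_ARGUMENT = re.compile(r'\.jar(?:["\'\s]|$)', re.IGNORECASE)

# Constructed sample: one benign OneDrive entry, one benign Java updater whose path
# merely contains the word "Java", one suspicious javaw -jar entry, and a java.exe
# reference under a key that is not an autostart location (must be ignored).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"JavaUpdate"="\"C:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe\""
"Updater"="\"C:\\Program Files\\Java\\jre6\\bin\\javaw.exe\" -jar \"C:\\Users\\alice\\AppData\\Roaming\\svc\\client.jar\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Example]
"DisplayIcon"="C:\\tools\\java.exe"
'''


def parse_reg_export(text):
    """Yield (key, value_name, command) for every string value in a .reg export."""
    current_key = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        section = SECTION_RE.match(line)
        if section:
            current_key = section.group("key")
            continue
        value = VALUE_RE.match(line)
        if value and current_key is not None:
            # .reg files escape backslashes and quotes with a backslash; undo that.
            command = re.sub(r"\\(.)", r"\1", value.group("data"))
            yield current_key, value.group("name"), command


def executable_of(command):
    """Return the program path of a Run-key command: the quoted path or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def classify_command(command):
    """Return the reasons a command looks like Java-based persistence (empty if none)."""
    reasons = []
    basename = re.split(r"[\\/]", executable_of(command))[-1].lower()
    if basename in JAVA_LAUNCHERS:
        reasons.append("java launcher: " + basename)
    if JAR_ARGUMENT.search(command):
        reasons.append("jar argument")
    return reasons


def find_java_autostarts(reg_text):
    """Return the autostart values that launch Java, with the reasons they were flagged."""
    findings = []
    for key, name, command in parse_reg_export(reg_text):
        if key.lower() not in AUTOSTART_KEYS:
            continue
        reasons = classify_command(command)
        if reasons:
            findings.append({"key": key, "name": name, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_java_autostarts(SAMPLE_REG_EXPORT):
        print(hit["key"], hit["name"], "->", ", ".join(hit["reasons"]))
```

The program path is taken from the first quoted or whitespace-delimited token rather than by searching the whole line for the word "java", so a legitimate updater living under a "Java" directory is not reported; only the entry that actually runs javaw.exe with a .jar is flagged. On a live system the same logic runs over the output of reg export for each of the keys listed.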
One thing that is rather odd is that the botnet agent might crash the infected machines, and apparently shows a curious message to the user:
Today’s fraud schemes are more sophisticated than ever, and the two cases below are examples of the complex white collar crime cases that continue to proliferate in the down economy. Desperate people do desperate things. Some seem to forget to stop when things cease to be desperate.
In the first case, the former CFO and CEO of a supplier and reconditioner of athletic equipment are facing charges of 9 substantive counts of mail fraud, 12 substantive counts of wire fraud, and mail and wire fraud conspiracy for allegedly directing a long-running scam against schools in New Jersey and elsewhere.
As reported earlier this month, arts & crafts chain Michaels Stores disclosed that criminals had tampered with point-of-sale PIN pad devices at store registers in the Chicago area in a scheme to steal credit and debit card numbers and PIN codes. As originally suspected, new information from the investigation shows that many Michaels stores across the US have discovered compromised payment terminals. Investigators said that at least 70 compromised POS terminals have been discovered so far in Michaels stores from Washington D.C. to the West Coast.
Have you seen these Facebook wall postings? “WOAH!!…You really have to see this, finally a simple way to see who views your facebook profile.”
Are you curious? This is a classic social engineering scam luring users into signing up for premium mobile services and spamming their friends, promising to show a list of profile visitors. It even instructs users to disable ad-blocking programs.
It all starts with a little spam message or wall posting from one of the victims: “WOAH!!…You really have to see this, finally a simple way to see who views your facebook profile. –> [URL]”. Following the URL link takes the new victim to a site on an external domain (like ilikefacebook.in). The site displays fake Facebook-style notifications claiming to be examples of the alerts users will receive whenever someone views their profile. The logo for a well-known malicious app called Profile Spy is also present on the page.
Users are also told that in order to sign up for the Profile Spy application they need to like and share the application. After the victims have heavily spammed their profile with messages promoting this scam, they are taken to a window claiming that they also need to take a survey. “Then the ‘verification’ launches you into one of those endless surveys (you get a choice of 6) the point of which is to collect your cell phone number so you can be billed $9.99 per month,” GFI Labs warns.
This scam has been seen on Facebook as far back as mid-2010, and around 29,000 users clicked the “Like” button and 27,000 the “Share” button in its first month. It has since spread to other social media outlets and pops up on Twitter fairly often as well. There is no feature on Facebook which allows viewing profile visitors, and considering the privacy implications, it will probably never be allowed. Any message or application that claims otherwise is most definitely a scam.
It appears that third parties, in particular advertisers, have accidentally gotten access to Facebook accounts including user profiles, photographs, chat, and the ability to post messages and gather personal information. Fortunately, they may not have realized that they have these abilities. According to Symantec, over 100,000 applications can leak access tokens that remain valid for some period of time. They might sit in log files of various advertisers just waiting to be abused.
Facebook is planning to move away from these access tokens and adopt OAuth 2.0, an open standard co-authored with Yahoo, Twitter, Google, and others, together with HTTPS. Until then, there is something we can do to invalidate the access tokens: change your password! Do it regularly, unless you don’t care about your Facebook privacy and don’t use the same password anywhere else…
You can change your Facebook password by clicking the upper right “Account” menu and choosing “Account Settings”. The fourth option down allows you to change your password.
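The advice works because of how the tokens are bound to the account, and the following added example shows that binding in miniature. It is not Facebook's code and not from the original article: a small account store issues bearer tokens that record the password generation they were minted under, a password change bumps the generation, and validation rejects any token from an older generation, so a copy of the token that leaked into a third party's log (the log line below is constructed, as are the user names) stops working the moment the password is changed. Token lifetime, the hashing parameters and all names are assumptions for the example.

```python
"""Access tokens that stop validating when the password changes.

Added example (not Facebook's code, not from the original article): every token
records the password generation it was issued under; changing the password bumps
the generation, which invalidates every outstanding copy of the token, including
one that leaked into someone else's log file. Names and log line are constructed.
"""
import hashlib
import hmac
import re
import secrets
import time

# Tokens of this shape are what secrets.token_urlsafe produces; used to pull a
# leaked token out of a constructed log line below.
TOKEN_IN_LOG = re.compile(r"access_token=([A-Za-z0-9_-]+)")


class AccountStore:
    def __init__(self, token_lifetime=3600):
        self.token_lifetime = token_lifetime   # seconds a token lives if nothing else kills it
        self._accounts = {}   # user -> {"salt", "pw_hash", "generation"}
        self._tokens = {}     # token -> {"user", "generation", "expires"}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create_account(self, user, password):
        salt = secrets.token_bytes(16)
        self._accounts[user] = {"salt": salt, "pw_hash": self._hash(password, salt), "generation": 0}

    def check_password(self, user, password):
        acct = self._accounts.get(user)
        if acct is None:
            return False
        return hmac.compare_digest(acct["pw_hash"], self._hash(password, acct["salt"]))

    def issue_token(self, user, now=None):
        """Mint a bearer token tied to the user's current password generation."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"user": user,
                               "generation": self._accounts[user]["generation"],
                               "expires": now + self.token_lifetime}
        return token

    def validate_token(self, token, now=None):
        """Return the user a token belongs to, or None if it is unknown, expired or stale."""
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None:
            return None
        if now >= rec["expires"] or rec["generation"] != self._accounts[rec["user"]]["generation"]:
            self._tokens.pop(token)   # dead either way; drop it from the store
            return None
        return rec["user"]

    def change_password(self, user, old_password, new_password):
        """Rotate the password hash and bump the generation, retiring every issued token."""
        if not self.check_password(user, old_password):
            return False
        acct = self._accounts[user]
        salt = secrets.token_bytes(16)
        acct["salt"], acct["pw_hash"] = salt, self._hash(new_password, salt)
        acct["generation"] += 1
        return True


def extract_leaked_tokens(log_text):
    """Pull access_token values out of log lines (the leak the article describes)."""
    return TOKEN_IN_LOG.findall(log_text)


def demo():
    """Issue a token, 'leak' it into a constructed third-party log, then change the password."""
    store = AccountStore()
    store.create_account("alice", "correct horse")
    token = store.issue_token("alice")
    # Constructed log line of the kind a third party might keep: the token rode
    # along in a referrer URL.
    log_line = ('10.0.0.7 - - [10/May/2011:12:00:00 +0000] "GET /ad.gif HTTP/1.1" 200 43 '
                '"http://apps.example.test/game?access_token=' + token + '" "Mozilla/5.0"')
    leaked = extract_leaked_tokens(log_line)[0]
    before = store.validate_token(leaked)          # still accepted: "alice"
    store.change_password("alice", "correct horse", "new phrase")
    after = store.validate_token(leaked)           # now rejected: None
    return before, after


if __name__ == "__main__":
    print(demo())
```

The generation counter lives on the account, not on the token, so revocation costs nothing at password-change time: there is no need to find and delete every outstanding token, each one simply fails its next validation. The same check can be layered on top of OAuth 2.0 tokens; the standard governs how tokens are obtained, and binding them to a password generation is a server-side decision.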