Friday, October 20, 2017

Tag: cross-platform

In a nutshell

- Backdoor.OSX.Mokes.a is the most recently discovered OS X variant of a cross-platform backdoor which is able to operate on all major operating systems (Windows, Linux, OS X). Please see also our analysis on the Windows and Linux variants.
- This malware family is able to steal various types of data from the victim's machine (screenshots, audio/video captures, Office documents, keystrokes).
- The backdoor is also able to execute arbitrary commands on the victim's computer.
- To communicate it uses strong AES-256-CBC encryption.

Background

Back in January this year we found a new family of cross-platform backdoors for desktop environments.

After the discovery of the binaries for Linux and Windows systems, we have now finally come across the OS X version of Mokes.A.
It is written in C++ using Qt, a cross-platform application framework, and is statically linked to OpenSSL.

This leads to a file size of approx. 14MB. Let's have a look into this very fresh sample.

"Unpacked" Backdoor.OSX.Mokes.a

Its filename was "unpacked" when we got our hands on it, but we're assuming that in the wild it comes packed, just like its Linux variant.

Startup

When executed for the first time, the malware copies itself to the first available of the following locations, in this order:

$HOME/Library/App Store/storeuserd
$HOME/Library/com.apple.spotlight/SpotlightHelper
$HOME/Library/Dock/com.apple.dock.cache
$HOME/Library/Skype/SkypeHelper
$HOME/Library/Dropbox/DropboxCache
$HOME/Library/Google/Chrome/nacld
$HOME/Library/Firefox/Profiles/profiled

Corresponding to that location, it creates a plist file to achieve persistence on the system.

After that it's time to establish a first connection with its C&C server using HTTP on TCP port 80. The User-Agent string is hardcoded in the binary, and the server replies to this "heartbeat" request with "text/html" content of 208 bytes in length.

Then the binary establishes an encrypted connection on TCP port 443 using the AES-256-CBC algorithm.

Backdoor functionality

Its next task is to set up the backdoor features:

- Capturing audio
- Monitoring removable storage
- Capturing the screen (every 30 sec.)
- Scanning the file system for Office documents (xls, xlsx, doc, docx)

The attacker controlling the C&C server is also able to define their own file filters to enhance the monitoring of the file system, as well as to execute arbitrary commands on the system.

Just like on other platforms, the malware creates several temporary files containing the collected data if the C&C server is not available:

$TMPDIR/ss0-DDMMyy-HHmmss-nnn.sst (screenshots)
$TMPDIR/aa0-DDMMyy-HHmmss-nnn.aat (audio captures)
$TMPDIR/kk0-DDMMyy-HHmmss-nnn.kkt (keylogs)
$TMPDIR/dd0-DDMMyy-HHmmss-nnn.ddt (arbitrary data)

DDMMyy = date: 070916 = 2016-09-07
HHmmss = time: 154411 = 15:44:11
nnn = milliseconds

If the environment variable $TMPDIR is not defined, "/tmp/" is used as the location (http://doc.qt.io/qt-4.8/qdir.html#tempPath).

Hints from the author

The author of this malware again left some references to the corresponding source files.

Detection

We detect this type of malware as HEUR:Backdoor.OSX.Mokes.a.

IOCs

Hash:
664e0a048f61a76145b55d1f1a5714606953d69edccec5228017eb546049dc8c

Files:
$HOME/Library/App Store/storeuserd
$HOME/Library/com.apple.spotlight/SpotlightHelper
$HOME/Library/Dock/com.apple.dock.cache
$HOME/Library/Skype/SkypeHelper
$HOME/Library/Dropbox/DropboxCache
$HOME/Library/Google/Chrome/nacld
$HOME/Library/Firefox/Profiles/profiled
$HOME/Library/LaunchAgents/$filename.plist
$TMPDIR/ss*-$date-$time-$ms.sst
$TMPDIR/aa*-$date-$time-$ms.aat
$TMPDIR/kk*-$date-$time-$ms.kkt
$TMPDIR/dd*-$date-$time-$ms.ddt

Hosts:
158.69.241[.]141
jikenick12and67[.]com
cameforcameand33212[.]com

User-Agent:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
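Putting the IOCs above to work on a host, as an added example that is not part of the Kaspersky write-up: the script checks the documented drop locations, the LaunchAgents plist named after whichever binary name was dropped, and $TMPDIR (falling back to /tmp as Qt does) for files matching the staging-file naming scheme, and it refangs the defanged C&C hosts so they can be matched against DNS or proxy logs. The paths, naming scheme and hosts are taken from the text; the `scan_host` function, its injectable `exists`/`listdir` hooks and the fake filesystem in `demo()` are constructed here for illustration.

```python
"""Host triage for the Backdoor.OSX.Mokes.a indicators listed above.
Added example, not Kaspersky's code: drop paths, plist naming, temp-file
scheme and C&C hosts come from the write-up; the filesystem hooks and the
fake filesystem in demo() are constructed here."""
import os
import re
from datetime import datetime

# Drop locations tried in order on first execution, relative to $HOME.
PERSISTENCE_PATHS = [
    "Library/App Store/storeuserd",
    "Library/com.apple.spotlight/SpotlightHelper",
    "Library/Dock/com.apple.dock.cache",
    "Library/Skype/SkypeHelper",
    "Library/Dropbox/DropboxCache",
    "Library/Google/Chrome/nacld",
    "Library/Firefox/Profiles/profiled",
]
# Staging files: <kind><n>-DDMMyy-HHmmss-nnn.<ext>, extension tied to the kind.
TMP_KINDS = {"ss": ("sst", "screenshot"), "aa": ("aat", "audio capture"),
             "kk": ("kkt", "keylog"), "dd": ("ddt", "arbitrary data")}
_TMP_RE = re.compile(r"^(ss|aa|kk|dd)[0-9]*-(\d{6})-(\d{6})-(\d{3})\.(sst|aat|kkt|ddt)$")
# Defanged as in the IOC list; refang() restores the dots for log matching.
C2_HOSTS = {"158.69.241[.]141", "jikenick12and67[.]com", "cameforcameand33212[.]com"}


def refang(indicator):
    return indicator.replace("[.]", ".")


def contacts_c2(host):
    """True if a host seen in DNS/proxy logs is one of the C&C hosts."""
    return host.strip().lower() in {refang(h) for h in C2_HOSTS}


def parse_tmp_name(name):
    """Return (kind, timestamp) for a Mokes staging file name, else None."""
    m = _TMP_RE.match(name)
    if not m:
        return None
    kind, date, time, ms, ext = m.groups()
    if TMP_KINDS[kind][0] != ext:      # e.g. "aa0-...sst": not the documented scheme
        return None
    try:
        ts = datetime(2000 + int(date[4:]), int(date[2:4]), int(date[:2]),
                      int(time[:2]), int(time[2:4]), int(time[4:]), int(ms) * 1000)
    except ValueError:                 # month 13 etc.: a look-alike, not a Mokes name
        return None
    return TMP_KINDS[kind][1], ts


def scan_host(home, tmpdir=None, exists=os.path.exists, listdir=os.listdir):
    """Check drop, persistence and staging locations; `exists`/`listdir`
    default to the real filesystem and are injectable for testing."""
    findings = []
    for rel in PERSISTENCE_PATHS:
        path = os.path.join(home, rel)
        if exists(path):
            findings.append(("dropped binary", path))
        # The persistence plist is named after whichever binary name was dropped.
        plist = os.path.join(home, "Library/LaunchAgents", os.path.basename(rel) + ".plist")
        if exists(plist):
            findings.append(("launch agent", plist))
    # Qt's QDir::tempPath() falls back to /tmp when $TMPDIR is unset.
    tmpdir = tmpdir or os.environ.get("TMPDIR") or "/tmp"
    try:
        names = sorted(listdir(tmpdir))
    except OSError:
        names = []
    for name in names:
        parsed = parse_tmp_name(name)
        if parsed:
            kind, ts = parsed
            findings.append((f"staged {kind} from {ts:%Y-%m-%d %H:%M:%S}",
                             os.path.join(tmpdir, name)))
    return findings


def demo():
    """Run the scan against a constructed fake filesystem, not a real host."""
    home = "/Users/victim"
    present = {f"{home}/Library/com.apple.spotlight/SpotlightHelper",
               f"{home}/Library/LaunchAgents/SpotlightHelper.plist"}
    tmp_listing = ["ss0-070916-154411-023.sst",   # screenshot, 2016-09-07 15:44:11
                   "kk0-070916-154500-900.kkt",   # keylog
                   "aa0-070916-154411-023.sst",   # prefix/extension mismatch: ignored
                   "notes.txt"]                   # unrelated
    return scan_host(home, tmpdir="/tmp", exists=lambda p: p in present,
                     listdir=lambda d: list(tmp_listing))
```

On a real host, call `scan_host(os.path.expanduser("~"))` for each user account; the temp-file parser deliberately rejects names whose prefix and extension disagree, since only the documented pairings are known to be produced by the backdoor.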
Microsoft has expanded its bug bounty programs to cover the open-source .Net Core and ASP.Net Core application development platforms. The .Net Core and ASP.Net Core technologies are used to create server applications that can run on Windows, Linux, and Mac.

The ability to write code once and have it run on multiple platforms has made these technologies popular with enterprise software developers. Microsoft will pay monetary rewards between $500 and $15,000 for critical vulnerabilities in the RTM (release to manufacturing), Beta, or RC (release candidate) releases of these platforms. Flaws in Microsoft's cross-platform Kestrel web server are also covered by the new bug bounty program, as well as vulnerabilities in the default ASP.Net Core templates provided with the ASP.Net Web Tools Extension for Visual Studio 2015 or later. The supported platforms are the Windows and Linux versions of .Net Core and ASP.Net Core, and higher-quality reports will be rewarded with a higher bounty, Microsoft said in a blog post. The company has ongoing bug bounty programs for Office 365, Azure, and Microsoft Edge.
It also rewards researchers for finding novel exploitation techniques against the protections built into Windows, as well as for defensive ideas that can lead to new exploit mitigations. By expanding the vulnerability rewards program to software development tools, Microsoft will draw attention to their security and indirectly benefit companies who use these technologies for their custom applications. According to the latest State of Software Security report from application security vendor Veracode, .Net is the second most popular programming language in the enterprise space after Java. Moreover, while Java's popularity has been on the decline for the last few years, the adoption rate for .Net has steadily increased, according to Veracode's data.
If you’ve ever hacked for a living -- wearing a white hat, I hope -- you probably can’t stand the unrealistic light most shows and movies shine on hacking and hackers. On the big and small screens, supergenius hackers enjoy instantaneous success and always manage to stay one step ahead of the law. Typically they’re portrayed in one of two views: Either they dress like refugees from a cyberpunk fashion show and have hot model girlfriends, or they’re solitary fat guys juiced up on energy drinks hacking away in their trashed bedrooms.

The dirty secret is that hacking tends to be tedious work -- not exactly Hollywood fare. Yet Hollywood has worked its magic on the minds of the masses. Many times I’ve had friends get upset that I couldn’t instantly crack their wireless network or Facebook account when they forgot their passwords. I’ve even seen newbies on a penetration testing team surprised that we don’t immediately break into every server we come across without a little research first. In real life, hacking is 95 percent monotony and 5 percent excitement, where focused dedication is more than a virtue. It’s almost the only trait that matters.

So much for the reality-based community. Courtesy of Hollywood, here are the hacking misfires that bug me most.

1. Instant password guessing

Many if not most movies with hacking scenes show the protagonist under lethal pressure to crack the master password in less than a minute. A perfect example is 2001’s "Swordfish," in which the evil character played by John Travolta holds a gun to the head of the hacker leader, Stanley, played by Hugh Jackman. Stanley sweats bullets under threat, typing different passwords so fast it’s obvious he can’t be typing anything coherent at all. At the last second, after trying hundreds of different passwords, he pulls the right one out of thin air. Has any computer system in any movie ever locked out an attacker after a certain number of password tries?

In other hacker movies, the protagonist seems to guess the correct password right off the bat. The hacker looks around the office, sees a picture of the CEO playing golf, and seems to know that “Titleist” is the right password. While trying words associated with the victim’s hobby is a well-known guessing technique, I’ve never seen anyone get it right on the first pass. Real password guessing usually takes hundreds (if not hundreds of thousands) of attempts. If account lockout isn’t enabled, hackers can use automated dictionary-hybrid programs to do all the guessing. Today, because most passwords are complex and run eight characters or more in length, manual guessing isn’t very fruitful.

In fact, today, most password “guessing” is really password cracking. Cracking starts by capturing the password hashes first (which takes superadmin access), then using a brute-force or dictionary automation program to convert the hashes into their plaintext equivalents. Or to be truly modern about it, the passwords aren’t guessed or cracked at all. Instead, the attackers use the captured hashes, with no conversion necessary, to authenticate to other computers.

2. Cross-platform hacking

One of the most cringe-inducing moments of all time appeared in 1996’s “Independence Day," when Jeff Goldblum’s character writes and inserts a computer virus into the mothership’s computers, which then brings down the shields and leads to the aliens' downfall. When I first saw that scene, I wondered: "Gee, did he use Cobol or C++?" It’s ridiculous to think an alien race would use computer systems that could run our programs. Their systems wouldn’t use the same character sets, language conversion tables, or built-in instructions on their CPUs. In real life, most malware programs have a hard time running on different versions of the same operating system, much less on different operating systems or platforms.

I’ve seen movies in which a hacker on a Unix computer writes code for a Microsoft Windows victim. While that could actually be done, it would be 99 percent wasted effort. Real malware writers code their creations on the same platform as the target system.

3. All systems are interconnected

Another incredibly unrealistic portrayal: One malware program or command manipulates dozens of disparate systems all at once. Sandra Bullock’s nemesis in 1995’s “The Net” provides a case in point. After spurning a would-be paramour turned murderer, Bullock’s character suffers an attack that erases her online life (no mortgage record, no driver’s license, no credit cards, no paycheck). The best part? Her antagonist does it with a couple of commands! He even erases all paper trails and backups, not to mention everyone’s memory of her. It’s laughable on many levels, not the least of which is how interconnected the movie seems to think all these systems are. With minimum effort, dozens of unrelated systems are accessed and manipulated.

In real life, you can’t find a single environment where all such systems talk so well together. Go to any organization -- a government department, a corporation, a bank, a hospital -- and you’ll invariably find a hodgepodge of systems that IT wishes could seamlessly talk to each other. In real life it takes months for a company to erase the trail of a single entity, and that’s when they own the systems, have the passwords, and know what they’re doing. If the bad guy really could do what he seems to be doing in “The Net,” he could earn millions working for corporations. He would be a data god!

4. All information pops up instantly

When any information is requested, the “computer nerd” types in a single command, and the answer comes back in seconds. This seems to happen several times a week on crime shows. The protagonist will ask something like, “Where is the bad guy using his ATM card right now?” Ta-da, the screen immediately returns the exact address. Or “How many murders were committed in the upper boroughs by a guy using a knife and wearing pink shorts?” Voila, the answer is 12. Contrast this with asking your own log management system how many logons Roger had today. You can easily wait two to three minutes for the answer -- with no guarantee the answer will be accurate.

5. Every program is a hacker’s dream program

Almost every hacker movie shows a great, custom-made program with an incredible graphical UI perfect for whatever the hacker is doing. In real life, almost all the programs used by hackers are created by someone else, used by millions of other hackers, and have a horrible UI. You get a CLI and a set of commands that demand an unnatural amount of human memory to recall. The commands often wrap around from one line to the next. Fact is, you don’t even need the most up-to-date program. Most successful hacks target vulnerabilities and exploits many years old. When I was a full-time penetration tester, rarely did I break in using a brand-new vulnerability. It was far more common to find a flaw from five to 10 years ago that had never been patched.

One show gets hacking right

You can always tell when a show cares about how it portrays hacking, but there’s nothing quite like the USA Network’s "Mr. Robot." Although the protagonist is a supergenius -- who, yes, frequently enjoys instantaneous success -- every typed command or program is a real typed command or program. What he does could really happen, albeit with the normal Hollywood hyperbole. I remember when I saw the first few episodes. I was filled with glee to see all the realness. It proved that Hollywood could produce a hacker-driven drama using actual hacker commands and tools. Not only that, but the show is a wild success. I hope others follow the path blazed by "Mr. Robot." Think of those hardcore contingents of loyal, upscale fans! I’m not holding my breath, though. Reality always demands more tedious work than most people want to watch.
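The distinction item 1 above draws between online guessing and offline cracking, as an added example that is not part of the column: a dictionary-hybrid attack that mangles a short word list (case changes, leetspeak, common suffixes) and hashes each candidate against a set of captured hashes, beside the same candidates tried against a live account that enforces lockout. The word list, mangling rules and "captured" hashes are constructed here, and plain SHA-256 stands in for whatever format the target system actually stores (NTLM on Windows); `crack`, `online_guess` and the demo functions are this example's own names.

```python
"""Offline dictionary-hybrid cracking versus online guessing with lockout.
Added example illustrating item 1 above, not from the article. The word
list, mangling rules and "captured" hashes are constructed; SHA-256 stands
in for the real hash format (e.g. NTLM) to keep the example self-contained."""
import hashlib

WORDLIST = ["password", "titleist", "callaway", "golf", "summer"]
SUFFIXES = ("!", "1", "123", "2016", "2017")


def mangle(word):
    """Hybrid rules: case variants and leetspeak, each with common suffixes."""
    bases = []
    for b in (word, word.capitalize(), word.upper(),
              word.replace("a", "@").replace("o", "0")):
        if b not in bases:             # deterministic order, no duplicates
            bases.append(b)
    for b in bases:
        yield b
        for suffix in SUFFIXES:
            yield b + suffix


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def crack(hashes, wordlist=WORDLIST):
    """Offline attack on captured hashes: hash every candidate, look it up.
    Returns ({hash: plaintext}, attempts). Nothing here can lock the
    attacker out; the only limit is hashing speed."""
    pending = set(hashes)
    found = {}
    attempts = 0
    for word in wordlist:
        for candidate in mangle(word):
            if not pending:            # everything recovered: stop early
                return found, attempts
            attempts += 1
            digest = sha256_hex(candidate)
            if digest in pending:
                found[digest] = candidate
                pending.discard(digest)
    return found, attempts


def online_guess(check, candidates, lockout_after=5):
    """Online guessing against a live account with an account-lockout policy.
    `check(candidate)` models one login attempt. Returns (password or None,
    attempts, locked_out); after `lockout_after` failures the account locks
    and the remaining candidates are never tried."""
    failures = 0
    for attempts, candidate in enumerate(candidates, start=1):
        if check(candidate):
            return candidate, attempts, False
        failures += 1
        if failures >= lockout_after:
            return None, attempts, True
    return None, failures, False


# Constructed "captured" hashes for two hobby-derived passwords.
CAPTURED = [sha256_hex("Titleist2016"), sha256_hex("g0lf123")]


def demo_offline():
    """Both hashes fall in well under a hundred hash computations."""
    found, attempts = crack(CAPTURED)
    return sorted(found.values()), attempts


def demo_online():
    """Same candidates against the live account: locked out long before
    the right guess ("Titleist2016") would have come up."""
    return online_guess(lambda c: c == "Titleist2016", mangle("titleist"))
```

The two demos run the identical candidate stream; what changes the outcome is only where the check happens. That is why capturing the hashes first, as the column says, is the real work, and why an account-lockout policy matters for the online case and does nothing for the offline one.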
It's common practice for security suite vendors to offer three levels of protection: a standalone antivirus, an entry-level security suite, and a mega-suite with additional features. Recently we've seen the rise of another level, the cross-platform multi-device suite. Kaspersky's entry-level suite is itself a cross-platform offering, with support for Windows, Mac, and Android.

To that suite's bountiful feature collection, Kaspersky Total Security adds a backup system, a password manager, and an excellent cross-platform parental control system, as well as data encryption and secure file deletion. Most of its components are great, some are good, none are bad.
It's a winner. You can get a three-license subscription for $89.99 per year, but as with the entry-level suite, a five-license subscription costs just $10 more.

Do you need more than five? For $149.99 per year you can install Kaspersky on 10 systems. Note that this specifically refers to the Windows, Mac, and Android security suites. You can install the parental control system and password manager on as many Windows, Mac, iOS, or Android devices as you like. Like the antivirus and entry-level suite, Kaspersky Total Security got a minor makeover with this release.
Its main window still displays two rows of four icons, but the icons and text have been flattened and simplified in the current edition, and the additional explanatory text below each icon is gone.

The green banner at the top remains, indicating that the suite is operating correctly.
If something needs attention, the banner turns yellow or red.

Clicking the Details button both lets you know what's wrong and helps you fix it. Getting the suite installed starts at the My Kaspersky online portal. Here you can download the installer for the suite and also download installers for Kaspersky Safe Kids and Kaspersky Password Manager.

The portal also lets you email installation links, which is more convenient if you're installing on a smartphone.

Shared Antivirus Features

As with Kaspersky's entry-level suite, the antivirus protection in this mega-suite is identical to what you get with the standalone Kaspersky Anti-Virus.
I'll keep my summary of antivirus features brief, since you can refer to that review for full details. I follow test results from five independent antivirus testing labs and also note whether vendors have received non-scored certification from two additional labs. Kaspersky doesn't bother with the certifications, and has recently stopped participating in the RAP (reactive and proactive) test at Virus Bulletin.

Three of the other four labs give Kaspersky their best possible scores across the board.

Tests by the remaining lab, MRG-Effitas, are extremely tough, with the majority of products simply failing.

From this lab, Kaspersky got one top score and one next-to-top score.
In my aggregate scoring system, Kaspersky gets a phenomenal 9.9 of 10 possible points. In addition to tracking scores from the major testing labs, I run my own hands-on antivirus tests. Kaspersky earned 8.4 of 10 possible points in the malware blocking test and 64 percent protection in the malicious URL blocking test. Webroot SecureAnywhere Internet Security Complete (2016) earned a perfect 10 points for malware blocking. Norton and McAfee LiveSafe (2016) managed to block 91 percent of the malicious downloads. However, when my scores don't jibe with what the labs report, I give more weight to the labs and their massive testing resources. For years I've used Symantec Norton Security Premium as a touchstone for rating phishing protection, reporting how badly other products lag behind Norton's detection rate. Webroot and Bitdefender Total Security 2016 scored slightly better than Norton in this test, but Kaspersky beat all competitors, with a detection rate 4 percentage points better than Norton's. Kaspersky packs plenty of bonus features into the standalone antivirus. Notable among them are the bootable Kaspersky Rescue Disk and an On-Screen Keyboard designed to foil keyloggers, even hardware keyloggers.

For full details about those bonus features, read my review of the antivirus software.

Shared Suite Features

Besides the features shared with Kaspersky's standalone antivirus, this suite shares quite a few elements with the entry-level Kaspersky Internet Security suite.
I'll refer you to that review for the details on these shared features. Here's a summary. The typical third-party firewall puts your PC's ports in stealth mode, making them invisible to the outside world. Kaspersky's designers stopped bothering with stealth mode years ago, reasoning that, since they can fend off all attacks, there's no need to expend resources stealthing ports.

Firewalls also typically control how and whether other programs can use your Internet and network connections. Kaspersky eschews the confusing popup queries spewed by lesser firewalls, choosing instead to handle program control internally.
Its Automatic Exploit Prevention fends off exploit attacks against system or application vulnerabilities, even zero-day attacks.

And it didn't yield to direct attack in testing. If your email provider doesn't filter out spam automatically, you should turn on Kaspersky's spam filter.
It handles both POP3 and IMAP accounts and integrates with Microsoft Outlook, but you can use it with any email client.

Controls are simple—just a big three-position slider for security level.
In testing, it didn't slow the process of downloading mail, and it didn't discard any valid mail at all.
It did miss 16.1 percent of undeniable spam, more than in last year's test, but that's still quite a decent score. New for the 2017 product line, Secure Connection is an easy-to-use VPN that you can use to protect your network traffic when on untrusted networks.

The version supplied with the suite gives you 200MB of traffic per day on unlimited devices.
If you pay for a subscription, there's no limit on traffic, and you get to choose which country your server is in. However, the paid edition is limited to five devices. Safe Money has been a Kaspersky feature for many years. When you try to visit a financial website, it offers to launch that site in the Safe Money browser instead, which isolates the transaction from other processes.

A glowing green border identifies the Safe Money browser. New in this edition, Software Updater works in the background to identify important applications that aren't fully up to date.
In most cases it can apply the updates for you automatically.

All you need to do is click Update all.
Software Cleaner, also new, scours your system looking for programs with sneaky installation behaviors, hidden programs, and other potentially unwanted software, and offers to uninstall them.
It also finds programs you hardly ever use. Trusted Application Mode locks down your system by suppressing all programs that aren't among the 1.6 million trusted programs in Kaspersky's online database.

Application Control warns you before permitting suspicious changes to things like browser settings; digging deeper lets you control what programs launch at startup. Webcam access control and a tool to catch sneaky installers that jam unwanted crapware onto your PC are among the other suite-specific bonus features.

Kaspersky Safe Kids

Parental control in the entry-level Kaspersky suite is unchanged since last year.

Those who spring for Kaspersky Total Security get parental control handled by Kaspersky Safe Kids.
It's a very good parental control utility; please read my review for full details. Note that Kaspersky Safe Kids (for iPhone) is an Editors' Choice for iOS-based parental control. Safe Kids doesn't impose any limits on the number of children or devices it manages. You start by creating a profile for each child using the My Kaspersky online console. Next, you install it on every Windows, Mac, iOS, or Android device in your household, associating a child profile with each.
In the case of Macs and Windows boxes, you can associate a profile with each user account. You can set Safe Kids to block access to websites matching 14 content categories, or you can have it simply warn the child (and notify you if your child ignores the warning).

This isn't a static database.

The content filter analyzes pages in real time.
In testing, it permitted access to a short-story site in general, but blocked erotic stories on the site.
I did find that Safe Kids, like the basic Kaspersky parental control system, doesn't lock down secure anonymizing proxies when used in off-brand browsers.
If that's a concern, parents can prohibit the browsers category in general and then make exceptions for the ones the kids use. That application-blocking feature is pretty elaborate. You can block 14 app categories, or block access to specific applications. You can even put time limits on certain apps.
It's also possible to limit the use of each of the child's devices, with the option to block access when time's up or just display a warning. Parents can log in to the Web console to check the child's current location (or rather, the location of the child's mobile device).

There's also an option to define geofences, identifying where the child should be at specific times of day. You get a notification when they cross into or out of those spaces.

Extensive alerts and detailed reporting round out this impressive parental control package.

Kaspersky Password Manager

Like Safe Kids, Kaspersky Password Manager is a cross-platform tool.
It syncs your saved passwords across all of your Windows, Mac, iOS, and Android devices. Read my review to learn the nitty-gritty details, or you can just read my summary here. On installation, the password manager prompts you to create a strong master password, something you can remember but nobody else would guess.
It also offers to import any passwords stored insecurely in Chrome, Firefox, or Internet Explorer, and optionally turns off password capture in Firefox and IE. Password management works as expected. When you log in to a secure site, Kaspersky offers to save your credentials. When you return, it fills in what it saved. You can also pick from a browser menu of your secure sites to visit a site and log in.
If you have a lot of saved sites you can organize them into groups, or simply use the built-in search function. You can create one or more identities, storing personal information and separately record credit cards and bank accounts. When I reviewed this product last year, I found that it would not fill Web forms in Windows using that saved information.
Since then, the form-filling feature has been removed. Kaspersky does let you save secure notes and application passwords, but it lacks other advanced features like two-factor authentication and secure sharing.
It handles basic password management tasks well enough that it wouldn't make a lot of sense to pay separately for a standalone password manager.

But you might consider relying on one of the best free password managers.

Backup and Restore

Secure online backup is a common feature in high-end security suites, but the way it's handled varies widely.
Some suites don't give you anything you couldn't get for free from Mozy or IDrive. Others, Norton and Webroot among them, offer 25GB of hosted secure storage. Kaspersky takes an unusual approach, letting you link its backup to a folder on your Dropbox account. Note that Kaspersky doesn't encrypt the backed-up files itself; they're protected only by the security of your Dropbox account. That being the case, I'd advise enabling two-factor authentication for Dropbox.

A wizard walks you through the process of configuring a backup job. You start by choosing which files to back up.
If you accept the default configuration, it backs up everything in your Desktop and Documents folders, and their subfolders. You can also create backup jobs for pictures, videos, or movies, or create a custom backup job. Next, you choose the backup destination.

As noted, this can be your Dropbox account. You can also back up to any local, removable, or network drive, or to an FTP server. However, backup to optical media isn't supported. By default, your backup job runs on demand. You can choose instead to have it run daily, on weekdays, on weekends, or on a weekly or monthly schedule.
Some backup tools include elaborate scheduling systems to, say, run a backup on the third Wednesday of every month. Kaspersky keeps it simple. You can choose the day of the week for a weekly backup, but monthly backups always run on the first of the month. Restoring files is equally simple. You start by choosing the backup set you want to restore, then select the files and folders you want restored.

The default is to restore them all. You can choose to restore them to their original location or restore to a new location, retaining the folder structure.

By default, the restore operation prompts you before overwriting an existing file, but you can set it to always overwrite, never overwrite, or keep both versions. Subsequent backups only upload changed files, naturally.

And Kaspersky retains multiple versions.
If today's edits accidentally scrambled an important document, you can restore yesterday's version. Overall, it's a simple, effective backup system, and linking with Dropbox lets Kaspersky avoid having to maintain a fleet of online backup servers.

Data Encryption and File Shredder

Kaspersky's antivirus should fend off any data-stealing Trojans, but your files could be vulnerable to a less-subtle attack, like a coworker sitting down at your desk while you go for coffee.

That's where Kaspersky's Data Encryption comes in. To get started with the encryption feature, you create a data vault, an encrypted storage location that holds your sensitive files. When the vault is open, it looks just like a disk drive.

After you lock the vault, its contents are totally inaccessible.

Bitdefender and McAfee, among others, offer a similar feature. The vault wizard lets you drag and drop files or folders to be encrypted. Next, you choose a name for the vault and a location for the file that represents it.

At this point, you set the vault size, which can't be changed after vault creation.

Finally, you enter a password for opening the vault.

As you type, Kaspersky rates password strength.

Don't lose this password, as there's no way to recover the files without it. Of course, copying files into the vault does nothing to protect the unencrypted originals.

As a final step, Kaspersky offers to securely delete the originals. You can also use the File Shredder tool to securely delete arbitrary files and folders, preventing forensic recovery of sensitive items.

By default, this tool overwrites files once before deletion. You can choose from a number of other secure deletion algorithms, some performing as many as seven overwrite passes, but for anything but world-shattering secrets, it's probably unnecessary. One caveat: on an SSD, wear leveling means an overwrite may land on a different physical block than the original, so no number of passes guarantees the old data is gone.

Some Impact on Performance

The modern security suite avoids putting a drag on system performance by keeping all of its components integrated into one smoothly running system.

This suite breaks that mold, with its separate installation of Safe Kids and Kaspersky Password Manager.
Indeed, while the average suite occupies around 400MB of disk space, Kaspersky Total Security weighed in at 865MB, as determined by measuring free disk space before and after installation. According to my tests, it does affect performance more than the entry-level suite. On my first round of testing, its boot-time numbers were terrible, because at each boot both Safe Kids and the password manager popped up asking me to set their initial configuration.
I halted the test, got those components configured, and tried again.

Averaging repeated measures of boot time from before and after installing the suite, I found it took 42 percent longer for the computer to fully boot up, or about 32 seconds longer.

The entry-level suite added just 18 percent. To measure a suite's effect on day-to-day file management activities, I time a script that moves and copies a large file collection between drives.
I also time a script that repeatedly zips and unzips that same file collection.

Both Kaspersky suites exhibited no performance drag at all on the zip test, and both added 29 percent to the time for the file move/copy test. Even though Kaspersky is on the low side in the chart above, that doesn't mean it has a serious effect on performance. Yes, it slowed the boot process, but you probably don't reboot more than once a day. On the flip side, other products have done much better in this test. Webroot in particular had no measurable effect on any of my three tests.

Multi-Device Features

To install Kaspersky's protection on your Windows, Mac, iOS, and Android devices, you log in to the online My Kaspersky portal.

The downloads page lists all of the components that are available as part of your license, with links to download an installer for the appropriate operating systems. You can also send these download links to an email address, which is probably easier than navigating My Kaspersky on a smartphone. Kaspersky Internet Security for Mac isn't as feature-rich as the Windows edition.

Certainly it doesn't compare to Kaspersky Total Security.
It does include antivirus and a Network Attack Blocker.
Safe Money, phishing protection, and webcam protection are among the other shared features.
Safe Kids and Kaspersky Password Manager are fully available and functional on the Mac platform.
Installing the security suite uses one of your licenses; the other two components don't. Android fans can use one license to install Kaspersky Internet Security (for Android), which PCMag's Max Eddy found to be good, but not great. Read Max Eddy's review for the full details.
In summary, the Android app's malware and phishing protection are very good.

Antitheft features go beyond simple remote locate, lock, and wipe, adding the ability to snap a mug shot of the thief.

The app can block unwanted phone calls, and notify you when someone swaps out the SIM card.

As with Mac installations, you can install Safe Kids and Kaspersky Password Manager on as many Android devices as you like. Like many security vendors, Kaspersky doesn't offer an antivirus or security suite for iOS devices, but you can install Safe Kids and the password manager on all of your iOS devices.

Features Galore

Kaspersky Total Security has something for all your devices, be they Windows, Mac, Android, or iOS.
It's definitely a cross-platform multi-device suite, though iOS users only get parental control and password management.

The password manager won't match its top competitors, and the spam filter slipped a little this year, but most of the many suite components are excellent. It does get a bit pricey for full coverage; a 10-device license lists for $149.99 per year.
Symantec Norton Security Premium protects 10 devices, including iPhones and iPads, for $89.99 per year, and throws in 25GB of secure hosted online backup.
Its parental control system is on par with Kaspersky's.

That same price lets you protect unlimited devices with McAfee LiveSafe, and McAfee also includes a password manager. Kaspersky Total Security is a very worthy contender, but Norton and McAfee are our Editors' Choice honorees for cross-platform multi-device security. However, Kaspersky boasts an amazing collection of extremely useful security features.
It's a rock-solid mega-suite on Windows, definitely comparable with Editors' Choice Bitdefender Total Security. Kaspersky joins Bitdefender as a security mega-suite Editors' Choice winner.

Sub-Ratings: Firewall, Antivirus, Performance, Antispam, Privacy, Parental Control. Note: These sub-ratings contribute to a product's overall star rating, as do other factors, including ease of use in real-world testing, bonus features, and overall integration of features.
Researchers claim they can stop malware before it executes

Black Hat EndGame vulnerability researchers Cody Pierce, Matt Spisak, and Kenneth Fitch have created a defence framework to protect against deeper modern attacks. The security trio with roots in the HP Zero Day Initiative, the National Security Agency, and the Department of Defence, have extended a hardware defense tool already in use for some Microsoft assets to apply to common programs. Pierce, Spisak, and Fitch will demonstrate the processor-based Hardware-Assisted Control Flow Integrity protection at the Black Hat conference in Las Vegas this week in work they say will "raise the [exploitation] bar significantly". Their cross-platform Intel platform framework moves the focus of defence from increasingly-obsolete post-exploitation return-oriented programming to attacks that hit close to memory. It introduces runtime performance overheads some three times greater than those Redmond endures to apply the protection to Visual Studio on Windows 8.1 and 10, the team told ThreatPost, yet the impact remains "acceptable". The team say in a synopsis of their work that the security industry has gone to "great lengths" to complicate exploitation without much effect, pointing their fingers at code re-use attacks such as return-oriented programming. "Unfortunately, the reality is that once attackers have control over code execution it's only a matter of time before they can circumvent these defenses, as the recent rise of EMET bypasses illustrates," they say. "Our approach blocks exploits before they gain execution, preventing the opportunity to bypass mitigations." Earlier work has demonstrated the effectiveness of using chip Performance Monitoring Units to detect return-oriented programming attacks.

The trio's work generalises the approach to help detect attacks in real time and guard COTS binaries from control-flow hijack attempts stemming from use-after-free and memory corruption vulnerabilities. The trio will demonstrate their work defending against exploits that otherwise would defeat lauded but perhaps dated tools like Microsoft's enhanced mitigation toolkit.
You know the drill, people: patch and push

Developers using Intel's Crosswalk SSL library: it's time to patch and push out an upgrade. Crosswalk is a cross-platform library that supports deployment to Android, iOS and Windows Phone, but the bug is Android-specific. The library has a bug in how it handles SSL errors, and as a result, end users on Android could be tricked into accepting MITM certificates. As consultancy Nightwatch Cyber Security explains, if a user accepts one invalid or self-signed SSL certificate, Crosswalk remembers that choice and applies it to all future certificates. In other words, if an attacker tricked a user into accepting a bad cert from (for example) a Wi-Fi hotspot, Crosswalk would retain that choice forever, so a future MITM attack would pass without presenting any certificate warning to the end user: “This applies even to connections over different WiFi hotspots and different certificates”, the advisory states. As with all toolchain bugs, its impact is as big as the reach of the downstream apps that use it: the number-one app in Crosswalk's showcase, “Pirate Treasures”, claims 10 million downloads, and all of the top fifteen have more than 500,000 downloads. All three branches of Crosswalk for Android – stable, beta and “canary” – need to be upgraded, and fixed apps pushed to users.
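The trust-decision bug the advisory describes comes down to how the client stores a "proceed anyway" answer. The Python below is an added example written for this page, not Crosswalk's or Nightwatch Cyber Security's code: GlobalOverridePolicy keeps a single boolean, so the first acceptance silences every later certificate error on every host, while ScopedOverridePolicy keys the exception on the host and the SHA-256 fingerprint of the exact certificate the user saw. The host names and certificate bytes are constructed placeholders, not real DER.

```python
"""
Two ways a client can remember a user's decision to proceed past a TLS
certificate error. GlobalOverridePolicy mirrors the flaw described in the
advisory: one acceptance silences every later error, for every host.
ScopedOverridePolicy ties the exception to the host and the certificate.
Constructed example; certificate bytes below are placeholders, not real DER.
"""
import hashlib
from typing import List, Set, Tuple


class CertError:
    """A certificate the TLS layer rejected, as presented by a given host."""

    def __init__(self, host: str, cert_der: bytes) -> None:
        self.host = host
        self.cert_der = cert_der

    def fingerprint(self) -> str:
        # SHA-256 over the certificate bytes: the usual key for an exception entry
        return hashlib.sha256(self.cert_der).hexdigest()


class GlobalOverridePolicy:
    """Flawed: a single boolean stands in for every host and every certificate."""

    def __init__(self) -> None:
        self.proceed_all = False

    def decide(self, err: CertError) -> str:
        # Once the flag is set, no later error is ever shown to the user again,
        # whatever host or certificate is involved.
        return "proceed" if self.proceed_all else "prompt"

    def remember_acceptance(self, err: CertError) -> None:
        self.proceed_all = True


class ScopedOverridePolicy:
    """Hardened: an exception is keyed by (host, certificate fingerprint)."""

    def __init__(self) -> None:
        self.exceptions: Set[Tuple[str, str]] = set()

    def decide(self, err: CertError) -> str:
        key = (err.host, err.fingerprint())
        return "proceed" if key in self.exceptions else "prompt"

    def remember_acceptance(self, err: CertError) -> None:
        self.exceptions.add((err.host, err.fingerprint()))


def replay(policy) -> List[str]:
    """Drive a policy through three certificate errors and return its decisions:
    1. a captive-portal certificate the user accepts once,
    2. a different certificate on a different host (an interposed connection),
    3. the same captive-portal certificate seen again."""
    portal = CertError("portal.hotspot.example", b"constructed-captive-portal-cert")
    interposed = CertError("bank.example", b"constructed-interposed-cert")
    decisions = []
    first = policy.decide(portal)
    decisions.append(first)
    if first == "prompt":
        policy.remember_acceptance(portal)  # the user taps "proceed" exactly once
    decisions.append(policy.decide(interposed))
    decisions.append(policy.decide(portal))
    return decisions


if __name__ == "__main__":
    print("global:", replay(GlobalOverridePolicy()))  # ['prompt', 'proceed', 'proceed']
    print("scoped:", replay(ScopedOverridePolicy()))  # ['prompt', 'prompt', 'proceed']
```

The second decision is the one that matters: the global policy lets the unrelated certificate on bank.example through without a prompt, while the scoped policy still prompts for it and only remembers the portal certificate the user actually looked at. In an Android WebView the equivalent decision point is WebViewClient.onReceivedSslError, whose SslErrorHandler offers only proceed() and cancel(); the scoped rule means proceed() is reserved for an error whose host and certificate match a recorded exception, and everything else is cancelled or prompted afresh.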
FLocker malware shows regional preferences

Researchers at Trend Micro have spotted a new variant of ransomware code that can be used to lock down Android-powered smartphones and televisions. The FLocker (short for the Frantic Locker) malware has been in circulation since at least April 2015 and has concentrated on locking down smartphone handsets running the latest builds of Android.

But the writer keeps on adding new features and has now extended the code to give smart TV owners problems too. Not everyone is vulnerable, however.

After the malware file is downloaded via an infected website or SMS file, it waits for 30 minutes before scanning its surroundings. If it determines the device is in Kazakhstan, Azerbaijan, Bulgaria, Georgia, Hungary, Ukraine, Russia, Armenia or Belarus, then it shuts down. If the user isn't in one of those countries, the code will try and install a command and control system on the smartphone or TV.

This requires the user to give the app admin permissions, but if that isn't forthcoming the malware will freeze the screen and then ask again under the guise of an operating system update to fix the "problem." Once installed, it will flash up a message on an infected phone or TV claiming to be a law enforcement organization and demanding a $200 fine to be paid in iTunes gift cards – which is never the preferred method of payment to a government body – in exchange for the code to unlock the device.

"If an Android TV gets infected, we suggest user to contact the device vendor for a solution at first. Another way of removing the malware is possible if the user can enable ADB debugging," the advisory reads. "Users can connect their device with a PC and launch the ADB shell and execute the command 'PM clear %pkg%.' This kills the ransomware process and unlocks the screen. Users can then deactivate the device admin privilege granted to the application and uninstall the app."

This kind of cross-platform vulnerability is going to get a lot worse as more and more devices share operating system features with their computing and smartphone cousins. You can expect this to become a much bigger problem.
Cross-platform nasty is simplicity itself to exploit, so get patching peeps

British white hat hacker and Google Project Zero chap Tavis Ormandy is making life miserable for Symantec again: the bug-hunter has turned up an exploitable overflow in “the core Symantec Antivirus Engine used in most Symantec and Norton branded Antivirus products”. Described here, the problem is in how the antivirus products handle executables compressed using an early version of the Aspack compression tool. If the engine encounters truncated section data – “when SizeOfRawData is greater than SizeOfImage” – the buffer overflow occurs. Ormandy writes: “Because Symantec use a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it.” Entertainingly, it's a cross-platform bug that affects Windows, Mac, and *nix platforms.

In Mac / Linux / Unix, an attacker can cause a remote heap overflow in the Symantec process, giving the attacker root access. The Windows bug is even better: “On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability - this is about as bad as it can possibly get”, he writes.

Kernel memory corruption in Symantec/Norton antivirus, CVE-2016-2208 (more patches soon). https://t.co/Sqhm0a48Fp pic.twitter.com/F22xDIelSU — Tavis Ormandy (@taviso) May 17, 2016

Either e-mail or browser attacks will work, Ormandy says, attaching a test case file to his post. Ormandy tweeted that Live Update will carry some fixes, while others will require a patch.
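The condition Ormandy names, SizeOfRawData larger than SizeOfImage, is a header field that a scanner trusted as a copy length. The Python below is an added example, not Symantec's engine or Ormandy's test case: it builds a minimal PE32 image inline (constructed bytes, with the SizeOfImage, file size and section values chosen for this page), walks the section table with every header read bounds-checked against the file length, flags sections whose raw-data claims cannot be honoured, and computes the largest amount that could be copied safely. It goes a little beyond the advisory's single condition by also checking raw data against the end of the file and the virtual range against SizeOfImage, which are the same class of mismatch.

```python
"""
Validating IMAGE_SECTION_HEADER fields before using them as copy lengths.
A tiny PE32 image is constructed inline (no file is read) with one section
whose SizeOfRawData exceeds SizeOfImage, the condition named in the advisory.
"""
import struct
from typing import List, Tuple

SECTION_FMT = "<8sIIIIIIHHI"                # IMAGE_SECTION_HEADER, little-endian
SECTION_LEN = struct.calcsize(SECTION_FMT)  # 40 bytes
OPT_HDR_LEN = 224                           # IMAGE_OPTIONAL_HEADER32
E_LFANEW = 64                               # PE signature right after the DOS header
SIZE_OF_IMAGE = 0x3000                      # constructed value for the sample image
FILE_LEN = 0x400                            # constructed on-disk size of the sample


def build_sample_pe(truncated_section: bool = True) -> bytes:
    """Build a minimal PE32 image. With truncated_section=True the second section
    claims 1 MiB of raw data although SizeOfImage is 0x3000 and the file is only
    0x400 bytes long: the header promises more data than exists."""
    dos = bytearray(E_LFANEW)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, E_LFANEW)
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [(b".text", 0x1000, 0x1000, 0x200, 0x200)]
    if truncated_section:
        sections.append((b".bad", 0x1000, 0x2000, 0x100000, 0x200))
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HDR_LEN, 0x102)
    opt = bytearray(OPT_HDR_LEN)
    struct.pack_into("<H", opt, 0, 0x10B)            # Magic: PE32
    struct.pack_into("<I", opt, 56, SIZE_OF_IMAGE)   # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)           # SizeOfHeaders
    table = b"".join(
        struct.pack(SECTION_FMT, name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        for name, vsize, va, rawsize, rawptr in sections
    )
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image.ljust(FILE_LEN, b"\0")  # headers padded to 0x200, then 0x200 of section data


def parse_sections(data: bytes) -> Tuple[int, List[dict]]:
    """Return (SizeOfImage, section headers). Every offset used to read a header
    is checked against len(data) first, so a short file cannot push a read out of bounds."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: bad DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_len = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    if opt_len < 64 or opt_off + opt_len > len(data):
        raise ValueError("optional header truncated")
    size_of_image = struct.unpack_from("<I", data, opt_off + 56)[0]
    table_off = opt_off + opt_len
    if table_off + nsec * SECTION_LEN > len(data):
        raise ValueError("section table truncated")
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from(
            SECTION_FMT, data, table_off + i * SECTION_LEN)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "VirtualSize": vsize, "VirtualAddress": va,
            "SizeOfRawData": rawsize, "PointerToRawData": rawptr,
        })
    return size_of_image, sections


def check_sections(data: bytes) -> List[Tuple[str, str]]:
    """Flag section headers whose sizes cannot be honoured. The first rule is the
    exact condition from the advisory; the other two catch the same class of
    mismatch against the file length and the mapped image size."""
    size_of_image, sections = parse_sections(data)
    findings = []
    for s in sections:
        if s["SizeOfRawData"] > size_of_image:
            findings.append((s["name"], "SizeOfRawData exceeds SizeOfImage"))
        if s["PointerToRawData"] + s["SizeOfRawData"] > len(data):
            findings.append((s["name"], "raw data runs past end of file"))
        if s["VirtualAddress"] + s["VirtualSize"] > size_of_image:
            findings.append((s["name"], "virtual range runs past SizeOfImage"))
    return findings


def bounded_raw_size(section: dict, size_of_image: int, file_len: int) -> int:
    """Bytes that may safely be copied for this section: never more than the file
    holds after PointerToRawData, and never more than the mapped image can take."""
    in_file = max(0, file_len - section["PointerToRawData"])
    in_image = max(0, size_of_image - section["VirtualAddress"])
    return min(section["SizeOfRawData"], in_file, in_image)


if __name__ == "__main__":
    sample = build_sample_pe()
    for name, problem in check_sections(sample):
        print(f"{name}: {problem}")
```

The point of bounded_raw_size is that the header's own number never becomes the copy length; the copy is clamped to what the file and the image can actually hold, so a header that lies about its section size yields a short read rather than an out-of-bounds write.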
The newest big thing in security is the cross-platform multi-device security suite.
Instead of seeking out different products for your Windows, Mac, and mobile devices, you use the same multi-device subscription on all of them, and you can manage them from a central console.
Some offer a specific number of licenses, others aren't limited.

AVG Protection Free (2016) has the distinction of offering multi-device protection at no cost. However, that great price point can't outweigh the fact that the security protection it offers doesn't measure up to that of the top products in this field.

AVG Protection Free helps you manage installations of AVG's free antivirus products for Windows, Mac OS, and Android (sorry, no iOS support). You can choose a 30-day trial of the non-free AVG Protection (2016).
If you do so and then decide you want to keep the Pro features, you'll pay $59.99 per year for unlimited devices. McAfee LiveSafe (2016) lists for $89.99 per year, for unlimited devices, but it adds support for iOS and Blackberry, and its Mac support is a full suite, not just antivirus like AVG.

For that same $89.99 you could also choose a 10-license subscription for Symantec Norton Security Deluxe, with 25GB of hosted online backup as a bonus. None of the competing services offer a free edition, though.

Very Zen

As with the paid edition, installation of AVG Protection Free starts with AVG Zen, the management tool. You also need to create an online management account.

This account is what links all your devices through Zen. Like most of AVG's products, Zen uses color-coded circles to report your security status in various areas.

Four panels represent Protection, Performance, Safe Surf, and Web Tuneup.

A complete circle means you've got all available protection in the specified area; a partial circle means there's more you could add. When the circle is green, all's well with the world.
If it's yellow or red, the specified component needs attention. I installed AVG Protection on a Windows 8.1 test system, opting to go straight to the free edition rather than start a 30-day trial of the paid version.

As soon as Zen was installed, it started a background installation of the free antivirus. Once that installation completed, I got a three-quarter green circle in the Protection panel.

Completing that circle would require upgrading to the paid edition, so I left it alone. Clicking the Web TuneUp panel smoothly installed that feature on my browsers, giving me a complete green circle in that panel. Web TuneUp warns when you're about to visit an iffy or dangerous site, actively prevents tracking of your Web surfing habits, and lets you clear your browser history with one click. Safe Surf, AVG's VPN, is an extra cost, so that panel stayed blank.

As for the Performance panel, clicking that one installed AVG PC TuneUp. Note, though, that this is a one-day free trial, so don't start it until you have some free time to exercise this tool's powerful performance enhancement features. Extending protection to additional devices is a snap. You click a button to start the process, choose Windows, Mac OS, or Android, and send an email to an account used on the device in question.

The email contains a link to download the appropriate app.
Install Zen, install the antivirus, and link the installation to your account by logging in.

That's it.

The new device shows up in Zen's lineup across the top. You can check the status of any device by clicking it, and you can even remotely launch a scan or an update.

Protection for Windows

On your Windows devices, AVG Protection installs AVG AntiVirus Free (2016).

Do please read that review for full details on the antivirus.
I will summarize my findings here. All five of the antivirus testing labs I follow include AVG in their evaluations. My aggregate lab test score calculation for AVG gives it 8.4 of 10 possible points. Kaspersky holds the best aggregate score, 9.7 points. In my own hands-on testing, AVG earned 8.8 of 10 possible points, which is good, but not at the top.

Top score among products tested with the same samples goes to Bitdefender Total Security 2016, with 9.3 points.

Tested against a newer sample set, Webroot SecureAnywhere Internet Security Complete (2016) managed a perfect 10. In my malicious URL blocking test, AVG blocked 73 percent of the samples.
Symantec Norton Security Premium blocked 91 percent of the malware downloads, and Avira Antivirus Pro 2016 fended off 99 percent.
In my antiphishing test, AVG lagged 28 percentage points behind Norton. This product's antivirus protection isn't quite as good as the very best commercial antivirus tools, but it's impressive for a free antivirus.

AVG AntiVirus Free is an Editors' Choice for free antivirus, sharing that honor with Avast Free Antivirus 2016 and Panda Free Antivirus (2016).

Protection for Android

To get a feel for AVG's Android protection, I sent a link to a Nexus 9 that I use for testing.

The user interface has changed since we reviewed AVG AntiVirus Security (for Android); no more color-coded circles! But the feature set remains effectively the same; refer to that review for additional details. Zen on the tablet retains those familiar circles, and works just as it does on Windows. For a complete installation, you need to enable Anti-Theft and make AVG a Device Administrator. You'll probably also want to click the link that installs the free AVG Cleaner for Android.

As with AVG Protection itself, you can opt to get a 30-day trial of the paid edition.
I chose not to do so, and therefore found myself viewing banner ads across the bottom of the app's display. AVG scans your apps for malware and can optionally scan external storage.
It also finds and flags problems with security settings, offering instructions for correcting configuration errors.

The Safe Web Surfing feature steers your browser away from malicious and fraudulent URLs. Performance features include a task killer, to save battery life by ending unnecessary tasks, as well as a battery power tracker with an option to automatically turn off power-hungry features when battery power gets low.

AVG can also track your storage usage and monitor use of your data plan by apps. There's probably a better chance your Android device will be lost or stolen than that it will suffer a malware attack.

AVG offers a full-scale anti-theft component. You can use coded text messages or the online console to remotely locate, lock, or wipe the device, or trigger a noise to help you find a mislaid tablet.

That's it for the free edition.

The for-pay edition adds Camera Trap, which snaps a thief's photo, and can also lock the device if a thief removes the SIM card.
It can protect private data and user-specified apps with a PIN code.

And it can back up your apps to an SD card. The free app installed by AVG Protection Free includes antivirus and anti-theft, the pillars of an Android security product, but lacks a number of useful features from the paid app. Our Editors' Choice products for Android antivirus are Norton Security and Antivirus (for Android) and Bitdefender Mobile Security and Antivirus (for Android). Like AVG, both of these offer a free edition with only the most necessary features.

Mac Protection

AVG AntiVirus (for Mac) is a free product. You could download and install it without any connection to AVG Protection, but then you'd miss out on the remote-control power of AVG Zen. This free, simple product offers protection against viruses and other types of malware.
It scans on demand and in real time.

To make sure your other devices don't get infected by way of the Mac, it looks for PC and Android malware as well.

And of course you'll find the user interface familiar. Keep those circles green! Norton gives Mac users rather more in the way of features.
It includes a firewall, a vulnerability scanner, and password protection for files, among other things. McAfee LiveSafe is somewhere between, with antivirus, firewall, Web reputation reporting, and password management.

Free Isn't Enough

I rated the paid AVG Protection three stars, meaning it's good, but not outstanding.

For Windows devices, the paid edition installs AVG Internet Security, which doesn't rate as highly as the free antivirus because other components don't measure up.

Android protection in the paid edition is good, but Macs just get a simple always-free antivirus. With AVG Protection Free, the Android app loses Pro-only features and PCs just get a free antivirus—a good one—rather than a full security suite.
It's great that this product is free, and you still get the helpful remote management of AVG Zen, but competing (paid) cross-platform suites offer so much more.
In this instance, you really do get what you pay for. Symantec Norton Security Deluxe excels in just about every area and comes with 25GB of hosted online storage.
It protects PCs and Macs with a full security suite, and its Android version is an Editors' Choice. Where Symantec lets you protect 10 devices, McAfee LiveSafe puts no limit on the number of Windows, Mac OS, Android, iOS, and Blackberry devices you can connect.

These two are our Editors' Choice cross-platform multi-device security suites.
Updated nss packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Critical security impact.

A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.

A heap-based buffer overflow flaw was found in the way NSS parsed certain ASN.1 structures. An attacker could use this flaw to create a specially crafted certificate which, when parsed by NSS, could cause it to crash, or execute arbitrary code, using the permissions of the user running an application compiled against the NSS library. (CVE-2016-1950)

Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Francis Gabriel as the original reporter.

All nss users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
For the update to take effect, all applications linked to the nss library must be restarted, or the system rebooted. Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

RHEL Desktop Workstation (v. 5 client)

SRPMS:
nss-3.19.1-4.el5_11.src.rpm  MD5: 544778df37f1d2d9ce9e11098bc3b210  SHA-256: e2ed10921358fe438dc597b79575e0288375277682c1f794f616d118703cec72

IA-32:
nss-debuginfo-3.19.1-4.el5_11.i386.rpm  MD5: d8f4b1ead7c0738185923b7485a9f4f1  SHA-256: e1dca4fae0064ec73069503185f570703b50abe5d1186e83465d84fbc0ad01dd
nss-devel-3.19.1-4.el5_11.i386.rpm  MD5: e9ac998fc83624b5e42b8ef508c70db4  SHA-256: 7d77d7819b16fc71965ed86ca7e10f6be48c5997a13512fb8d77f56d3bf13b74
nss-pkcs11-devel-3.19.1-4.el5_11.i386.rpm  MD5: 472d167a003745770ca3d0b7c7109ed4  SHA-256: 333a39e4714a367ac8f46a26c3adb6981b8e54b09b4a241c43a84c0a2a8195fd

x86_64:
nss-debuginfo-3.19.1-4.el5_11.i386.rpm  MD5: d8f4b1ead7c0738185923b7485a9f4f1  SHA-256: e1dca4fae0064ec73069503185f570703b50abe5d1186e83465d84fbc0ad01dd
nss-debuginfo-3.19.1-4.el5_11.x86_64.rpm  MD5: 45061cba17fae1dfe581a415d44773bf  SHA-256: 72a6d9440442e9e6765d9f22877b72a83bfa00dcfe9a704b50e565f69795d1d3
nss-devel-3.19.1-4.el5_11.i386.rpm  MD5: e9ac998fc83624b5e42b8ef508c70db4  SHA-256: 7d77d7819b16fc71965ed86ca7e10f6be48c5997a13512fb8d77f56d3bf13b74
nss-devel-3.19.1-4.el5_11.x86_64.rpm  MD5: 4d831042af7dfa6e80ad6bf9579cd4ef  SHA-256: 65ddd0935783f0ac00c61fd3e13d7fb6509f01d3afa423c7dbfdb4c3aabc4281
nss-pkcs11-devel-3.19.1-4.el5_11.i386.rpm  MD5: 472d167a003745770ca3d0b7c7109ed4  SHA-256: 333a39e4714a367ac8f46a26c3adb6981b8e54b09b4a241c43a84c0a2a8195fd
nss-pkcs11-devel-3.19.1-4.el5_11.x86_64.rpm  MD5: c1a2ac387761f45260de137e35545280  SHA-256: fb02c20684a651c675e5b81fcba40487e1c8e6cfdcb90d261888347980b9bef9

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
nss-3.19.1-4.el5_11.src.rpm  MD5: 544778df37f1d2d9ce9e11098bc3b210  SHA-256: e2ed10921358fe438dc597b79575e0288375277682c1f794f616d118703cec72

IA-32:
nss-3.19.1-4.el5_11.i386.rpm  MD5: 83ca14029531b9d549bb8df9f5aac525  SHA-256: 450dd70148a25759d516bb7f9ee6864a8038221cd23cffa78dd4c97a6fcaf5b2
nss-debuginfo-3.19.1-4.el5_11.i386.rpm  MD5: d8f4b1ead7c0738185923b7485a9f4f1  SHA-256: e1dca4fae0064ec73069503185f570703b50abe5d1186e83465d84fbc0ad01dd
nss-devel-3.19.1-4.el5_11.i386.rpm  MD5: e9ac998fc83624b5e42b8ef508c70db4  SHA-256: 7d77d7819b16fc71965ed86ca7e10f6be48c5997a13512fb8d77f56d3bf13b74
nss-pkcs11-devel-3.19.1-4.el5_11.i386.rpm  MD5: 472d167a003745770ca3d0b7c7109ed4  SHA-256: 333a39e4714a367ac8f46a26c3adb6981b8e54b09b4a241c43a84c0a2a8195fd
nss-tools-3.19.1-4.el5_11.i386.rpm  MD5: 4dc8eec54f5690c46382ff359057ab2a  SHA-256: 8fe0677dc573438c67b08a066581839480190c417fd42f45b426bf9a35a27693

IA-64:
nss-3.19.1-4.el5_11.i386.rpm  MD5: 83ca14029531b9d549bb8df9f5aac525  SHA-256: 450dd70148a25759d516bb7f9ee6864a8038221cd23cffa78dd4c97a6fcaf5b2
nss-3.19.1-4.el5_11.ia64.rpm  MD5: a35672e89acaa20191c2a1d75da4cf71  SHA-256: 27ea8e9c557bd3ec8ee5c1f44c9c73a44e55887d83216f6b529c6cb78c95fdd7
nss-debuginfo-3.19.1-4.el5_11.i386.rpm  MD5: d8f4b1ead7c0738185923b7485a9f4f1  SHA-256: e1dca4fae0064ec73069503185f570703b50abe5d1186e83465d84fbc0ad01dd
nss-debuginfo-3.19.1-4.el5_11.ia64.rpm  MD5: ac3a0adacec8c1952bc40e06d3435bdf  SHA-256: 192132ea5cc4e1ba95fdd88208fbf20b0f9b55bbbfe86e749f060a9c30b83c3f
nss-devel-3.19.1-4.el5_11.ia64.rpm  MD5: b002cc06061fe42fa347d0c058ea4811  SHA-256: 6a9a2d5772f1ed63cbd4c26a5614ece8fe687840ca3da17d1fb114864085852c
nss-pkcs11-devel-3.19.1-4.el5_11.ia64.rpm  MD5: 2a10e4e1437184cd437d1a43b5501d0c  SHA-256: 47c9c10468f87486ecda09fde342a1a5279d2fddc83d20fb090ac8bfa73c82a6
nss-tools-3.19.1-4.el5_11.ia64.rpm  MD5: 12b8332fe8ac7dc222bb58d44e3708cd  SHA-256: 501dba43ca3c730875eb36dfaadebed45504d76fd1a7ca08b7f8a52127d2c097

PPC:
nss-3.19.1-4.el5_11.ppc.rpm  MD5: 5f7cba235a6dfda6d50ca13db34ce18d  SHA-256: b25d4537c0b393d46ec963030f6fc920e062f70a38dc63ff575a7fc875dd03cf
nss-3.19.1-4.el5_11.ppc64.rpm  MD5: f4e685a10dfcf8347dad8d1a2a644933  SHA-256: d037cd5df70a5548f0f6fb385e0cdfaa45c1a08ba0c3377c0e39461925b08d68
nss-debuginfo-3.19.1-4.el5_11.ppc.rpm  MD5: 63f5dcca54604214dc325f4b611ab278  SHA-256: 3232b8e8c0ca0442031caf6ee5cfc59b164ddbae71ea0647877d8e000a20dc93
nss-debuginfo-3.19.1-4.el5_11.ppc64.rpm  MD5: 202e7f031d0f9c208146a3122d6e2254  SHA-256: a935fa28c0fe4abd58ee34124089aa04c36f83032b86ca2425b03773b0e412e0
nss-devel-3.19.1-4.el5_11.ppc.rpm  MD5: baf4fc80ff841213fd3a7c3a67960cdc  SHA-256: f34e24e14ba59f3d4c6cfe02155fe10bbb4ad62a8d41e356477a22ef35f84238
nss-devel-3.19.1-4.el5_11.ppc64.rpm  MD5: 914d98205a78f05982fc15b82f5eaf73  SHA-256: f25ab7119e9df59585263f5fabc8ca336d592d16ef2e742ad0cbcf9b83a4ae6f
nss-pkcs11-devel-3.19.1-4.el5_11.ppc.rpm  MD5: 818fad2e71a84adfc38100213c7a45dc  SHA-256: 8e0c8f779047f96ed7511e28b159e4dfc4aa2fbd6e3aaf6f6529d7c30afe0b74
nss-pkcs11-devel-3.19.1-4.el5_11.ppc64.rpm  MD5: 5bc98dee078cc79717e2f213d0bfc727  SHA-256: 55fe6615b778c780abf646158796a8e4d659205dc2f3bb55b5d58dddedf51450
nss-tools-3.19.1-4.el5_11.ppc.rpm  MD5: 18b786adc652500b133554e106a5d1ea  SHA-256: 160ef3d5462c29caaaba55dafdaea301158c696a3671f9195a0683f858b76200

s390x:
nss-3.19.1-4.el5_11.s390.rpm  MD5: 6952cec820827c2a220c5dd037bceb68  SHA-256: 0c6e38e62e89941560c23c04f2a6bbc1015a484f8859719d323680f1de3574c1
nss-3.19.1-4.el5_11.s390x.rpm  MD5: 791a8d37c6cba0c5a1dfed5b2d05f984  SHA-256: 203c91421553c236aa4510142607ad9faa771e3ede0b4ea1f189e21d447feb46
nss-debuginfo-3.19.1-4.el5_11.s390.rpm  MD5: 5a3c7b1fb3d3cd3ca8715ecf68c57c27  SHA-256: c72d63adf72c06f88911d929276e94f8e178629a66b01ca12eddfa25df7da77c
nss-debuginfo-3.19.1-4.el5_11.s390x.rpm  MD5: bb2633f65366110d759fe4a52c048ae5  SHA-256: efd7c0a5246413c2b753a562948d24ca4c30746925281295ef4fbc34cf749f41
nss-devel-3.19.1-4.el5_11.s390.rpm  MD5: 9624cff8b5026550f9d649ea5a64e56f  SHA-256: e954423ebfc1da59eaf7323b08824d8eac9757e8944dd6dcbd1546eedd98392a
nss-devel-3.19.1-4.el5_11.s390x.rpm  MD5: ee26742a2127da92358babfd40a579e6  SHA-256: e6969d38708320399711a4d97829d92643899420cfd11608eafe12437435474e
nss-pkcs11-devel-3.19.1-4.el5_11.s390.rpm  MD5: c19938f16265b38c90a1180a6a06d044  SHA-256: 73506eaa4e80c3bd63fc77724d5861a7d2c8288d1042057629e5630b6f0f7612
nss-pkcs11-devel-3.19.1-4.el5_11.s390x.rpm  MD5: de2245af4b71574cbaef743c42af6c5f  SHA-256: ed427c79215cfc23771c775776ea90e4d10601f069f65e41806f6dabda2caade
nss-tools-3.19.1-4.el5_11.s390x.rpm  MD5: 8f3644756fef8157ab0459a4829562b2  SHA-256: 7a9873d6f863882a8456341af4ac51c03b4f88586872accb5143c2865f0b2f8a

x86_64:
nss-3.19.1-4.el5_11.i386.rpm  MD5: 83ca14029531b9d549bb8df9f5aac525  SHA-256: 450dd70148a25759d516bb7f9ee6864a8038221cd23cffa78dd4c97a6fcaf5b2
nss-3.19.1-4.el5_11.x86_64.rpm  MD5: 4976117843e939b48d8944c3d863c2b3  SHA-256: 943076eece09883a2319211f72064bb9cbd3ca45ee8f0d754a58e0a91e38ea8b
nss-debuginfo-3.19.1-4.el5_11.i386.rpm  MD5: d8f4b1ead7c0738185923b7485a9f4f1  SHA-256: e1dca4fae0064ec73069503185f570703b50abe5d1186e83465d84fbc0ad01dd
nss-debuginfo-3.19.1-4.el5_11.x86_64.rpm  MD5: 45061cba17fae1dfe581a415d44773bf  SHA-256: 72a6d9440442e9e6765d9f22877b72a83bfa00dcfe9a704b50e565f69795d1d3
nss-devel-3.19.1-4.el5_11.i386.rpm  MD5: e9ac998fc83624b5e42b8ef508c70db4  SHA-256: 7d77d7819b16fc71965ed86ca7e10f6be48c5997a13512fb8d77f56d3bf13b74
nss-devel-3.19.1-4.el5_11.x86_64.rpm  MD5: 4d831042af7dfa6e80ad6bf9579cd4ef  SHA-256: 65ddd0935783f0ac00c61fd3e13d7fb6509f01d3afa423c7dbfdb4c3aabc4281
nss-pkcs11-devel-3.19.1-4.el5_11.i386.rpm  MD5: 472d167a003745770ca3d0b7c7109ed4  SHA-256: 333a39e4714a367ac8f46a26c3adb6981b8e54b09b4a241c43a84c0a2a8195fd
nss-pkcs11-devel-3.19.1-4.el5_11.x86_64.rpm  MD5: c1a2ac387761f45260de137e35545280  SHA-256: fb02c20684a651c675e5b81fcba40487e1c8e6cfdcb90d261888347980b9bef9
nss-tools-3.19.1-4.el5_11.x86_64.rpm  MD5: e6937b5083bac59f1f9a23eeeb650f43  SHA-256: 8076efffecd7eb91da1bb1115921bfd4b250e599597c1daeb920a9e620fa7550

Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
nss-3.19.1-4.el5_11.src.rpm  MD5: 544778df37f1d2d9ce9e11098bc3b210  SHA-256: e2ed10921358fe438dc597b79575e0288375277682c1f794f616d118703cec72

IA-32:
nss-3.19.1-4.el5_11.i386.rpm  MD5: 83ca14029531b9d549bb8df9f5aac525  SHA-256: 450dd70148a25759d516bb7f9ee6864a8038221cd23cffa78dd4c97a6fcaf5b2
nss-debuginfo-3.19.1-4.el5_11.i386.rpm  MD5: d8f4b1ead7c0738185923b7485a9f4f1  SHA-256: e1dca4fae0064ec73069503185f570703b50abe5d1186e83465d84fbc0ad01dd
nss-tools-3.19.1-4.el5_11.i386.rpm  MD5: 4dc8eec54f5690c46382ff359057ab2a  SHA-256: 8fe0677dc573438c67b08a066581839480190c417fd42f45b426bf9a35a27693

x86_64:
nss-3.19.1-4.el5_11.i386.rpm  MD5: 83ca14029531b9d549bb8df9f5aac525  SHA-256: 450dd70148a25759d516bb7f9ee6864a8038221cd23cffa78dd4c97a6fcaf5b2
nss-3.19.1-4.el5_11.x86_64.rpm  MD5: 4976117843e939b48d8944c3d863c2b3  SHA-256: 943076eece09883a2319211f72064bb9cbd3ca45ee8f0d754a58e0a91e38ea8b
nss-debuginfo-3.19.1-4.el5_11.i386.rpm  MD5: d8f4b1ead7c0738185923b7485a9f4f1  SHA-256: e1dca4fae0064ec73069503185f570703b50abe5d1186e83465d84fbc0ad01dd
nss-debuginfo-3.19.1-4.el5_11.x86_64.rpm  MD5: 45061cba17fae1dfe581a415d44773bf  SHA-256: 72a6d9440442e9e6765d9f22877b72a83bfa00dcfe9a704b50e565f69795d1d3
nss-tools-3.19.1-4.el5_11.x86_64.rpm  MD5: e6937b5083bac59f1f9a23eeeb650f43  SHA-256: 8076efffecd7eb91da1bb1115921bfd4b250e599597c1daeb920a9e620fa7550

(The unlinked packages above are only available from the Red Hat Network)

1310509 - CVE-2016-1950 nss: Heap buffer overflow vulnerability in ASN1 certificate parsing (MFSA 2016-35)

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
Brazilian cybercriminals have been “competing” with their Russian-speaking “colleagues” for a while in who makes more Trojan bankers and whose are most effective.

A few days ago we found a new wave of different campaigns spreading the initial “Banloader” components in Jar (Java archive), which is very particular by its nature – it’s able to run on Linux, OS X, and of course Windows.

Actually, it’s also able to run under certain circumstances even on mobile devices.

Social engineering

Social engineering actually varies from vehicle taxes or fines to boleto’s payment system and even a kind of electronic debt call center. Some emails come with download links to Jar files, while others directly spread Jar inside archives, so the end user does not need to download anything from the Internet.

Infection

Everything happens when the victims make a click – and we should remember Brazilian cybercriminals are experts in social engineering. So, right, the victim makes a click. What happens next? That also varies. It depends on which group is behind that particular attack. We say this because we have seen different cyber-criminal gangs from Brazil that are clearly not related actively using Jar files to seed bankers. The fact is, as long as the victim has Java locally installed, the “Banloader” will run and it doesn’t matter if it’s OS X, Linux or Windows. Some groups just go for traditional PAC modifications, redirecting victims to fake bank websites: While others work with slightly more complex obfuscating Jar routines using DES or RSA algos. Once deobfuscated it’s clear it drops a file to the system, which is actually the Banker in charge of stealing the victim’s money:

Interesting strings

Whether it’s intentional or not, the cybercriminals left strings. Here are the strings found in different Jar-based Trojan Banker samples:
“liberdade” – freedom, liberty
“maravilha” – miracle, thing of beauty

Why is it important? Because Jar files run on Windows, OS X and Linux, wherever Java is installed.

This is the very first step cybercriminals from Brazil have made towards “cross-platforming”. What does it mean? Brazilian Trojan Banker coders are now making Trojans running on all platforms and not only Windows. Does it mean that OS X and Linux users are now also a target of Brazilian bankers? Not yet. We say this because the banloaders (initial components) come in Jar but the final components (dropped malware) are still designed to run in Windows or they use a Windows system in the case of PAC abusing. However, it’s clear the first step to cross-platforming has just been made.
So, it’s a matter of time till we will find Brazilian bankers running on all platforms. Are Brazilian coders going to release full bankers – banloaders and bankers running exclusively on Jar? There is no reason to believe they won’t.

They have just started and they won’t stop. How stealthy is their Jar malware? Actually, the general detection rate for ALL AV vendors is extremely low. What is the detection name Kaspersky Lab products use to detect this threat? Depending on the characteristics of each sample it may fall into one of the following families:
Trojan-Banker.Java.Agent
Trojan-Downloader.Java.Banload
Trojan-Downloader.Java.Agent
Where are most of the victims located? Naturally Brazil, Spain and then Portugal, the United States, Argentina and Mexico. Why are there victims in Germany and China? The same malware techniques have been used by other threat actors and detected under the same malware family.

cross-platform Adwind RAT

Kaspersky Lab researcher Vitaly Kamluk gave a talk about the latest version of the cross-platform Adwind RAT.

The remote access Trojan is unique in that it’s written in JavaScript, giving this version — which is also known as Frutas, AlienSpy and JSocket — the flexibility to be used liberally in cybercrime operations as well as in targeted attacks.

From Kaspersky Security Analyst Summit 2016 in Tenerife, Spain.