Thursday, 28 June 2012

Texas Students Hijack a U.S. Government Drone in Midair


There are a lot of cool things you can do with 1,000 bucks, but scientists at an Austin, Texas college have come across one that is often overlooked: for less than a grand, how’d you like to hijack a drone and play with it?

The University of Texas at Austin team successfully nabbed the drone on a dare from the Department of Homeland Security. They managed to do it through spoofing, a technique where a signal from hackers pretends to be the same as one sent to the drone's GPS.

A group of researchers led by Professor Todd Humphreys from the University of Texas at Austin Radionavigation Laboratory recently succeeded in raising the eyebrows of the US government. With just around $1,000 in parts, Humphreys’ team took control of an unmanned aerial vehicle owned by the college, all in front of the US Department of Homeland Security.


After being challenged by his lab, the DHS dared Humphreys’ crew to hack into a drone and take command. Much to their chagrin, they did exactly that.

Explanation:
Humphreys tells Fox News that for a few hundred dollars his team was able to “spoof” the GPS system on board the drone, a technique that involves mimicking the actual signals sent to the global positioning device and then eventually tricking the target into following a new set of commands. And, for just $1,000, Humphreys says the spoofer his team assembled was the most advanced one ever built.
“Spoofing a GPS receiver on a UAV is just another way of hijacking a plane,” Humphreys tells Fox. The real danger here, however, is that the government is currently considering plans that will allow local law enforcement agencies and other organizations from coast-to-coast to control drones of their own in America’s airspace.
“In five or ten years you have 30,000 drones in the airspace,” he tells Fox News. “Each one of these could be a potential missile used against us.”
Domestic drones are already being used by the DHS and other governmental agencies, and several small-time law enforcement groups have accumulated UAVs of their own as they await clearance from the Federal Aviation Administration. Indeed, by 2020 there are expected to be tens of thousands of drones diving and dipping through US airspace. With that futuristic reality only a few years away, Humphreys’ experiment suggests that the FAA may have its work cut out for it if it thinks it’s as easy as just approving domestic use anytime soon. After all, reports Newser, domestic drones are likely to use the same unencrypted GPS signals provided to civilians, allowing seemingly anyone with $1,000 and the right research to hack into the system and harness a UAV for their own personal use.

References: Link1 , Link2 

Banking Trojan Cleans Out Your Account Silently

Researchers at Tokyo-based anti-virus firm Trend Micro have discovered a new twist on banking Trojans that doesn't interact with the victim at all.
Standard banking Trojans dupe an account holder to log into a duplicate of his bank's website, thereby conning him into giving up his username, password and account number, which they use to log in after he's done.
This new variant, which can be grafted into the existing banking Trojans ZeuS or SpyEye, infects computers the old-fashioned way: It either infects Web browsers via a drive-by download or piggybacks as an attachment on a phishing email.

It then hides in the Web browser and waits for the user to log into his bank's site. Once he does, it introduces special software that triggers an automatic transfer system that moves money out of the victim's account to another account within the same bank, and covers up the evidence so that neither the user nor the bank notices right away.

"As long as a system remains infected with an ATS, its user will not be able to see the illegitimate transactions made from his/her accounts," wrote Trend Micro researcher Loucif Kharouni. "This essentially brings to the fore automated online banking fraud because cybercriminals no longer need user intervention to obtain money."

Pulling off such a heist is complicated. The malware must often be custom-made for each bank website, which involves lots of research and coding on the part of the malware authors, and results in high prices for each piece in cybercrime bazaars.

Destination accounts must also be created at the targeted banks so that the malware has a place to deposit the stolen money, and a network of "money mules" must be recruited to access the destination accounts and move the money again, this time out of the bank.

Furthermore, writes Kharouni, the amounts transferred must be fairly small in order not to trigger alerts within the banking system. The Trend Micro researchers saw amounts ranging from 500 euro to 13,000 euro ($635 to $16,500 in U.S. dollars).

The most commonly targeted banks are in Britain, Italy and Germany, countries where, according to Trend Micro, online-banking verification practices are strong — and hence necessitate the use of stealthy malware that needs no verification at all.

American banks are apparently not on the menu yet. Kharouni cites two reasons: First, it's not easy for online criminals based in Eastern Europe to open up accounts in U.S. banks; and second, most American banks have weak verification methods that make the older, cheaper variants of banking Trojans still profitable on these shores.

To avoid being hit by a banking Trojan, whether old or new, make sure to have robust anti-virus software installed on your PC or Mac, and set it to automatically update its malware definitions.

Reference : Link1

Zemra DDoS Crimeware Kit Revealed That Makes Hell for Organizations

Security experts have identified a new crimeware kit that is mainly designed to launch distributed denial-of-service (DDoS) attacks against companies, with the purpose of damaging their reputation and blackmailing them. It was first revealed on an underground hacking forum around June 25, 2012, and it costs only 100 EUR.

Zemra is similar to other crime packs such as ZeuS and SpyEye, being controlled from the same type of panel which allows the botmaster to launch commands and view the number of infections.

Backdoor.Zemra’s main functionality is to launch DDOS attacks, but it also comes with a number of other interesting features. It’s able to monitor devices, collect system information, execute files, and even update or uninstall itself if necessary. 


The following are functions in Zemra:

 - Intuitive control panel
 - DDoS (HTTP / SYN Flood / UDP)
 - Download and execution of binary files
 - Loader (Load and run)
 - Cheat visits (visits to the page views)
 - USB Spread (spread through pen drives)
 - Socks5 (picks up socks proxy on the infected machine)
 - Update (Updates the bot)
 - The process cannot be completed because it is critical
 - 256 Bit AES encryption of traffic from the bot to the server
 - Anti-Debugger
 - Self uninstall
 - System information collection





To reduce the possibility of being infected by this Trojan, Symantec advises users to ensure that they are using the latest Symantec protection technologies with the latest antivirus definitions installed.

References :  Link1 , Link2