Android Malware: Breaking New Ground and Old Taboos

April 8, 2013, 7:05 am

≫ Next: South Korea, Starbucks, and Android/Smsilence

≪ Previous: Trojan:Android/Pincer.A

$

0

0

Last Thursday's post links to "Stels"analysis by Dell SecureWorks. (Read it!) Stels is a versatile Android trojan which has recently started spreading via the Cutwail spam botnet.

Android malware being distributed by a mass-market crimeware gang — could be a game changer.

So, how did Stels spread before Cutwail?

Here's a few slightly older Stels variants and the dates we first saw them, all distributed (at least) via a web portal called spaces.ru.

  •  efb387ae109f6c04474a993884fe389e88be386f — Dec 5th
  •  8b99a836572231ffdcb111628fc1dcfb5d9ee31d — Dec 7th
  •  109b2adde84bb7a4ebf59d518863254e9f01c489 — Dec 10th
  •  9384480d82326e89ce52dd3582cf0d6869d59944 — Dec 13th
  •  8abc7ee0071ac32188c3262cf4ff76cc6436b48f — Jan 3rd

We detect numerous versions of Stels as Trojan:Android/SmsSpy.K. And this screenshot from our Malware Sample Management System (MSMS) gives a very good idea of the social engineering involved:



Games, utilities, and other "freeware" applications targeting Russians.

Targeting Russians… that's actually unusual in the world of Windows malware.

Conficker.A, for example, checks what keyboard layout is currently being used on the system with the GetKeyboardLayout Windows API and does not infect the system if the layout is Ukrainian.

A more recent example is Citadel (banking trojan), which does not run on machines that have either Russian or Ukrainian keyboards among the available input languages, checked with GetKeyboardLayoutList API.

From Citadel's machine(?) translated "readme" (http://pastebin.com/gRqQ2693):

—————

#
Important Note:
#
Our software does not work on Russian systems, if found Russian or Ukrainian keyboard layout – the software allows failure. This introduction is done in order to combat the CIS downloads. Treat it as you want, for us it is a taboo.

—————

Here's what happens with an old version of Citadel when it encounters a Ukrainian keyboard layout.



Current versions of Citadel silently quit without the crash error.

Thus far, Russian authored Android malware has needed to target follow Russians due to the billing schemes related to SMS fraud. (Premium numbers only work within their country of origin.)

Now that Android malware has expanded into a more "traditional" distribution channel — is it only a matter of time before we discover an Android trojan that reestablishes old taboos and refuses to infect Android devices using Russian as its display language?

On 08/04/13 At 04:35 PM

---

South Korea, Starbucks, and Android/Smsilence

April 10, 2013, 12:55 pm

≫ Next: Toomas Hendrik Ilves on Cybersecurity

≪ Previous: Android Malware: Breaking New Ground and Old Taboos

$

0

0

Several weeks ago, an McAfee researcher named Michael Zhang analyzed an Android trojan which specifically targets South Korean phones. It's called Smsilence, and it uses bait such as "Starbucks coupon" apps (ex: starbug.apk).

Here's the phone number check looking for country code +82:



A detail not included in Zhang's post: the URLs / IP addresses to which SMS are forwarded are associated with Hong Kong.

And given the current political tensions in the region… a trojan which very specifically targets South Korean phones and then forwards information to China seems… worrisome.

SHA1: 04d58cbe352ba98d50510b661091bac5852fe7f4

On 10/04/13 At 10:34 PM

Toomas Hendrik Ilves on Cybersecurity

April 14, 2013, 10:15 pm

≫ Next: Wired on Cyberwar. In 1996.

≪ Previous: South Korea, Starbucks, and Android/Smsilence

$

0

0

Published last Thursday — Cybersecurity: A View From the Front— a New York Times Op-Ed by Estonian President Toomas Hendrik Ilves, is highly recommended reading.



Hat tip to @JarnoLim

On 15/04/13 At 08:15 AM

Wired on Cyberwar. In 1996.

April 25, 2013, 3:44 am

≫ Next: Infosec's Hall of Fame 2013

≪ Previous: Toomas Hendrik Ilves on Cybersecurity

$

0

0

I heard Wired Magazine is turning 20.

Congratulations!

As I used to subscribe to the magazine around '93-'96, I went looking for my old copies, and I did find a stack. One of the weirdest things about these old magazines was that while they were speaking about the net from cover to cover, they did not have a single URL or a web address. Because the web didn't really exist in 1993.

I found this one cover from August 1996 especially striking. Somewhere below the mugshots of John Romero (@romero) and John Carmack (@ID_AA_Carmack) is the text "Ready for Cyberwar". Cyberwar? In 1996? I had to look up the article.

Turns out, the article in question is an interview with Winn Schwartau. I'll take the liberty of quoting the most interesting part of the article — which was well ahead of it's time — below.

Thanks, Wired.
Mikko Hypponen

On 22/04/13 At 01:55 PM

Infosec's Hall of Fame 2013

April 25, 2013, 3:44 am

≫ Next: CVE-2013-2423 Java Vulnerability Exploit ITW

≪ Previous: Wired on Cyberwar. In 1996.

$

0

0

Infosecurity Europe 2013 opened its doors today. And tomorrow…

Our own Mikko Hypponen will be inducted into Infosec's Hall of Fame.



Congratulations Mikko!

Session details here.

On 23/04/13 At 12:42 PM

CVE-2013-2423 Java Vulnerability Exploit ITW

April 25, 2013, 3:44 am

≫ Next: Apple's Root Certs Include the DoD

≪ Previous: Infosec's Hall of Fame 2013

$

0

0

A few days after Oracle released its critical patch for Java, and CVE-2013-2423 is already being exploited. Upon checking the history, the exploitation seems to have begun on April 21st and is still actively happening (as of this post):



For a closer look, the image below contains a comparison of the classes found in the Metasploit module and that of the ITW sample:



Interestingly, the Metasploit module was published on the 20th, and as mentioned earlier, the exploit was seen in the wild the day after.

Information about the PoC can be found here.

Files are detected as Exploit:Java/Majava.B.

Sample hashes:
1a3386cc00b9d3188aae69c1a0dfe6ef3aa27bfa
23acb0bee1efe17aae75f8138f885724ead1640f


Post by — Karmina and @Timo

---

On 23/04/13 At 02:36 PM

Apple's Root Certs Include the DoD

April 25, 2013, 3:44 am

≫ Next: Another Document Targeting Uyghur Mac Users

≪ Previous: CVE-2013-2423 Java Vulnerability Exploit ITW

$

0

0

Fun Fact!

Among the trusted root certificates used by Mac OS X, iOS 5 and iOS 6…




…are two from the United States Department of Defense (DoD).

Interesting, no?

On 24/04/13 At 06:39 PM

Another Document Targeting Uyghur Mac Users

April 25, 2013, 3:44 am

≫ Next: The Fog of Cyber Defence

≪ Previous: Apple's Root Certs Include the DoD

$

0

0

We spotted a new variant of the documents used in the cyber attacks against Uyghur back in February.

This variant was first submitted to VirusTotal on April 11 from China. This time it uses IUHRDF, which may be a reference to International Uyghur Human Rights & Democracy Foundation, instead of Captain as the author:



The payload is still the same besides using different filenames and command and control server.

It uses "alma.apple.cloudns.org" as the command and control server:



It creates the following copy of itself and launch point:

~/Library/Application Support/.realPlayerUpdate
~/library/launchagents/realPlayerUpdate.plist

Or it may create the following instead (when executed with 2parameters):

/Library/Application Support/.realPlayerUpdate
/library/LaunchDaemons/realPlayerUpdate.plist

It remains pretty much the same malware and is generically detected as Backdoor:OSX/CallMe.A since February.

MD5: ee84c5d626bf8450782f24fd7d2f3ae6 - poadasjkdasuodrr.doc
MD5: 544539ea546e88ff462814ba96afef1a - .realPlayerUpdate

On 25/04/13 At 01:39 PM

---

The Fog of Cyber Defence

May 3, 2013, 2:04 am

≫ Next: Facebook is Testing Tags For "What"

≪ Previous: Another Document Targeting Uyghur Mac Users

$

0

0

The Finnish National Defence University has published a 250-page book called The Fog of Cyber Defence. The book discusses cyber warfare, cyber arms race, and cyber defense from a Nordic viewpoint.

The book was written by twenty authors:

Insights into Cyberspace, Cyber Security, and Cyberwar in the Nordic Countries - (Jari Rantapelkonen & Harry Kantola)
Sovereignty in the Cyber Domain - (Topi Tuukkanen)
Cyberspace, the Role of State, and Goal of Digital Finland - (Jari Rantapelkonen & Saara Jantunen)
Exercising Power in Social Media - (Margarita Jaitner)
Victory in Exceptional War: The Estonian Main Narrative of the Cyber Attacks in 2007 - (Kari Alenius)
The Origins and the Future of Cyber Security in the Finnish Defence Forces - (Anssi Kärkkäinen)
Norwegian Cyber Security: How to Build a Resilient Cyber Society in a Small Nation - (Kristin Hemmer Mørkestøl)
Cyber Security in Sweden from the Past to the Future - (Roland Heickerö)
A Rugged Nation - (Simo Huopio)
Contaminated Rather than Classified: CIS Design Principles to Support Cyber Incident Response Collaboration - (Erka Koivunen)
Cyberwar: Another Revolution in Military Affairs? - (Tero Palokangas)
What Can We Say About Cyberwar Based on Cybernetics? - (Sakari Ahvenainen)
The Emperor's Digital Clothes: Cyberwar and the Application of Classical Theories of War - (Jan Hanska)
Theoretical Offensive Cyber Militia Models - (Rain Ottis)
Offensive Cyber Capabilities are Needed Because of Deterrence - (Jarno Limnéll)
Threats Concerning the Usability of Satellite Communications in Cyberwarfare Environment - (Jouko Vankka & Tapio Saarelainen)
The Care and Maintenance of Cyberweapons - (Timo Kiravuo & Mikko Särelä)
The Exploit Marketplace - (Mikko Hyppönen)

The Fog of Cyber Defence can be downloaded as a PDF file from http://urn.fi/URN:ISBN:978-951-25-2431-0

On 30/04/13 At 06:53 AM

Facebook is Testing Tags For "What"

May 3, 2013, 2:04 am

≫ Next: Online Activities Related to Elections in Malaysia

≪ Previous: The Fog of Cyber Defence

$

0

0

Facebook has gradually added different tags to its "Status" updates.

Currently, most users have the ability to tag: who, when and where.



Those options could soon include: what. (Roll out is limited at the moment.)



And not just what you are doing — but what you're feeling.



As long as everybody you're friends with gets the joke…



…you should be safe.



But let's say your boss mistakes "a pan galactic gargle blaster" for a real drink and reprimands you for drinking alcohol on the job.

That could leave you feeling quite annoyed.



How do I share my feelings or what I'm doing in a status update?

Carefully.

---

On 30/04/13 At 12:06 PM

Online Activities Related to Elections in Malaysia

May 3, 2013, 2:04 am

≫ Next: Twitter's Password Fails

≪ Previous: Facebook is Testing Tags For "What"

$

0

0

Malaysia's 2013 general elections are scheduled for Sunday, May 5, 2013. Political news coverage is currently inundating all news outlets, including social networking sites, as the country's political parties go into high gear in the final run-up to polling day.

The huge media interest creates an opportunity for malware writers to gain new victims using established social engineering techniques — and sure enough, this week Citizen Lab released a report indicating that a sample of the sophisticated FinFisher (a.k.a. FinSpy) surveillance malware was discovered in a document crafted specifically for this event.

The malware was distributed in a booby-trapped Malay-language Microsoft Word document named "SENARAI CADANGAN CALON PRU KE-13 MENGIKUT NEGERI.doc" (In English: "List of proposed candidates for 13th General Elections according to states").



The report speculates that the attack document is targeting Malaysians looking for more information related to one of the most closely contested elections in the country's history. F-Secure detects the document in question as Trojan:W32/FinSpy.D.

Finfisher is produced by an European company called the Gamma Group. As we mentioned in a previous post, the company was present at the ISS World 2011 gathering hosted in Kuala Lumpur, Malaysia. The ISS event serves as a trade fair for surveillance software (attendance is by "invitation" or if you are a "telco service provider, government employees or law enforcement officer").



Additionally, there have been reports alleging that multiple news and social media sites, including YouTube, Facebook, and Malaysiakini (a popular Malaysian online news site) have been subjected to various forms of disruption, including defacements, denial of service attacks, and filtering.

F-Secure Labs is observing the situation. We saw a rise in malware detections during April 2013 in Malaysia. However, we don't really know if the increase was due to election-related activity or something else.

On 03/05/13 At 11:57 AM

Twitter's Password Fails

May 10, 2013, 8:01 am

≫ Next: Webinar: Monday, May 13th

≪ Previous: Online Activities Related to Elections in Malaysia

$

0

0

Let's say you want to hack Jack Dorsey's online banking account. Where to start? His username?

Challenging… his online banking username is a secret. But how about his Twitter account?

Oh, that's easy. It's @jack.

That's the problem with "social" usernames — they're meant to be known.



Another problem, Twitter appears to validate e-mail addresses:



Looks like nobody's home at jackd@twitter.com:



Twitter's settings include an option to require "personal" infomation such as an e-mail or phone number:



But that's less than useless if Twitter won't actually let you add your number:



And just how "personal" is a phone number anyway?



Two-factor authentication?

Sure.

But Twitter should first stop validating e-mail addresses.

And then maybe it could add an option to disallow logins via the publicly known username.

Edited to add: On second thought…

How about this?

Twitter should stop validating e-mailing addresses in its password reset form.

And then, discriminate between using e-mail and username. If an account is accessed with the username— don't provide access to the account settings! The e-mail address (alias) could then be used only by account "adminstrators".

Example: regular @AP staff could login with "AP"— no settings for them! They could Tweet, but would be restricted from making changes to the account. But the @AP "admin", some guy in the IT department, that person could login using the "secret" e-mail address and would be able to change account settings (and lockdown the account in case of a breach).

Discriminating between e-mail and username — a way to distinguish between "admins" and "users".

On 07/05/13 At 12:51 PM

Webinar: Monday, May 13th

May 10, 2013, 8:01 am

≫ Next: Webinar: Embedded

≪ Previous: Twitter's Password Fails

$

0

0

It's time to schedule another F-Secure Labs webinar!

We're trying out Google's "Hangouts On Air" this go-around:



Details: F-Secure Labs Threat Report Preview Webinar

Hope to see you there.

On 10/05/13 At 05:43 PM

Webinar: Embedded

May 13, 2013, 3:52 am

≫ Next: Download: Mobile Threat Report Q1 2013

≪ Previous: Webinar: Monday, May 13th

$

0

0

F-Secure Labs Webinar: Mobile Threat Report Q1 2013

On 13/05/13 At 01:51 PM

Download: Mobile Threat Report Q1 2013

May 16, 2013, 4:21 am

≫ Next: Mac Spyware Found at Oslo Freedom Forum

≪ Previous: Webinar: Embedded

$

0

0

Our Mobile Threat Report Q1 2013 is now publicly available.



All of our past reports are also available in the "Labs" section of f-secure.com.

On 15/05/13 At 12:45 PM

---

Mac Spyware Found at Oslo Freedom Forum

May 16, 2013, 4:21 am

≫ Next: LulzSec sentencing in UK

≪ Previous: Download: Mobile Threat Report Q1 2013

$

0

0

The Oslo Freedom Forum is an annual event "exploring how best to challenge authoritarianism and promote free and open societies." This year's conference (which took place May 13-15) had a workshop for freedom of speech activists on how to secure their devices against government monitoring. During the workshop, Jacob Appelbaum actually discovered a new and previously unknown backdoor on an African activist's Mac.

Our Mac analyst (Brod) is currently investigating the sample.

It's signed with an Apple Developer ID.



The launch point:



It dumps screenshots into a folder called MacApp:



Functions:



There are two C&C servers related to this sample:


securitytable.org


docsforum.info

One C&C doesn't currently resolve, and the other:


Forbidden

Our detection is called: Backdoor: OSX/KitM.A. (SHA1: 4395a2da164e09721700815ea3f816cddb9d676e)

On 16/05/13 At 12:29 PM

LulzSec sentencing in UK

May 16, 2013, 4:21 am

≫ Next: BBC News: LulzSec Hacker Interview

≪ Previous: Mac Spyware Found at Oslo Freedom Forum

$

0

0

LulzSec - the rockband of hacker groups - had three of their six members sentenced today in London.

LulzSec made headlines during their "50 days of Lulz" in May-June 2011, during which they attacked Fox, PBS, Sony, Nintendo, Sega, Minecraft, Infragard, NHS, US Senate, SOCA and CIA. They also recorded and published a conference call between US and European law enforcement officials, discussing police tactics against LulzSec.

LulzSec was different from most other attackers, as they weren't doing their attacks to make money or to protest. They did it for Teh Lulz. Also, they had no sense of self-preservation, which led to taking them down.

LulzSec had 6 core members:

• Topiary aka Jake Davis (@aTopiary), UK
  
• T-Flow aka Mustafa Al-Bassam (@let_it_tflow), UK
  
• Kayla aka Ryan Ackroyd (@lolspoon), UK
  
• Sabu aka Hector Monsegur (@anonymouSabu), United States
  
• Pwnsauce aka Darren Martyn (*_pwnsauce) Ireland
  
• AVunit (@AvunitAnon), identity unknown

The first three were sentenced today.

• Jake Davis got a 24 month sentence. He will serve 12 months in a young offenders institute
  
• Mustafa Al-Bassam got a 20 month sentence, suspended for two years and 300 hours of community work.
  
• Ryan Ackroyd got a 30 month sentence. He will serve 15 months.

A botnet master associated with Lulzsec was sentenced at the same time: Ryan Cleary (aka Viral). He got a 32 month sentence. He will serve 16 months.

Sabu was arrested in June 2011. He pleaded guilty and has been working with FBI since. He's yet to be sentenced.

Darren Martyn was indicted in March 2012. He's yet to be sentenced.

So, five of the LulzSec six has been caught. The remaining mystery is the 6th member: Avunit.

Who was Avunit? How come none of the other members have given him up?

We have no idea who Avunit is. We have no identity. We don't even know which continent he is from.

PS. Obligatory nyan.cat.

---

On 16/05/13 At 01:32 PM

BBC News: LulzSec Hacker Interview

May 17, 2013, 2:56 am

≫ Next: Big Hangover

≪ Previous: LulzSec sentencing in UK

$

0

0

BBC News has a 13 minute report that's worth a view.



LulzSec hacker: 'Internet is a world devoid of empathy'

On 17/05/13 At 12:54 PM

Big Hangover

May 24, 2013, 4:37 am

≫ Next: Mac Spyware: OSX/KitM (Kumar in the Mac)

≪ Previous: BBC News: LulzSec Hacker Interview

$

0

0

The Mac spyware discovered at the Oslo Freedom Forum last week is apparently connected to larger espionage efforts — and those efforts look to be connected to India.

Yesterday, the folks from Norman released their Hangover Report.

HANGOVER REPORT (tot.114pg): Indian APT group hacked Telenor, others; related to the MacOS trojans found at OFF blogs.norman.com/2013/security-…

— Snorre Fagerland (@SnorreFagerland) May 20, 2013

Snorre Fagerland has confirmed a connection to the C&Cs used by Backdoor:OSX/KitM.A.

Also related, from the folks at ESET: Targeted information stealing attacks in South Asia use email, signed binaries

Apple has reportedly revoked the Developer ID used by KitM.A.

On 21/05/13 At 01:35 PM

Mac Spyware: OSX/KitM (Kumar in the Mac)

May 24, 2013, 4:37 am

≫ Next: Mac Spyware Bait: Lebenslauf für Praktitkum

≪ Previous: Big Hangover

$

0

0

There's another case of Backdoor:OSX/KitM.A in the wild.

A German-based investigator reached out to us yesterday regarding OSX/KitM. (We wrote about it last week.) KitM stands for "Kumar in the Mac", which is our designation for spyware — related to OSX/Filesteal a.k.a. OSX/HackBack — that is signed using an Apple Developer ID in the name of Rajinder Kumar. The Developer ID has since been revoked by Apple.

This latest version of OSX/KitM used a Romanian C&C server called liveapple.eu during the period of attack, December 2012 to early February 2013. The spear phishing used an attachment called Christmas_Card.app.zip. (Remember, the attack started in December.)

So, that brings us to this bit of advice for those of you who might be targets.

This is the default "Gatekeeper" security setting:


Mac App Store and identified developers

This is the setting that you want, unless you're actively installing software:


Mac App Store

This is the prompt that results when OSX/KitM attempts to install with the stricter setting:



If you're running OS X Mountain Lion or Lion v10.7.5 — adjust your settings as an extra layer of precaution.

SHA1: 290898b23a85bcd7747589d6f072a844e11eec65

On 22/05/13 At 12:45 PM