Channel: F-Secure Antivirus Research Weblog

Mac Spyware Bait: Lebenslauf für Praktitkum

As a follow-up to yesterday's Kumar in the Mac post… have you received e-mail attachments such as these?

Lebenslauf für Praktitkum

Attachments:

  •  Christmas_Card.app.zip
  •  Content_for_Article.app.zip
  •  Content_of_article_for_[NAME REMOVED].app.zip
  •  Interview_Venue_and_Questions.zip
  •  Lebenslauf_für_Praktitkum.zip (Translates as: CV for Internship.)

If so, you may be the target of a spear phishing campaign designed to install spyware on your Mac.

Here's a list of binaries signed by Apple Developer "Rajinder Kumar".

Detected as Trojan-Spy:OSX/HackBack.B:


Detected as Backdoor:OSX/KitM.A (includes screenshot feature):

  •  4395a2da164e09721700815ea3f816cddb9d676e

Though the spear phishing payloads are not particularly "sophisticated", the campaign's use of German localization and the target's name (removed in the example above) does indicate the attackers have done some homework.

Be vigilant.

More information:
Mac Spyware Found at Oslo Freedom Forum
Big Hangover

On 23/05/13 At 10:12 AM


Twitter's 2FA: SMS Double-Duty

Twitter introduced multi-factor login verification on Wednesday. Good news? Well… that depends.

Twitter's initial implementation of two-factor authentication (2FA) relies on SMS.

But… Twitter also uses SMS as a way to send and receive Tweets (making use of SMS for double-duty: social and security). It's possible to "STOP" incoming Tweets via SMS, and that makes sense, because people sometimes end up roaming unexpectedly — and there needs to be a way to stop the SMS feature. Otherwise it could generate a costly bill.

Unfortunately, an attacker could use SMS spoofing to disable 2FA if he knows the target's phone number.

Twitter's SMS 2FA

We've done some testing.

The STOP command removes the phone number from the account — and that in turn disables Twitter's 2FA.

Not great.

But there's an even worse possibility at the moment.

If you don't yet have 2FA enabled, an attacker who gains access to your account via spear phishing could enable it for himself!

All that's required is a random phone number and an SMS spoofing the word "GO".

Twitter's SMS 2FA

Then the attacker can enable the account's 2FA.

Twitter's SMS 2FA

Then send a message. (The message doesn't contain a confirmation code, so it isn't really needed.)

Twitter's SMS 2FA

And then click "Yes".

Twitter's SMS 2FA

That's it.

No confirmation code is needed to add a number. (Confirmation is required to change the account's associated e-mail address.)

This is what the victim will see — even if they reset the account's password.

Twitter's SMS 2FA

The victim will be locked out, and cannot recover the account without Twitter's support.

So… perhaps you should enable your account's 2FA — before somebody else does it for you.

Fortunately, the majority of Twitter users aren't big targets. Unfortunately, accounts such as @AP are. And Twitter's SMS-based 2FA could be more harm than help when the use case is a dedicated attacker.

Twitter's blog post says "this feature has cleared the way for us to deliver more account security enhancements in the future."

Let's hope so.

On 24/05/13 At 12:40 PM

The Future: No Hiding Place

This week's issue of The Economist has a very interesting article.

No hiding place: A plan to assess people's personal characteristics from their Twitter-streams

No hiding place

Researchers at IBM's Almaden Research Centre in San Jose, California think they can determine a person's presumptive personality from just 50 Tweets:

"In a test of the new system, Dr Haber analysed three months' worth of data from 90m users of Twitter.
His software was able to parse someone's presumptive personality reasonably well from just 50 tweets,
and very well indeed from 200."

So… marketers will finally be able to determine truly effective ways to target consumers?

We should be so lucky if it were just marketers.

Here's another Economist article from April.

How might your choice of browser affect your job prospects?

How might your choice of browser affect your job prospects

According to "Big Data" — you'll be a better employee if you use a non-default web browser.

One shudders to imagine how HR recruiters will use people's presumptive personalities.

(Targeted ads will be the least of our worries.)

It's enough to make you want to cut your tail off: Delete Your Oldest Tweets Using Twitter Archive Eraser

On 29/05/13 At 12:42 PM

F-Secure Globe

A visualization project using some of our customer upstream data: F-Secure Globe

F-Secure Globe

By Liew Swee Meng — based on The WebGL Globe

On 30/05/13 At 12:40 PM

Coursera Offers Malware MOOC

"A massive open online course is an online course aimed at large-scale interactive participation and open access via the web." And here's a MOOC we think you'll be interested in…

Coursera is offering a class called: Malicious Software and its Underground Economy

Coursera, Malicious Software and its Underground Economy: Two Sides to Every Story

According to instructor Lorenzo Cavallaro:

"Students will learn how traditional and mobile malware work, how they are analyzed and detected, peering through the underground ecosystem that drives this profitable but illegal business."

Sounds intriguing.

On 03/06/13 At 12:35 PM

Our Mac Team Wants Beta Users

This is Rasmus.

twitter.com/pajp

According to his Twitter bio: he's a long-haired over-intoxicated geek from Sweden living in Finland, who likes shiny unixy things.

He's a senior software engineer/developer on our Mac Protection team (and a generally good guy).

If you're also a geek — Rasmus thinks it would be "neat" (that's a quote) if you'd give our "Safe Anywhere Mac Technology Preview" a try. The team is developing a new feature that they want to roll out in a few weeks time. So… if you have the skills to run beta software, Rasmus (and team) would really appreciate the feedback.

Cheers!

On 04/06/13 At 12:55 PM

Not the Mobile Antivirus You Were Looking For

While browsing Malaysiakini (a popular Malaysian website) on an Android phone, one of our analysts spotted this advertisement:

mkini_scam_ad

Clicking on the ad led to an external site displaying the following:

mkini_scam_ad_download_screen

This looks reminiscent of the kind of text we've seen for years on web pages pushing rogues for Windows systems (and sometimes Mac).

Clicking on the "Download and Scan Now" button leads to an image, which looks like an antivirus app:

mkini_scam_ad_download_screen_2

Clicking on the image brings you to a page that asks for your phone number and displays some interesting text:

mkini_scam_ad_number_submission

"This is an ongoing subscription service until you quit. You will receive 4 sms per week and chargeable at RM4 per message. Only [REMOVED] user will receives max 3 sms per week and chargeable at RM4 per message. Data charges are billed separately by mobile operators."

So, it's an SMS subscription service. Provide a phone number, and the user gets an SMS message with registration instructions for the service.

Once registered, another SMS is sent providing a download link. When we tried the link, the only thing we got was a message saying "Sorry, you have exceeded the allowed download limit." The site's index page claims to be "under construction."

Fortunately, the SMS with the registration instructions also included instructions for stopping the service.

We normally recommend users read the permissions requested when downloading a mobile app. In this case, reading the text before downloading would also be prudent. This was probably not the service a user was looking for when they clicked on the ad.

Our Browsing Protection feature currently rates the site hosting the supposed APK download as Suspicious.

Updated to add:

Like Windows-based Rogueware, this "Android Antivirus" scam recognizes other operating systems — but fails to fine tune the bait.

iOS:

mkini_scam_iPod

Windows Phone:

mkini_scam_lumia620

On 06/06/13 At 07:03 AM

Bad Bad Piggies On Google Play

One of these things is not like the others.

Bad Bad Piggies

No, not the "Full Guide" — we're referring to the "Bad Pigs" by Dan Stokes.

The app's description:

Bad Bad Piggies

Wow. More than 10,000 installs since May 25, 2013.

AppBrain, an Android app portal, doesn't correct for relevance, so "Bad Pigs" ranks first.

Bad Bad Piggies

Dan's contact address is: hgfdhsdgjhd@gmail.com.

That's fishy.

Bad Bad Piggies

AppBrain has a very nice feature which lists "Concerns" as well as permissions required.

Bad Bad Piggies

Boy, that's a long list of extra permissions. These particular piggies aren't just bad — they're evil.

Dan Stokes has a few other apps as well.

Bad Bad Piggies

"Fruit Chop Ninja" also has more than 10,000 installs.

And here's an interesting note: the app ID, and therefore the URL, includes the word "Rovio".

Bad Bad Piggies

Our Mobile Security product detects and blocks this as Android/FakeInst.CI.

We've reported the issue to Google (and Rovio) and the apps are no longer indexed by Google's search.

Stay safe out there.

On 12/06/13 At 03:11 PM


Fake Antivirus Scan Scam Via Google Play App Ads

Yesterday, we wrote about some very bad piggies: pirated Rovio software being used to push unwanted ads at Google Play users.

What kind of ads?

Here's an example from an ad-network we've been tracking since we came across it back in March.

Yesterday, the ad-network directed Finnish IP addresses to an ad for a poker game app.

But today, the ad redirects to a fake "antivirus" scam:

Android virus-a.akeji.d

The scam's Finnish localization sucks…

…at least until you scroll down to the legal disclaimer at the bottom which claims it's all for "entertainment" purposes.

Android virus-a.akeji.d

Just enter your phone number for the service and…

Ouch!

Fifteen euro a week? Do not want.

Stay Safe Out There

On 13/06/13 At 12:39 PM

Rogue Headlines in Google News

A spam campaign is currently abusing Google News.

Search Engine Optimization (SEO) black hats are injecting "jailbreak" headlines into an iOS thread.

Google News

Here's a view of the full coverage:

Google News, Full coverage

The so-called "news" links readers to schemes offering iPhone jailbreaks.

Unlock iPhone spam

Here's an iPhone view:

Google News SEO

Google News SEO

The good news: it appears that current SEO abuse is limited to spammers.

The bad news: where spammers go — exploit kits are surely soon to follow.

Let's hope Google's search engineers plug this hole quickly.

On 17/06/13 At 09:12 AM

Post-PC Attack Site: Only Interested in Smartphones/Tablets

We've discovered a server that only attacks and/or spams smartphones and tablets — and not PCs.

A Swedish-based colleague of ours, Johan, was recently using his (Android) phone to search for boat trips in the Galapagos Islands. He found a site called Vagabond. And on Vagabond he found an entry with a link to: galacruises.com.

From a Windows-based browser, the link redirects to a site called islasgalapagos.travel.

But the results are much different if a mobile device is used…



Mobile browsers are redirected to a .info domain which in turn redirects yet again.

Sometimes it redirects to a popular game on Google Play:



But much of the time, it's NSFW sites (here seen from a Windows Phone):



And sometimes… malware! (As was the case for Johan.)



Here you can see that the malicious .APK file was blocked by one of our "online" detections.



Specific "disk" detection identifies the threat as a variant of FakeInstaller: Trojan:Android/FakeInst.AV.

Our Mobile Security Safe Browser blocks the offending website:



Note: visiting the .info site without the attack's parameter will result in a redirection to google.com.

A site with an index page that redirects to google.com? Always a clue something's afoot.

Be Safe Out There.

On 19/06/13 At 12:50 PM

Do you cover up your webcam?

(Web)camjacking is in the news.

This morning from BBC News: Webcams taken over by hackers, charity warns

As part of the report, BBC Radio 5 live interviewed a Finnish hacker who supposedly sells "female bots".

bbc_uk-22967622
Related audio

And last Friday from Forbes: Two-Year-Old Flash Bug Still Allows Webcam Spying On Chrome Users

You should update to the latest version of Chrome or else you'll be vulnerable to a bug that allows camjacking via Flash.

Researcher Egor Homakov's proof of concept: Click and say Cheese

homakov_github_io

Your software should always be up to date — but perhaps the best advice is to cover up your cam!

Sydney Morning Herald: Taping over prying eyes of web spies

camjacking_postit

This is how Mikko does it:

mikko_webcam

On 20/06/13 At 01:01 PM

The Geography of Malware

Yesterday, Google announced on its Online Security Blog that it will now include Safe Browsing statistics in its Transparency Report.

The Safe Browsing Malware Dashboard is fascinating.

Here's last week's Malware Distribution by Autonomous System, using just the "Attack Sites" filter:



The location of the attack sites by AS?

  •  USA
  •  Russia
  •  Ukraine

Hmm, the USA (San Diego) is at the top.

And now let's look at one year's time range:



And the locations?

  •  Transnistria
  •  Romania
  •  Latvia

Specialist Ltd in Transnistria?

A search for that yields a result from Dynamoo's Blog:



"Transnistria, a breakaway part of the former Soviet Republic of Moldavia. No UN members recognise Transnistria, and effectively it sits beyond the reach of international law enforcement."

There's always something new to learn regarding the geography of malware…

A picture gallery from Telegraph.co.uk: Welcome to Transnistria: a Soviet breakaway territory in Eastern Europe

On 26/06/13 At 01:19 PM

Bitcoin to Mikko's 50,000th Twitter Follower

I started on Twitter in March 2009.

Twitter archive of @mikko from 2009 to 2013

I never would have thought this would happen, but I've gained a remarkable number of followers since. Thank you. In fact, with almost 50,000 followers, I'm actually one of the most followed Finns on Twitter.

Follower count from 0 to 50,000

So I want to give something back.

My 50,000th follower will get a physical Bitcoin coin worth 1 BTC, made by Casascius.

Casascius 1 Bitcoin coin

But rewarding my latest follower and ignoring all the rest wouldn't be fair. So, I'll give another 1 BTC coin to a random follower.

The winners will also get a copy of Thomas Rid's new book Cyber War Will Not Take Place.

Cyber War Will Not Take Place by Thomas Rid

Rules and conditions: I select who wins. No complaints. Winners get the coins and books via mail.

Thanks,
Mikko

On 27/06/13 At 12:24 PM

Android Hack-Tool Steals PC Info

Over the weekend, Yeh, one of our Security Response Analysts, came across some interesting analysis on a Chinese language forum about an Android app that basically turns a mobile device into a hack-tool capable of stealing information from a connected Windows machine.

He managed to find a sample (MD5:283d16309a5a35a13f8fa4c5e1ae01b1) for further investigation. When executed, the sample (detected as Hack-Tool:Android/UsbCleaver.A) installs an app named USBCleaver on the device:

Android Hack-tool, USBCleaver

When the app is launched, it directs the user to download a ZIP file from a remote server:

USBCleaver, Download Payloads

It then unzips the downloaded file into the /mnt/sdcard/usbcleaver/system folder.

The files saved are essentially utilities used to retrieve specific pieces of information when the device is connected via USB to a Windows machine. Note: we detect most of the files with older detections.

The following details are grabbed from the connected PC:

  •   Browser passwords (Firefox, Chrome and IE)
  •   The PC's Wi-Fi password
  •   The PC's network information

The app gives the user the option of choosing what information they want to retrieve:

USBCleaver

USBCleaver

USBCleaver

To run the utilities, the sample creates an autorun.inf and go.bat file at /mnt/sdcard. When the device is connected to a Windows computer, the autorun script gets triggered, which then silently runs the go.bat file in the background, which in turn runs the specified files from the usbcleaver/system folder.

The collected details are stored on the device at /mnt/sdcard/usbcleaver/logs. The app's user can click on the "Log Files" button to view the information retrieved from the PC:

USBCleaver

This isn't the first Android trojan reported this year with PC-infecting capabilities, since that "distinction" belongs to the trojan-spy apps family we detect as Sscul (listed in our Q1 2013 Mobile Threat Report).

Unlike the Sscul malware however, which is more focused on remote eavesdropping, USBCleaver seems to be designed to facilitate a targeted attack by gathering details that would be helpful in a later infiltration attempt.

Fortunately, USBCleaver's Windows-infecting routine can be blocked by a simple measure that's been standard security advice for the last couple of years: disabling Autorun (this is already the default on Windows 7 machines). An additional mitigating factor is that most older Windows systems need to have mobile drivers manually installed in order for this attack to work.
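As an added example (not F-Secure's code, and not any file from the tool itself), the Python below parses an autorun.inf of the kind the post describes and flags entries that launch a script, and it decodes the Windows NoDriveTypeAutoRun policy value to tell whether Autorun is switched off for removable drives. The autorun.inf text is a constructed sample modelled on the post's description; the function and constant names are my own.

```python
"""Flag a USBCleaver-style autorun.inf and check the Windows Autorun policy.

Added example (not F-Secure's code and not the tool's own files). The
autorun.inf text is a constructed sample that mirrors the post: an
[autorun] section whose open= entry silently runs go.bat."""
import configparser

# Constructed sample of what the drive root described in the post might
# present to Windows. No real USBCleaver file content is reproduced here.
SAMPLE_AUTORUN_INF = """[autorun]
open=go.bat
shellexecute=go.bat
action=Open folder to view files
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Keys in [autorun] that make Windows run something when Autorun fires.
EXEC_KEYS = ("open", "shellexecute")
# A data drive has no business launching scripts or executables.
RISKY_EXTENSIONS = (".bat", ".cmd", ".vbs", ".js", ".exe", ".scr", ".com")

# NoDriveTypeAutoRun (DWORD under HKLM and HKCU ...\Policies\Explorer):
# bit n disables Autorun for GetDriveType() value n. 0xFF disables it for
# every drive type, which is the value Microsoft's Autorun guidance recommends.
DRIVE_REMOVABLE = 1 << 2   # USB sticks, and phones in mass-storage mode
DRIVE_FIXED = 1 << 3
DRIVE_CDROM = 1 << 5


def parse_autorun_inf(text):
    """Return the [autorun] section as a dict of lower-cased keys, or {}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.MissingSectionHeaderError:
        return {}
    if not parser.has_section("autorun"):
        return {}
    return dict(parser.items("autorun"))


def autorun_findings(text):
    """List the reasons an autorun.inf looks like an attack tool's, if any."""
    entries = parse_autorun_inf(text)
    findings = []
    for key in EXEC_KEYS:
        target = entries.get(key, "").strip().strip('"').lower()
        if target.endswith(RISKY_EXTENSIONS):
            findings.append(f"{key}= launches {target}")
    action = entries.get("action", "").lower()
    if findings and "open folder" in action:
        # The disguise: the AutoPlay prompt reads like the normal Explorer
        # verb while the selected entry actually runs the batch file.
        findings.append("action= mimics the Explorer 'Open folder' verb")
    return findings


def autorun_disabled_for(policy_value, drive_type_bit=DRIVE_REMOVABLE):
    """True when NoDriveTypeAutoRun has the bit for that drive type set."""
    return bool(policy_value & drive_type_bit)


if __name__ == "__main__":
    for line in autorun_findings(SAMPLE_AUTORUN_INF):
        print("autorun.inf:", line)
    print("Autorun off for removable drives at 0xFF:", autorun_disabled_for(0xFF))
```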

—————

Analysis by — Yeh

On 01/07/13 At 07:07 AM


Redux: Metadata Matters

The term "metadata" is nothing new to us. One year ago, we linked to the story of German Green party politician Malte Spitz.

Given current events, a refresher on just what metadata is seems useful. From our June 29, 2012 post:

"A 2008 German law required all telecommunications providers with more than 10,000 customers to retain six months worth of data on all calls, messages and connections. Germany's Constitutional Court ruled the law unconstitutional in 2010.

Spitz acquired (meta)data from his telecom provider covering a period from August 2009 to February 2010. Zeit Online has made the raw data available via Google Docs. To demonstrate just how much of a personal profile can be crafted, Zeit Online augmented the data with publicly available information such as Spitz's tweets and blog entries."

(Meta)data or metadata… it's all data.

Anyway, the result is an incredibly cool, very revealing, interactive map:

Vorratsdatenspeicherung
Source: http://www.zeit.de/datenschutz/malte-spitz-data-retention

Now you can hear Spitz himself…

PRI's The World interviewed Spitz yesterday on its July 2nd broadcast.



Also of interest, from Geoffrey Nunberg: Calling It "Metadata" Doesn't Make Surveillance Less Intrusive

On 03/07/13 At 10:53 AM

Who won the free Bitcoins?

As mentioned a week ago, I was running a competition where I would give a physical Bitcoin coin to my 50,000th follower on Twitter.

Well, it happened last night. My 50,000th follower was an account called WantBTC.

WantBTC

WantBTC is actually a bot, run by Eric Bauersachs.

e4ch

Eric was running a script with 16 Twitter bots competing for the 50,000th follower slot. Hard work paid off, and he won!

wantbtc_bot

Eric will be getting the Bitcoin and a copy of Thomas Rid's upcoming book Cyber War Will Not Take Place. Congratulations!

However, I also promised a Bitcoin and the book to a random follower of mine. Which one got it? Did you get it? You'll have to watch the video to find out.



Thanks all!
@Mikko

On 04/07/13 At 08:07 PM

Signed Mac Malware Using Right-to-Left Override Trick

Right-to-left override (RLO) is a special character in a bidirectional text encoding system that marks the start of text to be displayed from right to left. It is commonly used by Windows malware such as Bredolab and the high-profile Mahdi trojan from last year to hide the real extension of executable files. Check out this Krebs on Security post for more details on the trick.

We've spotted malware for Mac using the RLO trick. It was submitted to VirusTotal last Friday.

RLO character

The objective here is not as convoluted as the one described in Krebs's post. Here it's simply to hide the real extension. The malware could have just used "Recent New.pdf.app"; however, OS X already accounts for this and displays the real extension as a precaution.
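The disguise described above can be checked for mechanically. As an added example (not F-Secure's code and not the malware's), the Python below reports any Unicode bidi control characters in a filename, approximates how a GUI would render it, and compares the displayed extension with the one the OS actually acts on. The sample filename is constructed to mirror the post's "Recent New.pdf" disguise; the function names are my own.

```python
"""Spot filenames that use bidirectional control characters (such as the
right-to-left override, U+202E) to disguise their real extension.

Added example, not F-Secure's or Janicab's code. SAMPLE_NAME is constructed:
it renders as "Recent Newppa.pdf" while its real extension is ".app"."""
import os
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING, ends an override
# Unicode bidi controls; any of them in a filename deserves a second look.
BIDI_CONTROLS = {"\u200e", "\u200f", "\u202a", "\u202b", "\u202c", "\u202d",
                 "\u202e", "\u2066", "\u2067", "\u2068", "\u2069"}

# Constructed in the spirit of the post: the bytes say ".app", the eye sees ".pdf".
SAMPLE_NAME = "Recent New" + RLO + "fdp.app"


def rendered_name(name):
    """Approximate the visual form: characters after an RLO are drawn
    reversed until a PDF or the end of the string (full bidi resolution is
    more involved, but an override forces exactly this for plain ASCII)."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    overridden, _, rest = tail.partition(PDF)
    return head + overridden[::-1] + rest


def real_extension(name):
    """The extension the OS acts on, taken from the raw string."""
    return os.path.splitext(name)[1].lower()


def strip_bidi_controls(name):
    """Safe form of the name for logs and alerts."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def analyse_filename(name):
    """Describe whether a filename's displayed extension matches its real one."""
    shown = rendered_name(name)
    controls = sorted({unicodedata.name(c) for c in name if c in BIDI_CONTROLS})
    return {
        "bidi_controls": controls,
        "displayed_as": shown,
        "displayed_extension": real_extension(shown),
        "real_extension": real_extension(name),
        "suspicious": bool(controls) and real_extension(shown) != real_extension(name),
    }


if __name__ == "__main__":
    print(strip_bidi_controls(SAMPLE_NAME), "->", analyse_filename(SAMPLE_NAME))
```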

RLO trick in Finder
RLO trick in Terminal

The malware is written in Python and it uses py2app for distribution. Just like Hackback, it's signed with an Apple Developer ID.

Apple Developer ID

However, because of the RLO character, the usual file quarantine notification from OS X reads backwards, just as in the Krebs case.

OS X file quarantine notification

The malware drops and opens a decoy document on execution.

Decoy document

Then it creates a cron job for its launch point and a hidden folder in the home directory of the infected user to store its components.

Launch point and drop files

The malware connects to the following pages to obtain the address of its command and control server:

  •  http://www.youtube.com/watch?v=DZZ3tTTBiTs
  •  http://www.youtube.com/watch?v=ky4M9kxUM7Y
  •  http://hjdullink.nl/images/re.php

It parses those pages for the address in the string "just something i made up for fun, check out my website at (address) bye bye".

The YouTube page looks like this:

YouTube page

Doing a Google search for the string reveals that there are other sites being abused besides those mentioned above.

Google search

The malware then continuously takes screenshots and records audio (using third-party software called SoX) and uploads them to the command and control server. It also continuously polls the command and control server for commands to execute.

The malware is detected by F-Secure as Backdoor:Python/Janicab.A.

Updated to add:

Here are the stats from one of the YouTube videos being used as a C&C locator:

Python_Janicab_YouTube_stats

Python_Janicab_YouTube_stats_daily

The videos predate the Janicab.A binary by at least a month. Based on the stats, it seems likely there are earlier variants in the wild.

On 15/07/13 At 10:48 AM

On "FBI" "Ransomware" and Macs

On Monday, Malwarebytes researcher Jerome Segura posted a nice write-up (and video) about FBI themed ransom scams targeting users of Apple Mac OS X.

The basics are as such:

  •  Segura discovered the scam via a Bing Images search for Taylor Swift.
  •  A compromised site hosting the image linked to a webpage mimicking police ransomware.
  •  Only it isn't really "ware" in the normal sense of a ransomware trojan.
  •  The scam uses clever persistent JavaScript in its attempt to trick people into paying a supposed fine.

And now we'd like to contribute some additional notes.

Located in Canada, Segura was directed to an FBI themed webpage. This is probably due to his North American IP address, or else he was using a US-based proxy.

In Europe, the result is Europol themed:

Europol_Ransom_Scam_Mac

And the scam uses a Europol-themed URL:

Europol_Ransom_Scam_Mac_Locked

Also, such scams are not just targeting Macs, as this comment from The Safe Mac explains.

TheSafeMac_FBI_Ransomware

Crimeware kits are always targeting everything all the time. Windows, Macs, every OS.

But most of the time… there isn't a good exploit vector with which to target Macs with malware, so they are redirected to something "spammy" instead. For example, now that the ransom scam has been exposed, this is what the FBI and Europol URLs are currently redirecting to:

Find Your Adult Friend

Find Your Adult Friend: a site which uses scraped images. (Avoid.)

On 17/07/13 At 03:34 PM

Surveillance Will Soon Be the Lesser of Your Worries

The debate continues regarding the U.S. Government's domestic surveillance programs — which U.S. privacy advocates argue are a violation of Fourth Amendment constitutional protections.

Meanwhile in Europe:

Several E.U. countries such as France, Belgium and the U.K. already have laws that compel individuals or companies to decrypt data requested by law enforcement authorities for investigations.

Laws to force suspects to decrypt their data?

However, introducing a law that forces suspects to decrypt information could violate Article 6 of the ECHR, which states that a person doesn’t have to incriminate oneself
(Dutch judges: Decryption orders could violate human rights)

The law could be a violation of Article 6 of the ECHR. As in Article 6 of the European Convention on Human Rights, which, like the Fifth Amendment of the U.S. Constitution, protects individuals from being forced to incriminate themselves.

Refuse to provide your password?

Go to jail.

The issue needs more debate.

But what happens when you can't refuse? After all, science is getting better at understanding kinesic information leakage (video).

And technology is rapidly attempting to automate what science has learned…

Wired.com: Deception Is Futile When Big Brother’s Lie Detector Turns Its Eyes on You

In the not too distant future — even your own mind won't be able to protect secrets.

Wanted: a new kind of firewall.

On 18/07/13 At 04:05 PM
