Android malware steals info from one million phone owners
August 1, 2010 by admin
Filed under Security News
Updated: A developer of Android apps has been accused of using their apps to steal information from more than one million smartphone users.
John Hering and Kevin Mahaffey, of mobile security firm Lookout, told the Black Hat security conference in Las Vegas that they discovered that a wallpaper app developed by Jackeey Wallpaper (who have created over 70 different applications for the Google Android mobile operating system) secretly transmitted affected phones’ numbers, subscriber identifiers, and voicemail numbers to a server in Shenzhen, China.
Over a million people are believed to have downloaded the app – which Sophos has not yet seen – from the Android Market (Google’s equivalent to the Apple iPhone AppStore).
This isn’t the first time that the Android smartphone operating system has apparently been targeted by malware, of course.
One of the challenges that owners of smartphones running the Android operating system face is that it is not as closely monitored as Apple’s equivalent, and adopts a more relaxed philosophy as to what apps can be published.
Although Apple has received much criticism for the way it controls the iPhone environment, it’s clear that the only malware attacks we’ve seen to date on that platform (such as Duh and the infamous rickrolling Ikee worms) have affected users who have chosen to jailbreak their iPhones and escape the relative safety of the AppStore.
Yes, malware has previously emerged for jailbroken iPhones, but the malicious applications have not made it onto users’ devices via Apple’s highly guarded AppStore.
It remains to be seen how many users will treat security as a factor when choosing between the rival mobile operating systems.
Update: Some media reports suggested incorrectly that voicemail passwords were accessed by the wallpaper app, and it’s important to make clear that this is not true.
Shortcut zero-day attack code goes public
July 20, 2010 by admin
Filed under Security News
If you’ve been following Chet Wisniewski’s blog over the last few days you will already know about the serious zero-day vulnerability that has been found in versions of Windows.
Since confirmed by Microsoft, a vulnerability exists in versions of Windows which allows a maliciously crafted Windows shortcut file (.lnk) to run a malicious DLL file simply by being viewed on a USB stick.
Furthermore, the attack can be initiated automatically by viewing an affected USB storage device in Windows Explorer, even when AutoRun and AutoPlay are disabled. The Microsoft Security Response Center (MSRC) says that the security hole can also be remotely exploited via WebDAV and network shares.
You can watch the following YouTube video where Chet shows the attack in action:
In this case, the DLL executed carries a rootkit – helping hide the infection from prying eyes.
What is of particular concern, of course, is that other malicious hackers might try to exploit the vulnerability – as it would certainly be a useful tool in any malware’s arsenal. The chances of that occurring have increased over the weekend, as a hacker called Ivanlef0u published proof-of-concept code on the internet.
In the past we’ve seen worms (Conficker is perhaps the most famous example) spread successfully via USB devices, which prompted many firms to disable AutoPlay.
There is a real risk that more malware will take advantage of the zero-day exploit now the code is “out there”, taking things to a whole new level.
So far, Microsoft has not made a patch available for the problem and has given no timeline as to when a proper fix will be available. However, I’m sure they are feverishly working on a security update for this critical vulnerability.
Sophos detects the malware we’ve seen so far using the exploit as W32/Stuxnet-B and Troj/Cplink-A.
Contract_05_07_2010.zip – all you’ll contract is a malware infection
July 8, 2010 by admin
Filed under Security News
SophosLabs is seeing another widespread malicious spam attack being sent to email addresses around the world. The emails, which have a malware-infected attachment called Contract_05_07_2010.zip, pretend to be a legal contract – however, opening the contents of the file could infect your Windows computer.

A typical email reads:
Subject: Permit for retirement
Message body:
Good day,
We have prepared a contract and added the paragraphs that you wanted to see in it.
Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment.
We are enclosing the file with the prepared contract.
If necessary, we can send it by fax.
Looking forward to your decision.
<name>
Attached file: Contract_05_07_2010.zip
Beware ‘Your log 05.07.2010′ emails – they carry malware
July 8, 2010 by admin
Filed under Security News
Malicious hackers are spamming out emails around the world disguised as a changelog, with the intention of infecting recipients’ Windows computers via the attachment.

A typical email reads as follows, although there can be minor variations in the message body:
Subject: Your log 05.07.2010
Message body:
Dear Customers,
as promised your changelog is attached,
<name>
Attached file: Changelog_05_07_2010.zip
The emails, by the way, are always signed off with the first name of the person who is mentioned in the message’s From: field. That field is, of course, forged – it’s not really that person who sent you the email, so don’t blame them if you get infected!
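As an added illustration (not part of either post above), the following Python triage function flags messages carrying the traits described in both the "Contract_05_07_2010.zip" and "Your log 05.07.2010" campaigns: the dated zip attachment name, the quoted subject lines, and the sign-off that repeats the first name from the forged From: header. The two sample messages are constructed here for offline testing and are not real captures.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Filenames and subjects quoted in the two posts; the embedded date changes per run.
LURE_ATTACHMENT = re.compile(r"^(Contract|Changelog)_\d{2}_\d{2}_\d{4}\.zip$", re.I)
LURE_SUBJECT = re.compile(r"^(Your log \d{2}\.\d{2}\.\d{4}|Permit for retirement)$", re.I)

def lure_indicators(raw):
    """Return the campaign traits found in one RFC 822 message string, in detection order."""
    msg = message_from_string(raw)
    found = []
    if LURE_SUBJECT.match(msg.get("Subject", "").strip()):
        found.append("subject")
    body_lines = []
    for part in msg.walk():
        name = part.get_filename()
        if name and LURE_ATTACHMENT.match(name):
            found.append("attachment")
        elif part.get_content_type() == "text/plain" and part.get_content_disposition() != "attachment":
            text = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            body_lines += [line.strip() for line in text.splitlines() if line.strip()]
    # The posts note the body is signed with the first name from the (forged) From: display name;
    # this only corroborates the other traits, since legitimate mail is signed the same way.
    display, _ = parseaddr(msg.get("From", ""))
    if display and body_lines and body_lines[-1].lower() == display.split()[0].lower():
        found.append("signoff-matches-from")
    return found

def is_lure(raw):
    """A message is treated as a lure only on the subject or attachment traits."""
    traits = lure_indicators(raw)
    return "subject" in traits or "attachment" in traits

def build_sample(subject, sender, body, attachment=None):
    """Constructed sample message for offline testing (hypothetical addresses, not a real capture)."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, sender, "victim@example.invalid"
    m.set_content(body)
    if attachment:
        m.add_attachment(b"PK\x03\x04 constructed placeholder, not a real archive",
                         maintype="application", subtype="zip", filename=attachment)
    return m.as_string()

LURE = build_sample("Your log 05.07.2010", "Alice Example <alice@example.invalid>",
                    "Dear Customers,\nas promised your changelog is attached,\nAlice\n",
                    "Changelog_05_07_2010.zip")
BENIGN = build_sample("Minutes from Tuesday", "Bob Example <bob@example.invalid>",
                      "Hi all,\nminutes attached.\nRegards,\nBob\n", "minutes.zip")
```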
Guest blog: Adobe, make my day. Disable JavaScript by default
July 5, 2010 by admin
Filed under Security News
Users around the world will be pleased to learn that Adobe has managed to release an accelerated security update for Adobe Reader and Acrobat (APSB10-15) before the planned release date (13th July). The latest version of Adobe Acrobat and Reader for Windows is now 9.3.3.
The security update includes fixes for 17 vulnerabilities, which means that the guys from Adobe PSIRT have been working very hard in the last month or so.
From the malware protection point of view the most important vulnerability patched with the latest update is CVE-2010-1297 which has been actively exploited since its discovery on June 5th.
Although the vulnerability affected Adobe Flash, the main vehicle for delivering malicious payloads was PDF files. A booby-trapped PDF file would contain a Flash animation which would trigger the vulnerability, JavaScript code which would be used to arrange the memory layout so that the exploit could successfully launch its shellcode, and ultimately an encrypted executable payload which would deliver the final functionality. This exploit is more complex than the usual exploits we have become used to in the last few years and it may mark a new trend in the direction of writing exploits and shellcode.
The common thread in most, if not all, Adobe exploits is the requirement for JavaScript as exploits will work correctly only if JavaScript is enabled. This is why we recommend all users disable JavaScript in Adobe Acrobat and Reader.
Backdoors in Twitter, Now in Arabic
June 30, 2010 by admin
Filed under Security News
Twitter is becoming a common medium to spread spam, malware and all kinds of badness. Just a few weeks ago, we wrote about FIFA and the Gaza attacks being used as social engineering leverage by Trojan creators, and there are no signs of them stopping any time soon.
Over the past two weeks, several Twitter accounts were created for the sole purpose of tweeting Poison Ivy or Bifrost download links. Both Poison Ivy and Bifrost are backdoors, malicious programs that allow an unauthorized user access to the infected machine. Interestingly, these backdoor programs are hosted on either freewebtown.com or leadhoster.com, both free web hosting sites.
For some of our readers, these things aren’t new, but what caught my eye are these tweets written in Arabic:
Cybercrime groups, it seems, are broadening the scope of their social engineering by employing localization techniques. Quite clever, huh?
Lastly, these rogue Twitter accounts either have very few or no followers and following, which means the only way for potential victims to see the backdoor URL is to do a Twitter Search with the appropriate keywords. Hmmm… blackhat SEO Twitter style anyone?
Malware Sales Through Social Networks
June 30, 2010 by admin
Filed under Security News
Social media has affected business organizations in many different ways through the years and these effects caused the development of a rather complicated relationship between the two.
Social media has proven to be an effective marketing tool for businesses. Data collected last year from Fortune’s Global 100 revealed that more than 50 percent of the said companies have Twitter, Facebook, and YouTube accounts. On the other hand, social media tools such as social networks have been reported to affect office productivity and also serve as popular media for online threats.
In the same way that businesses use social media, cybercriminals do as well. Just recently, we saw an advertisement for fake point-of-sale (POS) devices in an underground forum where the seller offered a fake POS device for 1,000 EUR.
This time, we found an advertisement for a malicious tool, in a more “mainstream” channel.

The YouTube video above is actually an advertisement for a distributed denial-of-service (DDoS) tool. A screenshot of the tool is shown in the video, while features and other details such as the price and the URL from which to purchase the tool are listed in the video’s details section. (It has since been taken down by YouTube.)
Notably, the video had more than 600 views. Though the number is relatively small, one can’t help but wonder how many of those viewers were enticed enough to visit the given site and to purchase the tool. After all, it’s only US$15.
The said post is just one of the many malware ads in social networks. If anything, the above-mentioned advertisement only goes to show that cybercriminals are using social networks the same way legitimate businesses do to gain “customers” even if the customers in question are other cybercriminals.
For best practices to follow in managing a social network account, you can check our white paper, “Security Guide to Social Networks.”
New Symbian Malware On The Scene
June 30, 2010 by admin
Filed under Security News
New versions of mobile operating systems like Apple’s iOS and Google’s Android may be in the news of late, but for all the publicity both receive, the older Symbian operating system still accounted for around half of all smartphones sold in 2009. Advanced Threat Researcher Paul Ferguson came across a new suspicious application running on the S60 platform:

Calling itself ZvirOK, the application has one primary payload: to send a text message to the number 7250, with the text mumym xxx joker90. The intent behind this is unclear: perhaps it could be related to pay services frequently provided by mobile operators. This could cost the user money, particularly if these fees are high. Beyond that, however, no one can really say for sure.
Trend Micro products detect this malicious application as SYMBOS_FLOCK.I. The Python script responsible for sending the text message is detected as TROJ_FLOCK.I.
Apple secretly updates Mac malware protection
June 20, 2010 by admin
Filed under Security News
Apple’s 10.6.4 operating system upgrade earlier this week silently updated the malware protection built into Mac OS X to protect against a backdoor Trojan horse that can allow hackers to gain remote control over your treasured iMac or MacBook.
Although there is no mention of it that we could find in Apple’s release notes for Mac OS X 10.6.4, or the accompanying security bulletin, Apple has updated XProtect.plist – the rudimentary file that contains elementary signatures of a handful of Mac threats – to detect what they call HellRTS.

HellRTS, which Sophos products have been detecting as OSX/Pinhead-B since April, has been distributed by malicious hackers disguised as iPhoto, the photo application which ships on modern Mac computers.
If you did get infected by this malware then hackers would be able to send spam email from your Mac, take screenshots of what you are doing, access your files and clipboard and much more.
Unfortunately, many Mac users seem oblivious to security threats which can run on their computers. And that isn’t helped when Apple issues an anti-malware security update like this by stealth, rather than informing the public what it has done. You have to wonder whether their keeping quiet about an anti-malware security update like this was for marketing reasons. “Shh! Don’t tell folks that we have to protect against malware on Mac OS X!”
It seems their own employees can be amongst the worst offenders when it comes to giving users security advice. Just a few days ago I saw a former colleague of mine tweet about the poor advice about malware protection being offered in Apple retail stores.
Critical patches: Update your Adobe Flash player now
June 11, 2010 by admin
Filed under Security News
Adobe has issued a security bulletin detailing critical vulnerabilities that have been discovered in the current versions of Adobe Flash Player for Windows, Macintosh, Solaris and Linux.
An update issued by Adobe claims to resolve 32 vulnerabilities in Flash Player – which if left unpatched could leave open a door for hackers to infect innocent users’ computers. Some of the security holes are already being exploited by malicious hackers.
Adobe is recommending that users upgrade to Adobe Flash Player 10.1.53.64.
If you’re not sure which version of the Adobe Flash Player you have installed, visit the About Flash Player page. Remember that if you use more than one browser on your computer you should check the version number in each.
Adobe further recommends that users of Adobe AIR version 1.5.3.9130 and earlier versions update to Adobe AIR 2.02.12610.
It is becoming more and more common for cybercriminals to exploit vulnerabilities in Adobe’s software – so it would be a very good idea for everyone to update vulnerable computers as soon as possible.