SYMBOS_FLOCK.I – Where Does It Come From?

July 5, 2010 by admin  
Filed under Security News


Yesterday we blogged about a new piece of Symbian malware, which we detected as SYMBOS_FLOCK.I. This malware targets users of older Series 60 devices.

 

Overall, the malware itself is very simple in its operation. It first prompts the user to install an application called ZvirOK 5.2!. The version number suggests there are previous versions of this malware in existence (that, or it took the malware writer at least five attempts to get it right). Alternatively, the malware author wanted us to think that this is a legitimate application and added the version number to make it appear as such.

 

Another interesting fact is that the word Zvirok (Зверёк) roughly translates from Russian as “small animal”, which is sometimes used as a nickname, suggesting that this malware is of Russian origin. However, the Symbian Installer package (the .SIS file) specifies the application’s language as PRC Chinese, which makes it unclear where this malware really came from.

 

After installation, the malware executes a very simple Python script which uses some of Nokia’s Python libraries to send an SMS containing the text mumym xxx joker90 to the number 7205. The number 7205 is what is known as an SMS short code, a special shortened phone number for SMS or MMS messages that is normally used for competitions and marketing and can often be quite expensive to use. The malware does not spread itself in any way.

The number of digits in SMS short codes varies from country to country – for example, in the US it is normally 5 or 6 digits, whereas in the UK it is fixed at 5 digits and begins with either a 6 or an 8. Unfortunately, both China and Russia use 4-digit SMS short codes – so there is no further hint here on the origin of this malware.
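As an added example (not code from the original post or from Trend Micro), the check below statically scans a PyS60 script for messaging.sms_send() calls whose destination is a bare 4- to 6-digit short code, which is the kind of review a defender could apply to scripts found inside an installer package to flag premium-rate SMS behaviour like that described above. The sample script is constructed to mirror the described behaviour (using the number and text quoted on the page); `messaging.sms_send` is PyS60’s SMS API, and the 4-6 digit heuristic follows the country formats given above.

```python
import ast

# Constructed sample modelled on the behaviour described above: a PyS60
# script that sends a single SMS to a 4-digit short code.
SAMPLE_SCRIPT = '''
import messaging
messaging.sms_send("7205", "mumym xxx joker90")
'''


def is_short_code(number: str) -> bool:
    """Treat a bare 4-6 digit destination with no country prefix as a short
    code; this covers the 4-digit (CN/RU), 5-digit (UK) and 5-6 digit (US)
    formats discussed above."""
    digits = number.strip()
    return digits.isdigit() and 4 <= len(digits) <= 6


def find_short_code_sms(source: str):
    """Statically scan Python source for sms_send() calls whose first
    argument is a string literal short code.
    Returns a list of (line_number, destination, message_text) tuples;
    message_text is None when it is not a string literal."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Match both "messaging.sms_send(...)" and a bare "sms_send(...)".
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name != "sms_send" or not node.args:
            continue
        dest = node.args[0]
        if isinstance(dest, ast.Constant) and isinstance(dest.value, str) and is_short_code(dest.value):
            text = None
            if len(node.args) > 1 and isinstance(node.args[1], ast.Constant):
                text = node.args[1].value
            hits.append((node.lineno, dest.value, text))
    return hits


if __name__ == "__main__":
    for line, number, text in find_short_code_sms(SAMPLE_SCRIPT):
        print(f"line {line}: SMS to short code {number!r} with text {text!r}")
```

A destination passed as a variable or a full international number is not flagged; the check is a triage aid for reviewing a package, not a substitute for running it in a sandbox.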

 

The last clue perhaps is in the SMS content itself. It’s highly likely that the phrase Joker90 refers to a particular model of scooter from Honda. Perhaps this SMS short code is used to enter a competition to win one of these scooters. If that is the case, I’m leaning towards China as the source of this malware, as scooters are more popular in China than in Russia, generally speaking.

 

Regardless of the source, however, this will not be the last malware of this type that we see. Creating such malware is fairly trivial, and there is also a modest amount of money to be made. It is doubtful that any major cybercriminal will be packing up their botnets and moving to mobile malware anytime soon, but it continues to serve as an introduction to crime for attackers on the first steps of the cybercrime ladder.

 

Source: http://blog.trendmicro.com

Malware Sales Through Social Networks

June 30, 2010 by admin  
Filed under Security News

Social media has affected business organizations in many different ways over the years, and these effects have produced a rather complicated relationship between the two.

 

Social media has proven to be an effective marketing tool for businesses. Data collected last year from Fortune’s Global 100 revealed that more than 50 percent of the said companies have Twitter, Facebook, and YouTube accounts. On the other hand, social media tools such as social networks have been reported to affect office productivity and also serve as popular media for online threats.

 

In the same way that businesses use social media, cybercriminals do as well. Just recently, we saw an advertisement for fake point-of-sale (POS) devices in an underground forum where the seller offered a fake POS device for 1,000 EUR.

 

This time, we found an advertisement for a malicious tool, in a more “mainstream” channel.

 

[Embedded YouTube video]

The YouTube video above is actually an advertisement for a distributed denial-of-service (DDoS) tool. A screenshot of the tool is shown in the video, while its features and other details, such as the price and the URL from which to purchase the tool, are listed in the video description. (It has since been taken down by YouTube.)

 

Notably, the video had more than 600 views. Though the number is relatively small, one can’t help but wonder how many of those viewers were enticed enough to visit the given site and to purchase the tool. After all, it’s only US$15.

 

The said post is just one of the many malware ads in social networks. If anything, the above-mentioned advertisement only goes to show that cybercriminals are using social networks the same way legitimate businesses do to gain “customers” even if the customers in question are other cybercriminals.

 

For best practices to follow in managing a social network account, you can check our white paper, “Security Guide to Social Networks.”

 

 

Source: http://blog.trendmicro.com/

Perform a security scan by Symantec Security Check

May 31, 2010 by admin  
Filed under Protection Tools


Is your computer safe from online threats? The Security Scan performs the following tests and offers recommendations based on the results:

Hacker Exposure Check
Checks whether your computer allows unknown or unauthorized Internet communications.

Windows Vulnerability Check
Checks whether basic information about your computer, including your PC’s network identity, is exposed to hackers.

Trojan Horse Check
Checks whether your computer is safe from Trojan horses.


Apple Safari zero-day exploit revealed

May 11, 2010 by admin  
Filed under Security News


Apple’s Safari browser contains a critical, unpatched bug that attackers can use to infect Windows PCs with malicious code, researchers at US-CERT and other security firms said today.

 

Hackers could compromise PCs with simple “drive-by” attack tactics, researchers added.

 

The vulnerability, first reported by Danish vulnerability tracker Secunia and confirmed by the United States Computer Emergency Readiness Team (US-CERT), was disclosed by Polish researcher Krystian Kloskowski on Friday. The bug is caused by an error in the handling of the browser’s parent windows.


“This can be exploited to execute arbitrary code when a user visits a specially-crafted web page and closes opened pop-up windows,” said Secunia’s alert.

 

The vulnerability can also be exploited by attackers who dupe users into opening rigged HTML-based e-mail within Safari, added US-CERT in its advisory. That scenario likely would involve tricking users into opening malicious messages in a Web mail service, such as Gmail or Windows Live Hotmail.

 

Both Secunia and US-CERT confirmed today that the proof-of-concept attack code published by Kloskowski successfully compromises the Windows version of Safari 4.0.5, the most up-to-date edition. Secunia rated the vulnerability as “highly critical,” the second-most-dangerous ranking in its five-step threat scoring system.

 

It’s not known whether the vulnerability also exists in the much more widely used Mac OS X version of Apple’s software. “Other versions may also be affected,” cautioned US-CERT.

 

Charlie Miller, the noted vulnerability researcher who won $10,000 by hacking a Mac in March at the Pwn2Own contest, was out of his office and not able to verify that the bug also exists in Safari on Mac OS X.

 

US-CERT urged users of the Windows version of Safari to disable JavaScript as a temporary defense.

 

Apple last patched Safari in mid-March when it fixed 16 flaws, including six that applied only to the Windows version of the browser. It’s not unusual for Apple to patch Windows-only vulnerabilities when it updates Safari.

 

Apple patched Miller’s $10,000 vulnerability in mid-April by plugging a hole in ATS (Apple Type Services), a font renderer included with Mac OS X. Miller accessed the ATS bug via Safari during Pwn2Own.

 

 

By Gregg Keizer, techworld.com


Rogue Toolbars Serve Up Facebook Phishing Pages

March 26, 2010 by admin  
Filed under Security News

There are a number of toolbars out in the wild with a nasty sting in the tail for anybody using them to log in to Facebook. We’ve seen two of these so far; it’s possible there are more.

 

 

Promoted as toolbars that allow you to cheat at popular Zynga games such as Mafia Wars, they appear to be normal at first glance with a collection of links to various websites and other features common to this type of program.

 


Should the end-user hit the “Facebook” button, however, things start to go wrong very quickly. In testing, what opened up for us wasn’t the real Facebook login screen – it was a verified Facebook Phish.

 


 

The button took us to apps-facebook-inthemafia(dot)tk, and only the anti-phishing protection in both IE and Firefox would probably have saved the end-user from entering their details into the fake page. mafiamafiamafiamafia(dot)t35(dot)com was also flagged on PhishTank, and it looks like we arrived just in time to catch the suspicious activity taking place, because the t35 URL was deactivated shortly after.

 

The story doesn’t end there, however – once the above domain went down at around 5:20 GMT, it took 90 minutes or less before the toolbars were pointing to a fresh URL!

 

[Screenshot of the toolbar’s new Facebook destination]

 

As you can see from the above screenshot, the toolbars now took end-users to apps-inthemafias-facebook(dot)tk, which was a cover for another t35 URL: mafiawars200uk(dot)t35(dot)com. Again, it wasn’t too long before the domain looked like this:

 

[Screenshot of the domain shortly afterwards]

 

Currently, the toolbars we have point to the real Facebook URL – the obvious danger is that they could suddenly switch to another fake site and continue harvesting Facebook logins. I’ve reported both Toolbars (which can be created by anyone through this Community Toolbar form) to Conduit, and hopefully action will be taken shortly. If we see any new phish pages linked to, I’ll update this entry.

 

For now, some handy tips:

1) If you install a toolbar from the ourtoolbar(dot)com domain, pay attention to what kind of toolbar it is. Does it promise “cheats” for Zynga games? If so, you might want to avoid logging in to Facebook by clicking buttons on the toolbar itself.

2) If you do click a Facebook button on one of these toolbars, are you taken to a .tk domain? If so, check the bottom of the page – the phish page creators are a little lazy and have left a rather large clue that you’re not on the real Facebook site:

[Screenshot of the bottom of the phishing page, showing adverts and a T35 hosting notice]

Adverts and a T35 hosting notice – probably a bit of a giveaway (you can also View Source in your browser and confirm you’re on a T35 domain and not Facebook).

 

We detect this as Trojan.Fbphishbar. Thanks to Adam Thomas from Sunbelt’s Malware Research Team for additional testing.

 

 

by paperghost at sunbeltblog.blogspot.com


Twitter fights back against spam, phishing, and other malicious links

March 11, 2010 by admin  
Filed under Security News


In a move that should be welcomed by many users, Twitter has announced that it is introducing a new feature to combat the many malicious and malware URLs that are distributed via the micro-blogging site.

 

In a blog entry posted by Del Harvey, Twitter’s Director of Trust and Safety, it was revealed that the site will start using its own URL shortener (twt.tl) for Twitter messages sent privately between two users via a direct message (DM), giving it the opportunity to “detect, intercept, and prevent the spread of bad links across all of Twitter”.

 

As Sophos’s Chet Wisniewski told DarkReading, the new http://twt.tl shortened URL appears to be invoked only for email notifications of direct messages at this time.

 

Details of how Twitter determines whether a link is potentially malicious do not appear to have been released at this time, and it would certainly be welcome if Twitter posted more information on how the system will work and what users can expect to see.

 

It’s also to be hoped that this new service will be rolled out to other areas of Twitter too. We’ve seen many times in the past that phishing and spam attacks on Twitter don’t restrict themselves purely to DMs, but are also often found in the public timeline, as the following YouTube video demonstrates:

 

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)


The problem of dangerous links being distributed via Twitter has been growing for some time, with some 70% of people polled by Sophos reporting that they have been on the receiving end of spam and malware attacks via social networks in the last year.

 

The news of Twitter’s new twt.tl short URL facility follows a few months after bit.ly announced that it would protect users against visiting webpages that may contain malware, spam or phishing threats, using technology from security vendors such as Sophos.

 

* Image source: wonderferret’s Flickr photostream (Creative Commons)


By Graham Cluley, Sophos

 


Hackers exploit Oscar film awards to spread scareware

March 9, 2010 by admin  
Filed under Security News

 

Last night saw Kathryn Bigelow’s hard-hitting film “The Hurt Locker”, about a bomb disposal team in Iraq, scoop the major gongs at the Academy Awards. It should probably come as no surprise to hear that movie buffs around the world used the internet to keep track of who won which Oscars, and – sadly – that hackers would try to exploit the event.

 

Internet users searching for phrases like “Oscars 2010 winners” may be putting the security of their computers at risk today, as some of the results returned by search engines can point to malicious webpages.

 

By using SEO (search engine optimisation) techniques, hackers have created webpages that are stuffed with content which appears to be related to the 2010 Oscars but are really designed to infect your computer.

 

[Screenshot of search engine results for the Oscars]

As you can see, information about the Oscars ceremony and award winners has been one of the hottest search topics overnight.

 

Clicking on the dangerous links takes you to a page which pretends to scan your computer for security threats, trying to trick you into downloading malicious code and into handing over your credit card details.

 

[Screenshot of the fake anti-virus scan page]

As Fraser Howard recently described on the SophosLabs blog, victims arriving from a search engine are redirected a number of times before being taken to a webpage hosting a malicious script.

 

Sophos detects the malicious scripts as Mal/FakeAVJs-A, and the fake anti-virus itself as Troj/FakeAV-AXS.

 

Fake anti-virus attacks (also known as scareware) are nothing new, and it’s very common for hackers to exploit hot topics in an attempt to bring a steady stream of traffic to their infected webpages.

 

By Graham Cluley, Sophos


President Obama Wants You to Protect Your Computer (Video)

October 17, 2009 by admin  
Filed under Security Channel

[Embedded video]


President Obama explains how the growth of digital networks has increased the need to invest in online security, as well as steps individuals can take to protect themselves from online threats. October 14, 2009. (Public Domain)

 

1H 2009: Malware Threat Grows Ever Larger

August 15, 2009 by admin  
Filed under Security News


Malware threats have undergone many, many stages of evolution over the years. First it was DOS viruses, then macro viruses, then mass-mailers, then botnets, then Web threats… the only constants seem to be that these are growing both in number and in danger.


TrendLabs has seen this continued growth of malware. The effects on users are clear: in the first six months of 2008, the Trend Micro World Virus Tracking Center (WTC) recorded that 253.4 million systems were infected with malware. The comparable volume for 2009 is almost double, at 491.2 million.
