There's a lot of talk about targeted attacks against defense contractors.
These attacks are still continuing.
We found this sample last week (md5: f393f34f268ddff34521d136e5555752).
It's a PDF file, apparently sent to an employee of a targeted company as an email attachment.
After this, a decoy PDF file is shown to the end user. The decoy is a call for papers for the 2012 AIAA Strategic and Tactical Missile Systems Conference, a US conference classified as SECRET:
Android malware seems to be all the rage at the moment. Here are a few comments on a couple of interesting side issues we've been discussing as we've seen them crop up during analyses.
First up: there was a recent report on suspicious applications found in the official Android Market. The apps in question have since been taken off the Market, but our threat hunting team still comes across them in forums and other such locations, usually promoted as 'free apps'.
The applications themselves appear to be straightforward games. At some point, however, it looks like additional services were added to the apps. The earlier versions didn't ask for anything other than Internet access:
However the later versions get a bit more personal than that:
With the changes, the app is able to access various bits of information from the device: the carrier and country, the device's ID, e-mail address and phone number.
The information is sent out to a remote server.
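The permission creep described above (an update to an already-installed game that starts asking for identity-related data) is something a reviewer can catch mechanically by diffing the `uses-permission` entries of consecutive APK versions. The following is an added example, not code from the original post or from F-Secure; the two manifests are constructed samples, not the real SndApps manifests, and the mapping of permissions to the data they unlock (READ_PHONE_STATE for the device ID and phone number, GET_ACCOUNTS for the account e-mail address) is a general Android assumption rather than something the post states about these particular apps.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifests: the earlier version asks only for Internet
# access, the later version of the same package adds identity-related permissions.
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzlegame" android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

NEW_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzlegame" android:versionCode="2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
</manifest>"""

# Assumed mapping from permission to the data it exposes; used only to
# prioritise newly added permissions for human review.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "device ID and phone number",
    "android.permission.GET_ACCOUNTS": "account e-mail addresses",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_SMS": "stored SMS contents",
    "android.permission.RECEIVE_SMS": "interception of incoming SMS",
}


def permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def permission_delta(old_xml: str, new_xml: str) -> dict:
    """Compare two versions of a manifest and report added/removed permissions."""
    old, new = permissions(old_xml), permissions(new_xml)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def flag_update(old_xml: str, new_xml: str) -> list:
    """List (permission, data exposed) pairs for sensitive permissions that
    appear in the new version but not in the old one."""
    delta = permission_delta(old_xml, new_xml)
    return [(p, SENSITIVE[p]) for p in delta["added"] if p in SENSITIVE]


if __name__ == "__main__":
    delta = permission_delta(OLD_MANIFEST, NEW_MANIFEST)
    print("added:", delta["added"])
    print("removed:", delta["removed"])
    for perm, exposed in flag_update(OLD_MANIFEST, NEW_MANIFEST):
        print("REVIEW: update newly requests %s -> %s" % (perm, exposed))
```

Run against real samples, the manifests would come from `aapt dump xmltree` or `apktool` output of each version; the point of the check is that an update from an established developer is treated like a new submission whenever it widens its permission set toward identifiers or account data.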
An additional twist this app pulls is that it includes a little icon that, when clicked, leads the user to other apps which, presumably, they might like to try. The apps being promoted also appear to show the same suspicious behavior.
What was interesting is that both the earlier 'unremarkable' and later 'suspect' versions of the app appear to be from the same developers:
It appears to be a case of questionable new behaviors being added at a later date to an existing app, and not a repackaged app with foreign malicious routines added. We're still looking into various aspects of this; for now, based on the observed behavior, we detect these applications as Spyware:Android/SndApps.A.
This case is interesting to us as we see it as an evolution in Android application development, specifically 'greyware'. This kind of behavior seems to bear out one of our earlier predictions, where an 'established' developer would be able to push out an update containing suspicious/unwanted/unethical routines, which may invade the user's privacy.
The newly added routines could include obtaining user information that can be used for other purposes, like sending marketing advertisements or spam. At worst, the details may be sold to a third party. We would have no way of knowing what is being done with the information.
In another case even more recently, we've been discussing the odd behavior of another reported Android app, this time a trojan.
It didn't make sense that the trojan intercepted an SMS message and then reported it to a loopback address:
From our investigation, it seems like this app might be a test program. We detect this as Trojan:Android/SmsSpy.C.
However, one of our threat hunters did find a file (SHA1: 7d8004b107979e159b307a885638e46fdcd54586) that appears to be more useful:
That looks more like the real deal. We detect this as Trojan:Android/SmsSpy.D.
Analysis and post by: Zimry, Irene, Raulf and Leong
So, in 2009 I attended TED in Long Beach, California. Attending a TED conference isn't straightforward: you need to apply and have two people recommend you. Sitting in the same audience with people like Al Gore, Bill Gates and Paul Simon blew me away. I wanted to do a TED Talk myself.
I've always been lucky. So earlier this year I was invited to speak at TEDGlobal 2011.
Photo: Robert Leslie / TED
TEDGlobal 2011 has been a blast. I did my talk yesterday to a crowd more intensive than I've ever seen. It went well.
Photo: James Duncan Davidson / TED
I believe it's the only TED Talk I've seen that used an overhead projector and transparencies, as commented here by comedian Robin Ince:
I'll let you know when the video is posted to TED.COM.
Thanks to everybody who helped me pull my talk together, especially Misha Glenny, Petteri Kankkunen, Juuso Koponen, Joachim Viide, Jani Kenttälä, Miguel Rodriguez and F-Secure Labdev!
What's JailbreakMe? It's an easy way to jailbreak an Apple iOS device using a PDF (related) vulnerability.
It's done with a "drive-by" style exploit.
All somebody needs to jailbreak their (newer) iPad/iPhone/iPod is to visit jailbreakme.com and to touch the free/install button. The German Federal Office for Information Security has issued a warning about this. They're concerned about the potential for targeted malicious attacks using trojanized versions of the JailbreakMe exploit.
And that's certainly possible, in theory.
We've been asked: do we anticipate any attacks against iOS devices?
Targeted attacks? No, not really. It could happen, but we don't really anticipate any as such.
However, we wouldn't be at all surprised if some AntiSec hacker group attempted something "for the lulz".
And just how would somebody attack iOS devices? Via attachments?
Attachments? No. E-mail is so not the attack vector in this case (never was on an iOS device). What folks should be careful with are their social media apps, particularly Twitter.
Heck, the links wouldn't even need to be malicious.
We can easily imagine AntiSec hackers tweeting links directly to jailbreak PDF files. When somebody clicks on such a link from their Twitter app, it would open Safari — as Apple doesn't allow for other default browsers — and then Safari would attempt to view the PDF. And then… jailbreak.
In the current AntiSec climate, the hackers might even claim that they're doing people a favor. After all, currently, the only PDF patch available is made for jailbroken devices.
You might want to be very careful what you click on between now and the time Apple releases iOS 4.3.4.
Here's a list of our JailbreakMe 2.0 posts from August 2010 (much of it is still relevant):
Heh, guess he didn't like that we were calling from Helsinki.
If you receive a text message such as this, the best course of action is to do a Web search for the sending number. It doesn't take very long before you'll find some crowd-sourced information, typically on websites such as WhoCallsMe.