Author Misha Glenny was interviewed by broadcast journalist Charlie Rose recently. The majority of discussion was based on Misha's current book, DarkMarket: Cyberthieves, Cybercops and You.
The interview is 20 minutes long, a provides an excellent summary of the threats currently facing the Internet.
With a 2-minute video, BBC News program "Click" does a very decent job explaining to the laymen how banking trojans such as ZeuS attempt to avoid detection by antivirus software:
During the call, which is currently posted on YouTube, members of the USA's FBI can be heard discussing several Anonymous and LulzSec related cases with investigators from the UK.
Today's leak helps explain just how "Anonymous Sabu" (leader of the LulzSec group) appeared to have insider information regarding the postponement of Jake Davis a.k.a. Topiary's (LulzSec member) trial on January 27th.
Sabu appeared to have some sort of insider information.
And in fact, he did… Topiary's trial date and its delay was discussed during the conference call.
Anonymous has promised additional FBI related releases today. Those could also be quite interesting as it appears that an active member of the FBI's e-mail has somehow been compromised…
Several weeks ago, we asked members of our community forums, and our blog readers to submit ideas for a new set of F-Secure Labs Laptop Stickers. Well, we finally find some time to pick the finalists.
You can see them, and vote for 10 of your favorites, on polldaddy.com.
The poll will be open for at least another week, so please feel free to share, tweet, et cetera.
And then of course we'll figure out some kind of way for folks to win a copy of the final set.
In a recent episode, a computer virus crashes a computer. And sets it on fire. The virus got in via a fractal. Embedded on a bone of a shooting victim.
We've been seeing cases of malware that first debuted on other operating systems being ported over to Android. Here's another trojan that fits the bill.
OpFake was first found on Symbian and Windows Mobile. In its latest incarnation on Android, the trojan (still) appears to be an Opera Mini app… whose only permission request is to send SMS messages:
Turns out the app (we detect it as Trojan:Android/OpFake.D) sends the messages on launch:
In previous cases, we usually saw these SMS messages hard-coded into the classes; this time, the message contents and telephone numbers are stored in a "config.xml" file and are encoded. Here's the garbled code:
The string becomes readable when decoded using base64 decoding, showing the SMS messages sent by the app on execution:
Amidst my usual adventure with Android malware analysis, I saw this snippet of code while skimming through a particular sample's class modules.
Figure 1
Late last year, I was looking deeper into the Portable Network Graphics (PNG) image format, especially the fields that hold textual information. Upon seeing the code, it immediately triggered my suspicion as to why would the application need to check for the existence of the "tEXt" chunk of a PNG file.
I continued to glance through the code and found out where this particular code gets called to identify the image file of interest.
Figure 2
This part of the code tells that the file of interest uses the resource name "icon.png" and is bundled with the application. The image would then be opened and passed to the method where the code that checks for the PNG chunk (Figure 1) is called.
Inspection of the APK package's resources yields three files with similar name. Since it is only interested in the first occurrence of the tEXt chunk, I quickly pulled out a hex viewer and inspected the first tEXt chunk in every file. They all contain the same binary data for that specific chunk. Here is how the image appears when rendered as well as its internal representation in a hex viewer.
Figure 3
This image is also used as the application's icon, therefore, it would be very visible during and after its installation on a device.
Figure 4
As of this moment, the data in Figure 3 made little sense to me but it is also not normal for the tEXt chunk to have a binary data or unreadable string, so I continued to analyze the rest of the code in Figure 1. Further analysis revealed that it reads the hidden data in Figure 3 and performs XOR bitwise operation against a hardcoded text streams (the "key") for each and every byte read.
Figure 5
I am more of a Python person so I created this small script to decode the hidden information from Figure 3, which algorithm is based on what I understood with the rest of the code in Figure 5. After executing the script (Figure 6.a), and to my surprise, I saw some readable English words and numbers!
While it still doesn't give a clear picture of what those plain text information signify to the application, at this point I figured out that it employs steganography to hide these data (Figure 6.b) from within the tEXt chunk data of the PNG file (Figure 3). Looking at the strict definition of steganography though, it's debatable whether this sample would really be considered steganographic, since it is just a simple embedding of encoded data in one of the chunks of the PNG file.
Figure 6
Continuing with the analysis of the rest of the code in Figure 5, it further strengthens the fact that those hidden information (partial screenshot shown below) are used to support the main motive of the application (i.e., sending SMS to premium numbers).
Figure 7
In addition to discovering the code above, I've also run the application on an Android device emulator to verify that it is indeed using those information for the SMS sending operation. And here it shows that an outgoing SMS event was captured with details similar to the decoded data in Figure 6.b (except for the last four digits of the "Message" below). The event happened as soon as I hit the "Next" button from the main UI of the newly installed application.
Facebook is recently doing a decent job at keeping survey spam posts at bay (all things considered).
So, what's an entrepreneurial Facebook spammer to do? Well, some have tweaked their master plan, and have expanded their use of "cloud" services.
Using Amazon's S3 file hosting service solves quite a few problems for these perpetrators. Number 1, Amazon's S3 web service is pretty inexpensive to set up, therefore they can still earn from the surveys. Number 2, because Facebook has been pretty successful at blocking suspicious URLs linked to spam, hosting their scam's code in a safe and popular domain such as amazonaws.com gives them a better chance to sneak through Facebook's protections.
The diagram below basically shows the whole flow of the agenda.
All browsers other than Chrome and Firefox are served with a survey page, thereby ending in actual monetization if the spammer's surveys are filled out and submitted. This monetization happens within the Cost Per Action (CPA) marketing model, which is behind most social media spam. Geo-location techniques are used in an attempt to broaden the spammer's survey completion rate. Depending on the location, the fake Facebook page issues a survey that redirects to a specific affiliate marketer.
Firefox and Chrome are used as avenues to further spread the scam via Facebook by use of a fraudulent YouTube browser plugin. A fake Facebook page displays a plugin installation if visited from either of those two browsers.
Spammers recently began using plugins as part of their cat and mouse battle with Facebook.
Upon installing the plugin, a redirector URL is generated by randomly selecting from the usernames, mo1tor to mo15tor, in the Amazon web service. Then, the link generated is shortened through bitly.com via the use of any of the 5 hardcoded userID and API key-pairs. These key-pars gives a spammer the ability to auto-generate bit.ly URLs for the Amazon web service link. This ultimately leads to a redirection to the fake Facebook page.
Perhaps, in an attempt to confuse defenses, it also produces a random non-existent domain using the format wowvideo[random number].com. However, only the Amazon S3 web service and bit.ly URLs are working links.
Below is the structure of the post:
Title: [Video] Father Melts Baby's Brain With Motorboat Sounds Messages:
• hahaha this video will bend your mind • have you all seen this yet? • stop it! his eyes are going to pop out!! • Its eyes are black because it has no soul • must be experimental technology from mother russia! • im afraid i have some bad news • i want you to all see this
Summary: Total meltdown! I bet you have never seen this before! Main URL: www.wowvideo[random number].com
Here's an example:
The offending add-ons can be removed using "Uninstall" in Firefox and "Remove" in Chrome:
On a side note, the Firefox plugin which was distributed… was archived on a Mac.
Just in case you thought this was a "Windows" problem. ;-)
