Laptop Stickers 2012: Last Call

F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Copyright (c) 2007 F-Secure Corporation. All Rights Reserved. tag:www.f-secure.com,2012-02-09:%2Fweblog%2Farchives%2F00002312.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com There's only one day left to vote in our <a href="http://bitly.com/FSLaptopStickers2012">laptop sticker poll</a>. Here's a screenshot of the front runners: <img width="754" height="470" border="0" src="http://www.f-secure.com/weblog/archives/LaptopStickerPollStats.png" alt="Laptop Stickers Poll, 2012" /> Given the popularity of Mikko's <a href="http://www.f-secure.com/weblog/archives/00002307.html">recent post</a>, we thought "Seems legit" would be at the top&hellip; Almost ironic: <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=724929">Certificates for sale. Trust me.</a> On 09/02/12 At 05:55 PM 2012-02-09T17:59:15Z 2012-02-09T17:59:15Z Laptop Stickers 2012: Last Call tag:www.f-secure.com,2012-02-09:%2Fweblog%2Farchives%2F00002311.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Author Misha Glenny was interviewed by broadcast journalist Charlie Rose recently. The majority of discussion was based on Misha's current book, DarkMarket: Cyberthieves, Cybercops and You. The interview is 20 minutes long, a provides an excellent summary of the threats currently facing the Internet. <a href="http://www.charlierose.com/view/interview/11967"><img width="472" height="361" border="0" src="http://www.f-secure.com/weblog/archives/MishaGlennyDarkMarket.png" alt="Misha Glenny, DarkMarket" /></a> <a href="http://www.charlierose.com/view/interview/11967">Click to watch</a> On 08/02/12 At 01:50 PM 2012-02-09T17:59:15Z 2012-02-09T17:59:15Z Video: DarkMarket tag:www.f-secure.com,2012-02-09:%2Fweblog%2Farchives%2F00002310.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com With a 2-minute video, BBC News program "<a href="http://www.bbc.co.uk/click/">Click</a>" does a very decent job explaining to the laymen how banking trojans such as ZeuS attempt to avoid detection by antivirus software: <a href="http://news.bbc.co.uk/2/hi/programmes/click_online/9692842.stm"><img border="1" src="http://www.f-secure.com/weblog/archives/zeusanim.gif" alt="zeus animation"> </a> <a href="http://news.bbc.co.uk/2/hi/programmes/click_online/9692842.stm">Click to watch</a> On 06/02/12 At 02:11 PM 2012-02-09T17:59:15Z 2012-02-09T17:59:15Z How to Explain Man-in-the-Browser Attacks tag:www.f-secure.com,2012-02-09:%2Fweblog%2Farchives%2F00002309.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Breaking: a faction of Anonymous <a href="http://www.ibtimes.co.uk/articles/292421/20120203/fbi-friday-anonymous-hackers-download-conference-call.htm">has released an MP3 recording of an FBI conference call</a> which took place on January 17th. During the call, which is currently posted on YouTube, members of the USA's FBI can be heard discussing several Anonymous and LulzSec related cases with investigators from the UK. <img width="610" height="510" border="0" src="http://www.f-secure.com/weblog/archives/ConferenceCallAnonLulz.png" alt="Anon/LulzSec Conference Call" /> Today's leak helps explain just how "Anonymous Sabu" (leader of the LulzSec group) appeared to have insider information regarding the postponement of Jake Davis a.k.a. Topiary's (LulzSec member) trial on January 27th. Sabu appeared to have some sort of insider information. <img width="640" height="400" border="0" src="http://www.f-secure.com/weblog/archives/AnonSabuJan27.png" alt="anonymouSabu/status/162689939341979648" /> And in fact, he did&hellip; Topiary's trial date and its delay was discussed during the conference call. Anonymous has promised additional FBI related releases today. Those could also be quite interesting as it appears that an active member of the FBI's e-mail has somehow been compromised&hellip; Stay tuned. On 03/02/12 At 11:33 AM 2012-02-09T17:59:15Z 2012-02-09T17:59:15Z Anonymous Leaks FBI Conference Call tag:www.f-secure.com,2012-02-09:%2Fweblog%2Farchives%2F00002308.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Several weeks ago, we asked members of our community forums, and our blog readers <a href="http://community.f-secure.com/t5/News-and-Feedback/F-Secure-Labs-Laptop-Stickers-Contest/td-p/4677/highlight/true">to submit ideas</a> for a new set of F-Secure Labs Laptop Stickers. Well, we finally find some time to pick the finalists. You can see them, and vote for 10 of your favorites, <a href="http://bitly.com/FSLaptopStickers2012">on polldaddy.com</a>. <a href="http://bitly.com/FSLaptopStickers2012"><img width="645" height="741" border="0" src="http://www.f-secure.com/weblog/archives/LaptopStickersPoll2012.png" alt="Laptop Stickers Poll, 2012" /></a> The poll will be open for at least another week, so please feel free to share, tweet, et cetera. And then of course we'll figure out some kind of way for folks to win a copy of the final set. Cheers! On 02/02/12 At 04:37 PM 2012-02-09T17:59:15Z 2012-02-09T17:59:15Z Laptop Stickers 2012: Vote! tag:www.f-secure.com,2012-02-09:%2Fweblog%2Farchives%2F00002307.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Here's a clip from a US TV show called "Bones". In <a href="http://www.imdb.com/title/tt2076424/">a recent episode</a>, a computer virus crashes a computer. And sets it on fire. The virus got in via a fractal. Embedded on a bone of a shooting victim. Seems Legit. <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="550" height="452" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="wmode" value="transparent" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.liveleak.com/e/e27_1327440153" /><embed type="application/x-shockwave-flash" width="550" height="452" src="http://www.liveleak.com/e/e27_1327440153" allowscriptaccess="always" wmode="transparent"></embed></object> <a href="http://www.liveleak.com/view?i=e27_1327440153"><img width="450" height="253" border="1" src="http://www.f-secure.com/weblog/archives/706_bones_recap.jpg" alt="Bones S7E6 TV series Fractal Computer virus"> </a> <hr> On 31/01/12 At 10:57 AM 2012-02-09T17:59:15Z 2012-02-09T17:59:15Z Seems Legit tag:www.f-secure.com,2012-02-09:%2Fweblog%2Farchives%2F00002306.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com We've been seeing cases of malware that first debuted on other operating systems being ported over to Android. Here's another trojan that fits the bill. OpFake was <a href="http://www.f-secure.com/weblog/archives/00002261.html">first found</a> on Symbian and Windows Mobile. In its latest incarnation on Android, the trojan (still) appears to be an Opera Mini app&hellip; whose only permission request is to send SMS messages: <img width="250" height="420" border="1" src="http://www.f-secure.com/weblog/archives/android_opfake_permission.png" alt="Android OpFake, permission" /> Turns out the app (we detect it as Trojan:Android/OpFake.D) sends the messages on launch: <img width="392" height="158" border="1" src="http://www.f-secure.com/weblog/archives/android_opfake_sent_sms.png" alt="Android OpFake, SMS" /> In previous cases, we usually saw these SMS messages hard-coded into the classes; this time, the message contents and telephone numbers are stored in a "config.xml" file and are encoded. Here's the garbled code: <img width="400" height="90" border="0" src="http://www.f-secure.com/weblog/archives/android_opfake_garbled_code.png" alt="Android OpFake, garbled code" /> The string becomes readable when decoded using base64 decoding, showing the SMS messages sent by the app on execution: <img width="400" height="235" border="0" src="http://www.f-secure.com/weblog/archives/android_opfake_decoded_code.png" alt="Android OpFake, decoded code /> This Android version (SHA1: 4b4af6d0dfb797f66edd9a8c532dc59e66777072) simply continues the OpFake "tradition" of encoding its configuration files, so by itself, that's not new. It does however fit into a current trend of Android malware increasingly using encoding, encryption, and other techniques (which have been standard for years on other platform) to hide its code or actions from analysis. ThreatSolutions post by &mdash; Irene On 31/01/12 At 07:28 AM 2012-02-09T17:59:15Z 2012-02-09T17:59:15Z Trojan:Android/OpFake.D Still Encodes Its Config File tag:www.f-secure.com,2012-02-09:%2Fweblog%2Farchives%2F00002305.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Amidst my usual adventure with Android malware analysis, I saw this snippet of code while skimming through a particular sample's class modules. <img width="500" height="69" border="1" src="http://www.f-secure.com/weblog/archives/fig1_finding_tEXT_chunk.png" alt="Figure 1, finding tEXT chunk" /> Figure 1 Late last year, I was looking deeper into the Portable Network Graphics (PNG) image format, especially the fields that hold textual information. Upon seeing the code, it immediately triggered my suspicion as to why would the application need to check for the existence of the "tEXt" chunk of a PNG file. I continued to glance through the code and found out where this particular code gets called to identify the image file of interest. <img width="600" height="127" border="1" src="http://www.f-secure.com/weblog/archives/fig2_method_checking_tEXT.png" alt="Figure 2, method checking tEXT" /> Figure 2 This part of the code tells that the file of interest uses the resource name "icon.png" and is bundled with the application. The image would then be opened and passed to the method where the code that checks for the PNG chunk (Figure 1) is called. Inspection of the APK package's resources yields three files with similar name. Since it is only interested in the first occurrence of the tEXt chunk, I quickly pulled out a hex viewer and inspected the first tEXt chunk in every file. They all contain the same binary data for that specific chunk. Here is how the image appears when rendered as well as its internal representation in a hex viewer. <img width="600" height="208" border="1" src="http://www.f-secure.com/weblog/archives/fig3_tEXT_chunk_marker.png" alt="Figure 3, tEXT chunk marker" /> Figure 3 This image is also used as the application's icon, therefore, it would be very visible during and after its installation on a device. <img width="450" height="425" border="1" src="http://www.f-secure.com/weblog/archives/fig4_app_icon.png" alt="Figure 4, app icon" /> Figure 4 As of this moment, the data in Figure 3 made little sense to me but it is also not normal for the tEXt chunk to have a binary data or unreadable string, so I continued to analyze the rest of the code in Figure 1. Further analysis revealed that it reads the hidden data in Figure 3 and performs XOR bitwise operation against a hardcoded text streams (the "key") for each and every byte read. <img width="750" height="93" border="1" src="http://www.f-secure.com/weblog/archives/fig5_hidden_data_decryption.png" alt="Figure 5, hidden data decryption" /> Figure 5 I am more of a Python person so I created this small script to decode the hidden information from Figure 3, which algorithm is based on what I understood with the rest of the code in Figure 5. After executing the script (Figure 6.a), and to my surprise, I saw some readable English words and numbers! While it still doesn't give a clear picture of what those plain text information signify to the application, at this point I figured out that it employs steganography to hide these data (Figure 6.b) from within the tEXt chunk data of the PNG file (Figure 3). Looking at the strict definition of <a href="http://www.webopedia.com/TERM/S/steganography.html">steganography</a> though, it's debatable whether this sample would really be considered steganographic, since it is just a simple embedding of encoded data in one of the chunks of the PNG file. <img width="602" height="467" border="1" src="http://www.f-secure.com/weblog/archives/fig6_decrypt_hidden_data.png" alt="Figure 6, decrypt hidden data" /> Figure 6 Continuing with the analysis of the rest of the code in Figure 5, it further strengthens the fact that those hidden information (partial screenshot shown below) are used to support the main motive of the application (i.e., sending SMS to premium numbers). <img width="450" height="358" border="1" src="http://www.f-secure.com/weblog/archives/fig7_hidden_info_screenshot.png" alt="fig7_hidden_info_screenshot" /> Figure 7 In addition to discovering the code above, I've also run the application on an Android device emulator to verify that it is indeed using those information for the SMS sending operation. And here it shows that an outgoing SMS event was captured with details similar to the decoded data in Figure 6.b (except for the last four digits of the "Message" below). The event happened as soon as I hit the "Next" button from the main UI of the newly installed application. <img width="400" height="328" border="1" src="http://www.f-secure.com/weblog/archives/fig8_outgoing_sms_event.png" alt="fig8_outgoing_sms_event" /> Figure 8 SHA1: ac118892190417c39a9ccbc81ce740cf4777fde1 Detection: Trojan:Android/FakeRegSMS.B Threat Solutions post by &mdash; Jessie &mdash;&mdash;&mdash;&mdash;&mdash; Updated to add on January 30, 2012: Modifications to the title and text, to elaborate further on steganography. On 30/01/12 At 07:47 AM 2012-02-09T17:59:15Z 2012-02-09T17:59:15Z Android malware employs steganography? Not quite... tag:www.f-secure.com,2012-02-09:%2Fweblog%2Farchives%2F00002304.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Facebook is recently doing a decent job at keeping survey spam posts at bay (all things considered). So, what's an entrepreneurial Facebook spammer to do? Well, some have tweaked their master plan, and have expanded their use of "cloud" services. Using Amazon's S3 file hosting service solves quite a few problems for these perpetrators. Number 1, Amazon's S3 web service is pretty inexpensive to set up, therefore they can still earn from the surveys. Number 2, because Facebook has been pretty successful at blocking suspicious URLs linked to spam, hosting their scam's code in a safe and popular domain such as amazonaws.com gives them a better chance to sneak through Facebook's protections. The diagram below basically shows the whole flow of the agenda. <img width="606" height="718" border="0" src="http://www.f-secure.com/weblog/archives/FacebookSpamAmazonCloud01.png" alt="Facebook, Amazon S3, Spam diagram" /> All browsers other than Chrome and Firefox are served with a survey page, thereby ending in actual monetization if the spammer's surveys are filled out and submitted. This monetization happens within the Cost Per Action (CPA) marketing model, which is behind most social media spam. Geo-location techniques are used in an attempt to broaden the spammer's survey completion rate. Depending on the location, the fake Facebook page issues a survey that redirects to a specific affiliate marketer. <img width="579" height="556" border="0" src="http://www.f-secure.com/weblog/archives/FacebookSpamAmazonCloud02.png" alt="Father Melts Baby's Brain With Motorboat Sounds" /> Firefox and Chrome are used as avenues to further spread the scam via Facebook by use of a fraudulent YouTube browser plugin. A fake Facebook page displays a plugin installation if visited from either of those two browsers. Spammers recently began using plugins as part of their cat and mouse battle with Facebook. <img width="500" height="329" border="0" src="http://www.f-secure.com/weblog/archives/FacebookSpamAmazonCloud03.png" alt="Father Melts Baby's Brain With Motorboat Sounds" /> Upon installing the plugin, a redirector URL is generated by randomly selecting from the usernames, mo1tor to mo15tor, in the Amazon web service. Then, the link generated is shortened through bitly.com via the use of any of the 5 hardcoded userID and API key-pairs. These key-pars gives a spammer the ability to auto-generate bit.ly URLs for the Amazon web service link. This ultimately leads to a redirection to the fake Facebook page. Perhaps, in an attempt to confuse defenses, it also produces a random non-existent domain using the format wowvideo[random number].com. However, only the Amazon S3 web service and bit.ly URLs are working links. Below is the structure of the post: Title: [Video] Father Melts Baby's Brain With Motorboat Sounds Messages: &nbsp;&nbsp;&bull;&nbsp;&nbsp;hahaha this video will bend your mind &nbsp;&nbsp;&bull;&nbsp;&nbsp;have you all seen this yet? &nbsp;&nbsp;&bull;&nbsp;&nbsp;stop it! his eyes are going to pop out!! &nbsp;&nbsp;&bull;&nbsp;&nbsp;Its eyes are black because it has no soul &nbsp;&nbsp;&bull;&nbsp;&nbsp;must be experimental technology from mother russia! &nbsp;&nbsp;&bull;&nbsp;&nbsp;im afraid i have some bad news &nbsp;&nbsp;&bull;&nbsp;&nbsp;i want you to all see this Summary: Total meltdown! I bet you have never seen this before! Main URL: www.wowvideo[random number].com Here's an example: <img width="474" height="164" border="0" src="http://www.f-secure.com/weblog/archives/FacebookSpamAmazonCloud04.png" alt="Father Melts Baby's Brain With Motorboat Sounds" /> The offending add-ons can be removed using "Uninstall" in Firefox and "Remove" in Chrome: <img width="749" height="220" border="0" src="http://www.f-secure.com/weblog/archives/FacebookSpamAmazonCloud05.png" alt="Chrome Extensions" /> <img width="391" height="285" border="0" src="http://www.f-secure.com/weblog/archives/FacebookSpamAmazonCloud06.png" alt="Firefox Extensions" /> On a side note, the Firefox plugin which was distributed&hellip; was archived on a Mac. <img width="532" height="122" border="1" src="http://www.f-secure.com/weblog/archives/FacebookSpamAmazonCloud07.png" alt="Mac OS X" /> Just in case you thought this was a "Windows" problem. ;-) Threats Insight post by &mdash; Karmina On 26/01/12 At 01:48 PM 2012-02-09T17:59:15Z 2012-02-09T17:59:15Z Facebook Spammers Use Amazon's Cloud tag:www.f-secure.com,2012-02-09:%2Fweblog%2Farchives%2F00002303.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Many of the sites that <a href="http://www.f-secure.com/weblog/archives/00002302.html">we blogged about on Monday</a> are still offline after being targeted by DDoS attacks. Hackers have promised <a href="https://twitter.com/#!/SgtSecondary/status/161800483231645696">to continue until the 26th</a>. According to Polskie Radio: "Over a thousand people gathered in Warsaw, Tuesday evening, to oppose the anti-internet piracy ACTA agreement, which PM Tusk confirmed that Poland will sign on Thursday." The signing is scheduled to take place in Tokyo, Japan. #Insert joke here: How do you hack a Polish government official's laptop? <img width="616" height="385" border="0" src="http://www.f-secure.com/weblog/archives/PolishPasswordSecurity.jpg" alt="Polish password security" /> &hellip;the username and password are written on the sticker. On 25/01/12 At 06:34 PM 2012-02-09T17:59:15Z 2012-02-09T17:59:15Z Cracking Polish Passwords tag:www.f-secure.com,2012-02-09:%2Fweblog%2Farchives%2F00002302.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com There's breaking news coming out of Poland. Hackers, reportedly associated with Anonymous, have been attacking Polish government websites to protest this week's scheduled signing of the Anti-Counterfeiting Trade Agreement (ACTA). <a href="http://on.wsj.com/xAemwK"><img width="517" height="380" border="0" src="http://www.f-secure.com/weblog/archives/WSJ_PolandHackers.png" alt="http://blogs.wsj.com/emergingeurope/2012/01/23/hackers-hit-polish-government-websites/?mod=wsj_share_twitter" /></a> ACTA is <a href="http://en.wikipedia.org/wiki/Anti-Counterfeiting_Trade_Agreement">an intellectual property</a> treaty. Poland announced on January 19 that it would sign the treaty on January 26, 2012. A Twitter account called @AnonymousWiki called for action against the Polish government. All of this follows on the heels of <a href="http://www.f-secure.com/weblog/archives/00002301.html">SOPA protests</a> and Anonymous <a href="http://news.cnet.com/8301-1009_3-57362437-83/anonymous-goes-nuclear-everybody-loses/">attacks against US government websites</a> due to the FBI's takedown of Megaupload. Websites targeted by DDoS attacks include: abw.gov.pl; arimr.gov.pl; ets.gov.pl; knf.gov.pl; mf.gov.pl; mkidn.gov.pl; mzios.gov.pl; pip.gov.pl; praca.gov.pl; premier.gov.pl; stat.gov.pl; uzp.gov.pl. Here's a screenshot of premier.gov.pl, currently down, from Google's cache: <img width="768" height="600" border="0" src="http://www.f-secure.com/weblog/archives/PolandStopACTA.png" alt="premier.gov.pl" /> The <a href="http://youtu.be/QKAH3Xj1bQc">embedded video</a> on the defaced page is a parody of <a href="http://en.wikipedia.org/wiki/Wojciech_Jaruzelski">Wojciech Jaruzelski's</a> (Poland's last Communist leader) announcement of martial law on December 13th, 1981. <img width="483" height="402" border="0" src="http://www.f-secure.com/weblog/archives/Jaruzelski.jpg" alt="Wojciech Jaruzelski" /> And, what is also quite interesting and shocking &mdash; hackers have claimed that the password and login to premier.gov.pl's admin panel was admin (login) and admin1 (password). There are also reports a hacked laptop belonging to a deputy of Micha&#322; Boni, Poland's Minister of Administration and Digitization. This situation will develop further. Updated to add: Though it is among the sites listed above, we would like clarify that premier.gov.pl was not DDoS attacked, but rather, was hacked and defaced by a group called the Polish Underground, who, according to a Polish colleague of ours, explicitly deny having anything to do with Anonymous. On 23/01/12 At 04:06 PM 2012-02-09T17:59:15Z 2012-02-09T17:59:15Z Pole Position: Poland Attacked by Anti-ACTA Hackers tag:www.f-secure.com,2012-02-09:%2Fweblog%2Farchives%2F00002301.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com We're sure that most of you have at least heard of SOPA. Major websites such as Wikipedia <a href="http://en.wikipedia.org/wiki/Wikipedia:SOPA_initiative/Learn_more">have blacked out</a> sections of their content today to raise awareness. In some locations, Google has blacked out its logo. <img width="446" height="257" border="1" src="http://www.f-secure.com/weblog/archives/google-black.png" alt="Google" /> The concern of many speech and privacy advocates is that SOPA, which stands for Stop Online Piracy Act, greatly expands the legal authority of US government agencies to seize control of foreign hosted websites, in the name of combating piracy. <img width="768" height="576" border="0" src="http://www.f-secure.com/weblog/archives/ThisSiteSeized_ICE.png" alt="This domain name has been seized by U.S. Immigration and Customs Enforcement�" /> And the issue isn't just about Hollywood and "content piracy". Pharmaceutical companies are also involved, and some Canadian based sites are joining today's blackout as well. They fear being lumped in with fake viagra spam related sites. <img width="760" height="573" border="0" src="http://www.f-secure.com/weblog/archives/RxRights.png" alt="RxRights.org" /> The related US House and Senate bills can be read from thomas.gov: <a href="http://thomas.loc.gov/cgi-bin/query/z?c112:H.R.3261:">SOPA</a>; and <a href="http://thomas.loc.gov/cgi-bin/query/z?c112:S.968:">PIPA</a>, ProtectIP Act. Ethics, law, and politics aside, we at F-Secure Labs are concerned more about implementation. Laws such as SOPA seem almost guaranteed to start an Internet "arms race" as speech advocates (and yes, pirates) innovate new technologies. And then those new technologies will get co-opted by criminals (which we've seen happen far too often). Seems better not to start an arms race if you can avoid it. Also of interest, TED.com will be putting Mikko's <a href="http://www.f-secure.com/weblog/archives/00002274.html">TEDxBrussels talk</a> on their front page today as part of their SOPA awareness. Read more about it from the <a href="http://blog.ted.com/2012/01/18/what-were-doing-about-pipasopa-talking/">TED Blog</a>. On 18/01/12 At 02:07 PM 2012-02-09T17:59:15Z 2012-02-09T17:59:15Z What the heck is SOPA? tag:www.f-secure.com,2012-02-09:%2Fweblog%2Farchives%2F00002300.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Brod, a researcher on our Threat Research team has been tasked with tracking emerging Mac based threats. Microsoft Excel is one of the tools he uses to chart variants. From April to December 2011, there have been several dozen new Mac threats. Well, that's nothing when compared to Windows malware &mdash; but it's definitely something when compared to the number of Mac threats seen prior to 2011. Keep in mind that by "new", we're referring to unique variants, and not the raw number of unique binaries that we've seen. We prefer a more conservative approach when counting malware. The more generic and family based, the better. Here's an overview: <img width="741" height="610" border="0" src="http://www.f-secure.com/weblog/archives/MacMalwareSummary2011.png" alt="Mac Malware Summary 2011" /> Want a closer look? Download Brod's spreadsheet: <a href="http://www.f-secure.com/weblog/archives/Mac.Threats.2011.xlsx">Mac Threats 2011</a>. As we correctly predicted back in May (<a href="http://youtu.be/oxfdFeEoxuk">YouTube video</a>), Mac malware has not scaled continuously due to market share, but rather, is more the result of opportunist "bubble economies" that have produced new threats in fits and starts. We expect more of the same for 2012. Edit: A small revision has been to the spreadsheet linked above. On 16/01/12 At 05:02 PM 2012-02-09T17:59:15Z 2012-02-09T17:59:15Z Mac Malware Summary 2011 (Q2/Q3/Q4) tag:www.f-secure.com,2012-02-09:%2Fweblog%2Farchives%2F00002299.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Yesterday, we stumbled across this ad from an Android-related site: <img width="513" height="201" border="1" src="http://www.f-secure.com/weblog/archives/android_malicious_website.jpg" alt="android_malicious_website" /> Clicking this led to a malicious Android Market. Note that this isn't the official Android Market, but a fraudulent site designed to look something like the real thing. <img width="420" height="465" border="1" width="400" src="http://www.f-secure.com/weblog/archives/android_malicious_website_2.jpg" alt="malicious website" /> Samples found here are detected as Trojan:Android/FakeNotify.A. As usual, other malicious sites are hosted on the same IP address as the malicious Android Market. One site that came to our attention claimed to unlock hidden features of the phone. This same site was also found to be promoted in Russian forums. Upon visiting the site, it indicates that it is a "Phone Optimizer": <img width="300" height="399" border="1" src="http://www.f-secure.com/weblog/archives/phone_optimizer_text.jpg" alt="phone_optimizer_text" /> The text above mentions that mobile phone manufacturers are known to hide phone functionalities in order to earn money. The idea is that the manufacturers would then earn money through an OS update that unlocks the hidden features. This site claims to check your phone for such hidden features and unlock them. Here's an example of the scan result, and its English translation: <img width="300" height="500" border="1" src="http://www.f-secure.com/weblog/archives/phone_optimizer_scan.jpg" alt="phone optimizer scan" /> <img width="290" height="329" border="1" src="http://www.f-secure.com/weblog/archives/phone_optimizer_scan_translation.jpg" alt="phone optimizer scan translation" /> The phone model was correctly identified by checking the User Agent. The download link leads to a malicious file that sends premium SMS to a number based on the country location. The malicious page does not only target Android devices. If accessed using an Android phone, it issues a file called optimizer.apk; otherwise, it downloads the file optimizer.jar. We detect this malware as Trojan:Android/FakeNotify.A (the APK), and Trojan:Java/FakeNotify.C (the JAR). Our Browsing Protection for Mobile is able to block the malicious links identified in this blogpost: <img width="300" height="390" border="1" src="http://www.f-secure.com/weblog/archives/bp_block.jpg" alt="browsing protection block" /> Incidentally, for our readers: If you guys come upon suspicious mobile samples, please feel free to send them to us for analysis at: android-labs[at]f-secure[dot]com. Please include the keyword "Sample" in the e-mail's subject line. Threat Insight post by &mdash; Raulf and Karmina (Also, thanks to Dima for his Russian contribution and English translation.) <hr> On 10/01/12 At 10:13 AM 2012-02-09T17:59:15Z 2012-02-09T17:59:15Z Unlock Your Phone's Hidden Features!... Not. XML::Atom::SimpleFeed 2012-02-09T17:59:15Z Weblog of F-Secure Antivirus Research Team F-Secure Antivirus Research Weblog