NEWS FROM THE LAB - April 2011
Friday, April 29, 2011

Malware authors: Don't hassle the Hoff on F-Secure's watch! Posted by Mika @ 05:13 GMT

A while back we noticed that malware authors seem to have a thing for Chuck Norris. And why not: Chuck Norris kicks ass! We have been monitoring the situation carefully and have found several malware that show some sort of interest or tribute towards Mr. Norris.

We started thinking; if our automation can detect malware by looking for references to Chuck Norris, what else can we do? Then it hit us: we need to look for references to David Hasselhoff. Obvious, when you think about it!

The Hoff t-shirt
Picture (C) F-Secure Corporation

Sure enough — there is malware that references "the Hoff".

As an example, take Backdoor:W32/IndSocket.A (a7de748dc32a8edda9e81a201e2a83da8f60bd42), a remote administration trojan (RAT) consisting of a client and a backdoor. It allows the attacker to do certain things on a compromised computer; the typical things, such as running programs, logging keystrokes, and changing the wallpaper of the user's Windows desktop. There is a catch, though: the attacker cannot choose which wallpaper to use. When the attacker clicks the "David Hasselhoff Atach" (sic) button on the remote trojan control panel, the wallpaper changes automatically to a well-known picture of the "Knight Rider" star with two strategically placed puppies.

indsocket options
Picture (C) F-Secure Corporation

So, if you yourself did not change your wallpaper to a picture of "The Hoff", you know what hit you. We're sure our customers rest easily knowing our Internet Security includes "Anti-Hassle Hoff Technology(TM)".

Thursday, April 28, 2011

Be Careful If Searching For Images of Kate Middleton's Dress Posted by Sean @ 14:41 GMT

Real-world events occasionally generate a massive number of online searches. Japan's recent earthquake and the tsunami that followed are a good example of a sudden event that turned the world's attention to Google. And as topics trend in Google's search results, Search Engine Optimization (SEO) attacks are attempted. Our March 11th post urged caution while searching for information.

The post also noted that Google has been doing a pretty good job of keeping SEO attacks at bay and filtered out of their search results. Web results that is…

Since October of last year, we've seen steady growth in image-based SEO attacks. Because Google is winning the (cat and mouse) battle against malicious site SEO, some attackers have shifted to image searches. Image-based SEO attacks are more of a technical challenge: instead of following trends and then connecting to a hosted attack site, the attacker must connect a trending topic to a particular image, link that image to a compromised site, and have that site link to the attacker's site.

It's a fascinating evolution that our Threat Insights team has been investigating.

But we'll provide more details about that in a future post.

Today, we want to mention what's likely to be a heavily searched for image tomorrow, Kate Middleton's wedding dress.

People aren't simply going to want to read about the wedding of Prince William and Kate Middleton, they're going to want to see it. And so tomorrow, we expect Google's image search to be more popular than ever.

We're already seeing some "royal wedding coverage" SEO attacks.

Here's an example which includes some well known footballers in the results:

SEO image attacks

The image, called "0611-soccer-studs1-credit.jpg", is linked to "lingerie-now.com".

Google's preview is loaded in the front, while the host site is loaded in the background.

SEO image attacks

What happens next is that the background site is linked to the attack site, which takes over the page and displays a warning message, an attempted scareware attack.

SEO image attacks

You can see the linkages here:

SEO image attacks

The site then renders an animated "Online Scan":

SEO image attacks

All of the results are nonsense, of course; this example is from a clean test machine:

SEO image attacks

Unfortunately, SEO driven scareware attacks are very successful, relatively speaking. Consumers have been scammed out of millions of dollars by this type of attack.

So be wary of this potential threat if you're among those searching for wedding pictures.

SEO image attacks

Google's Web search result for "royal wedding" places the couple's official site at the top of the page.

And here's another timely example of an image-based SEO attack, from GFI Labs' Christopher Boyd, targeting those who searched for US President Barack Obama's birth certificate, which was released by the White House yesterday.

Wednesday, April 27, 2011

Questions and Answers on the Sony Hacks Posted by Mikko @ 13:09 GMT

PlayStation Network is currently undergoing maintenance.

Q: What is PSN?
A: It's the Sony PlayStation Network, an online gaming network.

Q: What devices can access it?
A: Sony PlayStation 3 (PS3) and Sony PlayStation Portable (PSP). You can also use your PSN login on the Sony discussion forums.

Q: If I have a Playstation 3, do I also have a PSN account?
A: Not necessarily. PS3s and PSPs work fine without an Internet connection. However, the majority of users do use the online access feature and thus have created an account.

Q: Why does a gaming network have credit card information?
A: PSN is also a media delivery network. Users buy games, movies and music from there with their credit cards.

Q: How long has PSN been down?
A: Since 20th of April, 2011.

Q: What was stolen?
A: Sony believes that the stolen information includes name, address, e-mail address, birth date, password, and handle of all PSN users. They also believe credit card numbers may have been stolen, but not their security (CVV) codes.

Q: How many accounts were stolen?
A: Up to 77 million. Which would make this one of the biggest data breaches ever.

Q: What should end users do?
A: If you have used the same username/e-mail address with the same password in some other service, change the password now. When PSN comes back online, change your password there as well.

Q: What should end users do regarding their credit cards?
A: They should follow their credit card bills carefully for any signs of fraudulent purchases. If you see any signs of fraud, report it to your credit card issuer.

Q: What kind of credit cards do you recommend for online use?
A: In general, credit cards are safer than alternatives, as long as you carefully follow your bills. We especially like systems such as the one provided by Bank of America, where you can generate temporary credit card numbers for online use. Citibank and Discover offer the same or similar technology.

Q: Who hacked PSN?
A: We don't know.

Q: Was it "Anonymous"?
A: Anonymous has recently launched several attacks against Sony to protest Sony's tactics. However, Anonymous has announced they are not behind this breach.

Sony vs Anonymous

Q: What's the connection to Rebug?
A: Rebug is a custom firmware for PS3 that enables access to lots of features that are otherwise unreachable. In particular, recent versions made it possible for a normal PS3 to look like a developer unit. In some cases, this could be used to steal content from PSN shops for free. While the Rebug hack could be used to steal credentials and credit card numbers from the PS3 unit it's running on, there's no obvious way it could be used to steal information on a larger scale. Rebug developers do not believe it was connected to the breach in any way.

Q: So, this could never happen on the gaming networks of XBOX and Wii, right?
A: We wouldn't bet on that.

Here's a link to Sony's official PSN hack Q&A.

Added questions on 3rd of May, 2011:

Q: What's SOE?
A: It's Sony Online Entertainment System, which is an online gaming network like PSN but for PC games.

Q: Does SOE have any games I would have heard of?
A: Yes, EverQuest (also known as EverCrack for its addictiveness). There are some other games too, including Star Wars Galaxies, The Matrix Online, PlanetSide and DC Universe Online.

EverQuest II image from mmofront.com

Q: What happened with SOE?
A: It was hacked as well. Sony announced on the 3rd of May that attackers had stolen personal information for 24.6 million SOE accounts, including names, addresses, telephone numbers, e-mail addresses, gender, date of birth, login ID, and hashed passwords. Combining stolen records from PSN and SOE takes the total over 100 million stolen accounts, which must be some sort of a record. This is pretty big. For example, we have scores of employees at F-Secure who are affected.

Q: Did they steal anything else?
A: Yes. They were able to steal "an outdated database from 2007", which included 12,700 credit or debit card numbers and 10,700 direct debit records of European customers. That means bank account information.

Q: Why did Sony have "an outdated database from 2007" online?
A: Beats us.

Q: Were the credit card numbers in the "outdated database from 2007" encrypted?
A: Sony isn't telling.

Q: What do they say?
A: They have an announcement to SOE customers here.

Q: Any idea who did it?
A: We don't know. But there is some speculation there could be a connection to layoffs that just happened in Sony's Denver, Seattle and Tucson studios.

Q: Why do people hate Sony?
A: MAKE magazine has a long article on this. To summarize, Sony has a long history of going after legitimate innovation, hobbyists, and competition. Examples:

  •  Shipping hidden Windows rootkits on music CDs
  •  Threatening hobbyists for creating software that enables Sony's Aibo robot dog to dance
  •  Shutting down vendors who want to write emulators that would allow playing your old original PlayStation 1 CDs on your PC
  •  Suing companies that build systems for bypassing region restrictions
  •  Killing Linux support on PS3
  •  Suing makers, hackers, and tinkerers such as Geohot
  •  And now: losing your personal info, your credit card number and your bank account details

Tuesday, April 26, 2011

Corporate Malware Development Posted by Mikko @ 09:05 GMT

The Washington Times has published a long article on companies that develop backdoors and trojans for governmental use.

The article got started after we broke the news on the connections between Gamma Technologies, Elaman GmbH and the Egyptian Government.

Elaman / Gamma Technologies
Photo by Rüdiger Trost, F-Secure GmbH

It's more than unsettling to realize there are large companies out there developing backdoors, exploits and trojans.

Elaman / Gamma Technologies
Elaman HQ. Photo by Rüdiger Trost, F-Secure GmbH

Of course, most of these are designed for "lawful interception".

Lawful interception has been around forever. Originally it meant just the operator tapping landline phone calls. Eventually it expanded to mobile calls and text messages, and then to tapping e-mails and web browsing. However, if the suspect accesses a website that uses SSL (such as, say, Gmail), the operator can't tap it. This created a need to use malware and backdoors to infect the target's computer: once you infect a machine, you can monitor everything done on it.

Finfisher offer

In theory, there's nothing wrong in lawful interception. When it's done by the police. In a democratic nation. With a court order. And where the suspect is actually guilty. In all other cases, it is problematic.

Other companies mentioned in Eli Lake's article include HBGary Federal and Endgame Systems.

Monday, April 25, 2011

A second round of cyber attacks against Iran underway? Posted by Mikko @ 14:40 GMT

Today, leaders in Iran announced that after Stuxnet, they are now fighting a new cyber attack.

News coverage from Mardomak (Farsi)
News coverage from Mehr (English)
News coverage from AFP (English)

They talk about a new unknown malware, codenamed "Stars".

We have no further information on this attack at this time.

We can't tie this case to any particular sample we might already have.

We don't know if this is another cyber attack launched by the US Government.

We don't know if Iranian officials have just found some ordinary Windows worm and announced it to be a cyberwar attack.

Hopefully we'll find out more soon.

Stuxnet cartoon
Cartoon (c) Bob Englehart, licensed from Daryl Cagle's Professional Cartoonists Index

Thursday, April 21, 2011

Actually, iPhone Sends Your Location to Apple Twice a Day Posted by Mikko @ 07:30 GMT

Forensic researcher Alex Levinson has discovered a way to map out where an iPhone has been. The information comes from a location cache file found on an iPhone (Library/Caches/locationd/consolidated.db).

In practice, this file contains your travel history.

Apple iPhone location

It should be noted that this file can't be accessed by third-party apps on an iPhone, as you need root rights to reach it. However, the file is copied to your PC or Mac during standard iPhone sync operations and is accessible from there.

Yesterday, security researchers Pete Warden and Alasdair Allan released an application that can take such a file and show your movements on a map.
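As an added example (not the Warden/Allan application and not F-Secure code), the script below reads a consolidated.db-style SQLite file and summarises the recorded travel history per day, which is what a forensic examination of the file amounts to. The WifiLocation/CellLocation table layout and the timestamp format (Apple absolute time, seconds since 2001-01-01 UTC) are assumptions about the file; the database itself is constructed in memory.

```python
import sqlite3
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed table layout (not documented on the page): one row per observed
# Wi-Fi access point or cell tower, timestamped in Apple "absolute time",
# i.e. seconds since 2001-01-01 00:00:00 UTC.
SCHEMA = """
CREATE TABLE WifiLocation (MAC TEXT, Timestamp REAL, Latitude REAL, Longitude REAL);
CREATE TABLE CellLocation (MCC INTEGER, MNC INTEGER, LAC INTEGER, CI INTEGER,
                           Timestamp REAL, Latitude REAL, Longitude REAL);
"""

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def apple_time_to_utc(seconds):
    """Convert an Apple absolute-time value to an aware UTC datetime."""
    return APPLE_EPOCH + timedelta(seconds=float(seconds))


def build_sample_db():
    """Constructed sample database; every fix below is invented, not from a real phone."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    day1 = 293_000_000.0  # an Apple-epoch timestamp in spring 2010
    day2 = day1 + 86_400
    conn.executemany(
        "INSERT INTO WifiLocation VALUES (?, ?, ?, ?)",
        [
            ("00:11:22:33:44:55", day1 + 100, 51.5074, -0.1278),  # central London
            ("66:77:88:99:aa:bb", day1 + 200, 51.5080, -0.1270),
            ("cc:dd:ee:ff:00:11", day2 + 300, 60.1700, 24.9384),  # Helsinki
        ],
    )
    conn.executemany(
        "INSERT INTO CellLocation VALUES (?, ?, ?, ?, ?, ?, ?)",
        [
            (234, 15, 1234, 5678, day1 + 150, 51.5070, -0.1280),
            (244, 5, 4321, 8765, day2 + 400, 60.1700, 24.9380),
        ],
    )
    return conn


def load_fixes(conn):
    """Return all location fixes as (utc_datetime, lat, lon, source), oldest first."""
    fixes = []
    for table in ("WifiLocation", "CellLocation"):
        rows = conn.execute(
            f"SELECT Timestamp, Latitude, Longitude FROM {table} "
            "WHERE Latitude IS NOT NULL AND Longitude IS NOT NULL"
        )
        for ts, lat, lon in rows:
            fixes.append((apple_time_to_utc(ts), lat, lon, table))
    fixes.sort(key=lambda f: f[0])
    return fixes


def daily_summary(fixes):
    """Group fixes by UTC date: number of fixes per source plus the day's centroid."""
    per_day = defaultdict(list)
    for when, lat, lon, source in fixes:
        per_day[when.date()].append((lat, lon, source))
    summary = {}
    for day, rows in sorted(per_day.items()):
        lat_c = sum(r[0] for r in rows) / len(rows)
        lon_c = sum(r[1] for r in rows) / len(rows)
        counts = defaultdict(int)
        for _, _, source in rows:
            counts[source] += 1
        summary[day.isoformat()] = {
            "fixes": len(rows),
            "centroid": (round(lat_c, 4), round(lon_c, 4)),
            "sources": dict(counts),
        }
    return summary


if __name__ == "__main__":
    db = build_sample_db()
    for day, info in daily_summary(load_fixes(db)).items():
        print(day, info)
```

To run it against a real file, replace build_sample_db() with sqlite3.connect(path) and adjust SCHEMA-dependent column names if the file differs.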

UFED Physical Pro iPhone forensic examination

Now, this sounds bad from a privacy viewpoint. For example, authorities could gain a court order to do a forensic examination on your phone to figure out where you've been.

But why is Apple collecting this information to begin with? We don't know for sure. But we're guessing it's likely related to Apple's global location database.

Like Google, Apple maintains a global database of the locations of Wi-Fi networks. They use this to get an estimate of your location without using GPS. For example, if your handset sees three hotspots which have MAC addresses that Apple knows are within a certain city block in London, it's a fair bet you're in that city block.

We know how Google collected their location database: they recorded Wi-Fi networks world-wide while their Google Maps Street View cars were driving around the globe.

Where did Apple get their location database? They used to license it from a company called Skyhook. How did Skyhook obtain this information? Well, they had their own cars drive around the world, just like Google.

However, the Skyhook database is expensive. So beginning with iPhone OS 3.2 released in April 2010, Apple started replacing the Skyhook location database with their own location database.

And the real question is: How did Apple create their own location database? They did not have cars driving around the world. They didn't need to. They had existing iPhone owners around the world do the work for them.

If you run a modern iPhone, it will send your location history to Apple twice a day. This is the default operation of the device.

Apple iPhone location

How can they do this? By asking for your permission first. There is an opt-in process during initial iTunes installation, but the prompt is highly misleading:

iTunes location

The iTunes prompt talks about helping Apple with Diagnostics information. It says nothing about recording your locations. If you take the time to read Apple's Privacy Policy, it does explain what they are doing:

     To provide location-based services on Apple products, Apple and our partners
     and licensees may collect, use, and share precise location data, including the
     real-time geographic location of your Apple computer or device.
     This location data is collected anonymously in a form that does not personally
     identify you and is used by Apple and our partners and licensees to provide and
     improve location-based products and services.

We believe the new secret location database found on the devices is connected to this functionality. Apparently iPhones always collect your location information, even if it's not getting sent to Apple.

Monday, April 18, 2011

The Increasingly Shapeshifting Web Posted by Sean @ 17:27 GMT

Short URL services are problematic, and they are becoming even more so in combination with IP location technologies.

From twitter.com earlier today:

http://twitter.com/#!/olasher/status/59923780021141504

If you look closely, you'll notice it's one spambot, @olasher, replying to another spambot, @MorabsShimb3554. Lame, right?

Well, the @olasher account was too obvious; Twitter suspended the account within hours of its creation. The @MorabsShimb3554 account is more subtle, however, and attempts to fly under the radar (successfully so far) by asking the reader to "copy & paste" the ow.ly link.

The ow.ly short link directs through maxbounty.com, and from Finland, redirects to http://fi.toluna.com/Register.aspx, but with an affiliate ID attached, which is how the spammer hopes to make money.

There's no good way of telling just how many sites the ow.ly link opens; it depends entirely on the user's point of origin (IP address) and the number of MaxBounty commissions.

Twitter has a very nice tool tip feature that attempts to help by expanding short URLs, but it suffers from being too USA-centric. The links displayed are based on twitter.com's home IP address. It works great for legitimate links, but not always so well for spammy and/or malicious links, because results vary according to location.

And sometimes Twitter can't expand to the end point for some other reason.

Let's look at the link that was being pushed by @olasher:

http://bit.ly/gwkWzD+

It pointed to adf.ly, another short URL service, one which attempts to monetize short URLs with an advertisement that the viewer needs to click past.

adf.ly

From a Finnish based IP address, the adf.ly URL will open to legitimate sites such as Groupon's citydeal.fi. Again, with an affiliate ID attached. There could be many dozens of variations within Europe alone.

Groupon, CityDeal

Once you click to skip the ad, you'll be directed to amazon.com.

Amazon affiliate iPad

And yes, there's another affiliate ID on the iPad 2 page as well.

All of the links used in this example are rather harmless. Unfortunately, short URL services with IP location technologies and benign affiliate ID spam are just the tip of the iceberg. More malicious links are on the horizon.

So what can be done?

Feature suggestion to bit.ly et al.: disallow URLs that point to other short URL services; there's no real legitimate reason for this.

Short URLs are useful, please make them less so for spammers and scareware vendors.
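As an added example that is not part of the original post, the script below walks a short link's redirect chain hop by hop from several vantage points, flags shortener-to-shortener links (the feature suggestion above) and pulls affiliate IDs out of each hop. The bit.ly link is the one from the post; the redirect tables, the adf.ly path, the non-Finnish landing host and all affiliate values are constructed for the example, and the shortener and affiliate-parameter lists are assumptions.

```python
from urllib.parse import parse_qs, urlparse

# Hosts treated as URL shorteners (assumed list; extend as needed).
SHORTENERS = {"bit.ly", "ow.ly", "adf.ly", "t.co", "goo.gl", "tinyurl.com"}
# Query parameters commonly used to carry affiliate IDs (assumed list).
AFFILIATE_PARAMS = {"aff", "affid", "affiliate", "ref", "tag", "mid"}

# Constructed redirect tables, one per vantage point (country of the client's
# IP address). Only the bit.ly link comes from the post; every later hop,
# path and affiliate ID is invented.
REDIRECTS = {
    "FI": {
        "http://bit.ly/gwkWzD": "http://adf.ly/EXAMPLE-PATH",
        "http://adf.ly/EXAMPLE-PATH": "http://www.citydeal.fi/deals?aff=11111",
        "http://www.citydeal.fi/deals?aff=11111":
            "http://www.amazon.com/dp/EXAMPLE?tag=example-20",
    },
    "US": {
        "http://bit.ly/gwkWzD": "http://adf.ly/EXAMPLE-PATH",
        "http://adf.ly/EXAMPLE-PATH": "http://example-us-affiliate.test/landing?mid=22222",
    },
}


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def resolve_chain(url, table, max_hops=10):
    """Follow a redirect table hop by hop; stop at the final URL, a loop or max_hops."""
    chain = [url]
    seen = {url}
    while url in table and len(chain) <= max_hops:
        url = table[url]
        chain.append(url)
        if url in seen:  # redirect loop: record the repeated hop and stop
            break
        seen.add(url)
    return chain


def affiliate_ids(url):
    """Return (param, value) pairs in the URL's query string that look like affiliate IDs."""
    qs = parse_qs(urlparse(url).query)
    return [(k, v[0]) for k, v in qs.items() if k.lower() in AFFILIATE_PARAMS]


def analyze_chain(chain):
    """Summarise a resolved chain: hop count, final host, shortener chaining, affiliates."""
    hosts = [host_of(u) for u in chain]
    chained = any(a in SHORTENERS and b in SHORTENERS for a, b in zip(hosts, hosts[1:]))
    affiliates = [(host_of(u), k, v) for u in chain for k, v in affiliate_ids(u)]
    return {
        "hops": len(chain) - 1,
        "final_host": hosts[-1],
        "shortener_chain": chained,
        "affiliates": affiliates,
    }


def accept_short_target(target):
    """The post's suggestion: refuse to shorten a link that points at another shortener."""
    return host_of(target) not in SHORTENERS


def compare_vantage_points(url, tables):
    """Resolve the same short link from several client locations and flag divergence."""
    finals = {vp: host_of(resolve_chain(url, t)[-1]) for vp, t in tables.items()}
    return {"final_hosts": finals, "geo_divergent": len(set(finals.values())) > 1}


if __name__ == "__main__":
    for vantage, table in REDIRECTS.items():
        chain = resolve_chain("http://bit.ly/gwkWzD", table)
        print(vantage, " -> ".join(chain))
        print("   ", analyze_chain(chain))
    print(compare_vantage_points("http://bit.ly/gwkWzD", REDIRECTS))
```

A real resolver would replace the table lookup with a HEAD/GET request per hop that never follows redirects automatically, so each Location header is recorded before it is acted on.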

Friday, April 15, 2011

Heavy Use of Social Media in Finnish Elections Posted by Sean @ 14:55 GMT

vaalit.fi

Finland's parliamentary elections take place this weekend, on Sunday, April 17th. According to the Ministry of Justice's election statistics, 31.2% of Finland's eligible voters (4,159,857 people) have already cast their votes in early balloting. 2007's elections received a 67.9% overall turnout.

Finnish political campaigns last two weeks, an incredibly short period of time when compared to a country such as the United States (which is already preparing for November 2012 elections).

In a year of reduced campaign budgets, many candidates are utilizing social media sites such as Facebook and Twitter in their outreach efforts.

Some candidates, such as Foreign Affairs Minister, Alexander Stubb, have obviously been using Twitter for some time (one would almost expect it from a self-declared foreign affairs geek), while others, such as Prime Minister, Mari Kiviniemi, actually use social media less frequently.

Even Finland's Ministry of Justice has its own Facebook page for the elections.

That Finnish candidates and government use social media is not really surprising. According to a March 2010 US State Department Social Media report, Finland has a high level of Internet penetration and usage in comparison to other European nations. Internet usage is such a daily part of life for most Finns that there is now a law requiring universal Internet access. It's considered a fundamentally important utility.

Analysts will have to wait until after the election to begin determining just how much of an effect social media had on the results. But one thing seems certain: in a country where anybody can download a master list of all 2,315 candidates in Excel format and their demographic statistics in PDF format, 2015's parliamentary elections could require a master list of "official" social media accounts.

Thursday, April 14, 2011

Poll: Should law enforcement "hijack" botnets? Posted by Sean @ 11:34 GMT

The New Haven office of the Federal Bureau of Investigation (FBI) hijacked and "killed" the Coreflood botnet this week. You can read more about it from Kim Zetter at Wired.com. Zetter's article references similar action which was taken by Dutch authorities against the Bredolab botnet. We blogged about it last October.

Shutting down a botnet isn't technically difficult. Bots often include instructions to uninstall themselves. But sending a bot the instruction to do so is legally considered "unauthorized use", and so antivirus companies don't do it. This has sometimes been a matter of debate on this very blog; see the comments of this post for an example.

It has always been our assertion that only governments and their law enforcement agencies could authorize a botnet shutdown. And even then it is a tricky issue… should the FBI be allowed to kill a bot installed on a non-USA (e.g. Canadian) computer? Are they restricting themselves to US-based IP addresses?

What are your thoughts?

Poll: Should law enforcement agencies seek to "hijack" and shut down botnets?

Poll: Hijacking Botnets

Updated to add: The FBI is seeking written approval before uninstalling Coreflood from infected machines according to this article by Gregg Keizer at Computer World.

Tuesday, April 12, 2011

Limit Flash Exploit Exposure, Uninstall ActiveX Version Posted by Sean @ 15:27 GMT

Yesterday, Adobe issued Security Advisory APSA11-02. The advisory states that:

"A critical vulnerability exists in Flash Player 10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 10.2.156.12 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems."

And… this new vulnerability is currently being exploited in the wild:

"There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment, targeting the Windows platform."

Flash files embedded in Office?

This attack vector prompted the following question from Brian Krebs: Does anyone know of a reliable way to disable the rendering of Flash objects in MS Office files across the board?

Our thought is why disable what you can easily uninstall?

We don't generally use Internet Explorer, so we don't need the IE version of Flash Player enabled at all. For Flash on the Web, you can use a designated browser (other than IE). Do you really need Flash enabled for Office?

This is what Microsoft Office will prompt when opening a document/spreadsheet/presentation containing embedded Flash content with no ActiveX version of Flash installed.

Some controls on this presentation can't be activated.

The "Non-IE" versions of Flash Player are of course still vulnerable to exploit, but it's harder to imagine a successful targeted attack (via e-mail) against them, which is probably why current attacks are using Office.

Incidentally, it looks as if the next version of Flash Player (10.3) will include a control panel applet:

Flash control panel applet

Looks promising:

Flash Player Settings Manager

Updated to add: Adobe has revised its advisory. Flash Player for browsers will be updated on April 15th, other versions are to follow later. SANS Diary has a nice table illustrating the update schedule.

Monday, April 11, 2011

Video - "Windows Activation" Ransom Trojan Posted by Sean @ 14:57 GMT

We recently came across a ransom trojan that prompts the following:

"Windows license locked!"

ransom_Trojan.Generic.KDV.153863

The trojan claims that "you should complete activation" and provides several phone numbers.

ransom_Trojan.Generic.KDV.153863

The numbers:

  •  002392216368
  •  002392216469
  •  004525970180
  •  00261221000181
  •  00261221000183
  •  00881935211841

While these numbers may look like generic service numbers, they aren't. They go to various countries ("00" is the prefix for international dialing). The countries are: São Tomé and Príncipe (239), Denmark (45), Madagascar (261) and Globalstar Mobile Satellite Service (8819).

The trojan claims that the call is "free of charge", but it isn't, and the trojan author earns money from the call via a technique known as short stopping. This method involves rogue phone operators who route the expensive calls to cheaper countries.

After three minutes or so, the caller is given this unlock code: 1351236.

The unlock code appears to be the same every time the number is called.

It's a pretty clever bit of social engineering and some victims may never even realize that they've been scammed.

Here's a video demonstration on the Labs YouTube channel, which also includes some discussion of other ransom trojans.



The GPcode screenshots referenced in the video can be seen here and here.

We detect this trojan (md5: 9a6f87b4be79d0090944c198a68012b6) as Trojan.Generic.KDV.153863.

A full audio recording of our call to the ransom number is here (MP3, 4 minutes).

Friday, April 8, 2011

Virus That Blocks Itself Posted by ThreatSolutions @ 08:42 GMT

Virus:W32/Ramnit is no stranger to many malware analysts/researchers, as it was in the wild back in 2010.

Other malware researchers have blogged about the technical details of this interesting virus (here and here, for example); however, there are still some noteworthy techniques — and an "easter egg" — waiting to be discovered.

One of the interesting techniques is the injection method that Ramnit uses. This differs from the traditional method, in which a virus creates a suspended thread, injects code using a memory-writing Windows API function, and then resumes the suspended thread after the injection is done.

In this case, what makes Ramnit different is that it calls a Windows API function to spawn a new process, either the default web browser process or the Generic Host Process for Win32 Services, also known as svchost.exe. By injecting into this newly spawned process, the code is not easily visible to users and is able to bypass the firewall.

Before this happens, though, Ramnit installs an inline hook in an undocumented Windows native system service, Ntdll!ZwWriteVirtualMemory. The picture below depicts how this injection works:

ramnit infection

The hooked native system service redirects the code execution flow to the module defined in the caller process to perform the code injection routine. The injected code in the new process includes file infection capability (Windows executables and HTML files), as well as backdoor and downloader functionality.

Another noteworthy detail in Ramnit is its "easter egg", found in the DLL that it injects into the processes mentioned above. The code snapshot below should explain everything:

antidot

Basically, this easter egg navigates to the registry key and looks for "WASAntidot":

antidot

When we create a "WASAntidot" registry key on a test machine, we see this:

antidot activate

Voila! The machine is safe from Ramnit infection now!

Threat Solutions post by — Wayne

Thursday, April 7, 2011

We're Hiring Posted by Mikko @ 12:25 GMT

FYI for all you geeks out there… we have several open positions at F-Secure, including Labs positions in Helsinki or Kuala Lumpur.

jobs

For example, we're looking for an Exploit Analyst to analyze vulnerabilities and reverse engineer exploit code.

Think you're up for it? Apply within.

Wednesday, April 6, 2011

Social Engineering Fail? Posted by Response @ 05:59 GMT

We've been seeing a run of malware distributed via spammed e-mails in the last couple of days.

The e-mail messages and the malware aren't particularly new. The message is fake and pretends to be related to a delivery service; attached to it is a disguised ZIP file containing a trojan-downloader.

If the ZIP file is run, what a user would see is:

DHL Express Services

"Hmm, I have an incoming parcel from DHL. I'd better check the attached document for the tracking number. Uh wait… or was it from FedEx?"

User confused, as well as infected.

Threat Solutions post by — Broderick

Monday, April 4, 2011

Trojan:SymbOS/Spitmo.A Posted by Sean @ 17:23 GMT

SpyEye IMEI

On March 17th, we noted a new man-in-the-mobile attack, SpyEye edition.

Here are the notes from our Threat Research team:

This variant of SpyEye has been used in an attack against a European bank. The bank uses SMS based mTANs to authorize transfers. The trojan injects fields into the bank's webpage and asks the customer to input his mobile phone number and the IMEI of the phone. The bank customer is then told the information is needed so a "certificate" can be sent to the phone and is informed that it can take up to three days before the certificate is ready.

Our detection for this (and other SpyEye variants made with the same kit) is Trojan-Spy:W32/Spyeye.AG.

The so-called certificate, the Symbian component of the malware, is detected as Trojan:SymbOS/Spitmo.A.

Spitmo.A contains the malicious executable (sms.exe) and another installer which contains an executable named SmsControl.exe. SmsControl.exe will just display the message "Die Seriennummer des Zertifikats: Ü88689-1299F" to fool the user into thinking that the installer was indeed a certificate.

The name SmsControl.exe is quite a coincidence, as a variant of ZeusMitmo used the same filename for the file containing the actual trojan. Disguising the trojan as a certificate is also a trick that ZeusMitmo has used. However, the code itself looks completely different from ZeusMitmo's. Full details of how the SMS-based mTANs are delivered to the attacker are still under investigation, but it looks as if they are delivered via HTTP and not by SMS as with ZeusMitmo.

The trojan is signed with a developer certificate. Developer certificates are tied to certain IMEIs and can only be installed to phones that have an IMEI that is listed in the certificate. This is why the malware author(s) request the IMEI in addition to the phone number on the bank's website. Once they receive new IMEIs, they request an updated certificate with IMEIs for all victims and create a new installer signed with the updated certificate. A possible source for the certificate is OPDA (http://cer.opda.cn/en), as searching for the unusually long organization name ("Beijing shi ji yi jia wang dian zi shang wu you xian gong si") returns hits related to OPDA. The delay in getting the new certificate explains why the SpyEye-injected message states it can take up to three days for the certificate to be delivered.

Trojan contents:

  •  c:\Private\E13D4ECD\settings.dat — contains two URLs http://[*].net/input.php and http://[*].net/delete.php
     — also contains: c:\Data\delete.sis — sms.exe contains code to silently install other applications
  •  c:\Private\E13D4ECD\first.dat — an empty file, deleted by sms.exe if present, used as execution check
  •  c:\sys\bin\Sms.exe — payload, executed after installation
  •  c:\private\101f875a\import\[E13D4ECD].rsc — runs sms.exe when the phone is turned on

Embedded installer SmsControl.sis:

  •  c:\resource\apps\SmsControl.r01
  •  c:\private\10003a3f\import\apps\SmsControl_reg.r01
  •  c:\resource\apps\SmsControl_aif.mif
  •  c:\Private\EAF7F915\data.txt — contains the message displayed to the user
  •  c:\sys\bin\SmsControl.exe — executed after installation, displays decoy message

Updated to add SHA-1:

Spitmo.A: 11d21bb2a63da2a0374a1dbbe21ddb4c5d18b43e
SpyEye trojan: d7d60f4a8ae05aa633c36a10b52464ee3295c18d

And here's a screenshot of the decoy message:

Spitmo.A decoy message

Friday, April 1, 2011

Hacker Group Changes Millions of Passwords to "password"; Only 38% of Users Notice Posted by Mikko @ 06:31 GMT

passwords

Passwords from over 3,000,000 user accounts were apparently set to "password" late last night in a wide-spread hack that affected hundreds of news, retail and Web 2.0 sites. Most affected users are completely unaware of the attack.

According to current statistics, 62% of affected users would not notice such a change as their password was already "password".

Several sites have reported that they are taking steps to protect compromised accounts. In addition, many sites are creating a new rule to ban using the word "password" as a password.

Users are reacting fiercely to the hack but even more so to the ban many sites are putting on one of the world's most popular passwords. Online riots are to be expected.

The hacker group named "Obvious" has claimed credit for last evening's attack. Thousands of hacked Twitter and Facebook accounts posted the message "We are all Obvious! Don't Expect Us".

A 1.9 GB file containing more than 3,000,000 user names — and one password — is now available for download as a torrent file via The Pirate Bay.

To avoid problems like this in the future, we recommend that users change their password everywhere to "password1", which is obviously more secure.