Android has become the main target for mobile malware.
Here's "Hot Girls 1", which until yesterday was still available for download to your Android phone from Android Market:
This application was originally harmless. However, a malicious developer called "Magic Photo Studio" downloaded the original application, modified it and re-uploaded it to Android Market.
As an end result, when installing "Hot Girls 1", you might notice that it requires suspicious rights, especially for an application which is just supposed to show you pictures of, well, hot girls:
The malicious developer has inserted code that triggers when the phone receives a call.
The added code will connect to a server and send details about the infected handset to the malware authors. So we're talking about a mobile botnet.
Our Android security product F-Secure Mobile Security blocks this as a variant of the DroidDream trojan, with the detection name Trojan:Android/DroidDream.B.
Dozens of infected applications have been found in Android Market, uploaded under developer names such as Magic Photo Studio, BeeGoo and Mango Studio. Google has now removed them from the Market.
Spreadsheets can even contain functionality, such as forms, and these can be published to the whole world.
Unfortunately, that means we regularly see phishing sites via Google Docs spreadsheets and hosted on spreadsheets.google.com.
Here are some examples:
These are nasty attacks, as the phishing pages are hosted on the real google.com, complete with a valid SSL certificate.
While researching these, we ran into this Google spreadsheet form:
And for the life of us, we just can't figure out if this is phishing or if it's a valid page run by Google [see below for the answer].
Initially, the page obviously looks like phishing: it's hosted on the public spreadsheets.google.com server where anyone can host forms. And it asks for your Google Voice number, your e-mail address and the secret PIN code.
Updated to add: The consensus on Twitter seems to be that it's a phishing site. The jury's still out though.
Updated to add: We got contacted by a Google employee.
They informed us that, surprisingly, the questionable page is indeed the official Google form to request Google Voice account transfer. They also told us to remove all references to the form in this blog post. But I'm afraid we can't do that.
We've seen this one before, but there's been a new run today.
Some clown is trying to pose as us. If you see an e-mail like the one below, please ignore it:
From: email@example.com
Reply-To: firstname.lastname@example.org
Subject: Security Maintenance.F-Secure HTK4S
To: undisclosed-recipients:;
Dear Email Subscriber,
Your e-mail account needs to be improved with our new F-Secure HTK4S anti-virus/anti-spam 2011-version. Fill in the columns below or your account will be temporarily excluded from our services.
E-mail Address:
Password:
Phone Number:
Please note that your password is encrypted with 1024-bit RSA keys for increased security.
Copyright 2011. All Rights Reserved.
We've seen this same desperate attempt in multiple languages (done with machine translation), for example:
From: Tampere University of Technology
Reply-To: email@example.com
Subject: Dear account user
To: undisclosed-recipients:;
Dear account user, an HTK4S virus has been detected in the webmail account folders, and your webmail account has been updated to the new F-Secure HTK4S anti-virus/anti-spam version 2011 to avoid damage to our webmail and important files. Fill in the columns below and send them back, or your e-mail will be temporarily suspended from our services.
In the 1990s, we used to have a Mac product. It was eventually discontinued due to the lack of threats.
Then, in October 2007, we saw something unusual: a DNS Changer Trojan for OS X.
We estimated the risk level of new Mac malware and as a result, we started developing F-Secure Anti-Virus for Mac.
While we have seen new Mac malware every now and then, many experts have been downplaying the malware risk on Mac OS X systems. But the fact is that we are seeing more and more activity.
Just during the last week, we've seen a significant rise in infections with Mac scareware trojans. These trojans are distributed via poisoned Google Image Search links.
The trojans attempt to trick the user into believing their Mac is infected — when it's actually clean. Once the user is convinced he has a problem, he will purchase a license for the fake security product called MacDefender, MacSecurity, MacProtector or MacGuard.
The trick is actually quite convincing. The user is redirected to a web page which doesn't look like a web page at all. Instead, it resembles the Mac Finder:
While this looks bad, it's just a webpage which has been designed to look like Finder.
Here's a short video showing how Google Images search will take the user to a page that tries to scare him.
The user still has to install the fake security product offered to him. The latest versions of the malware use a separate downloader which is able to install the trojan without ever prompting for the root password:
Here's what the rogue application looks like when it has been installed:
Once the user has installed the rogue product, it will further try to convince the user he's infected with something. This is done by randomly opening porn websites.
Even a stubborn user will be convinced he has a problem when random porn sites will pop up every few minutes on his system.
It's important to notice that these are fake security products. They don't protect the system in any way. They simply try to scam the user into purchasing them for no reason.
This is a widespread scam and we have lots of reports of real-world infections.
How can Mac users protect themselves?
So far, our Mac product has only been available via our operator (ISP) partners.
While doing some spam research a couple of years ago, we did a series of test purchases from spam e-mails.
We bought pills, software, cigarettes, et cetera. We were a bit surprised that almost all of the orders went through and actually delivered goods. Sure, the Windows CD we got was a poor clone and the Rolex was obviously fake, but at least they sent us something.
We were carefully watching the credit card accounts we created for our tests but we never saw any fraudulent use of them.
The most surprising outcome from this test was that we didn't see more spam to the e-mail addresses we used to order the goods.
Our findings were reinforced today by an excellent new study published by University of California researchers (with an impressive list of authors).
The researchers not only did test purchases from spam, they also tracked down the botnets used to send the e-mails, the hosting systems to host the spam sites and the banks that moved the money.
One of the most interesting details in the study is this: almost all spam sales worldwide are handled by just three banks.
The banks? They were:
• DnB NOR (a Norwegian bank)
• St. Kitts-Nevis-Anguilla National Bank (in the Caribbean)
• Azerigazbank (from Azerbaijan)
We have to remember that spam is actually very profitable for the banks and credit card companies that move the money. That might affect how likely they are to actually do something about this.
This site goes to great lengths to make sure you double-check that the URL you're on is accounts.craigslist.org.
And it isn't.
This has got to be one of the stupidest phishing attacks I've ever seen.
Nobody will ever fall for that.
Except they will.
You see, people aren't reading e-mail on their computers any more. They are reading it on their phones. So they'll receive the phishing scam e-mails on their phone and they'll open the scam sites on their phones.
Let's have a look at what the site looks like on iPhone, Android and Nokia devices.
Now it isn't very obvious any more. (And it's particularly well formatted for iPhone…)
As you can see, the limited screen real estate on smartphones makes phishing easier.
When you add to this the fact that most smartphones have no phishing e-mail filters and no web blocking of scam sites, there is only one conclusion: phishing works much better on phones than on PCs.
The next time you see another post on a phishing attack and think "there's no way I'm going to fall for that", you might want to reconsider. As general users become adept at detecting a phishing attempt, the authors are changing their tactics and are taking the time to learn about the target beforehand.
This e-mail, for instance, was sent to a person who had recently made a purchase from the AppStore on his iPad. The "coincidental" timing is enough to warrant at least some attention from the intended recipient. Combined with tricks such as a spoofed sender address and vague links, the recipient might even fall for the trap.
So what happens if the recipient clicks on the link? It turns out that the link leads to a drugstore site. Odd. We were expecting it to go to a fake iTunes/AppStore page, where the recipient would be prompted to enter his account details. But that didn't happen.
For several weeks now, Google Image search results have been increasingly tainted by Search Engine Optimization (SEO) poisoning. Numerous sites linked to scareware trojans and exploits via Google Image results are discovered every day. Many of these sites would otherwise be considered safe, but they've been compromised by a hack of some sort.
Google's method of crawling for and ranking images is part of the problem.
This is an example of a poisoned link from Google Image results:
Notice that imgurl and imgrefurl don't match: the image is "hotlinked". Even though the image is actually hosted on a server at enterupdate.com, Google displays the image preview and site information as though it came from the referring (compromised) site.
But there are also legitimate reasons for displaying the referring site as the "home" of the image. For example, our Safe and Savvy blog is powered by VIP WordPress.com, and its images are hosted on servers belonging to WordPress. If Google didn't consider the referring source of the image and ignored hotlinking (as Bing appears to), this search result wouldn't be very useful.
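The imgurl/imgrefurl comparison above can be turned into a simple triage check over Google Image result links: same site, a known image host such as WordPress, or a genuine hotlink from an unrelated server. This is an added example, not code from the original post; the result links are constructed, and compromised-blog.example, safeandsavvy.example and example.files.wordpress.com are placeholder hostnames.

```python
"""Triage Google Image result links by comparing imgurl with imgrefurl."""
from urllib.parse import urlparse, parse_qs, urlencode

def make_result(imgurl, imgrefurl):
    """Build a result link in the 2011 /imgres?imgurl=...&imgrefurl=... form."""
    return "http://www.google.com/imgres?" + urlencode(
        {"imgurl": imgurl, "imgrefurl": imgrefurl})

# Constructed sample results; the hostnames other than enterupdate.com are placeholders.
SAMPLE_RESULTS = [
    # Image served from enterupdate.com, page on the compromised WordPress blog.
    make_result("http://enterupdate.com/img/olivia.jpg",
                "http://compromised-blog.example/wp-images/olivia-wilde-twitter.html"),
    # A WordPress.com-hosted blog: its images legitimately live on wordpress.com.
    make_result("http://example.files.wordpress.com/2011/05/pic.png",
                "http://safeandsavvy.example/2011/05/some-post/"),
    # Image and page on the same site.
    make_result("http://example.org/a.png", "http://example.org/a.html"),
]

# Image hosts that are expected to serve pictures for other sites (CDNs).
TRUSTED_IMAGE_HOSTS = {"wordpress.com"}

def registrable_domain(host):
    """Last two labels of the host; enough for the .com/.org samples here."""
    return ".".join(host.lower().split(".")[-2:])

def classify_result(result_url):
    """Return 'same-site', 'hosted' or 'hotlinked' for one /imgres link."""
    params = parse_qs(urlparse(result_url).query)
    img_host = urlparse(params["imgurl"][0]).hostname or ""
    ref_host = urlparse(params["imgrefurl"][0]).hostname or ""
    if registrable_domain(img_host) == registrable_domain(ref_host):
        return "same-site"
    if registrable_domain(img_host) in TRUSTED_IMAGE_HOSTS:
        return "hosted"
    return "hotlinked"

def suspicious_referrers(result_urls):
    """Referring pages whose image is hotlinked from an unrelated host."""
    out = []
    for url in result_urls:
        if classify_result(url) == "hotlinked":
            ref = parse_qs(urlparse(url).query)["imgrefurl"][0]
            out.append(urlparse(ref).hostname)
    return out

if __name__ == "__main__":
    for url in SAMPLE_RESULTS:
        print(classify_result(url), url)
```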
On the topic of WordPress, the poisoned image of actress Olivia Wilde, from the example above, is embedded in an html page located within a folder called wp-images. The compromised site is a WordPress.org blog.
Here's a selection of the olivia-wilde-twitter.html page:
As you can see, the text is complete gibberish. All of the page's hyperlinks connect to additional pages located on the same site, and all of the images are hotlinked and are loaded from external sources.
The html also includes a section focused on topics that have been more or less directly pulled from Google Trends.
All of this investigation brings us to a useful Google Web search that can be used to locate compromised sites. Searching for inurl:wp-images and a currently "trending topic" yields plenty of results that attempt an SEO attack.
Needless to say, we don't recommend such a search unless you're doing so from a research network. (And then you should also use Google SSL as the poisoned SEO sites will only attack if visited from http://www.google.com.)
Surely nobody would sell stolen credit cards on Twitter?
Except they do.
For example, check out Mr. SshoaibAhmed:
Let's follow the link…
Indeed, he seems to sell credit card info, most likely collected with keyloggers from infected home computers.
The prices of stolen credit cards range from $2 to $20, depending on the country where they were stolen from:
The "vis" stands for VISA, "mas" for MasterCard, "dis" for Discovery, and "amex" for American Express cards.
Alternatively, if you'd rather not use stolen credit cards yourself, you can have him buy you iPhones, iPads and laptops with stolen credit cards and ship them to you. In practice, the thief will log into an online store, then purchase an iPad as a gift purchase, giving your address as the delivery address and paying for the goods with a stolen credit card. An iPad bought like this goes for $150.
But keyloggers collect more than credit cards. They also record passwords when you log into online services.
So this vendor is also selling access to other people's online bank accounts. An account with a balance of $28,000 sells for $1,000:
Finally, to prove he really has the goods, the vendor posts "demo" information. Which basically is personal information on a handful of victims, including names, home addresses, credit card numbers, and passwords (heavily redacted here):
The accounts shown above have been reported to relevant authorities.
Some of the most common banking trojans we run into are versions of ZeuS (ZBot) and SpyEye. These are not your average bots. They are commercially developed crimeware. The trick is that the groups that develop and sell ZeuS and SpyEye do not use them themselves.
Customers that buy ZeuS or SpyEye are the ones that actually attack the banks, and doing so, they take a higher risk of getting caught.
This is the equivalent of somebody selling instructions on how to break into a bank's vault, complete with the tools to do it — but not actually breaking in themselves.
Last week there was an outbreak on Facebook of video spam related to Osama bin Laden's death. The previous spam was basically variations of this:
If a curious user clicked on the link in the spam, it would eventually bring them to a page which basically makes the user manually send out spam to his own Facebook contacts, under the guise of a "security check" to view the video:
The user is essentially asked to copy, paste and execute the script:
That code messages the user's first-degree friends (with spam).
So we were analyzing the previous run of video spam on our test machine, and today woke up to find our Facebook Inboxes full of new spam, which has been revised so that we don't even need to copy and paste the script any more. How convenient.
The spam we received looked like this:
Then we'd be expected to click ==VERIFY MY ACCOUNT== at the bottom (note: we do not recommend this).
Then we saw this at the bottom of our browser:
The code would post the same message on our Facebook account's Wall as the message the previous spam run sent out to the first-degree contacts.
Next, a pop up box appeared:
And then it redirects to this page:
It is not really clear what the author's aim is; there does not seem to be any obvious monetary gain. But it is definitely an upgrade on the previous spam run.
On a side note — posted "via iPhone"? No, not really. Assigning the 6628568379 to the app_id parameter apparently makes Facebook recognize that the posting is from an iPhone:
For example, visiting http://www.facebook.com/apps/application.php?id=6628568379 would lead to http://www.facebook.com/iphone.
The English-language version of the website of the major Russian newspaper Pravda (Правда, i.e. "The Truth") has been hacked.
There are no visible changes to the site. Instead, the page silently loads exploit scripts that try to infect the user via vulnerabilities in Java. If successful, the visitor's computer gets hit by a bot that allows outsiders to access and use the computer.
An attack like this is particularly devious. An end user might go to the same news website every morning for years, learning to trust it. Then one day it has become dangerous and will take over your computer, just by opening your favorite page.
Five years ago, if somebody managed to break into a major site like this, they would typically delete all content and post stupid pictures on the front page. Nowadays they make an invisible modification to the site, trying to stay undetected as long as possible, hoping to gain access to thousands of visitors' computers.
Recent events have highlighted that certification — and the lack of accountability in code signing and SSL certificates — has become a major issue.
Having an SSL certificate is a way for website owners to prove to their sites' visitors that they really are the genuine owners. Most Internet users and even major Internet companies implicitly trust the Certification Authorities (CAs). CAs sell SSL certificates for the encryption of web traffic, which enables secure transactions such as online banking and shopping across https connections.
However, the current certification system dates from the 1990s and has not scaled well to the sheer size and complexity of the Internet today. In addition to the major certification companies such as Verisign, GoDaddy and Comodo, there are hundreds or even thousands of regional CAs that are basically resellers for the larger companies.
Comodo recently announced that a hacker had gained entry to its systems by obtaining the password and username of one of Comodo's Italian resellers. The hacker, who has since publicly claimed that he is from Iran, issued nine rogue certificates through the company. The certificates were issued for popular domains like google.com, yahoo.com and skype.com.
It just boggles the mind that a small reseller in Italy can issue a certificate for google.com in the first place. You would think that would trip some sanity check somewhere. It didn't.
What can you do with such a certificate? If you are a government and able to control Internet routing within your country, you can reroute all, say, Skype users to a fake https://login.skype.com address and collect their usernames and passwords, regardless of the SSL encryption seemingly in place. Or you can read their e-mail when they go to Yahoo, Gmail or Hotmail. Even most geeks wouldn't notice this was going on.
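A client-side mitigation for the scenario just described is issuer pinning: ordinary chain validation accepts the rogue certificate because it chains to a CA the browser trusts, but a pinned client rejects it because the issuer is not the one expected for that host. This is an added example, not F-Secure's code; the certificates and CA names are constructed stand-ins in the dict shape that Python's ssl getpeercert() returns.

```python
"""Issuer pinning check on top of normal TLS chain validation."""

# Constructed certificate for login.skype.com, in getpeercert() dict form.
# The CA names are placeholders, not real issuers.
GENUINE_CERT = {
    "subject": ((("commonName", "login.skype.com"),),),
    "issuer": ((("organizationName", "Example CA Inc"),),
               (("commonName", "Example Trusted CA G2"),)),
    "subjectAltName": (("DNS", "login.skype.com"), ("DNS", "*.skype.com")),
}
# Same names, but issued through a different (reseller) CA that the browser
# also trusts. Chain validation alone would accept it.
ROGUE_CERT = {
    "subject": ((("commonName", "login.skype.com"),),),
    "issuer": ((("commonName", "Example Reseller Intermediate CA"),),),
    "subjectAltName": (("DNS", "login.skype.com"),),
}

# Constructed pin table: host -> issuer commonName the client insists on.
PINNED_ISSUERS = {"login.skype.com": "Example Trusted CA G2"}

def name_attribute(name, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert() name tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None

def host_matches(pattern, host):
    """Exact match, or a single left-most '*' label (e.g. *.skype.com)."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    first, _, rest = host.partition(".")
    return bool(first) and rest == pattern[2:]

def verify_peer(cert, host, pins=PINNED_ISSUERS):
    """Return (accepted, reason). Accepted only if the host is covered by a
    DNS SAN entry AND the issuer is the one pinned for this host."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(host_matches(p, host) for p in sans):
        return False, "hostname not covered by certificate"
    expected = pins.get(host)
    if expected is None:
        return False, "no pin configured for host"
    issuer_cn = name_attribute(cert["issuer"], "commonName")
    if issuer_cn != expected:
        return False, "unexpected issuer %r" % issuer_cn
    return True, "ok"

if __name__ == "__main__":
    print(verify_peer(GENUINE_CERT, "login.skype.com"))
    print(verify_peer(ROGUE_CERT, "login.skype.com"))
```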
In August 2010 Jarno Niemelä, Senior Researcher at F-Secure, started investigating a case of identity theft also involving Comodo, after discovering a malware sample that was signed by a code signing certificate. He tracked down the company mentioned in the certificate, and found a small consulting firm.
Niemelä contacted the company and asked whether they were aware that their code signing certificate had been stolen. Their response was that *they did not have any code signing certificates*. In fact, they didn't even produce software and therefore had nothing to sign. Clearly someone else had obtained the certificate in their name; they had been a victim of corporate identity theft.
With the help of the victim and Comodo, Niemelä discovered that the certificate had been requested in the name of an actual employee and that Comodo had used both e-mail and phone call verification to check the identity of the applicant. Unfortunately, the fraudster had access to the employee's e-mail and Comodo's phone call verification had either ended up with the wrong person or had failed due to a misunderstanding.
In fact, the compromised employee had also received a phone call from Thawte, another CA company. When Thawte asked if she had requested a code signing certificate in the company's name, she answered "No". Thawte then aborted the certification process.
This case shows that the malware authors will try multiple CAs until they find a way in.
When scammers have access to a company's e-mail, it is very difficult for a CA to verify whether the request coming from the company is genuine. It is likely that we will see more cases where an innocent company with a good reputation is used as a proxy for malware authors to get their hands on valid certificates.
Certification Authorities already have measures to pass information about suspicious certification attempts, and other kinds of system abuse. However, these systems are maintained by humans and are thus fallible. We have to accept the fact that with the current systems, certificates are not fool proof.
Targeted/semi-targeted attacks have been utilizing exploits against Microsoft's "RTF Stack Buffer Overflow Vulnerability" (CVE-2010-3333) since last December. The vulnerability was patched last November in security bulletin MS10-087.
Many of the attacks we've seen which exploit CVE-2010-3333 have used topical subject lines.
And this week is no different. So of course, there's an Osama bin Laden RTF exploit circulating in the wild which uses the subject: "FW: Courier who led U.S. to Osama bin Laden's hideout identified".
The file is called "Laden's Death.doc" and appears like this:
When the RTF file is opened, the exploit executes shellcode and drops a file named server.exe inside C:\RECYCLER and executes it.
C:\RECYCLER\server.exe does the following:
• Drops a file in the system's temp folder: vmm2.tmp
• File vmm2.tmp is renamed and moved to c:\windows\system32\dhcpsrv.dll
• Makes registry modifications in an attempt to hijack the DHCP service.
It attempts to connect to a C&C hosted at ucparlnet.com.
The payload has the ability to:
• Download additional malware
• Connect and send sensitive data back to remote servers
• Act as a trojan proxy server
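Detection logic built from the indicators listed above (server.exe under RECYCLER launched by Word, vmm2.tmp, dhcpsrv.dll in system32, the DHCP service registry change and the ucparlnet.com lookup), as an added example that is not F-Secure's own code. The endpoint events are constructed; the registry path for the DHCP client service is my assumption, since the post only says the service is hijacked.

```python
"""Match endpoint telemetry against the server.exe dropper chain."""
import re

# Constructed events, not real logs. Host ws01 shows the whole chain; ws02
# only resolves the C&C domain.
EVENTS = [
    {"host": "ws01", "type": "process_create", "image": r"C:\RECYCLER\server.exe",
     "parent": "WINWORD.EXE"},
    {"host": "ws01", "type": "file_create", "image": r"C:\RECYCLER\server.exe",
     "path": r"C:\Users\bob\AppData\Local\Temp\vmm2.tmp"},
    {"host": "ws01", "type": "file_rename", "image": r"C:\RECYCLER\server.exe",
     "path": r"C:\Windows\system32\dhcpsrv.dll"},
    # Assumed key: the post does not name which DHCP service value is changed.
    {"host": "ws01", "type": "registry_set", "image": r"C:\RECYCLER\server.exe",
     "path": r"HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\ServiceDll"},
    {"host": "ws01", "type": "dns_query", "image": r"C:\RECYCLER\server.exe",
     "query": "ucparlnet.com"},
    {"host": "ws02", "type": "dns_query", "image": r"C:\Program Files\x\y.exe",
     "query": "ucparlnet.com"},
]

OFFICE = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}

# (rule name, predicate over one event)
RULES = [
    ("office_spawns_recycler_exe", lambda e: e["type"] == "process_create"
        and e.get("parent", "").upper() in OFFICE
        and re.search(r"\\RECYCLER\\[^\\]+\.exe$", e["image"], re.I)),
    ("vmm2_tmp_dropped", lambda e: e["type"] == "file_create"
        and e.get("path", "").lower().endswith("\\vmm2.tmp")),
    ("dhcpsrv_dll_in_system32", lambda e: e["type"] in ("file_create", "file_rename")
        and re.search(r"\\system32\\dhcpsrv\.dll$", e.get("path", ""), re.I)),
    ("dhcp_service_key_modified", lambda e: e["type"] == "registry_set"
        and "\\services\\dhcp\\" in e.get("path", "").lower()
        and not e["image"].lower().endswith("\\services.exe")),
    ("cnc_domain_lookup", lambda e: e["type"] == "dns_query"
        and e.get("query", "").lower() == "ucparlnet.com"),
]

def match_rules(event):
    """Names of every rule the event satisfies."""
    return [name for name, pred in RULES if pred(event)]

def hits_per_host(events):
    """Map host -> set of distinct rule names seen on that host."""
    hits = {}
    for e in events:
        for name in match_rules(e):
            hits.setdefault(e["host"], set()).add(name)
    return hits

def verdict(rule_names, threshold=3):
    """One hit (e.g. only the C&C lookup) warrants a look; several distinct
    steps of the chain on one host are treated as a confirmed dropper."""
    n = len(rule_names)
    return "confirmed" if n >= threshold else ("suspicious" if n else "clean")

if __name__ == "__main__":
    for host, names in sorted(hits_per_host(EVENTS).items()):
        print(host, verdict(names), sorted(names))
```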
Checking our back end shows that some of our customers have also been exposed. Our detection name for the exploit is Exploit:W32/Cve-2010-3333.G and the RTF payload is detected as Trojan:W32/Agent.DSKA.
As always, the usual advice applies: exercise caution when opening attachments, patch/update your MS Word/Office, and make sure your antivirus is up to date.
Updated to add: Here's a picture of an e-mail spreading this document. This was sent to analysts in Washington, D.C. The picture was published by Lotta Danielsson-Murphy. Do note that the sender information in the e-mail is forged.
I was examining some Facebook spam this morning, hosted on a Page using an iframe tab application of some sort.
(Facebook appears to have a handle on spam Applications at the moment, as the current batch of spam is abusing Pages rather than Applications.)
In any case, the iframe content of the Page was not encrypted, and so I needed to temporarily disable my account's https option.
When I returned to my News Feed, I saw this promotion:
Help Protect Your Account with Secure Browsing (https)
I shouldn't have seen the prompt, as my account already had the https feature enabled, and the page was already https encrypted, but, well, Facebook is buggy like that.
Anyway, it seems that Facebook is poking users to Enable Secure Browsing.
Good. Kudos to Facebook.
Now that the https setting is persistent and the feature appears to be dynamic, everybody should consider using it; there are plenty of benefits and very little downside. If your Facebook account is not yet https enabled and you don't yet see the prompt, you can also find the option in your Account Settings under "Account Security".
We have just received the first samples of malware trying to ride on the death of Osama bin Laden.
A file called Fotos_Osama_Bin_Laden.zip is being spammed via e-mail. The archive contains a file called Fotos_Osama_Bin_Laden.exe (md5: d57a1ef18383a8684c525cf415588490).
Of course, running this file won't show pictures of the dead bin Laden. Instead it executes a banking trojan belonging to the Banload family. It installs itself on the system (as msapps\msinfo\42636.exe) and starts monitoring your online banking sessions (via a BHO), trying to redirect your payments to the wrong accounts.
We detect this one as Trojan-Downloader:W32/Banload.BKHJ.
As general advice: it's unlikely you'll find pictures or videos of bin Laden's death online — but searching for one will certainly take you to sites with malware. Take care.