Now we have heard of new incidents involving a money scam. The scam works by the user receiving an innocent-looking web page link over SMS, along with social engineering text that makes the user curious enough to click the link.
If the user opens the link in the phone's web browser, he gets a page informing him that he has just been subscribed to a service, one that will automatically cost a few euros per month. At this point our user naturally concludes that the SMS is spam and closes the phone's web browser without clicking anything.
Normally this would be the end of it, as our user did not enter any personal information that the spam company could use to identify him and send him the bill.
In this particular case, however, things work a bit differently. Even though the user entered no information about himself, a charge still appears on his phone bill, because he has been subscribed to a premium content service.
How did that happen?
The key to how this scam works is the browser in the phone. By default, phone web browsers are configured to reach the Internet through the operator's WAP gateway. The gateway identifies the subscriber to the sites he visits, typically by inserting the subscriber's phone number (MSISDN) or another subscriber identifier into the outgoing web requests, and that is also the information operators use to bill for content services. Thus merely visiting a page with the phone's web browser over the WAP connection gives a less than honest company enough information to issue a charge that is automatically added to the user's phone bill.
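To make the mechanism concrete, here is an added example (not code from the original post) that emulates what a premium-content site sees when a phone browser arrives through an operator WAP gateway. The gateway "enriches" the request with a subscriber identifier, so the site can bill the visit without the user typing anything. The header names in the list are ones operator gateways have commonly inserted; which of them a given operator uses, and the sample requests themselves, are assumptions constructed for the example.

```python
# Added example (not code from the original post). Emulates what a premium-content
# site sees when a phone browser arrives through an operator WAP gateway: the
# gateway "enriches" the request with a subscriber identifier, so the page can be
# billed without the user typing anything. The header names listed are ones
# operator gateways have commonly inserted; which ones a given operator uses is
# an assumption for this example.
from typing import Dict, Optional

# Headers observed to carry the MSISDN (phone number) or an operator subscriber id.
ENRICHMENT_HEADERS = (
    "x-msisdn",
    "x-up-calling-line-id",
    "x-nokia-msisdn",
    "x-up-subno",
)


def parse_request(raw: bytes) -> Dict[str, str]:
    """Parse the header block of a raw HTTP request into a lower-cased name -> value dict."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def subscriber_identity(headers: Dict[str, str]) -> Optional[str]:
    """Return 'header=value' for the first enrichment header present, else None."""
    for name in ENRICHMENT_HEADERS:
        if name in headers:
            return f"{name}={headers[name]}"
    return None


def audit(raw: bytes) -> str:
    """One-line verdict: can this visit be billed from the request alone?"""
    ident = subscriber_identity(parse_request(raw))
    if ident is None:
        return "no subscriber identifier: direct Internet access point, cannot bill this visit"
    return f"billable: gateway identified the subscriber as {ident}"


# Constructed sample requests (not captured traffic). The first passed through a
# WAP gateway, the second came over a plain Internet access point.
VIA_WAP_GATEWAY = (
    b"GET /subscribe HTTP/1.1\r\n"
    b"Host: premium.example\r\n"
    b"User-Agent: Mozilla/5.0 (SymbianOS)\r\n"
    b"X-MSISDN: 358401234567\r\n"
    b"Via: 1.1 wapgw.operator.example\r\n"
    b"\r\n"
)
DIRECT = (
    b"GET /subscribe HTTP/1.1\r\n"
    b"Host: premium.example\r\n"
    b"User-Agent: Mozilla/5.0 (SymbianOS)\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(audit(VIA_WAP_GATEWAY))
    print(audit(DIRECT))
```

Pointing a phone at a page that runs `audit()` on its own request is also a quick way to check whether a given access point still leaks a subscriber identifier after changing the browser settings.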
Whether this practice is legal depends on which country the user happens to live in, and as we are not lawyers we are not going to speculate further on that.
There is a very easy way to be safe from this kind of scam: don't use the WAP gateway. GSM operators normally send Internet configuration messages that also contain settings for an access point which does not go through the WAP gateway. To take the non-WAP access point into use, look in the phone web browser's settings menu for an option called 'access point' or something similar, and change it away from anything labelled 'WAP services'.
The downside of bypassing the WAP gateway is that you will no longer be able to access premium content, if you are used to that; the upside is that random websites can no longer identify you simply because you visited them.
Another option is to check whether your phone company allows you to set a block on premium rate billing and specify what kind of services you want to use. For example, most Finnish operators allow a user to specify that they want to use information services and public services such as SMS tram and metro tickets, but still block third party entertainment services.
In Las Vegas, the first day of the Black Hat briefings is nearly complete. Black Hat is one of the biggest security conferences and always attracts skilled researchers to present their work.
Having worked quite a bit with our BlackLight rootkit scanning technology I ended up sitting a lot in the Rootkit track sessions. Day 1 included some interesting presentations:
Stoned Bootkit, Peter Kleissner
Peter presented an open development framework for creating rootkits that activate early on in the boot process using the Master Boot Record. Most of the technology is something we've seen in previous research, but the scary part lies in the extensibility of the Stoned Bootkit.
Peter briefly touched on some sample extensions. One example was the CO2 rootkit plugin that used ACPI to slow the CPU down to save the environment! Now this is all very nice, but I expect that the most enthusiastic users for the Stoned Bootkit framework will be in the malware author community. And please take my word on this: they're not in it to save the rain forests.
Introducing Ring -3 Rootkits, Alexander Tereshkin and Rafal Wojtczuk
Rootkits keep developing. In the past years, they've gone from usermode (Ring 3) to the kernel (Ring 0), from kernel to the hypervisor (Ring -1) and all the way to System Management Mode (Ring -2).
Alexander and Rafal explored the possibility of running malicious code in the Intel AMT execution environment. AMT is meant for remote management, but unfortunately what is remote management for the good guys is a rootkitted backdoor for the attackers. I'm betting this is not the end of the rootkit countdown, though. Anyone care to guess where the Ring -4 rootkits will run? I'm sure we'll see soon.
Of course not everything has been about rootkits. The first day included not one but two interesting talks on X.509, which is one of the building blocks of SSL/TLS.
Among other things, Moxie Marlinspike and Dan Kaminsky had independently found a problem in most implementations that enables an attacker to obtain certificates that appear valid for any web site. By embedding a NULL character in the certificate's name field, the attacker gets a name that the CA validates against a domain he controls, while a browser that handles the name as a C string stops at the NULL and incorrectly matches the malicious certificate to a legitimate web site. Nice work from both researchers!
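The following added example (my own illustration, not the researchers' code) models the mismatch between the two parties: the CA looks at the registered domain at the right end of the Common Name, while a browser that hands the field to C string functions sees only what precedes the first NUL byte. The domain names are placeholders, and the "bare `*` matches anything" behaviour of the naive matcher is an assumption about the vulnerable implementations.

```python
# Added example (not the researchers' code). Models the NULL-prefix certificate
# problem: a CA validates the registered domain at the right end of the Common
# Name, while a browser that treats the field as a C string stops at the first
# NUL byte and compares only the part before it. The domain names are placeholders.
import fnmatch

CRAFTED_CN = b"www.bank.example\x00.attacker.example"   # what the attacker asks the CA to sign
WILDCARD_CN = b"*\x00.attacker.example"                 # the "valid for any site" variant


def registered_domain(cn: bytes) -> str:
    """The part a CA's domain-ownership check looks at: the last two labels of the full field."""
    return ".".join(cn.decode("latin-1").split(".")[-2:])


def cn_as_seen_by_c(cn: bytes) -> str:
    """Everything after the first NUL is invisible to strlen/strcmp-style code."""
    return cn.split(b"\x00", 1)[0].decode("latin-1")


def naive_matches(cn: bytes, hostname: str) -> bool:
    """Vulnerable matcher: C-string truncation plus ordinary glob-style wildcard matching
    (assumption: a bare '*' is honoured, which makes WILDCARD_CN match every host)."""
    return fnmatch.fnmatchcase(hostname.lower(), cn_as_seen_by_c(cn).lower())


def strict_matches(cn: bytes, hostname: str) -> bool:
    """Hardened matcher: the field is a length-delimited string, never a C string.
    Any NUL byte is a malformed name and fails; a wildcard may only be a leading
    '*.' and covers exactly one label."""
    if b"\x00" in cn:
        return False
    name = cn.decode("latin-1").lower()
    host = hostname.lower()
    if name.startswith("*."):
        suffix = name[1:]                      # ".attacker.example"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return name == host


if __name__ == "__main__":
    for cn in (CRAFTED_CN, WILDCARD_CN):
        print(f"CA validated:      {registered_domain(cn)}")
        print(f"browser compared:  {cn_as_seen_by_c(cn)!r}")
        print(f"naive match:       {naive_matches(cn, 'www.bank.example')}")
        print(f"strict match:      {strict_matches(cn, 'www.bank.example')}")
```

The fix in real implementations is the same as in `strict_matches`: compare using the ASN.1 length of the name rather than a C string, and treat an embedded NUL as a hard failure.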
Signing off from Las Vegas, Antti
P.S. If you are attending, don't miss Mikko's talk on the Conficker worm on Thursday afternoon!
However, we've now seen a shift in the hostnames. The attackers seem to be registering misleading domain names on purpose, and have now been seen using hosts with names such as:
The apparent motive is that a busy IT administrator might look at a firewall log alert about a machine connecting to www.adobeupdating.com and simply disregard it: "That must be the PDF reader downloading updates…" In reality, adobeupdating.com is registered to somebody in Zaire and resolves to an IP address in Australia.
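One way to catch this trick in firewall logs, as an added example that is not part of the original post: flag every destination that contains a vendor's name but is not actually under a domain that vendor uses. The log format (key=value pairs with the destination in `dst_host=`), the sample lines and the vendor-to-domain table are all constructed assumptions for the example; adapt them to your own firewall and environment.

```python
# Added example (not from the original post). Flags outbound connections whose
# destination borrows a vendor's name without being under that vendor's real
# domain. The log format and the brand table are assumptions for the example.
import re
from typing import Dict, List, Optional, Set, Tuple

# Vendor keyword -> domains that vendor genuinely uses (extend for your environment).
LEGITIMATE: Dict[str, Set[str]] = {
    "adobe": {"adobe.com"},
    "microsoft": {"microsoft.com", "windowsupdate.com"},
}


def is_under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it (not merely containing it)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def brand_lookalike(host: str, table: Dict[str, Set[str]] = LEGITIMATE) -> Optional[str]:
    """Return the vendor name a hostname imitates, or None if it is genuine or unrelated."""
    h = host.lower()
    for brand, domains in table.items():
        if brand in h and not any(is_under(h, d) for d in domains):
            return brand
    return None


# Assumed log format: key=value pairs, destination hostname under dst_host=.
LOG_RE = re.compile(r"\bdst_host=(\S+)")


def suspicious_connections(log_lines: List[str]) -> List[Tuple[str, str]]:
    """(hostname, imitated vendor) for every line whose destination is a look-alike."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        brand = brand_lookalike(m.group(1))
        if brand:
            hits.append((m.group(1), brand))
    return hits


# Constructed firewall log lines (not real traffic).
SAMPLE_LOG = [
    "2009-07-16 09:12:01 action=allow src=10.1.2.3 dst_host=www.adobe.com dst_port=80",
    "2009-07-16 09:12:07 action=allow src=10.1.2.3 dst_host=www.adobeupdating.com dst_port=80",
    "2009-07-16 09:13:40 action=allow src=10.1.2.9 dst_host=update.microsoft.com dst_port=443",
    "2009-07-16 09:14:02 action=allow src=10.1.2.9 dst_host=microsoft.com.download-check.net dst_port=80",
    "2009-07-16 09:15:11 action=allow src=10.1.2.4 dst_host=www.example.org dst_port=80",
]

if __name__ == "__main__":
    for host, brand in suspicious_connections(SAMPLE_LOG):
        print(f"REVIEW: {host} looks like {brand} but is not under a {brand} domain")
```

Note that `is_under` checks label boundaries, so `microsoft.com.download-check.net` is flagged while `update.microsoft.com` is not; a plain substring check would get both wrong.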
Three weeks ago we posted a series of screenshots of bait document files used in targeted attacks. These are files that have been used to infect specific individuals in different organizations in order to gain access to their computer.
All the documents shown below contained exploits that installed backdoors. Targets of these attacks are not known.
Again, this was just a quick sampling; we get a lot of these.
We'll be blogging more tomorrow about a change in the hostnames used in these attacks.
P.S. Feel free to leave suggestions for translations of the non-English documents in the comments section.
We recently saw this malicious file being spread in e-mails. The name of the file was Novel H1N1 Flu Situation Update.exe and the icon made it look like a Word document file.
When the file was opened, it created several new files on the hard drive:
The executables contain backdoor functionality, including an elaborate keylogger.
And the document file that is dropped gets automatically opened by the malware, causing the user to think he really opened a Word file. This is what the document looks like.
We detect this file (MD5 d8a9fb16318130ccd7924e03b33070c1) as Agent.avzq.
There has been lots of media coverage for the Yxe aka Sexy Space aka Sexy View mobile worm. So here's a Q&A to answer some questions on it:
Q: Why is this worm important? A: It's the first text message worm in history.
Q: I thought text message worms were just urban legends! A: Definitely not.
Q: How can you attach a worm into a text message? A: You can't. Instead, the worm puts a web link pointing to the worm's web site into a text message.
Q: A link? Can you click on a link in a text message? A: Yes. On practically all smartphones. Just like you can click on a link in an e-mail.
Q: Why would I click on such a link? A: Because the link is in a convincing message.
Q: Convincing how? A: Convincing as in a text message coming from your best friend with a message like "Check this out!" and a web link.
Q: Would such a message be spoofed or would it really come from my friend's phone? A: Yxe sends its messages to phone numbers found in the phonebook. So if your friend gets infected, you get the message from his phone.
Q: What kind of messages does it send? A: These vary, as the worm downloads a fresh message template from a website.
Q: Is this a mobile botnet? A: Not really. The only remote control the worm has is the above update mechanism to change what kind of text messages are being sent. But it's close.
Q: What happens if I follow the link? A: The link will take you to a website which will automatically push a SIS installation package to your phone. You get one prompt: Install Sexy Space? Yes or No.
Q: No security warnings? A: No.
Q: But there should be a security warning, unless the SIS package has been signed! A: It has been signed.
Q: Why did Symbian sign it? A: We believe the virus writer submitted the malware through the Express Signing procedure, where most applications are not inspected by humans.
Q: Ok, so I click Yes. What happens then? A: The worm will install itself on your device, and will send a similar text message to all contacts listed in your phonebook. These messages are sent in your name and from your phone.
Q: Who pays for these messages? A: You do. If you're infected, you will pay for each SMS sent by the worm. A typical cost for a single text message might be 5 cents. If you have 500 contacts in your phone, an infection would cost you 500 times 5 cents.
Q: In addition to spreading, what does the worm do? A: It steals information from the phone and sends it away, including the phone's IMEI number.
Q: What's the motive? A: We don't know.
Q: Where are these YXE worms written? A: In China.
Q: Which companies submitted these YXE worms for signing? A: Companies called XiaMen Jinlonghuatian Technology Co. Ltd., ShenZhen ChenGuangWuXian Tech. Co. Ltd. and XinZhongLi TianJin Co. Ltd.
Q: Has Symbian revoked these certificates yet? A: Yes.
Q: So the problem is over, then? A: No. The revocation certificates are not immediately distributed to all the hundreds of millions of Symbian smartphones. The default setting in most Symbian phones has to be changed to enable them to receive revocation certificates. To do this, go to Application Manager's Settings and set the Online certificate check to Must be passed.
Here's a picture of what you should do:
Q: How widespread is this? A: Not very. We have very few confirmed reports. Yxe seems to be a problem only in China and Middle East at the moment.
Q: Which phones are affected by this? A: All Symbian Series 60 3rd Edition phones by Nokia, LG and Samsung. So, for example, best-selling phones like Nokia N95 or Nokia E71.
Q: Who cares. Nobody uses Symbian anyway. iPhone rocks. A: Symbian has a 49% share of the smartphone market. iPhone has 10%.
Yesterday a new vulnerability was announced in Microsoft Office Web Components and as with all new exploits that can be used in drive-by downloads we tried it with F-Secure ISTP and ExploitShield. Yet again ExploitShield protected the user without the need for any updates. Here's the video showing the exploit in action when ISTP is installed together with Internet Explorer 6 and Internet Explorer 8.
The author of that research, Alberto Moreno Tablado, recently contacted us to let us know there's an update.
From Tablado:
The vulnerability was first disclosed in January 2009 as a Microsoft Bluetooth Stack issue affecting Windows Mobile 6 as a whole. However, further investigations proved that the issue is in a 3rd party driver installed by HTC. Microsoft states that the affected OBEX FTP server driver is a 3rd party driver installed by HTC on its devices running Windows Mobile, so the vulnerability only affects this vendor specifically and other vendors' Windows Mobile devices are not affected.
Furthermore, in January it appeared that a vulnerable device needed to be paired with the attacker's device. Tablado now states that more sophisticated attacks, such as sniffing the Bluetooth pairing, cracking the link key and spoofing the MAC address, can be used to get around this requirement.
The following devices are reported as vulnerable:
• HTC devices running Windows Mobile 6 Professional
• HTC devices running Windows Mobile 6 Standard
• HTC devices running Windows Mobile 6.1 Professional
• HTC devices running Windows Mobile 6.1 Standard
No one particular browser is completely secure and today brings additional evidence of this fact with the posting of a Firefox exploit that allows for the execution of arbitrary code. The current version of Firefox (3.5) is affected and older versions may be as well.
The vulnerability in Firefox 3.5 is caused by an error in the browser's handling of JavaScript code. See our vulnerability description for additional information. The exploit, discovered by SBerry, was posted to a popular exploit site yesterday.
Joshua, one of our Browsing Protection researchers, tested this Firefox exploit against our Exploit Shield technology.
And the result was good. Our Exploit Shield heuristically detected it as shellcode and blocked the exploit.
0-Day browser protection against 0-Day exploits. Exploit Shield will be part of this year's product release.
Note: Firefox is a great browser… but you still want to practice safe surfing habits.
—————
Updated to add: In case there is any confusion, our earlier post regarding Firefox 3.5 discussed exploits targeting outdated web apps/plugins in the updated browser; whereas this exploit targets a vulnerability in the browser itself.
Would you like to have a remote network drive to backup/store your personal data?
Well then, the folks at Steek offer 1GB of free secured online storage. It's fully integrated with Windows Explorer and works like an external hard drive.
There's a new Microsoft Security Advisory (973472) to review while waiting for tomorrow's Microsoft Updates.
A vulnerability exists in the ActiveX control used by, wait for it… Internet Explorer to display Excel spreadsheets (Office Web Components). It doesn't affect Office 2007 but many other versions are vulnerable.
Considering the timing of this advisory, it isn't likely to be patched tomorrow, so check out the workaround instructions.
Microsoft states that they're aware of "attacks attempting to exploit the vulnerability".
So Firefox 3.5 is available and it has quickly become a hot download item, with almost 24 million downloads worldwide so far. The browser itself is touted as faster, safer and just better — but that's no reason not to be cautious.
One of our Vulnerability Analysts turned up this video the other day. The video title says "Firefox Exploit" but so far in our analysis, it looks like the exploits aren't really targeting Firefox.
The attack itself is rather comprehensive — there are at least 3 exploits being tried and their execution is a little involved. The exploits target vulnerable Adobe Flash players (CVE-2007-0071) and Microsoft ActiveX Controls (CVE-2008-0015). The last exploit has been making the rounds in the wild recently.
Still, the vector being used is the tried and true route of a vulnerable web application. So it's basically the same old hole in a brand new dress. Updating the browser — good. Not updating web apps at the same time — not so good. Just as a precaution, don't forget to update all your plugins, apps and so on when you update your browser!
Having said that, our Exploit team is currently digging deeper into certain features of the exploits. We'll add updates if and when any more interesting features turn up.
—————
Updated to add: The exploits in the malicious website are targeting the following vulnerabilities:
Three of the vulnerabilities are related to ActiveX Controls. CVE-2009-1136 is the subject of the latest Microsoft Security Advisory (973472) and is also the subject of one of our later posts (see above). Visiting the malicious site with Internet Explorer 6 and 7 caused the browsers to crash and the payload to run.
It looks like the only vulnerability that has more impact on Firefox 3.5 is CVE-2007-0071, which affects Flash players. Visiting the website with the latest Flash player, or without it installed, may not trigger the drive-by download.
Still, that doesn't mean the user is 100% protected if they do visit the website. The site's contents appears to have changed since that video came out, so it is possible the exploits (and targeted vulnerabilities) have changed as well.
So whatever browser or web app version is installed, just don't visit a known malicious website.
—————
Updated again to add: An actual exploit targeting the Firefox 3.5 browser itself – rather than an outdated web app or plugin – has since been reported.
We've analyzed this new variant, which we call Worm:SymbOS/Yxe.D, and from our point of view there are no major differences from our original detection.
Except for one thing…
This Yxe.D variant is signed with a certificate from yet another company.
So now there are two Symbian approved worm vendors for S60 3rd Edition phones.
Other targets, like whitehouse.gov seem to be unaffected (then again, whitehouse.gov runs under Akamai, making it a much harder target).
Some sources have linked this attack to the five-year-old Mydoom worm family. Here's what we know: a pack of sample files related to this attack has been making the rounds between antivirus labs.
One of those files (MD5: 93322e3614babd2f36131d604fb42905) really is a Mydoom variant.
We detect it as Email-Worm.Win32.Mydoom.hw. However, we can't find any evidence that this particular file would attack any of the targets currently under DDoS.
Others question the data sources, but while they may doubt the percentages, they agree that IE's market share is generally falling.
Whatever its market share, one thing is certain: web browser competition is quite healthy at the moment and consumers have plenty of options to choose from.
We hosted a poll in June 2008 asking about our readers' preferred browser.
As mentioned in the previous post, there's a new 0-day vulnerability in Microsoft's ActiveX Video Controls, more specifically in the file msvidctl.dll. Microsoft has now published an advisory about the vulnerability, and in it they recommend that you set the kill bit (the Compatibility Flags value under Internet Explorer's ActiveX Compatibility registry key) to disable the vulnerable CLSIDs, all 45 of them.
As this vulnerability is actively being used in drive-by downloads it's a good idea to do this.
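For administrators who want to push the workaround to many machines rather than click through regedit, here is an added example (my own code, not Microsoft's Fix-it or anything from the original post) that builds a .reg file setting the kill bit for a list of CLSIDs. The kill bit is the 0x400 flag in the "Compatibility Flags" value under the ActiveX Compatibility key, the procedure Microsoft documents in KB article 240797; the CLSID in the example is a placeholder, so substitute the 45 from the advisory.

```python
# Added example (not Microsoft's Fix-it or code from the original post). Builds a
# .reg file that sets the kill bit for a list of ActiveX CLSIDs. The kill bit is the
# 0x400 flag in the "Compatibility Flags" value under the ActiveX Compatibility key
# (Microsoft KB 240797); Internet Explorer then refuses to instantiate the control.
# The CLSID below is a placeholder: take the real list from the advisory.
import re
from typing import Iterable, List

KILL_BIT = 0x400
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
# 32-bit Internet Explorer on 64-bit Windows reads the Wow6432Node view of the key.
COMPAT_KEY_WOW64 = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility"
)

_CLSID_RE = re.compile(r"^\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?$")


def normalize_clsid(clsid: str) -> str:
    """Validate a CLSID and return it in canonical {UPPERCASE} form. Anything else is
    rejected, so a typo cannot silently create a harmless (and useless) key."""
    m = _CLSID_RE.match(clsid.strip())
    if not m:
        raise ValueError(f"not a CLSID: {clsid!r}")
    return "{" + m.group(1).upper() + "}"


def killbit_reg(clsids: Iterable[str], include_wow64: bool = True) -> str:
    """Return the text of a .reg file (CRLF line endings, as regedit expects).
    Caveat: this writes exactly 0x400; if a control already carries other
    compatibility flags, OR the kill bit into the existing value instead."""
    keys = [COMPAT_KEY] + ([COMPAT_KEY_WOW64] if include_wow64 else [])
    lines: List[str] = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        canon = normalize_clsid(clsid)
        for key in keys:
            lines.append(f"[{key}\\{canon}]")
            lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
            lines.append("")
    return "\r\n".join(lines)


def killbit_entries(reg_text: str) -> int:
    """Count how many keys the file sets (one per CLSID per registry view)."""
    return reg_text.count('"Compatibility Flags"=dword:00000400')


# Placeholder CLSID for demonstration only; substitute the advisory's list.
EXAMPLE_CLSIDS = ["{00000000-0000-0000-0000-000000000000}"]

if __name__ == "__main__":
    print(killbit_reg(EXAMPLE_CLSIDS))
```

Import the generated file with `regedit /s` or deploy it through Group Policy; after importing, confirm with `reg query` that the value reads 0x400 for each CLSID before assuming the workaround is in place.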
Or, you could download our free Internet Security Technology Preview or our standalone ExploitShield beta, which also protects against this — proactively, without the need for updates.
We tried our Internet Security Technology Preview (on which our upcoming 2010 product will be based) and its Browsing Protection against this new exploit and it worked like a charm. It blocked the exploit attempt without the need for any signatures/shields. The generic exploit protection is pretty awesome, as is ExploitShield itself.
Here's a video of how ISTP does against the new vulnerability and what happens if you disable parts of the protection technologies.
It's always interesting to browse through the bait document files used in targeted attacks. These are files that have been used to infect specific individuals in different organizations in order to gain access to their computer.
All the documents shown below contained exploits that installed backdoors. Targets of these attacks are not known.
This is just a quick sampling; we get a lot of these.
Charlie Miller, a well-known security researcher who specializes in Mac and iPhone security, yesterday revealed information about a new vulnerability in iPhone that allows remote code execution via SMS. Not a lot is known about the vulnerability, which was announced at the SyScan conference in Singapore, except that Charlie is working with Apple to get it fixed as soon as possible.
(picture from apple.com)
This is about as bad as it gets, as the vulnerability seems to allow unsigned code to run, which circumvents a core part of the iPhone's security model: normally the device only runs signed code, i.e. apps that have been approved by Apple. Unlike current mobile malware, no user interaction is required. InfoWorld has the original story here.
Charlie plans to reveal more information at BlackHat USA.
PS. I'm shift manager for one of our three daily response shifts this week and I'm tweeting about what we're doing on the shift over at http://twitter.com/patrikrunald.
—————
Updated to add: Dan Goodin has more at The Register.
The Wall Street Journal reports that Beijing has delayed its mandate to have Green Dam Youth Escort filtering software installed on all new Windows computers sold in China. The deadline was originally July 1st.
Firefox 3.5 was released yesterday. I've been waiting to try out the Private Browsing Mode, so I installed it today.
Here are the privacy settings from my installation of Firefox 3.0.1.
And when I installed Firefox 3.5 the Private Browsing option was disabled. What?
Seems that the installation recognized my 3.0.1 settings as the equivalent of Private Browsing and preconfigured 3.5 to "Automatically start Firefox in a private browsing session".
Very nice work.
So, nothing changed at all. Except now I have easy options to reconfigure por… paranoi… err, Private Browsing if I opt to do so.
With all the talk of Michael Jackson spam and Michael Jackson malware going on, it was mildly interesting today when a Fellow in our KUL Lab received an SMS – with link – that mentioned the King of Pop as well:
The IP address appears to be registered in Malaysia but fortunately the link doesn't seem to work.