News from the Lab Archive : January 2004 to September 2015

NEWS FROM THE LAB - June 2011

ARCHIVES | SEARCH

Thursday, June 30, 2011

Tricky New Facebook Spam Technique	Posted by Sean @ 20:53 GMT

We've (re)discovered an interesting new run of Facebook CPA survey spam.

It uses this subject line: This girl killed herself after her dad posted a secret of her on her fb wall.

The spammer used this template two weeks ago and it then linked to a webpage hosted at thedominio.info.

Today, the spam links to apps.facebook.com. Directly to a Facebook app, very interesting…

It's been quite some time since we've seen a direct link to an app. In their constant cat and mouse battle with Facebook, spammers have long been forced to use short URL services and other redirection tricks.

Let's see what's new.

The spam uses the same image, subject and description, but links to an app. This benefits the spammer in two ways. First, it reduces his overhead because he needs to maintain fewer external resources. Secondly, reputation services such as Web of Trust rate apps.facebook.com as safe, so there are likely to be fewer warnings about the link.

We've detected three applications so far.

  •  girl1 — http://apps.facebook.com/storynumb/
  •  girl2 — http://apps.facebook.com/girlstoryyl/
  •  girl3 — http://apps.facebook.com/seeingstoey/

But there's not much to see from those apps. If the Facebook user clicks on the link, the application will immediately redirect them to url-linkay.tk where this "video player" is displayed (thedominio.info now redirects to url-linkay.tk.).

This part is a typical clickjacking using a transparent frame to hide the Facebook like plugin button.

Clicking on the play button "likes" the page and spreads it to your Facebook News Feed.

Firefox users with NoScript installed will get this ClearClick Warning dialog which shows the contents of the transparent frame.

Users without some sort of clickjacking protection will be redirected back to Facebook, to another app page.

  •  all the story — http://apps.facebook.com/allthestorylive/

This app hosts the CPA survey that the spammer profits from.

This particular spam template pulls its content from www.promotiontrack.mobi.

Attempting to close the tab/page generates the follow dialog:

"Help keep this content free." WTH? Please… what "content"?

Somehow the app works without actually adding itself to the user's Facebook profile.

While it doesn't appear to spread as quickly as some other spam templates, based on the number of active users, the spammer may still have earned himself a couple of thousand of dollars.

We'll be sending additional details to Facebook's security team so they can fix the "feature" that allows for this technique.

Updated to add on July 1st: The spam template is now pulling its content from www.impressionvalue.mobi.

Tuesday, June 28, 2011

Krebs Trojan Pushes Adult Website	Posted by Sean @ 15:19 GMT

Complete malware analysis is often limited by real-world circumstances.

Many of the trojans that we analyze will attempt to connect to a remote server for further instructions. At this point, we know that the software is not legitimate and should be blocked from installation on our customer's computers. We don't really need to examine it any further (and often times, the server is offline). But just what would that trojan do if it only had access to its remote master?

We use automation to test malware in an isolated network. We don't generally test malware with a real Internet connection because we want to limit possible exposure to the rest of the world's netizens. But every now and then something catches our interest and we'll perform a manual test.

Such as the trojan we blogged about last Thursday which creates a mutex named after reporter Brian Krebs.

When we first encountered the trojan, its server, fatgirlsloveme.com, was offline, and then, it went live two days later.

So we configured a Windows 7 test computer, infected it with Trojan-Downloader:W32/Agent.DTBM, connected it to the Internet, and opened Internet Explorer.

One Bing search and then — a pop-up window opened promoting the following webiste:

Russian Sex Brides?

Adult website pop-ups?

We had been hoping for something a bit more interesting. Ah well…

The website doesn't appear to use affiliates as part of its marketing efforts. It's unknown what type of connection the trojan author has with the website's owner, Thunder Road, Inc.

The trojan is still not prevalent, but our customer statistics show that it currently remains active in the wild.

Monday, June 27, 2011

Cloned Android Apps: Symbiosis or Parasitic?	Posted by ThreatInsight @ 08:22 GMT

There was a recent report of a malicious Android package installation being hosted on a fake "Android Market"-lookalike site, which was pushed to users from an advertisement link.

The distribution strategy itself is not new. We saw variations of this happening with Google advertisements 2 years back, though in that case it was rogue or scareware that was being pushed by the advertisements.

What is interesting about the case is: Android application repackaging. We've seen this tactic being used quite frequently in the last few months, as it seems to be the favored "quick" way for malware authors to produce new Android malware.

What's also interesting is that this seems to be a popular way for developers to produce "new", clean applications. We've been seeing a rash of repackaged applications posted on the official Android Market. (Android apps are written in Java, and so they have a very low threshold for cloning, there are no real barriers to reverse engineer them.)

One example we saw recently is shown below, with the original app on the left and the repackaged app on the right:

The repackaged application has the same modules as the original, but includes an advertisement module. In some cases, there were no technical changes from the original application at all — just a change in the app name, of course.

Most of the repackaged apps we've seen are "clean" in that they don't have any malicious code included in them. So far, we also haven't seen any instances of the repackaged apps being distributed as paid apps.

Presumably, the point of the repackaging is to include the advertisement module, with the developers gaining some kind of monetary reward when users view or click through the ads being displayed.

However, since the repackaging was most likely done without the consent of the original developer(s), the repackaged app would probably be considered pirated, or at least intellectual property theft to the original developer.

This is still something of a grey area though, especially as Google doesn't actively vet every application posted on the Android Market. Whether most developers — and users — are going to consider these repackaged apps as just another side-effect of an "open market" philosophy, or conversely as rip-offs of a developer's honest efforts, is anybody's guess.

Threat Insight post by — Raulf

Thursday, June 23, 2011

Somebody Doesn't Like Krebs on Security	Posted by Sean @ 11:37 GMT

At F-Secure Labs, we design, build, and use numerous systems that perform automated sample analysis.

Some of that automation monitors suspicious code for various keywords. And why do we monitor for keywords? Because some malware authors like to embed hidden messages in their code.

For example, Virus:W32/Divvi contains this string: "Mikko cut ur ponytail" — clearly a reference to our own Mikko Hypponen.

Many malware authors also sprinkle their code with references to pop culture, using words such as "Chuck Norris".

We've even come across a David Hasselhoff themed Remote Administration Tool (RAT).

Fraud-News.com was recently hacked to post a false story that Mikko and Brian Krebs were arrested for credit card fraud.

Naturally, we began monitoring incoming samples for the keyword "Krebs".

And it didn't take very long before something turned up.

Trojan-Downloader:W32/Agent.DTBM (SHA-1: 20dba9e7730094341f327194f67b43bd751dd9cf) creates the following mutex:

[name removed at request]_AND_BRIANKREBS_GOT_MARRIED

This trojan is in the wild, but is not highly prevalent. Our antivirus blocked it based on behavioral heuristics even before we added a signature detection.

Additional analysis from our Threat Research team tells us that the trojan attempts to connect to fatgirlsloveme.com (Whois). The site/server was not online two days ago, but its proxy now appears to be active (hosted in Germany).

Our analysis continues.

As does our "watchful and intent" automation.

Tuesday, June 21, 2011

LulzSec Suspect Taken Into Custody	Posted by Sean @ 12:54 GMT

Rumors and news regarding hacker group LulzSec have been afloat on Twitter today.

The rumors circle around this Pastebin post which claims that LulzSec had acquired the UK's 2011 census data.

Note that anybody can post to pastebin.com.

Soon after, news came that Scotland Yard has arrested a 19-year-old in Essex.

Should be interesting to see what comes next…

Will the UK's census data be published to The Pirate Bay?

For those of you that don't use Twitter because you don't do social networking (it's really social media), but that want to be alerted to breaking stories, here's an RSS feed that you can use to "follow" Mikko Hypponen:

http://twitter.com/statuses/user_timeline/23566038.rss

Monday, June 20, 2011

Student faces US extradition over copyright charges?	Posted by Sean @ 17:42 GMT

Richard O'Dwyer was in the news this weekend. He's a 23-year-old from the UK that is facing extradition to the USA over tvshack.net, a website which was seized by the US government due to claims of copyright infringement.

O'Dwyer has the same lawyer as Gary McKinnon, who allegedly hacked into United States military and NASA computers back in 2001. McKinnon has been diagnosed with a form of autism and of having a precarious state of mental health. His mother has claimed he's suicidal and would not survive US prison.

Richard O'Dwyer's mother is also front and center in her son's defense.

She told the BBC that "To me he's just a geeky boy, who sits in his room messing on his computer."

We decided to learn more.

O'Dwyer has been widely reported to be a Sheffield Hallam University student.

We found this by doing a Google Images search:

It says he graduated in 2008. Perhaps he's a post-graduate student?

But then there was this Facebook page that caught our eye:

Richard O'Dwyer… Athlete.

That's a very nice Mini.

Looks expensive.

There's Richard's photo.

And there's a link to his website, odwyerracing.com.

O'Dwyer Racing is not online.

Last week, the site suddenly began redirecting to a company called Web Design Yorkshire at richardodwyer.co.uk.

This is what O'Dwyer Racing looked like:

O'Dwyer Racing's YouTube channel — https://www.youtube.com/user/RichardODwyer — is also no longer available.

However, some of the individual videos can still be seen (for the moment).

Now, all this paints a very different picture than that of the "geeky boy sitting in his room with his computer". (Is it all just a defense strategy?) Perhaps his mother's view is truly one side of Richard O'Dwyer. And perhaps O'Dwyer really is in fact a student. But clearly there's another side to Richard, racing car enthusiast and businessman, and it's a side that somebody is now trying to erase.

And that's easier said then done in the age of Social Media.

Remember folks, if you put it online, it tends to stay online in one form or another (up to seven years).

Setting aside the legal questions, we look forward to seeing how Richard's digital persona evolves as his lawyer fights extradition.

Friday, June 17, 2011

Finland Has It All	Posted by Sean @ 13:03 GMT

As mentioned earlier, we've recently started a major project with one of the largest broadband operators in North America.

And so we have plenty of positions to fill, and many of them are based in Helsinki.

Where the weather is beautiful.

And really, how could you not want to live in a country with this kind of entertainment?!?

Apply now: Open Positions!

Pickpocket Targets Wallets at Bitcoin Forum	Posted by Sean @ 10:36 GMT

Our Threat Research team analyzed a Bitcoin wallet.dat trojan today. Bitcoin is a digital currency created in 2009.

We detect the threat as Trojan-PSW:W32/CoinBit.A.

Here's a screenshot of the GUI:

(SHA-1 c4f6c921aa77fbb7f2b616a22ee7d4578f8ccf44)

It's not very professional looking.

But that's not the real point. This is a snatch and grab. Before the window is rendered, the application will fetch the Bitcoin wallet.dat file (if it exists) from this location:

%Documents and Settings%\\AppData\Roaming\Bitcoin\wallet.dat

Coinbit.A then attempts to send the wallet.dat to a @hotmail address via a Polish SMTP server. The .pl server address is hardcoded. Reportedly, the password of the server account has been changed so this variant is no longer effective.

Performing a search for the hardcoded @hotmail recipient e-mail address leads one to this thread at bitcoin.org's forum.

It appears the pickpocket posted links in the forum's chat application. If the forum members clicked the link and downloaded the trojan, they risked losing their wallets.

To quote a forum member:

"No doubt that sucker is going straight for your wallet.dat"
"People will loose coins from this!"

Very possibly.

Read more from Kevin Poulsen at Wired.

Thursday, June 16, 2011

Facebook is finally winning?	Posted by Sean @ 13:11 GMT

Has Facebook shut its doors to spam?

Ninja CEO at cpafix.com, a viral marketing & CPA forum, thought so a few weeks ago…

But there's always a new mouse to challenge the cat.

This particular CPA spam has been circulating for several days now.

It links to CPA survey offers hosted at http://impressionvalue.mobi.

So it appears that the door wasn't completely shut after all.

Wednesday, June 15, 2011

Sandra's Credit Card Fraud	Posted by Sean @ 19:10 GMT

Sandra, a corporate communications manager here at F-Secure, recently had a bad experience with credit card fraud.

But she turned that bad experience into a very good post over on our Safe and Savvy blog.

Check it out.

Monday, June 13, 2011

Hungry Beast: Stuxnet	Posted by Mikko @ 13:58 GMT

You know a computer virus has become mainstream when TV channels start producing infographic specials on it.

TV show "Hungry Beast" is produced by ABC1 in Australia. They released this nice 3-minute video clip on Stuxnet.

While not all the details in the video are technically accurate, it's still worth watching.

Sunday, June 12, 2011

Fraud News	Posted by Mikko @ 20:00 GMT

Late on Sunday, I got a weird message from a colleague.

He had done a Google News search, looking for latest press coverage on F-Secure and had found something odd.

I was not familiar with this news source, so I checked their front page.

And there it was. A fabricated article claiming that I and fellow security researcher Brian Krebs were arrested for selling stolen credit cards. As a sidenote, the article also mentioned that we were lovers. Now, let me make it clear: Neither of these claims are true. I like Brian, but not like that.

Here's the fake article:

So, I called Brian up. He had already seen the article and had a pretty good idea who had done it, too. We have no idea how it ended up on fraud-news.com though.

Of course, fake news like this travel fast.

So let me just state it for the record that I'm not arrested and I have not been involved in selling stolen credit cards…

—————

No, I was not indicted either. Thanks for asking.

Signing off,
Mikko

P.S. The fake article is a modified version of a real article written by Brian in 2007. The fake screenshot is based on a posting on a real crime forum at omerta.cc/showthread.php?t=1474

—————

Updated to add: Administration of fraud-news.com contacted. Here's what they wrote:


From: info@fraud-news.com

Hi Mikko

Thanks!. When I checked the site today I was shocked to see what appeared
to be a fake story posted by someone who has hacked into the site. I then
checked on net and then saw your email, which confirmed that someone has
"hacked" in to post this news item.

I have now regained access to the system. I have quickly edited the news
item but kept the headline while replacing contents with my notes. That is
just to make sure that any visitor who follows the title from another site
or Google news is able to see that it was a fake entry. Removing the
article altogether may result in a broken link which may leave some
readers guessing. Hope that is fine with you. I hope to make another post
to explain this further.

I took over this site - fraud-news.com was initially a community based
site -  somewhere last year, and as at now the only way the news can be
published (which is picked up by Google news) is by making a forum post
and then upgrading it as an article. The forum runs on vBulletin latest
suite (Blog + Forum). I am trying to check into the logs and other
settings to see how someone was able to use the username 'FraudNews' which
I had the exclusive access as the super admin, or made the post through
another alternative mechanism through loopholes in vBulletin, if any. I
have also turned off the forum while we ensure the security of the site.

Strangely, fraud-news.com has recently come under attack as well, and in
April/May we were under a DDOS, at which time we temporarily moved the
site to DDOS protected hosting. The repeated attacks made publishing
articles harder. The site is popular due to the forum which pulls all the
scam/fraud related news and alerts. Since we tend to give all scam alerts,
we may have ended up a target. However this is the first time someone
"hacked" to make an unauthorised post, looking to make use of our site to
target your entity/reputation. I will be monitoring the fraud-news.com
closely to ensure that the culprit doesn't make another attempt.

Finally, many apologies for the inconvenience this has caused to all
concerned.
Arun Arunagiri

Friday, June 10, 2011

Malware Gang's $14.8 Million Bank Account Frozen	Posted by Mikko @ 21:05 GMT

The US Attorney's office has today frozen a Swiss bank account belonging to Sam Shaileshkumar.

Mr. Shaileskumar, together with Bj�rn Sundin were the main figures behind Innovative Marketing Ukraine, a malware house that was operating from Ukraine. Neither Shaileshkumar or Sundin were nationals of Ukraine themselves. Shaileshkumar holds a US passport while Sundin is Swedish.

The amount of money in the frozen account? A cool $14,800,000. This is believed to be only part of the proceeds IMU did while using malware to push out rogue security products such as "Systemdoctor".

As usual, these products did nothing useful. They found "problems" from any computer and would only "fix" them after you purchased a license.

The authorities have been after Sundin and Shaileshkumar for quite a while. Both are still on the run.

Here's the INTERPOL Wanted page for them:

Does Facesnoop Really Hack Facebook Accounts?	Posted by Sean @ 15:06 GMT

We came across a supposed hack-tool called "Facesnoop" this week.

The author uses YouTube videos to promote his software.

Facesnoop 2 was released sometime recently and claims to have "ACTUAL video proof" that it works.

(ACTUAL must be better than actual.)

The video depicts the "hacking" of an account belonging to a young woman named Kristen.

We think Kristen is just a sockpuppet account, so we've blurred the profile picture.

Once you've watched the Facesnoop video, and decide to download, you're directed to a webpage at ShareCash.Org which prompts you to fill out Cost Per Action (CPA) affiliate marketing surveys. (Offers from many of the usual CPA suspects. This is how Facesnoop monetizes his software.)

There's a problem though.

This is what happens when you launch Facesnoop 2:

You get an "Unhandled Access Violation" exception that claims there is a "Net Framework 2.0 missing library". Most people probably click on the "Check For Updates" button at this point, and that opens a webpage requesting even more CPA surveys to be filled out.

Facesnoop's Facebook page has several complaints about this.

(Seriously, who complains about a Facebook hack-tool failing to work on a Facebook Page???)

The Facesnoop author has created a newer page, and it opens to the Info tab to avoid visible complaints.

All of the people complaining about the error shouldn't really be surprised though…

Examining the properties of the executable shows that it was designed to fail.

Look: the Internal Name of the file is "Facesnoop 2 error.exe".

This isn't a hack-tool — it's a fraud-tool.

You can see more details in the executable's code:

(SHA-1: 2862de8e506414589b923f8faa49bf8fc81238e2)

E:\Nicolas\Code\fn2 error\Facesnoop 2 error\…

Nicolas? Hmm, where have we seen that name before?

Oh yes, the first video's sockpuppet "victim" was called Hayley.

And the Hayley account has a friend named Nicolas.

And the Nicolas account just happens to "like" Facesnoop. Is it the hack-tool author himself?

We don't know for sure.

All we do know, whomever Nicolas is really… he thinks you're a sucker.

Anonymous: who will be the ultimate decider?	Posted by Sean @ 12:18 GMT

It's been a busy week, had an idea for a blog post, but not a lot of time to write today…

So here's a shortcut via screenshots of my Twitter feed:

(http://bit.ly/kFc7yy) (http://bit.ly/lwqxZt)

(http://bit.ly/inNMzO)

Whom indeed?

#anonymous #sony

Thursday, June 9, 2011

ISSA Event on June 9th	Posted by Mikko @ 17:34 GMT

We spotted this malicious PDF file today.

When opened, the PDF (md5: 20ecffdc2ecea0fbe113502bec0c938c) uses a known Adobe Reader exploit to drop a backdoor to the system. While dropping the backdoor, it displays this PDF on-screen to fool the user into believing everything is okay.

The bait PDF talks about an Information Systems Security Association event in Alabama on the 9th of June, 2011. Which is today.

The backdoor connects to a server at 119.202.148.82, which is somewhere in South Korea.

We don't know who was the target of this targeted attack.

Updated to add: Funnily enough, here's a good presentation from Northern Alabama's ISSA event, focusing on malicious PDF files.

Tuesday, June 7, 2011

Facebook Attackers Now Hiding Behind Porn Sites	Posted by Sean @ 12:46 GMT

There was a rather innovative Facebook malware attack last week which pushed both Windows and Mac malware.

While some folks were distracted by the Mac scareware component, it appeared to us as only the secondary factor in the overall attack. The Windows component, a fake "Adobe Flash Player" update, has ZeuS bot characteristics according to an analyst on our Threat Solutions team. We therefore conclude that the attack was focused on building a Windows OS botnet, and that the Mac OS scareware was tacked on as a bonus (as there are no ZeuS binaries to push at Mac users).

Facebook took more than 24 hours to block malicious links redirecting to newtubes.in: a domain using an Indian TLD, hosted on a Lithuanian server, and registered to "Narcisa Scott" of Thailand.

In the end, all links used by the attack were deleted by Facebook.

And we had hoped last week that Facebook killed whatever spam/attack vector was being used.

But that hope was in vain.

The same bad guys are now spamming links to porn sites via Facebook profiles:

You can see profiles posting the links via an Openbook search for "Free Tube Hub".

The sites, which have names such as blackbootyblog.com, ebonyarea.com, justebonypussy.com and ebonykey.com, all have a common theme…

That's because many of them are hosted on the same server:

The website server appears to be compromised and a folder called /watch/ has been inserted that contains script which attempts to redirect users to borntobefree.in: a domain using an Indian TLD, is hosted on a Lithuanian server, and is registered to "Andrew Farrell" in Thailand.

Sounds familiar.

So… the porn site server is a smokescreen to hide the real attack site, borntobefree.in.

Neat trick.

As was the case in last week's malware attack, too many visits from the same IP address will result in a redirection to youtube.com. Also, the attack server is Geo-IP aware and focuses on users from the USA and UK.

We currently see no evidence that these links are being spread "virally" via Facebook Platform. Instead, they appear to be posted directly to profiles via bots.

If true, Facebook has a problem. To block these types of attacks, they'll need to suspend the profiles of infected users. But how to inform the user as to which computer is infected?

As we said last week, this is a highly professional attack using well developed techniques.

And it looks to us as if it could be here to stay for a while.

—————

Updated to add on June 9th: Bots continue to spam Facebook with porn based links, and Facebook continues to fail at blocking them (72+ hours and counting).

The links are not redirecting to malware at this time, based on our analysis. Instead, they are currently redirecting to two additional porn sites, one of which we saw last week when these links were pushing fake Flash Players and Mac scareware.

The spammed links use very consistent text, so it's quite surprising that Facebook doesn't have some sort of automation to block accounts from posting the links.

The structure is as follows: there's a porn site, hosted on a common server (see above) and it contains a folder called "/watch/". That folder contains a page with script to pull content from another location:

In this case, greatfeel.in, another Lithuanian server with an Indian TLD.

And no big surprise, greatfeel.in is also registered to "Andrew Farrell" in Thailand.

Monday, June 6, 2011

Another Android Malware Utilizing a Root Exploit	Posted by ThreatSolutions @ 07:54 GMT

Another Android malware utilizing the root exploit "Rage Against The Cage" has been found. We were able to find a sample ourselves, and we now detect it as Trojan:Android/DroidKungFu.A.

This new malware was embedded on a trojanized application that may require a root access in order to conceal itself. The infection occurs in two parts:

Infection: Part 1

The first part is the installation of a trojanized application that would gain root privilege and install the com.google.ssearch application. This application points to the Trojan:Android/DroidKungFu.A's service component that will start a service com.google.ssearch.Receiver. On the creation of this service, it will call the function getPermission() that will install an embedded APK.

This will call for checkPermission() that will check if com.google.ssearch.apk already exists. If not, it will install the "legacy" file, which is an APK file, to the "system/app" (the application folder).

Infection: Part 2

The second part deals with the main malware component, com.google.ssearch.apk. As we may recall, this component was also present in the trojanized application.

Here is a screenshot showing the com.google.ssearch.apk installed.

The malware appears to have a backdoor functionality. Here are some of its capabilities that we have seen:

  •  execDelete — execute command to delete a supplied file
  •  execHomepage — execute a command to open a supplied homepage
  •  execInstall — download and install a supplied APK
  •  execOpenUrl — open a supplied URL
  •  execStartApp — run or start a supplied application package

Trojan:Android/DroidKungFu.A can also obtain the following information and post it to a remote server:

  •  imei — IMEI number
  •  ostype — Build version release, e.g., 2.2
  •  osapi — SDK version
  •  mobile — users' mobile number
  •  mobilemodel — Phone model
  •  netoperator — Network Operator
  •  nettype — Type of Net Connectivity
  •  managerid — hard-coded value which is "sp033"
  •  sdmemory — SD card available memory
  •  aliamemory — Phone available memory

Root is set to 1 as to signify with root, and these information are then sent to "http://search.gong[...].php."

The malware obtains the commands from "http://search.gong[...].php" by posting in the "imei," "managerid" and root value. It also reports the status of the commands on "http://search.gong[...].php" by posting in "imei," "taskid," "state" and "comment."

Threat Solutions post by — Zimry

—————

Updated to clarify: The original discovery of the trojan was by a research team at North Carolina State University. We were able to independently find a sample for our own analysis.

Thursday, June 2, 2011

British Intelligence Vandalizing Extremist Online Magazines	Posted by Mikko @ 12:34 GMT

An article in the Washington Post reports that members of British intelligence vandalized an issue of the Inspire magazine. Inspire is the English-language lifestyle magazine of Al-Qaeda, published online in PDF format. They have published five issues so far.

When the first issue was published last year, most jihadists ended up downloading a corrupted version instead of the real deal. The corrupted version was manufactured and spread by British intelligence.

Here's what the corruption looked like.

Below, the cover of Inspire #1. On left, the real version, on right, the corrupted version. There's no visible difference.

Table of contents. No visible difference.

Page 4. Suddenly, the contents of the doctored version turn into binary garbage:

This continues throughout the magazine. Here's page 41:

The binary garbage that replaced the extremist content seems to be random bytes. In reality it's a raw dump of a file with cupcake recipes, pasted to overwrite the original content.

When we analyzed the corrupted version, we thought it would be plausible that it would contain malware or exploits. However, it did not.

We will not be providing download links for the actual magazine.

Mac Market Share x Google Images SEO Poisoning = Gold Rush	Posted by Sean @ 10:49 GMT

Mac malware has been making lots of news recently, and much of the analysis has focused on Mac's market share, which in the USA, is around 15%. But market share is only a single data point. Is that the whole story?

We don't think so.

Mac malware is hot right now because of the infection vector — Google Images Search. Mac market share (15%) multiplied by infection vector (Google Search Engine Optimization poisoning) equals a huge economic incentive to target Mac users.

What happens when Google fixes their Images SEO problem? The bubble will burst and the boom will bust.

What will happen to Mac malware then?

Sean and Mikko discuss that topic on our YouTube channel in: Mac Malware Circa 2011

For more insight on Google's battle against SEO poisoning, see: Finding SEO Poisoned Sites Using Google

Quick Snapshot of Trojan:AndroidOS/AdSMS.B	Posted by ThreatSolutions @ 09:24 GMT

Ever since we got wind of a variant of an AdSMS trojan with more aggressive functionalities making the rounds in various online forums, we've been on the lookout for more samples to analyze.

It hasn't been easy — there was a report of "more than 20 Android apps" being identified, but most of them seem to have been pulled out of circulation already. A lot of heavy forum trawling was required, which is a good thing for most users — it's not easy to get this trojan.

Analysis is still ongoing, but here are a few snippets based on the samples we have:

As before, the malware is a trojanized version of a legitimate app. For this sample, it was a paper toss game. For a simple game though, the permissions it requests are suspicious:

An alert user should be suspicious when a game says it needs to send SMS messages and read your personal information.

Once installed, the trojan is designed to prompt the user to "update" the program to a new version, with a "lightning update in 1 second" (?):

Once updated, the device is restarted and the malware is successfully installed under "com.android.battery", though it lists itself as appsms.apk in the application folder.

The trojan contains a known exploit, rageagainstthecage, for gaining root access and will run four malicious classes as services in the background: Adsms.Service, SystemPlus, MainRun and ForAlarm.

Other functionalities appear to be as reported, though we'll be continuing analysis — and hunting for more samples. We will be detecting this as Trojan:AndroidOS/AdSMS.B.

Threat Solutions post by — Irene

Wednesday, June 1, 2011

Facebook Finally Blocks Malware Attack	Posted by Sean @ 22:06 GMT

With more than 24 hours having passed since it began, Facebook has finally blocked a malware attack that linked to Windows and Mac malware.

The attack site pushed MacGuard scareware at Mac users, and host modifying fake "Adobe Flash Players" at Windows users.

Contrary to our earlier post, rather than using the "Like" feature, we now think the malware was spreading by posting directly to Facebook accounts. The posted link used the Like feature's icon rather than icons used by Links or Videos.

Here's what Facebook search revealed a couple of hours ago:

And this is an example from a user's Wall:

The "LOL, just found new tube site" link didn't reference any .php as the others.

Here you can see the same site, newtubes.in, was used on Sunday:

The subject was "Boobs Too Big For Seatbelt".

The bad guys attempted, and failed, to launch their attack during the Memorial Day holiday weekend, with big boobs.

As mentioned earlier today, the attack site was Geo-IP and OS aware, and focused only on USA/UK IP addresses. All others were safely redirect to youtube.com. It also employed anti-analysis evasion techniques, such as blocking IP address that visited too frequently. This was a highly professional attack using well developed techniques.

We hope that it cannot be repeated soon.

Facebook Attack Spreading both Windows AND Mac malware	Posted by Sean @ 09:17 GMT

There's a significant Facebook malware attack occurring at the moment.

The attack is spreading virally using Facebook's "Like" feature — a method well established by rogue Cost Per Action (CPA) marketing affiliates. But unlike CPA spam that redirects to deceptive ads, this "viral video" is linking to a Lithuanian server that serves up Windows and/or Mac malware.

This is the first time we've seen malware using "viral links". (Stuff such as Koobface uses phishing and compromised accounts.)

The bait uses the following subject lines:

"oh shit, one more really freaky video O_O" and...
"IMF boss Dominique Strauss-Kahn Exclusive Rape Video - Black lady under attack!"

The links used point to a subdomain on "newtubes.in".

An Openbook search shows numerous examples of folks that have been exposed.

Here's an example of Facebook's search results:

When testing the link from Germany, Finland, France, India and Malaysia, we were safely redirected to youtube.com. Testing from the USA and UK offered up Mac scareware or Windows malware depending on our browser user agent IDs.

The attack is GEO-IP as well as OS aware.

And though this attack started more 16 hours ago, Facebook does not yet block links to newtubes.in even though the subject text and the root domain has remained unchanged during that time. This could be due to the fact the attack is utilizing Facebook "Likes" rather than posting links to user's Walls which can be more easily filtered by Facebook's security team.

Or perhaps they're still catching up on their post-Memorial Day holiday e-mail…

Updated to add:

At 17:00 GMT the attack changed subject line to:

one more stolen home porn video ;) Rihanna and Hayden Panettiere and…
Rihanna And Hayden Panettiere !!! Private Lesbian HOT Sex Tape stolen from home archive of Rihanna! Hot Lesbian Video - Rihanna And Hayden Panettiere !!

At 19:12 GMT the domain used switched from newtubes.in to shockings.in.

Correction to above: The malware is using the Facebook "Likes" thumbs-up icon, but appears to be spreading via another method. Additional analysis suggests that the malware itself may be injecting a post into the victim's Facebook session.

Try as we might, our test account was not compromised by the attack server's webpage. We are now speculating that the Windows malware is a Koobface like worm with ZeuS like webinject capabilities. Our analysis continues.

Old Trojan Tricks on Android	Posted by ThreatSolutions @ 02:58 GMT

We recently did an analysis on a trojan, AdSMS, that's been spreading for the last week or so and thought it might make an interesting contrast to the rash of trojanized Android apps that we've been seeing lately.

AdSMS is distributed via a malicious link in a spammed SMS message. The malware appears to be targeted to Android users in mainland China, as the SMS is faked up to look like it's from a major Chinese telecom network and the download link deliberately spoofs a domain name associated with the network.

AdSMS is promoted as an "update for a security vulnerability". Sounds like a throwback to the old Symbian trojans (e.g. Merogo and MapUp), which used this exact same distribution and social engineering strategy.

If the user clicks the link, the malware is downloaded. These are the permissions the trojan requests:

An update that needs to send SMS messages? Hopefully an alert user would notice that and suspect something's amiss.

Once installed, AdSMS doesn't add an icon for itself on the application menu; it just runs silently in the background. Users need to check the Setttings > Applications > Manage Applications menu to see if it's present, under the name "andiord.system.providers":

Again, an old trick, though in this case previously seen in mobile espionage suites such as Phone Creeper and Flexispy. Incidentally, once on the Manage Applications menu, users can uninstall the trojan as per a normal application.

Once installed, the trojan steals phone details, connects to a remote site to download more files. It also has the capacity to read, write and send SMS messages, much like the preceding Trojan:AndroidOS/Fakeplayer.A.

So there's nothing new about this trojan's tricks per se, but it's one of the first we've seen on the Android platform to try some of them.

Our Android security product detects this as Trojan:AndroidOS/AdSMS.A.

Threat Solutions post by — Irene