17 May Malicious PACs and Bitcoins Fabio Assolini
13 May Telecom fraud — phishing and Trojans combined Dong Yan
22 Apr Lock, stock and two smoking Trojans-2 Sergey Golovanov
19 Apr An ambush for peculiar Koreans Dmitry Tarakanov
17 Apr Boston Aftermath Michael
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
The story of the Foncy SMS Trojan started during the fall of 2011. This piece of malware was one of the first SMS Trojans targeting users outside Russia and China. Potential victims were from various countries in Europe, North America and Africa. In the middle of January 2012 Foncy was updated: it started to spread together with an IRC bot and a root exploit. But the end of the Foncy story was very close because in February two suspected authors of this malware were arrested in Paris: you can read the story here in French and here in English. Since then we haven’t found any new modifications of this piece of malware.
So, Foncy is dead. And what is Mania? Mania is an SMS Trojan which currently only targets users of Android from France and its code is very similar to the code of the Foncy malware. The first sample of Mania (Trojan-SMS.AndroidOS.Mania) was found approximately at the same time when the Foncy IRC bot was discovered (during the first half of January). After that new variants of Mania appeared in February, March, April and May.
We haven’t found any traces of Mania on
Android Market Google Play. It seems that it is spread via file sharing web sites as popular legitimate applications such as PhoneLocator Pro, BlackList Pro, Enhanced SMS and Caller ID, CoPilot Live Europe, Settings Profiles Full, Advanced Call Blocker and Kaspersky Mobile Security.
Duqu and Stuxnet raised the stakes in the cyber battles being fought in the Middle East – but now we’ve found what might be the most sophisticated cyber weapon yet unleashed. The ‘Flame’ cyber espionage worm came to the attention of our experts at Kaspersky Lab after the UN’s International Telecommunication Union came to us for help in finding an unknown piece of malware which was deleting sensitive information across the Middle East. While searching for that code – nicknamed Wiper – we discovered a new malware codenamed Worm.Win32.Flame.
Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different, the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities seems to put it alongside those familiar ‘super-weapons’ currently deployed in the Middle East by unknown perpetrators. Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage.
For the full low-down on this advanced threat, read on…
What exactly is Flame? A worm? A backdoor? What does it do?
Flame is a sophisticated attack toolkit, which is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.
The initial point of entry of Flame is unknown - we suspect it is deployed through targeted attacks; however, we haven’t seen the original vector of how it spreads. We have some suspicions about possible use of the MS10-033 vulnerability, but we cannot confirm this now.
Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. All this data is available to the operators through the link to Flame’s command-and-control servers.
Later, the operators can choose to upload further modules, which expand Flame’s functionality. There are about 20 modules in total and the purpose of most of them is still being investigated.
It seems that development of the main module of SpyEye stopped with last autumn’s version 1.3.48 – and this is now the dominant strain of SpyEye malware.
SpyEye distribution by versions for the period since 1 January 2012*
* Others (7%) includes: 1.2.50, 1.2.58, 1.2.71, 1.2.80, 1.2.82, 1.2.93, 1.3.5, 1.3.9, 1.3.25, 1.3.26, 1.3.30, 1.3.32, 1.3.37, 1.3.41, 1.3.44.
But just because the authors are not developing this platform further, it doesn’t mean that SpyEye is no longer getting new functions. The core code allows anyone to create and attach their own plugins (DLL libraries). I’ve been analyzing SpyEye samples since the start of the year, and I’ve counted 35 different plugins. Below you can see a table with those plugins and the corresponding number of samples in which they were included:
It is quite rare to analyze a malicious file written in the form of a cross-platform browser plugin. It is, however, even rarer to come across plugins created using cross-browser engines. In this post, we will look into a Facebook worm that was written using the Crossrider system – a system still in beta testing.
Image source: http://crossrider.com