14 Dec Carberp-in-the-Mobile Denis
05 Jul Find and Call: Leak and Spam Denis
23 Mar Think twice before installing Chrome extensions Fabio Assolini
04 Jan The Top 10 Security Stories of 2011 Costin Raiu
01 Dec Lab Matters - Analyzing the Android security ecosystem Ryan Naraine
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
Microsoft releases nine March Security Bulletins. Four of the Bulletins are rated critical, but of the 20 vulnerabilities being patched, 12 are rated critical and enable remote code execution and elevation of privilege. Microsoft software being patched with critical priority include Internet Explorer, Silverlight, Visio Viewer, and SharePoint. So, pretty much everyone running Windows, and lots of Microsoft shops, should be diligently patching systems today.
Pwn2own attracted top offensive security talent to Cansecwest and awarded a half million in prizes for fresh 0day this year, but the event didn't force much Microsoft fix development for this Bulletin release. Adobe, Java, Firefox and Chrome were all hit this year along with two Internet Explorer 10 0day for full compromise on Windows 8 on a Windows Surface Pro tablet.
Instead, MS013-021 is one giant "Internet Explorer Use-After-Free patch", addressing the longest list of IE use-after-free vulnerabilities in a single monthly Bulletin to date. Knowing that only one of these vulnerabilities was disclosed publicly, it almost looks as though they fixed a fuzzer in their own labs or someone stepped up development of their own.
MS013-022 addresses a memory pointer check in Silverlight component HTML rendering - an unusual problem known as "double de-referencing". The interesting thing here is that this client side RCE enables exploitation across not only all of its supported Windows systems, but across Apple's Mac OS X systems. In the light of OS X mass exploitation this past year and the recent slew of OS X-enabled targeted attacks, this patch is important to folks lugging around systems running OS X.
Microsoft recommends that EMET helps mitigate both the Internet Explorer and the Silverlight issues.
On the server side, altogether different from the client side memory corruption issues above, we see a web service vulnerability in Sharepoint, a pretty widely distributed service in organizations. The eye popper here includes an EoP enabled by an XSS flaw that provides remote users with a method to issue Sharepoint commands in the context of an administrative user on the site. These Sharepoint flaws were all privately reported by an outside researcher, but no public disclosure is known. At the same time, a denial of service and buffer overflow issue is being addressed in the Sharepoint code.
MS012-023 addresses vulnerable code in Visio Viewer 2010, but the vulnerable code also is delivered in components within Microsoft Office. The odd thing is that there is no known code path traversal through the vulnerable code within Microsoft Office. And, Microsoft maintains four or five versions of Visio Viewer, a widely used piece of software for organizations to distribute diagrams and charts of all types. However, this vulnerability only affects one version - Microsoft Visio Viewer 2010. Nonetheless, Microsoft is leaning towards addressing any and all security issues (including unknown future issues), and patching the code everywhere it resides including Microsoft Office, whether or not it is traversed at runtime within Office.
Of the lesser rated vulnerabilities, the kernel mode USB descriptor issue seems the most interesting. And yes, the title of this post is out-of proportion and fairly ridiculous. I don't expect another Stuxnet to rise up simply because of this vulnerability. But, in a flashback to Stuxnet exploit vectors, it provides another vector of delivery for arbitrary code to be executed in kernel mode simply by inserting a USB device into a system.
To clarify, the danger here does not lie in the immediate potential for another Stuxnet. The immediate danger lies in the availability of attack surface demonstrated by Stuxnet to enable highly secured, air gapped industrial environments to be infiltrated with Pearl Harbor style surprise and effectiveness.
We previously wrote several times about Man-in-the-Mobile attacks which aim to steal mTANs sent via SMS. For a long time, only two families of such malware have been known: ZeuS-in-the-Mobile (ZitMo) and SpyEye-in-the-Mobile (SpitMo). ZitMo and SpitMo work together with their Windows ‘brothers’. Actually, without them, they would look like trivial SMS spy Trojans. It is necessary to mention that during the last two years such attacks have been observed only in some European countries like Spain, Italy, Germany, Poland and few others.
But when the mobile version of Carberp Trojan appeared (we detect it as Trojan-Spy.AndroidOS.Citmo, Carberp-in-the-Mobile) such attacks became real in Russia as well. There is no secret that online banking is becoming more and more popular in Russia; and banks are very active in promoting online banking with various authorization methods.
Carberp for Windows works in a similar way to the ZeuS Trojan. If a user tries to login into his online banking account using a machine infected by Carberp, the malware will modify the transaction so that user credentials are sent to a malicious server rather than a bank server.
In addition to the login and password, cybercriminals still need mTANs in order to confirm any money transfer operation from a stolen account. That is why one of the Carberp modifications (we call it Trojan-Spy.Win32.Carberp.ugu and we've added detection for it on 11th of December) alters the online banking web page on the fly, inviting the user to download and install an application which is allegedly necessary for logging into the system. And the user can get this link via SMS message by entering his phone number or by scanning a QR-code:
According to this screenshot, users of one of the most popular Russian banks, Sberbank, are under attack. ‘Sberbank’ updated its web page on 12th of December with information about the attack. The link in the QR-code led to the fake ‘SberSafe’ application (Trojan-Spy.AndroidOS.Citmo) which has been in Google Play since 30th of November.
Yesterday we were contacted by our partner MegaFon, one of the major mobile carriers in Russia. They notified us about a suspicious application, which was found in both the Apple App Store and Google Play. At first glance, this seemed to be an SMS worm spread via sending short messages to all contacts stored in the phone book with the URL to itself.
However, our analysis of the iOS and Android versions of the same application showed that it’s not an SMS worm but a Trojan that uploads a user’s phonebook to remote server. The 'replication' part is done by the server - SMS spam messages with the URL to the application are being sent from the remote server to all the contacts in the user’s address book.
The application is called ‘Find and Call’ and can be found in both the iOS Apple App Store and Android’s Google Play. We’ve already informed both Apple and Google but we haven’t received an answer yet.
Find and Call in the Apple Store
Find and Call in the Google Play
All user comments (both in Apple Store and Google Play) are pretty angry and contain the same complaint that the app sends SMS spam:
Since November 2011, according to recent statistics, Google Chrome has become the most popular browser in Brazil (more than 45% of the market share).
The same has is true for Facebook, which now is the most popular social network in Brazil, with a total of 42 million users, displacing Orkut.
These two facts are enough to motivate Brazil’s bad guys to turn their attentions to both platforms. This month we saw a huge wave of attacks targeting Brazilian users of Facebook, based on the distribution of malicious extensions. There are several themes used in these attacks, including “Change the color of your profile” and “Discover who visited your profile” and some bordering on social engineering such as “Learn how to remove the virus from your Facebook profile”:
1) Click on Install app, 2) Click on Allow or Continue, 3) Click on Install now, After doing these steps, close the browser and open again
This last one caught our attention not because it asks the user to install a malicious extension, but because the malicious extension it’s hosted at the official Google's Chrome Web Store. If the user clicks on “Install aplicativo” he will be redirected to the official store. The malicious extension presents itself as “Adobe Flash Player”:
Kaspersky Lab security researcher Tim Armstrong looks at the security posture of the Android platform and discusses current and future threats to Android-powered devices.
I’m often asked about the real danger of Android malware. This is a difficult question as it has many factors to consider, such as your location, your device, how many apps you install, and how reckless you are with the apps that you choose.
There are two common factions often at odds with each other. There is one side of the argument that states that the threat to Android is overblown, and that because the number of malicious samples discovered so far is so small in comparison with Windows malware, it’s insignificant. In fact when a company discloses their findings and they show any type of marked growth in this sector, they’re often accused of scaremongering to generate sales.
In April, the .co.cc and .cz.cc sub-domains were absolutely littered with malware distributing web sites, and the unusually telling DNS registration setup on .co.cc and .cz.cc had forecast the previously upcoming Apple FakeAv. That DNS setup later led to FakeAv downloads for the Mac as forecast. But FakeAv distribution has been steadily declining since the beginning of the year, and a few related major events have occurred over the past six months. Blackhole operators have migrated to .info domains, along with other related malicious site operators. Have they pushed .info to become the new .cc?
So, what has this dispersion looked like? Well, let's look back to the beginning of the year. .co.cc and .cz.cc domain registrars offered free dns registration and cheap or free hosting. Malware distributors abused these cheap resources and staged the Blackhole exploit pack using these URL names, serving up FakeAv and other nastiness. Java exploits became the most effective and most popular in the Blackhole set, followed by exploits targeting vulnerable Adobe Reader and Microsoft HCP software. Traffic was directed to these kits by Google Image Search Poisoning, by compromising legitimate sites and redirecting browsers to the kit sites with injected iframe and img src tags, and by successful malvertizing campaigns on major webmail providers. But, what goes up must come down.
Web based threats such as malicious links on social medias, infected websites and malicious ads are terms that we read about quite often. We security experts have for quite some time tried to emphasize the importance of protecting both your website and computer from being infected, since these malicious websites often exploit client vulnerabilities. These vulnerabilities have been one of the major attack vectors for malware writers in recent years, but is it still a problem?
We are constantly seeing new software vulnerabilities , and the bad guys are very quick to developg exploits which are then hosted in their exploit kits. The vulnerabilities themselves are not dangerous unless the attacker is able to exploit them on the victim’s computer. The attackers have therefor developed ways to get victims to visit a website, for example, which then triggers the exploit. Some common ways are through social engineering or infecting a legitimate website with redirection code that points to the exploit kit.
Last month almost all major vendors released critical security updates for their software, such as Adobe, Oracle, Apple, Microsoft and Mozilla. I then started to research the current threat landscape, and focused on Sweden since I am the security researcher for the Nordic region; and after just a few minutes I saw that both Swedish websites and Swedish users were under attack.
The cybercrime business is really no different from other types of business such as pasta making or selling spare parts for cars. It has its own expenses and overheads. A hacker, just like any businessman, tries to save on attacks and keep their costs down.
In general, a web attack needs a domain name and hosting in order to spread malicious files. Everything is fairly straightforward with regards to hosting: the criminals either buy it themselves or use cracked servers to store their files. Protective measures cannot extend to the blocking of whole file servers, as legitimate data may also be stored on them.
Domain names can be blocked quickly by integrated security solutions. Therefore, a black hat has to constantly change the domain names from which their attacks originate.
Registration of a second-level domain name is relatively expensive (on average from $5 to $20 per unit), which is why cybercriminals often try to save money and use free third-level domain names.
Lately, the co.cc and cz.cc services have been at the forefront of cybercriminal activity. Hundreds of domain names were being registered every day, spreading a huge amount of malware over the Internet.
However, a couple of weeks ago an unprecedented event occurred: Google removed all resources located at co.cc from its search results.
As a result, it was no longer profitable for cybercriminals to register domain name in this zone, especially for those who make use of search engines (e.g. for spreading rogue AV with the help of black search engine optimization).