<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CounterMeasures - A Security Blog » malicious code</title>
	<atom:link href="http://countermeasures.trendmicro.eu/tag/malicious-code/feed/" rel="self" type="application/rss+xml" />
	<link>http://countermeasures.trendmicro.eu</link>
	<description>Trend Micro's Rik Ferguson blogs about current security issues.</description>
	<lastBuildDate>Tue, 07 Feb 2012 17:51:43 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>The best form of defence?</title>
		<link>http://countermeasures.trendmicro.eu/the-best-form-of-defence/</link>
		<comments>http://countermeasures.trendmicro.eu/the-best-form-of-defence/#comments</comments>
		<pubDate>Tue, 03 Jan 2012 16:19:41 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[countermeasures]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[Denial of Service]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=3223</guid>
		<description><![CDATA[&#160; A report in the Daily Yomiuri suggests that the Japanese government have commissioned Fujitsu Ltd to create a &#8220;defensive virus&#8221; and that after 3 years of work and a budget of $2.3 million, the project is nearing completion. &#160; Technical details in the article are necessarily thin on the ground but it appears that the [...]]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_3225" class="wp-caption alignleft" style="width: 510px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2012/01/782926958_d73f5c1300.jpg"><img src="http://countermeasures.trendmicro.eu/wp-content/uploads/2012/01/782926958_d73f5c1300.jpg" alt="" title="Mutation by woodleywonderworks" width="500" height="333" class="size-full wp-image-3225" /></a><p class="wp-caption-text">Mutation by woodleywonderworks</p></div><br />
&nbsp;<br />
A <a href="http://www.yomiuri.co.jp/dy/national/T120102002799.htm" title="Govt working on defensive cyberweapon / Virus can trace, disable sources of cyber-attacks" target="_blank">report in the Daily Yomiuri</a> suggests that the Japanese government have commissioned Fujitsu Ltd to create a &#8220;defensive virus&#8221; and that after 3 years of work and a budget of $2.3 million, the project is nearing completion.<br />
&nbsp;<br />
Technical details in the article are necessarily thin on the ground but it appears that the &#8220;cyberweapon&#8221; is designed to &#8220;springboard&#8221; from one compromised computer to another, tracing back to the original source of the attack and shutting down malicious processes en route.<br />
&nbsp;<br />
Whilst I can see the attractiveness of the principle and have some sympathy for the thinly veiled claims in the article that &#8220;everyone else is doing it&#8221;, the concept of the &#8220;good&#8221; computer virus has been the subject of debate for many years and it has never gained widespread support.<br />
&nbsp;<br />
Even a &#8220;good&#8221; virus or worm must execute on a machine without the permission of the owner of that machine. If that &#8220;good&#8221; virus has the objective of terminating malicious processes and/or patching security holes then, by definition, it must modify or delete critical processes, memory content or files. If its design is to spread autonomously then system owners will have no opportunity to test whether its supposedly altruistic activities will have any negative impact on a running system. It will also consume bandwidth, disk space, memory and processor cycles, all adding to the load just as a malicious worm does, effectively creating a Denial of Service condition.<br />
&nbsp;<br />
The &#8220;good&#8221; virus may also be hindered by effective security software: many of the actions it will be carrying out, such as modifying system components and terminating processes, will be precisely those which security programs are designed to recognise and stop.<br />
&nbsp;<br />
Finally it really wouldn&#8217;t take much effort for criminal groups to take these white-hat tools and modify them for more malicious use, blurring the line even more between the &#8220;good&#8221; and the bad and putting professional grade carrier mechanisms in the hands of criminals.<br />
&nbsp;<br />
The Japanese government seem less than coordinated right now on the actual use such a technology would be put to. The article reports them as saying that they are &#8220;<em>not considering outside applications for the program as it was developed for more defensive uses, such as identifying which terminal within the Self-Defense Forces was initially targeted in a cyber-attack</em>&#8221;. This is hardly surprising, as the creation of malware is currently a violation of Japan&#8217;s criminal code.<br />
&nbsp;<br />
You have to wonder though, even in that limited scenario, wouldn&#8217;t such an automated &#8220;sprinkler system&#8221; pose a huge risk of destroying valuable forensic evidence in the case of a breach? Wouldn&#8217;t effective real-time monitoring of computers and networks, reporting to a centralised SIEM console, provide as much intelligence in a less inherently risky way?<br />
&nbsp;<br />
<strong>Post Script:</strong><br />
&nbsp;<br />
In 2004 Cyrus Peikari made a seemingly good case for <a title="Fighting Fire with Fire: Designing a &quot;Good&quot; Computer Virus" href="http://www.informit.com/articles/printerfriendly.aspx?p=337309" target="_blank">Fighting Fire with Fire</a>, but I feel that the medical analogy breaks down completely under close examination. In the digital case we are talking about releasing a self-replicating virus into the wild, whereas in the medical case we talk about manual and controlled introduction of an attenuated virus on an individual (and voluntary) basis.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/the-best-form-of-defence/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Conficker, Duqu, Stuxnet, Aliens, Confuxnet!</title>
		<link>http://countermeasures.trendmicro.eu/conficker-duqu-stuxnet-aliens-confuxnet/</link>
		<comments>http://countermeasures.trendmicro.eu/conficker-duqu-stuxnet-aliens-confuxnet/#comments</comments>
		<pubDate>Fri, 02 Dec 2011 14:37:21 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[malware]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[conficker]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[hacktivism]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[Rogue AV]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[worm_downad]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=3186</guid>
		<description><![CDATA[I have just read a Reuters news story where respected &#8220;cyber warfare expert&#8221; John Bumgarner is reported to claim that Conficker was devised and released to act as a global smokescreen for the surgical attack, using Stuxnet on nuclear facilities in Iran. &#160; Bumgarner claims that initial reconnaissance work was carried out using Duqu in [...]]]></description>
			<content:encoded><![CDATA[<p>I have just read a <a title="Insight: Did Conficker help sabotage Iran's nuke program?" href="http://ca.reuters.com/article/topNews/idCATRE7B10AP20111202?pageNumber=1&amp;virtualBrandChannel=0&amp;sp=true" target="_blank">Reuters news story</a> where respected &#8220;cyber warfare expert&#8221; John Bumgarner is reported to claim that Conficker was devised and released to act as a global smokescreen for the surgical attack, using Stuxnet on nuclear facilities in Iran.<br />
&nbsp;<br />
Bumgarner claims that initial reconnaissance work was carried out using Duqu in 2007 to identify targets relevant to a later attack by Stuxnet. In November 2008 Conficker was released globally to infect as many machines as possible. When a Conficker infection phoned home, if the victim machine was found to be in an apposite location (Iran) it was flagged as a later target for Stuxnet. He further states that Conficker did no damage to machines outside Iran and that on the infamous April 1st &#8220;activation date&#8221; (of the third variant from March 2009) it was used to pull down Stuxnet to those machines located in interesting locations in Iran.<br />
&nbsp;<br />
Here is the evidence, all of it unsubstantiated as far as I can ascertain, that Bumgarner presents to support his claim:<br />
&nbsp;<br />
1 &#8211; Both Stuxnet and Conficker show evidence of &#8220;<em>unprecedented sophistication</em>&#8221;, leading him to believe that they are related.<br />
&nbsp;<br />
2 &#8211; Both Stuxnet and Conficker use the same vulnerability to infect machines (<a href="http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx">MS08-067</a>).<br />
&nbsp;<br />
3 &#8211; Unspecified &#8220;<em>key dates</em>&#8221; in timestamps of unspecified &#8220;<em>different versions</em>&#8221; of Conficker and Stuxnet overlap and also &#8220;<em>helped him to identify April 1 2009 as the launch date for the attack</em>&#8221;.<br />
&nbsp;<br />
4 &#8211; April 1st 2009 was the 30th anniversary of the declaration of an Islamic Republic in Iran. Other unspecified dates also corresponded with days when &#8220;<em>Iranian President Mahmoud Ahmadinejad said his nation would pursue its nuclear program despite international objections, and another with the day that he made a highly controversial appearance at Columbia University in New York</em>&#8221;.<br />
&nbsp;<br />
As regards the end-game, the eventual infection of machines physically located in the right place inside nuclear facilities, Bumgarner concedes that at this point the malware wasn&#8217;t yet &#8220;<em>in the target</em>&#8221;. So to make that final crucial leap, Stuxnet was designed to infect USB drives, in the hope that someone would later take the same USB drive from a Conficker/Stuxnet infected machine and plug it into a machine located in an air-gapped network in a nuclear facility. At that point, Bumgarner states, &#8220;<em>it was checkmate</em>&#8221;.<br />
&nbsp;<br />
Phew, what a ride! You&#8217;ll forgive me I hope if I say that this account stretches my credulity to breaking point. Let me list a few reasons why.<br />
&nbsp;<br />
1 &#8211; If targets outside of Iran were surplus to requirements, why did the first iteration of Conficker only exclude computers based in the Ukraine? Why was that restriction later removed? Why not only infect machines in Iran in the first place? It is also not true to say that machines infected with Conficker were all unharmed: <a title="Downad/Conficker, who's the April Fool?" href="http://countermeasures.trendmicro.eu/downadconficker-whos-the-april-fool/" target="_blank">Conficker was used to deliver Fake AV</a> and had a <a title="New Downad/Conficker variant spreading over P2P" href="http://countermeasures.trendmicro.eu/new-downadconficker-variant-spreading-over-p2p/" target="_blank">functional relationship with Waledac botnet C&amp;C</a>.<br />
&nbsp;<br />
2 &#8211; The levels of sophistication in Conficker and Stuxnet are in different leagues. The original version of Conficker used a single, already patched Windows vulnerability to spread; the second variant added the capability to spread via removable drives and by brute forcing passwords against a list of common password variants, neither method sophisticated. There was a level of sophistication in the scale of pseudo-random domains that were generated by the malware as potential C&amp;C locations, but nothing that wasn&#8217;t quickly reverse engineered and understood. In the third variant of Conficker the propagation methods were actually removed, only to reappear again in the fourth significant variant. Stuxnet was a far more sophisticated animal, taking advantage of zero-day vulnerabilities and requiring specialist knowledge of SCADA systems and nuclear facilities.<br />
&nbsp;<br />
3 &#8211; I would theorise that the creators of Stuxnet chose to also use the MS08-067 vulnerability because its effectiveness is demonstrated by the fact that Conficker is still one of the most prevalent infections in enterprise networks, three years after its initial appearance. Why would you make two pieces of malware that propagate using the same vulnerability and yet rely on one to download the other?<br />
&nbsp;<br />
4 &#8211; The &#8220;activation date&#8221; of April 1 was <strong>coded into</strong> the third variant of Conficker. You don&#8217;t need unspecified time-stamps on unspecified files to tell you that.<br />
&nbsp;<br />
5 &#8211; April 1st is also April Fool&#8217;s day in many countries around the world; it&#8217;s also the anniversary of the founding of Apple Inc., the founding of the Serious Organised Crime Agency (SOCA) in the UK, the birth of the Republic of Ireland and the land blockade of West Berlin by the East German military. Get my point? As regards President Mahmoud Ahmadinejad saying that his country would continue to pursue its nuclear program, well surely, pick a day, pick any day&#8230;<br />
&nbsp;<br />
Then of course there&#8217;s the difficult conclusion, relying on persons unknown to plug a USB device into a Confuxnet infected machine, then unknowingly taking that same USB drive and plugging it into a PLC in a nuclear facility. Given the &#8220;unprecedented sophistication&#8221; of everything that has gone before, isn&#8217;t this one just a tiny bit of a shot in the dark? A little bit &#8220;hit and hope&#8221;?<br />
&nbsp;<br />
Sorry Mr. Bumgarner, it could be true, of course it could, and it could be that you have been misreported, but on the evidence you present so far, I just don&#8217;t buy it.<br />
&nbsp;<br />
If I were a government with this kind of resource at my disposal, wouldn&#8217;t it make sense for one of my operatives in the target facility to simply take the USB containing Stuxnet right there for me?<br />
&nbsp;<br />
I know, there weren&#8217;t any aliens.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/conficker-duqu-stuxnet-aliens-confuxnet/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>The mobile threat: FUD or MUD</title>
		<link>http://countermeasures.trendmicro.eu/the-mobile-threat-fud-or-mud/</link>
		<comments>http://countermeasures.trendmicro.eu/the-mobile-threat-fud-or-mud/#comments</comments>
		<pubDate>Mon, 21 Nov 2011 13:38:21 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[countermeasures]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Family Safety]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Mobile threats]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=3150</guid>
		<description><![CDATA[Preface: This blog is not about open source vs closed, it&#8217;s also not about Android vs iOS or any other mobile operating system. It&#8217;s about criminals vs people, it&#8217;s about hype and reality and it&#8217;s about knee-jerk self-preservation vs openness and consideration. &#160; Last Wednesday, Chris DiBona (Open Source Programs Manager at Google Inc.) made [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Preface</strong>: This blog is not about open source vs closed, it&#8217;s also not about Android vs iOS or any other mobile operating system. It&#8217;s about criminals vs people, it&#8217;s about hype and reality and it&#8217;s about knee-jerk self-preservation vs openness and consideration.<br />
&nbsp;<br />
Last Wednesday, Chris DiBona (Open Source Programs Manager at Google Inc.) made <a title="Chris DiBona Google+" href="https://plus.google.com/u/0/114765095157367281222/posts/ZqPvFwdDLPv" target="_blank">a post on his Google+ profile</a> hitting out at claims about &#8220;<em>open source being inherently insecure&#8217; and that android is festooned with viruses because of that and because we do not exert apple like controls over the app market</em>&#8221;.<br />
&nbsp;<br />
While Chris does make some reasonable points regarding the comparative resilience and security of open source code, I can&#8217;t help but feel that he is wilfully missing the point when it comes to the current threat landscape that confronts smartphone users today. I&#8217;ll deal with the points I disagree with in the same sequence that Chris raises them:<br />
&nbsp;<br />
1 &#8211; &#8220;<em>All the major vendors have app markets, and all the major vendors have apps that do bad things, are discovered, and are dropped from the markets</em>.&#8221;<br />
&nbsp;<br />
Yes Chris, the major vendors all distribute apps based on the Marketplace or App Store model. One or more rogue or plain malicious apps have been discovered in most of those distribution channels and some of them get removed. Some of them even get removed in a timely fashion. Perhaps this is where some of the criticism based on &#8220;<em>openness</em>&#8221; has been misunderstood. As far as I am concerned, the problem pertinent to Android is not that the OS itself is open source (like I said, you made some valid points about that), but that the app <strong>distribution mechanism</strong> is entirely open. Android embraces the concept of multiple third party marketplaces in addition to the &#8220;official&#8221; marketplace, and even in the &#8220;official&#8221; marketplace there is no upfront vetting of code or functionality. Couple that with the undeniable and deserved popularity of the platform, and it is no surprise that criminals are already actively exploiting an opportunity here. It&#8217;s not the open source, it&#8217;s the openness of the source.<br />
&nbsp;<br />
2 &#8211; &#8220;<em>Yes, virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS. They are charlatans and scammers. IF you work for a company selling virus protection for android, rim or IOS you should be ashamed of yourself.&#8221;</em><br />
&nbsp;<br />
Well now, this seems to be plainly stating that there is no malware problem for the popular mobile platforms. The weight of evidence (not to mention criminal intent) would seem to be heavily against you here Chris, and Android itself seems to be the target of choice. TrendLabs for example have <a title="A snapshot of Android threats" href="http://blog.trendmicro.com/a-snapshot-of-android-threats-infographic/" target="_blank">documented a 1410% increase</a> in Android malware in the period January to July 2011. Let me be very clear. I am well aware that this rate of increase is starting from a low base; those four figure increases are not as shocking as they may at first appear. In raw numbers the total amount of malware is of course orders of magnitude lower than for example the Wintel platform. However, the more important figure is not the total number of malware, but the <em>rate of increase</em> of that malware quarter on quarter and year on year. That demonstrates current, active and sustained criminal interest in the mobile platform. It&#8217;s not complicated, criminals follow consumers; always have, always will.<br />
&nbsp;<br />
3 &#8211; &#8220;<em>If you read an analyst report about &#8216;viruses&#8217; infecting ios, android or rim, you now know that analyst firm is not honest and is staffed with charlatans. There is probably an exception, but extraordinary claims need extraordinary evidence. If you read a report from a vendor that tries to sell you something based on protecting android, rim or ios from viruses they are also likely as not to be scammers and charlatans</em>.&#8221;<br />
&nbsp;<br />
I think the figures referenced above and <a title="Mobile - TrendLabs" href="http://blog.trendmicro.com/category/mobile/" target="_blank">the litany of mobile woe researched and documented by TrendLabs here</a> speak for themselves. This clinging desperately to the term &#8220;<strong>virus</strong>&#8221; in a last ditch attempt to demonstrate that a platform is free of <strong>malware</strong> is exactly the same language I have heard from MacOS enthusiasts (I am one, before you flame me) who have been historically unwilling to admit that now the criminals are after them as well. It may well be that there are no viruses in the strictest definition of the term, Chris, but where do you stand on criminal malware for mobile devices?<br />
&nbsp;<br />
4 &#8211; &#8220;<em>Please note: Policy engines, and those tools that manage devices from a corporate IT department are not the same thing at all, but sometimes marketers in companies that sell such things sometimes tack on &#8216;virus&#8217; protection. That part is a lie, tell your vendor to cut it out.</em>&#8221;<br />
&nbsp;<br />
So we agree that security of mobile devices extends far beyond the threat from malware. Of course there is loss, theft, inappropriate access, device tracking, web-based threats through social networking or phishing for example and many other areas to consider (by the way this is important for the consumer too) but advising your users to request that vendors remove functionality designed to detect malicious software? Well I guess that&#8217;s one way to make a platform appear malware free&#8230;</p>
<p>&nbsp;</p>
<p>Am I ashamed of myself? Not at all. I&#8217;d prefer to offer protection against a growing threat to personal and business security than to bury my head in the sand and defend my stance with wild accusation.<br />
&nbsp;<br />
Your post very much accuses security vendors of FUD, sowing Fear, Uncertainty and Doubt. I hope I have demonstrated that is very much not the case. Maybe your outburst was more a case of MUD? Myopic Unalloyed Denial.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/the-mobile-threat-fud-or-mud/feed/</wfw:commentRss>
		<slash:comments>17</slash:comments>
		</item>
		<item>
		<title>How to check if you are a victim of Ghost Click</title>
		<link>http://countermeasures.trendmicro.eu/how-to-check-if-you-are-a-victim-of-operation-ghost-click/</link>
		<comments>http://countermeasures.trendmicro.eu/how-to-check-if-you-are-a-victim-of-operation-ghost-click/#comments</comments>
		<pubDate>Wed, 09 Nov 2011 22:27:22 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Bad guys always lose]]></category>
		<category><![CDATA[countermeasures]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Family Safety]]></category>
		<category><![CDATA[Mac OS]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Underground Economy]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[Fake AV]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Rogue AV]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=3130</guid>
		<description><![CDATA[&#160; Trend Micro and the FBI are very pleased to announce today the dismantling of a criminal botnet, in what is the biggest cybercriminal takedown in history. &#160; This concerted action against an entrenched criminal gang is highly significant and represents the biggest cybercriminal takedown in history. Six people have been arrested through multinational law [...]]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_3131" class="wp-caption alignleft" style="width: 510px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/11/265838484_c6c4980b55.jpg"><img src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/11/265838484_c6c4980b55.jpg" alt="Ghost in the Machine" title="Ghost in the Machine" width="500" height="460" class="size-full wp-image-3131" /></a><p class="wp-caption-text">used by permission from flattop341 Flickr photostream</p></div><br />
&nbsp;</p>
<p>Trend Micro and the <a href="http://www.fbi.gov/news/stories/2011/november/malware_110911/malware_110911" target="_blank">FBI</a> are very pleased to announce today the dismantling of a criminal botnet, in what is <a title="Esthost Taken Down &#8211; Biggest Cybercriminal Takedown in History" href="http://blog.trendmicro.com/esthost-taken-down-%e2%80%93-biggest-cybercriminal-takedown-in-history/" target="_blank">the biggest cybercriminal takedown in history</a>.<br />
&nbsp;<br />
This concerted action against an entrenched criminal gang is highly significant and represents the biggest cybercriminal takedown in history. Six people have been arrested through multinational law enforcement cooperation based on solid intelligence supplied by Trend Micro and other industry partners. More than 4 million victims in over 100 countries have been rescued from the malign influence of this botnet and an infrastructure of over 100 criminal servers has been dismantled with minimal disruption to the innocent victims.<br />
&nbsp;<br />
If you are worried that you might have been a victim of this criminal activity, the FBI have made an online tool available which will allow you to check if your DNS server settings have been tampered with.<br />
&nbsp;<br />
First you will need to discover what your current DNS server settings are:<br />
&nbsp;<br />
On a PC, open the <strong>Start</strong> menu by clicking the Start button or the Windows icon in the lower left of your screen, in the <strong>Search</strong> box type &#8220;<strong>cmd</strong>&#8221; and hit return (for Windows 95 users, select &#8220;<strong>Start</strong>&#8221;, then &#8220;<strong>Run</strong>&#8221;). This should open a black window with white text. In this window type &#8220;<strong>ipconfig /all</strong>&#8221; and hit return. Look for the entry that reads &#8220;DNS Servers&#8221; and note down the numeric addresses that are listed there.<br />
&nbsp;<br />
On a Mac (yes they can be victims too), click on the <strong>Apple</strong> icon in the top left of your screen and select &#8220;<strong>System Preferences</strong>&#8221;, then from the Preferences panel select the &#8220;<strong>Network</strong>&#8221; icon. Once this window opens, select the currently active network connection in the left column and over on the right select the <strong>DNS</strong> tab. Note down the addresses of the DNS servers that your computer is configured to use.<br />
&nbsp;<br />
You can check to see if these addresses correspond to servers used by the criminals behind Operation Ghost Click by using <a href="https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS" target="_blank">this online tool provided by the FBI</a>: simply enter the IP addresses, one by one, and click the &#8220;check ip&#8221; button.<br />
&nbsp;<br />
If you feel that your computer may have been infected, you can visit <a href="http://housecall.trendmicro.com/" target="_blank">Trend Micro&#8217;s HouseCall</a> for a free scan and clean-up and <a href="https://forms.fbi.gov/dnsmalware" target="_blank">notify the FBI by submitting this form</a>. You should also contact your Internet Service Provider for advice on restoring your legitimate DNS settings.<br />
&nbsp;<br />
Ongoing updates on this threat can be found on our <a href="http://us.trendmicro.com/us/trendwatch/current-threat-activity/operation-ghost-click/index.html">Operation Ghost Click landing page</a>.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/how-to-check-if-you-are-a-victim-of-operation-ghost-click/feed/</wfw:commentRss>
		<slash:comments>30</slash:comments>
		</item>
		<item>
		<title>The mobile threat &#8211; Get Safe Online</title>
		<link>http://countermeasures.trendmicro.eu/the-mobile-threat-get-safe-online/</link>
		<comments>http://countermeasures.trendmicro.eu/the-mobile-threat-get-safe-online/#comments</comments>
		<pubDate>Tue, 08 Nov 2011 15:16:26 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Mobile threats]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=3108</guid>
		<description><![CDATA[Yesterday saw the launch of Get Safe Online week in the UK, an annual event aimed at raising awareness among consumers and small business of the threat from online crime. &#160; The focus of the launch event yesterday was mobile malware and I was asked to give a presentation and demonstration of how this threat [...]]]></description>
			<content:encoded><![CDATA[<p>Yesterday saw the launch of Get Safe Online week in the UK, an annual event aimed at raising awareness among consumers and small business of the threat from online crime.<br />
&nbsp;<br />
The focus of the launch event yesterday was mobile malware and I was asked to give a presentation and demonstration of how this threat manifests itself. The video that I made with the BBC illustrates just how invisible and damaging SMS fraud malware can be and the kind of financial damage it can inflict on the victim.<br />
&nbsp;</p>
<div class="wrapper_thema_archiv">
<div class="thema"><span class="headline"><a class="red" href="http://www.bbc.co.uk/news/technology-15599264" target="_blank">Smartphone scams: Owners warned over malware apps</a></span><br />
<span class="beschreibung_grey">Added on November 12th, 2011</span><br />
<a href="http://www.bbc.co.uk/news/technology-15599264" target="_blank"><img src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/11/bbc2.jpg" border="0" alt="" /></a>
</div>
</div>
<p>&nbsp;<br />
The history of mobile malware begins back in 2004 with the appearance of <a href="http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&amp;name=SYMBOS_CABIR.A" target="_blank">Cabir</a>, the forerunner of many later variants. Cabir was aimed at infecting Symbian based devices; it first emerged as a proof-of-concept but was rapidly picked up and abused by those with criminal intent. Cabir made money by sending premium rate SMS messages from infected devices. This means of turning a profit turned out to be so effective that by 2009 SMS fraud Trojans made up the bulk of mobile malware, and that trend has continued and grown with the rise of the smartphone. In fact, the first ever Trojan for Android based devices was also an SMS fraud Trojan, known as <a href="http://about-threats.trendmicro.com/Malware.aspx?language=us&amp;name=ANDROIDOS_DROIDSMS.A" target="_blank">ANDROIDOS_DROIDSMS.A</a>.<br />
&nbsp;<br />
Malware exists for all major mobile platforms. In fact, renowned mobile security researcher Charlie Miller announced yesterday that he had devised a way to embed functionality in apps for Apple&#8217;s iPhone which allowed them to download and run code after the initial application had been installed. His <a title="Apple expels serial hacker for publishing iPhone exploit" href="http://www.theregister.co.uk/2011/11/08/apple_excommunicates_charlie_miller/" target="_blank">proof of concept app</a> had been checked by Apple and had been available in the App Store since September.<br />
&nbsp;<br />
If you are interested in finding out more about the history of mobile malware you can <a title="A Brief History of Mobile Malware" href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/11/History-of-Mobile-Malware.pdf" target="_blank">download my paper </a>on that very subject right here.<br />
&nbsp;<br />
The TrendLabs mobile threats information hub can be found <a href="http://about-threats.trendmicro.com/mobile">here</a>.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/the-mobile-threat-get-safe-online/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>DigiNotar, Iran, Certificates and YOU</title>
		<link>http://countermeasures.trendmicro.eu/diginotar-iran-certificates-and-you/</link>
		<comments>http://countermeasures.trendmicro.eu/diginotar-iran-certificates-and-you/#comments</comments>
		<pubDate>Mon, 05 Sep 2011 11:57:50 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[data leakage]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Site Compromise]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[snooping]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2995</guid>
		<description><![CDATA[The story that has been slowly breaking over the past few days regarding the compromise at Dutch certificate authority DigiNotar and the subsequent &#8220;theft&#8221; of many important credentials is one that is of huge importance for internet users, governments and even the trust foundation that underlies the internet in general. &#160; What has happened exactly? [...]]]></description>
			<content:encoded><![CDATA[<p>The story that has been slowly breaking over the past few days regarding the <a href="http://www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx" title="DigiNotar reports security incident" target="_blank">compromise at Dutch certificate authority DigiNotar</a> and the subsequent &#8220;theft&#8221; of many important credentials is one that is of huge importance for internet users, governments and even the trust foundation that underlies the internet in general.<br />
&nbsp;<br />
<strong>What has happened exactly?</strong><br />
&nbsp;<br />
DigiNotar is a trusted certificate authority. That means that it can issue certificates that allow websites offering secure, encrypted communications to prove that they are who they say they are. Think of it as a digital passport. When you browse to your bank, your email provider or any other secure site, these certificates are exchanged in the background before secured communications can begin. Your web browser contains a list of &#8220;root authorities&#8221; whose certificates can be trusted. If a web site presents a valid certificate then your browser will trust it and begin encrypted communications. When the certificate is valid, this all happens transparently to you, the end user. DigiNotar&#8217;s security has been compromised and a large number of fraudulent certificates have been issued. A full list can be found <a href="https://blog.torproject.org/files/rogue-certs-2011-09-04.csv" title="CSV file of bad DigiNotar certs" target="_blank">here</a> (CSV file), although it should be stated that this list may yet grow over time.<br />
&nbsp;<br />
<strong>What is a valid certificate?</strong><br />
&nbsp;<br />
A valid certificate is one that matches the name of the site that is using it, that has an expiry date that has not yet passed and, critically, that is signed by a trusted authority. It is this last step that is normally difficult for those with malicious intent to overcome. If I present a faked, expired or otherwise fraudulent certificate, your browser will alert you and you may well choose not to continue the communication.<br />
&nbsp;<br />
<strong>So what does this mean?</strong><br />
&nbsp;<br />
If I can set up a &#8220;man-in-the-middle&#8221;, for example a proxy server, between you and your bank, it is very simple for me to intercept and read plain old HTTP traffic, as it is not encrypted. HTTPS traffic, however, would be a problem: it is encrypted between you and your bank and I don&#8217;t have the keys to decrypt it. If I have a valid certificate that appears to come from your bank I can overcome this problem: my proxy can pretend to be your bank, present the right credentials, and I can decrypt and read all your content before I pass it on to the real final destination.<br />
&nbsp;<br />
<strong>Who is at risk?</strong><br />
&nbsp;<br />
In a normal situation where I am browsing the internet, I connect directly from my computer to my bank over a network I trust, and I am not at risk. If, however, all my traffic must pass through a proxy, either at my Internet Service Provider or at state level, which is the case in some more restrictive nations, then I am at risk. The owner of the proxy can make use of fraudulent certificates and act as a man-in-the-middle. There is also a risk on public networks such as wi-fi hotspots; again, the hotspot provider will often make use of a proxy. Under normal circumstances encrypted traffic will simply be passed through untouched, but if I have a shady certificate and malicious intent I can intercept your traffic.<br />
&nbsp;<br />
Alternatively I could infect your system with malware that configures your computer to pass all your traffic through a proxy of my choice, wherever you are located. For this to be effective I would need to be able to install code on your system to make these changes. At least one of the fraudulent certificates allows &#8220;code signing&#8221;, meaning it can be used to certify that a program is from a valid publisher, so this possibility certainly exists in theory.<br />
&nbsp;<br />
Trend Micro&#8217;s Feike Hacquebord has uncovered <a href="http://blog.trendmicro.com/?p=36667" title="TrendLabs Malware blog">concrete evidence</a> that the fraudulent certificates issued as a result of the DigiNotar compromise have disproportionately and suspiciously affected users based in Iran (link to TrendLabs blog to follow). In Iran, all web traffic must pass through state approved proxies, the perfect man-in-the-middle. In this scenario, the &#8220;benefits&#8221; of owning fraudulent certificates are clear. All encrypted traffic for affected destinations can now be decrypted at will and the end user will be entirely unaware. It has been reported that the fraudulent certificates obtained include certs for *.com and *.org, meaning that all traffic for any web site with one of these suffixes can be intercepted.<br />
&nbsp;<br />
<strong>Is the internet broken?</strong><br />
&nbsp;<br />
Does this event undermine the foundations of trusted communication online? Not entirely, although it certainly highlights a weak link in the chain. Authorities that are trusted to certify the identity and validity of web servers have a responsibility to ensure that the security of their systems and networks is second to none; they represent the top of the food chain. Having said that, security should always be designed on the assumption that a breach will occur. The key to successfully responding to such an event lies in the honesty and transparency of an authority that has been the victim of such an attack. Details of any such breach should be made public immediately so that the bad certificates can be revoked and will no longer be accepted by browsers around the world, thus mitigating the effect of such an attack. Unfortunately, in the case of DigiNotar, the extent of the breach was reported as minimal at the outset and the full details are only now becoming clear, several days later. We now know that 531 bad certificates have been issued, including those for *.*.com and *.*.org, making the certificates for WindowsUpdate look tame by comparison. The compromise at DigiNotar happened in July of this year; at the time of the initial investigation the fraudulent cert for google.com was not discovered, meaning that that one at least was in the wild for over a month.<br />
&nbsp;<br />
Trust in all certificates issued by DigiNotar has already been revoked by many browser and operating system manufacturers and the consequences for DigiNotar as a company are likely to be severe, possibly fatal.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/diginotar-iran-certificates-and-you/feed/</wfw:commentRss>
		<slash:comments>17</slash:comments>
		</item>
		<item>
		<title>Mac malware: Same shizzle, different dizzle.</title>
		<link>http://countermeasures.trendmicro.eu/mac-malware-same-shizzle-different-dizzle/</link>
		<comments>http://countermeasures.trendmicro.eu/mac-malware-same-shizzle-different-dizzle/#comments</comments>
		<pubDate>Fri, 27 May 2011 12:18:14 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Mac OS]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[SEO]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[Fake AV]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2847</guid>
		<description><![CDATA[You may have read in the press recently about the Mac Defender scareware that is affecting many OSX users, to the extent that Apple have even promised to deliver a removal tool and a fix to their customers. Trend Micro&#8217;s Smart Surfing for Mac has been protecting against this threat from the outset, both by [...]]]></description>
			<content:encoded><![CDATA[<p>You may have <a href="http://www.bbc.co.uk/news/technology-13560137">read in the press</a> recently about the <a href="http://about-threats.trendmicro.com/Malware.aspx?language=us&amp;name=OSX_FAKEDEF.M">Mac Defender</a> scareware that is affecting many OS X users, to the extent that Apple have even <a href="http://support.apple.com/kb/HT4650">promised to deliver a removal tool and a fix</a> to their customers. <a href="http://emea.trendmicro.com/emea/products/personal/smart-surfing-for-mac/index.html">Trend Micro&#8217;s Smart Surfing for Mac</a> has been protecting against this threat from the outset, both by detecting and blocking the malicious files and, importantly, by blocking access to the criminal websites being used to propagate this threat. You may be surprised to hear, though, that Mac Defender is not the first &#8220;scareware&#8221; application targeting Mac users and trying to trick them into parting with their cash and their credit card details.<br />
&nbsp;<br />
Malware for Mac OS X is nothing new, and the increasing popularity of the platform is driving criminal interest. In addition to <a href="http://about-threats.trendmicro.com/Malware.aspx?language=us&amp;name=OSX_FAKEDEF.M">Mac Defender</a> (May 2011), there are already several threats in the wild that affect Mac OS X: the <a href="http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&amp;name=OSX_LEAP.A">Leap worm</a> (Feb 2006) that propagates through iChat, the <a href="http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&amp;name=OSX_RSPLUG.A">RSPlug Trojan</a> (Oct 2007) that drops DNS changing malware, the <a href="http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&amp;name=OSX_MACSWEEP.A">MacSweeper</a> &amp; <a href="http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&amp;name=OSX_IMUNIZATOR.A">IMunizator</a> (Jan &amp; Mar 2008) scareware, <a href="http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&amp;name=OSX_JAHLAV.A">Jahlav</a> (Dec 2008), another DNS changing malware, <a href="http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&amp;name=OSX_KROWI.A">Krowi</a> (Jan 2009), responsible for the first Mac OS botnet, and <a href="http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&amp;name=OSX_HELLRTS.A">HellRTS</a> (April 2010), another Trojanised installer, this time for iPhoto, which gives attackers remote control over the infected computer.<br />
&nbsp;<br />
MacSweeper, IMunizator and now Mac Defender are typical scareware Trojans. In 2008 they were delivered by malicious advertisements; in 2011 criminals have adopted the tried and tested tactics so successful in the world of Windows: Blackhat Search Engine Optimisation. Booby-trapped web pages are created, designed to show up on the first page of search results for popular terms. Simply clicking the link to one of these pages is enough to start the infection process. The latest version has even worked out a method to bypass the requirement for the user to type an admin password in order to install. Affected users are presented with a professional-looking application and informed that multiple security issues have been discovered on their computer. Subsequently they are duped into buying a completely bogus piece of software to &#8220;fix&#8221; those issues, a tactic with which Windows users will be only too familiar. RSPlug and Jahlav have both been known to pose as video codec installers, another tactic long popular on the Windows platform. Once installed, DNS changing malware hijacks connections to sites such as eBay, PayPal and some banking sites. Often the malicious hosting site will detect whether the browser is Mac or PC based and serve up the corresponding flavour of Trojan, demonstrating that it is the same skilled and experienced malware business that is now setting its sights on the Apple community. It is also worth noting that Mac forums were subjected to a barrage of spam encouraging people to visit the hosting sites in what appeared to be a co-ordinated campaign. Also important is the fact that these malware examples are not single discrete files; they represent entire families of malware, where new variants are continually being released to defeat signature based detection.<br />
&nbsp;<br />
These examples of techniques long tried and tested in the Wintel world should serve as a salutary warning to the Mac community, and it seems that Apple themselves may finally be listening. Malware has existed on the Mac platform since pre-OS X days, as have anti-malware tools. However, the radical change in the nature of the malware industry, coupled with Apple&#8217;s huge success in recent years, means it is a trend which is now far more likely to be exploited for malicious ends, and at the financial cost of the end user, in the coming months and years.<br />
&nbsp;<br />
For many years now Mac users have believed themselves to be invulnerable to malware, and have <a href="http://movies.apple.com/movies/us/apple/getamac/trustmac_480x376.mov">been encouraged in this belief by Apple themselves</a> on more than one occasion, or &#8220;<a href="http://www.apple.com/why-mac/better-os/#viruses">Safeguard your data by doing nothing</a>&#8221;. This complacency leaves many Mac users with the mistaken belief that either Macs are not vulnerable to malware, or that none exists for their platform, or both, impairing their ability to make informed decisions when downloading or installing new software, opening attachments or visiting questionable sites.<br />
&nbsp;<br />
Cybercrime and malware in today&#8217;s world is big business, and one that ever more closely resembles the world of legitimate business, including outsourcing, R&amp;D budgets, Malware as a Service platforms, SLAs and even EULAs. In this shady world of business it would definitely be fair to say that as the Mac market share expands and the user base grows, so does its perceived potential to the cybercriminal. It&#8217;s all about Return on Investment, and the fact that that user base is largely unprepared and the computers themselves largely unprotected only increases the attractiveness.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/mac-malware-same-shizzle-different-dizzle/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
<enclosure url="http://movies.apple.com/movies/us/apple/getamac/trustmac_480x376.mov" length="3612234" type="video/quicktime" />
		</item>
		<item>
		<title>Osama lives again on Facebook</title>
		<link>http://countermeasures.trendmicro.eu/osama-lives-again-on-facebook/</link>
		<comments>http://countermeasures.trendmicro.eu/osama-lives-again-on-facebook/#comments</comments>
		<pubDate>Mon, 02 May 2011 17:28:54 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Family Safety]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2800</guid>
		<description><![CDATA[Criminals are wasting no time in harnessing the undeniable impact of the news of Osama Bin Laden&#8217;s death to bait familiar old traps on facebook. &#160; I just got a call from, let&#8217;s call him &#8220;a concerned family member&#8221;, after he had been taken in by a facebook &#8220;chat virus&#8221;. &#160; The infection chain started [...]]]></description>
			<content:encoded><![CDATA[<p>Criminals are wasting no time in harnessing the undeniable impact of the news of Osama Bin Laden&#8217;s death to bait familiar old traps on facebook.<br />
&nbsp;<br />
I just got a call from, let&#8217;s call him &#8220;a concerned family member&#8221;, after he had been taken in by a facebook &#8220;chat virus&#8221;.<br />
&nbsp;<br />
The infection chain started with a chat message from a friend. The message read &#8220;<em>watch the video of them killing osama bin laden live!</em>&#8221; and was accompanied by a link. The message began with the victim&#8217;s real name, giving it added credibility.<br />
&nbsp;<br />
<a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/05/chat.png"><img class="alignleft size-full wp-image-2801" title="chat" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/05/chat.png" alt="" width="267" height="315" /></a><br />
&nbsp;<br />
The link leads to a page that may look familiar to those of you who keep up with this sort of thing, but as my br&#8230; um&#8230; concerned family member can attest, it still fools the unwary.<br />
&nbsp;<br />
<a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/05/jslure.png"><img class="alignleft size-large wp-image-2803" title="jslure" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/05/jslure-400x244.png" alt="" width="400" height="244" /></a><br />
&nbsp;<br />
The instructions on the page inform the unfortunate mark that in order to view the supposed execution video, they need to paste the &#8220;video code&#8221; into the address bar of the browser. This may seem an unusual request in the context of a blog post, but when the recommendation comes to you in a live chat message from a friend you know and trust, your spider senses may not be tingling quite so much.</p>
<p>&nbsp;<br />
The code that you are pasting into your address bar is a JavaScript that simply calls a second JavaScript file hosted on a compromised but otherwise innocent website. The second file enumerates all your friends and sends them chat messages, creates an event to which all your friends are invited and continually updates your facebook status, meaning that the video link is immediately posted to your facebook wall to entice other unwary facebookers and spammed out in personalised chat messages and event invitations to your nearest and dearest (well, your Facebook friends anyway).<br />
&nbsp;<br />
The tactics used are exactly the same as in many of the <a href="http://countermeasures.trendmicro.eu/whos-checking-your-facebook-profile-scammers/">&#8220;Profile Spy&#8221;, or &#8220;See who views your profile&#8221; scams </a>that do the rounds so often, in fact the offending JavaScript file in this instance even contains the line &#8220;<span style="font-size: small;"><em>var eventdesc = &#8216;Hey everyone, \n\ fb now lets you see who viewed your profile! to enable this feature, go here! -</em>&#8221; suggesting that this represents nothing more than a rebaited trap. </span><br />
&nbsp;<br />
<span style="font-size: small;">But hey, there&#8217;s an old saying in Tennessee &#8211; I know it&#8217;s in Texas, it&#8217;s probably in Tennessee &#8211; that says, fool me once, shame on &#8230; shame on you. It fool me. We can&#8217;t get fooled again (with thanks to GWB)</span><br />
&nbsp;<br />
What do we learn from this? I guess the simplest lesson is, if you receive an unsolicited link from someone, even someone you know, check with them first before you click. You never know, you could be doing them a favour and letting them know they have been duped. And NEVER paste ANYTHING that is not a URL into your browser address bar.<br />
&nbsp;<br />
It is also worth noting that this is not the only Osama scam currently spreading on Facebook; I also spotted many iterations of a second attack that uses <a href="http://en.wikipedia.org/wiki/Clickjacking">clickjacking</a> in the form of a bogus CAPTCHA to fool users into posting the bait to their own walls.<br />
&nbsp;<br />
<a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/05/math.png"><img src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/05/math-400x320.png" alt="" title="math" width="400" height="320" class="alignleft size-large wp-image-2802" /></a><br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/osama-lives-again-on-facebook/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Malvertising, who&#8217;s responsible?</title>
		<link>http://countermeasures.trendmicro.eu/malvertising-whos-responsible/</link>
		<comments>http://countermeasures.trendmicro.eu/malvertising-whos-responsible/#comments</comments>
		<pubDate>Fri, 01 Apr 2011 12:18:05 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[malware]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[Underground Economy]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[Fake AV]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[Rogue AV]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2721</guid>
		<description><![CDATA[Online advertisements are a part of our daily browsing experience, as they are also an essential part of companies&#8217; online marketing strategies. So how do we know, when visiting websites that carry these networked advertisements, whether we are opening ourselves up to criminal compromise through malicious ads? &#160; Tweet from the New York Times after they fell victim [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Online advertisements are a part of our daily browsing experience as they are also an essential part of companies&#8217; online marketing strategies. So how do we know, when visiting websites that carry these networked advertisements, whether we are opening ourselves up to criminal compromise through malicious ads?</strong><br />
&nbsp;</p>
<p><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2009/09/NYTTwitter.png" target="_blank"><img src="http://countermeasures.trendmicro.eu/wp-content/uploads/2009/09/NYTTwitter.png" alt="" width="510" height="283" border="0" /></a><br />Tweet from the New York Times after they fell victim to criminal ads</p>
<p>&nbsp;<br />
Web site owners use trusted content networks to provide advertisements for their websites, and criminals are actively targeting this trust relationship as it represents a weak link in the chain of content control. Criminals create shell companies to place advertisements that hide malicious content in ads that are subsequently placed with high profile advertising networks. These malvertisements are then syndicated across many hundreds of web sites, silently infecting as many victims as possible, as <a title="NYT victim of malicious advertising" href="http://countermeasures.trendmicro.eu/new-york-times-pushes-fake-av-malvertisement/" target="_blank">these</a> <a title="Farm Town Malicious Ads" href="http://www.theregister.co.uk/2010/04/12/farm_town_malicious_ads/" target="_blank">examples</a> <a title="Malvertising continues to pound legitimate web sites" href="http://www.csoonline.com/article/675064/malvertising-continues-to-pound-legitimate-web-sites" target="_blank">illustrate</a>.<br />
&nbsp;<br />
Malvertisements, as they are referred to, have become increasingly common over the past few years and continue to be a growing problem. The potential number of victims available to criminals through a syndicated ad will often far outstrip the potential return for compromising an individual website. Internet users are unknowingly putting themselves at risk when they visit legitimate websites which happen to be carrying malvertisements designed to invisibly and automatically infect them through drive-by downloads. A drive-by download usually involves a chain of events: the victim visits a website, which in this case is carrying a malvertisement; the malvertisement contains content (most often JavaScript or Adobe Flash) which is automatically executed by the browser; the purpose of the JavaScript is to automatically and invisibly redirect the browser to a server hosting exploits (commonly a criminal exploit kit such as Yes!, Eleonore or Phoenix, for example); these exploits are then used to push out the final malicious payload of the criminal&#8217;s choosing. In some cases exploits for technologies such as Adobe Flash are embedded directly within the malvertisements, with the same end result of delivering a malicious payload. Once infected, your PC is compromised or your virtual wallet lifted in a number of ways; from pushing fake security software which attempts to fool you into believing that your PC is infected with any number of entirely bogus malware which only this (paid-for) application can remove, to criminals stealing your personal or financial details and/or obtaining remote access to your PC.<br />
&nbsp;<br />
So where does the responsibility lie? Is it with the web site that is hosting the malicious adverts, the network distributing them, or the consumer who visits the website? Really the responsibility, as well as the potential for damage, is shared. Web site owners and ad-networks alike suffer embarrassing brand damage when their customers are infected and the victim of course suffers the pain of information or identity theft and financial loss.<br />
&nbsp;<br />
It is certainly true to say that if the right checks and balances were in place the problem would largely cease to exist, at least on legitimate websites. Clients of ad-networks should be applying pressure to their provider of choice to ensure that the appropriate checks are made before the advert goes out. Ideally, automated systems need to be in place at the advertising content providers to run the ads through a sandbox before they are released into the public domain, checking for any kind of active or malicious code. Third party providers should perform specific checks to verify URLs and detect any unexpected or unwanted behaviour such as automated redirections. Even if not malicious, no web user wants to be bounced off to a third party website simply as a result of rendering an ad in their browser, and no website owner would want their visitors stolen in this way either!<br />
&nbsp;<br />
In the meantime, Internauts should ensure that they have the appropriate anti-malware software installed on their PC to minimise the risk. Free options include tools such as <a title="Free Tools and Services from Trend Micro" href="http://uk.trendmicro.com/uk/products/personal/free-tools-and-services/" target="_blank">Browser Guard</a>, which blocks exploit attempts and detects malicious JavaScript, stopping it from executing. When choosing anti-malware software, it&#8217;s important not to focus purely on software that will scan for bad files, but also on software that will stop PCs (and not just browsers) from connecting to malicious destinations.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/malvertising-whos-responsible/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google Android rooted, backdoored, infected.</title>
		<link>http://countermeasures.trendmicro.eu/google-android-rooted-backdoored-infected/</link>
		<comments>http://countermeasures.trendmicro.eu/google-android-rooted-backdoored-infected/#comments</comments>
		<pubDate>Wed, 02 Mar 2011 13:08:49 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Mobile threats]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Underground Economy]]></category>
		<category><![CDATA[android]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[DroidDream]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[smartphone]]></category>
		<category><![CDATA[snooping]]></category>
		<category><![CDATA[telephone]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2655</guid>
		<description><![CDATA[&#160; The folks over at Android Police published details yesterday of what they describe as &#8220;the mother of all Android malware&#8221; that was initially spotted by reddit contributor lompolo. &#160; Lompolo posted details of 21 Android apps which were repackaged versions of legitimate apps, at current count now more than 50 malicious apps appear to [...]]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_2657" class="wp-caption alignleft" style="width: 235px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/03/androidattack.jpg"><img class="size-medium wp-image-2657" title="androidattack" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2011/03/androidattack-225x300.jpg" alt="Android Attack" width="225" height="300" /></a><p class="wp-caption-text">Image from MJ/TR Flickr under Creative Commons</p></div><br />
&nbsp;<br />
The folks over at Android Police <a title="The Mother Of All Android Malware Has Arrived" href="http://www.androidpolice.com/2011/03/01/the-mother-of-all-android-malware-has-arrived-stolen-apps-released-to-the-market-that-root-your-phone-steal-your-data-and-open-backdoor/" target="_blank">published details</a> yesterday of what they describe as &#8220;<strong><em>the mother of all Android malware</em></strong>&#8221; that was <a title="Someone just ripped off 21 popular free apps from the market, injected root exploits into them and republished. 50k-200k downloads combined in 4 days" href="http://www.reddit.com/r/Android/comments/fvepu/someone_just_ripped_off_21_popular_free_apps_from/" target="_blank">initially spotted</a> by reddit contributor lompolo.<br />
&nbsp;<br />
Lompolo posted details of 21 Android apps which were repackaged versions of legitimate apps; at the current count, more than 50 malicious apps appear to be involved. The repackaged versions include the <a href="http://forum.xda-developers.com/showthread.php?t=792016" target="_blank"><em>rageagainstthecage</em> or the <em>exploid</em></a> exploit, which is capable of gaining root access to the device. Not only do these trojanised apps steal device details such as IMEI and IMSI, but they also install further hidden malware which siphons even more user information off the device and into the hands of criminals. Further research from Android Police reports that this second payload also contains a dropper capable of downloading further code.<br />
&nbsp;<br />
In response to the initial posting by lompolo, one of the developers of the legitimate apps that have been hijacked commented:<br />
&nbsp;</p>
<blockquote><p>&#8220;<em>I&#8217;m the developer of the original Guitar Solo Lite. I noticed the rogue app a bit more than a week ago (I was receiving crash reports sent from the pirated version of the app). I notified Google about this through all the channels I could think of: DMCA notice, malicious app reporting, Android Market Help&#8230;they have yet to respond. Thankfully this was posted on Reddit, since after the post the rogue dev and all his apps have been removed from the market. There really should be a faster/easier way to get Google to act on it</em>!&#8221;</p></blockquote>
<p>&nbsp;<br />
Trend Micro detect this threat (popularly known as DroidDream) as <a href="http://about-threats.trendmicro.com/Malware.aspx?language=us&#038;name=ANDROIDOS_LOTOOR.A">ANDROIDOS_LOTOOR.A</a>; further details are in the link.<br />
&nbsp;<br />
During the five days these apps were available, an estimated 50,000 downloads took place. Google have now pulled the apps and blocked the rogue developer from the Android marketplace; they have also remotely removed the apps from affected handsets. Of course this remote kill switch will not remove any other code that may have been dropped onto the device as a result of the initial infection. So if you are one of the estimated 50,000 people who have downloaded these malicious apps it could be worth your while investigating the possibility of getting a replacement handset or reinstalling the operating system on the one you have, if possible.<br />
&nbsp;<br />
The Android app ecosystem is by definition open: there is a wide array of app stores available and apps can be published to the user community in minutes. This greater openness of the developer environment has been argued to foster an atmosphere of creativity, but as Facebook have already discovered it is also a very attractive criminal playground.<br />
&nbsp;<br />
It is worth remembering that full security suites are now available for Google Android, <a title="Trend Micro Mobile Security for Android" href="http://us.trendmicro.com/us/products/personal/mobile-security-for-android/" target="_blank">such as this one</a>. The number of threats to mobile platforms is growing at a steady rate. Of course the sheer volume of mobile malware is a long way from the epidemic proportions of Windows based malware, but criminal interest is clearly there and growing. We see multi-platform attacks distributed by the same criminal groups that have traditionally focused on Wintel systems, and the growth in the complexity of threats, for example <a title="Zeus in the Mobile" href="http://blog.trendmicro.com/zeus-now-bypasses-two-factor-authentication/" target="_blank">ZeuS malware now incorporating mobile elements </a>aimed at intercepting SMS banking authentication codes, is striking. Criminals are driven by consumer behaviour, and as the money-making opportunities move to mobile platforms criminals will follow; in fact they already are.<br />
&nbsp;<br />
A full list of the trojanised apps, published by Myournet, is:</p>
<ul>
<li>Falling Down</li>
<li>Super Guitar Solo</li>
<li>Super History Eraser</li>
<li>Photo Editor</li>
<li>Super Ringtone Maker</li>
<li>Super Sex Positions</li>
<li>Hot Sexy Videos</li>
<li>Chess</li>
<li>äžć æ»ç_Falldown</li>
<li>Hilton Sex Sound</li>
<li>Screaming Sexy Japanese Girls</li>
<li>Falling Ball Dodge</li>
<li>Scientific Calculator</li>
<li>Dice Roller</li>
<li>èșČéżćŒčç</li>
<li>Advanced Currency Converter</li>
<li>App Uninstaller</li>
<li>ć äœææș_PewPew</li>
<li>Funny Paint</li>
<li>Spider Man</li>
<li>èèäŸ </li>
</ul>
<p>&nbsp;<br />
The Guardian have published an expanded list of apps believed to be trojanised in this way <a href="http://www.guardian.co.uk/technology/blog/2011/mar/02/android-market-apps-malware">here</a>.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/google-android-rooted-backdoored-infected/feed/</wfw:commentRss>
		<slash:comments>17</slash:comments>
		</item>
	</channel>
</rss>

