
Symantec Security Response


Zeusbot/Spyeye P2P Updated, Fortifying the Botnet

Wed, 02/22/2012 - 16:44

We blogged about a parallel Zeusbot/Spyeye build near the end of last year that introduced some improvements in the botnet, moving the network architecture away from a simple bot-to-C&C system and introducing the beginnings of a peer-to-peer model. This new variant now uses P2P communication exclusively in order to keep the botnet alive and gathering information.

Previously, every compromised computer was a peer in the botnet and the configuration file (containing the URL of the C&C server) was distributed from one peer to another. This way, even if the C&C server was taken down, the botnet was still able to contact other peers to receive configuration files with URLs of new C&C servers.

With the latest update, it seems that the C&C server has disappeared entirely for this functionality. Where the bots were previously sending control messages to, and receiving them from, the C&C server, these messages are now handled by the P2P network.

This means that every peer in the botnet can act as a C&C server, while none of them really are one. Bots are now capable of downloading commands, configuration files, and executables from other bots—every compromised computer is capable of providing data to the other bots. We don’t yet know how the stolen data is communicated back to the attackers, but it’s possible that such data is routed through the peers until it reaches a drop zone controlled by the attackers.

While these changes make the botnet more resistant to takedown, and equally make it more difficult to track the attackers behind it, they also provide another major benefit to the attackers. Zeustracker is a site which has had considerable success in tracking and publishing IP block lists for Zeus C&C servers around the world. With Zeus switching to P2P for these functions, the site would no longer be able to produce exact Zeus C&C IP block lists.

No need for C&C?

Having to rely on a C&C server is a limitation. It means that the server can be taken offline, and that the botnet herders can be tracked. This was still a flaw in the initial P2P version of the bot: by simply running the bot executable and watching its traffic (black-box analysis), one could observe the C&C server being contacted. It seems that the botnet herders have addressed this issue: the control messages that were going to the C&C server now go to the P2P botnet itself. Of course, the peers are other compromised computers, so they cannot simply be taken offline, nor can they (in most cases) be linked to the people behind the botnet.

Figure 1: The C&C paradigm has shifted from central server to botnet

More UDP, less TCP

Another noticeable update is that communication has shifted more and more to UDP. As we have previously discussed, the bots would contact each other using a sort of homemade UDP handshake. If successful, this would cause the bots to exchange TCP data, such as configuration files and lists of other peers. However, TCP communications are easy to track and dump, and the bot does not perform any authentication on the packets exchanged, so anyone can impersonate a bot and successfully communicate with other bots, downloading data such as configuration files.

In this new strain, the data exchange is also now happening in UDP. Given the stateless nature of this protocol, it is more difficult to capture and extract data from bot communications.

Figure 2a: Older version using TCP to exchange configuration files

Figure 2b: The new version exchanges all data in UDP

Changes in the compression and encryption

The encryption used by the bot was more or less the same as the one used by the “standard” Zeusbot strain. The data is compressed, each byte is XORed with the preceding byte, and then RC4 is applied.

With the new strain the data is still encrypted with RC4 and the XOR byte-with-preceding-byte is still there, but there is now another added layer: a byte-per-byte XOR applied to each block of the configuration, where the encryption key is calculated with the following code:

Figure 3: The new encryption layer code

This corresponds to the simple formula:

XorKey = ((BlockSize << 0x10) | BlockId) | (XorSeed << 8)

Once you get past the decryption layers, the last thing to get rid of is the compression of every data block. The earlier version of the bot was using Nrv2b compression, while this new variant has switched to Zlib 1.2.5.
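To make the layering concrete, here is an added Python model of the decryption chain as the post describes it. This is illustrative code written for this page, not Zeus's own routine and not a Symantec tool. The key formula is the one quoted above; everything the post does not state is an assumption and is marked as such in the code: that the new per-block XOR sits outermost, that the 32-bit key is laid out little-endian and cycled across the block, that BlockSize is the length of the RC4 output, and the RC4 key, block id, seed and configuration text used in the demo.

```python
import zlib


def xor_key(block_size: int, block_id: int, xor_seed: int) -> int:
    """The key formula quoted in the post, masked to 32 bits (the original is C
    integer arithmetic)."""
    return (((block_size << 0x10) | block_id) | (xor_seed << 8)) & 0xFFFFFFFF


def xor_block(data: bytes, key: int) -> bytes:
    """Per-block XOR with the derived key. ASSUMPTION (not stated in the post): the
    32-bit key is laid out little-endian and cycled over the block. XOR is its own
    inverse, so the same call encrypts and decrypts."""
    kb = key.to_bytes(4, "little")
    return bytes(b ^ kb[i & 3] for i, b in enumerate(data))


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key schedule + keystream); symmetric like xor_block."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def chain_xor_encrypt(data: bytes) -> bytes:
    """'Each byte XORed with the preceding byte': a forward pass, so each output
    byte depends on the already-transformed byte before it."""
    out = bytearray(data)
    for i in range(1, len(out)):
        out[i] ^= out[i - 1]
    return bytes(out)


def chain_xor_decrypt(data: bytes) -> bytes:
    """Inverse of chain_xor_encrypt: walk backwards so every byte is undone
    against its still-encrypted predecessor."""
    out = bytearray(data)
    for i in range(len(out) - 1, 0, -1):
        out[i] ^= out[i - 1]
    return bytes(out)


def pack_block(plaintext: bytes, block_id: int, rc4_key: bytes, xor_seed: int) -> bytes:
    """Layers in the order the post lists them: zlib -> chained XOR -> RC4, then the
    new per-block XOR. ASSUMPTIONS: the new layer is outermost, and BlockSize is
    the length of the RC4 output."""
    inner = rc4(rc4_key, chain_xor_encrypt(zlib.compress(plaintext)))
    return xor_block(inner, xor_key(len(inner), block_id, xor_seed))


def unpack_block(block: bytes, block_id: int, rc4_key: bytes, xor_seed: int) -> bytes:
    """Peel the layers in reverse. If any layer is undone with the wrong parameters,
    zlib.decompress will almost certainly raise zlib.error, a handy sanity check."""
    inner = xor_block(block, xor_key(len(block), block_id, xor_seed))
    return zlib.decompress(chain_xor_decrypt(rc4(rc4_key, inner)))


# Constructed demo values (not recovered from any sample).
SAMPLE_CONFIG = b'url_config "http://peer.example.invalid/cfg.bin"\n' * 4
DEMO_RC4_KEY = b"example-rc4-key"
DEMO_SEED = 0x5A


def demo() -> bytes:
    """Round-trip the constructed config through all layers and hand back the result."""
    block = pack_block(SAMPLE_CONFIG, block_id=1, rc4_key=DEMO_RC4_KEY, xor_seed=DEMO_SEED)
    return unpack_block(block, block_id=1, rc4_key=DEMO_RC4_KEY, xor_seed=DEMO_SEED)


if __name__ == "__main__":
    print(hex(xor_key(0x1234, 0x56, 0x78)))
    print(demo() == SAMPLE_CONFIG)
```

When working on a real sample, the useful property of this structure is that each layer is cheap to test in isolation: a wrong RC4 key or block id shows up as a zlib header error at the very end rather than as silent garbage, so the decompression step doubles as the oracle for whether the earlier layers were undone correctly.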

Each bot is a Web server

As explained above, the control messages that were previously handled by the C&C server are now handled by other peers in the botnet. These messages are exchanged through HTTP, so the bot has been updated to include nginx, an open source, lightweight Web server. With this, every bot is capable of handling HTTP requests, meaning it can perform C&C functions.

Figure 4a: The older version used standard HTTP POST requests to C&C servers

Figure 4b: The new version sends POST requests to a peer, using a random TCP port

Having the bots host a Web server is not a novelty in the threat landscape. We have already seen the Waledac/Kelihos bots using this technique to exchange data and expose malicious content in order to spread themselves.

Zeusbot distributing malware?

One interesting thing that we also observed regarding this new variant is that the Zeus botnet has been distributing malware. The bots communicate with other peers, issuing HTTP requests to download and run two executables. These executables are hosted by other peers in the botnet, and after analysis we discovered they are a fake antivirus risk and a proxy engine. This is unusual; we don’t have records of Zeusbot distributing other malware, although it is technically capable of doing so.

So, is there no C&C anymore?

Well, it seems that the cybercriminals removed (or at least reduced) the dependency the bots had on the C&C server. Still, this does not mean it’s completely gone—the bot may still decide to contact a C&C server under specific conditions (e.g. when there is stolen data to communicate back to the attackers). Analysis of the threat is still ongoing and this is our main point of focus at the moment.

If they managed to completely remove C&C servers then this can be considered a step towards strengthening the botnet. If it only operates through P2P, it becomes nearly impossible to track the guys behind it. Again, analysis is still ongoing, so we are working on uncovering this part of the mystery to figure out the full picture.

Zeus’s main infection vector is emails containing malicious attachments made to look like documents. As usual, be wary of emails received from unknown senders, and never open files received from unknown sources.

Categories: Spam and Incident Response Blogs

PDF Malware Writers Keep Targeting Vulnerability

Wed, 02/22/2012 - 14:49

We keep seeing new waves of PDF file-based attacks that exploit the Adobe Acrobat and Reader CVE-2010-0188 Remote Code Execution Vulnerability (BID 38195), which exists in certain unpatched versions of a popular PDF reading application. All these attacks were stopped by Symantec’s Skeptic™ technology.

A typical example of such an exploited PDF sample contains highly obfuscated JavaScript, as shown in figure 1.

Figure 1: Portion of obfuscated JavaScript


The JavaScript was embedded in an XFA object (object 8 in the above figure) in an Acrobat Form. The JavaScript manipulated a subform field by using a reference to an embedded element, “qwe123b” in the example. When such an exploited PDF sample is loaded into the vulnerable PDF reading application, the XFA initialize activity is triggered and the embedded JavaScript will be called. After manually de-obfuscating it, we were able to extract the hidden JavaScript (figure 2).

Figure 2: Portion of extracted hidden obfuscated JavaScript


Further analysis shows that the JavaScript actually exploits a known vulnerability, the Adobe Acrobat and Reader CVE-2010-0188 Remote Code Execution Vulnerability (BID 38195), where an invalid value in a tagged image file format (TIFF) image generated by the JavaScript triggers memory corruption in the TIFF parser (LibTIFF) of certain unpatched versions of a popular PDF reading application.

Similar to the findings presented in one of our previous blogs, the JavaScript does the following:

  1. Determines the current version of the PDF reading application and constructs the correct exploited TIFF file and shellcode.
  2. Sprays the shellcode into memory.
  3. Assigns the exploited TIFF image to the "rawValue" of the pre-defined form element to trigger the vulnerability when the image gets displayed.

It is interesting to note that the version of the PDF reading application being exploited will be converted to a huge integer and compared to a certain threshold which represents one of the application versions. This is probably designed by the malware writer to confuse malware analysts and/or antivirus (AV) scanners. In this instance, we also notice that the generated TIFF images and shellcode remain the same regardless of the PDF reading application version.
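As an added example, not from the original post and not Symantec's Skeptic logic, the following Python triage script looks for the markers of the chain described above: an XFA object, an initialize event, an assignment to a field's rawValue, unescape()-built strings and a base64-encoded TIFF header. It inflates FlateDecode streams first, since these markers are usually hidden behind compression. The sample PDF it builds is constructed for the test and carries only a TIFF header, not an exploit; the element name qwe123b is reused from the post, everything else about the sample is made up.

```python
import re
import zlib

# Marker -> why it matters for the XFA/TIFF chain described in the post.
INDICATORS = {
    b"/XFA": "AcroForm carries an XFA object (where the JavaScript was embedded)",
    b'activity="initialize"': "XFA initialize event, the trigger the post describes",
    b"rawValue": "script assigns a form field's rawValue (the TIFF delivery step)",
    b"unescape(": "unescape() string building, typical of shellcode / heap spray",
    b"SUkq": "base64 of a little-endian TIFF header (II*\\0)",
    b"TU0A": "base64 of a big-endian TIFF header (MM\\0*)",
}

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def inflate_streams(pdf: bytes) -> bytes:
    """Return the raw PDF plus every stream body that inflates cleanly as zlib,
    so markers hidden behind FlateDecode are visible to a plain byte search."""
    chunks = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            chunks.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded, or truncated: nothing to add
    return b"\n".join(chunks)


def scan_pdf(pdf: bytes) -> dict:
    """Map each marker found (as str) to its explanation."""
    text = inflate_streams(pdf)
    return {k.decode(): v for k, v in INDICATORS.items() if k in text}


def looks_like_xfa_tiff_chain(hits: dict) -> bool:
    """Triage rule: XFA present, a rawValue assignment, and a base64 TIFF header.
    ASSUMPTION: this combination is rare in benign forms; treat it as a lead, not proof."""
    return "/XFA" in hits and "rawValue" in hits and ("SUkq" in hits or "TU0A" in hits)


def build_sample_pdf(malicious: bool = True) -> bytes:
    """Constructed test document (not a real exploit): an XFA template whose
    initialize script assigns a bare base64 TIFF header to a field's rawValue."""
    script = (b'var s = unescape("%u9090%u9090"); '
              b'xfa.resolveNode("qwe123b.img").rawValue = "SUkqAAgAAAA=";')
    if not malicious:
        script = b'xfa.host.messageBox("hello");'
    xfa = (b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template>'
           b'<subform name="qwe123b"><field name="img"/>'
           b'<event activity="initialize"><script contentType="application/x-javascript">'
           + script + b'</script></event></subform></template></xdp:xdp>')
    body = zlib.compress(xfa)
    return (b"%PDF-1.6\n"
            b"1 0 obj<</Type/Catalog/AcroForm<</XFA 8 0 R>>>>endobj\n"
            b"8 0 obj<</Length " + str(len(body)).encode() + b"/Filter/FlateDecode>>stream\n"
            + body + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for name, doc in (("suspicious", build_sample_pdf()), ("benign", build_sample_pdf(False))):
        hits = scan_pdf(doc)
        print(name, looks_like_xfa_tiff_chain(hits), sorted(hits))
```

The script deliberately searches bytes rather than parsing the PDF object graph: obfuscated samples often split the JavaScript across objects or wrap it in multiple filters, and a byte search over inflated streams survives that where a strict parser would give up. It will not see through JavaScript-level string obfuscation of the rawValue assignment itself, which is why the version-check and heap-spray markers are kept as separate signals.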

A portion of the extracted hexadecimal encoded shellcode is shown in figure 3.

Figure 3: Portion of the extracted hexadecimal encoded shellcode


When examining it further, it shows that there is a URL at the end of the file (figure 4).

Figure 4: Malicious executable file link in shellcode


It clearly shows that a malicious executable file will be downloaded once the shellcode gets executed successfully. Unfortunately, the malicious file link only existed for a very short time and we have been unable to retrieve the actual executable sample as yet.

Symantec.Cloud has protected our customers from all such attacks. Our analysis reveals that Skeptic™ has successfully blocked over ten thousand PDF files with such exploits in the past two weeks (figure 5). It clearly shows that the attacks were carried out in several main waves spread over the period detailed in the figure. The most aggressive attack was launched on the 16th of February, which saw over 3,000 hits in one run, followed by the attack stopped on the 6th of the same month.

Figure 5: PDF attacks through emails stopped by Symantec.Cloud over a period of two weeks

Categories: Spam and Incident Response Blogs

Airline Booking Confirmation Phish

Wed, 02/22/2012 - 02:55

Recently I came across an airline booking confirmation phishing email.  Whilst this is not necessarily a new phishing technique, the email and associated phishing website are quite interesting and at first glance could appear to be legitimate.  In the email, it states confirmation of payment made by credit card, and that the recipient should click an embedded link in order to print their tickets and flight information.

The email itself is in plain text and looks nothing out of the ordinary.  However, upon further investigation I noticed that the sending domain, which is spoofed, is not actually one associated with the airline.  It looks similar, but the actual sending domain that is spoofed belongs to an air purifier and cleaner company and is not associated with the airline in any way.  This would appear to be just laziness on the part of the spammer for not checking that the sending domain matches the airline that they are pretending to be, and should immediately make anyone suspicious about the authenticity of the email.  Of course, if you have not made any airline reservations, then the email would immediately cause suspicion.  It is possible, however, that the scammers hope the user might believe that they have received this email in error and click on the link anyway in order to investigate further.

Looking at the phishing domain from the link in the email, we can see that the legitimate airline has had their original website cloned by the scammer.  However, from what appears to be laziness on the part of the scammer again, the fake website is not displayed correctly.

On this fake website it asks for the “Card number” and “Password” for the user’s account with the airline.  I tried to investigate this further to see what happens if you enter some dummy information but the fake website does not work and does not open the Web form.  This makes the whole scam a waste of time for the scammer as they will not be able to steal any information using this broken Web form.  Therefore it is difficult to be certain of the scammer’s intent, but my guess would be that if the Web form worked, it would then ask the user for their credit card or bank details.

The “whois” information for the phishing domain in the email is also very interesting.  Whilst the domain has only been registered in the last two weeks, it has been registered against a user’s email address at a well known manufacturer of airplanes.  Therefore it is very possible that this user could have had their email account compromised and bank or credit card information stolen, and that the scammer has then registered the fake domain in their name.  Anyone viewing the “whois” of this domain might then believe it to be legitimate as it is registered against a well known legitimate company.

In the signature of the email, the FSA registration number that the scammer has used is for a different airline altogether and not of the airline that they are pretending to be.  Whilst this scam will fail due to the website not being displayed correctly, it could have been more sophisticated if the scammer had taken the time to make the fake website more realistic and ensure that all of the information in the email was correct.

Symantec’s advanced monitoring systems were able to proactively identify and block this scam.

Categories: Spam and Incident Response Blogs

Maslenitsa (Масленица) Has Begun, And So Has Spam!

Wed, 02/22/2012 - 01:24

Thanks to Poonam Keluskar for their assistance with this research.

Maslenitsa (Масленица) is a religious holiday celebrated in Russia and Ukraine during the last week before Lent, i.e. the seventh week before Pascha (Easter). This festival is also known as Pancake week or Butter week. During this week people enjoy the social activities that are forbidden during the prayerful Lenten season, such as partying, dancing etc. This year Maslenitsa will be celebrated from February 20 to February 26.

We are observing Maslenitsa spam targeting Russian and Ukrainian users that offers attractive tour packages. Similar to other Russian spam messages like online marketing promotions, spammers have provided a phone number to book the carnival package.

Below is a sample of a tour package spam, with its translation:

Our readers are encouraged not to fall for such cheap package offers and stay safe from online scams.  Symantec is effectively blocking such spam messages to protect our customers.

Happy Maslenitsa to you all!

Categories: Spam and Incident Response Blogs

Malware to Mourn Whitney Houston

Fri, 02/17/2012 - 21:43

Thanks to Anand Muralidharan for their assistance with this research.

The world is mourning the loss of another legendary pop singer, Whitney Houston, also known as the queen of pop. Spammers are paying homage to the icon with malware. The malicious email purports to show a video of the star's last appearance in a Los Angeles night club, and downloads an executable binary. This file is detected by Symantec Antivirus as WS.Reputation.1.

The email originated from Ireland and targets Portuguese readers. The malicious file is hosted on a hijacked Japanese website. The email subject is randomized by adding random numbers at the end of the subject field.

Here are a few subjects that have been used by this spam:

  • Subject: Olha o Video da ultima aparicao publica de Whitney Houston em u ma Boate em Los Angeles. Clique no play para Reproducao (0 .06787)
  • Subject: Olha o Video da ultima aparicao publica de Whitney Houston em u ma Boate em Los Angeles. Clique no play para Reproducao (0 .17465)

Translated Subject Line:
Subject: Here is a video of the last public appearance of Whitney Houston in a bar in Los Angeles. Click here to watch (0 .06787)

Whitney Houston's funeral will be held on Saturday in a church in New Jersey and her fans are keen and curious to read any news about the pop star. We expect to see more malicious spam alleging to contain video footage of the funeral.

Symantec recommends that readers visit reputable news websites for updates and do not open any email claiming to have video or news of Whitney Houston. Use message security and antivirus solutions from Symantec and keep your security software up to date to protect yourself from online viruses and scams.

Categories: Spam and Incident Response Blogs

Microsoft Patch Tuesday - February 2012

Wed, 02/15/2012 - 05:40

Hello, welcome to this month’s blog on the Microsoft patch release. This is a larger month—the vendor is releasing 9 bulletins covering a total of 21 vulnerabilities.

Six of this month's issues are rated ‘Critical’ and they affect Internet Explorer, .NET, Windows, and GDI. The remaining issues affect Internet Explorer, Windows, Visio, and SharePoint.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the February releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms12-feb

The following is a breakdown of some of the issues being addressed this month:

  1. MS12-010 Cumulative Security Update for Internet Explorer (2647516)

    CVE-2012-0010 (BID 51931) Microsoft Internet Explorer Copy&Paste Operation Cross Domain Information Disclosure Vulnerability (MS Rating: Moderate; Symantec Urgency Rating: 6.7/10)

    A cross-domain information-disclosure vulnerability affects Internet Explorer during a copy and paste operation. An attacker can exploit this issue by tricking an unsuspecting victim into copying content from an attacker controlled page onto a target page. Information obtained may aid in further attacks.

    Affects: Internet Explorer 6, 7, 8, and 9

    CVE-2012-0011 (BID 51933) Microsoft Internet Explorer CVE-2012-0011 Remote Code Execution Vulnerability (MS Rating: Critical; Symantec Urgency Rating: 7.1/10)

    A remote code-execution vulnerability affects Internet Explorer due to how it handles an object that has not been properly deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page containing malicious content. Successful exploits will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

    Affects: Internet Explorer 7, 8, and 9

    CVE-2012-0012 (BID 51932) Microsoft Internet Explorer Null Byte Handling Information Disclosure Vulnerability (MS Rating: Important; Symantec Urgency Rating: 6.7/10)

    An information-disclosure vulnerability affects Internet Explorer because it does not adequately protect process memory. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page containing malicious content. Information obtained may aid in further attacks.

    Affects: Internet Explorer 9

    CVE-2012-0155 (BID 51935) Microsoft Internet Explorer CVE-2012-0155 Remote Code Execution Vulnerability (MS Rating: Critical; Symantec Urgency Rating: 7.1/10)

    A remote code-execution vulnerability affects Internet Explorer due to how it handles an object that has not been properly deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page containing malicious content. Successful exploits will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

    Affects: Internet Explorer 9

  2. MS12-016 Vulnerabilities in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2651026)

    CVE-2012-0014 (BID 51938) Microsoft Silverlight & .NET Framework Unmanaged Objects Remote Code Execution Vulnerability (MS Rating: Critical; Symantec Urgency Rating: 7.5/10)

    A remote code-execution vulnerability affects Microsoft .NET Framework and Silverlight due to a failure to properly handle unmanaged objects. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page containing malicious content. An attacker can also exploit this issue by uploading malicious code to a vulnerable server, possibly in a shared hosting environment. Successful exploits will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user or the affected service, respectively.

    CVE-2012-0015 (BID 51940) Microsoft Silverlight & .NET Framework Heap Corruption Remote Code Execution Vulnerability (MS Rating: Critical; Symantec Urgency Rating: 7.5/10)

    A remote code-execution vulnerability affects Microsoft .NET Framework and Silverlight due to a failure to properly calculate the size of a buffer. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page containing malicious content. An attacker can also exploit this issue by uploading malicious code to a vulnerable server, possibly in a shared hosting environment. Successful exploits will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user or the affected service, respectively.

  3. MS12-013 Vulnerability in C Run-Time Library Could Allow Remote Code Execution (2654428)

    CVE-2012-0150 (BID 51913) Microsoft Windows 'Msvcrt.dll' Remote Buffer Overflow Vulnerability (MS Rating: Critical; Symantec Urgency Rating: 7.1/10)

    A remote code-execution vulnerability affects the msvcrt DLL library file because it fails to properly bounds check user-supplied input. An attacker can exploit this issue by tricking an unsuspecting victim into opening a specially crafted media file. Successful exploits will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

  4. MS12-008 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2660465)

    CVE-2011-5046 (BID 51122) Microsoft Windows 'win32k.sys' Remote Memory Corruption Vulnerability (MS Rating: Critical; Symantec Urgency Rating: 9.2/10)

    A previously public (December 19, 2011) remote code-execution vulnerability affects the GDI component of the Windows kernel. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious web page or opening a malicious file. Successful exploits will result in the execution of arbitrary attacker-supplied code in the context of the kernel. This could facilitate a complete system compromise.

    CVE-2012-0154 (BID 51920) Microsoft Windows Kernel 'Win32k.sys' Keyboard Layout Local Privilege Escalation Vulnerability (MS Rating: Important; Symantec Urgency Rating: 6.6/10)

    A local privilege-escalation vulnerability affects the Windows kernel because of how it manages certain keyboard layouts. A local attacker can exploit this issue to execute arbitrary code with kernel-level privileges. This could facilitate a complete system compromise.

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal, and to our customers through the DeepSight Threat Management System.

Categories: Spam and Incident Response Blogs

Revamped Fake Android Market for SMS Fraud

Sat, 02/11/2012 - 04:48

We have continued monitoring the massive campaign involving SMS Fraud on the mobile platform for a while now as new activities are constantly taking place. New domains are created practically every day and new variants are being released consistently. Most activities are not really noteworthy. However, we did discuss a recent development of interest regarding the APK malware using server-side polymorphism. And earlier this week, we came across a new type of site that is not technically interesting, but is worthy of a mention in order to warn people about the new activity.

A little while back, a fake Android Market was developed that hosted various Apps that were ultimately malware. As you can see below, the page looks slightly different from the official Android Market.


Scammers have since released a revised version that is more in tune with the current Android Market. In fact, if you were not looking at the URL, the average person would probably not be able to tell the difference between the two.

Let’s take a look at one of the pages of an individual application. It looks like a copy and paste from the legitimate page.

But this page is not real, and the same goes for the apps downloaded from it. Below are three downloads of the same application, made just minutes apart. Notice that the file sizes are drastically different. This is because the site uses server-side polymorphism to change the content of the package and evade detection by security software. It is also interesting that the files not only differ from each other, but that all three are much bigger than the old variants used to be. The older variants were in the range of around 50 KB to 100 KB, but as you can see the files are now around 1 MB. Making the size bigger may be an attempt to look more authentic. Functionality-wise, they are identical to the old variants, so what is making these files so much bigger?

The culprits are the files contained in the “res\raw” folder. As you can see, there is a very large number of identical 24 KB files bloating the package. Note that 24 KB is the size of each file after it has been unpacked. The number of files in “res\raw” for the three packages is 3,544, 3,748, and 2,664. If you multiply the number of files by the file size and factor in the compression ratio, you arrive at the package sizes above. It is therefore simply the number of files contained in the “res\raw” folder that makes these packages differ from each other.

Interestingly, these files only contain meaningless text as can be seen below.
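An added Python check, written for this page rather than taken from Symantec's detection, that measures the res/raw padding described above. It builds a constructed stand-in for an APK (a plain zip with placeholder entries; no manifest parsing is attempted) so that it runs offline, then counts how many res/raw entries are byte-identical copies of each other and how much of the archive they account for. The thresholds in is_padded are assumptions to tune against your own corpus.

```python
import io
import zipfile
from collections import Counter


def build_sample_apk(copies: int, padded: bool = True) -> bytes:
    """Constructed stand-in for an APK: a zip with placeholder manifest/dex entries
    and `copies` files under res/raw/. When padded, every file is the same 24 KB
    of filler text, mirroring the bloat the post describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<placeholder/>")
        z.writestr("classes.dex", b"dex\n035" + bytes(64))
        for i in range(copies):
            filler = b"lorem ipsum " * 2048  # 24576 bytes
            if not padded:
                filler = b"asset %d: " % i + filler  # make each file distinct
            z.writestr("res/raw/file%04d" % i, filler)
    return buf.getvalue()


def analyze_res_raw(apk: bytes) -> dict:
    """Summarise res/raw: how many entries, how many are distinct by (CRC, size),
    and how much of the package they take up compressed and uncompressed."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        entries = z.infolist()
    raw = [i for i in entries if i.filename.startswith("res/raw/") and not i.is_dir()]
    fingerprints = Counter((i.CRC, i.file_size) for i in raw)
    return {
        "raw_files": len(raw),
        "distinct_raw": len(fingerprints),
        "duplicate_raw": sum(n - 1 for n in fingerprints.values()),
        "raw_uncompressed": sum(i.file_size for i in raw),
        "raw_compressed": sum(i.compress_size for i in raw),
        "raw_share_of_entries": len(raw) / len(entries) if entries else 0.0,
    }


def is_padded(stats: dict, min_files: int = 100, max_distinct: int = 3) -> bool:
    """Flag packages whose res/raw is mostly copies of a handful of payloads.
    ASSUMPTION: the thresholds are illustrative, not tuned against real data."""
    return stats["raw_files"] >= min_files and stats["distinct_raw"] <= max_distinct


if __name__ == "__main__":
    for label, pkg in (("padded", build_sample_apk(300)), ("normal", build_sample_apk(300, False))):
        stats = analyze_res_raw(pkg)
        print(label, is_padded(stats), stats)
```

Using the (CRC32, size) pair from the central directory means the check never has to inflate the entries, so it stays cheap even for the multi-thousand-file packages the post mentions; a hash over the inflated bytes would be stronger against deliberate CRC collisions but is rarely needed for this kind of filler.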

Like any typical malicious Android application used for SMS fraud, this one also requests the capability to send SMS messages. Note that the actual name of the application is “Installer” rather than the name of the application on the download page. This is a trait that is common for this type of malware. If you see “Installer”, or the Russian translation of the word, and if the application requests the ability to send SMS, then there is a high probability that it is not the legitimate application that you thought you acquired.

Even though these applications target users who can read Russian, there is a chance that they are (or will eventually be) mixed into various markets or file-sharing services, or used as email attachments. So always be wary when installing applications on smartphones. We recommend that you download applications only from sources you trust and be cautious about the permissions you grant them. Symantec’s Norton Mobile Security detects the variant discussed in this blog as Android.Opfake.

Categories: Spam and Incident Response Blogs

Is Waledac Spam Dirtying the Russian 2012 Elections?

Fri, 02/10/2012 - 21:50

Recently there have been several reports about the re-emergence of a botnet variant (Kelihos), which Symantec detects as W32.Waledac.C. The Waledac family is a threat that has been monitored by Symantec for many years and was featured in numerous blogs as well as a white paper. In the past, Waledac gained its infamy as a spamming botnet that utilized compromised systems to send out spam.  The purpose of these spamming campaigns had usually been for self-propagation of the threat through spam emails containing a link, often (but not always) pointing to a Waledac binary file hosted on a malicious website.  The variant W32.Waledac.C is also sending out spam emails, but with a twist.

In one spam campaign, we observed it sending out the email seen below to only Russian target email addresses.

Email translation (Rough translation)

This year Rospres celebrates another birthday - we are now 5 years old.

All these years we were trying our best to bring to you the latest available information in its full integrity. In the nearest future we intend to work even harder for our readers, so they come back to our web portal again and again. We will be very happy to work for all visitors to http://www.rospres.com/ !

With best wishes, Ruspres.

The Rospres.com link seen in the spam email leads to a slanderous article hosted on the Rospres.com site and can be seen in the picture below. We have found no evidence that the link contained in the spam email is used to propagate the threat. The site Rospres.com seems to contain numerous articles on high profile Russian individuals such as politicians and businessmen that could be considered slanderous.

The individual in this article is Mikhail Prokhorov, a Russian billionaire oligarch and an independent candidate in the Russian 2012 elections this March.  While it is not clear whether the intent of this Waledac spam campaign is to promote the Rospres.com site or to smear the election campaign of any individual, it does raise questions about the exact motivation of the malware gang controlling the W32.Waledac.C variant.

Categories: Spam and Incident Response Blogs

New Targeted Attack Using Office Exploit Found In The Wild

Thu, 02/09/2012 - 22:14

Contribution: Takayoshi Nakayama

I was going through some files we acquired related to targeted attacks the other day and an unusual set of files caught my eye. We did some analysis on the files and it turns out a pair of files in the set exploits a vulnerability we have not seen in the wild before. Microsoft is aware of the issue and notes that users who have applied MS11-073 are fully protected.

The files stand out from the common targeted attacks because a Microsoft Word document file is paired with a .dll file. Usually, targeted attacks involve one file which drops malware. The pair would most likely arrive to the target wrapped in an archive file attached to an email. It is common to see document files sent by email inside an archive, but typically, you would not see .dll files ever sent by email.

The exploit makes use of an ActiveX control embedded in a Word document file. When the Word document is opened, the ActiveX control calls fputlsat.dll, which has the same file name as the legitimate .dll used by the Microsoft Office FrontPage Client Utility Library. If the exploit is successful, malware is dropped onto the system. The .dll file must have the file name fputlsat.dll in order to work, so if users see this file name sent along in an email with a document file, they should be alerted. After a successful exploit, fputlsat.dll is deleted and replaced with the file Thumbs.db. The attacker uses Thumbs.db because that file name is commonly created by Windows when thumbnail view is used, and it is hidden from normal view on a computer with default settings.

Symantec detects the document file as Trojan.Activehijack. We will follow with an update when we have further details about the vulnerability being exploited in this attack. Users are advised to be wary about .dll files attached to emails unless there is special reason for it to be there. We also recommend users apply the patch for MS11-073, as well as all the latest patches, to mitigate the risk of being infected by targeted attacks.

Categories: Spam and Incident Response Blogs

Infostealer.Offsupload: 20,000+ Archives Containing Stolen Data Uploaded to Third Party File-Sharing Site

Thu, 02/09/2012 - 11:39

Upwards of 20,000 stolen archives have been uploaded to a third-party file-sharing site from hosts infected with a new threat called Infostealer.Offsupload. The following heatmap indicates that the U.S. is the primary target of infection; however, only a few countries worldwide have managed to avoid the effects of this threat.

Infostealer.Offsupload is being used as part of a blended threat. The initial stage of the attack is an email purporting to come from FedEx with a malicious attachment: “FedEx_Invoice.exe”.

Once executed, this Trojan (detected as Trojan.Gen.2) contacts a command-and-control (C&C) server in order to download and execute further malicious files. At the time of analysis the files downloaded were Trojan.FakeAV and Infostealer.Offsupload.

Infostealer.Offsupload will search the computer for passwords to Firefox, Thunderbird, and Opera. It also searches for Word and Excel files (files with extensions .doc, .docx, .xls, or .xlsx). After these files are collected on the infected host they will be archived into a zip file, password protected, and then uploaded to sendspace.com. The URL to download and retrieve this stolen data along with the password to unlock the zip file is sent to the attacker. A log file was available for download from the command-and-control server whose contents can be seen below.

At the time of analysis, 23,248 unique IP addresses (compromised hosts) had been logged, and 21,623 attempted uploads (stolen archives) were present in the exposed log file.

The advantage of using a third-party service such as sendspace.com is likely the improved reliability in terms of service uptime and the speeds in uploading the stolen data. A third-party service would also take care of storage requirements when exfiltrating large amounts of data.
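The exfiltration channel described above (a password-protected zip pushed over HTTP to a public file-sharing host) is visible at the network boundary even when the endpoint is not. As an added example, not part of the original post, the following Python script runs over a few constructed proxy-log lines (the log format, client addresses and sizes are assumptions made for the example), flags large POSTs to a watch-list of file-sharing domains, and then reports the same two numbers the post pulled from the exposed C&C log: distinct uploading hosts and upload attempts.

```python
import re
from collections import defaultdict

# Domains whose upload endpoints an infostealer can abuse for exfiltration.
# sendspace.com is the host named in the post; extend the set for your own environment.
FILE_SHARING_HOSTS = {"sendspace.com"}

# Constructed sample proxy log, one request per line:
#   <epoch> <client_ip> <method> <host> <path> <request_bytes> <status>
SAMPLE_LOG = """\
1328789001 10.0.3.17 POST www.sendspace.com /upload 3481920 200
1328789002 10.0.3.17 GET  www.sendspace.com / 512 200
1328789120 10.0.7.42 POST www.sendspace.com /upload 2104321 200
1328789121 10.0.7.42 POST www.sendspace.com /upload 1998877 200
1328789300 10.0.9.8  GET  www.example.com /index.html 410 200
1328789410 10.0.3.17 POST www.sendspace.com /upload 3390011 200
1328789500 10.0.5.2  POST www.example.com /login 240 302
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, host, path, nbytes, status = m.groups()
    return {"ts": int(ts), "ip": ip, "method": method.upper(), "host": host.lower(),
            "path": path, "bytes": int(nbytes), "status": int(status)}


def registered_domain(host):
    """Crude reduction to the last two labels (www.sendspace.com -> sendspace.com); enough for a watch-list match."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_uploads(log_text, min_bytes=100_000):
    """Return {client_ip: [records]} for POSTs of at least min_bytes to a watched file-sharing domain."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "POST"
                and registered_domain(rec["host"]) in FILE_SHARING_HOSTS
                and rec["bytes"] >= min_bytes):
            hits[rec["ip"]].append(rec)
    return dict(hits)


def summarize(hits):
    """Mirror the two figures in the post: distinct uploading hosts and upload attempts, plus bytes out."""
    return {
        "unique_hosts": len(hits),
        "upload_attempts": sum(len(v) for v in hits.values()),
        "bytes_out": sum(r["bytes"] for v in hits.values() for r in v),
    }


if __name__ == "__main__":
    uploads = find_uploads(SAMPLE_LOG)
    print(summarize(uploads))
    for ip, recs in sorted(uploads.items()):
        print(ip, len(recs), "uploads,", sum(r["bytes"] for r in recs), "bytes")
```

The size threshold matters: a few hundred bytes to an upload endpoint is a page load, while a multi-megabyte POST from a workstation is the stolen archive itself. Repeated large POSTs from the same client a few seconds apart are the pattern the exposed log shows.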

This is a new kid on the block, recently highlighted by a security researcher at Trend Micro, and we will keep a close eye on any developments in the coming days and weeks.


Android.Bmaster: A Million-Dollar Mobile Botnet

Thu, 02/09/2012 - 07:14

Thanks to Eric Chien for his assistance with this research.

Introduction

We recently came across a new piece of Android malware, first highlighted by NC State’s Xuxian Jiang, and began investigating the command-and-control (C&C) servers associated with the threat. The malware was discovered on a third party marketplace (not the Android Market) and is bundled with a legitimate application for configuring phone settings. Trojanized applications are a well known infection vector for Android malware, as they allow malware to be distributed while retaining the appearance of a legitimate application.

Analysis of these servers indicates that the total number of infected devices connected to the botnet over its entire life span numbered in the hundreds of thousands. The number of infected devices able to generate revenue on any given day ranged from 10,000 to 30,000, enough to potentially net the botmaster millions of dollars annually if infection rates are sustained. Profit estimates can be found in the "Revenue generation" section below. So far, the botmaster has been operating at these rates since September 2011. The botnet targets mobile users in China (the Trojanized application is only available for download from third-party Chinese markets), and revenue generation through premium SMS, telephony, and video services is likewise limited to the networks of China's two largest mobile carriers. Since the botnet has been active for a considerable amount of time, the botmaster has potentially already earned hundreds of thousands of dollars during its operation. Also, while this is not the first botnet of this type we have found, this is the first time we are revealing detailed information on how it generates revenue.

Screenshot of the Trojanized application.

Botnet structure and size

Upon running the Trojanized application, both the original clean software and a malicious application (Android.Bmaster) are installed. Once the malware is installed, an outbound connection from the infected phone to a remote server is generated. The malware posts some user and phone-specific data to the remote address and attempts to download and run an APK file from the server. The downloaded file is the second stage in the malware and is a Remote Administration Tool (RAT) for Android, detected as Android.Bmaster. This type of malware is used to remotely control a device by issuing commands from a remote server.

We began investigating the server from where the malware was being served and discovered an additional 27 Android applications available for download. All of the discovered samples were found to be the malware Android.Bmaster. Judging by the timestamps of the available Android malware files, we were able to determine infections had been live from this command-and-control server from September 2011 to present day.

After analysis of other pages hosted on the remote server, we discovered what appeared to be a monitoring application for all the mobile phones infected with the Android.Bmaster malware. This was an incredible discovery, as it allowed us to determine the number of phones infected with the malware and the overall size of the Bmaster botnet.


Translated screenshot of the monitoring frontend.

By analyzing the information available on the remote server and reviewing the command-and-control panels, the number of infected handsets appears to be in the hundreds of thousands. These numbers are based on querying the command-and-control data itself, counting the unique IMEI numbers recorded on the server's monitoring pages. The command-and-control panel also graphs daily heartbeat pings from infected devices, and that data again indicates a botnet numbering in the thousands on any given day.

Figure showing daily “heartbeat” numbers from infected devices.

Targets

The vast majority of infected devices belonged to Chinese customers. We also concluded the following data was transmitted by the malware:

The regional information transmitted by infected phones is reflected in the command-and-control panels investigated, as seen above. There is also evidence the infected phones can be configured by the botmasters to block all incoming messages from China's two largest mobile carriers. This is a technique used by previous Android malware, as it prevents customer service representatives from contacting infected customers. Inspection of the message center phone numbers (logged by the malware) indicates the customers were based mainly in China and surrounding areas.

Screenshot showing infected phones.

Capabilities

We mentioned above the phone-specific and geographical information stolen by Android.Bmaster; however, the capabilities of the malware are not limited to this type of data theft. As has been reported elsewhere, this type of remote administration application is capable of much more. Since it is a Remote Administration Tool, the malware receives commands from the remote server. We have seen evidence of functionality to send text messages, block incoming text messages, log details of outgoing phone calls (including duration and target phone number), generate outgoing phone calls, update the command-and-control server it contacts, and log and generate WAP access. More alarmingly, this botnet appears to capture and store a large amount of this data on its command-and-control servers. We discovered evidence of the botnet logging which phones were infected by the initial stage of the threat, which phones had exploit attempts, and which phones were successfully exploited. We also discovered evidence of the botnet recording which infected phones could execute commands.

Revenue Generation

The motivation behind the botnet is financial. The botnet exists to force infected devices to pay for premium services (shown in the monitoring and administration pages on the command-and-control panel). The botnet is geared towards Chinese mobile customers on two specific networks. Although phones on other networks have also been infected, the botmaster places those phones in a “do not use” queue. The botmaster configures rules, based on geographical location and mobile operator, which controls actions taken by each infected device. A device connecting to the command-and-control server for the first time, for instance, is assigned a set of rules which match device type, malware version, geographical location, and mobile operator. The botmaster can then further configure these rules to specify which premium service the infected device should attempt to contact. Infected devices are then configured to send SMS messages to premium numbers, contact premium telephony services, and connect to pay-per-view video hosting.

The botmaster has a fine grained level of control over the infected devices. Depending on which premium service a device is attempting to contact, a number of configuration options are available to the botmaster. For example, an infected device can be configured to send messages to a particular premium SMS number at a specific rate (three a day, for instance) for a certain number of days. Devices connecting to premium video or telephony services can also be configured for how long they should connect to a premium phone number or pay-per-view website. The botmaster may also configure which incoming messages get blocked by the malware. This is typically used to block messages from mobile operators, but it is further configurable to prevent messages from premium services being returned to the device. This means the botmaster can configure infected devices to block any message with specific keywords ("on demand", "fee", etc.) that would potentially alert the infected user.

Active infection figures for January 1, 2012.

Although not every infected device is a good candidate for this type of functionality, a significant number of infected devices are. The command-and-control frontend records how many devices are actively generating revenue on a daily basis. The figures for 02/06/2012 recorded 11,000 active devices generating revenue for the botmaster, whereas the figures for 01/01/2012 showed 29,000. The number of active, infected devices tends to range from 10,000 to 30,000 per day. Premium SMS numbers in China tend to cost around $0.15 to $0.30 per message, and while this may not seem particularly expensive, it quickly adds up when you factor in the number of active, infected devices on the botnet and the fact that most users would likely not notice the infection right away.

Taking 10,000 to 30,000 active devices as the lower and upper bounds (the range that brackets our two example dates) and one premium message per device per day at $0.15 to $0.30, the botmaster is generating anywhere between $1,500 and $9,000 per day, or $547,500 to $3,285,000 per year the botnet is running. (A percentage of this revenue needs to be paid out for overhead costs, such as revenue-sharing agreements for leveraging premium content channels.)

This is not the first example of an active, revenue-generating Android botnet we have seen. However, considering the huge market for Android apps, the availability of third-party app stores without security checks, and the massive revenue which can be generated from this type of botnet, Android.Bmaster’s million-dollar botnet certainly won’t be the last.


Russian Spammers Eye World Content Show

Thu, 02/09/2012 - 03:17

Thanks to Anand Muralidharan for their assistance with this research.

Television channels from across the world are set to attend the 14th International Exhibition and Forum, World Content Show, held February 7-9, 2012, in Russia. The exhibition showcases the latest technologies and trends in the TV and telecommunications industry.

This techno-fair will be attended in large numbers by leading media businesses, and spammers don’t want to miss the opportunity to circulate spam around the event. In a bid to catch the reader’s attention, one such spam email reveals some appealing facts about the event, such as Interactive Elements, Prize Drawings, Performance of Popular Leader/Star, and Colorful Musical Concerts.

Here is an example of this Russian spam observed by Symantec:

Here are the subject lines observed in the Russian spam attack:

  • Subject: Российские и иностранные телеканалы на фестивале World Content Show-2012
    Translated Subject: Russian and foreign TV channels at the World Content Show-2012 festival
  • Subject: World Content Show-2012


Web Attack Ahead of Tax Season

Wed, 02/08/2012 - 08:50

At 3 AM on February 6, 2012, Symantec Security Response observed spam carrying malicious links that play on the upcoming tax season. The spam volume spiked between 6 AM and 1 PM, and we identified over 200 unique URLs leading to a Blackhole exploit kit.

The Blackhole exploit kit compromises the victim's machine by targeting various vulnerabilities in the browser and its plugins. Symantec protects customers with multiple layers of protection: antispam, antivirus, and IPS signatures. The payload downloaded from the malicious website is detected as Trojan.Zbot, for instance, and IPS detects this web attack as "Web Attack: Blackhole Toolkit Website 14" and "Web Attack: Blackhole Exploit Kit Website 11".

The spam asks the user to click on a link to verify their account information. Below is an example of one such spam:

Examples of links found in messages:

These links point to a page containing further links to certain JavaScript files (as shown below). All of these links point to a single "js.js" file.

The domains used in the spam email include recently registered domains and hijacked domains which employed weak security. Symantec advises our readers to be cautious ahead of tax season and follow general security guidelines to protect against malicious attacks.

Security tips:

  • Avoid clicking on suspicious links in email by manually typing Web addresses directly into your browser.
  • Do not open email attachments from unknown sources.
  • Protect your computer with a comprehensive security suite. For details on Symantec’s offerings, visit http://www.symantec.com.


Purchases From This Super Bowl Sale Will Not Take You Anywhere

Sun, 02/05/2012 - 06:15

You may not need pills to watch the Super Bowl, but spammers feel that this is definitely an occasion to push them! The most exciting annual championship of the NFL, Super Bowl XLVI, takes place tomorrow, and as expected, spammers are playing a different ball game with the crazed Super Bowl fans.

Super Bowl-related spam can be spotted by the subject lines listed below:

Subject: Super Bowl [BRAND NAME] Sale
Subject: Super Bowl Special
Subject: Super Bowl
Subject: Super Bowl 2012 - You win no matter which team does!

One such spam sample that we discovered promotes an online pharmacy. The email offers a free generic combo pack after placing medical orders with them.

The link in the spam sample goes to the following online pharmacy site:

Another spam sample offers new cars and SUVs at their lowest prices in history. The message claims that this heavy discount is for Super Bowl week only.

After clicking the link in the message, the user is redirected to a lottery site (as shown in the example below) which announces the user as the winner of an electronic gadget of their choice. The user needs to provide personal information in order to claim the gift. Spammers have even made sure to assure users who fill in the form that they will not be spammed or directed to survey sites.

While you plan your Super Bowl weekend, we at Symantec would like to remind you to be careful with all your online transactions. Don't compromise on your security. Stay away from the guile of spammers this Super Bowl season!


Server-side Polymorphic Android Applications

Thu, 02/02/2012 - 09:53

For quite some time, we have observed the technique of server-side polymorphism being used to infect Windows computers around the world. What this means is that every time a file is downloaded, a unique version of the file is created in order to evade traditional signature-based detection. We are now seeing this same technique being used for malicious Android applications hosted on Russian websites. We detect all of these variants as Android.Opfake. The sites hosting Opfake include either links or buttons that can be used to download the malicious packages that are purporting to be free versions of popular Android software.

The server morphs the application automatically in a few ways every time the threat is downloaded. In addition, manual modifications are made every few days, indicating that the malware authors are actively maintaining this malware family.

Opfake performs server-side polymorphism using three techniques: variable data changes, file re-ordering, and insertion of dummy files.

In one case, when we compare the per-file CRCs of two downloads, we can see that the only meaningful change is in "res/raw/data.db". The other files that changed are in META-INF and contain the package's signature data, so they simply reflect the fact that res/raw/data.db has been modified.

Filename                      CRC (Installer.APK)   CRC (SKACHAT.APK)
META-INF/MANIFEST.MF          9dc48f61              074c54b5
META-INF/ALARM.SF             b1377893              42ecb534
META-INF/ALARM.RSA            248c37f7              65105b65
AndroidManifest.xml           40659b25              40659b25
resources.arsc                bbd88c2d              bbd88c2d
classes.dex                   7a3498c4              7a3498c4
res/raw/data.db               6129f361              9e488e9e
res/drawable-hdpi/logo.png    27bc873d              27bc873d
res/drawable-ldpi/logo.png    27bc873d              27bc873d
res/drawable-mdpi/logo.png    27bc873d              27bc873d
res/drawable-hdpi/icon.png    fa11bed8              fa11bed8
res/drawable-ldpi/icon.png    fa11bed8              fa11bed8
res/drawable-mdpi/icon.png    fa11bed8              fa11bed8

This means that they share exactly the same code (stored in classes.dex), but that the data is variable. Examining the code, we see that res/raw/data.db contains a database of network operators with a list of premium numbers and messages that are to be sent if the user is tricked into running this malware. The content of those SMS messages is changed with every download, thereby producing unique files.

In another case of Opfake, the polymorphism was achieved using a different technique. We noticed APKs in which all of the code and data files were identical and only the manifest and signature files differed:

CRC        Filename
311fa59a   META-INF/MANIFEST.MF
86f1655e   META-INF/CERT.SF
ed814261   META-INF/CERT.RSA
02568138   AndroidManifest.xml
5539013f   classes.dex
c9805df6   res/drawable-hdpi/icon.png
c9805df6   res/drawable-mdpi/icon.png
c9805df6   res/drawable-ldpi/icon.png
1d66a094   res/layout/offert.xml
b93210cd   res/layout/grant_access_to_content.xml
169b2a86   res/layout/main.xml
30fe74be   res/raw/activation_schemes.cfg
aca144d2   res/drawable/progress_finished.xml
3367b765   res/xml/countries.xml
f3087726   resources.arsc
88a24ad9   0.temp
88a24ad9   1.temp
88a24ad9   2.temp
88a24ad9   …

Here the polymorphism is achieved by simply re-ordering the code and data files within the application package. When the package is created, the differences in file ordering will cause different manifest and signature files to be created.

Finally, the packages also included dummy .temp files. We have seen upwards of forty of these dummy files in a single package. However, the number of dummy .temp files may change with each download providing even more permutations each time the application is downloaded. Interestingly, the .temp files do not seem to be used by the threat in any way and they all contain this mysterious picture:
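To make the three techniques concrete, here is an added example (not code from the original post or from the malware) that builds three constructed in-memory APKs sharing the same classes.dex, diffs their per-entry CRCs the way the tables above do, and derives a fingerprint that ignores signature files, .temp padding and analyst-declared volatile entries, so that all three downloads hash to the same value. The entry contents, the package name and the stand-in MANIFEST.MF format are assumptions made for the example; real signature files carry digests rather than CRCs, but they change under exactly the same conditions.

```python
import hashlib
import io
import zipfile
import zlib

SIG_PREFIX = "META-INF/"   # signature files: change whenever any other entry's bytes or position change
PAD_SUFFIX = ".temp"       # dummy entries observed in Opfake packages

CODE = b"dex\n035\x00" + b"identical bytecode in every download"       # stand-in for classes.dex
PIC = b"\x89PNG\r\n\x1a\n" + b"the same picture in every .temp file"   # stand-in for the dummy image


def build_apk(entries):
    """Constructed sample: write (name, bytes) pairs into an in-memory zip in exactly this order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def sample_variant(sms_text, order, n_pad):
    """One 'download': same code, per-download SMS text in res/raw/data.db, a chosen entry order,
    and n_pad dummy .temp files. The manifest is a stand-in listing each entry's CRC in archive
    order, so like a real MANIFEST.MF it changes when any entry's content or position changes."""
    files = {
        "AndroidManifest.xml": b"<manifest package='com.example.sample'/>",
        "classes.dex": CODE,
        "resources.arsc": b"resource table",
        "res/raw/data.db": b"operator|premium number|" + sms_text,
    }
    ordered = [(n, files[n]) for n in order] + [(f"{i}.temp", PIC) for i in range(n_pad)]
    manifest = "\n".join(f"Name: {n}\nCRC: {zlib.crc32(d):08x}" for n, d in ordered).encode()
    return build_apk([("META-INF/MANIFEST.MF", manifest)] + ordered)


def entry_crcs(apk_bytes):
    """[(name, crc32)] in archive order; zipfile exposes the stored CRC as ZipInfo.CRC."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [(i.filename, i.CRC) for i in zf.infolist()]


def is_sig(name):
    return name.startswith(SIG_PREFIX)


def is_pad(name):
    return name.endswith(PAD_SUFFIX)


def diff_apks(apk_a, apk_b):
    """Classify the differences between two downloads the way the CRC tables in the post do."""
    ea, eb = entry_crcs(apk_a), entry_crcs(apk_b)
    ca, cb = dict(ea), dict(eb)
    common = ca.keys() & cb.keys()
    order_a = [n for n, _ in ea if not is_sig(n) and not is_pad(n)]
    order_b = [n for n, _ in eb if not is_sig(n) and not is_pad(n)]
    return {
        "data_changed": sorted(n for n in common if ca[n] != cb[n] and not is_sig(n)),
        "signature_changed": sorted(n for n in common if ca[n] != cb[n] and is_sig(n)),
        "reordered": sorted(order_a) == sorted(order_b) and order_a != order_b,
        "padding_added": sorted(n for n in cb.keys() - ca.keys() if is_pad(n)),
        "padding_removed": sorted(n for n in ca.keys() - cb.keys() if is_pad(n)),
        "other_added": sorted(n for n in cb.keys() - ca.keys() if not is_pad(n)),
        "other_removed": sorted(n for n in ca.keys() - cb.keys() if not is_pad(n)),
    }


def fingerprint(apk_bytes, volatile=()):
    """Order-independent SHA-256 over (name, crc) of code/resource entries, skipping signature
    files, .temp padding and any entries the analyst knows vary per download (e.g. res/raw/data.db)."""
    skip = set(volatile)
    keep = sorted((n, c) for n, c in entry_crcs(apk_bytes)
                  if not is_sig(n) and not is_pad(n) and n not in skip)
    h = hashlib.sha256()
    for n, c in keep:
        h.update(f"{n}:{c:08x}\n".encode())
    return h.hexdigest()


BASE_ORDER = ["AndroidManifest.xml", "classes.dex", "resources.arsc", "res/raw/data.db"]

if __name__ == "__main__":
    a = sample_variant(b"Send 'X' to 1234", BASE_ORDER, 0)
    b = sample_variant(b"Send 'Y' to 5678", BASE_ORDER, 0)        # technique 1: variable data
    c = sample_variant(b"Send 'X' to 1234", BASE_ORDER[::-1], 3)  # techniques 2 and 3: re-ordering + dummy files
    print(diff_apks(a, b))
    print(diff_apks(a, c))
    v = {"res/raw/data.db"}
    print(fingerprint(a, v) == fingerprint(b, v) == fingerprint(c, v))
```

The point of the fingerprint is that whole-file hashes are useless against this kind of polymorphism, while a hash over the entries that actually carry the behaviour (classes.dex, the manifest, the resource table) stays constant across every download.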

Once the packages are downloaded and installed on the phone, SMS messages are automatically sent and the browser opens certain websites that are hosting further malware and/or the actual legitimate Android applications. Below are some examples of the fraudulent sites that are participating in the distribution of the malware:

While all of the distribution sites that have thus far been discovered are in Russian, the packages have the ability to send SMS messages not just in Russia, but also in other countries across Europe as well as countries like Australia and Taiwan. The following countries are affected by this threat:

Armenia
Australia
Austria
Azerbaijan
Belarus
Belgium
Bulgaria
Czech Republic
Denmark
Estonia
France
Georgia
Germany
Ireland
Israel
Kazakhstan
Kyrgyzstan
Latvia
Lithuania
Netherlands
Norway
Poland
Portugal
Russia
Spain
Sweden
Taiwan
United Kingdom
Ukraine
 

Although server-side polymorphism is used here, Symantec's Norton Mobile Security protects customers against the automatically generated variants. We also block access to the websites hosting the Android packages with Web Protection. We always advise people to download applications only from sources they trust and to be cautious about what permissions they grant to applications. For example, Android.Opfake will always request the capability to send SMS messages, as can be seen below.

 

Update February 2, 2012:

The "unidentified" individual in the mysterious picture has been identified as Свидетель из Фрязино (the "Witness from Fryazino"). Thanks to Sean Sullivan of F-Secure for the information. The man is known for being digitally manipulated into various photographs.


Phony ICC Promotion Award

Wed, 02/01/2012 - 11:13

Nothing can be more enticing than to be chosen for some free goodies—be it mementos, a cash prize, or a ticket to watch a game. It gets even more interesting if you are from a cricket crazy continent and suddenly, out of the blue, you receive an email saying that you are “the chosen one”!

What would you do? At first thought you would pounce on the opportunity, like a jungle tiger does its prey. But hang on a second! What you might be thinking is an opportunity of a lifetime, sadly, is just the opposite. Let me put it bluntly: if you have received such an email, you are "the chosen prey”. And if you decide to reply to it, then you could be in for some big trouble!

Millions of people get scammed every day with such fantastic offers. The sad part of the story is that many get plundered in this game. Scammers put in a lot of planning before sending out such emails. Upcoming events are focused upon, strategies are formalized, and emails are drafted—all keeping in mind the target audience.

Last year, we reported a fake ticket scam for the 2011 ICC Cricket World Cup held in India. This year, scammers have revisited the continent with Sri Lanka in mind (the place where the destiny of cricketing nations will be decided). You guessed it right—it is the 2012 ICC World Twenty20 tournament to be held in September 2012. We certainly feel this will not be the last spam campaign to be seen for this tournament.

Let’s analyze one email scam sample. From the email headers, we find this message does not originate from the ICC in any way:

The contents of the email are actually found in the PDF attachment:

The content inside the PDF attachment has all the characteristics of an email scam. It announces the email account of the recipient has been chosen randomly and has won a prize of 75,000 Euro. (Without user participation in any lottery! Surprising isn’t it?). This award is called the “International Cricket Council (ICC) Promotion New Year Award 2012”, which is obviously imaginary. There is also a form to be filled with details like name, date of birth, address, and banking-related information. Amusingly, this mail also includes a logo which claims this payment is considered risk free by all financial service providers. Along with the risk free tag, a barcode is added towards the end of the document to make it look genuine. In addition, they have added the event logo of the tournament, inviting users to register for official travel packages to Sri Lanka.

Users should neither believe nor reply to the senders of these types of email notifications. This warning also applies to similar SMS texts sent to mobile phone users. Do not trust such emails without verifying the sender. Such messages are never "risk free".

See the Symantec Intelligence Report for best practices for consumers.


An Update on Android.Counterclank

Tue, 01/31/2012 - 09:45

Last week, we posted a blog informing Android users of the discovery of new versions of Android.Tonclank, which we have named Android.Counterclank. The blog generated a bit of discussion over whether these new versions should be a concern to Android users. When classifying applications, our focus is on whether users want to be informed of the application's behavior, allowing them to make a more informed choice regarding whether to install it.

The situation we find ourselves in is similar to when Adware, Spyware, and Potentially Unwanted Applications first made appearances on Windows. Many security vendors did not initially detect these applications, but eventually, and with the universal approval of computer users, security companies chose to notify users of these types of applications.

Since our initial blog post, we have determined that the code in the Tonclank and Counterclank applications comes from the same vendor. The vendor is a company that distributes an SDK (software development kit) to third parties to help them monetize their applications, primarily through search.

In particular, the SDK code will connect to a remote server (apperhand.com) and send the following information:

  • A SHA1 hash of device information (such as IMEI) to uniquely identify the installation
  • Information to identify the application using the SDK
  • Device information such as the brand, manufacturer, model, and Android OS version
  • Display metrics such as screen size and resolution
  • Language preference
  • Browser user agent

After receiving this information, the code will wait for a command. Commands of interest include:

ACTIVATION – Causes a webpage to be displayed. The feature appears to be designed to display a webpage with an end-user license agreement (EULA), but in our testing we were unable to reproduce any application showing such a page.

HOMEPAGE – Sets the browser’s homepage.

BOOKMARKS – Create or request bookmarks. In our testing, we have seen this feature actively used to send all the bookmarks of a device to apperhand.com

SHORTCUTS – Create shortcuts on the home screen.

The homepage, bookmarks, and shortcuts may be sent to the following domain:
http://searchwebmobile.com/search?sourceid=1&app=[UNIQUE APPLICATION ID]

Searchwebmobile.com belongs to a third party, Infospace, who provides monetary compensation to applications redirecting search queries through their website.

Additional commands also exist, but do not have direct security and privacy implications. Further, different versions of the SDK have been created with new commands which have not been fully examined. The analyzed applications did not provide in-app notification of these behaviors and the bookmarks, shortcuts, and homepage modifications do not specify the application behind the change or the responsible company. The SDK provider's website does state they require application developers to place a notification in the Android Market description noting that the application will modify the homepage, create a bookmark, and create a shortcut to a search site. Those notifications did not include information on the exfiltration of bookmarks.

Due to the combined behavior of the applications, negative feedback from users who installed them, and the fact that previous applications (Android.Tonclank) using this code were initially suspended from the Android Market, we chose to notify users of Counterclank.

We have also submitted a ticket to Google for the removal of Counterclank from the Android Market. Google replied quickly informing us the applications met their Terms of Service and they will not be removed. We expect in the future there may be many similar situations where we will inform users about an application, but the application will remain in the Google Android Market.

We are also in discussions with the SDK provider and hope to provide feedback which helps ensure mobile users have the necessary details to make informed choices.

The mobile ecosystem is growing rapidly and many monetization paradigms are being explored. At Symantec, we follow these developments closely while actively developing new technologies to cater to the variety of applications available and the differences in users' preferences and tolerances for certain behaviors. Through such technology, we hope to avoid the pitfalls of labels such as malicious, spyware, and adware, and instead provide methods to automatically inform users of undesired applications based on their personal preferences. We hope this future technology will encourage a vibrant mobile ecosystem and, at the same time, keeps users safe.


Email with Malicious HTML Attachments

Tue, 01/31/2012 - 06:08

Malware is often embedded in email as compressed attachments (such as .zip, .rar, etc.). Recently, however, Symantec has noticed an increase in malicious email attacks with .htm (HTML) attachments.

Here is what the message looks like in your inbox:

The attachment is an .htm file with obfuscated JavaScript embedded in it. The purpose of the JavaScript is to redirect your browser to a malware-hosting site in Russia which serves Trojan.Pidief and Trojan.Swifi.

Malicious JavaScript, when injected into an HTML file, can:

  • Exploit browser and plugin vulnerabilities to run arbitrary code
  • Display fake antivirus scans and other fraudulent information
  • Download JavaScript, HTML, and other files
  • Hijack browsing sessions
  • Redirect users to malicious websites
  • Steal information
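As an added example (not from the original post), the following Python triage script applies the same reasoning to an attachment before anyone opens it: it pulls out the <script> bodies, counts obfuscation indicators such as unescape(), document.write() and long runs of %XX escapes, and peels the encoding layers to expose any URL that is only visible after decoding. The sample .htm, its host name and the indicator thresholds are constructed for the example.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample .htm attachment: a document.write(unescape(...)) wrapper around a hidden
# iframe. The host name is made up for the example.
SAMPLE_HTM = """<html><body>
<p>Please wait, your document is loading...</p>
<script type="text/javascript">
var p = "%3Ciframe%20src%3D%22http%3A%2F%2Fmalware.example%2Fgo.php%22%20width%3D%221%22%20height%3D%221%22%3E%3C%2Fiframe%3E";
document.write(unescape(p));
</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
META_REFRESH_RE = re.compile(
    r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh[^>]*url\s*=\s*[\"']?([^\"'>\s]+)", re.I)
PERCENT_RE = re.compile(r"%[0-9A-Fa-f]{2}")
JS_ESCAPE_RE = re.compile(r"\\x[0-9A-Fa-f]{2}|\\u[0-9A-Fa-f]{4}")


def _count_at_least(rx, n):
    return lambda body: len(rx.findall(body)) >= n


# Each indicator is a predicate over one <script> body. Thresholds are assumptions for the example.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\(").search,
    "unescape": re.compile(r"\bunescape\s*\(").search,
    "fromCharCode": re.compile(r"String\.fromCharCode").search,
    "document.write": re.compile(r"document\.write(?:ln)?\s*\(").search,
    "location": re.compile(r"\blocation(?:\.href|\.replace)?\s*[=(]").search,
    "percent_blob": _count_at_least(PERCENT_RE, 10),
    "js_escape_blob": _count_at_least(JS_ESCAPE_RE, 10),
}


def decode_layers(text, max_rounds=4):
    """Peel %XX, backslash-x / backslash-u and HTML-entity encodings until a round changes nothing."""
    for _ in range(max_rounds):
        new = unquote(text)
        new = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), new)
        new = re.sub(r"\\u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), new)
        new = html.unescape(new)
        if new == text:
            break
        text = new
    return text


def triage_html(doc):
    """Score an .htm attachment: indicators hit in its scripts, plus URLs that appear only after decoding."""
    scripts = SCRIPT_RE.findall(doc)
    indicators = sorted({name for body in scripts for name, check in INDICATORS.items() if check(body)})
    visible = set(URL_RE.findall(doc)) | set(META_REFRESH_RE.findall(doc))
    decoded = decode_layers(doc)
    after = set(URL_RE.findall(decoded)) | set(META_REFRESH_RE.findall(decoded))
    hidden = sorted(after - visible)
    return {
        "scripts": len(scripts),
        "indicators": indicators,
        "hidden_urls": hidden,
        "suspicious": len(indicators) >= 2 or bool(hidden),
    }


if __name__ == "__main__":
    print(triage_html(SAMPLE_HTM))
```

A URL that only exists after decoding is the strongest single signal here: legitimate HTML has no reason to hide where it sends the browser. The script only handles static encodings; JavaScript that computes its payload at runtime needs a sandboxed interpreter instead.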

Here are some best practices to protect yourself from malicious email attacks:

  • Be selective on which websites you share your email address with.
  • Avoid clicking on suspicious links in email or instant messages (these may be links to spoofed websites). We suggest typing Web addresses directly into the browser rather than clicking on links in messages.
  • Do not open spam messages.
  • Do not reply to spam: typically the sender’s email address is forged, and replying may only result in more spam.
  • Do not open unknown email attachments. These attachments could compromise your computer.
  • Always be sure that your operating system is up-to-date with the latest updates and use a comprehensive security solution. For details on Symantec’s offerings, visit http://www.symantec.com.


MIDI exploit in the wild

Fri, 01/27/2012 - 23:06

Symantec Security Response is aware of in-the-wild malware exploiting the Microsoft Windows Media Player 'winmm.dll' MIDI File Parsing Remote Buffer Overflow Vulnerability (BID 51292). Microsoft has already issued a patch for this vulnerability (MS12-004) in its monthly patch release this January. Applying the patch is strongly recommended.

There are several components involved in this live attack:

  • a.exe
  • baby.mid
  • i.js
  • mp.html

Symantec products detect mp.html and i.js as Trojan.Malscript. The crafted baby.mid file that triggers the vulnerability is detected as Trojan Horse, and the end-result file, a.exe, is flagged as Downloader.Darkmegi. The Downloader.Darkmegi detection also covers a couple of dropped files: com32.dll and com32.sys.

On the IPS side, i.js is blocked by the Web Attack: Malicious JavaScript signature while the initial exploit attempt is blocked by the Web Attack: Malicious JavaScript Heap Spray Generic signature.


Android.Counterclank Found in Official Android Market

Fri, 01/27/2012 - 22:49

Symantec has identified multiple publisher IDs on the Android Market that are being used to push out Android.Counterclank. This is a minor modification of Android.Tonclank, a bot-like threat that can receive commands to carry out certain actions, as well as steal information from the device.

In each of these malicious applications, the malicious code has been grafted onto the main application in a package called "apperhand". When the package is executed, a service of the same name may be seen running on the compromised device. Another sign of infection is the presence of the Search icon shown above on the home screen.

The combined download figures of all the malicious apps indicate that Android.Counterclank has the highest distribution of any malware identified so far this year.

Publisher     Malicious App Title            Category
iApps7 Inc    Counter Elite Force            Arcade & Action
iApps7 Inc    Counter Strike Ground Force    Arcade & Action
iApps7 Inc    CounterStrike Hit Enemy        Arcade & Action
iApps7 Inc    Heart Live Wallpaper           Entertainment
iApps7 Inc    Hit Counter Terrorist          Arcade & Action
iApps7 Inc    Stripper Touch girl            Entertainment
Ogre Games    Balloon Game                   Sports Games
Ogre Games    Deal & Be Millionaire          Sports Games
Ogre Games    Wild Man                       Arcade & Action
redmicapps    Pretty women lingerie puzzle   Photography
redmicapps    Sexy Girls Photo Game          Lifestyle
redmicapps    Sexy Girls Puzzle              Brain & Puzzle
redmicapps    Sexy Women Puzzle              Brain & Puzzle
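The two Android posts above give a practitioner two things to check in a decoded AndroidManifest.xml: the permissions an app requests (Android.Opfake always asks for SEND_SMS) and the component names it registers (the Counterclank code lives in a package and service called "apperhand"). As an added example that is not part of either post, the following Python script performs that triage on a constructed manifest in the form apktool would decode it to. The package name, the service class name, and the list of risky permissions beyond SEND_SMS are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANAME = "{%s}name" % ANDROID_NS   # ElementTree spells android:name as {namespace}name

# Permissions that let an app cost the user money or leak data without further interaction.
# SEND_SMS is the one the Opfake post calls out; the rest are assumptions made for the example.
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS": "can send premium-rate SMS",
    "android.permission.RECEIVE_SMS": "can intercept or block incoming SMS",
    "android.permission.CALL_PHONE": "can dial premium numbers",
    "android.permission.READ_PHONE_STATE": "can read IMEI and phone number",
    "com.android.launcher.permission.INSTALL_SHORTCUT": "can add home-screen shortcuts",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "can read browser bookmarks",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS": "can change bookmarks and homepage",
}

# Name fragments tied to known code: "apperhand" from the Counterclank posts.
KNOWN_COMPONENTS = {"apperhand": "Android.Counterclank / Android.Tonclank SDK"}

# Constructed sample: a decoded manifest, as apktool writes it, for a game bundling the SDK.
# Package and class names are made up for the example.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <application android:label="Sample Game">
    <activity android:name=".MainActivity"/>
    <service android:name="com.apperhand.sample.SdkService"/>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>"""

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _qualify(pkg, name):
    """Manifest shorthand: a leading dot means 'relative to the package name'."""
    return pkg + name if name.startswith(".") else name


def triage_manifest(xml_text):
    """Return requested permissions, declared components, risky matches and a verdict."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    perms = [e.get(ANAME, "") for e in root.iter("uses-permission")]
    components = [(e.tag, _qualify(pkg, e.get(ANAME, "")))
                  for e in root.iter() if e.tag in COMPONENT_TAGS]
    risky = {p: RISKY_PERMISSIONS[p] for p in perms if p in RISKY_PERMISSIONS}
    matches = [(tag, name, family) for tag, name in components
               for frag, family in KNOWN_COMPONENTS.items() if frag in name.lower()]
    if matches or "android.permission.SEND_SMS" in risky:
        verdict = "flag"      # known code, or the permission Opfake cannot do without
    elif risky:
        verdict = "review"    # worth a look, but not conclusive on its own
    else:
        verdict = "ok"
    return {"package": pkg, "permissions": perms, "components": components,
            "risky": risky, "known_components": matches, "verdict": verdict}


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["verdict"], result["risky"], result["known_components"])
```

A manifest check is cheap and catches the obvious cases (a wallpaper that wants SEND_SMS), but it is only a first pass: the Counterclank SDK's bookmark exfiltration needs no permission that a legitimate search helper would not also request, which is exactly why the behaviour rather than the permission list decided the classification above.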

Symantec is continuing with further investigation and we will post more information as we discover it.

