Viry a Červi

ProtonMail Launches Free VPN Service

VirusList.com - 20 Červen, 2017 - 18:55
Encrypted email service ProtonMail announced it was launching its own VPN, ProtonVPN, on Tuesday.
Kategorie: Viry a Červi

Stack Clash Linux vulnerability: you need to patch now

Sophos Naked Security - 20 Červen, 2017 - 18:32
If you're running Linux-based IoT devices, remember that attackers are particularly focusing on these - so make sure you patch all your penguin-based devices

How social media companies are using AI to fight terrorist content

Sophos Naked Security - 20 Červen, 2017 - 17:28
Facebook, Google and other providers are stepping up with techniques ranging from AI detection to human intervention in response to calls from politicians after a rash of terror attacks

Google Removes Two Ztorg Trojans from Play Marketplace

VirusList.com - 20 Červen, 2017 - 15:26
Google removed two apps, Magic Browser, and Noise Detector, that were vehicles for the Ztorg Trojan, Kaspersky Lab said.
Kategorie: Viry a Červi

SophosLabs analysis: why the surge in Word docs hiding ransomware?

Sophos Naked Security - 20 Červen, 2017 - 15:23
The bad guys are using old tricks to hide very modern nasty surprises in Word documents. We take a look at how they're doing that

Say Goodbye to SMBv1 in Windows Fall Creators Update

VirusList.com - 20 Červen, 2017 - 14:41
The SMBv1 file-sharing protocol abused by the NSA’s EternalBlue exploit to spread WannaCry ransomware is being disabled in the upcoming Windows Fall Creators Update, or Redstone 3.
Kategorie: Viry a Červi

Phishing – how this troublesome crime is evolving [Security SOS Week]

Sophos Naked Security - 20 Červen, 2017 - 13:36
Join us today to learn from Sophos expert Peter Mackenzie how to keep your organisation safe from the pernicious problem of phishing.

FIN10 Extorting Canadian Mining Companies, Casinos

VirusList.com - 20 Červen, 2017 - 12:00
A string of data thefts targeting North American mining companies and casinos are extorting as much as $620,000 from victims.
Kategorie: Viry a Červi

Ztorg: from rooting to SMS

Kaspersky Securelist - 20 Červen, 2017 - 11:01

I’ve been monitoring Google Play Store for new Ztorg Trojans since September 2016, and have so far found several dozen new malicious apps. All of them were rooting malware that used exploits to gain root rights on the infected device.

Then, in the second half of May 2017 I found one that wasn’t. Distributed on Google Play through two malicious apps, it is related to the Ztorg Trojans, although not a rooting malware but a Trojan-SMS that can send Premium rate SMS and delete incoming SMS. The apps had been installed from Google Play more than 50,000 and 10,000 times respectively.

Kaspersky Lab products detect the two Trojan apps as Trojan-SMS.AndroidOS.Ztorg.a. We reported the malware to Google, and both apps have been deleted from the Google Play Store.

The first malicious app, called “Magic browser” was uploaded to Google Play on May 15, 2017 and was installed more than 50,000 times.

Trojan-SMS.AndroidOS.Ztorg.a on Google Play Store

The second app, called “Noise Detector”, with the same malicious functionality, was installed more than 10,000 times.

Trojan-SMS.AndroidOS.Ztorg.a on Google Play Store

What can they do?

After starting, the Trojan will wait for 10 minutes before connecting to its command and control (C&C) server. It uses an interesting technique to get commands from the C&C: it makes two GET requests to the C&C, and in both includes part of the International Mobile Subscriber Identity (IMSI). The first request will look like this:

GET c.phaishey.com/ft/x250_c.txt, where 250 – first three digits of the IMSI.

If the Trojan receives some data in return, it will make the second request. The second request will look like this:

GET c.phaishey.com/ft/x25001_0.txt, where 25001 – first five digits of the IMSI.

Why does the Trojan need these digits from the IMSI?

The interesting thing about the IMSI is that the first three digits are the MCC (mobile country code) and the fourth and fifth digits are the MNC (mobile network code). Using these digits, the cybercriminals can identify the country and mobile operator of the infected user. They need this to choose which premium rate SMS should be sent.

In answer to these requests, the Trojan may receive an encrypted JSON file with some data. This data should include a list of offers, and every offer carries a string field called ‘url’, which may or may not contain an actual url. The Trojan will try to open/view the field using its own class. If this value is indeed a url, the Trojan will show its content to the user. But if it is something else and carries an “SMS” substring, the user will send an SMS containing the text supplied to the number provided.

Malicious code where the Trojan decides if it should send an SMS.

This is an unusual way to send SMS. Just after it receives urls to visit, or SMS to send, the Trojan will turn off the device sound, and start to delete all incoming SMS.

I wasn’t able to get any commands for the Trojans distributed through Google Play. But for other Trojans located elsewhere that have the same functionality, I got the command:

{“icon”:”http://down.rbksbtmk.com/pic/four-dault-06.jpg”,”id”:”-1″,”name”:”Brower”,”result”:1,”status”:1,”url”:”http://global.621.co/trace?offer_id=111049&aff_id=100414&type=1″}

It was a regular advertising offer.

WAP billing subscriptions

I was able to find several more malicious apps with the same functionality distributed outside the Google Play Store. The interesting thing is that they don’t look like standalone Trojans, more like an additional module for some Trojan.

Further investigation revealed that these Trojans were installed by a regular Ztorg Trojan along with other Ztorg modules.

In a few of these Trojans, I found that they download a JS file from the malicious url using the MCC.

Malicious code where the Trojan downloads a JS file.

I downloaded several JS files, using different MCC’s, to find out what cybercriminals are going to do with users from a different countries. I wasn’t able to get a file for a US MCC, but for other countries that I tried I received files with some functions. All the files contain a function called “getAocPage” which most likely references AoC – Advice of Charge. After analyzing these files, I found out that their main purpose is to perform clickjacking attacks on web pages with WAP billing. In doing so, the Trojan can steal money from the user’s mobile account. WAP billing works in a similar way to Premium rate SMS, but usually in the form of subscriptions and not one-time payments as most Premium rate SMS.

JS file from a CnC for Russian users (MCC = 250)

It means that urls which the Trojan receives from the CnC may not only be advertising urls, but also urls with WAP billing subscriptions. Furthermore some Trojans with this functionality use CnC urls that contain “/subscribe/api/” which may reference subscriptions too.

All of these Trojans, including Trojans from Google Play, are trying to send SMS from any device. To do so they are using lots of methods to send SMS:

Part of the “Magic browser” app’s code

In total, the “Magic browser” app tries to send SMS from 11 different places in its code. Cybercriminals are doing this in order to be able to send SMS from different Android versions and devices. Furthermore, I was able to find another modification of the Trojan-SMS.AndroidOS.Ztorg that is trying to send an SMS via the “am” command, although this approach should not work.

Connection with the Ztorg malware family

The “Magic browser” app was promoted in a similar way to other Ztorg Trojans. Both the Magic browser” and “Noise detector” apps shared code similarities with other Ztorg Trojans. Furthermore, the latest version of the “Noise detector” app contains the encrypted file “girl.png” in the assets folder of the installation package. After decryption, this file become a Ztorg Trojan.

I found several more Trojans with the same functionality that were installed by a regular Ztorg Trojan along with the other Ztorg modules. And it isn’t the first case where additional Ztorg modules were distributed from Google Play as a standalone Trojan. In April 2017, I found that a malicious app called “Money Converter”, had been installed more than 10,000 times from Google Play. It uses Accessibility Services to install apps from Google Play. Therefore, the Trojan can silently install and run promoted apps without any interaction with the user, even on updated devices where it cannot gain root rights.

Trojan-SMS vs. rooting

There were two malicious apps on Google Play with the same functionality – “Noise Detector” and “Magic browser” but I think that they each had a different purpose. “Magic browser” was uploaded first and I assume that the cybercriminals were checking if they were able to upload this kind of functionality. After they uploaded the malicious app they didn’t update it with newer versions.

But it is a different story with “Noise Detector” – here it looks like the cybercriminals were trying to upload an app infected with a regular version of the Ztorg Trojan. But in the process of uploading they decided to add some malicious functionality to make money while they were working on publishing the rooting malware. And the history of “Noise Detector” updates prove it.

On May 20 they uploaded a clean app called “Noise Detector”. A few days later they updated it with another clean version.

Then, a few days after that, they uploaded a version to Google Play that contained an encrypted Ztorg Trojan, but without the possibility of decrypting and executing it. On the following day they finally updated their app with the Trojan-SMS functionality, but still didn’t add the possibility to execute the encrypted Ztorg module. It is likely that, if the app hadn’t been removed from Google Play, they would have added this functionality at the next stage. There is also the possibility that attempting to add this functionality is what alerted Google to the Trojan’s presence and resulted in its deletion.

Conclusions

We found a very unusual Trojan-SMS being distributed through Google Play. It not only uses around a dozen methods to send SMS, but also initializes these methods in an unusual way: by processing web-page loading errors using a command from the CnC. And it can open advertising urls. Furthermore, it is related to Ztorg malware with the same functionality, that is often installed by Ztorg as an additional module.

By analyzing these apps I found that cybercriminals are working on clickjacking WAP billing. It means that these Trojans may not only open ad urls, or send Premium rate SMS, but also open web-pages with WAP billing and steal money from a user’s account. To hide these activities the Trojans turn off the device sound and delete all incoming SMS.

This isn’t the first time that the cybercriminals distributed Ztorg modules through Google Play. For example, on April 2017 they uploaded a module that can click on Google Play Store app buttons to install or even buy promoted apps.

Most likely, the attackers are publishing Ztorg modules to make some additional money while they are trying to upload the regular rooting Ztorg Trojan. I suggest this because one of the malicious apps had an encrypted Ztorg module but it wasn’t able to decrypt it.

MD5
  • F1EC3B4AD740B422EC33246C51E4782F
  • E448EF7470D1155B19D3CAC2E013CA0F
  • 55366B684CE62AB7954C74269868CD91
  • A44A9811DB4F7D39CAC0765A5E1621AC
  • 1142C1D53E4FBCEFC5CCD7A6F5DC7177

Is CVE-2017-0199 the new CVE-2012-0158?

Virus Bulletin News - 20 Červen, 2017 - 10:55
After five years of exploitation in a wide variety of attacks, CVE-2012-0158 may have found a successor in CVE-2017-0199, which is taking the Office exploit scene by storm.

Read more
Kategorie: Viry a Červi

NSA had NFI about opsec: 2016 audit found laughably bad security

The Register - Anti-Virus - 20 Červen, 2017 - 08:02
Unlocked racks. No 2FA. No access control lists. No wonder Snowden got away with it

Second-rate opsec remained pervasive at the United States' National Security Agency, according to an August 2016 review now released under Freedom of Information laws.…

Kategorie: Viry a Červi

South Korean hosting co. pays $1m ransom to end eight-day outage

The Register - Anti-Virus - 20 Červen, 2017 - 05:02
Talked scum down from $4.4m after they waltzed through unpatched legacy mess

A South Korean web hosting company is forking out just over US$1 million to ransomware scum after suffering more than eight days of nightmare.…

Kategorie: Viry a Červi

Stack Clash flaws blow local root holes in loads of top Linux programs

The Register - Anti-Virus - 20 Červen, 2017 - 03:03
We knew about this in 2005. And 2010. And people are still building without -fstack-check

Powerful programs run daily by users of Linux and other flavors of Unix are riddled with holes that can be exploited by logged-in miscreants to gain root privileges, researchers at Qualys have warned.…

Kategorie: Viry a Červi

Mexican government accused of illegal phone hacking of citizens

The Register - Anti-Virus - 20 Červen, 2017 - 01:32
Investigation reveals targeting of journalists and activists

An investigation by Mexican NGOs and a Canadian tech lab has revealed how the Mexican government is illegally targeting the mobile phones of journalists, lawyers and activists to spy on them.…

Kategorie: Viry a Červi

Anatomy of a scam: how phone frauds harvest millions from us

Sophos Naked Security - 20 Červen, 2017 - 01:00
A review of guilty pleas by phone scammers holds many lessons for ordinary people

US voter info stored on wide-open cloud box, thanks to bungling Republican contractor

The Register - Anti-Virus - 19 Červen, 2017 - 21:00
OMG, GOP! WTF?

A massive cloud-hosted database containing personal information on nearly 200 million people in America was left wide open by consultants hired by the US Republican National Committee, it is claimed.…

Kategorie: Viry a Červi

Mexican Journalists, Lawyers Focus of Government Spyware

VirusList.com - 19 Červen, 2017 - 20:51
Dozens of Mexican journalists, lawyers, and even a child, were hit with Pegasus, commercially-produced spyware, as part of a campaign believed to be carried out by the nation’s government.
Kategorie: Viry a Červi

Republican Data Broker Exposes 198M Voter Records

VirusList.com - 19 Červen, 2017 - 19:59
Almost 200 million voter profiles culled by Republican data broker Deep Root Analytics were left exposed on an Amazon S3 server.
Kategorie: Viry a Červi

News in brief: Girl Scouts get cybersecurity badges; 1m hit by university data theft; India criticised

Sophos Naked Security - 19 Červen, 2017 - 19:48
Your daily round-up of some of the other stories in the news
Syndikovat obsah