Protecting over 200 million PCs, Macs, & Mobiles – more than any other antivirus

Archive

Archive for the ‘analyses’ Category
July 17th, 2014

Tinybanker Trojan targets banking customers

Tinba Trojan specifically targets bank customers with deceitful debt notice.

The Tinba Trojan is banking malware that uses a social engineering technique called spearfishing to target its victims. Recently, targets havebeen banking customers in Czech Republic, AVAST Software’s home country. Tinba, aka Tinybanker,  was first reported in 2012 where it was active in Turkey. A whitepaper analyzing its functionality is available here (PDF). However, the spam campaigns against bank users in Czech Republic are still going on and have became more intensive. Here is an example of what Czech customers recently found in their email inbox.

Czech version:

VÝZVA K ÚHRADĚ DLUŽNÉHO PLNĚNÍ PŘED PROVEDENÍM EXEKUCE

Soudní exekutor Mgr. Bednář, Richard, Exekutorský úřad Praha-2, IČ 51736937, se sídlem Kateřinská 13, 184 00 Praha 2
pověřený provedením exekuce: č.j. 10 EXE 197/2014 -17, na základě exekučního titulu: Příkaz č.j. 077209/2014-567/Čen/G V.vyř.,
vás ve smyslu §46 odst. 6 z. č. 120/2001 Sb. (exekuční řád) v platném znění vyzývá k splnění označených povinností, které ukládá exekuční titul, jakož i povinnosti uhradit náklady na nařízení exekuce a odměnu soudního exekutora, stejně ták, jako zálohu na náklady exekuce a odměnu soudního exekutora:

Peněžitý nárok oprávněného včetně nákladu k dnešnímu dni: 9 027,00 Kč
Záloha na odměnu exekutora (peněžité plnění): 1 167,00 Kč včetně DPH 21%
Náklady exekuce paušálem: 4 616,00 Kč včetně DPH 21%

Pro splnění veškerých povinností  je třeba uhradit na účet soudního exekutora (č.ú. 549410655/5000, variabilní symbol 82797754, ČSOB a.s.), ve lhůtě 15 dnů od
doručení této výzvy 14 810,00 Kč

Nebude-li  uvedená částka uhrazena ve lhůtě 15 dnů od doručení této výzvy, bude i provedena exekuce majetku a/nebo zablokován bankovní účet  povinného ve smyslu § 44a odst. 1 EŘ a podle § 47 odst. 4 EŘ. Až do okamžiku splnění povinnosti.

Příkaz k úhradě, vyrozumění o zahájení exekuce  a vypučet povinnosti najdete v přiložených souborech.

Za správnost vyhotovení Alexey Mishkel

 

English translation:

Distraint notice
———————
Bailiff [Academic title] [First name] [Last name], Distraint office Prague-2 ID: 51736937 at Katerinska 13, 184 00 Prague 2 was authorized to proceed the execution 10 EXE 197/2014 -17 based on execution Order 077209/2014-567/Cen/G according to §46 paragraph 4, 120/2001 law collection in valid form which impose you to pay these costs:

Debt amount: 9,027.00 CZK ($445.00)
Distraint reward: 1,167 including 21% TAX
Fixed costs: 4,616 CZK including 21% TAX
Total: 14,810 CZK ($730.00)

To bank account 549410655/5000, variable symbol 82797754, CSOB a.s.

For the correctness of the copy warrants Alexey Mishkel

Using the spearfishing social engineering tactic, the attackers attempt to scare their victims with a specially designed email message explaining that there exists a debt which needs to be paid.

Read more…

June 9th, 2014

Are hackers’ passwords stronger than regular passwords?

Hackers use weak passwords just like the rest of us.

librarian_dict_sm

Nearly two thousand passwords used by hackers were leaked this week, when I tried to decode a PHP shell without knowing the key. Because I did not know the exact content of the encoded file and searching the key could take me years, I chose a different approach. I decided to find out how strong passwords used by hackers are and create a dictionary. :)

Over the years of fighting malware, the avast! Virus Lab has gathered many samples of various back-doors, bots and shells. Some of them are protected with a password encoded in MD5, SHA1 or in plain text, so it was good way to start. I looked at 40,000 samples of hackers’ passwords and found that nearly 2,000 were unique and 1,255 of those were in plain text. Another 346 passwords were easily cracked from MD5 hashes, because they were shorter than 9 characters. That gave me a total of 1,601 passwords and 300 hashes. I created statistics from those words, and here are my findings.

1Passwords that nobody will guess

Percentage of characters used in hackers' passwords

About 10% of the passwords were beyond normal capabilities of guessing or cracking. Of those, I found words as long as 75 characters, probably generated by a computer. Some of them were in long sentence form mixed with special characters such as lol dont try cracking 12 char+. Too bad it was stored in plain text. ;)

There were also passwords that don’t use characters from an English keyboard. But there was still a 90% chance it could be a normal word, maybe with some number in it. No less than 9% of the passwords could be found in an English dictionary.

The table on the right shows which characters are used in hackers’ passwords. The first row means that 58% of passwords contained only lower-case alphabet characters a-z. Read more…

June 4th, 2014

Black marketed Windows banking & POS Trojan Minerva turns in-the-wild

10309990_1418461665091456_1542203837_oThe path from the creation of malicious program to its delivery onto victims’ computers is long nowadays and involves many different players with the same goal – to make a financial gain. Malware authors usually offer their software to cyber criminals who in turn distribute it via underground forums. This is the how they keep their anonymous status. We have previously seen many famous malicious programs start this way.

In the past, the Russian banking Trojan Carberp was heavily advertised on shady forums. In the beginning of the year, an attempt to sell a new ransomware called Prison Locker was reported. Last year, we blogged about Trojan Solarbot which choose to promote itself through a well- designed website, appearing very official.

However, we don’t always know all the details about every piece of malware, from the code to how it is being distributed. The Trojan dubbed i2Ninja, for example, made headlines last year, but we never received a real sample containing all the functionalities the media reported on. Or do you remember the Hand of Thief Trojan for Linux desktops? Its variant for the Android platform was also advertised, but again, we never encountered it in our Virus Lab. These advertisements could have lacked the real code behind them or may have gone under in the pile of cyberthreats.

In March 2013 a new banking Trojan dubbed Minerva was introduced on a Russian forum. We will see that it is awfully successful in what it promised to do. Read more…

May 12th, 2014

Browser Ransomware Attacks are Massive in Scale

avast! Virus Lab infographic shows how prolific and wide-spread Browser Ransomware attacks have been over the last three months.

AttentionLeaving page alert

During December I wrote about the tricks and tactics of Browser Ransomware. Browser Ransomware is malware that works in different types of browsers to prevent people from using their PCs. To get access back to their own PC, the victim of this malware must pay a ransom to unblock it. The key to success for this attack is its translations into many different languages, giving the cybercrooks a bigger pool of potential victims.

Today I would like to look back on Browser Ransomware attacks and share some data from our avast! CommunityIQ with you.

We detect Ransomware attacks using several different methods.  The detections I checked were created January 30, 2014. I was really surprised at the huge impact this attack has had on AVAST users.

  • In a little under 3 months, AVAST protected more than a half million unique users around the world from Ransomware attacks.
  • In the past 6 weeks, AVAST users have unknowingly visited a site with Ransomware on it over 18 million times.
  • During last 24 hours, AVAST stopped redirection from infected sites to sites hosting Ransomware for more than 18,000 unique users. Read more…
May 7th, 2014

Fake government ransomware holding Android devices hostage

Ransomware, which has already made its rounds on Windows, is now increasingly targeting the Android operating system. A new piece of mobile malware claiming to be the government under the name Android: Koler-A is now targeting users.

We have full control of your phone – give us $300 and we’ll give it back

Obrázek 1-1

The ransomware is pushed automatically from fake porn sites visited by Android users via a malicious .apk file that appears in the form of an app. The innocent appearance of the app deceives users and is a powerful social engineering tactic used by malware developers to trick people into installing malicious apps. The form of delivery is not the only thing that makes the app suspicious and potentially dangerous, but the access it seeks are highly unusual and alarming. The ransomware requests full network access, permission to run at startup and permission to prevent the phone from sleeping. Once installed the granted access allows the ransomware to take control of the device. The full network access allows the malicious app to communicate over the web and download the ransom message that is shown on the captive device. The permission to run at startup and prevent the phone from sleeping fully lockdown the phone, preventing victims from escaping the ransom message.

The ransomware localizes fake government messages, depending on the users GPS location, accusing them of having viewed and downloaded inappropriate and illegal content. What does the ransomware do next? Demands ransom of course! The ransom to regain access to the device including all of its apps, which it claims are all encrypted, is set at around $300 and is to be paid through untraceable forms of payment such as MoneyPak.

avast! Mobile Security safeguards against ransomware

Both AVAST’s free and premium mobile security apps, avast! Mobile Security and avast! Mobile Premium, protect customers from falling for the devious apps containing ransomware. AVAST detects this ransomware under the name Android: Koler-A and blocks its execution.

We recommend that everyone be cautious when downloading apps, especially from unofficial app markets. We also urge users to not open any files that have been downloaded to their device without their consent. Always check what apps want to access and in addition to being cautious, we advise people download antivirus to protect their devices. This new ransomware appearing on Android is the perfect example of how malware is starting to move away from the PC environment and into our pockets and there are no signs of this slowing down.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news and product information, please follow us on Facebook, Twitter, Google+ and Instagram. Business owners – check out our business products.

Comments off
April 17th, 2014

WordPress plugin vulnerability puts mobile visitors at risk

AVAST finds WordPress plugin redirector

AVAST finds new twist on WordPress plugin vulnerability

Today one of our colleagues came into our office and said, “Hey guys, I’ve been infected.” I thought to myself, yeah, how bad can this be? After a bit of digging we found the results were worth it; it turned out to be a really “interesting ” case of mobile redirected threats localized for each country.

All you need is one bad IP

The case was brought to us by Jakub Carda, a fellow AVAST employee who enjoys blogging in his free time. His WordPress site was compromised through a vulnerability in WordPress, more precisely OptimizePress. OptimizePress is a WordPress plugin that fully integrates itself into the WordPress CMS, helping bloggers optimize their blog’s design. A tiny mistake in the code of a file located in: lib/admin/media-upload.php made it possible for pretty much anyone to upload harmful content onto people’s WordPress sites, and plenty of websites have been compromised because of this.

Read more…

April 1st, 2014

Email with subject “FW:Bank docs” leads to information theft

In this blogpost we will look deep into a spam campaign, where unlike other possible scenarios, the victim is infected by opening and running an email attachment. In the beginning of this year, we blogged about a spam campaign with a different spam message – a fake email from the popular WhatsApp messenger. This time we will look at spam email which tries to convince the victim that it originates from his bank. The malicious email contains contents similar to the following one:


Subject: FW: Bank docs

We have received this documents from your bank, please review attached documents.
<name, address>

 

promo Read more…

Comments off
March 27th, 2014

Pretty women. Which one will infect you?

which_one_will_infect_you

Malware which opens pictures of attractive women to entice its victims has been around for some time. Last month there were more than usual, so I decided to research malware that pretends to be a regular picture, and the results are pretty interesting.

We looked for executable samples with two distinct characteristics: 1. .jpg in their name, and 2. no older than the last three months. About 6,000 unique files which matched this criteria were found. From these samples, we noticed that pretending to be an image is not a family specific criteria but we identified that Win32:Zbot is represented more than other malware e.g. MSIL:Bladabindi-EV, Win32:Banker-JXB,BV:Bicololo-CY, etc.

The important message is that most of these samples are distributed by scams which are sent by email or posted on social media sites. An example of an email scam is pictures below. If you are interested in what the social media scam looks like and how to protect yourself, you should read one of our previous blog posts.

scam_mails

Read more…

March 18th, 2014

Fake Korean bank applications for Android – Pt 3

Recently, we discovered an account on GitHub, a service for software development projects, that has interesting contents. The account contains several projects; one of the latest ones is called Banks, and it has interesting source codes.  The account contains information like user name, photo, and email address, but we cannot tell who the guy in the picture is. He might not be related to the contents at all, it could be a fake picture, fake name, or simply his account may have been hacked, his identity stolen, and the Banks repository created by someone else without his consent. In this blog post, we will explore the source codes in detail.
korea-03

When we downloaded the repository, we found several directories – GoogleService and fake applications imitating mobile applications of five major Korean banks – NH Bank, Kookmin Bank, Hana Bank, ShinHan Bank and Woori Bank.

korea-02

 

We previously published two blog posts with analyses of the above mentioned fake applications.

When we look at GitHub statistics, and Punchcard tab, it tells us what time the creators were most active. From the chart below you can see, that Saturday mornings and evenings and Sunday evenings were the most active times of comments of new versions. It seems that authors of this application do the development as a weekend job. At the time of writing this blogpost, the last update of fake bank applications was in the beginning of January 2014.

korea-20

This is not the first attack against users of Korean banks. About a year ago, we published this analysis.

Conclusion

Github, the web-based hosting service for software development projects, offers a lot of interesting contents, which depending on its settings can be later found and accessed by virtually anyone, including Google robots.  We managed to find the above mentioned repository by simply Googling the strings which occurred in a malicious Android application.

Acknowledgement:

The author would like to thank to Peter Kalnai and David Fiser for help and consultations related to this analysis.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on FacebookTwitter and Google+. Business owners – check out our business products.

March 7th, 2014

Google Play: Whats the newest threat on the official Android market?

Official app stores are the primary sources to finding and downloading apps. Experts advise users to stay within the official app stores as they are approved ecosystems, which are widely recognized as safe. But are these sources really trustworthy? Some experts, however, claim that “Android malware is non-existent and security companies just try to scare us. Keep calm and don‘t worry.“ So which is it?

We’ve already blogged about plenty of threats that sneak onto your device from trusted sources, but here we have a really fresh one, one that  is still undetected by other security vendors. An Application called Cámara Visión Nocturna (package name: com.loriapps.nightcamera.apk), which is still available in the Google Play Store as I am writing this post, is something you definitely don’t want to have on your Android device.

Blg1

Starting with the application’s permissions you might notice there are some unusual requests for an app that should be able to work only using your camera.

    <uses-permission android:name=”android.permission.CAMERA” />

Read more…