Protecting over 200 million PCs, Macs, & Mobiles – more than any other antivirus

Archive

Posts Tagged ‘trojan’
June 5th, 2014

SimplLocker does what its name suggests: Simply locks your phone!

A new Android mobile Trojan called SimplLocker has emerged from a rather shady Russian forum, encrypting files for ransom. AVAST detects the Trojan as Android:Simplocker, avast! Mobile Security and avast! Mobile Premium users can breathe a sigh of relief; we protect from it!

malware, mobile malware, Trojan, SimplockerThe Trojan was discovered on an underground Russian forum by security researchers at ESET. The Trojan is disguised as an app suitable for adults only. Once downloaded, the Trojan scans the device’s SD card for images, documents and videos, encrypting them using Advanced Encryption Standard (AES). The Trojan then displays a message in Russian, warning the victim that their phone has been locked, and accusing the victim of having viewed and downloaded child pornography. The Trojan demands a $21 ransom be paid in Ukrainian currency within 24 hours, claiming it will delete all the files it has encrypted if it does not receive the ransom. Nikolaos Chrysaidos, Android Malware Analyst at AVAST, found that the malware will not delete any of the encrypted files, because it doesn’t have the functionality to do so. Targets cannot escape the message unless they deposit the ransom at a payment kiosk using MoneXy. If the ransom is paid the malware waits for a command from its command and control server (C&C) to decrypt the files.

What can we learn from this?

Although this Trojan only targets a specific region and is not available on the Google Play Store, it should not be taken lightly. This is just the beginning of mobile malware, and is thought to be a proof-of-concept. Mobile ransomware especially is predicted to become more and more popular. Once malware writers have more practice, see that they can get easy money from methods like this, they will become very greedy and sneaky.

We can only speculate about methods they will come up with to eventually get their malicious apps onto official markets, such as Google Play, or even take more advantage of alternative outlets such as mobile browsers and email attachments. It is therefore imperative that people download antivirus protection for their smartphones and tablets. Mobile devices contain massive amounts of valuable data and are therefore a major target. 

Ransomware can be an effective method for criminals to exploit vulnerable mobile users, many of which don’t back up their data. Just as in ransomware targeting PCs, this makes the threat of losing sentimental data, such as photos of family and friends or official documents, immense.

Don’t give cybercriminals a chance. Protect yourself by downloading avast! Mobile Security for FREE.

June 4th, 2014

How to protect yourself from the coming virus apocalypse

After the takedown of a major botnet, users have a “two-week window” to protect themselves against a powerful computer attack that ransoms people’s data and steals millions of dollars from unsuspecting victims. 

Zeus_Banner_blhd01
If you read our blog, you are familiar with the dangers of the Zeus Trojan and ransomware, and how people get infected. Here’s a quick review:

1. The victim opens a carefully crafted email which is designed to look like it came from their bank or a well-known company.
2. The victim clicks on and runs an email attachment.
3. Malicious software like the one making the news now, Gameover Zeus, releases a Trojan which searches the computer for passwords and financial data.
4. Once Gameover Zeus finds what it’s seeking, cybercrooks instruct CryptoLocker, ransomware software, to hijack the computer, encrypt the files, and demand payment for it to be unlocked. To get access to your computer again, you must pay a ransom within a set amount of time.
5. Once infected, the computer becomes part of the global botnet.

The good news

Led by the FBI, agents from Europol and the UK’s National Crime Agency (NCA) brought two computer networks that used the Gameover Zeus botnet and Cryptolocker ransomware to infect up to a million computers and cost people more than $100 million under control of the good guys.

The bad news

As we explained in our blog post yesterday, GameOver Zeus May not be as Over as You Think, cybercrooks could conceivably build another botnet to replace the ones that were shut down.

Why the two-week window?

This window is based on the amount of time the FBI thinks they can ”hold the upper-ground against the cybercriminals.” Two weeks should be enough time for computer users to update their operating system software and security software and disconnect infected computers.

Steps to take now to protect your computer

Read more…

Comments off
April 1st, 2014

Email with subject “FW:Bank docs” leads to information theft

In this blogpost we will look deep into a spam campaign, where unlike other possible scenarios, the victim is infected by opening and running an email attachment. In the beginning of this year, we blogged about a spam campaign with a different spam message – a fake email from the popular WhatsApp messenger. This time we will look at spam email which tries to convince the victim that it originates from his bank. The malicious email contains contents similar to the following one:


Subject: FW: Bank docs

We have received this documents from your bank, please review attached documents.
<name, address>

 

promo Read more…

Comments off
March 18th, 2014

Fake Korean bank applications for Android – Pt 3

Recently, we discovered an account on GitHub, a service for software development projects, that has interesting contents. The account contains several projects; one of the latest ones is called Banks, and it has interesting source codes.  The account contains information like user name, photo, and email address, but we cannot tell who the guy in the picture is. He might not be related to the contents at all, it could be a fake picture, fake name, or simply his account may have been hacked, his identity stolen, and the Banks repository created by someone else without his consent. In this blog post, we will explore the source codes in detail.
korea-03

When we downloaded the repository, we found several directories – GoogleService and fake applications imitating mobile applications of five major Korean banks – NH Bank, Kookmin Bank, Hana Bank, ShinHan Bank and Woori Bank.

korea-02

 

We previously published two blog posts with analyses of the above mentioned fake applications.

When we look at GitHub statistics, and Punchcard tab, it tells us what time the creators were most active. From the chart below you can see, that Saturday mornings and evenings and Sunday evenings were the most active times of comments of new versions. It seems that authors of this application do the development as a weekend job. At the time of writing this blogpost, the last update of fake bank applications was in the beginning of January 2014.

korea-20

This is not the first attack against users of Korean banks. About a year ago, we published this analysis.

Conclusion

Github, the web-based hosting service for software development projects, offers a lot of interesting contents, which depending on its settings can be later found and accessed by virtually anyone, including Google robots.  We managed to find the above mentioned repository by simply Googling the strings which occurred in a malicious Android application.

Acknowledgement:

The author would like to thank to Peter Kalnai and David Fiser for help and consultations related to this analysis.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on FacebookTwitter and Google+. Business owners – check out our business products.

March 3rd, 2014

Fake Korean bank applications for Android – part 2

In February, we looked at the first part of the fake Korean bank application analysis along with Android:Tramp (TRAck My Phone malicious Android application), which uses it. In this blogpost, we will look at another two Android malware families which supposedly utilize the same bunch of fake Korean bank applications. At the end of this article, we will discuss the origin of malware creators.

Analysis of Android:AgentSpy

It is interesting to search for references of bank applications package names – KR_HNBank, KR_KBBank, KR_NHBank, KR_SHBank, KR_WRBank. One reference goes to a malicious application called Android:AgentSpy. The infection vector of this application was described by Symantec, contagio mobile and Alyac. We will not delve into details, we will just mention that the malicious application is pushed to a connected mobile phone via ADB.EXE (Android Debug Bridge). The uploaded malicious file is called AV_cdk.apk.

Android:AgentSpy contains activity MainActivity and several receivers and service CoreService.

BootBroadcastReceiver

Monitors android.intent.action.BOOT_COMPLETED and android.intent.action.USER_PRESENT and if received, starts CoreService. It also monitors attempts to add or remove packages – android.intent.action.PACKAGE_ADDED and android.intent.action.PACKAGE_REMOVED.

CoreService

1) Calls regularly home and reports available connection types (wifi, net, wap), IMSI, installed bank apps

2) Regularly polls C&C and responds to the following commands

sendsms – sends SMS to a given mobile number

issms – whether to steal received SMS or not

iscall – whether to block outgoing call

contact – steals contact information and upload them to C&C

apps – list of installed bank apps

changeapp – replaces original bank applications with fake bank applications

move – changes C&C server

PhoneListener receiver

Moniors new outgoing calls. If android.intent.action.NEW_OUTGOING_CALL is received, information about the outgoing call is sent to C&C.

Config class

Contains C&C URL, name of bank packages (String array bank), name of fake bank packages (String array apkNames). It also contains reference to conf.ini configuration file.

koreanbanks_agentspy_config

Analysis of Android:Telman

One more Android malware family, which uses fake bank applications is called Android:Telman. Similarly to Android:Tramp and Android:AgentSpy, it checks for installed packages of the above mentioned banks. Read more…

February 17th, 2014

Fake Korean bank applications for Android – PT 1

About a year ago, we published this analysis about a pharming attack against Korean bank customers. The banks targeted by cybercriminals included NH Bank, Kookmin Bank, Hana Bank, ShinHan Bank, and Woori Bank. With the rise of Android-powered devices, these attacks now occur not only on the Windows platform, but also on the Android platform. In this blogpost we will look at a fake bank application and analyze several malware families which supposedly utilize them.

Original bank application

We will show just one bank application for brevity. For other banks the scenario is similar. The real Hana Bank application can be downloaded from Google Play. It has the following layout and background.
korea-08

Read more…

January 23rd, 2014

WhatsApp bogus email tries to install Zeus Trojan on your computer

whatsapp-logoHave you received an email from WhatsApp? No? That’s because the company usually sends their users messages directly via the app itself, typically notifying them of updates. If you have received an email from WhatsApp recently, we urge you to not open it and to delete it immediately. The email is a hoax that contains malware.

Within the last few days, an email with the subject line “Missed voice message” has spread with the sender name “WhatsApp Messenger.” The message asks recipients to “please download attached file,” a file named “Missed-message.zip.”

Our antivirus lab expert, Peter Kálnai, told us, “It has never been WhatsApp’s strategy to send you missed voice messages in an email and they haven’t started to do so now. Instead of a voice message, it includes a zipped attachment with an executable file under the same name missed-message.exe. This file is able to download any malware attackers want to load onto their victim’s computer, including the Zeus Trojan, also known as one of the most dangerous banking trojans.”

Zeus lies silently on users’ computers until they log on to a banking website. Once on a banking site, Zeus collects the users’ personal data and online banking information. Read more about how avast! Antivirus blocks Zeus Trojans.

The popular mobile messaging service, WhatsApp, recently announced they now have more than 430 million Android and iPhone users. This is a great success for WhatsApp, but at the same time makes it an attractive target for cybercriminals, as the amount of potential victims is huge.

Does avast! Antivirus protect against the WhatsApp malware?

Yes! AVAST detects the executable files spread in the ZIP file in different versions and protects all of its more than 200 million users from this threat. Besides using AVAST, we recommend users use common sense and think twice when they receive an email from an app that usually never chooses to address its users via email. Also, in general, trustworthy companies don’t send attachments unless you have requested specific documents, so do not open any email attachments if you haven’t requested them, and always use caution when downloading files from the Internet.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on FacebookTwitter and Google+. Business owners – check out our business products.

Categories: General Tags: , ,
Comments off
January 22nd, 2014

Win32/64:Blackbeard & Pigeon: Stealthiness techniques in 64-bit Windows, Part 2

1608606_777513882262041_947320490_n

Last week we promised to explain in detail how the “Blackbeard” Trojan infiltrates and hide itself in a victim’s system, especially on its 64-bit variant. Everything described in this blogpost happens just before Pigeon (clickbot payload) gets downloaded and executed. The most interesting aspects are the way it bypasses the Windows’ User Access Control (UAC) security feature and switches the run of 32-bit code of the Downloader to 64-bit code of the Payload. And finally, how the persistence is achieved.

From 32-bit Loader to 64-bit Payload

As almost all other malware, this downloader is encapsulated with a cryptor. After removing the first layer cryptor, we can see that the downloader is written in a robust way. The same code can be run under either a 32-bit or 64-bit environment, which the code itself decides on the fly based on the entrypoint of the unpacked layer. Authors can therefore encapsulate their downloader in either a 32-bit or 64-bit cryptor and it will get executed well in both environments.

Read more…

January 15th, 2014

Win32/64:Blackbeard & Pigeon: Stealthiness techniques in 64-bit Windows, Part 1

clickfraud2At the turn of the year we started to observe a Trojan, not much discussed previously (with a brand new final payload). It has many interesting aspects: It possesses a complex structure containing both 32-bit and 64-bit code; it achieves its persistence with highly invasive methods; and it is robust enough to contain various payloads/functionalites.

Evolution of Blackbeard

Confronting this threat for the first time, we wondered about its classification. Using AVAST’s Malware Similarity Search, we found an old sample (the TimeStamp said “02 / 20 / 12 @ 3:30:55am UTC”) in the malware database that shared the threat’s structure of PE header. Moreover, it also contained debug info with a string “Blackbeard,” so we decided to dub it like that.

blackbeard_first_old

The development of the code evolved in time. We can connect a part of the infection chain of this Trojan with the threat called Win32/64:Viknok. For both the historic and the current variant of Blackbeard, the complexity of the structure is sketched on this scheme:

blackbeard_structure_and_evolution

Read more…

September 25th, 2013

Win32/64:Napolar: New Trojan shines on the cyber crime-scene

In recent weeks, malware samples resolved as Win32/64:Napolar from AVAST’s name pools generated a lot of hits within our file and network shields. Independently, we observed an advertising campaign of a new Trojan dubbed Solarbot that started around May 2013. This campaign did not run through shady hacking forums as we are used to, but instead it ran through a website indexed in the main search engines. The website is called http://solarbot.net and presents its offer with a professional looking design:

_napolar_intro

For the Win32/64:Napolar Trojan, the pipe used to inter-process communication is named \\.\pipe\napSolar. Together with the presence of character strings like “CHROME.DLL,” “OPERA.DLL,” “trusteer,” “data_inject,” and features we’ll mention later, we have almost no doubts that the Trojan and Solarbot coincide. Let us look at some analysis.

Read more…