Protecting over 230 million PCs, Macs, & Mobiles – more than any other antivirus

Archive

Archive for the ‘Virus Lab’ Category
February 10th, 2015

Mobile Crypto-Ransomware Simplocker now on Steroids

In June 2014, we told you about mobile ransomware called Simplocker that actually encrypted files (before Simplocker, mobile ransomware only claimed to encrypt files to scare users into paying). Simplocker infected more than 20,000 unique users, locking Android devices and encrypting files located in the external storage. Then, it asked victims to pay a ransom in order to “free” the hijacked device. It was easy to decrypt the files affected by this variant of Simplocker, because the decryption key was hardcoded inside the malware and was not unique for each affected device.

Dangerous unique keys

keyBut now there is a new, more sophisticated variant of Simplocker in town that has already infected more than 5,000 unique users within days of being discovered. The reason why this variant is more dangerous than its predecessor is that it generates unique keys for each infected device, making it harder to decrypt infected devices.

To use an analogy, the original variant of Simplocker used a “master key” to lock devices, which made it possible for us to provide a “copy of the master key” (in the form of an app, Avast Ransomware Removal) to unlock already infected devices. The new variant however, locks each device with a “different key” which makes it impossible to provide a solution that can unlock each infected device, because that would require us to “make copies” of all the different “keys”.

Why would anybody install Simplocker?!

The reason why people install this new variant of Simplocker is because it goes undercover, meaning people don’t even realize that what they are installing is ransomware!

Fake Flash

Tricky Simplocker pretends to be a real app.

 

In this case, the new variant of Simplocker uses the alias “Flash Player” and hides in malicious ads that are hosted on shady sites. These ads mostly “alert” users that they need Flash Player installed in order to watch videos. When the ad is clicked on, the malicious app gets downloaded, notifying the user to install the alleged Flash Player app. Android, by default, blocks apps from unofficial markets from being installed, which is why users are notified that the install is being blocked for security reasons.
Device Admin Request

 

Users should listen to Android’s advice. However, users can go into their settings to deactivate the block and download apps from unknown sources. Once installed, a “Flash Player” app icon appears on the device and when it is opened the “Flash Player” requests the user grant it administrator rights, which is when the trouble really begins.

As soon as the app is granted administrator rights, the malware uses social engineering to deceive the user into paying ransom to unlock the device and decrypt the files it encrypted. The app claims to be the FBI, warning the user that they have found suspicious files, violating copyright laws demanding the user pay a $200 fine to decrypt their files.

device-2015-02-05-143216  FBI warning is an example of social engineering

What should I do if I have been infected?

We do NOT recommend you pay the ransom. Giving into these tactics makes malware authors believe they are succeeding and encourages them to continue.

If you have been infected by this new strain of Simplocker, back up the encrypted files by connecting your smartphone to your computer. This will not harm your computer, but you may have to wait until a solution to decrypt these files has been found. Then boot your phone into safe mode, go into the administrator settings and remove the malicious app and uninstall the app from the application manager.

Avast protects users against Simplocker

Avast Mobile Security protects users against both the old and new variant of Simplocker, the new variant is detected as: Android:Simplocker-AA.

A more technical look under the hood:

As the fake FBI warning is being shown to users, the malware continues working in the background, doing the following: Read more…

January 15th, 2015

Fobus, the sneaky little thief that could

One small Android application shows lots of determination and persistence. Too bad it’s evil.

Mobile malware, Fobus, acts like this famous little engine. "I think I can, I think I can!"

Mobile malware, Fobus, acts like this famous little engine. “I think I can, I think I can!”

 

The year 2014 was significant with a huge rise in mobile malware. One of the families impacting our users was malware Fobus, also known as Podec. This malware poses as a more or less useful application, but for sure it won’t be what the user expects. This malware usually has two language versions, English and Russian, and applications seem to be generated automatically.

All that, and a bag of chips

From the permissions in the manifest, we can see that once Fobus is installed on the victim’s device it cannot only send SMS and call premium numbers, which may cost a lot of money, but it also works as  Spyware and can steal personal data from the infected device. That’s a lot of bad stuff packed into one small application.

Permission

Next up is a bit more technical stuff. If you are really eager, skip to Me thinks that something is amiss section to see how it works. Read more…

January 6th, 2015

Linux DDoS Trojan hiding itself with an embedded rootkit

10867127_1516649011939387_257681840_nAt the end of September 2014, a new threat for the Linux operating system dubbed XOR.DDoS forming a botnet for distributed denial-of-service attacks was reported by the MalwareMustDie! group. The post mentioned the initial intrusion of SSH connection, static properties of related Linux executable and encryption methods used. Later, we realized that the installation process is customized to a victim’s Linux environment for the sake of running an additional rootkit component. In this blog post, we will describe the installation steps, the rootkit itself, and the communication protocol for getting attack commands.

Installation Script & Infection Vector

The infection starts by an attempt to brute force SSH login credentials of the root user. If successful, attackers gain access to the compromised machine, then install the Trojan usually via a shell script. The script contains procedures like main, check, compiler, uncompress, setup, generate, upload, checkbuild, etc. and variables like __host_32__, __host_64__, __kernel__, __remote__, etc. The main procedure decrypts and selects the C&C server based on the architecture of the system.

In the requests below, iid parameter is the MD5 hash of the name of the kernel version. The script first lists all the modules running on the current system by the command lsmod. Then it takes the last one and extracts its name and the parameter vermagic. In one of our cases, the testing environment runs under “3.8.0-19-generic\ SMP\ mod_unload\ modversions\ 686\ “, which has the MD5 hash equal to CE74BF62ACFE944B2167248DD0674977.  Read more…

December 17th, 2014

South Korea hit with banking malware using VPN connection

South Korean banks have been attacked by hackers again!

This is not the first time we reported malware which targets Korean banking customers. In the past, we wrote about Chinese threats against Korean Windows users and last year we published a series of blogposts, Fake Korean bank applications for Android (part 1, part 2, part 3), about malware targeting mobile platforms.

The Korean banking malware is based on the same principle previously used. The customer executes the infected binary, which modifies Windows hosts file. This file contains a list of domains with assigned IP addresses.  Malware, however, may modify this file. When a customer wants to visit his online bank website, he is redirected to the IP address specified in the hosts file, not to the original bank website!

XP Debugging2

The piece of malware we will discuss in this blog post performs the above mentioned modification of system settings. However, when we looked into the modified hosts file, we noticed something unusual.

Read more…

Comments off
December 3rd, 2014

Is backing up your data the same as exposing it? In this case – Yes!

Losing contacts from your mobile phone is highly inconvenient. There’s seems to be a solution -  You can find them online! The catch? Your contacts are in a publicly accessible place.

1playstore photo

Seriously.

If you care for your privacy you should always be suspicious about “Cloud Backup” solutions you find in the Google Play Store. The solution that is being analyzed here backs up your personal contacts online. In public.

Upon starting the application, you will find a screen where you can put your mobile number and a password of your choice. Then you can upload your contacts in the cloud.

 2app

A brief analysis inside this application shows us how exactly it backs up your contacts in the cloud. The contacts are associated with the phone number that you have given in the previous step and they are sent through HTTP POST requests in a PHP page.

3savedatacloud

Further analysis through IP traffic capturing with Fiddler helped usdiscover the results in the pictures above; a page located online, for anyone to see, that contains thousands of un-encrypted entries of phone numbers and passwords. Using the info in the app you can retrieve personal private data (contacts) from another user.

4fiddlerinfo 5datafromserver

We found log in data inside those entries from countries like Greece, Brazil, and others

The Play Store page says that this app has been installed 50.000-100.000 times. This is a big number of installations for an application that doesn’t deliver the basic secure Android coding practices. The developer must use technologies like HTTPS, SSL and encryption on the data that are transferred through the web and stored in the server. Nogotofail is a useful network security testing tool designed by Google to “to help developers and security researchers spot and fix weak TLS/SSL connections and sensitive cleartext traffic on devices and applications in a flexible, scalable, powerful way.

6appinfoplaystore The application has been reported to Google without receiving any response.

Avast detects it as Android:DataExposed-B [PUP].

Samples (SHA-256):

F51803FD98C727F93E502C13C9A5FD759031CD2A5B5EF8FE71211A0AE7DEC78C 199DD6F3B452247FBCC7B467CB88C6B0486194BD3BA01586355BC32EFFE37FAB

September 15th, 2014

Tiny Banker Trojan targets customers of major banks worldwide

The Tinba Trojan aka Tiny Banker targeted Czech bank customers this summer; now it’s gone global.

After an analysis of a payload distributed by Rig Exploit kit, the AVAST Virus Lab identified a payload as Tinba Banker. This Trojan targets a large scope of banks like Bank of America, ING Direct, and HSBC.

 hsbc_bank

In comparison with our previous blogpost, Tinybanker Trojan targets banking customers, this variant has some differences,  which we will describe later.

How does Tiny Banker work?

  1. 1. The user visits a website infected with the Rig Exploit kit (Flash or Silverlight exploit).
  2. 2. If the user’s system is vulnerable, the exploit executes a malicious code that downloads and executes the malware payload, Tinba Trojan.
  3. 3. When the computer is infected and the user tries to log in to one of the targeted banks, webinjects come into effect and the victim is asked to fill out a form with his/her personal data.
  4. 4. If he/she confirms the form, the data is sent to the attackers. This includes credit card information, address, social security number, etc. An interesting field is “Mother’s Maiden Name”, which is often used as a security question to reset a password.

Read more…

Comments off
August 27th, 2014

Self-propagating ransomware written in Windows batch hits Russian-speaking countries

Ransomware steals email addresses and passwords; spreads to contacts.

Recently a lot of users in Russian-speaking countries received emails similar to the message below. It says that some changes in an “agreement’ were made and the victim needs to check them before signing the document.

msg
The message has a zip file in an attachment, which contains a downloader in Javascript. The attachment contains a simple downloader which downloads several files to %TEMP% and executes one of them.
payload
The files have .btc attachment, but they are regular executable files.

coherence.btc is GetMail v1.33
spoolsv.btc is Blat v3.2.1
lsass.btc is Email Extractor v1.21
null.btc is gpg executable
day.btc is iconv.dll, library necessary for running gpg executable
tobi.btc is   Browser Password Dump v2.5
sad.btc is sdelete from Sysinternals
paybtc.bat is a long Windows batch file which starts the malicious process itself and its replication

After downloading all the available tools, it opens a document with the supposed document to review and sign. However, the document contains nonsense characters and a message in English which says, “THIS DOCUMENT WAS CREATED IN NEWER VERSION OF MICROSOFT WORD”.

msg2 Read more…

August 19th, 2014

Reveton ransomware has dangerously evolved

The old ransomware business model is no longer enough for malware authors. New additions have made Reveton into something even more powerful.

Reveton

The latest generation of Reveton, the infamous “police” lock screen/ransomware, targets new black market business. The authors upped the ante of the despised malware from a LockScreen-only version to a dangerously powerful password and credentials stealer by adding the last version of Pony Stealer.  This addition affects more than 110 applications and turns your computer to a botnet client.

Reveton also steals passwords from 5 crypto currency wallets. The banking module targets 17 German banks and depends on geolocation. In all cases, Reveton contains a link to download an additional password stealer. The most common infection is via the well-known exploit kits, FiestaEK, NuclearEK, SweetOrangeEK, etc.

Pony stealer module

Reveton use one of the best password/credentials stealer on the malware scene today. Pony authors conduct deep reverse engineering work which results in almost every password decrypted to plain text form. The malware can crack or decrypt quite complex passwords stored in various forms.

The stealer includes 17 main modules like OS credentials, FTP clients, browsers, email clients, instant messaging clients, online poker clients, etc and over 140 submodules.
Reveton modules

Read more…

Comments off
July 17th, 2014

Tinybanker Trojan targets banking customers

Tinba Trojan specifically targets bank customers with deceitful debt notice.

The Tinba Trojan is banking malware that uses a social engineering technique called spearfishing to target its victims. Recently, targets have been banking customers in Czech Republic, AVAST Software’s home country. Tinba, aka Tiny Banker or Tinybanker,  was first reported in 2012 where it was active in Turkey. A whitepaper analyzing its functionality is available here (PDF). However, the spam campaigns against bank users in Czech Republic are still going on and have became more intensive. Here is an example of what Czech customers recently found in their email inbox.

Czech version:

VÝZVA K ÚHRADĚ DLUŽNÉHO PLNĚNÍ PŘED PROVEDENÍM EXEKUCE

Soudní exekutor Mgr. Bednář, Richard, Exekutorský úřad Praha-2, IČ 51736937, se sídlem Kateřinská 13, 184 00 Praha 2
pověřený provedením exekuce: č.j. 10 EXE 197/2014 -17, na základě exekučního titulu: Příkaz č.j. 077209/2014-567/Čen/G V.vyř.,
vás ve smyslu §46 odst. 6 z. č. 120/2001 Sb. (exekuční řád) v platném znění vyzývá k splnění označených povinností, které ukládá exekuční titul, jakož i povinnosti uhradit náklady na nařízení exekuce a odměnu soudního exekutora, stejně ták, jako zálohu na náklady exekuce a odměnu soudního exekutora:

Peněžitý nárok oprávněného včetně nákladu k dnešnímu dni: 9 027,00 Kč
Záloha na odměnu exekutora (peněžité plnění): 1 167,00 Kč včetně DPH 21%
Náklady exekuce paušálem: 4 616,00 Kč včetně DPH 21%

Pro splnění veškerých povinností  je třeba uhradit na účet soudního exekutora (č.ú. 549410655/5000, variabilní symbol 82797754, ČSOB a.s.), ve lhůtě 15 dnů od
doručení této výzvy 14 810,00 Kč

Nebude-li  uvedená částka uhrazena ve lhůtě 15 dnů od doručení této výzvy, bude i provedena exekuce majetku a/nebo zablokován bankovní účet  povinného ve smyslu § 44a odst. 1 EŘ a podle § 47 odst. 4 EŘ. Až do okamžiku splnění povinnosti.

Příkaz k úhradě, vyrozumění o zahájení exekuce  a vypučet povinnosti najdete v přiložených souborech.

Za správnost vyhotovení Alexey Mishkel

 

English translation:

Distraint notice
———————
Bailiff [Academic title] [First name] [Last name], Distraint office Prague-2 ID: 51736937 at Katerinska 13, 184 00 Prague 2 was authorized to proceed the execution 10 EXE 197/2014 -17 based on execution Order 077209/2014-567/Cen/G according to §46 paragraph 4, 120/2001 law collection in valid form which impose you to pay these costs:

Debt amount: 9,027.00 CZK ($445.00)
Distraint reward: 1,167 including 21% TAX
Fixed costs: 4,616 CZK including 21% TAX
Total: 14,810 CZK ($730.00)

To bank account 549410655/5000, variable symbol 82797754, CSOB a.s.

For the correctness of the copy warrants Alexey Mishkel

Using the spearfishing social engineering tactic, the attackers attempt to scare their victims with a specially designed email message explaining that a debt exists which needs to be paid.

Read more…

June 20th, 2014

Samsung Galaxy S5 and other popular phones vulnerable to “TowelRoot” Android exploit

avast! Mobile Security detects TowelRoot exploitsavast! Mobile Security protects from an Android flaw which leaves nearly all new smartphones and tablets vulnerable to attack.

Last week, a wave of articles about a newly discovered Android security flaw flooded the Internet. They sounded a warning, similar to this:

“A flaw in the Android operating system may leave many Android phones and tablets vulnerable to attack, including the Samsung Galaxy S5 and Google’s own Nexus 5,” reported Jill Scharr in a Tom’s Guide article.

Our Virus Lab did not waste  time and started preparing for the inevitable attacks. AVAST researchers dug into the subject looking for malware to make  sure that avast! Mobile Security is ready to protect our users. If you are an avast! user and your tablet or smartphone is protected by avast! Mobile Security, you are protected.

“Even though TowelRoot is not malicious itself, it may be misused as an exploit kit. Generally, TowelRoot can be used as a delivery package for malicious applications,” explained  Filip Chytry, an AVAST Virus Lab expert on mobile malware. “It’s capable of misusing a mistake in Android code which allows attackers to get full control over your Android device. TowelRoot itself is more a proof-of-concept, but in the hands of bad guys, it can be misused really quickly. For this reason we added it to our virus signatures, so Avast detects it as Android:TowelExploit.”

Android has not made an official statement on the security flaw, however our researchers confirm that even the latest versions of the operating system are exposed (version 4 and all higher). It is very likely that versions 3.0 can be attacked, too. For those who just purchased an Android device or don’t have protection yet, we strongly recommend that you install avast! Mobile Security, before taking any further actions. Despite the fact that some of the mobile providers claim that their devices are immune to this particular Android exploit, it is highly risky to leave your device unprotected.

What is the TowelRoot Android vulnerability?

Earlier this month a security flaw in Linux, the operating system which Android is based upon, was discovered by a young hacker known as “Pinkie Pie.” Soon afterwards, a gifted teenager, notable because he was the first to unlock the unlockable –  an iPhone at the age of 17, prepared a tool kit for potential hackers. Its instructions are available publicly to “purchase,” allowing even less advanced programmers to write a script that will use the exploit.

The potential exists for hackers to take full control; to simply root your device. So far the AVAST Virus Lab has not observed any massive attack, however knowing about the potential risk, our Virus Lab is ready for the attack. avast! Mobile Security is capable of discovering different variations of malware code required to exploit the bug.

Who is exposed and how to protect yourself?

Basically everyone who owns an Android device without proper antivirus protection, tablet or mobile phone, with any version of Android OS, including the newest one is at risk for malware.

In order to prevent this exploit, or any other malware attack, once you purchase your device, we advise to install antivirus first, before installing any apps, importing contacts, or starting to browse online. Our avast! Free Mobile security, as well as its Premium version are available to download and install from Google Play.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on FacebookTwitter and Google+. Business owners – check out our business products.