If you had the privilege to meet Android:Obad, which Kaspersky earlier reported to be the “most sophisticated android malware,” you are in a real bad situation and this will probably be the moment to which you’ll be referring to in the future as “The time I learned the hard way what better-safe-than-sorry means.” A few days ago we identified a new variant of that threat. There is a chance you bumped into this bad guy before we started detecting it, because if our generic detections don’t catch the malware there is always a short delay before it gets to us. In most cases, it isn’t a problem to get rid of a malicious app – you just uninstall it after you find it. This time, that won’t work.
The problem we are facing here is called “Device administrator.” After you launch an app infected with Android:Obad, you will be asked to make the app the current device administrator, which will be only a few buttons away so it isn’t hard to do. After you do so, there is no way back because this piece of malware uses a previously unknown vulnerability which allows it to get deeper into the system and hide itself from the device administrator list – the only place you can manage device administrators. You won’t be also able to uninstall the app via Settings, because all the buttons will be grayed out and will not function.
Lucky for you, avast! Mobile Security will save you from doing a factory reset and losing your data, which certainly is one of the solutions. But don’t worry, you are safe with us. Read more…
We all have our favorite apps for all the things we do. I use Shazam when I don’t know what song is playing, Maps when I’m lost, FlightRadar24 when I’m curious about the plane flying over my head. These apps are there for my satisfaction; they meet some need.
Each of us have different needs and desires. Apps like SatsFiU Player take advantage of that. Wherever you got this app from, it’s not from the Google Play Store. This app will try to satisfy both your and its developer’s desires.
SafsFiU Player is an app that might come in handy, when you need to be entertained, in an “adult way,” if you know what I mean. For the ones that don’t get it or don’t believe what I’m talking about it, I’ll be clear - it’s an app that plays pornographic movies. There is the standard “catch” which almost every malicious app for android has. In this case, the catch most visible is that it allows the developer to remotely control your phone, in a particular way. The most distressing part is that he can tell your phone to send an SMS to a given number, potentially premium-rated.
Yes, it’s a win-win situation. Kindof. You’ll be pleased by what you see, he’ll be pleased by the money he gets and the information sent from your phone. Read more…
Recently I wrote a blog post about a legitimate website spreading Sirefef malware. Then I continued with a deeper analysis and noticed that it uses an interesting cryptor.
Malware authors spread many new variants of malware every day. These variants often look completely different at the first glance. That’s why regular updates of your antivirus is important. However, when we look deeper into most malware spreading these days, we see that the core functions do not change very often. Most of the variability of today’s malware is caused by encapsulating it by so-called “cryptors.”
In most cases, these cryptors are pretty boring pieces of software. They usually take seemingly random data from the malicious file, reshuffle them in a correct way, so that these bytes then become an executable code, and then they execute them. However, authors of Sirefef malware often come up with more interesting methods of loading their programs, and we will look at their method in this blog post.
Now, let’s get to Sirefef. Soon after it is executed, we can see the following scheme.
Grum, one of the largest spamming botnets, suspected to be responsible for over 17% of worldwide spam (as described here), which was “killed” in July 2012, still lives. We have been tracking its activity since January 2013. We can confirm spiderlab’s doubts about the grum killing published in March 2013. The following article provides some details about registered grum activity.
We have seen grum activity on following sites:
Every bot client generates its own identification number (ID) on its first run. The length of the ID is 32 characters. The first three correspond with a bot version and the other 29 characters are randomly generated. It is also set to the HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\BITS\ID registry key, which is queried on every run.
After the bot sets its ID, it tries to connect to a C&C server.
1) The bot contacts C&C server with a HTTP GET request to get the FQDN of the client’s computer
2) The information is used to contact one of the SMTP servers obtained from DNS MX records from following domains which are used for sending spam:
3) Then the C&C server is contacted by the following request
The smtp variable is set to ‘ok’ when the bot successfully contacts one of the SMTP servers and set to ‘bad’ if it does not.
4) The C&C server answers with a message which looks like a typical BASE64 encoding
Actually the message is encrypted by RC4 algorithm with key equals to the bot’s ID and then it is encoded by BASE64.
The whole decryption algorithm written in C# could look like this:
The bot id is 72176717204370682282907051332175 for the mentioned message.
After decryption process we can see the message:
5) The bot remembers the ot variable and sends the HTTP task request without the ot variable.
6) The C&C answers with spamming instructions including spam mail template which is also encrypted by the schema mentioned above.
The interesting thing is that sent spam is similiar to scam described on our blog in the past.
Finally, we provide a screenshot of encrypted instructions, a spam email and an example of decrypted instructions .
Received: by work.ozucfx.net (Postfix, from userid %W_RND_INT)
id E%W_RND_INTCE%W_RND_INTE; %DATE
From: Work at Home <%FROM_EMAIL>
Subject: Your second chance in life just arrived
Content-Type: text/html; charset=us-ascii
When the mastermind hackers of the notorious Carberp Banking Trojan were arrested, we thought the story had ended. But a sample that we received on May 7th, a month after the arrests, looked very suspicious. It connected to a well known URL pattern and it really was the Carberp Trojan. Moreover, the domain it connected to was registered on April 9th!
Taking a closer look into the PE header, it was observed that the TimeDateStamp (02 / 27 / 13 @ 12:19:29pm EST) displayed a bit earlier date than the date of the arrests of the cybercriminals, and the URL was a part of larger botnet where plenty of Russian bots are involved. So the case was closed as a lost sample within a distribution process.
After using our internal Malware Similarity Search to catch as many malware samples as possible, a cluster appeared. It contained some well-known families like Zbot, Dofoil, Gamarue, and some fresh families like Win32/64:Viknok and Win32:Lyposit. The latter is a dynamic link library and it caught our attention by a quite sophisticated loader and a final payload. Read more…
I was given a suspicious website link pointing to the website belonging to Board of Regents of State of Louisiana. This link points to the main website hxxp://regents.la.gov/, followed by /wp-content/upgrade/<numbers>.exe, where <numbers>.exe represents several random numbers, followed by EXE extension.
We come across a plenty of malware reports every day. Sometimes we have to deal with some special cases, where a respected vendor is involved. This time it was the Dell driver download site.
Several months ago I wrote a blog post about an adware downloader which after execution downloaded a few adware programs and installed them on the computer, giving no chance for the user to skip or bypass their installation. This time, we will analyze an application, which installs similar types of adware programs on user computers.
We received a file which appeared to be a crack of Pinnacle Studio HD Ultimate. After displaying the initial splash screen, it offers the user to install Pinnacle Pixie Activation 500. After confirmation, the crack is installed, but in addition to the crack, other programs and toolbars unexpectedly appeared on the compromised computer. Pinnacle was not the only target of this kind of attack. Cracks for programs like Sims, Nero, Rosetta Stone, and Pro Evolution Soccer 2013 were also used in distribution.
Dealing with file formats is not really enjoyed by us. Usually the format designers haven’t had the security and parsing by foreign applications in mind, sometimes the specifications are hard to get, but, what is worst is the specification which claims something and then the major implementation does not follow it, allowing the bad guys to evade easily our strict parsers (as strict as specified in docs). We’ve already blogged about such problem in the past.
As I dealt with Embedded Open Type (EOT) in the past I have received some undetected samples from my colleague. It was EOT sample mentioned in this blog and some other sample downloaded by her. EOT is a compact form of OpenType font – it uses some special compression based on this specific file format to decrease file size.
The begining of spring seems to be an unsuccessful period of the year for cybercriminals in Eastern Europe. There is recent news referring to a neutralization of a group of hackers by joint cooperation between the Security Service of Ukraine with the Federal Security Service of the Russian Federation (FSB) on the web. These hackers are responsible for the infamous Trojan called Carberp.
Due to this recent information, we are allowed to say that Carberp was as a mainstream Trojan that monitored the environment of infected computers and exploited remote banking systems. It was a robust modular malware that improved its capabilities by drive-by-downloaded dynamic libraries – plugins. It was not only successfully grabbing money from victim’s bank accounts but also the attention of security experts both in an industrial and an academic sphere (an example of a paper). Therefore there are plenty of references on the web considering the methods of a system invasion, protection by polymorphic outer layers and a persistence of the Trojan. We will try to fill in some gaps in the picture.
Carberp started its progress approximately in autumn 2010. Later in spring 2011 it was split into two main branches regarding the form of HTTP requests. Read more…