In February, we looked at the first part of the fake Korean bank application analysis along with Android:Tramp (TRAck My Phone malicious Android application), which uses it. In this blogpost, we will look at another two Android malware families which supposedly utilize the same bunch of fake Korean bank applications. At the end of this article, we will discuss the origin of malware creators.
Analysis of Android:AgentSpy
It is interesting to search for references of bank applications package names – KR_HNBank, KR_KBBank, KR_NHBank, KR_SHBank, KR_WRBank. One reference goes to a malicious application called Android:AgentSpy. The infection vector of this application was described by Symantec, contagio mobile and Alyac. We will not delve into details, we will just mention that the malicious application is pushed to a connected mobile phone via ADB.EXE (Android Debug Bridge). The uploaded malicious file is called AV_cdk.apk.
Android:AgentSpy contains activity MainActivity and several receivers and service CoreService.
Monitors android.intent.action.BOOT_COMPLETED and android.intent.action.USER_PRESENT and if received, starts CoreService. It also monitors attempts to add or remove packages – android.intent.action.PACKAGE_ADDED and android.intent.action.PACKAGE_REMOVED.
1) Calls regularly home and reports available connection types (wifi, net, wap), IMSI, installed bank apps
2) Regularly polls C&C and responds to the following commands
sendsms – sends SMS to a given mobile number
issms – whether to steal received SMS or not
iscall – whether to block outgoing call
contact – steals contact information and upload them to C&C
apps – list of installed bank apps
changeapp – replaces original bank applications with fake bank applications
move – changes C&C server
Moniors new outgoing calls. If android.intent.action.NEW_OUTGOING_CALL is received, information about the outgoing call is sent to C&C.
Contains C&C URL, name of bank packages (String array bank), name of fake bank packages (String array apkNames). It also contains reference to conf.ini configuration file.
Analysis of Android:Telman
One more Android malware family, which uses fake bank applications is called Android:Telman. Similarly to Android:Tramp and Android:AgentSpy, it checks for installed packages of the above mentioned banks. Read more…
About a year ago, we published this analysis about a pharming attack against Korean bank customers. The banks targeted by cybercriminals included NH Bank, Kookmin Bank, Hana Bank, ShinHan Bank, and Woori Bank. With the rise of Android-powered devices, these attacks now occur not only on the Windows platform, but also on the Android platform. In this blogpost we will look at a fake bank application and analyze several malware families which supposedly utilize them.
Original bank application
We will show just one bank application for brevity. For other banks the scenario is similar. The real Hana Bank application can be downloaded from Google Play. It has the following layout and background.
Question of the week: What is the antivirus setting called DeepScreen?
DeepScreen is a new technology inside avast! Antivirus 2014. When you are about to run a suspicious program which is not yet known to the other core antivirus technologies, DeepScreen is invoked. Its task is to simply distinguish between good and bad software. Although it seems obvious and simple, it is not.
How DeepScreen uses The Force for good
This (magic) technology is served by two software components (the Jedi, if you will) which work hand-in-hand. One of them is well known from the past: The avast! Sandbox.
When a file is “DeepScreened,” it is actually run in the Sandbox, which is mainly responsible for keeping things isolated while watching for various high-level events and behavior of the program running. For example, it monitors the system call invocation and overall behavior of the program which is being executed. This seems to be just enough to distinguish between the Dark Side and the Light Side of the Force, but unfortunately, it is not that simple.
Firstly, how can you tell good and bad behavior apart? There are plenty of legitimate software products that use “weird” techniques to protect themselves. On the other hand, there is a bunch of malware samples that look innocent and behave well.
Secondly, malware is used to hiding away from the vigilant eyes of the Sandbox. The most common and powerful technique is encryption. In fact, there are more ways of encrypting and packing these well - known bad guys and rendering them undetectable than there are distinct malware samples.
SafeMachine: The new Jedi Order
With the latest version of avast! Antivirus 2014, this technology is fully involved in fighting the bad guys. Whenever DeepScreen runs something in the Sandbox, it also performs binary instrumentation of the process.
Beware of malformed FileZilla FTP client versions 3.7.3 and 3.5.3. We have noticed an increased presence of these malware versions of famous open source FTP clients.
The first suspicious signs are bogus download URLs. As you can see, the installer is mostly hosted on hacked websites with fake content (for example texts and user comments are represented by images.)
Malware installer GUI is almost identical to the official version. The only slight difference is version of NullSoft installer where malware uses 2.46.3-Unicode and the official installer uses v2.45-Unicode. All other elements like texts, buttons, icons and images are the same.
The installed malware FTP client looks like the official version and it is fully functional! You can’t find any suspicious behavior, entries in the system registry, communication or changes in application GUI.
The only differences that can be seen at first glance are smaller filesize of filezilla.exe (~6,8 MB), 2 dll libraries ibgcc_s_dw2-1.dll and libstdc++-6.dll (not included in the official version) and information in “About FileZilla” window indicates the use of older SQLite/GnuTLS versions. Any attempt to update the application fails, which is most likely a protection to prevent overwriting of malware binaries.
Last week we promised to explain in detail how the “Blackbeard” Trojan infiltrates and hide itself in a victim’s system, especially on its 64-bit variant. Everything described in this blogpost happens just before Pigeon (clickbot payload) gets downloaded and executed. The most interesting aspects are the way it bypasses the Windows’ User Access Control (UAC) security feature and switches the run of 32-bit code of the Downloader to 64-bit code of the Payload. And finally, how the persistence is achieved.
From 32-bit Loader to 64-bit Payload
As almost all other malware, this downloader is encapsulated with a cryptor. After removing the first layer cryptor, we can see that the downloader is written in a robust way. The same code can be run under either a 32-bit or 64-bit environment, which the code itself decides on the fly based on the entrypoint of the unpacked layer. Authors can therefore encapsulate their downloader in either a 32-bit or 64-bit cryptor and it will get executed well in both environments.
At the turn of the year we started to observe a Trojan, not much discussed previously (with a brand new final payload). It has many interesting aspects: It possesses a complex structure containing both 32-bit and 64-bit code; it achieves its persistence with highly invasive methods; and it is robust enough to contain various payloads/functionalites.
Evolution of Blackbeard
Confronting this threat for the first time, we wondered about its classification. Using AVAST’s Malware Similarity Search, we found an old sample (the TimeStamp said “02 / 20 / 12 @ 3:30:55am UTC”) in the malware database that shared the threat’s structure of PE header. Moreover, it also contained debug info with a string “Blackbeard,” so we decided to dub it like that.
The development of the code evolved in time. We can connect a part of the infection chain of this Trojan with the threat called Win32/64:Viknok. For both the historic and the current variant of Blackbeard, the complexity of the structure is sketched on this scheme:
Christmas is a time of peace, but it does not apply to hackers and creators of malware. In the middle of the holidays, the AVAST Virus Lab found a new type of infection targeting advertisement servers with OpenX installed. Unfortunately, the only antivirus detecting this threat is avast! which leads to the erroneous conclusion that there is a false positive on our side, but it is actual danger.
This infection is called JS:Redirector-BJB or JS:Redirector-BJC and it has been confirmed on 930 servers running OpenX over the world. This means that at least 130 thousand people are saved by avast! from malware infection in advertisements every day, so please be reasonable and update your server as soon as possible.
Infection and consequences for users visiting a malicious website are described in our recent post about malvertising, but today let’s look at how to successfully clean, update, and secure your application. Below are the top 5 most visited and infected sites. Is yours on this list?
If you are using OpenX or Revive AdServer’s prior version 3.0.2 your system is vulnerable!
Below you can find a few steps that will lead you through cleaning, but updating to the latest version of Revive AdServer is necessary. Otherwise your server will still have known security flaws.
1. Backup Files – Download all files from FTP to your computer and scan them with antivirus. If any of the files are marked as a threat, delete it from FTP instantly. If it is possible, also backup your database to ensure calm upgrading.
2. Check for Backdoor - Search FTP for files that do not belong there. You can find them by their date of creation (file with different date than others in the directory) or by obfuscated content in source files. You can also compare your source codes with official installation and reveal newly added files. If you are using OpenX version 2.8.10, delete file “flowplayer-3.1.1.min.js” because it contains a backdoor.
4. Upgrade Application – Download the latest version of Revive AdServer to your hard drive. OpenX changed its name in summer 2013 so the newest version can be downloaded only from link above. Follow the steps that you find in the article from the official pages about upgrading OpenX or Revive AdServer application.
5. Secure Server – After the upgrade you have only a few things to do. Check that the database and all users have their password unbreakable. Do not use any passwords from before. Do not leave any installation or old files on FTP. Change the password to the FTP because hackers could discover it too.
Someone might think “upgrading must help solve my problem,” but that’s unfortunately not true. In this and as well in many other cases, website administrators and owners must perform the described steps in order to get rid of the infection completely. Do not forget to change all passwords.
Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.
By definition, Adware is a program bundle which renders advertisements in order to generate revenue for its author. In a more strict sense, e.g. for security solutions, it means an application/installer whose nature lies somewhere between a potentially unwanted application and proper malware, like Trojans or Spyware. It might use more or less aggressive methods, starting with tricks and ending with fraud, to achieve its goals to benefit its distributor, while staying as innocent as possible on first sight. We blogged about an adware downloader a year ago.
Now we focus on two selected adware examples: The first is a Windows installer called Linkular and the second is a well-known application called Genieo (with a focus on its OS X version.) Being in the wild for a few months, the detection within AV products reached only partial coverage in both cases, with very similar numbers on VirusTotal (~10-20 %, see Sources below). However, the OS X adware Genieo is additionally flagged by OS X-specific security solutions. Considering maliciousness, the Windows adware is far more dangerous and invasive than the OS X one and also more than other Windows Adware examples we usually see. Here’s the comparison:
|Distribution strategy||Advertisement Network||unknown|
|Software Download site||coolestmovie.info||www.genieo.com|
|Rank on alexa.com||~4200||~3000|
|Masking||VLC Player + Addon||Flash Player (*)|
|Payload||SpeedUpMyPC; Multiplug; Bitcoinminer;OneStep/BasicServe||Codemc; Photo.it; Qtrax(**)|
|Change of browser start page||YES||YES|
|Persistance||YES (of payload)||YES|
|Obfuscation||YES (of payload)||NO|
|Digitally signed||YES (both installer & payload)||YES|
(*) masking is not connected with the official site, but some of its distribution partners
(**) related to older installers; not presented anymore
Christmas time is essentially connected with buying presents. There’s a lot of stuff to be done and a lot of opportunities to buy a present in an e-shop to save time. Who doesn’t know someone who buys a Christmas gift online?
The malware authors know and are very keen to take advantage of it. We see scam emails containing order or delivery details every day and they have a lot of common. In fact, it’s nothing new. Such methods are used constantly during the year, it’s nothing special connected to Christmas. However, Christmas is the reason why many people might be fooled. Let’s look at them in detail.
Imagine you are customer waiting for a present to be delivered. You get anxious and check your email waiting for order details. You are probably the most vulnerable at this time. Then you get an email from DHL, the well-known parcel delivery service, with a notice saying that the shipping details are in an attachment. In that moment of relief, you click on the email attachment. It turns out to be a zip file containing a file named DHL-parcel.exe. The strange thing is the file extension looks like regular PDF file because it has the same icon. In fact, it is malware.
It’s not surprising that scared people are the most vulnerable to attacker’s traps, and there is no reason to think it will work differently with computer users. Using this psychology, cybercrooks show an unaware victim an alert page claiming to have found that banned pornography was viewed or stored on their computer. The message goes on to say their computer is blocked, all their data is encrypted, and they will be sent to court in 48 hours unless they pay a fine. This is basically how ‘Ransomware’ works – scare tactics with a convenient way to buy yourself out of the predicament at the end.
When we look closer at the scam, we find that the Ransomware is focused only on the victim’s browser and fortunately, not as they claim, on the data stored inside the victim’s computer. Here are several points that work together to scare the victim:
- The headline of the webpage: “FBI. ATTENTION! Your browser has been blocked…”. This is the part of the attack that tries to scare visitors as much as possible.
- The name of the page, “gov.cybercrimescenter.com”, tries to convince visitors they are on a legitimate website which belongs to the government.
- A countdown timer starts on 48 hours and counts down the time before “legal steps” starts.
These points try to rush panicked victims into paying the requested money as soon as possible without time to think. But it’s better to take a deep breath before reacting. You know you didn’t watch the movies mentioned on the page, and of course, you didn’t store illegal files. Do you really think that upon identifying a child pornographer, that the government will tell them to pay a small amount of money as a fine and let them go?