Archive for January 9th, 2008

First iPhone Nuisance App: Created By A Pre-Teen

January 9th, 2008 by Macky Cruz (Technical Communications)

Sure, the iPhone topped Time Magazine’s Top 10 Gadgets of the Year, but that doesn’t mean it is safe from the reach of digital threats.

Already the New Year brings with it a new, albeit minor, annoyance for the legions of Apple iPhone users who have settled into using their new phones every day.

The culprit? A bored eleven-year-old.

But before that, let’s recap.

It would appear that everyone is always oh-so-eager to point out holes in whatever the celebrated gadget of the year happens to be, even as soon as it first appears in the consumer space.

When it comes to the iPhone, some threats have been incidental to the hype, but some reports appear to have real teeth in terms of becoming legitimate iPhone threats (like the zero-day flaw in Safari confirmed by our researchers, and the Wi-Fi woes illustrated in an entry last July).

Several security concerns may have followed closely on the heels of the iPhone craze, but who would have thought that an eleven-year-old would lay claim to authoring the first malicious application for the iPhone?

The offending application, which is really more of a nuisance than an actual attack, comes in the form of a downloadable application package purporting to be an important system update.

[Image: iPhone Trojan package]

Once installed, it doesn’t appear to do anything except take up 90 KB of the unit’s memory (at least upon initial analysis).

If the user decides to uninstall the package, however, the offending code also deletes application files belonging to other programs in the same directory.

As of this writing, the modmyifone thread on this issue has identified four applications that could be corrupted by uninstalling this tiny app, namely Erica’s Utilities, OpenSSH, Launcher, and Doom. The reason, according to the programmer of some of these applications, is that the malicious program is just a slightly modified version of the originals: installing it overwrites those program files if they already exist, and uninstalling it removes those same files, too.

Simple, really — but a potent vector for malware authors out to do more than just a little XML-tinkering.

Herein lies the catch for iPhone users who demand the freedom to modify their phones — ‘modded’ iPhone apps allow hackers to FUBAR your phone.

The link from which this Trojan can be downloaded is now down. But be assured — there will most certainly be more.

First Patch Tuesday for 2008

January 9th, 2008 by Jovi Umawing (Technical Communications)

As fresh as the New Year is the new round of Patch Tuesday releases for the year. For January, Microsoft released the following two (2) security bulletins:

  • Critical Bulletin
  • Important Bulletin

Windows users are advised to keep their systems up-to-date by applying the necessary patches supplied by Microsoft. You may refer here for the Windows Update Center.

Blogger Battling Continuing Problems With ‘Illicit’ Blogs

January 9th, 2008 by Paul Ferguson (Advanced Threats Researcher)

[Screenshot: Blogger pages exposing stolen credit card data; click for larger image]

You’ve seen us blog about problems with Google’s Blogger service before, but now it appears to have an ongoing problem with “malicious” content of a different sort — illicit pages that brazenly expose stolen credit card information.

I ran across this article earlier today on KOAA.com (the NBC television affiliate in Colorado Springs), which stated that:

“News First Investigates has uncovered what looks like a major internet breach. We found a list of hundreds of credit card numbers and personal information on a website hosted by Google.”

“We contacted Google and within 30 minutes the web log, called a blog, was down. We’ve also contacted local and federal authorities, and a few people in Colorado Springs whose information was on the site.”

“The person behind the blog that was posted on blogger.com issued a warning at the top, stating ‘Where the cyber life begin and nothing is secure.’ That point’s proven with a list of hundreds of credit card numbers, names and addresses.”

Soon after seeing this, I did some digging, and discovered a couple of other pages that also simply contained (suspected) stolen credit and debit card numbers, names, addresses, ZIP codes, and CVV codes.

The page in the screenshot above has had critical information obscured (for obvious reasons) and has now been removed for “…violations of terms of service…”, but it is yet another reminder that cyber crime seemingly knows no bounds these days.

Not to knock Blogger — on the contrary. I think they responded very quickly and are doing the best they can to respond to these issues.

I use Blogger personally, and I find it extraordinarily useful. It’s a shame to see so much abuse. The specter of this sort of illicit disclosure is very troubling. Thank goodness it was removed quickly when it was reported.

Good job, Google!

Let’s be careful out there!

Paul “Fergie” Ferguson
Internet Security Intelligence
Advanced Threats Research

MBR Rootkit: A Web Threat?

January 9th, 2008 by Ivan Macalintal (Advanced Threats Researcher)

Its current propagation statistics were next to non-existent, Sunbelt said, adding that being fewer in number doesn’t exactly equate to “safe”.

The MBR (Master Boot Record) rootkit threat — perhaps a perfect product of recycling — has been making waves on the Internet for days, seemingly entering the modern security scene as a new Web threat. TrendLabs researchers have analyzed it and come up with the following technical findings.

This rootkit arrives when certain URLs/Web sites are accessed:

http://%bad domain%/ld/mat{any number from 2-20}/index.php?b=3

where %bad domain% is one of seven malicious domains identified by TrendLabs.

After successful infiltration via the browser exploits typical of the Web threats we’ve come to know, malicious code is downloaded and executed, and the rootkit is installed via the MBR.

The Trojan, detected by Trend Micro as TROJ_SINOWAL.AD, then creates a mutex to ensure that only one instance of itself is running on the affected system.

It then looks for the bootable partition of the affected system. Once found, this Trojan creates a new malicious MBR that loads the rootkit component of this Trojan.

Writing to the MBR may look like the following:

[Screenshot: writing to the MBR]

Modified sectors 61, 62 and 63 of the physical disk are shown below:

[Screenshot: modified sectors 61, 62 and 63]

The modified MBR may look like the following:

[Screenshot: modified MBR]

The rootkit component, which is detected as RTKT_AGENT.CAV, is then saved in an arbitrary sector within the bootable partition. After performing its malicious routines, this Trojan restarts the affected system.
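As an added defender-side example (not code from the TrendLabs post), the following Python audits a raw disk image the way the findings above suggest: it parses the MBR, locates the active (bootable) partition, compares the boot code against a trusted hash, and flags any non-zero sector in the gap between the MBR and that partition, the region the post shows being overwritten. The disk image, the stand-in boot code and the "rootkit" bytes placed in sectors 61 and 62 are constructed fixtures, not real samples.

```python
import hashlib
import struct

SECTOR = 512

def parse_mbr(mbr):
    """Split a 512-byte MBR into its boot code and four partition entries."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:462 + 16 * i]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        parts.append({"active": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return mbr[:446], parts

def audit_disk(image, baseline_boot_sha256):
    """Flag modified boot code and any non-zero sector between the MBR and the active partition."""
    boot_code, parts = parse_mbr(image[:SECTOR])
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        raise ValueError("expected exactly one active (bootable) partition")
    first_lba = active[0]["lba_start"]
    # The gap sectors are normally all zero; a rootkit parked here stands out.
    gap_hits = [lba for lba in range(1, first_lba)
                if any(image[lba * SECTOR:(lba + 1) * SECTOR])]
    return {"boot_code_tampered": hashlib.sha256(boot_code).hexdigest() != baseline_boot_sha256,
            "active_lba_start": first_lba,
            "suspicious_gap_sectors": gap_hits}

def build_image(boot_code, lba_start, payload_sectors):
    """Construct a 64-sector disk image fixture (not real malware) for testing the audit."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    mbr[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, lba_start, 1)  # active NTFS entry
    mbr[510:512] = b"\x55\xaa"
    image = mbr + bytearray(SECTOR * 63)
    for lba, data in payload_sectors.items():          # constructed "rootkit" bytes
        image[lba * SECTOR:lba * SECTOR + len(data)] = data
    return bytes(image)

# Constructed stand-in for a clean boot sector and its trusted hash (not a real loader).
CLEAN_BOOT = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 441
BASELINE = hashlib.sha256(CLEAN_BOOT).hexdigest()

if __name__ == "__main__":
    infected = build_image(b"\xeb\x1a" + CLEAN_BOOT[2:], 63, {61: b"RTKT", 62: CLEAN_BOOT})
    print(audit_disk(infected, BASELINE))
```

On a real system the baseline hash would come from a known-good MBR captured before infection, and the image from reading the first few hundred sectors of the physical disk.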

Trend Micro advises users to scan systems using the latest pattern file versions to remove the Trojan. The content security feature of our products can block all related domains, as well.

More information at:

Update courtesy of Senior Escalation Engineers Joseph Cepe and Marvin Cruz
