Archive for March 6th, 2008
March 6th, 2008 by Bernadette Irinco (Technical Communications)

The critical role that mobile phones play in our lives today makes them a favorable target for malware authors. Mobile phones hold a lot of users’ vital information, just as their PCs do. This is why it is not surprising to see mobile malware enter the threat landscape.
Recently, malware targeting Windows Mobile PocketPC was found and analyzed by Trend Micro researchers. Detected as WINCE_INFOJACK.A, this worm runs specifically in the Windows CE environment, leaves the mobile phone open to other malware and installs unsigned applications without the user’s consent. It also steals information such as the mobile IMEI or serial number, OS version, model, platform and host name, among others, and sends it back to the malware author(s). Aside from this, WINCE_INFOJACK.A also changes the security settings of the affected phone.
Users can get infected once they insert an infected memory card into the mobile device or through SMS. Just last January, Trend Micro also discovered SYMBOS_BESELO.A, a Symbian malware that disguises itself as a multimedia file and infects phones running the Symbian/S60 2nd edition OS.
“These gadgets are running faster and better,” Trend Micro Research Manager Jamz Yaneza said in a news article last February 27. “Because it’s running like a regular PC, you should treat it like a regular PC.” Clearly this shows that mobile malware is already cementing itself as a security threat that we should also watch out for.
March 6th, 2008 by Jasper Pimentel (Advanced Threats Researcher)
February started off with some compromised tour sites, one about Thailand and the other about the Pyrenees Mountains in Spain. As Valentine’s Day approached, numerous mailboxes probably received spammed messages containing a link where NUWAR’s latest variant could be downloaded. The rest of the month was filled with spammed messages, uncovered exploits and compromised Web sites, and towards the last few days of February we witnessed another wave of the Italian Job. Here is last month’s malware roundup.
Notable Malware
TSPY_LDPINCH.FE
This malware is the one behind the compromise of the Udiya Northern Thailand Tours Web site. Early in February, several pages on the Web site were compromised. When a link on the landing page of the Web site is clicked, the user’s browser is redirected to a series of URLs, eventually leading to a download of this LDPINCH variant. On a similar note, the same technique was also used in the compromise of the Pyrenees Mountain tours Web site, only with a different malware family involved.
JS_IFRAME.HX
This is a malicious JavaScript that downloads a variant of ZLOB. The malicious code is present in a PHP page that is returned as a Google search result when a user enters the search string “Japanese schoolgirls.” Hentai has previously been seen as a social engineering technique, particularly around October last year, when a Trojan detected as TROJ_PUSHDO.AD was received via spammed email messages bearing a Hentai image.
WORM_NUWAR.AR
As expected, the infamous Storm worm (Nuwar) made its appearance once again shortly before Valentine’s Day. The malicious link contained in its spammed email messages led to a copy of the worm variant. It seems that this particular Nuwar variant contained routines to bypass the heuristic detection mechanisms of antivirus software. Upon close inspection of its code, Nuwar contained references to bogus API functions, clearly a ruse to avoid detection.
BKDR_AGENT.AKJZ
On February 18, a lunar eclipse occurred. Unfortunately, this astronomical event was taken advantage of by malware authors to lure users into downloading malware onto their systems. A spammed email message spread around during this time, with a link to a video of the eclipse. Of course, clicking on the link brings no video but downloads a copy of BKDR_AGENT.AKJZ instead.
RTKT_PUSHU.AC
This rootkit is a component of the WORM_NUWAR, TROJ_PUSHDO and TROJ_PANDEX malware families. The catch: RTKT_PUSHU.AC actually disables other rootkits previously installed on the system, but only to infect the system with its own rootkit components or to update components it had previously installed.
Web Incidents
More than 10 Web threat incidents were reported for February. 43% of the reported incidents involved legitimate Web sites that had been compromised to distribute malware. With respect to Web site category, 20% of the reported incidents were related to entertainment.
Exploit
EXPL_PIDIEF.O
Discovered by iDefense Labs researcher Greg McManus, this exploit was initially reported to Adobe in October 2007 but remained unacknowledged. SANS Internet Storm Center reported that the flaw remained unfixed, and it was patched only three weeks after the first report of an exploit found in an Italian forum. Served up through banner ads or spammed through email, the malicious PDF file designed to exploit this vulnerability connects to a certain IP address to download possibly malicious files.
Myspace Exploit
A vulnerability in the image uploader used by MySpace and Facebook was recently discovered by security researchers, raising concerns about possible exploits and malicious users gaining access to affected systems. Aurigma’s Image Uploader Control Library was found to have a buffer overflow vulnerability that could be exploited by an unknown user to compromise systems. MySpace and Facebook use the application for their image uploading functions.
That’s all for today. What’s in store for March? As of this writing, we’ve just received reports of an email message being spammed around, apparently containing news of Fidel Castro’s death. The link contained in the message supposedly leads to a backdoor … More of this on next month’s malware roundup.
March 6th, 2008 by Jovi Umawing (Technical Communications)

MonaRonaDona may be far from the wild combination of famous paintings of women that its name suggests, but this nifty little malware has been making headlines on security Web sites for the last couple of days, bringing to light the latest “artistic” persuasion that only a social engineering scammer would attempt to pull off.
The exact source of the malware remains unclear, but some security analysts surmise that this threat comes packaged with “system optimization tools” available for free on the Internet. However, our analysts are also inclined to believe that this threat arrives on computers that are already infected, specifically those that are already part of a botnet. The malware remains inactive (and impervious to detection) until users restart their systems. Mona then displays a message upon startup, aiming to introduce itself to the user and at the same time pique his/her interest:

Through the years, it has become natural for computer-savvy users to start looking for solutions or a cure for malware once their systems get inadvertently infected over the Web. This natural human response thus becomes an opportunity for social engineers to exploit. Researchers have found that keying in “MonaRonaDona” in a search engine (e.g. Yahoo!, Google) results in a list of Web sites pointing to several references and discussions about a cure for the MonaRonaDona strain. The sites include YouTube video pages and Web forums. Not that Mona is all that popular in that corner of cyberspace; further investigation reveals that these sites were also the doing of the malware writers.
In a sample article that turned up in the searches, for instance, an antivirus product known as Unigray Antivirus was mentioned, which claims to scan for and detect 679,871 threats, including the MonaRonaDona strain. While it did detect and clean the said strain, investigation disputed its claim that it can also (supposedly) detect and clean the remaining 679,870. Furthermore, the Web site where Unigray was hosted had only been up on the Web for a couple of weeks, which would probably make anyone think twice before actually purchasing the product. One can assume that, most likely, the people behind MonaRonaDona are the same people who developed Unigray.
Trend Micro detects MonaRonaDona as TROJ_MONAGRAY.A. The following component files are also detected:
- RegistryCleaner2008.txt (1,990,711 bytes) - detected as ADW_REGCLEAN.A (TMASY detection is Adware_RegClean)
- unigray_antivirus.txt (1,377,566 bytes) - detected as ADW_UNIGRAY.A (TMASY detection is Adware_Unigray)
- Unigray Antivirus.txt (6,721,536 bytes) - detected as ADW_UNIGRAY.A (TMASY detection is Adware_Unigray)
- SRVSPOOL.txt (2,170,880 bytes) - detected as TROJ_MONAGRAY.A
One cannot help but feel a little impressed at how much social engineering has “come of age.” The people behind such acts are putting more thought and effort into their new schemes than usual, attempting to make something out of the smallest opportunities for profit. Social engineering is really no small business, as users are still found to fall prey to its lures.
Trend Micro advises users to be more wary of new social engineering techniques being practiced in the wild. Lastly, keep pattern and scan files updated.
March 6th, 2008 by Mayee Corpin (Technical Communications)

Looks can be deceiving, and the face of cyber crime is getting fresher and fresher. Young computer whizzes lured to the dark side are still very much active, as proven by news that a teen hacker—all of 18 years old—was nabbed in the worldwide effort to put botnet masters behind bars.
Owen Thorn Walker of New Zealand, who used the handle “AKILL,” reportedly masterminded a group operating a botnet that has caused losses of $20 million, according to Techworld. Their botnet has allegedly compromised 1.3 million systems to collect credit card information and manipulate stock trades.
Walker stands to face 10 years in jail if proven guilty. Local New Zealand police worked hand in hand with the FBI, the US Secret Service and Dutch authorities in the investigation, according to The New Zealand Herald.
Teen hackers have been hogging the news of late, but the good news is that the international community is on to them. The most recent botnet gang that was caught, which police have dubbed the largest and most damaging in Canada, even involved minors. If sound advice applies to this global effort to straighten out these juvenile delinquents, it is to get them while they are young. With their whole lives ahead of them, there is at least hope that they can turn their lives around and side with the good someday. Perhaps they should even work in security because sometimes, as they say, it takes a thief to catch a thief.