    Archive for June, 2011




    I have seen Android malware delete and send SMS messages, but this is the first time I have seen an Android malware act as an SMS relay.

    My colleagues and I were recently able to analyze a sample of an Android malware that uses an infected device as a proxy for sending and receiving messages. Unlike most Android-specific threats we have recently seen, this one does not piggyback on legitimate Android apps. Once installed, it displays a blank window for a split second then immediately closes it.

    This malware installs a service called FlashService. It employs two receivers called FlashReceiver and SMSReceiver, which are respectively triggered after a device boots up and when it receives an SMS message. FlashReceiver, which runs after a device boots up, starts the FlashService.

    Receivers are functions that are executed when a specific Intent is received. Think of an Intent simply as an event. When a device receives an SMS message, its OS broadcasts this event, which triggers the execution of all of the functions that are registered to run every time the said event occurs.

    FlashService is responsible for allowing the device to communicate with its server. As mentioned, it runs once the device boots up and connects to a certain URL in order to download an .XML configuration file. The code of the .XML configuration file the malware receives at the time of writing is shown below.

    Read the rest of this entry »
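    The excerpt above describes the component layout of the sample: one service started at boot and two receivers registered for the boot and incoming-SMS events. The following triage helper, an added example that is not the blog's or the sample's own code, parses a constructed AndroidManifest.xml with that same layout (class names FlashService, FlashReceiver and SMSReceiver taken from the post; the package name is a placeholder) and flags it only when every piece of the boot-started SMS-relay pattern is present together.

```python
import xml.etree.ElementTree as ET

# Android attributes live in this namespace; ElementTree uses Clark notation.
NAME = "{http://schemas.android.com/apk/res/android}name"
BOOT = "android.intent.action.BOOT_COMPLETED"
SMS_IN = "android.provider.Telephony.SMS_RECEIVED"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"}

# Constructed manifest (not the sample's real one) mirroring the layout
# described in the post: one service, a boot receiver and an SMS receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".FlashService"/>
    <receiver android:name=".FlashReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SMSReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Collect the components that make up the boot-started SMS-relay pattern."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    by_action = {}  # broadcast action -> receiver classes registered for it
    for rcv in root.iter("receiver"):
        for act in rcv.iter("action"):
            by_action.setdefault(act.get(NAME), []).append(rcv.get(NAME))
    result = {
        "boot_receivers": by_action.get(BOOT, []),
        "sms_receivers": by_action.get(SMS_IN, []),
        "services": [s.get(NAME) for s in root.iter("service")],
        "sms_permissions": sorted(perms & SMS_PERMS),
        "internet": "android.permission.INTERNET" in perms,
    }
    # Flag only when every piece is present; any one alone is common in benign apps.
    result["matches_relay_pattern"] = all(bool(v) for v in result.values())
    return result
```

    Run on a real APK, the manifest would first have to be decoded from its binary form; the heuristic itself is a triage aid to prioritise samples, not proof of malice.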




    We recently received a sample of the bot client that was used by hacker group Lulzsec Brazil in conducting distributed denial-of-service (DDoS) attacks against Brazilian websites. Those affected included the websites of both the Brazilian government and the president. The said attack is not the first of its kind from the group, as the main LulzSec hacking group reportedly attacked other sites, including those of the U.K. Serious Organized Crime Agency, the U.S. Senate, and Sony.

    The Lulzsec hacking group is one of the two hacking groups that have recently been making the news, along with Anonymous. The two groups recently declared war against governments, banks, and corporations all over the world and accused the said organizations of corruption. They also called on other hackers to join their cause, which they dubbed “Operation Anti-Security.”

    The bot client, which we now detect as BKDR_ZOMBIE.SM, connects to a certain Internet Relay Chat (IRC) server and joins a specific IRC channel to receive commands.

    Read the rest of this entry »




    People say there is no such thing as a free lunch, and as we recently found out, there’s no such thing as a free supper either.

    We recently came across a spam run that uses a nonexistent promotion from the popular fast-food chain McDonald’s that tries to convince users to execute a malicious file.

    The spammed messages have been fashioned as invitations to “The Free Supper Day,” which will supposedly take place on June 29.


    The message tells users to print the file found in a .ZIP file attachment, which is supposed to be the invitation that they must show at the cash desk in order to get the free food.

    Read the rest of this entry »




    Last June 17, 2011, the Japanese Parliament approved a revised criminal law proposal against creating and keeping malware, also known as the Cybercrime Law.

    The key point about this revised criminal law is that malware writers will be penalized if a malware was created and distributed under the following circumstances:

    1. Without a legitimate reason
    2. With the purpose of running it on someone’s computer without the person’s consent

    In other words, it’s about “malicious intent.”

    Up until now, creating and owning malware with malicious intent could not be penalized by law in Japan. For example, the creator of the Harada virus was found guilty not for creating and distributing malware but for violating the copyright of a TV animation and for libel, by using his friends’ personal information and photos. The same person created the Octopus and Squid viruses while on probation and was later arrested in 2010 on suspicion of property damage, as the viruses rendered victims’ hard disks unusable.

    In other words, there was no direct way to punish malware writers in Japan until now.

    Read the rest of this entry »




    Everyone’s talking about the upcoming iCloud, Apple’s newest cloud service offering. From Steve Jobs’ announcement earlier this month at the annual “Worldwide Developers Conference (WWDC)” to the recent Apple trademark lawsuit, iCloud is easily one of today’s fast-rising topics. In the course of our research, we discovered several cybercriminal attempts to peddle FAKEAV malware by taking advantage of the “iCloud” keyword.

    Cybercriminals typically use search engine optimization (SEO) poisoning techniques to trigger the rise of malicious URLs that lead to pages hosting FAKEAV malware in search engine results pages. These blackhat SEO techniques use Google as referrer to run the malicious file download. In this case, the file downloaded named SecurityScanner.exe has been detected by Trend Micro as TROJ_FAKEAV.HKZ.


    Searching for the keyword “icloud mymobi” returns a possibly malicious URL. MyMobi appears to be a compromised news site containing gadget information. We previously blocked the site because of malicious activity, but since the site appears to have since been cleaned, it is now unblocked. In the image above, the domain mymobi.com has been seeded with files with the extension name .php3 that are riddled with “icloud” as a keyword. In this instance, hackers insert topics containing the keywords to gain high page rankings in Google search results and use them as bait, specifically for the rogue antivirus software Windows Antispyware for 2012.


    These URLs are not accessible by typing them into the address bar; they only work when reached from Google search results. We can say this because the request needs to carry Google as its referrer in order for the page to become accessible. From there, users are redirected to a FAKEAV URL with co.cc as its top-level domain (TLD). The script for downloading the file is similar to the ones usually used by typical FAKEAV malware.

    Read the rest of this entry »


    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice