Trend Micro Malware Blog
    Archive for January, 2012




    Last week we came across a report about a Plankton variant embedded in various apps emerging in the Android Market. One of the samples we inspected is a puzzle game called Sexy Ladies-2.apk, which is detected as ANDROIDOS_PLANKTON.P along with many other apps related to it.

    Other external reports describe millions of downloads of apps carrying similar code, which led to it being called the “largest Android malware outbreak ever”. In that report, the analyzed application is a puzzle game. It starts a service that can create a shortcut, get and set bookmarks, post device information to its server (including IMEI, brand, device, model, operating system, OS version, display metrics, and locale), set notifications, and set the browser homepage.

    Our findings show that this application is better categorized as adware, since its extra code appears to be used purely for advertising. A more appropriate term may be “mobile app adware”: the SDK (software development kit) is used for legitimate, up-front download revenue so that the apps can be distributed through various mobile app distribution sites. The app’s basic functionality is as claimed: install a search shortcut and serve ads through that app. Beyond the device information listed above, we did not see it send private personal data to an external server. In short, it is a monetizing ad service that lets developers make more money from their free apps. This is basic search monetization.
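    One check a practitioner would want at this point is a quick way to see whether an APK even declares the permissions needed for the behaviours listed above before spending time on dynamic analysis. The following Python is an added example, not Trend Micro’s tooling or the ad SDK’s code: it reads a decoded AndroidManifest.xml (as produced by apktool) and maps the declared permissions onto those behaviours. The manifest text, the package name com.example.puzzle and the service name com.example.adsdk.AdService are constructed for the example. The permission mapping is standard Android (READ_PHONE_STATE gates the IMEI, INSTALL_SHORTCUT gates home-screen shortcuts, the browser bookmark permissions gate bookmark access); setting notifications or the browser homepage needs no dedicated permission, so a manifest check cannot see those and they are left out.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permissions that gate the behaviours described for the embedded SDK.
BEHAVIOUR_PERMS = {
    "android.permission.READ_PHONE_STATE": "read IMEI and other device identifiers",
    "android.permission.INTERNET": "post collected data to a remote server",
    "com.android.launcher.permission.INSTALL_SHORTCUT": "create home-screen shortcuts",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "read browser bookmarks and history",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS": "write browser bookmarks and history",
}

# Core combination for the search-monetisation profile: collect device
# identifiers, send them somewhere, and plant a search shortcut ...
SDK_CORE = frozenset({
    "android.permission.READ_PHONE_STATE",
    "android.permission.INTERNET",
    "com.android.launcher.permission.INSTALL_SHORTCUT",
})
# ... plus touching the browser's bookmarks in either direction.
BOOKMARK_PERMS = frozenset({
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS",
})


def manifest_capabilities(manifest_xml: str) -> dict:
    """Map <uses-permission> entries of a decoded manifest onto behaviours."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    perms.discard(None)
    # Background services are where an ad SDK typically lives.
    services = [e.get(ANDROID + "name") for e in root.iter("service")]
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "services": services,
        "capabilities": [desc for p, desc in BEHAVIOUR_PERMS.items() if p in perms],
        "matches_sdk_profile": SDK_CORE <= perms and bool(BOOKMARK_PERMS & perms),
    }


# Constructed sample manifest (hypothetical package and service names),
# shaped like a puzzle game bundling the SDK described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzle">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
    <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
    <uses-permission android:name="com.android.browser.permission.WRITE_HISTORY_BOOKMARKS"/>
    <application android:label="Puzzle">
        <activity android:name=".PuzzleActivity"/>
        <service android:name="com.example.adsdk.AdService"/>
    </application>
</manifest>"""


if __name__ == "__main__":
    report = manifest_capabilities(SAMPLE_MANIFEST)
    print(report["package"], "services:", report["services"])
    for cap in report["capabilities"]:
        print("  can", cap)
    print("matches SDK profile:", report["matches_sdk_profile"])
```

    To run it against a real sample, decode the APK first (`apktool d app.apk`) and pass the contents of the resulting AndroidManifest.xml to `manifest_capabilities`. A match only says the app is capable of these behaviours; as the post notes, whether they are merely aggressive advertising or something worse still needs a look at what the service actually does.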

    “Mobile App Adware”

    At this point this is a perfect example of “mobile app adware.” This is supported by the fact that the current business model has an SDK integrated into the app and used for legitimate download-affiliate revenue. In today’s content-serving business and marketing model, this is practically the same as what is done on desktop PCs.

    Threat Response Engineer Erika Mendoza adds “taking ad networks into consideration, I think it makes more sense now that a lot of applications are bundled with code similar to this. This mobile adware is quite aggressive, but it still depends on the user if they consider this annoying behavior malicious.”

    But researchers at Lookout Mobile Security don’t think this behavior amounts to a malware attack; rather, it is an “aggressive form of an ad network.” We agree that it isn’t malware per se. The real issues are how mobile information is gathered and stored, and the potential privacy problems down the line, the ramifications of which users may not understand until much later.

    Read the rest of this entry »




    It’s never too early to get ready for Valentine’s Day, it seems, even when it comes to malicious attacks. Recently, I came across a scam on Facebook that leverages the upcoming occasion.

    The attack begins with a post on affected users’ walls inviting other users to install a Valentine’s theme into their Facebook profile.

    Once users click on this post, they are redirected to another page that urges them to install the theme. Note that this attack only works in Google Chrome or Mozilla Firefox.

    Read the rest of this entry »




    Throughout 2011 you surely heard about the compromise of RSA, in which data stolen about RSA’s SecurID tokens appears to have been used in subsequent attacks, and that there were many more victims than RSA itself. You’ve probably also heard of ShadyRAT, which demonstrated the longevity of command-and-control infrastructure, as well as Nitro and Night Dragon, which showed that some attackers focus on specific industries.

    You’ve probably also heard of Trend Micro’s research on the Lurid attacks, which showed that the attackers are interested in non-US targets but, more importantly, that such attacks should be seen as “campaigns” and not as isolated incidents.

    But what about all the great APT related research that you probably haven’t heard about?

    Here is my personal Top 10 (well, 11):

    1. The “Contagio Dump” and “Targeted Email Attacks” Blogs – Mila Parkour and Lotta Danielsson-Murphy have been posting information that fuels much of the research in this area. While malicious binaries are often available for analysis, the content of the socially engineered email is often elusive. These blogs provide unique insight into the realm of targeted attacks.
    2. The CyberESI Blog – The team at CyberESI has been posting detailed analysis (and I mean detailed) of some of the most prolific malware families. In my view, their analysis has set the bar for reverse engineering in this area.
    3. Htran – Joe Stewart’s research on HTran was overshadowed by the ShadyRAT report, but I think it was the most innovative research paper this year because it tackled the attribution problem by looking behind the source IPs of attacks to reveal the actual location of the attackers.
    4. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains – Hutchins, Cloppert, and Amin explain how to track the phases of an attack and group multiple incidents into a “campaign”. This is a must-read for anyone tracking APTs.
    5. “1.php” – This report by Zscaler on a particular campaign thoroughly maps out and analyzes the command-and-control (C&C) infrastructure and presents the results in a way that is actionable for defenders. It also contains insightful commentary on information disclosure in this area.
    6. Read the rest of this entry »




    Earlier today, we encountered malware that exploits a recently (and publicly) disclosed vulnerability, the MIDI Remote Code Execution Vulnerability (CVE-2012-0003). (Ed. Note: addressed in MS12-004)

    The vulnerability is triggered when the Windows Multimedia Library (winmm.dll), which Windows Media Player (WMP) uses to play MIDI files, fails to correctly handle a specially crafted MIDI file, allowing remote attackers to execute arbitrary code.

    In the attack we found, the infection vector is a malicious HTML page hosted at hxxp://images.{BLOCKED}p.com/mp.html. This HTML, which Trend Micro detects as HTML_EXPLT.QYUA, exploits the vulnerability using two components hosted on the same domain: a MIDI file detected as TROJ_MDIEXP.QYUA, and a JavaScript file detected as JS_EXPLT.QYUA.

    HTML_EXPLT.QYUA loads TROJ_MDIEXP.QYUA to trigger the exploit and uses JS_EXPLT.QYUA to decode the shellcode embedded in HTML_EXPLT.QYUA’s body. Below is a screenshot of HTML_EXPLT.QYUA’s code; note the highlighted parts where it calls the MIDI and JavaScript components:

    Once the vulnerability has been exploited, the decoded shellcode executes. It connects to a site to download an encrypted binary:

    This binary is then decrypted and executed; it is detected as TROJ_DLOAD.QYUA. We’re still analyzing TROJ_DLOAD.QYUA, but so far we’ve seen a serious payload, including rootkit capabilities.
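    The landing page described above has a recognisable shape: a media element that points at a .mid file, an external script include, and a shellcode blob sitting in the HTML body waiting to be decoded. The following Python is an added example, not code from the original post or from Trend Micro, that triages a saved HTML page for exactly that combination. The sample page, the file names mp.js and mp.mid, and the payload bytes are constructed for the example; the post does not say how the real page encodes its shellcode, so decoding JavaScript unescape()-style %uXXXX units is an assumption based on the common case. The Windows Media Player ActiveX CLSID is checked because that control is one way a page can hand a MIDI file to winmm.dll.

```python
import re

# CLSID of the Windows Media Player ActiveX control (WMPlayer.OCX).
WMP_CLSID = "6bf52a52-394a-11d3-b153-00c04f79faa6"

# A media tag whose src/value/data points at a .mid or .midi resource.
MIDI_REF = re.compile(
    r'<(?:embed|object|param|bgsound)\b[^>]*?(?:src|value|data)\s*=\s*["\']?'
    r'([^"\'\s>]+\.midi?)', re.I)
# External script includes (the separate JavaScript decoder component).
SCRIPT_REF = re.compile(r'<script\b[^>]*?src\s*=\s*["\']?([^"\'\s>]+)', re.I)
# Runs of %uXXXX units, the usual carrier for shellcode fed to unescape().
UNESCAPE_RUN = re.compile(r'(?:%u[0-9a-fA-F]{4})+')


def decode_unescape_runs(page: str) -> bytes:
    """Decode every %uXXXX run as unescape() followed by the in-memory
    layout would: each unit is a UTF-16 code unit stored little-endian,
    so %u4142 becomes the bytes 0x42 0x41 (assumed encoding, see lead-in)."""
    out = bytearray()
    for run in UNESCAPE_RUN.findall(page):
        for unit in re.findall(r'%u([0-9a-fA-F]{4})', run):
            value = int(unit, 16)
            out += bytes((value & 0xFF, value >> 8))
    return bytes(out)


def triage(page: str) -> dict:
    """Static triage of one HTML page for the MIDI-plus-shellcode pattern."""
    midi_refs = MIDI_REF.findall(page)
    script_refs = SCRIPT_REF.findall(page)
    shellcode = decode_unescape_runs(page)
    return {
        "midi_refs": midi_refs,
        "script_refs": script_refs,
        "wmp_activex": WMP_CLSID in page.lower(),
        "shellcode_bytes": len(shellcode),
        # 16 or more consecutive NOPs: a sled in front of the payload.
        "nop_sled": b"\x90" * 16 in shellcode,
        # A .mid reference alone is just background music; a .mid reference
        # next to an embedded shellcode blob is what warrants a closer look.
        "suspicious": bool(midi_refs) and len(shellcode) >= 32,
    }


# Constructed sample page modelled on the components the post describes.
# File names and payload bytes are hypothetical; the payload is a NOP sled
# followed by a generic PEB-walking stub, not the real exploit's shellcode.
SAMPLE_HTML = """<html><body>
<script src="mp.js"></script>
<object classid="clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6" width="1" height="1">
  <param name="URL" value="mp.mid">
</object>
<embed src="mp.mid" type="audio/midi" hidden="true">
<script>
var sc = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090" +
                  "%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090" +
                  "%ue8fc%u0000%u0000%u8960%u31e5%u64c0%u508b%u8b30%u0c52");
</script>
</body></html>"""


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

    The thresholds are heuristics for a first pass over saved pages or proxy captures, not a signature: a page that only embeds a MIDI file and carries no blob is not flagged, and a page that obfuscates its shellcode differently from %u escapes will need the decoder swapped out. Anything flagged still needs the .mid file itself pulled and examined, since that is where the CVE-2012-0003 trigger lives.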

    Meanwhile, while the routines described above run in the background, the affected user remains unsuspecting and sees the following:

    Read the rest of this entry »




    At a time when the web is flooded with user information and entire platforms are built and run on sharing just about every piece of information about oneself, you have to wonder, “Are we really living in the post-privacy era?”

    For 2012, we believe that the new social networking generation will redefine privacy. Our concept of online privacy constantly changes along with shifts in technology. Providing information has become so convenient that most people no longer know how much they reveal, or to whom.

    With Data Privacy Day coming up, it’s high time that people all over the world became aware of best online privacy practices. Though most of you may already know it, social networking sites track your movements and store valuable information such as photos, links, videos, and everything else you make public. As you increasingly go online for personal transactions like shopping and banking, you’re bound to wonder just how much information you actually expose online.

    The end of online privacy and an era of extreme openness may be the only possible conclusion unless you understand the implications of the cyberlinked world. Along with the convenience that the Internet brings comes great responsibility. Though Data Privacy Day is currently only observed in the United States and Canada, this should not hinder raising awareness of online privacy on a global level.

    For more information on online privacy, please read our latest TrendLabs Digital Life e-Guide, Be Privy To Online Privacy.

    Trend Micro is an official data privacy champion for this year’s Data Privacy Day.




    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice