    Archive for April 24th, 2013

    PlugX, already noted for its stealth routines, now appears to be using several legitimate applications, in particular those from Microsoft, Lenovo, and McAfee, in an effort to remain under the radar.

    PLUGX variants are known for their use of normal applications to load their malicious .DLL components. This .DLL hijacking technique is not new; it was initially discussed by Mandiant in July 2010. PlugX is able to use any executable and has started to use well-known applications. The malware takes advantage of a weakness in how executables load .DLLs, specifically the fact that an executable loads the first matching .DLL it finds in a specific folder (its own application directory).

    Unfortunately, many applications – old and even new ones – still contain this vulnerability.

    The first PlugX variant that used this technique is BKDR_PLUGX.SME. It used the legitimate NVIDIA file NvSmart.exe, which imports the functions exported by the malware's malicious .DLL. Since then, PLUGX variants have been using other applications to hide their tracks from antimalware software.

    Below are some of the PlugX variants and the legitimate files they use to load their malicious components:


    • uses HHC.EXE, a legitimate Microsoft file for HTML Help
    • loads hha.dll, which then loads hha.dll.bak
    • both files are also detected as BKDR_PLUGX.DMI


    • uses CamMute.exe, Lenovo software related to the Camera Mute Control Service for ThinkPad
    • loads CommFunc.dll, which then loads CommFunc.jax
    • both files are also detected as BKDR_PLUGX.AI


    • uses Mc.exe, a legitimate McAfee file
    • loads McUtil.dll, which then loads McUtil.dll.url
    • both files are also detected as BKDR_PLUGX.AQT
    • connects to the fake anti-malware site vip.{BLOCKED}

    Note that in each case a specific DLL is paired with a specific executable. New to these variants is the loading of an encrypted file that carries the same file name as the DLL plus an additional extension. Here is a code snippet that shows how the encrypted .DLL is loaded:


    Figure 1. Screenshot of PlugX code snippet
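    As an added triage example (not code from the post or from Trend Micro), the following Python script searches a file listing for the pattern described above: an executable, a DLL sitting in the executable's own folder, and a companion file named after that DLL with an extra extension (hha.dll and hha.dll.bak, CommFunc.dll and CommFunc.jax). The directory paths in the sample listing are constructed for the example and are not taken from the post.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Companion suffixes that legitimately sit beside a DLL (.NET/Win32 metadata);
# a DLL whose only sibling is one of these is not flagged.
BENIGN_COMPANION_SUFFIXES = {".manifest", ".config"}

# Constructed file listing (directories are made up, not from the post): the three
# EXE/DLL/companion sets named in the post, plus one benign folder that must not match.
SAMPLE_LISTING = [
    r"C:\Temp\Help\HHC.EXE", r"C:\Temp\Help\hha.dll", r"C:\Temp\Help\hha.dll.bak",
    r"C:\Temp\Cam\CamMute.exe", r"C:\Temp\Cam\CommFunc.dll", r"C:\Temp\Cam\CommFunc.jax",
    r"C:\Temp\Mc\Mc.exe", r"C:\Temp\Mc\McUtil.dll", r"C:\Temp\Mc\McUtil.dll.url",
    r"C:\Program Files\App\app.exe", r"C:\Program Files\App\helper.dll",
    r"C:\Program Files\App\helper.dll.manifest", r"C:\Program Files\App\readme.txt",
]

def find_sideload_triples(paths):
    """Return (exe, dll, companion) triples that share one directory.

    The pattern from the post: an executable, a DLL in the executable's own
    folder (the location the loader checks first, so it wins over the genuine
    DLL elsewhere), and a third file named <dll stem>.<something> that is not
    itself an EXE or DLL, e.g. hha.dll -> hha.dll.bak, CommFunc.dll -> CommFunc.jax.
    Matching is case-insensitive. Hits are triage leads, not verdicts.
    """
    by_dir = defaultdict(list)
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir[str(wp.parent).lower()].append(wp)

    hits = []
    for files in by_dir.values():
        exes = [f for f in files if f.suffix.lower() == ".exe"]
        dlls = [f for f in files if f.suffix.lower() == ".dll"]
        others = [f for f in files if f.suffix.lower() not in (".exe", ".dll")]
        for dll in dlls:
            prefix = dll.stem.lower() + "."
            for other in others:
                if other.suffix.lower() in BENIGN_COMPANION_SUFFIXES:
                    continue
                if other.name.lower().startswith(prefix):
                    hits.extend((str(exe), str(dll), str(other)) for exe in exes)
    return hits

if __name__ == "__main__":
    for exe, dll, companion in find_sideload_triples(SAMPLE_LISTING):
        print(f"sideload candidate: {exe} -> {dll} -> {companion}")
```

    In practice the listing would come from a file-system walk of user-writable locations; a hit should then be checked by comparing the DLL's signature against the executable's, since in these cases the executable is a signed vendor binary while the DLL beside it is not.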



    Last week, a rather interesting complaint was filed before the Federal Trade Commission. In a 16-page complaint, the American Civil Liberties Union described the lack of updates for many Android devices as “unfair and deceptive business practices”. The complaint went on to ask the respondents (the top four wireless carriers in the United States) to let customers with unpatched (and vulnerable) devices out of their contracts early.

    We will note that the FTC settled with HTC just two months ago over the Carrier IQ controversy. Unpatched vulnerabilities were a key part of the settlement; HTC agreed to patch the vulnerabilities within 30 days. While ordering the vulnerabilities fixed was laudable, it wasn't exactly timely: Carrier IQ came into the limelight in late 2011.

    What the complaint does do is carry the Android update problem beyond tech industry circles and into the hands of regulators. Two years ago, at Google I/O, the Android Update Alliance was unveiled. Google promised to work with both carriers and device manufacturers to keep devices updated for 18 months after release. Unfortunately, almost nothing has been heard from the alliance since then.

    Let’s consider Google’s own statistics. The most common version of Android in use is… Android 2.3 (Gingerbread), which was last updated in September 2011. The percentage of users on the latest version, Android 4.2 (Jelly Bean), is… 2%. It is rumored that the next version of Android, codenamed Key Lime Pie, will be released as soon as this May. It’s quite possible that 4.2 will not even reach a double-digit percentage by the time its successor is released.


    Posted in Mobile: (Lack of) Android Updates To Come Under FTC Scrutiny?


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice