TrendLabs Security Intelligence Blog

    Archive for June 13th, 2013




We have been seeing apps that exploit vulnerabilities in Android, most of them attempting to gain higher privileges on user devices. In recent days a stronger and far more advanced Android malware, detected as ANDROIDOS_OBAD, has come into play. ANDROIDOS_OBAD appears to come from the same authors as ANDROIDOS_JIFAKE, and it is equipped with the ability to resist being uninstalled from the device and to trigger additional malicious code.

Newer and improved stealth routines

This new malware family uses stealth and anti-reversing techniques aimed at both ordinary users and security researchers. When installed, it requests root privileges and asks the user to activate it as a device administrator. Once ANDROIDOS_OBAD has root, it has complete control of the device, and an attacker can make full use of that control.

If the user does not activate it as instructed, the malware displays frequent pop-up messages whenever the device restarts. Pressing the back button only makes the pop-ups reappear, and pressing the home button merely postpones them until later.

At this point users still have a chance to uninstall it, but once device administrator is activated the malware instead runs fully in stealth mode.

    Figure 1. Activating device administrator allows the malware to run in stealth mode

Still, with care you can pick out the malicious app from among the Android system apps listed under Apps Management. You will not, however, be able to uninstall it, because it is an active device admin app.

    Figure 2. Malware’s app information

The “anti-uninstall” trick also exploits an Android vulnerability to hide the app from the Device Administrator management view:

    Figure 3. The malware hides itself from the Device Administrator management view

From a security researcher’s perspective, it appears that the malware author tested ANDROIDOS_OBAD against the usual analysis tools.

The Android OS accepts the app’s AndroidManifest.xml, but the major decoding tools fail to parse it correctly. Most sandboxes also have trouble loading this malware, because ANDROIDOS_OBAD checks for them first.

    A new obfuscation technique

The app’s Dalvik code is obfuscated in a new way: almost every class file carries its own embedded, obfuscated decryption routine. This means that every string and every called function must first be decrypted while the app runs, and some parts of the code, such as string constants, are encrypted multiple times. Current decompilers have trouble showing the execution order correctly.

An example of out-of-order code from one decryption routine:

    Figure 4. Code sample

The upper IF statement overlaps with the WHILE loop. The IF condition can never be true, so its consequent is never entered from the top, but the WHILE loop jumps back into the middle of that consequent (at p6 = (p6 + 1);). The correct reading is to append the last two lines of the IF consequent to the body of the WHILE loop and discard the IF statement.
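To make the control-flow trick concrete, here is an added Python model of what the decompiler shows versus the routine an analyst recovers. This is not OBAD’s code: the decryption itself is stood in for by a repeating-key XOR (an assumption; the real routine is not reproduced here), and the block labels are invented names. Only the shape comes from the analysis above: an unsatisfiable IF, a consequent whose tail is the real loop body, and a WHILE whose back-edge jumps into the middle of that consequent.

```python
"""Added example (not OBAD's code): a Python model of the out-of-order decrypt
routine described above. The cipher (repeating-key XOR) and the block labels
are assumptions for illustration; only the control-flow shape comes from the
analysis."""


def decrypt_recovered(buf: bytes, key: bytes) -> bytes:
    """The routine after applying the fix: the IF is discarded and the tail of
    its consequent becomes the body of the WHILE loop."""
    out = bytearray(buf)
    p6 = 0
    while p6 < len(out):
        out[p6] ^= key[p6 % len(key)]
        p6 += 1
    return bytes(out)


def decrypt_as_decompiled(buf: bytes, key: bytes) -> bytes:
    """Runs the basic blocks in the order a decompiler lays them out.

    A dispatch loop with string labels stands in for the jumps the decompiler
    could not structure: the IF condition (p6 < 0 on a counter that starts at
    0) is never true, so its consequent is entered only through the WHILE's
    back-edge into the middle of it.
    """
    out = bytearray(buf)
    p6 = 0
    pc = "if_head"
    while True:
        if pc == "if_head":
            # Unsatisfiable condition: falls straight through to the WHILE test.
            pc = "if_body_start" if p6 < 0 else "while_test"
        elif pc == "if_body_start":
            # The head of the IF consequent is dead code; it would fall through
            # to if_body_mid. Raising here proves it is never reached.
            raise RuntimeError("dead block executed")
        elif pc == "if_body_mid":
            # Back-edge target: the last two lines of the IF consequent are the
            # real loop body (decrypt one byte, then p6 = (p6 + 1)).
            out[p6] ^= key[p6 % len(key)]
            p6 = p6 + 1
            pc = "while_test"
        elif pc == "while_test":
            # The WHILE loops back into the middle of the IF consequent.
            pc = "if_body_mid" if p6 < len(out) else "done"
        else:
            return bytes(out)


# Constructed sample: a plaintext "encrypted" with the stand-in cipher.
# XOR is its own inverse, so the recovered routine doubles as the encryptor.
SAMPLE_KEY = b"\x5a\xa5\x3c"
SAMPLE_PLAINTEXT = b"http://www.example.invalid/load.php"
SAMPLE_CIPHERTEXT = decrypt_recovered(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    # Both orderings of the same blocks yield the same plaintext, and the dead
    # block never fires.
    print(decrypt_as_decompiled(SAMPLE_CIPHERTEXT, SAMPLE_KEY).decode())
```

The dispatch loop is the honest representation of what the Dalvik bytecode does (a branch into the middle of an otherwise dead region); `decrypt_recovered` is the same computation once the dead prefix is dropped and the live tail is folded into the loop, which is what you would write into your deobfuscation notes.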

    Once we were able to decrypt the code and analyze it, we found that the malware is capable of the following behavior:

• Hides its launcher icon and runs as a background service with the highest priority.
• Automatically tries to open a Wi-Fi connection and connect to a remote server (http://www.{BLOCKED}ofox.com/load.php).
• Collects the user’s contacts, call log, SMS inbox, and list of installed apps.
• Downloads, installs, and uninstalls apps (with root privileges, this can be done silently).
• Distributes malware to other phones via Bluetooth.

    ANDROIDOS_OBAD vs. ANDROIDOS_JIFAKE

ANDROIDOS_OBAD shares several features with its predecessor ANDROIDOS_JIFAKE. The latter is a fake app installer that tricks users into installing and running it; it then silently registers itself as a service, connects to remote servers, and waits for commands. The remote server can then trigger the sending of premium-rate text messages and the same “anti-uninstall” tricks.

The anti-uninstall trick abuses Android’s Device Administration feature. An app that is installed and enabled as a device administrator is entrusted with more power over the user’s device, including enforcing security policy and locking or wiping the device. At this level the app cannot be uninstalled through the normal route, which is what makes the anti-uninstall trick work.

To uninstall a device admin app, users first need to deactivate it under Settings -> Security -> Device Administrators. But an unpublished Android vulnerability can be exploited to hide the deactivation option, so users who have enabled the malware as a device administrator are left with no way to disable it.
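As an added check for the hiding trick described here and in the Device Administrator section above (example code, not part of the original post): an admin that the Settings UI hides is still registered with DevicePolicyManagerService, so an analyst with adb access can enumerate it from `adb shell dumpsys device_policy` instead of trusting the screen. The dump text below is constructed to follow the general layout of the Android 4.x dump, not captured from an OBAD sample; the package name com.example.hidden and the trusted-prefix heuristic are assumptions.

```python
"""Added example: list active device administrators from `dumpsys device_policy`.

The SAMPLE_DUMP is constructed to resemble the Android 4.x dump layout (it is
not real OBAD output), so the parser keys only on the 'ComponentName{...}:'
and 'policies:' lines that the dump uses to describe each admin."""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

SAMPLE_DUMP = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0):
    ComponentName{com.android.email/com.android.email.SecurityPolicy$PolicyAdmin}:
      uid=10012
      policies:
        limit-password
        wipe-data
      passwordQuality=0x0
    ComponentName{com.example.hidden/com.example.hidden.DeviceAdmin}:
      uid=10057
      policies:
        force-lock
        wipe-data
      passwordQuality=0x0
  mPasswordOwner=-1
"""

# Matches the header line of each admin entry: ComponentName{pkg/receiver}:
_ADMIN_RE = re.compile(r"^\s*ComponentName\{([^/}]+)/([^}]+)\}:\s*$")


def parse_device_admins(dump: str) -> Dict[str, dict]:
    """Returns {'pkg/receiver': {'package', 'receiver', 'policies'}} for every
    admin the service lists, whether or not the Settings UI shows it."""
    admins: Dict[str, dict] = {}
    current: Optional[dict] = None
    in_policies = False
    for line in dump.splitlines():
        m = _ADMIN_RE.match(line)
        if m:
            pkg, cls = m.groups()
            if cls.startswith("."):          # dump may abbreviate the class
                cls = pkg + cls
            current = {"package": pkg, "receiver": cls, "policies": []}
            admins[pkg + "/" + cls] = current
            in_policies = False
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped == "policies:":
            in_policies = True
            continue
        if in_policies:
            # Policy names are bare words; a 'key=value' or 'section:' line
            # ends the list.
            if stripped and "=" not in stripped and not stripped.endswith(":"):
                current["policies"].append(stripped)
            else:
                in_policies = False
    return admins


def find_non_system_admins(
    admins: Dict[str, dict],
    trusted_prefixes: Tuple[str, ...] = ("com.android.", "com.google.android."),
) -> List[dict]:
    """Heuristic (an assumption, tune per fleet): admins outside the platform
    namespaces deserve a look, especially ones holding wipe-data."""
    return [a for a in admins.values()
            if not a["package"].startswith(trusted_prefixes)]


def dump_from_device(serial: Optional[str] = None) -> str:
    """Pulls the live dump over adb (needs a connected, authorized device)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", "dumpsys", "device_policy"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for admin in find_non_system_admins(parse_device_admins(SAMPLE_DUMP)):
        print(admin["package"], admin["receiver"], ",".join(admin["policies"]))
```

Run `dump_from_device()` in place of `SAMPLE_DUMP` on a real handset; an entry that appears here but not under Settings -> Security -> Device Administrators is exactly the condition the post describes.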

    Trend Micro Mobile Security already detects this malware family upon installation.

     



Last month, the hacker collective Anonymous announced its intention to launch cyber attacks against the petroleum industry under the code name #OpPetrol, an operation expected to run up to June 20.

The claimed reason for the attack is primarily that petroleum is sold in US dollars rather than in the currency of the country it comes from. However, some discussions seen online suggest that the new attacks were launched because both #OpIsrael and #OpUSA were regarded as ineffective.

Users should note that June 20 is only the day on which most attacks are expected to occur and/or be made public. As with last month’s #OpUSA, the participants began mobilizing before that date. Since the operation was announced, targets have been hit, credentials have been stolen, and the list of targets is still growing.

It is also not uncommon for these activities to be used as a distraction to mask other attacks. Judging by the collateral damage recorded from previous operations and by data leaks outside the publicized attack dates, their targeting and timing are not always precise either.

An announced operation like this is a good opportunity for all current and potential targets to take the necessary steps to protect themselves. Everyone is a target eventually; there will always be vulnerabilities to be exploited for cause or profit.

If your organization, or the country you defend, is a potential target of this operation, you should consider the steps below, and possibly more. If you are in any way connected to the targeted industries or located in one of the potential target countries, we advise going through these steps anyway. And if you are not affected by or linked to the expected targets, you can still use these steps as proactive measures against attacks like #OpPetrol.

    Before June 20:

    • Ensure all IT systems (OSs, applications, websites, etc.) are updated.
• Ensure IT security systems are current, have as wide a view as they can, and can inspect deeply. Can they detect and prevent the phases of an attack plan, and can they be integrated into a kill-chain view? Can they observe indicators on the network, on disk, and in memory?
    • Ensure relevant third party vendors are aware and accessible.
• Probe and examine any anomalous network and system behavior. The reconnaissance phase of the attack is already in play: opportunities for exploitation are being logged and credentials are already being stolen. Solutions such as Trend Micro Deep Discovery can help you examine dubious network activity.
    • Remind your users to be particularly careful and watch out for phishing and spear-phishing emails.
    • Plan or review your incident response procedures with all necessary parties (not only IT groups). Explore how the planned response differs among DDoS, defacement, and disclosure.
• Have the IT security, legal, and external communications departments prepare or review public statements in case your organization is affected. Ask how your statements and response would differ if the attacker were not a hacktivist group but a criminal, a nation state, an insider, or a terrorist.
    • Monitor the many Anonymous sources for any changes in targeting, tools, or motives, lists of accomplishments, or data dumps.

    On June 20:

• Note that attackers may operate across different time zones, so the attack can last longer than 24 hours in your own time zone.
    • Continue to monitor the Anonymous’ sources for any changes in targeting, tools, motives, lists of accomplishments, or data dumps.
    • Exercise a high level of awareness of your IT and IT Security systems and their logs; continue to apply questioning curiosity to anything interesting.
    • If you think your organization is affected, assume that you are affected by DDoS, defacement, and disclosure – and not just one of them.

    After June 20:

    • Continue to monitor Anonymous’ sources for any lists of accomplishments or data dumps.
• If you have made it into Anonymous’ news, you will be remediating and designing against future occurrences.
• If you did not make it into Anonymous’ news, review for any sign of breach, compromise, or excessive probing.
    • Remain vigilant, especially if you’re in the target list. The attacks may not be over.

    Similar to how DDoS, defacement, and disclosure tactics can distract and mask each other, so can threat actors. A hacktivist group’s activity can mask or distract criminal, nation state, insider, or even terrorist activity.

Announced operations like these, with their relatively open disclosure of tactics, tools, and procedures, are golden opportunities to evaluate and improve countermeasures in real-world scenarios. Taking advantage of them helps train people, process, and technology to recognize the signals of a targeted attack, regardless of whether it is publicly disclosed or covert.

    For more information on how targeted attacks work and how organizations can better protect themselves from such threats, you may refer to some of our previous entries here.

     



Back in February we blogged about RARSTONE, a Remote Access Tool (RAT) we discovered that shares some characteristics with PlugX, an older and better-known RAT. In April, the same malware family used the Boston Marathon bombing as part of its social-engineering bait.

Since then, we have been looking out for further attacks using RARSTONE. We have seen it used in targeted attacks across Asia, hitting several industries including telecommunications, oil and gas, government, and media. The targets are located in various countries including India, Malaysia, Singapore, and Vietnam. To better identify this campaign we are calling it Naikon, after the user-agent string common to the related attacks (NOKIAN95/WEB).

These attacks were carried out via spear-phishing emails sent to the target organizations, using messages related to diplomatic discussions in the Asia-Pacific region.

The spear-phishing email carries a malicious document attachment that exploits CVE-2012-0158, an older vulnerability in the Windows common controls (MSCOMCTL.OCX). This vulnerability has also been used in other targeted attacks, most recently the “Safe” campaign that compromised several government agencies, media outlets, and other institutions.

When the target opens the attachment, a decoy document is dropped onto the system so that the victim believes the decoy is the file they opened. In reality, opening the attachment also drops BKDR_RARSTONE. The malware downloads its backdoor component from a C&C server and loads it directly into memory, which makes RARSTONE difficult to detect with ordinary, file-based scanning technologies.

Figure. RARSTONE infection chain

What sets RARSTONE apart from PlugX and other RATs is its ability to read installer properties from the Uninstall registry keys. This lets it learn which applications are installed on the system and how to uninstall them, should any of them interfere with RARSTONE’s functions. It also uses SSL to encrypt its communication with its C&C server, which not only protects that connection but also lets it blend in with normal traffic.

The attackers behind Naikon clearly tried to make security researchers’ work harder: the domains used by this campaign were either dynamic DNS domains or registered through registrars with privacy protection.
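As an added hunting example (not part of the original post, and not Trend Micro’s detection logic), the following Python searches proxy logs for the NOKIAN95/WEB user-agent that gives the campaign its name and flags destinations under dynamic DNS providers, since those are the two indicators the post offers a defender. The log lines are constructed in a combined-log-like layout (client, timestamp, request line, status, size, referer, user-agent) and should be adapted to your proxy’s format; the dynamic DNS suffix list is an illustrative assumption, not from the post, and should be replaced with the list your team maintains.

```python
"""Added example: hunt for the Naikon user-agent string in proxy logs.

SAMPLE_LOG is constructed (combined-log-like layout with the user-agent in the
last quoted field). DYNDNS_SUFFIXES is an illustrative assumption."""
import re
from typing import Dict, List

NAIKON_UA = "NOKIAN95/WEB"

# Assumed list of dynamic DNS suffixes; replace with the one your team maintains.
DYNDNS_SUFFIXES = ("no-ip.org", "ddns.net", "dyndns.org", "zapto.org")

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = """\
10.1.2.3 - - [13/Jun/2013:09:14:02 +0800] "GET http://www.example.com/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/21.0"
10.1.2.44 - - [13/Jun/2013:09:15:10 +0800] "CONNECT update.example-dyn.ddns.net:443 HTTP/1.1" 200 4096 "-" "NOKIAN95/WEB"
10.1.2.44 - - [13/Jun/2013:09:15:11 +0800] "GET http://update.example-dyn.ddns.net/index.asp HTTP/1.1" 200 812 "-" "NOKIAN95/WEB"
10.1.2.7 - - [13/Jun/2013:09:16:00 +0800] "GET http://cdn.example.net/a.js HTTP/1.1" 304 0 "http://www.example.com/" "Mozilla/5.0 (Windows NT 6.1) Chrome/27.0"
"""


def host_from_request(method: str, target: str) -> str:
    """Destination host of a proxy request. CONNECT (the SSL case the post
    describes) carries host:port; other methods carry an absolute URL."""
    if method.upper() == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    rest = target.split("://", 1)[1] if "://" in target else target
    return rest.split("/", 1)[0].rsplit(":", 1)[0].lower()


def is_dynamic_dns(host: str) -> bool:
    """True when the host sits under one of the assumed dynamic DNS suffixes."""
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def find_naikon_hits(log_text: str) -> List[Dict[str, object]]:
    """Returns one record per request whose user-agent contains NOKIAN95/WEB,
    with the destination host and a dynamic-DNS flag for triage."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: route to a separate review queue in practice
        if NAIKON_UA not in m.group("ua"):
            continue
        host = host_from_request(m.group("method"), m.group("target"))
        hits.append({
            "client": m.group("client"),
            "time": m.group("time"),
            "method": m.group("method"),
            "host": host,
            "dynamic_dns": is_dynamic_dns(host),
        })
    return hits


if __name__ == "__main__":
    for hit in find_naikon_hits(SAMPLE_LOG):
        flag = " [dynamic DNS]" if hit["dynamic_dns"] else ""
        print(f"{hit['time']} {hit['client']} -> {hit['host']}{flag}")
```

Because the backdoor talks to its C&C over SSL, the useful record is often the CONNECT line rather than a GET, so the matcher keeps both; the internal client address is what you pivot on next, since the in-memory component leaves little on disk to scan.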

    Targeted attacks like this are typically part of broader campaigns meant to stay under the radar and steal information from target entities. Traditional technologies like blacklisting and perimeter controls are not enough to detect or block the components of these campaigns. Instead, enterprises need to increase their visibility and control over their networks in order to identify dubious network traffic.

    Tools like Trend Micro Deep Discovery can help IT admins accomplish this, in the broader context of a custom defense necessary to detect intrusions in the network. Deep Security also protects users from exploits using CVE-2012-0158 via DPI rule 1004978 – MSCOMCTL.OCX RCE Vulnerability For Office Binary File (CVE-2012-0158).

With additional insights from senior threat researcher Jessa dela Torre

     
Posted in Malware, Targeted Attacks


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice