TrendLabs Malware Blog - Trend Micro
    Archive for March 3rd, 2014

    The availability of affordable mobile Internet access has changed the computing landscape everywhere. More and more people are using mobile devices both for work and for entertainment. China is no exception. According to a report published by the China Internet Network Information Center (CNNIC), 81% of Chinese Internet users went online using their mobile phone in 2013. The CNNIC also reported that China ended 2013 with 618 million Internet users and 500 million mobile Internet users.

    This change in user behavior is affecting the cybercriminal underground. Cybercriminals are now more likely to target mobile users, with some “businesses” in the cybercrime underground economy that are specifically aimed at mobile users. One particular business that has found success inside China is sending SMS spam.

    Just as email has been abused by spammers for many years, mobile users are now receiving large amounts of SMS spam as well. Like email spam, SMS spam is used to advertise various products as well as to lead users to malicious sites. Sending these messages is cheap, too: sending 100,000 messages can cost only about $450.

    One way SMS spam is sent to these users is with a GSM modem. These modems are devices which, when attached via USB to a PC, can send text messages to many users in a short time. The device is controlled using an application on the PC. Basic devices hold only one SIM card, but more advanced versions (also known as a GSM modem pool) use multiple antennas and SIM slots to send SMS messages more quickly. A 16-slot GSM modem pool (like the device below) can send up to 9,600 text messages per hour. They are available for approximately $425 each.

    Figure 1. A GSM modem with 16 SIM card slots

    Other tools that can be used include Internet short message gateways. These are services provided by mobile carriers to allow service providers to send large numbers of text messages. Alternatively, an “SMS server” can be used; these use a software-defined radio (SDR) to impersonate a cellular base station, and when phones connect to this “base station” they all receive SMS spam instead.

    Sending spam is only the tip of the iceberg when it comes to these threats. My paper titled The Mobile Cybercriminal Underground Market in China examines similar products, as well as other items for sale in the Chinese cybercriminal underground. The paper offers an overview of some of the basic underground activities in the China mobile space, as well as some of the available products, services, and their respective prices.

    Posted in Bad Sites | The Mobile Cybercriminal Underground Market in China

    It’s been said that a picture is worth a thousand words. Unfortunately, there’s one that’s worth your bank accounts. We came across malware that uses steganography to hide configuration files within images. However unique this technique might seem, it is hardly new—we previously featured targeted attacks that use the same technique.

    The ZBOT malware, detected as TSPY_ZBOT.TFZAH, downloads a JPEG file onto the affected system without the user’s knowledge. The user does not even see this particular image, but if someone did happen to see it, it would look like an ordinary photo. We encountered an image of a sunset, but other security researchers reported encountering a cat image. (This particular photo appears to have been lifted from popular photo-sharing sites, as it appears on these sites if you search for “sunset”.)

    Using steganography, a list of banks and financial institutions that will be monitored is hidden inside the image. The list includes institutions from across the globe, particularly in Europe and the Middle East. Once the user visits any of the listed sites, the malware will proceed to steal information such as user credentials.

    Figure 1. Image appended with the list of targeted institutions
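    The appended-list trick described above can be checked for directly. The following is an added example, not Trend Micro's code or the sample's: it walks a JPEG's segment structure and returns whatever bytes follow the End-Of-Image marker, which viewers ignore but which is exactly where such a configuration list would sit. The sample file and trailer text are constructed here.

```python
"""Find bytes appended after a JPEG's End-Of-Image marker.

Added example for this post (not Trend Micro's code). The ZBOT sample keeps a
valid JPEG so viewers show a normal photo; the bank list rides in the bytes that
follow the EOI marker (0xFFD9), which decoders ignore. This walker parses the
segment structure, skips entropy-coded scan data, and returns any trailer.
"""
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
RST = set(range(0xD0, 0xD8))
STANDALONE = {0x01, SOI, EOI} | RST          # markers that carry no length field


def jpeg_trailer(data: bytes) -> bytes:
    """Return the bytes after EOI (b"" if the file ends cleanly)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                    # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == EOI:
            return data[pos:]
        if marker in STANDALONE:
            continue
        pos += int.from_bytes(data[pos:pos + 2], "big")   # length includes itself
        if marker == SOS:                     # skip entropy-coded scan data
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] != 0x00 and data[pos + 1] not in RST
            ):
                pos += 1
    raise ValueError("EOI marker not found: truncated or not a complete JPEG")


def build_sample(trailer: bytes) -> bytes:
    """Constructed minimal JPEG skeleton (not a decodable picture) plus a trailer."""
    app0 = b"\xff\xe0" + (2 + 4).to_bytes(2, "big") + b"JFIF"
    sos = b"\xff\xda" + (2 + 1).to_bytes(2, "big") + b"\x01"
    scan = b"\x12\x34\xff\x00\x56"            # scan data containing a stuffed 0xFF00
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + trailer


if __name__ == "__main__":
    # Constructed stand-in for the appended institution list, not the real one.
    sample = build_sample(b"bank.example\nbank2.example\n")
    tail = jpeg_trailer(sample)
    print(f"{len(tail)} trailing bytes after EOI: {tail!r}")
```

    A non-empty trailer is not proof of malice (some cameras and editors append data too), so treat it as a triage signal and inspect what follows.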

    This particular attack has another unusual routine: it downloads a second piece of malware, TROJ_FOIDAN.AX, onto the system. This Trojan removes the X-Frame-Options HTTP header from sites the user visits, allowing those websites to be displayed inside a frame. Webmasters use this header to ensure their sites are not used in clickjacking attacks.
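    The header removal described above can be caught by comparing what a site normally sends with what an endpoint actually received. The following is an added defender-side example, not Trend Micro's or the malware's code: it classifies a response's anti-framing policy (X-Frame-Options or a CSP frame-ancestors directive) and flags a response that lost it. The header sets are constructed samples.

```python
"""Flag HTTP responses whose anti-framing policy has gone missing.

Added defender-side example for this post (not Trend Micro's code). TROJ_FOIDAN.AX
is described as removing X-Frame-Options from responses; a proxy or log check can
compare what a site normally sends with what the browser actually received.
"""
from typing import Mapping


def framing_policy(headers: Mapping[str, str]) -> str:
    """Classify framing protection: "csp", "deny", "sameorigin" or "none".

    Header names are matched case-insensitively. A CSP frame-ancestors directive
    takes precedence, as browsers that support it ignore X-Frame-Options when
    both are present.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    for directive in lower.get("content-security-policy", "").split(";"):
        if directive.strip().lower().startswith("frame-ancestors"):
            return "csp"
    xfo = lower.get("x-frame-options", "").strip().lower()
    if xfo in ("deny", "sameorigin"):
        return xfo
    return "none"   # absent, empty, or an unrecognised value such as the obsolete ALLOW-FROM


def lost_framing_protection(expected: Mapping[str, str], observed: Mapping[str, str]) -> bool:
    """True when the baseline response was protected but the observed one is not."""
    return framing_policy(expected) != "none" and framing_policy(observed) == "none"


# Constructed sample headers: a baseline capture and what an infected host received.
BASELINE = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
INFECTED = {"Content-Type": "text/html"}

if __name__ == "__main__":
    print("baseline:", framing_policy(BASELINE), "| observed:", framing_policy(INFECTED))
    print("header stripped:", lost_framing_protection(BASELINE, INFECTED))
```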

    ZBOT has not previously been linked to clickjacking, although it has been linked to other threats, such as ransomware and file infectors.

    The use of steganography, along with the inclusion of clickjacking-related malware, shows that established malware threats are still expanding their techniques and routines.

    With additional insights from Mark Manahan.

    Update as of 7:00PM PST, March 6, 2014

    The hashes of the malicious files related to this attack are as follows:

    • 3e545d7776064f22e572e92b9c0a236280459917
    • bf3052fd93ba6c80ede96ed7c03a6c03235e6235
    • ebdb802aa5e274d76252d65841100a1a021408d9


    © Copyright 2013 Trend Micro Inc. All rights reserved.