The discovery (and subsequent media coverage) of the mobile malware OBAD shows that mobile threats continue to be a serious concern for users.  Just like Windows malware, mobile malware are also becoming more sophisticated, both in technique and deployment. This confirms one of our 2013 security predictions.

OBAD exploits an Android vulnerability to avoid detection and uninstallation. OBAD’s propagation method is notable because of its use of Bluetooth, a routine previously seen in Symbian malware.

FAKEAV mobile malware routines now include pop-up windows and messages about “infected” apps. Rather than show persistent notifications, mobile ads now lead users to web threats.

These refinements take advantage of characteristics of the current mobile landscape. Android vulnerabilities are exploited because Android fragmentation makes it difficult to address vulnerabilities. This concern on Android’s update issues may contribute to the growing concerns about mobile malware, making it easy for users to become victims of mobile FAKEAV.

Our latest monthly mobile report discusses these emerging threats, issues affecting or influencing these threats, and what you can do to help secure your devices better.

Opera recently disclosed that attackers compromised their network and stole at least one expired Opera code signing certificate. The attackers then used this certificate to sign their malware, which tricked the target system and (even) security software into thinking that the file was legitimate.

We obtained a sample of the said malware (which is detected as TSPY_FAREIT.ACU) that bears the outdated Opera certificate (see screenshot below). Similar to what Opera reported, the sample we acquired poses as an Opera update.

Once executed, TSPY_FAREIT.ACU steals crucial information from certain FTP clients or file managers including usernames, passwords, and server names.

Figure 1. Screenshot of stolen old Opera digital certificate

Aside from FTP clients, TSPY_FAREIT.ACU gathers more information from Internet browsers (which include Mozilla Firefox, Google Chrome, and interestingly Opera), usually those stored on these browsers. These data are typically login credentials for as social networking, banking, and e-commerce websites etc. Using these information, the people behind the malware can get hold of your various online accounts or even initiate unauthorized transactions. They can also profit from these stolen data by selling these to the underground market.

Opera estimates that several thousand of Windows users are affected as a result of their installed Opera software automatically installing the said malware bearing the outdated certificate. To address this issue, the software vendor promised to release a new version of their browser.

This abuse of digital certificate to keep malware under the radar is not a new trick and has been proven effective in the past. A good example is the notorious FLAME attack that uses components bearing Microsoft-issued certificates. The screen-locking malware Police Ransomware was also previously found using fake digital certificates, in an attempt to elude digital certificate checks.

Opera is also not the first software vendor to release an advisory warning its users of malware bearing their digital certificates. Last year Adobe issued an advisory informing users of malicious utilities carrying legitimated Adobe certificates.

Trend Micro detects and deletes the said spyware bearing the said certificate. You may visit Opera’s site to know more about their advisory.

With additional insights from Threat Researcher Alvin John Nieto.

Our investigation of the June 25 South Korea incident led us to the compromise of an auto-update mechanism attack scenario. As part of our continuous monitoring, we documented another scenario (presented in this blog entry) pertaining to a DDoS attack scenario launched at specific sites.

The recent attack against South Korean websites has revealed a certain similarity between this attack and the March 20 MBR Wiper incident: a time trigger.

Recall that the March 20 MBR wiper attack involved a malware that was set to wipe the MBR files of affected systems at specific times (triggers were set to either at or before 2PM on March 20, 2013, or 3PM or later on the same date. This trigger date is dependent on files downloaded from certain URLs that function, in effect, as commands that specify when the DDoS attack will occur. We also uncovered that the malware re-checks the trigger time to re-execute the DDoS component every 24 hours for 3 days to possibly ensure that the DDoS attack occurs for a specific duration of time.

This ticking “time bomb” illustrates the great impact portrayed by time-triggered attacks, showing big effects in a short amount of time.”

Figure 1. DDoS Behavior

Looking more into the attack, maximum impact appears to be its primary goal. The DDoS attack is carried out by repeatedly sending relatively large DNS packets (more than one kilobyte) to two IP addresses. These targeted IP addresses are the primary and secondary DNS name servers of record for multiple South Korean government sites. The attack is intended to knock all of these sites offline indirectly: users that don’t have a DNS record cached for these domains would need to use DNS to translate the domain name to the IP address, but because the name servers for these domains are offline, they would be unable to do so. By targeting a single point of failure, attackers are able to take down multiple sites using only one attack.

All the components of this attack are already detected as TROJ_DIDKR.A, and the URLs of these malicious files have been blocked as well. We will continue to be on the lookout for further threats, and will release new information if it becomes available.

With additional analysis from Threat Researchers Rhena Inocencio and Teoderick Contreras.

On Tuesday, South Korea raised the country’s cyber security alarm from level 1 to 3, because of several incidents that affected different government and news websites in South Korea. One of the several attacks related to the June 25 security incident involved the compromise of the auto-update mechanism related to the legitimate installer file SimDisk.exe, which we were able to get a sample of. SimDisk is a file-sharing and storage service.

Most software vendors’ auto-update mechanisms are intended to be non-intrusive to the user experience in order to help consumers keep their software patched and updated with the latest versions of the software. This is extremely important in preventing exploit attacks that leverage software vulnerabilities in order to perpetrate cybercrime or targeted attacks.

In the SimDisk case, the legitimate software are configured to automatically download updates from a specific website. However, this website was compromised with a modified version of the installer (detected as TROJ_DIDKR.A). The modified version drops a copy of the legitimate installer in order to simulate what should typically happen. But it actually also drops another file, which is a malicious component that connects to a malicious location, allowing the infection chain to play out as intended.

Figure 1. Possible attack scenario

All the files noted above are detected as TROJ_DIDKR.A. The malicious file which connects to the Tor network takes its name from any process that is currently running on the system.

We are currently investigating this and related incidents. We currently do not have exact details about the method of compromise, but this shows that users also need to be vigilant about the security of the auto-update mechanism of the vendors they choose to trust. Software vendors should also prioritize safeguarding product servers and the overall security of their network using products, considering the impact that a compromise in this area has on their software’s users.

Trend Micro blocks all the malicious URLs related to this specific attack and also the malicious component of the compromised installer file. Trend Micro Deep Discovery helps enterprises defend their networks through network-wide visibility, insight, and control.

With additional analysis from Threat researchers Harli Aquino and Nikko Tamaña

Update as of June 26, 6:35 AM PDT

We also found evidence that the same technique of compromising the auto-update mechanisms of web application installers is being used in other attacks. Specifically, Songsari_setup.exe, a legitimate installer file, has also been modified to drop a malicious component that will connect to a URL to download files. Our detection for these compromised installer files and other related files is TROJ_DIDKR.A.

Figure 2. Possible attack scenario

With additional analysis from Network threat researcher Dexter To

Another scam site is offering to increase a user’s Instagram followers. Unlike previous attacks, however, these sites require payment – with the amount depending on the number of followers you prefer.

Figure 1. Pricelist for Instagram followers

Despite the site’s liberal use of the Instagram logo, it has nothing to do with the service. It has a reservation form that asks for user’s name, e-mail address, telephone number, and payment information. Even if you try to fill-up the form using a dummy account it will accept the any information that the user inputs. It even has information about the site itself, as well as a FAQ page.

Figure 2. About page

Figure 3. FAQ page

In the end, however, not only does the user not get the promised followers, he has handed over his personal information to scammers. This particular site has a .RU domain name, was only registered earlier this year, and is also hosted in Russia; in fact it is one of many malicious Instagram-related domains on the .RU country top-level domain. These sites are already blocked in order to protect Trend Micro customers from these threats.

Instagram’s recent introduction of video means that more users may be looking at using the already-popular service. Users should keep in mind that all offers of added followers – whether it be free or paid – are likely scams that will steal the user’s information, money, or both.