    Archive for August 5th, 2014

    Earlier this year, the Federal Bureau of Investigation disrupted the activities of the Gameover botnet. That disruption significantly reduced the scale of the ZBOT threat, but cybercriminals were unlikely to leave it unanswered.

    The use of domain generation algorithms (DGAs) is a key part of Gameover, but new variants like TROJ_ZBOT.YUYAQ have made this tactic even more powerful. How exactly does this variant use this technique?

    The domains are derived from an MD5 hash computed on the infected system. The inputs to the hash are:

    • current day/month/year
    • hardcoded value of 0x35190501
    • tick count (time since the system was started)

    How does the malware generate a domain name from this hash value? This is best demonstrated with a sample hash value. Let us suppose that the resulting MD5 value is 0xf1d73a971e50a68419c7f70764f34f1e. This can be split into four 4-byte words: from most significant to least significant, these would be:

    • 0xf1d73a97
    • 0x1e50a684
    • 0x19c7f707
    • 0x64f34f1e

    Each word is processed using the same algorithm with the word as the initial value, as follows:

    1. Divide the input number by 0x24.
    2. Take the remainder from #1 and add it to 0x30 and to 0x57. Let’s call the two sums x and y.
    3. Treat x and y as ASCII codes. Of the two resulting characters, use whichever one is a digit or a lower-case letter (exactly one of them will be).
    4. To generate the next character, repeat the algorithm with the quotient from step #1 as the input. If the quotient is zero, the algorithm is finished running and the resulting string is complete.

    The above algorithm converts 0xf1d73a97 into the string tdcly51. The malware reverses this string, resulting in 15ylcdt.

    Each word is converted into a string in this manner, and then the resulting strings are concatenated together into one longer string: in this case, our MD5 hash is converted into 15ylcdt10t00m627l7a18es4f8. This string is used as the hostname for the command-and-control server.

    The top-level domain (TLD) used is one of the following: .biz, .com, .net, or .org. Which TLD is used depends on the tick count of the system.
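    The steps above, reimplemented as an added Python example (this is not code from the post or from the malware). It starts from the finished MD5 digest because the post does not give the exact byte layout of the date, constant and tick-count inputs. One assumption is spelled out in the code: the post's worked result tdcly51 is only reproduced when each 4-byte group of the digest is read as a little-endian DWORD (bytes f1 d7 3a 97 become 0x973ad7f1), so that is the reading used.

```python
import struct

# Constructed from the post's worked example: the MD5 value it walks through.
EXAMPLE_DIGEST = bytes.fromhex("f1d73a971e50a68419c7f70764f34f1e")
TLDS = (".biz", ".com", ".net", ".org")  # the four TLDs named in the post


def encode_word(word: int) -> str:
    """Encode one 32-bit word with the loop the post describes.

    Each round divides by 0x24, adds the remainder to 0x30 and to 0x57,
    and keeps whichever of the two characters is a digit or a lower-case
    letter (exactly one always is). Stops when the quotient reaches zero.
    """
    chars = []
    while True:
        word, r = divmod(word, 0x24)
        x, y = chr(0x30 + r), chr(0x57 + r)
        chars.append(x if x.isdigit() else y)
        if word == 0:
            return "".join(chars)


def hostname_from_digest(digest: bytes) -> str:
    """Build the C&C hostname from a 16-byte MD5 digest.

    Assumption: the digest is split into four 4-byte groups, each read as a
    little-endian DWORD (the post's tdcly51 only comes out this way: bytes
    f1 d7 3a 97 -> 0x973ad7f1). Each word's string is reversed, then the
    four pieces are concatenated in digest order.
    """
    if len(digest) != 16:
        raise ValueError("MD5 digest must be 16 bytes")
    words = struct.unpack("<4I", digest)
    return "".join(encode_word(w)[::-1] for w in words)


def candidate_domains(digest: bytes) -> list:
    """All four domains the hostname could carry. The post says the TLD
    depends on the tick count but does not give the rule, so every TLD is
    returned for blocklisting or DNS-log matching."""
    host = hostname_from_digest(digest)
    return [host + tld for tld in TLDS]


if __name__ == "__main__":
    print(encode_word(0x973AD7F1))               # tdcly51
    print(hostname_from_digest(EXAMPLE_DIGEST))  # 15ylcdt10t00m627l7a18es4f8
```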

    Every time this malware is run, it generates up to 500 distinct domain names, with up to 1500 unique domains generated per day. While it may be capable of generating this large number of domains, in practice relatively few are used. We have found only 23 domains related to this specific variant of Gameover. More than three-fourths of the victims of this variant are located in the United States. The heat map below shows the distribution of the victims around the world, with the blue circles showing where the C&C servers are located:

    Figure 1. Heat map of victims and C&C servers

    This incident was not the first time that malware has used a DGA to try to hide its network traffic, and it won’t be the last. So long as it remains an effective way to make detection of C&C traffic difficult, malware will continue to use this technique – to the detriment of users.

    The hash involved in this attack is:

    • 591567291435e4e1394aac27a0c4bbb1d5bdd47e

    With additional analysis from Marilyn Melliang and Marco Dela Vega


    We have discovered a vulnerability that affects versions of the Spotify app for Android older than 1.1.1. If exploited, the vulnerability allows attackers to control what is displayed in the app interface. Cybercriminals could abuse it to launch phishing attacks that may result in information loss or theft.

    Spotify quickly responded to our discovery by fixing the flaw in the 1.1.1 version of the app. Users are encouraged to make sure they are using the latest version of Spotify for Android.

    Affected Activity

    The vulnerability affects a specific activity (, which is designed to retrieve and show Spotify web pages inside the app. Because the activity is exported, the content of these web pages is visible to other apps installed on the phone. Furthermore, the bug allows a separate app, process, or thread to trigger the activity without needing any additional permissions.

    Using a malicious app, an attacker can exploit this activity to alter the content being shown by the app to users. For example, we were able to show the Google home page on the Spotify app. Far more malicious pages can also be displayed within the app.

    Figure 1. Official Spotify app displaying Google home page

    Figure 2. “Malicious” page that could be displayed by the app

    It should be noted that the malicious app can trigger and “minimize” the activity at will. If a user tries to leave the Spotify app by pressing the “Back” button, the malicious content shows up on the screen. Users who are not overly familiar with the app might take this for normal app behavior.

    Because such attacks do not require additional permissions, users may see nothing suspicious about the situation. The absence of extra permission requests also means that AV solutions and threat researchers may find it harder to detect and analyze the malicious activity.

    Potential for Phishing Attacks

    Attackers may take advantage of this vulnerability to create phishing pages that ask for sensitive information such as user names, passwords, contact details, and even payment information. The latter is especially plausible considering Spotify offers both free and premium services. A well-crafted phishing page might cause users to assume that the request for financial information is part of a routine or process. A phishing page is often just the first step to other schemes. The stolen information could be used for other schemes such as identity theft, fraud, or even targeted attacks.

    Cybercriminals may also create pages that will lead users to other threats such as malware. Because the vulnerability lies within the official app—compared, say, to a fake Spotify app—users will be prone to believe the malicious pages being displayed. These scenarios are similar to ones we previously discussed in our blog entry, Android App Components Prone to Abuse.

    Spotify has fixed the flaw in Version 1.1.1 of the Android app. We advise Spotify users to upgrade to that version or later, either by downloading the latest version directly or by visiting the Google Play store to receive the update automatically. At the time of publishing, the latest version is 1.1.2.

    As of this writing, we are not aware of any attacks using this vulnerability.

    Posted in Mobile, Vulnerabilities: Vulnerability in Spotify Android App May Lead to Phishing