TrendLabs Malware Blog - Trend Micro

    We have discovered a vulnerability in Android that can render a phone apparently dead – silent, unable to make calls, with a lifeless screen. This vulnerability is present from Android 4.3 (Jelly Bean) up to the current version, Android 5.1.1 (Lollipop). Combined, these versions account for more than half of Android devices in use today. No patch has been issued in the Android Open Source Project (AOSP) code by the Android Engineering Team to fix this vulnerability since we reported it in late May.

    This vulnerability can be exploited in two ways: either via a malicious app installed on the device, or through a specially-crafted web site. The first technique can have long-term effects on the device: an app with an embedded MKV file that registers itself to auto-start whenever the device boots would cause the OS to crash every time it is turned on.

    In some ways, this vulnerability is similar to the recently discovered Stagefright vulnerability. Both vulnerabilities are triggered when Android handles media files, although the way these files reach the user differs.

    Vulnerability Description

    The vulnerability lies in the mediaserver service, which is used by Android to index media files that are located on the Android device. This service cannot correctly process a malformed video file using the Matroska container (usually with the .mkv extension). When the process opens a malformed MKV file, the service may crash (and with it, the rest of the operating system).

    The vulnerability is caused by an integer overflow when the mediaserver service parses an MKV file. It reads memory outside the buffer or writes data to a NULL address when parsing audio data. The source code below – found in the frameworks/av/media/libstagefright/matroska/MatroskaExtractor.cpp file – shows the vulnerability in detail:

    size_t offset = 1;
    size_t len1 = 0;
    while (offset < codecPrivateSize && codecPrivate[offset] == 0xff) { // codecPrivate is controlled by the MKV file
        len1 += 0xff;
        ++offset;
    }
    if (offset >= codecPrivateSize) {
        return ERROR_MALFORMED;
    }
    len1 += codecPrivate[offset++];

    size_t len2 = 0;
    while (offset < codecPrivateSize && codecPrivate[offset] == 0xff) {
        len2 += 0xff;
        ++offset;
    }
    if (offset >= codecPrivateSize) {
        return ERROR_MALFORMED;
    }
    len2 += codecPrivate[offset++];

    if (codecPrivateSize < offset + len1 + len2) { // len1 or len2 may be as large as 0xffffffff, so the sum overflows and the check passes
        return ERROR_MALFORMED;
    }

    if (codecPrivate[offset] != 0x01) {
        return ERROR_MALFORMED;
    }
    meta->setData(kKeyVorbisInfo, 0, &codecPrivate[offset], len1); // crash here: len1 is larger than the remaining buffer
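The following C program is an added illustration, not the AOSP extractor code or Trend Micro's proof of concept: it re-implements the two lacing-length reads with 32-bit lengths (a 32-bit size_t, as on most Android devices of the time), applies the original-style check beside an overflow-safe one, and feeds both a constructed header of 16 MiB of 0xff bytes, which is the order of data the post says Chrome reads before mediaserver crashes. All function and parameter names are assumptions.

```c
/* Added example (not the AOSP extractor code or Trend Micro's PoC): the two Xiph-lacing
 * length reads with 32-bit lengths, and the original-style bounds check beside a safe one. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One Xiph-laced length: a run of 0xff bytes plus one final byte below 0xff. */
static int read_laced_len(const uint8_t *p, uint32_t n, uint32_t *off, uint32_t *len)
{
    uint32_t v = 0;
    while (*off < n && p[*off] == 0xff) { v += 0xff; (*off)++; }
    if (*off >= n) return -1;
    v += p[(*off)++];
    *len = v;
    return 0;
}

/* Original-style check: off + len1 + len2 can wrap past 2^32 and look small. Returns 1 if accepted. */
int lacing_check_unsafe(uint32_t size, uint32_t off, uint32_t len1, uint32_t len2)
{
    return size < (uint32_t)(off + len1 + len2) ? 0 : 1;
}

/* Overflow-safe check: compare each length with what remains, subtracting instead of adding. */
int lacing_check_safe(uint32_t size, uint32_t off, uint32_t len1, uint32_t len2)
{
    if (off > size) return 0;
    uint32_t remain = size - off;
    if (len1 > remain) return 0;
    return len2 > remain - len1 ? 0 : 1;
}

/* Parses codecPrivate like the extractor; returns 1 if accepted, i.e. setData() would
 * copy len1 bytes starting at p + off (the out-of-bounds read for an oversized len1). */
int parse_vorbis_private(const uint8_t *p, uint32_t size, int safe, uint32_t *len1_out)
{
    uint32_t off = 1, len1, len2;
    if (read_laced_len(p, size, &off, &len1) || read_laced_len(p, size, &off, &len2)) return 0;
    int ok = safe ? lacing_check_safe(size, off, len1, len2)
                  : lacing_check_unsafe(size, off, len1, len2);
    /* 0x01 marks the Vorbis identification header in a valid file */
    if (!ok || off >= size || p[off] != 0x01) return 0;
    if (len1_out) *len1_out = len1;
    return 1;
}

/* Constructed codecPrivate header: n_ff bytes of 0xff, the final byte of len1,
 * one byte for len2 and the 0x01 marker. The caller frees the buffer. */
uint8_t *make_private(uint32_t n_ff, uint8_t last1, uint8_t len2_byte, uint32_t *size_out)
{
    uint32_t size = n_ff + 4;
    uint8_t *p = malloc(size);
    if (!p) return NULL;
    p[0] = 0x02;                     /* lacing count byte, skipped by offset = 1 */
    memset(p + 1, 0xff, n_ff);
    p[n_ff + 1] = last1;
    p[n_ff + 2] = len2_byte;
    p[n_ff + 3] = 0x01;
    *size_out = size;
    return p;
}

int main(void)
{
    uint32_t size, len1 = 0;
    /* 16 MiB of 0xff: len1 = 255 * 2^24 + 0x10, and off + len1 + len2 wraps to 24 */
    uint8_t *p = make_private(1u << 24, 0x10, 0x05, &size);
    if (!p) return 1;
    printf("original check: %s (len1 = %u bytes)\n",
           parse_vorbis_private(p, size, 0, &len1) ? "accepted" : "rejected", len1);
    printf("safe check:     %s\n", parse_vorbis_private(p, size, 1, NULL) ? "accepted" : "rejected");
    free(p);
    return 0;
}
```

With the constructed header the original-style check accepts a len1 of about 4 GB against a 16 MiB buffer, while the subtraction-based check rejects it; a well-formed header (no 0xff run) passes both.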

    Proof Of Concept

    We created a proof-of-concept app that includes a malformed MKV file (res/raw/crash.mkv) to demonstrate how this attack functions. Once the app is started, the mediaserver service will keep crashing.

    Figure 1. The mediaserver service continuously restarting after the exploit is triggered

    This will cause the device to become totally silent and non-responsive. This means that:

    • No ring tone, text tone, or notification sounds can be heard. The user will have no idea of an incoming call/message, and cannot even accept a call. Neither party will hear each other.
    • The UI may become very slow to respond, or completely non-responsive. If the phone is locked, it cannot be unlocked.

    Figure 2. Unresponsive phone

    The video below demonstrates the exploitation through a malicious app.

    As for exploitation through the specially-crafted URL, we’ve created a test website with the same MKV file embedded into an HTML page. When this site is loaded using the Chrome browser, we see the same effect:

    Figure 3. HTML code of test page

    What’s more, although mobile Chrome disables preload and autoplay of videos, the malformed MKV still causes Chrome to read more than 16MB of the file until mediaserver crashes. It appears to have bypassed the limitation.

    Potential threat scenarios

    As we mentioned above, there are two ways this vulnerability can be exploited: the user either visits a malicious site or downloads a malicious app.

    There are many common techniques that could be used to lure a user to a malicious site. We’ve discussed in the past how repackaged apps pose a problem for users who may have a hard time differentiating legitimate apps from repackaged ones.

    Whatever means is used to lure in users, the likely payload is the same. Ransomware is likely to use this vulnerability as a new “threat” for users: in addition to the files on the device being encrypted, the device itself would be locked out and unable to be used. This would increase the problems the user faces and make them more likely to pay any ransom.

    Further research into Android – especially the mediaserver service – may find other vulnerabilities that could have more serious consequences to users, including remote code execution. One of them is Stagefright, a recently discovered vulnerability which can infect Android devices using just one MMS.

    We reported this vulnerability privately to Google and received responses on the following dates:

    • May 15 – Trend Micro reported the vulnerability to Google
    • May 20 – Google acknowledged the report as a low-priority vulnerability and identified it as ANDROID-21296336

    For ransomware and other apps that may disrupt the functionality of mobile devices, users can opt to reboot their device in “safe mode,” which is similar to the safe mode found in Windows. Safe mode allows users to start up their device without loading any third-party apps. Booting in safe mode should allow users to access the list of installed apps and remove the malicious app. Booting in safe mode may vary per device so we advise users to consult their device or network provider before proceeding.

    Protect your Android devices with on-device security solutions like Trend Micro Mobile Security (TMMS) to block threats like these. TMMS watches out for vulnerabilities that can be used to alter system functions like the notification sounds and display.

    Find out more mobile stories and graphics in our Mobile Threat Intelligence Center.

    Updated on July 30, 2015, 7:54 A.M. PDT (UTC-7) to include more solutions addressing ransomware and other disruptive apps.


    A recent campaign compromised Taiwan and Hong Kong sites to deliver Flash exploits related to Hacking Team and eventually download PoisonIvy and other payloads onto user systems. This campaign started on July 9, a few days after Hacking Team announced it was hacked.

    The actors compromised the sites of a local television network, educational organizations, a religious institute, and a known political party in Taiwan; and a popular news site in Hong Kong. Note that the affected sites have consistent followers given the nature of their content. The affected educational organizations, for instance, are used to deliver employment exams for government employees. The Taiwanese television network involved has been producing and importing TV shows and movies for a decade.

    We have notified the owners of the sites that are affected by the campaign; however, three sites are still compromised as of this writing.

    Traces of Hacking Team Still Out There

    The actors initially delivered a Flash Player exploit (CVE-2015-5119) found in the Hacking Team dump into pre-compromised sites a few days after the company announced it was hacked (July 5) and Adobe patched the flaw (July 7). The actors delivered a second wave of attacks using another Flash zero-day exploit (CVE-2015-5122) related to Hacking Team.

    Figure 1. Timeline of Flash exploits related to Hacking Team delivered to Taiwan and Hong Kong sites

    Note that, at the start of the first and second wave of attacks, the actors included the same two educational organizations’ websites in Taiwan among its targets.

    Figure 2. Screenshot of a religious organization’s site in Taiwan compromised to deliver CVE-2015-5122

    PoisonIvy and Other Payloads

    We found that all the compromised sites, save for the official site of a known Taiwanese political party, were injected with a malicious SWF via an iframe that leads to the remote access tool (RAT) PoisonIvy, detected here as BKDR_POISON.TUFW, as the final payload. PoisonIvy is a popular RAT backdoor available in the underground market and typically used in targeted attacks. This backdoor has been known to capture screenshots, webcam images, and audio; log keystrokes and the active window; delete, search, and upload files; and perform other intrusive routines.

    The party’s site, on the other hand, has been observed to deliver a different payload embedded in a picture and detected as TROJ_JPGEMBED.F. The party’s site sends collected information to the same server as the other sites (223[.]27[.]43[.]32), leading us to believe that it is part of the same campaign.

    Figure 3. Photo where a final payload of Hacking Team Flash exploit campaign is embedded

    Although analysis is still ongoing to determine if this campaign is a targeted attack, we have found a suspicious domain wut[.]mophecfbr[.]com embedded in the payload which was listed in the command-and-control (C&C) list of a previously reported targeted attack dubbed “Tomato Garden.”


    To protect machines from exploits and unwanted backdoor access, users should update Adobe Flash Player. You can verify if you’re using the latest version by checking the Adobe Flash Player page. It also helps to keep yourself updated with the latest news on popular software. Read more about recent Flash-related incidents and what users and companies can do on our blog post, “The Adobe Flash Conundrum: Old Habits Die Hard.”

    Trend Micro detects all malware and exploits related to this incident. The SHA1s are outlined below:

    • SWF_CVE20155122.A
    • SWF_CVE20155122.B
    • SWF_CVE20155122.C

    When big breaches happen and hundreds of millions of credit card numbers and SSNs get stolen, they resurface in other places. The underground now offers a vast landscape of shops, where criminals can buy credit cards and other things at irresistible prices.

    Million dollar breaches

    News and media coverage of significant breaches is increasingly becoming an everyday occurrence. 2014 became the “year of the POS breach” for retailers like Neiman Marcus, Staples, Kmart, and Home Depot. The first part of 2015 has also seen some major breaches within the consumer industry (Chick-fil-A, RyanAir) but also with health insurers (Anthem, Premera). A simple shopping trip to the grocery store (Albertsons or Supervalu) or to Home Depot can prove fatal—paying with a debit/credit card has its inherent risks. But what happens with the compromised data and personal information?

    Buying a stolen credit card

    One interesting thing I observed was that right after a significant data breach, the underground experiences an influx of new cards. These stolen credentials surface in places where they get categorized within databases and sold in a very orderly fashion in underground “marketplaces.” Marketplaces in many ways are what forums used to be: a place of trade, but marketplaces now allow for standardized sales of products and services at a set price that can be bought with a few easy clicks, similar to online shopping. These places often have a professional-looking, user-friendly graphical interface, where the buyer can easily filter the available cards by very specific criteria such as ZIP code, city, address of the card owner, type of card, etc.

    Figure 1. The marketplace GoCVV offers a global map index to show the availability of credit cards in different locations for a better underground shopping experience

    During my research excursions through various underground forums, I stumbled across several credit cards that can be linked to big, well-known corporations by looking at the (valid) information offered about the card owner, his (corporate) address, zip code, and card number and validity date. What this tells us is that the clever cybercriminal, wanting to operate in a time-efficient manner and maximize his earnings, will make the best use of these new search/filter options offered by marketplaces. He will narrow his search to the big corporations, keep a database with addresses and locations and regularly filter the best marketplaces for the most recent outpour of fresh credit card leaks.

    Corporate Credit Cards = $$$

    How often do you use your corporate credit card to pay for an overnight stay, a flight, a business lunch? Many corporations allow their employees to use credit cards for business travels but in the event of a card being stolen, the corporation is affected directly. The benefit these cards render for criminal purposes is obvious: if a corporate card has a transaction limit of, say, US$ 2,000, it can be a gold mine for cybercriminals. Due to hundreds of transactions that are processed, it’s difficult for the corporate card owner to detect and trace back any suspicious movement.

    Shopping in the Russian Underground

    Today we are releasing the third of a series of papers on the Russian Underground, titled Russian Underground 2.0. It discusses the most current set-up of the Russian cyber underground scene, a mature ecosystem that covers all aspects of cybercriminal business activities. The Russian Underground not only provides products and services for cyber criminals but creates new niches for “employment” in the underground such as translation or spam-proofing services for criminals. The paper looks into new services becoming available to criminal minds, automated and optimized processes for quick and easy deals, and looming attack avenues we expect to see in the near future.

    This is part of the Cybercrime Underground Economy Series, which takes a comprehensive view of various cybercrime markets from around the world.


    Car hacking is a reality the general public will have to deal with. Nothing can be as intrusive and dangerous as strangers taking over your car while you are driving it. Last week, Valasek and Miller’s digital car-jacking stunt using 3G connectivity on a Jeep Cherokee’s infotainment system illustrated how life-threatening this situation can get. The discovery of the bug has since led to the recall of 1.4 million vehicles. A similar hack—but off-road this time—was demonstrated a few days later, this time via digital audio broadcasting (DAB) radio signals.

    Last week’s revelations are not the first time that car security has been in the spotlight; earlier in 2015, German security specialist Dieter Spaar discovered vulnerabilities in BMW ConnectedDrive. We have been monitoring and researching this security area as well (Automotive Security: Connected Cars Taking the Fast Lane).

    High Visibility Can Mean High Risk

    Currently, we are investigating the SmartGate System, first introduced by Škoda Auto in its Fabia III cars, which allows car owners to connect a smartphone to the car to read and display data such as how fast the car is going, how much fuel it is using on average, how many days until the next oil change or service, and the like. Škoda Auto, better known as Škoda, is a Czech auto manufacturer that is a subsidiary of the Volkswagen Group.

    Figure 1. Škoda SmartGate sample telemetry screen

    During our research, we discovered that any attacker can read more than twenty parameters similar to the above and even lock the owner of the car out of the SmartGate system. All the attacker needs to do is stay within the SmartGate’s in-car Wi-Fi range, identify the car’s Wi-Fi network, and then break the password, which is secured quite weakly. Staying within Wi-Fi range is not difficult: the attacker can be lurking up to fifty feet from the vehicle and still be within range, and the range could be even wider if the attacker is using a high-gain antenna. From there, the attacker can read all the car’s data.

    In our real-world test, we were able to break into the Wi-Fi even while driving behind the target car. Both cars were moving at approximately 30 to 40 kph. Reading the car data worked at speeds up to 120 kph; for safety reasons we did not want to try higher speeds.

    We also found out that Wi-Fi Direct makes it incredibly easy for attackers to determine the PIN. SmartGate firmware shipped with recently built cars (or cars where a Škoda car owner or his dealer updated the SmartGate firmware) supports Wi-Fi Direct.

    You may say that this is more a privacy concern and less a severe security issue, i.e. we cannot stop the engine or blow up the gas tank or anything like that. However, unlike the possible attacks being discussed in the news, which require the IP address of the car (quite hard to get), the Škoda SmartGate security issue has far fewer barriers to success: you only need the VIN (Vehicle Identification Number), which is often clearly printed on the car’s dashboard.

    Sufficiently motivated attackers can stalk targets using the leeched information. An attacker can wait for you to turn on the ignition in your car, and once your Wi-Fi gets online, the attacker can learn your SmartGate device password, change your Wi-Fi settings, and basically lock you out of the system. An attacker can then wait for you in some location knowing you will need to go back to your car dealer to have your settings reset.

    Škoda Fabia Car Owners and Maker Need to Act Now

    Furthermore, we found out that more recent versions of SmartGate support Wi-Fi Direct, sometimes called Wi-Fi P2P, which can provide an unseen advantage for the attacker: the system does not need the owner’s smartphone to be connected and, as mentioned earlier, the Wi-Fi PIN is easy to crack.

    Right now, Trend Micro recommends all owners of Škoda cars that support SmartGate (in Germany it’s the Fabia, Octavia, Rapid, Yeti, and Superb, but it may vary in different countries) to do the following, where at least step 1 is highly recommended:

    1. Change the Wi-Fi transmission (Wi-Fi TX) power to 10%
    2. Change the Wi-Fi password and change the Wi-Fi Direct PIN (if Wi-Fi Direct is supported)
    3. Change the Wi-Fi network name

    SmartGate is currently being rolled out to other Škoda car models, so it is high time for Škoda to take action as well. These are good places to look into:

    1. Consider setting the Wi-Fi TX power to 10% by default via a firmware update.
    2. Add a strong recommendation in the car’s manual for owners to change the password and PIN.
    3. Design an “on/off” switch for SmartGate.

    The SmartGate (Wi-Fi) is on when the ignition is on. But sometimes you just don’t need the SmartGate functionality. Admittedly, there is a workaround—you can unplug the cable of the SmartGate device which is located below the driver’s seat. However, that isn’t convenient for users, especially those who want to use the SmartGate function at times. There should be either a physical on/off switch or you can easily switch it on/off in the car settings menu of the on-board multimedia unit.

    Governments and other regulatory bodies have taken great strides in ensuring road safety throughout the years, where the impact of physical components on physical security are scrutinized. With the integration of smart devices into everyday lives, security conversations should include the impact of digital components as well. The Internet of Things may be a much-abused buzz word, but it is happening now and has clear and dangerous consequences if security is not built in.

    All tests have been performed with a Škoda Fabia III car, SmartGate HW version 0004, SmartGate SW version 0884, and SW version 0928. As of this writing, SW version 0928 appears to be the latest version.

    More details and information about this security concern will be discussed at length in an upcoming entry.

    Updated on July 29, 2015, 6:36 A.M. PDT (UTC-7) to update the list of cars that support SmartGate.

    Legal disclaimer: The information provided in this statement is only of a general nature and only meant to serve as information. It is not intended to give any practical or legal advice and must not be interpreted as such. Without any specific practical or legal advice obtained from a third party, the contents of this document must not be relied on or interpreted as instructions for any action to be taken. Trend Micro reserves the right to change this information at any time and without any previous warning. Trend Micro does not assume any warranty or liability, in whichever form, for this document or its use, neither expressly nor tacitly.


    An attack aiming to infect PoS systems was found using the Angler Exploit Kit to push a PoS reconnaissance Trojan. This Trojan, detected as TROJ_RECOLOAD.A, checks for multiple conditions in the infected system, such as whether it is a PoS machine or part of a PoS network. It then proceeds to download specific malware depending on the conditions met. We’ve also found that this utilizes the fileless installation capability of the Angler Exploit Kit to avoid detection.

    Looking into its infection chain, we found that part of its reconnaissance involves searching for data related to specific websites and companies. One example would be Verifone, a company that offers solutions for electronic payments and PoS transactions. Based on the infection chain, we also believe that this attack is targeting web-based terminals.

    This finding suggests that attackers are now looking for ways to deploy PoS malware on a wider scale. Just recently, we discovered a PoS threat that piggybacks on the established Andromeda botnet to reach PoS systems.

    Arrival vector

    The Angler Exploit Kit often uses malvertisements and compromised sites as the starting point for infection. For this specific incident, we found that the infection chain takes advantage of two Adobe Flash vulnerabilities (CVE-2015-0336 and CVE-2015-3104). After exploiting either vulnerability the Trojan, detected as TROJ_RECOLOAD.A, finds its way to the system.

    One detail that bears stressing is the use of fileless installation for this malware. Fileless installation involves installing the malware into locations that are difficult to scan or detect. The malware exists only in memory and is written directly to RAM instead of being installed in target computer’s hard drive.

    Anti-analysis techniques

    By definition, reconnaissance requires stealth work. TROJ_RECOLOAD.A employs several anti-analysis techniques before performing its main routine.

    • It checks if modules related to virtualization, sandbox and analysis tools are loaded.

    Figure 1. Checks for loaded malware analysis-related modules

    • It checks if the current user of the infected system has user names related to malware analysis.

    Figure 2. Checks for malware analysis-related user names

    • It has a list of hashes of analysis tools’ process names that it checks against running processes. Here are some of the processes being checked:
      • wireshark.exe
      • dumpcap.exe
      • Tcpview.exe
      • OllyDbg.exe

    If any of the conditions are met, it will not proceed with its main routine.



