Showing posts with label malware. Show all posts

Monday, 7 May 2012

RedKit Exploit Kit : New web malware exploitation pack

crackthesecurity | 02:19 | Be the first to comment!
Trustwave researchers have spotted a new exploit kit, dubbed "RedKit Exploit Kit", that is being used in the wild and is aiming to enter a market practically monopolized by the widely known BlackHole and Phoenix exploit kits.


In fact, the new kit has no official name; the researchers dubbed it "RedKit" because of the red border used in the application's panel.

"Logging to the admin panel presents you with options which are typically used by other exploit kits. The panel allows you to check the statistics for incoming traffic, upload a payload executable and even scan this payload with no less than 37 different AV’s," Trustwave reports.

To deliver the malware, RedKit exploits two popular bugs:
1.) The Adobe Acrobat and Reader LibTIFF vulnerability (CVE-2010-0188).
2.) The Java AtomicReferenceArray vulnerability (CVE-2012-0507), lately used by the criminals behind the massive Flashback infection.


"As each malicious URL gets blocked by most security firms after 24 to 48 hours, RedKit's authors have provided a new API which will produce a fresh URL every hour, so that customers of this exploit kit can now set up an automated process for updating the traffic sources every hour or so to point to the new URL."
Read More...


Sunday, 6 May 2012

For the first time, hacked websites deliver Android malware

crackthesecurity | 00:41 | Be the first to comment!
Analysts with Lookout Mobile Security have found websites that have been hacked to deliver malicious software to devices running Android, an apparent new attack vector crafted for the mobile operating system.

The style of attack is known as a drive-by download and is common on the desktop: When someone visits a hacked website, malware can transparently infect the computer if it doesn't have up-to-date patches.

"This appears to be the first time that compromised websites have been used to distribute malware targeting Android devices," Lookout wrote on its blog.

Lookout said it noticed that "numerous" websites had been compromised to execute the attack, although those sites had low traffic. The company expects the impact to Android users will be low. The malware that tries to install itself, dubbed "NotCompatible," appears to be a TCP relay or a proxy.

"This threat does not currently appear to cause any direct harm to a target device, but could potentially be used to gain illicit access to private networks by turning an infected Android device into a proxy," Lookout said. "This feature in itself could be significant for system IT administrators: a device infected with NotCompatible could potentially be used to gain access to normally protected information or systems, such as those maintained by enterprise or government."

NotCompatible starts downloading automatically once the hacked website detects, from the web browser's user-agent string (which specifies the device's operating system), that an Android device is visiting.

The hacked websites have a hidden iframe, which is a window that brings other content into the target website, at the bottom of a page. The iframe causes the browser to pull content from two other malicious websites hosting NotCompatible. If a PC accesses either of those websites, a "not found" error is displayed, Lookout said.

After the malware downloads, the device will ask a user to install the application. But for it to be installed, the Android device's settings must have "unknown sources" enabled, Lookout said. If the setting is not enabled, only applications from the Android Market, now called the Google Play store, can be installed.
Read More...


Friday, 4 May 2012

Notcom malware for Android distributed using drive-by downloads

crackthesecurity | 02:21 | Be the first to comment!
Reddit user georgiabiker appears to have discovered a new drive-by malware attack targeting Android users visiting compromised websites.
The sites distributing the malware have been injected with a malicious iframe (Troj/Iframe-HX) that looks at the User Agent string sent by the browser to see if it contains the string "Android" and if so directs the device to download a malicious Android package (APK).
Notcom package installed on Android phone
This malware, which Sophos Anti-Virus detects as Andr/Notcom-A, is a bit more stealthy than Andr/Opfake-C by disguising itself as a security update.
Lookout Mobile Security did an analysis and came to the conclusion that this malware is designed to be a proxy. If that is true, its purpose could be data theft from devices that are connected to corporate networks or VPNs.
Vanja isn't as sure. He notes that the malware can be directed to communicate with different command and control servers and could have bot functionality as well.
Unlike many other Android Trojans we have analyzed this one only requests network permissions, so the intention doesn't appear to be collecting all of your contact details, SMSs, email and other personal details.
NotCom Trojan permissions
One of the command and control domains is 3na3budet9[dot]ru, which loosely translates to "3 on 3 will be 9", implying that whoever is behind this is likely Russian, or has an understanding of the Russian language. Not surprising really, but interesting.
Don't install unknown packages on your smartphone, random websites are not likely to provide you with security updates. If you are an Android user even your carrier or phone manufacturer is unlikely to supply you with security fixes, so don't be fooled.
Read More...
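As an added example (not code from the original posts, Lookout or Sophos), here is a small scanner a site owner can run over a page's HTML to flag iframes that a visitor would never see, the injection pattern described in the two posts above. The sample page and the malicious.example host are constructed for the example.

```python
# Added example: find iframes hidden from the visitor (the NotCompatible /
# Notcom injection pattern). The SAMPLE page below is constructed.
from html.parser import HTMLParser
import re

# CSS that makes an element invisible or pushes it far off-screen
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:left|top)\s*:\s*-\d{3,}px|(?:width|height)\s*:\s*[01]px",
    re.I)

class IframeFinder(HTMLParser):
    """Collects the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _tiny(value):
    # width="0", height="1", width="1px" ... are effectively invisible
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1

def is_hidden(attrs):
    return (_tiny(attrs.get("width")) or _tiny(attrs.get("height"))
            or HIDDEN_STYLE.search(attrs.get("style", "")) is not None)

def find_hidden_iframes(html):
    """Return the src of every iframe a visitor would not see."""
    parser = IframeFinder()
    parser.feed(html)
    return [a.get("src", "") for a in parser.iframes if is_hidden(a)]

# Constructed page: one legitimate embed plus an injected, invisible iframe
# at the bottom, as the compromised sites in the posts had.
SAMPLE = """<html><body><h1>Blog</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<p>footer</p>
<iframe src="http://malicious.example/update.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src in find_hidden_iframes(SAMPLE):
        print("hidden iframe ->", src)
```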


First malware using Android Gingerbreak root exploit

crackthesecurity | 02:16 | Be the first to comment!
It did not take too long after I found out about the discovery of Gingermaster, the first Android malware to use the Gingerbreak exploit, to acquire a sample which was still available from a Chinese alternative Android Marketplace.
The package I downloaded uses the following permissions:
android.permission.READ_PHONE_STATE
android.permission.READ_LOGS
android.permission.DELETE_CACHE_FILES
android.permission.ACCESS_CACHE_FILESYSTEM
android.permission.WRITE_SECURE_SETTINGS
android.permission.ACCESS_NETWORK_STATE
android.permission.INTERNET
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.MOUNT_UNMOUNT_FILESYSTEMS
android.permission.READ_OWNER_DATA
android.permission.WRITE_OWNER_DATA
android.permission.WRITE_SETTINGS
com.android.launcher.permission.INSTALL_SHORTCUT
com.android.launcher.permission.UNINSTALL_SHORTCUT
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.RESTART_PACKAGES
I was quite interested to find out how and why the Gingerbreak privilege escalation exploit, also known as CVE-2011-1823 is used.
Despite its Chinese origin, the Gingermaster malware is perfectly capable of spreading globally: I had no trouble installing it on my test rig and in the Android emulator.
Gingermaster installed and the home activity
The malware purports to be an application which displays "Beauty of the day" pictures. The content is downloaded from a website, not packaged with the application.
(When I carried out my tests, the list of beauties also included photos of Lady Gaga - some celebrities seem to be truly global.)
Celebrities
Apart from displaying the photos, Gingermaster creates a service that steals information from your device, sending it out to a remote website in an HTTP POST request. The information grabbed includes: user identifier, SIM card number, telephone number, IMEI number, IMSI number, screen resolution and local time.
The server responds with the various configuration parameters including the update frequency and the update URL. The responses are just simple JSON objects.
In the assets folder of the APK file, Gingermaster includes three ELF executables and one shell script, all with the file name extension .png, presumably to make the exploit code slightly less obvious. The file names are gbfm.png, install.png, installsoft.png and runme.png. The malware also creates a file called gbfm.sh. This contains the actual Gingerbreak exploit code, launched in a separate thread.
Gingermaster also generates an output log, called logcat, which contains information about what the malware has done so far:
Gingermaster logcat output
If the root exploit is successful, the system partition is remounted as writable and various additional utilities installed, supposedly to make removal more difficult and allow for additional functionality.
One of these utilities, installsoft.png, contains code to install Android packages using the command line version of the package manager.
This is an interesting technique which I have not seen before and nicely bypasses the Android permissions system by removing the requirement for declaring the "uses-permission" INSTALL_PACKAGES in the Android manifest file.
Of course, once a malicious process gets root, its powers are potentially unlimited.
Gingermaster will be detected by Sophos products as Andr/Gmaster-A.
The Android malware writing scene is heating up as the season of summer holidays is coming to its end. Last week, we received a record number of samples which are now waiting to be analysed in detail.
Hopefully, I will have enough time to document the more interesting ones and share them with you on NakedSecurity.
If you are an Android user, here are some security hints:
* Avoid alternative Android Marketplaces unless you have strong evidence they are trustworthy.
* Avoid applications which request more permissions than they need.
(Gingermaster claims to be an application which downloads "beauty of the day" pictures of celebrities from a website. Why would it need permissions such as WRITE_USER_DATA and MOUNT_UNMOUNT_FILESYSTEMS?)
Read More...
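An added example, not Sophos' code, of the "more permissions than it needs" check from the hints above: it parses an AndroidManifest.xml, compares the declared permissions with what a picture-of-the-day viewer plausibly needs, and singles out the ones that grant system-level control or persistence. The expected set and the high-risk set are this example's assumptions, and the sample manifest is constructed from the permission list in the post.

```python
# Added example: audit a manifest's uses-permission entries against an
# app's stated purpose. EXPECTED_FOR_VIEWER and HIGH_RISK are assumptions.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# What a "Beauty of the day" picture viewer plausibly needs (assumption)
EXPECTED_FOR_VIEWER = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Permissions that change system state, survive reboots or read other apps'
# logs: legitimate for few apps, and meaningless for a picture viewer
HIGH_RISK = {
    "android.permission.WRITE_SECURE_SETTINGS",
    "android.permission.MOUNT_UNMOUNT_FILESYSTEMS",
    "android.permission.READ_LOGS",
    "android.permission.RESTART_PACKAGES",
    "android.permission.DELETE_CACHE_FILES",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

def declared_permissions(manifest_xml):
    """Set of android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def audit(manifest_xml, expected):
    perms = declared_permissions(manifest_xml)
    excess = perms - expected
    return {"declared": perms, "excess": excess, "high_risk": excess & HIGH_RISK}

# Constructed manifest using a subset of the permissions listed in the post
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.beautyoftheday">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.WRITE_SECURE_SETTINGS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""

if __name__ == "__main__":
    result = audit(SAMPLE_MANIFEST, EXPECTED_FOR_VIEWER)
    print("excess:", sorted(result["excess"]))
    print("high risk:", sorted(result["high_risk"]))
```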


Android malware spreads via Facebook

crackthesecurity | 02:12 | Be the first to comment!
Android malware spread via Facebook
If you're using Facebook on your Android smartphone, you should be just as careful clicking on links as you would (hopefully) be on a desktop computer.
A few days ago I received a Facebook friend request and, as is usual, used my Android smartphone to check out the details of the person before I decided whether I wanted to become "friends" or not.
As the following video demonstrates, a link on the user's Facebook profile redirected my browser to a webpage that downloaded malware automatically onto my Android phone.
The malware package was called any_name.apk, and appears to have been designed to earn money for fraudsters through premium rate phone services.
Anyname malicious file
Alarm bells definitely rang when I noticed the app was using a class name which attempted to associate it with the legitimate Opera browser app:
com.opera.install
An encrypted configuration file inside the package includes the dialling codes for all supported countries (for instance, the UK is in there) and the premium rate number and text of the SMS message which it intends to send.
Although the app makes a pretence of informing you what it plans to do when you first run the program, it is being pushy in the extreme by installing itself without your permission.
What's even more suspicious is that when I revisited the URL on my Android smartphone a few days later, I was redirected to another website which downloaded a different app (allnew.apk) which had the same functionality as the earlier sample, but was non-identical on a binary level.
Clearly someone is busy creating new variants of this malware.
Sophos products detect the malicious app as Andr/Opfake-C.
Note that the malware does not install itself automatically onto the Android smartphone. Instead, what we saw was the malicious APK file downloaded onto the device. There does, of course, remain the risk that a user might be tricked into manually installing the app - perhaps through social engineering.

Read More...


Tuesday, 24 April 2012

Proof-of-concept Android Trojan app analyzes motion sensor data to determine tapped keys

crackthesecurity | 01:04 | Be the first to comment!
A team of researchers from Pennsylvania State University (PSU) and IBM have designed a proof-of-concept Android Trojan app that can steal passwords and other sensitive information by using the smartphone's motion sensors to determine what keys victims tap on their touchscreens when unlocking their phones or inputting credit card numbers during phone banking operations.

The Trojan horse is dubbed TapLogger by its creators and was designed to demonstrate how data from a smartphone's accelerometer and orientation sensors can be abused by applications with no special security permissions to compromise privacy.

TapLogger was created by Zhi Xu, a PhD candidate in the Department of Computer Science and Engineering at PSU, Kun Bai, a researcher at IBM T.J. Watson Research Center and Sencun Zhu, an associate professor of Computer Science and Engineering at PSU's College of Engineering.

Accelerometer and orientation sensor data are not protected under Android's security model, and this means that they are exposed to any application, regardless of its permissions on the system, the research team said in a paper that was presented during the ACM Conference on Security and Privacy in Wireless and Mobile Networks on Tuesday.

The TapLogger application functions as an icon-matching game, but has several background components that capture and use data from the motion sensors to infer touchscreen-based user input.
When certain regions of the touchscreen are tapped during normal phone operation, the device experiences subtle movements. For example, tapping somewhere on the right side of the touchscreen will cause the phone to tilt slightly to the right.

These phone movements are picked up by the motion sensors and can then be analyzed to build patterns corresponding to specific tap events when performing certain actions, like when typing the screen unlock PIN or entering the credit card number during a phone call.

After installation, TapLogger runs in training mode and collects motion sensor data while the user plays the icon-matching game. This is necessary because tap-generated movements can be different for every phone and user.

After it has collected enough data, the Trojan app builds tap event patterns and starts using them to infer user input during targeted operations.

"While the applications relying on mobile sensing are booming, the security and privacy issues related to such applications are not well understood yet," the researchers said in their paper, noting that other motion sensor-based attacks have been demonstrated in the past.

In August 2011, a pair of researchers from University of California proposed a similar attack and designed a concept application called TouchLogger to demonstrate it.

However, compared to TouchLogger, TapLogger uses additional orientation sensor readings and introduces the training mode for device-specific data. It also features stealth options and supports two practical attacks -- inferring screen unlock passwords and credit card PIN numbers, the new Trojan's creators said.

Another motion-sensor-based attack was presented in October 2011 by a research team from the Georgia Institute of Technology, who used data from an iPhone 4's accelerometer and gyroscope to infer what was being typed on a computer keyboard positioned near the device.
Read More...


Saturday, 21 April 2012

Facebook-Style Scam on Pinterest Leads Users … Back to Facebook

crackthesecurity | 00:35 | Be the first to comment!
Pin promises exclusive Bieber XXX tape, links to classic Facebook sex-themed scam

Scammers are taking advantage of the high visibility of images on Pinterest, in this case a supposed naked Bieber video, to steer users to a scam on Facebook as part of the growing trend of cross-network sneakiness.


In this case, a Pin apparently featuring Justin Bieber splashing his way out of the ocean with no clothes on has popped up to take Pinterest users to a Facebook page that’s supposed to host the Bieber images.


The final stop, though, is a survey maze.


Though scams centered on sex and Justin Bieber have already gained a spot in the scam hall of fame, this appears to be the scammers’ first such connection across platforms. A previous scam wave was built on a reverse model, with Facebook (ads) steering to a Pinterest destination.

This twist of technique is probably due to scammers’ key advantage on Pinterest: the very high impact of visual content makes it relatively easy for scams to spread, text-based social engineering techniques being almost unnecessary.

The second element of novelty here is that the scam targets people highly active on online social platforms, more precisely the overlap between the Facebook and the Pinterest crowds.

As predictions about scams migrating from one platform to another and even building cross-platform malicious links are gradually confirmed, raising awareness about the existence of social scams and about the main baits they are likely to use is crucial. Despite the countless warnings against and lessons on social e-threats, scam history appears to repeat... with a twist.

This article is based on the technical information provided courtesy of Tudor Florescu, BitDefender Online Threats Analyst
Read More...


New Email Scam “Phishing” For Your Yahoo Credentials

crackthesecurity | 00:33 | Be the first to comment!
A new email phishing scam has just been reported and it looks like it’s going for your Yahoo credentials via a fake "E-Mail Account Exceeded" email subject.

Clicking the re-validate link will only redirect you to a Google Docs link that will display a small form asking you to input your email address, user name, password, and even opt for a 500 GB storage upgrade to your account.


Besides the poorly designed form, the fact that you can actually see the Google Docs link is an indication that the so-called hackers are pretty new at this and are targeting users not highly versed in Internet usage.
If you receive this type of email in your inbox, it’s safe to assume that you’re being conned into giving away your Yahoo account, by using one of the internet’s oldest scams.


What to Do: If you ever receive similar emails, we advise you to do a Google search with their content and see if someone has reported the message as being a hoax.
Read More...