YourITDepo Archives

All Platinum Categories

  • Security
  • Service
  •  


    All Platinum Tags

    Archive for December, 2010

    Heads Up Android Users: Geinimi Trojan Found

    Posted on Thursday, December 30th, 2010

    With all the things we ask of our phones and all we use them for, your phone becoming a botnet-ish slave sending data to a remote is a nightmare. Although this is not the first android targeted trojan, it is live and a real threat.

    Post from The Lookout Blog:

    The Threat:
    A new Trojan affecting Android devices has recently emerged in China. Dubbed “Geinimi” based on its first known incarnation, this Trojan can compromise a significant amount of personal data on a user’s phone and send it to remote servers. The most sophisticated Android malware we’ve seen to date, Geinimi is also the first Android malware in the wild that displays botnet-like capabilities. Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone.

    Geinimi is effectively being “grafted” onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets. The affected applications request extensive permissions over and above the set that is requested by their legitimate original versions. Though the intent of this Trojan isn’t entirely clear, the possibilities for intent range from a malicious ad-network to an attempt to create an Android botnet.

    Lookout has already delivered an update for its Android users to protect them against known instances of the Trojan. If you are already a Lookout user (free or premium), you are protected and no action is needed.

    How it Works:
    When a host application containing Geinimi is launched on a user’s phone, the Trojan runs in the background and collects significant information that can compromise a user’s privacy. The specific information it collects includes location coordinates and unique identifiers for the device (IMEI) and SIM card (IMSI). At five minute intervals, Geinimi attempts to connect to a remote server using one of ten embedded domain names. A subset of the domain names includes www.widifu.com, www.udaore.com, www.frijd.com, www.islpast.com and www.piajesj.com. If it connects, Geinimi transmits collected device information to the remote server.

    Though we have seen Geinimi communicate with a live server and transmit device data, we have yet to observe a fully operational control server sending commands back to the Trojan. Our analysis of Geinimi’s code is ongoing but we have evidence of the following capabilities:

    Send location coordinates (fine location)
    Send device identifiers (IMEI and IMSI)
    Download and prompt the user to install an app
    Prompt the user to uninstall an app
    Enumerate and send a list of installed apps to the server
    While Geinimi can remotely initiate an app to be downloaded or uninstalled on a phone, a user still needs to confirm the installation or uninstallation.

    Geinimi’s author(s) have raised the sophistication bar significantly over and above previously observed Android malware by employing techniques to obfuscate its activities. In addition to using an off-the-shelf bytecode obfuscator, significant chunks of command-and-control data are encrypted. While the techniques were easily identified and failed to thwart analysis, they did substantially increase the level of effort required to analyze the malware. The Lookout Security team is continuing to analyze capabilities of new and existing Geinimi variants and will provide more information as we uncover it.

    Who is affected?
    Currently we only have evidence that Geinimi is distributed through third-party Chinese app stores. To download an app from a third-party app store, Android users need to enable the installation of apps from “Unknown sources” (often called “sideloading”). Geinimi could be packaged into applications for Android phones in other geographic regions. We have not seen any applications compromised by the Geinimi Trojan in the official Google Android Market.

    There are a number of applications—typically games—we have seen repackaged with the Geinimi Trojan and posted in Chinese app stores, including Monkey Jump 2, Sex Positions, President vs. Aliens, City Defense and Baseball Superstars 2010. It is important to remember that even though there are instances of the games repackaged with the Trojan, the original versions available in the official Google Android Market have not been affected. As the Lookout team finds more variants of the Geinimi Trojan grafted onto legitimate applications, we’ll provide timely updates.

    As stated above, Lookout has already delivered an update for its Android users to protect them against known instances of the Trojan.

    How to Stay Safe:

    Only download applications from trusted sources, such as reputable application markets. Remember to look at the developer name, reviews, and star ratings.
    Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.
    Be aware that unusual behavior on your phone could be a sign that your phone is infected. Unusual behaviors include: unknown applications being installed without your knowledge, SMS messages being automatically sent to unknown recipients, or phone calls automatically being placed without you initiating them.
    Download a mobile security app for your phone that scans every app you download. Lookout users automatically receive protection against this Trojan.
    With the discovery of this new malware, it is more important than ever to pay attention to what you’re downloading. Stay alert and ensure that you trust every app you download. Stay tuned for more details on this threat.

    See post on The Lookout Blog:
    http://blog.mylookout.com/2010/12/geinimi_trojan/

    Posted in Security by | Comments Off on Heads Up Android Users: Geinimi Trojan Found

    More Mac Malware Predicted for 2011

    Posted on Wednesday, December 29th, 2010

    No surprise to us, with the increase in Mac users, you expect more malicious attacks will follow. Mac users had the false belief that Mac could not be attacked. That belief, just like the Lisa Simpson’s rock that kept the tigers away, was not enough to protect Mac users.

    Simply put if you never install ANY software on your Mac, you’re probably alright being that OSX does not have a shared registry like windows. However if you browse online, download music, watch videos, or open emailed documents, you’re at risk.

    A good example would be the exploits with java, and yes you probably installed java in your browser with root access, so you’re highly vulnerable as well.

    Now you can understand why Symantec makes a Mac product.

    IPod and IPhone look out, when application support for the iPod touch and iPhone was introduced; they opened the door for malware that specifically targets these devices (or, rather, the applications running on those devices). However, currently the notion of malware for these devices is more theory than reality. Jailbroken devices are more susceptible than Apple-approved devices and there have been instances of malware for jailbroken iPhones. If you plan to jailbreak your iPhone, the heightened malware risk is something to consider.

    SCMagazine posted:

    Will 2011 be the year that threats against Mac platforms and devices finally reach the tipping point?

    Yes, according to a number of security firms.

    McAfee, in its annual list prognosticating what next year holds from an information security perspective, believes that Apple-targeted malware will increase in sophistication.

    “Historically, the Mac OS platform has remained relatively unscathed by malicious attackers, but…the popularity of iPads and iPhones in business environments, combined with the lack of user understanding of proper security for these devices, will increase the risk for data and identity exposure, and will make Apple botnets and trojans a common occurrence,” the company said Tuesday.

    Meanwhile, PandaLabs predicts a similar increase in threats, especially as the market share for Mac users grows.
    “The greatest concern is the number of security holes in the Apple operating system,” the company said. “Developers will need to patch these holes as soon as possible, as hackers are well aware of the possibilities that these vulnerabilities offer for propagating malware.”

    CoreTrace, an application whitelisting firm, foresees considerably more exploits in 2011 aimed at mobile devices, such as those running Apple iOS, the specialized version of Mac OS X.

    Threats geared for the Mac are not unheard of, but Apple users have been more likely to be hit by a phishing attack than malware in the past.

    Apple’s media relations department is closed for the holidays, and a representative did not immediately respond to a request for comment.

    Original post from SCMagazine:
    http://www.scmagazineus.com/more-mac-malware-common-on-2011-prediction-lists/article/193415/

    Posted in Security by | Comments Off on More Mac Malware Predicted for 2011

    Exploit code posted for new Internet Explorer flaw

    Posted on Friday, December 24th, 2010

    December 20th a video posted on offensive-security.com Demonstrated the CSS handling flaw. Following this post on December 22nd code published on Metasploit.com.

    SCMagazine posted:

    An exploit taking advantage of an unpatched vulnerability in Internet Explorer (IE) has gone public.

    Security researcher Shahin Ramezany said in a Tuesday tweet that he was able to exploit the flaw, which involves the way IE handles CSS style sheets on Windows 7 and Vista machines.

    A video demonstrating code execution was posted Monday by Offensive Security, a provider of security tools and training.

    On Wednesday, exploit code was published as part of the open-source Metasploit hacking toolkit.

    The flaw is able to bypass two built-in Windows security features: Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), according to Ramezany.

    Microsoft has not yet confirmed the vulnerability.

    “We’re currently unaware of any attacks trying to use the claimed vulnerability or of customer impact,” Dave Forstrom, director of trustworthy computing at Microsoft, told SCMagazineUS.com on Wednesday in an email. “Once we’re done investigating, we will take appropriate action to help protect customers.”

    Read post from SCMagazine:
    http://www.scmagazineus.com/exploit-code-posted-for-new-internet-explorer-flaw/article/193258/

    On December 22nd Microsoft confirmed IE flaw, but claims its not yet being exploited. Looks like we will have to wait till The January 11th round of updates for the fix.

    Microsoft has confirmed the presence of an unpatched vulnerability in all supported versions of its Internet Explorer (IE) browser.

    The software giant on Tuesday evening EST released a security advisory, acknowledging the flaw that, if exploited, could result in the execution of remote code. The bug impacts IE versions 6, 7 and 8.

    “The vulnerability exists due to the creation of uninitialized memory during a CSS [style sheets] function within Internet Explorer,” the advisory said. Users can be exploited if they visit a web page hosting the exploit.

    Microsoft is not aware of any in-the-wild attacks targeting the vulnerability or of any affected customers, Carlene Chmaj, senior response communications manager for Microsoft’s Trustworthy Computing group, said in a blog post.

    But proof-of-concept code exists. A video demonstrating code execution was posted Monday by Offensive Security, a provider of security tools and training. And on Wednesday, exploit code was published as part of the open-source Metasploit hacking toolkit.

    Although the flaw is able to bypass two built-in Windows security features, Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), IE Protected Mode for Vista and subsequent versions of Windows “helps to limit the impact of currently known proof-of-concept exploits,” Chmaj wrote.

    Microsoft is next due to release security fixes on Jan. 11. As of now, the company has no plans to issue an out-of-cycle patch for this vulnerability.

    Read post from SCMagazine:
    http://www.scmagazineus.com/microsoft-confirms-ie-flaw-not-yet-being-exploited/article/193310/

    Posted in Security by | Comments Off on Exploit code posted for new Internet Explorer flaw

    Malware: It’s all in the gift-wrapping

    Posted on Friday, December 24th, 2010

    Malware and Spyware are on a huge rise this season, even when anti-virus software buying is rising. Simple re-hashing of old malware is more common now then new software.

    A technical post from Avast is worth a read.

    There is a market for gift-wrapping services in cyberspace – especially for malware.

    There are thousands of malware variants out in cyberspace, including the well-known Alureon, Koobface, FakeAV, and Zeus. Behind this myriad assortment is a surprisingly small group of packers with the task of slipping malware past antivirus programs. These packers can generate an almost unlimited number of unique instances of a single underlying malware binary. And what is good news for the bad guys – and rather bad news for the rest of us – is that these software packages make malware more accessible to the more “average” cybercriminal.

    You don’t have to be a geek to write malicious code, but advanced skills are certainly needed to effectively hide it from antivirus engines. The current solution to this dilemma is to get a custom malware packer which is constantly being fine-tuned to avoid emulation and detection by AV engines. In this way, you don’t need to recode anything once your binary is detected and you can easily distribute your old malware in new wrapper.

    See more from Avast:
    http://blog.avast.com/2010/12/20/malware-giftwrapping-services/

    Posted in Security by | Comments Off on Malware: It’s all in the gift-wrapping