Posts Tagged ‘Trojan’
Friday, June 7, 2013 @ 02:06 PM gHale
A new mobile threat is one of the most sophisticated Android Trojans one researcher has ever seen.
Backdoor.AndroidOS.Obad.a can perform a range of malicious tasks, including sending SMS messages to premium-rate numbers, downloading and installing additional malware, and remotely executing console commands, said researchers at Kaspersky Lab.
The malware looks more like Windows malware than a typical Android Trojan: it exploits several previously unpublished vulnerabilities and is highly complex, Kaspersky’s researchers said.
One of them is a bug in DEX2JAR, a tool analysts use to convert the Dalvik bytecode in APK files into JAR files. The Trojan’s developers abuse the bug so the conversion breaks, which makes static analysis of the Trojan very difficult.
The developers also leveraged a vulnerability in the Android operating system to make dynamic analysis of the threat difficult.
A third Android vulnerability is exploited to gain extended Device Administrator privileges, which makes it impossible to delete the malicious app from the device.
Obad.a only works in background mode – it doesn’t have any visual interface.
Once it infects a device, Obad.a immediately attempts to gain elevated privileges. It abuses its Device Administrator rights to lock the screen for up to 10 seconds.
During those 10 seconds, if the smartphone is connected to an unsecured Wi-Fi network or has Bluetooth available, the Trojan starts sending malicious files to the devices it detects nearby.
It also runs the “su id” command in an attempt to obtain root privileges.
When first launched, Obad.a collects various pieces of information on the device – including MAC address, operator name, phone number, IMEI and account balance – and sends it back to its command and control (C&C) server.
Then, it awaits commands from the C&C. The malware can then get an order to send text messages to specific numbers and delete the replies, act as a proxy, download files, connect to a specified address, retrieve a list of apps installed on the device, collect contact data, execute commands and send files via Bluetooth.
For the time being, this threat is not very widespread. Kaspersky researchers said of all the malware installation attempts it detected over a 3-day period, only 0.15 percent were from Obad.a.
Google is aware of the Android vulnerabilities exploited by the threat.
Friday, May 31, 2013 @ 03:05 PM gHale
The large peer-to-peer botnets ZeroAccess and Sality control over one million infected computers, while the P2P variant of the Zeus online banking Trojan has just reached 200,000 nodes, new research showed.
An international team of researchers infiltrated the networks to determine these figures. As it turns out, P2P botnets are much more resistant to targeted takedown attempts than originally thought.
Conventional botnets receive their orders from a central command-and-control server, which also constitutes their main weak point. If that server shuts down, the botnet master loses control of the infected computers.
Newer botnets, however, are going the decentralization route and using peer-to-peer structures like the ones used in file-sharing networks. In this situation, the infected systems network with each other, and each zombie computer has a list of direct communication partners that belong to the same botnet.
So far, the strategy for figuring out the size of a P2P botnet has been to query peer lists from known bots and then go from one to the next in the hope that, eventually, all of the infected systems will be tracked. Such “crawling”, however, produces figures that are far too low, said the researchers, who sneaked their own sensor systems into the P2P botnets. The team consisted of Christian Rossow (VU University Amsterdam and the Institute for Internet Security, Gelsenkirchen, Germany), Dennis Andriesse (VU University Amsterdam), Tillmann Werner (CrowdStrike, Inc.), Brett Stone-Gross (Dell SecureWorks), Daniel Plohmann (Fraunhofer FKIE, Bonn, Germany), Christian J. Dietrich (Institute for Internet Security, Gelsenkirchen) and Herbert Bos (VU University Amsterdam). Their sensors actively participated in the botnets’ communication and were thus able to register every active bot that contacted them. In just one day, the sensors detected more than 920,000 computers under the control of one instance of Sality; crawling had found only 22,000 of the botnet’s victims.
One major reason for the difference is that bots are quite picky these days about which computers they add to their peer lists. Home computers behind a NAT router, for example, are almost never included, since they cannot be contacted from the outside, so a crawler that only follows peer lists never sees them.
There’s more bad news when it comes to shutting these botnets down. One approach frequently discussed is sinkholing, in which security specialists try to fill the bots’ peer lists with their own systems’ addresses in order to stop communication within the P2P network. In their investigation, however, the researchers found some P2P botnets are more resistant to that strategy than originally thought. Sality, for example, has an internal reputation system for communication partners, and it is difficult for a sinkhole to displace a real bot with a high rating from the peer list.
The researchers’ findings come mainly from analysis of actual bots. In their paper, “P2PWNED: Modeling and Evaluating the Resilience of Peer-to-Peer Botnets”, they present a method for describing P2P botnets with formal models that can also simulate certain operations.
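The three effects described above (crawling missing NAT’d bots, a participating sensor seeing them, and a reputation system resisting sinkholing) can be reproduced in a small simulation. The following is an added example written for this page, not code from the P2PWNED paper or from any real bot; the overlay, the peer-list capacity and the reputation rule (a full list evicts only entries that have never completed an exchange) are simplified assumptions, not Sality’s or ZeroAccess’s actual protocol.

```python
import random
from collections import deque

MAX_PEERS = 16   # assumed peer-list capacity; the real bots' limits are not on the page


class Bot:
    def __init__(self, bot_id, routable):
        self.id = bot_id
        self.routable = routable      # False for hosts behind a NAT router
        self.peers = {}               # peer id -> reputation (completed exchanges)
        self.seen = set()             # used by the sensor: every bot that contacted it

    def learn(self, peer_id):
        """Add a peer; a full list evicts only an entry that has never proven itself."""
        if peer_id == self.id or peer_id in self.peers:
            return
        if len(self.peers) >= MAX_PEERS:
            weakest = min(self.peers, key=self.peers.get)
            if self.peers[weakest] > 0:   # every entry is proven: newcomer rejected
                return
            del self.peers[weakest]
        self.peers[peer_id] = 0


def exchange(src, dst):
    """src contacts dst (must be routable); both merge lists and credit each other."""
    dst.seen.add(src.id)
    for p in list(dst.peers):
        src.learn(p)
    for p in list(src.peers):
        dst.learn(p)
    src.peers[dst.id] = src.peers.get(dst.id, 0) + 1
    if src.routable:                  # a NAT'd host never enters anyone's list
        dst.learn(src.id)
        if src.id in dst.peers:
            dst.peers[src.id] += 1


def build_botnet(n_routable, n_natted, seed=1):
    """Constructed toy overlay: routable bots on a ring plus random links, NAT'd bots behind them."""
    rng = random.Random(seed)
    routable_ids = [f"r{i}" for i in range(n_routable)]
    bots = {rid: Bot(rid, True) for rid in routable_ids}
    for i, rid in enumerate(routable_ids):
        bots[rid].learn(routable_ids[(i + 1) % n_routable])
        for p in rng.sample(routable_ids, 2):
            bots[rid].learn(p)
    for i in range(n_natted):
        bot = Bot(f"n{i}", False)
        for p in rng.sample(routable_ids, 3):
            bot.learn(p)
        bots[bot.id] = bot
    return bots


def crawl(bots, seed_id):
    """Crawler: ask each reachable bot for its peer list and follow the entries."""
    found, queue = {seed_id}, deque([seed_id])
    while queue:
        bot = bots.get(queue.popleft())
        if bot is None or not bot.routable:   # no inbound path, so its list cannot be queried
            continue
        for p in bot.peers:
            if p not in found:
                found.add(p)
                queue.append(p)
    return found


def run_sensor(bots, seed_id, rounds=6):
    """Sensor injection: announce a sensor to one bot and let the overlay's own gossip spread it.
    The bots' peer lists are updated in place, as they would be in a live botnet."""
    nodes = dict(bots)
    sensor = Bot("sensor", True)
    nodes["sensor"] = sensor
    nodes[seed_id].learn("sensor")
    for _ in range(rounds):
        for bot in list(nodes.values()):
            if bot is sensor:
                continue
            for p in list(bot.peers):
                if nodes[p].routable:
                    exchange(bot, nodes[p])
    return sensor.seen


def sinkhole_share(bot, n_fake, use_reputation):
    """Attacker pushes n_fake sinkhole addresses at a bot; return the share of its list they take."""
    victim = Bot(bot.id, bot.routable)
    victim.peers = dict(bot.peers)
    for k in range(n_fake):
        fake = f"sink{k}"
        if use_reputation:
            victim.learn(fake)
        else:                         # naive bot: a full list just drops its oldest entry
            if len(victim.peers) >= MAX_PEERS:
                del victim.peers[next(iter(victim.peers))]
            victim.peers[fake] = 0
    return sum(p.startswith("sink") for p in victim.peers) / len(victim.peers)


if __name__ == "__main__":
    net = build_botnet(10, 30)
    print("crawler found", len(crawl(net, "r0")), "of", len(net), "bots")
    print("sensor saw   ", len(run_sensor(net, "r0")), "of", len(net), "bots")
    print("sinkhole share naive %.2f, with reputation %.2f"
          % (sinkhole_share(net["n0"], 50, False), sinkhole_share(net["n0"], 50, True)))
```

With 10 routable and 30 NAT’d bots the crawler reports 10, the sensor reports 40, and flooding a bot whose list is full of proven peers leaves the sinkhole with only the free slots; a bot without the reputation rule hands over its entire list.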
Thursday, May 30, 2013 @ 05:05 PM gHale
A new banking malware now targets e-commerce as well and comes with features that help it evade common security tools.
Beta Bot has been refined over the last few months and is now being sold, according to research by RSA Security’s Limor Kessem. The bot started out in January as an HTTP bot and then gradually turned into a banking Trojan. Kessem, who is part of RSA’s Cybercrime and Online Fraud Communications division, said Beta Bot has quite a few attack vectors.
The malware has been seen targeting everything from large financial institutions to social networking sites, along with “payment platforms, online retailers, gaming platforms, webmail providers, FTP and file-sharing user credentials … domain registrars for the common malware use of registering new resources,” Kessem said.
The bot installs on a machine only after the user clicks through a prompt and allows it. Once in, however, the malware has an array of self-defense mechanisms.
Users whose machines are infected will find themselves unable to reach whichever antivirus and security vendor websites the attacker selects, Kessem said. Attempts to reach one of those sites are redirected to an IP address of the attacker’s choosing instead.
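The page does not say how Beta Bot implements the redirect; overriding vendor hostnames in the local hosts file is one common way malware does it, and that is what the following check looks for. This is an added example for incident responders, not RSA’s or Beta Bot’s code: the vendor watchlist and the tampered hosts file are constructed samples, and the Windows path in the comment is the standard location, not something the page states.

```python
import ipaddress
import sys

# Constructed watchlist of vendor domains an attacker would want to block; extend for your environment.
SECURITY_VENDOR_SUFFIXES = (
    "kaspersky.com", "symantec.com", "mcafee.com", "virustotal.com",
    "windowsupdate.com", "update.microsoft.com",
)

# Constructed sample of a tampered hosts file (Windows: C:\Windows\System32\drivers\etc\hosts).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example   # legitimate internal override
203.0.113.7     www.kaspersky.com update.symantec.com
127.0.0.1       www.virustotal.com
0.0.0.0         liveupdate.mcafee.com
"""


def parse_hosts(text):
    """Yield (hostname, address) pairs, skipping comments, blank and unparseable lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield name.lower(), addr


def on_watchlist(name, suffixes):
    return any(name == s or name.endswith("." + s) for s in suffixes)


def audit_hosts(text, suffixes=SECURITY_VENDOR_SUFFIXES):
    """Return (hostname, address, verdict) for every watchlisted host the file overrides.
    Loopback/unspecified targets simply black-hole the site; anything else is a redirect."""
    findings = []
    for name, addr in parse_hosts(text):
        if not on_watchlist(name, suffixes):
            continue
        verdict = "blackholed" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append((name, str(addr), verdict))
    return findings


if __name__ == "__main__":
    # pass a real hosts file path as the first argument; otherwise the constructed sample is audited
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for name, addr, verdict in audit_hosts(text):
        print(f"{verdict:10} {name} -> {addr}")
```

A legitimate internal override such as the intranet line is left alone; only hosts on the watchlist are reported, with the verdict telling the analyst whether the machine merely cannot reach the vendor or is being sent somewhere else.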
The malware detects virtual machines and refuses to execute in them, and it can avoid sandboxes as well, Kessem said. It can even block other malware from spreading on the system by “terminating their processes” and blocking code injection.
The Trojan goes on to log stolen data in a MySQL database, download malicious files, remotely control the infected PC and trick users into making fraudulent banking transactions.
Kessem spoke with Beta Bot’s developer, who said he is selling binaries for the malware and providing technical support but doesn’t plan to sell the builder, opting instead to keep it private. Builds sell in underground online forums for between $320 and $500, bundled with a customized server-side control panel.
Banking Trojans continue to grow more sophisticated in order to stay ahead of advanced detection methods.
Shylock, the credential-swiping Trojan that relies mainly on man-in-the-browser attacks, began to weed out less profitable banks last month and updated its infrastructure to avoid downtime. Developers behind the Zeus Trojan started selling tweaked versions of the malware in April, complete with customized botnet panels, via social networks like Facebook.
Tuesday, April 30, 2013 @ 04:04 PM gHale
A new Trojan capable of compressing stolen data and uploading document files to remote servers is now seeing use in targeted operations, researchers said.
Upon infecting a machine, the malware, called “Travnet,” gathers information about the victim – such as the computer name, IP address, IP configuration details and a list of running processes – and sends it to a command-and-control server.
From there, botnet operators can determine the value of information on the compromised machines at their disposal, while sending further instructions, McAfee Labs researchers said.
Travnet can steal files, such as Microsoft Office documents, PDFs and various text files, said Umesh Wanve, a principal research engineer at McAfee Labs in a blog post.
The Trojan then compresses and encodes the stolen data so it can send large amounts of information to the botnet operators. The hijacked data is first compressed with the Lempel–Ziv–Storer–Szymanski (LZSS) algorithm, then encoded with a custom variant of Base64, the encoding that converts binary data to ASCII (American Standard Code for Information Interchange) text.
“The compressed file can be too big to send over HTTP [hypertext transfer protocol], so the bot sends the compressed file in chunks of 1,024 bytes,” Wanve said.
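To see what an analyst has to undo when recovering such traffic, here is an added example of the three-layer scheme just described: LZSS compression, Base64 with a non-standard alphabet, and 1,024-byte chunking. This is illustrative code written for this page, not Travnet’s; the LZSS token layout (a flag byte followed by a literal or a 12-bit offset/4-bit length pair) and the custom alphabet (the standard one reversed) are assumptions, since the page gives neither, and the sample document is constructed.

```python
import base64

STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Assumed custom alphabet (Travnet's real table is not on the page): the standard one reversed.
CUSTOM_ALPHABET = STD_ALPHABET[::-1]
TO_CUSTOM = bytes.maketrans(STD_ALPHABET, CUSTOM_ALPHABET)
TO_STANDARD = bytes.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)


def lzss_compress(data, window=4095, min_match=3, max_match=18):
    """LZSS: each token is a flag byte followed by either a literal byte or a 2-byte
    back-reference (12-bit offset, 4-bit length-3) into the previous `window` bytes.
    The defaults are the only values lzss_decompress() understands."""
    out, i, n = bytearray(), 0, len(data)
    while i < n:
        start = max(0, i - window)
        match_len = match_off = 0
        for length in range(min(max_match, n - i), min_match - 1, -1):
            # the end bound keeps the match start before i; overlapping runs are allowed
            pos = data.rfind(data[i:i + length], start, i + length - 1)
            if pos != -1:
                match_len, match_off = length, i - pos
                break
        if match_len:
            out.append(1)
            out += ((match_off << 4) | (match_len - min_match)).to_bytes(2, "big")
            i += match_len
        else:
            out.append(0)
            out.append(data[i])
            i += 1
    return bytes(out)


def lzss_decompress(blob):
    out, i = bytearray(), 0
    while i < len(blob):
        flag = blob[i]
        i += 1
        if flag == 0:
            out.append(blob[i])
            i += 1
        else:
            token = int.from_bytes(blob[i:i + 2], "big")
            i += 2
            offset, length = token >> 4, (token & 0xF) + 3
            start = len(out) - offset
            for k in range(length):       # byte by byte so overlapping copies work
                out.append(out[start + k])
    return bytes(out)


def custom_b64encode(data):
    return base64.b64encode(data).translate(TO_CUSTOM)


def custom_b64decode(text):
    return base64.b64decode(bytes(text).translate(TO_STANDARD))


def pack_for_exfil(document, chunk_size=1024):
    """Bot side: compress, encode with the custom alphabet, split into HTTP-sized chunks."""
    encoded = custom_b64encode(lzss_compress(document))
    return [encoded[i:i + chunk_size] for i in range(0, len(encoded), chunk_size)]


def unpack_exfil(chunks):
    """Analyst side: reassemble captured chunks and reverse both layers."""
    return lzss_decompress(custom_b64decode(b"".join(chunks)))


if __name__ == "__main__":
    # constructed sample "document" with the repetition typical of office files
    doc = b"".join(b"record %04d: employee %05d, dept %d\n" % (i, i * 7, i % 9) for i in range(400))
    chunks = pack_for_exfil(doc)
    print(len(doc), "bytes ->", len(lzss_compress(doc)), "compressed ->", len(chunks), "chunks")
    print("round trip ok:", unpack_exfil(chunks) == doc)
```

The decoder is the useful half for a responder: once the alphabet has been recovered from a sample, reversing the translation table and concatenating the captured chunks gives back the original files.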
In findings released last month, McAfee determined Travnet reaches victims through emails, and that the Trojan exploits already-patched vulnerabilities in Microsoft Office, such as CVE-2010-3333, a flaw also exploited by the Red October cyber espionage ring.
Monday, April 8, 2013 @ 02:04 PM gHale
Yes, it focuses on the banking industry and doesn’t really apply to the manufacturing automation sector, but the credential-stealing Shylock Trojan is growing increasingly sophisticated, a new report said.
Its level of sophistication keeps rising because its creators continue adding new modules and functionality to the man-in-the-browser malware, according to a Symantec report.
Shylock steals via man-in-the-browser (MitB) attacks designed to pilfer banking login credentials from a predetermined list of target organizations. Symantec said Shylock is targeting more than 60 banks and financial institutions, mostly in the United Kingdom but also in the United States and Italy. From its inception in July 2011 until around May 2012, Shylock targeted only institutions in the UK, so this global expansion is part of the Trojan’s new look.
The malware’s creators are also refining the target list to root out less valuable banks that have either become harder to compromise or no longer provide services for high-value clients.
Shylock’s list of modules includes: an archiver that compresses and uploads recorded video files to remote servers; a BackSocks mechanism that lets Shylock use infected machines as proxy servers; a diskspread function that lets it spread via removable drives; an ftpgrabber module that steals passwords from various applications; an MsgSpread module that lets it proliferate through Skype instant messages; and a VNC module that gives attackers a remote connection to compromised devices.
Shylock’s creators aren’t just refining their target list and adding features to expand its capabilities and reach; they’re also fortifying its infrastructure to avoid downtime.
Shylock has been able to spread itself over Skype messages since January. Before that, its most substantial upgrade came in November of last year, when its creators added a detection-evasion function that lets the Trojan determine whether it is executing on a real computer or whether researchers have opened it in a virtual machine to pick it apart.
Thursday, April 4, 2013 @ 04:04 PM gHale
The leaders behind the Carberp Trojan and other developers who helped create it are under arrest in Ukraine following a joint investigation by the Security Service of Ukraine (SBU) and the Russian Federal Security Service (FSB).
In a major operation, police busted what they said were the gang’s ringleaders, two Moscow-based brothers in their late 20s, one of whom was also a suspect in a real estate fraud case.
Six accomplices of the pair were also under arrest.
“Our experts did an enormous amount of work, which resulted in identifying the head of this criminal group, the owner and operator of a specialized banking botnet, identifying the control servers, and identifying the directing of traffic from popular websites in order to spread malware infection,” said Ilya Sachkov, chief executive of Group-IB, a security firm that helped investigate the gang’s attacks.
The rest of the group — 20 people, all between 25 and 30 years old — were living and working in Kiev, Zaporozhye, Lvov, Odessa and Kherson, where they were arrested, police said.
Each of them worked remotely and was responsible for developing one part of the malware, officials said. They sent their work to a server in Odessa, where the gang leader apparently assembled the pieces into the final product. The developers constantly reworked the malware to evade antivirus detection.
Carberp is a banking Trojan that steals information that attackers can subsequently use to break into individuals’ and businesses’ online banking accounts. It also has a mobile component that allows criminals to steal mobile transaction authentication numbers sent by banks.
A little over a year ago a Russian gang used the Trojan to steal over $2 million from the bank accounts of more than 90 individuals. That criminal ring was dismantled. Late last year RSA officials said the team that developed the Trojan had begun selling and renting it to anyone who could afford it.
According to a Ukrainian news outlet, some of the arrested men are already out on bail, while others remain under house arrest. If convicted in a Ukrainian court, the maximum prison sentence they can receive is five years. Some of the arrested individuals have Russian citizenship, so they may be extradited and tried in their native country.