f-secure.com/weblog
|
F-Secure Antivirus Research Weblog
|
Weblog of F-Secure Antivirus Research Team
|
-
Video: Angry Birds Space Trojan & Drive-by Android
On Monday, we released our Mobile Threat Report for Q1, and in that report we mention there's a growing number of mobile trojans that "deliver on their promises". What do we mean by that?
Well, in the past, mobile malware often offered something such as "free" mobile web services as bait, but then, during installation, the trojan would display some kind of decoy error message.
At that point the folks installing the trojan would typically search for answers, either because they were suspicious or because they were troubleshooting. That would then lead to actual answers on forums that what they had in fact installed was a trojan. These days, when even non-nerds have smartphones, the bait is quite a bit different.
No decoy messages. The "bait" actually works.
Here's a video of trojan installing a working copy of Rovio's Angry Birds Space as it compromises the phone.
Video: Trojanized Angry Birds Space.
So, nothing to troubleshoot… and how many non-nerds do you think will find getting what they were promised to be suspicious? It's quite possible that somebody could compromise their phone and they'll never come to realize it.
Android malware is definitely evolving.
Here's a short preview of something which developed during Q2: drive-by Android malware.
Video: Drive-by Android Malware. On 18/05/12 At 02:19 PM
-
Repost: Webinar: Making Life Difficult for Malware
Jarno Niemela, a Senior Researcher here at F-Secure Labs, will be taking part in a Black Hat Webcast on Thursday, May 17, 2012.
The subject is "Making Life Difficult for Malware" and will focus on system modifications that can be used to prevent malware from functioning properly in the event that your system is compromised.
More information can be found from the webinar's registration page.
Over 1,000 people have registered thus far! On 16/05/12 At 12:59 PM
-
Recommended Listening: Danger In The Download
The Documentary, a BBC World Service program (or programme) recently aired a 3-part series called Danger In The Download.
It's definitely worth a listen. All of the episodes are now available online.
Episode 1 — The growing threats in cyberspace from hackers and cyber weapons.
Episode 2 — Is the net's architecture and governance is still fit for purpose?
Episode 3 — What governments can do to protect the Internet.
If you prefer your audio in the form of a podcast, we also recommend PRI's The World: Technology Podcast which is also offering Episode 1 for download. On 15/05/12 At 01:01 PM
-
Download: Mobile Threat Report, Q1 2012
It's time to publicly release our latest Mobile Threat Report, covering the 1st quarter of 2012.
Our Q4 2011 report was quite popular and this new one for Q1 is even better. More content (and pages) for your reading pleasure.
Mobile Threats Motivated by Profit Per Quarter:
You can download it here: Mobile Threat Report, Q1 2012 [PDF] On 14/05/12 At 03:49 PM
-
What's wrong with marketing software?
Yesterday, I suggested that nonymous speech is vastly superior to anonymous DDoS attacks and other forms of censorship.
Today, I offer this "anti-piracy" PSA (circa 1988) as evidence to support my thesis:
Click to embiggen.
It's stuff like this that made me happy to buy Infocom's games. They asked nicely, and made their points with tongue-in-cheek humor. I still remember this joke 24 years later. DDoS attacks? They fade from memory quickly.
Internet activists (as well as today's media industry) would do well to learn from the past. On 10/05/12 At 01:02 PM
-
Pirate Bay to Anonymous: Call Your Mom!
UK Courts recently ordered Internet Service Providers to block access to The Pirate Bay. Yesterday, Virgin Media was attacked by some that claim associations to the Anonymous collective.
Well, The Pirate Bay had something to say about the attack on its Facebook page.
TPB: We believe in the open and free internets, where anyone can express their views. Even if we strongly disagree with them and even if they hate us.
My take: Love thy enemy.
TPB: So don't fight them using their ugly methods. DDOS and blocks are both forms of censorship.
My take: Two wrongs don't make a right.
TPB: If you want to help; start a tracker, arrange a manifestation, join or start a pirate party, teach your friends the art of bittorrent, set up a proxy, write your political representatives, develop a new p2p protocol…
My take: Don't be destructive. Better to be "subversive".
TPB: …print some pro piracy posters and decorate your town with, support our promo bay artists or just be a nice person and give your mom a call to tell her you love her.
My take: Call your mother. She worries about you.
Now some Anons out there may push back at The Pirate Bay's claim that DDoS equals censorship. There are numerous Anons that have claimed DDoS attacks are a form of digital protest similar to a sit-in. But consider this: a sit-in is a form of trespass, and trespass and preventing access to others is a crime.
A crime for which the world's greatest human rights leaders have been arrested. But that's the whole point. Civil disobedience is about non-violent resistance — breaking the rules and yet showing respect to the framework in order to change the rules. DDoS is not a non-violent protest. And the attempted lack of accountability is not respecting your fellow members of society.
Anon protip: there's a very good reason why Letter from Birmingham Jail by Martin Luther King, Jr. is (and always will be) infinitely more powerful than would be "YouTube video by Anon-MLK #OpBirmingham".
Kudos to the Pirate Bay crew for so clearly understanding this truth.
Regards,
Sean On 09/05/12 At 05:13 PM
-
Java Drive-by Generator
Ran across quite an interesting infection today. I visited a site that prompted me with a security warning about a "Microsoft" application from an unknown publisher. The site is actually pretending to be a Gmail Attachment Viewer. Microsoft+Gmail? Fail.
After allowing the application to run, it redirects to a Cisco Foundation invitation while downloading a malware binary in the background.
The message also contains a malicious link that downloads the same malware. Perhaps to make sure that you really get infected.
Anyway, this infection is generated using iJava Drive-by Generator, which apparently has been around for a while now.
The generator allows the attacker to use random names or specify their own preference for both the Java file and the dropped Windows binary.
iJava also keeps track of infections. Below is the data from the infection mentioned above:
Which shows that for this particular malware, the infection only started yesterday. So far there's only 83 visits to the Java drive-by link.
And thankfully, he's not very successful (knock on wood):
Updated to add: The number of visits has now increased to 122 with a 26% success rate. Since it's counting the number of visits, if a specific IP accessed the page twice it then counts it as two. The total unique IPs so far is 77 with 30% success rate.
Kaspersky's Kurt Baumgartner has pointed out that this rate can actually be considered pretty high for such kits.
On 08/05/12 At 03:27 PM
-
Webinar: Making Life Difficult for Malware
Jarno Niemela, a Senior Researcher here at F-Secure Labs, will be taking part in a Black Hat Webcast on Thursday, May 17, 2012.
The subject is "Making Life Difficult for Malware" and will focus on system modifications that can be used to prevent malware from functioning properly in the event that your system is compromised.
More information can be found from the webinar's registration page. On 08/05/12 At 01:01 PM
-
Terrorist Groups in the Online World
The Combating Terrorism Center at West Point (USA) has released a study called "Letters from Abbottabad: Bin Ladin Sidelined?". The study provides analysis of 17 declassified documents captured last year during the raid which killed Usama bin Ladin. Copies of the documents in the original Arabic as well as English translations have been made available.
PRI's The World has an excellent summary: US Releases Letters From Bin Laden Compound.
Our Chief Research Officer, Mikko Hypponen, has been studying online extremism. He examined the documents and found this:
Bin Laden wrote: "One indication of the sympathy towards Jihad is the tremendous number of young people who frequent the Jihadist websites" — Mikko Hypponen (@mikko) May 3, 2012
A reference to "jihadist websites", which can be found in document SOCOM-2012-0000019:
Mikko recently spoke about online jihadists at RSA Conference 2012.
You can watch the presentation here: Terrorist Groups in the Online World On 04/05/12 At 12:40 PM
-
Yet Another SQL Injection Attack
Somehow these SQL Injections targeting ASP/ASP.net sites just never seem to abate.
First there was Lizamoon… surprising us with the millions of websites that got injected.
Then came a few others with the recent ones being nikjju.com and hgbyju.com.
Now came njukol…
Although the name is no longer as catchy as Lizamoon, the idea remains the same.
This njukol.com is still pretty fresh out of the oven. The domain was registered last April 28. The funny thing is, the registrant of the domain is still the same with all those previous ones.
On 03/05/12 At 04:31 PM
|
Copyright © 2012 www.itplanet.cc. Alle Rechte vorbehalten.
|
|
|
Virenticker 
