Google Won’t Remove CounterClank Apps

Google will not remove the 13 apps reported by Symantec containing “software development tools” that enable the theft of data because they do not violate Google’s terms of service.  Lookout Mobile Security said in a blog post Friday that it doesn’t consider the applications malware, but it does appear to be an “aggresive form” of an ad networking scheme, and should be taken seriously.  I would agree with that assessment, simply because it is a new pin on an old tactic, however I would still consider this malware to the extent that spyware was once considered in a similar light.  It has proven to be a real problem with real impacts, and has been used in a multitude of nefarious endeavors.

See this SC Magazine article for more coverage and details.

Beware “Official” Android Trojans!

Symantec has uncovered a massive botnet that may have lured millions of Android users into downloading malware infected apps from the official Android Market site.  The Trojan, being called ‘Android.Counterclank’, was wrapped into at least 13 free games on the official android app download site.  The following apps are known to be affected:

• Counter Elite Force
• Counter Strike Ground Force
• CounterStrike Hit Enemy
• Heart Live Wallpaper
• Hit Counter Terrorist
• Stripper Touch girl
• Balloon Game
• Deal & Be Millionaire
• Wild Man
• Pretty women lingerie puzzle
• Sexy Girls Photo Game
• Sexy Girls Puzzle
• Sexy Women Puzzle

If you have downloaded one or more of these games, you had best be taking some action to protect your information.  According to the description at Symantec’s site, the combined download figures for these malicious apps indicate Android.Counterclank has the highest distribution of any Android malware so far this year.

I don’t own any Android devices, so, why am I writing about this malware rather than the hundreds of malware variants found each day?  I am concerned that the “official” download site is laden with malicious applications.  The Android Market is owned and operated by Google Inc.  Android configurations really need to be tightened up, and the practices used when vetting an app for distribution on an “official” site need to be scrutinized and corrected.

Google really ought to know better.  There motto is “Don’t Be Evil”…

Cisco Q4-11 Global Threat Report

‘Tis the season for 2011 threat reports to start emerging, and here is Cisco’s contribution.  The Q4-11 report covers the period from 1 October 2011 through 31 December 2011.  This quarter’s contributors were Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco Security Research and Operations (SR&O), and Cisco ScanSafe.

.

.

Highlights from the Cisco 4Q11 Global Threat Report include:

• An overall average of 362 Web malware encounters per month occurred throughout 2011.
• Enterprise users experienced an average of 339 Web malware encounters per month in the quarter.
• The highest average rate of encounters occurred during September and October (698 and 697).
• An average of 20,141 unique Web malware hosts were encountered per month in 2011, compared to 14,217/month in 2010
• During 4Q11, 33% of Web malware was zero-day, not detectable by traditional signature-based methodologies.
• The rate of SQL injection signature events remained steady, with a slight decrease observed as the quarter progressed.
• Denial-of-service events increased slightly over the course of 4Q11.
• Global spam volumes continued to decline throughout 2011. Continue reading →

Malware Compromises College For 10 Years [ ! ]

Trojans and other malware have been discoverd at City College of San Francisco, with some stories indicating the malware has been in place for over 10 years.   I suspect (hope?) that this is a misquote, and that the speaker meant to say that malware has been a problem during that period!   I have not found any information positively confirming the duration of the infection, but the original article appears to imply that the malware was present for over 10 years.  Why was this not detected earlier, how did it manage to remain in place for so long?

It appears as is the case in many educational institutions, budgets are tight, interest is low, and apathy runs high. Passwords went unchanged for at least as long as the infection, security controls were extermely lax, and even after filtering controls were brought in, demand for access to highly questionable material was often approved if minimal pressure was applied.  As a result, a keystroke logger is among at least 7 flavors of malware found operating within the network, and is known to have stolen personal banking information and other data from at least one individual, and potentially hundreds of thousands of students, faculty and administrators.  The college employs 3,000 employees, and hosts about 100,000 students every year.

The college identified the infection in late November 2010 after it noticed that there were gaps in server logs located in the campus computer lab.  An AP story about the incident indicates that at 10:00 PM every day, the malware would troll through the network looking for data to send overseas.  During the investigation, the IT department saw communication with many foreign countries, including Russia and China.  There has been only one confirmed case of personal banking information being captured in this incident that I am aware of.

Upon learning of the breach, the college contained the incident by closing off the infected computer lab, removing the affected server from service, and scanning desktop computers for malware.  Many desktops were found to also be infected.  The college community was notified by e-mail on Jan. 13.  The IT department has since reconfigured the campus firewalls, improved password security controls, updated and created new security protocols, is developing a network segmentation strategy, and is preparing to install new security hardware.

It will be interesting to see what the fallout is regarding how many users are actually impacted by this breach, if there is any way to figure all that out.  What’s on your network?

Symantec Source Code Follow-up

In a follow-up to a previous post, it looks like Symantec has backed away from earlier statements regarding the theft of source code of some of its security products, now admitting that its own network was compromised.  In a statement provided to Reuters, the security software maker acknowledged that hackers had broken into its network and stole source code of some of the company’s security applications.

Symantec had insisted previously that hackers stole the code from a third party, but corrected that statement on Tuesday after an investigation found that Symantec’s own networks had been infiltrated six years ago.  The list of software has also increased, now including Norton Antivirus Corporate Edition, Norton Internet Security, Norton Utilities, Norton GoBack and pcAnywhere.

If you have these products installed, you may be at increased risk.  The best advice that I can offer is to make sure that you have secured these products to their fullest, that their exposure to potential threat vectors is minimized, and that any systems that use them are monitored for abnormal behavior and network traffic.

FDIC Spam Delivers Malware

Continue to be suspicious and diligent whenever you receive unsolicited emails.  No matter who the sender purports to be, never open those “important attachments”.  A recent malware attack poses as a communication from the Federal Deposit Insurance Corporation (FDIC) to businesses.

SophosLabs has reported interception of a large number of malicious emails, pretending to come from FDIC, claiming to have important information about the recipient’s bank.  The emails’ subject line is “FDIC: About your business account”, followed by a random code number.  The attached filename, containing the malware, is FDIC_Information_About-your-business-account-JAN2012-XXXXX.zip (where ‘XXXXX’ is a random number).

Attached to the emails is a ZIP file which contains a malicious payload, designed to infect Windows computers.

Dear Business Customer, We have important information about your bank. Please refer to attached file to view information. This includes information on the acquiring bank (if applicable), how your accounts and loans are affected, and how vendors can file claims against the receivership

Sophos anti-virus products detect the attachment proactively as Mal/BredoZp-B and Mal/Zbot-EZ.

One more note worth keeping in mind.  UPS, FedEx and other delivery services are commonly exploited in this kind of scam.  If you aren’t expecting a delivery, don’t open the attachment.  If the email contains a tracking number, go to the delivery service’s website or call them to confirm before opening a surprise attachment from aunt Martha.  Otherwise the surprise might be nastier than her old fuitcake…

Quick Follow-up – Symantec Source Code

Just a quick note to share the updated intell from a previous post; it would appear that Symantec has come clean, the hacker that claimed to have and threatened to release Symantec’s Norton Anti-Virus source code did indeed have it.  However, it is old code, it is not the source code from the current version.  The source code that was exposed was for Symantec Endpoint Protection 11.0, used to prevent outgoing data from being leaked.  It was four years old and had been updated regularly.  The source code for Symantec Antivirus 10.2 is five years old, and has been discontinued and no longer on sale for some time, althoughit is still being serviced and used.

It does make the current product somewhat suspect in my opinion, until Symantec has had a chance to rewrite and release a completely new version.  Having the source code for an application makes it simple to write exploit code to take advantage of the app, to silently turn it off, or to make it do some unexpected things.  The limit is your imagination, really, since A/V software runs so close to the kernel, and has so many privileged hooks.

I can’t say that I’m too happy about this, I am very surprised that the source code was allowed to languish on a 3rd party server, belonging to Indian Military Intelligence.  If you are using either of Symantec’s products, I would suggest you upgrade to the latest version, and pressure the vendor to release a new version that they guarantee is not based on this compromised code-base.

http://news.cnet.com/8301-1009_3-57353814-83/that-stolen-symantec-source-code-its-for-older-enterprise-products/

Rumors Abound – Symantec AntiVirus Source Code Leaked?

InfoSec Island is all over a reported breach and leak of Symantec’s flagship Norton Anti Virus product by an Indian hacker group known as “The Lords of Dharmaraja”.

The hackers have apparently posted on Pastebin a list of the files they obtained with the message “Complete listing of NAV source code package which is comming…” [sic], an indication that they intend to post the actual source code for the Symantec product.

If true, this breach could render Norton AV ineffective as a defense tool, and have a very serious impact on Symantec’s bottom line and stock value.

So far, all of the evidence presented appears to be a 12 year old document explaining how NAV works, but new material has been sent to Symantec for analysis and comment.  Let’s hope it is all bogus.  We don’t need the bad guys getting even more intelligence regarding the inner workings of commercial grade defensive tools.

Pre-Boot Malware Prediction

The National Institute of Standards and Technology (NIST) has released a draft version of their security guidelines for locking down the Basic Input/Output Systems (BIOS).  Exploitation of this and other Non-Volatile RAM and EEPROMs are my prediction for 2012.  I’ve seen a couple of malware reports from the lab and a sample that tried to hide its existence by writing to hard to reach areas, like the GPU and video RAM, and have been holding my breath hoping that these areas remain free of mainline cruft.  APT anyone?

Imagine a rootkit, but instead of writing its bootstrap code into the Master Boot Record of your hard drive, it flash updates your BIOS.  Who scans their BIOS?  Who wants to?  Soon you may need to scan every single chip and component in your system in order to ensure that these code monkeys haven’t tapped your keyboard.  The BIOS is initialized and loaded well before the Operating System, and any code that was written there would be potentially invisible to A/V products.

The BIOS Integrity Measurement Guidelines aim to help detect changes to system configuration and changes to BIOS code that could be used to let malware execute during the boot-up process.  NIST is welcoming comments on the draft document through January 20, 2012.  This guidance is directed more at developers than end-users.  Like most NIST guidance, it is recommendation, and not mandatory.

http://www.informationweek.com/news/government/security/232301025

Amnesty International Serving Malware

Amnesty International‘s homepage in the United Kingdom is currently serving malware that exploits a recently-patched vulnerability in Java. The attack appears to be part of a malicious scheme to target human rights workers.  Krebs’ blog reports that the site’s home page has been booby trapped with code that pulls a malicious script from what appears to be a hacked automobile site in Brazil. 

The auto site serves up a malicious Java applet that uses a public exploit to attack a fairly new Java flaw. The applet in turn retrieves an executable file detected by Sophos antivirus as Trojan Spy-XR, a malware variant first spotted in June 2011.  This Trojan provides remote access connectivity handling, Denial of Service (DoS) or Distributed DoS (DDoS) capabilities, keyboard input capture, file or object deletion, process termination for getting rid of those end-point pesky security controls.