Archive for December, 2011
The 28th Chaos Communication Congress (28C3) is currently underway in Berlin and on Tuesday, researcher Karsten Nohl gave a presentation called: Defending mobile phones. If you have an hour, it’s worth watching.
Initial press reports focused on Nohl’s revelation that hackers can potentially sniff numerous phone IDs and network authentications from an advantageous point, and because network authentications aren’t frequently refreshed (depending on the network operator), an attacker could make expensive premium rate calls and bill them to other persons. GSM network specifications allow for every network action to be re-authenticated, but that requires serious investment in authentication servers. So operators may only do it every third call. Or tenth. Or perhaps only when the phone connects to the network.
The H Security has a good summary overview of all the topics covered during the presentation.
But one of the most interesting things, from our point of view, was Nohl’s brief reference to recent reports (Dec. 13th) about various German police authorities having used nearly half a million “Silent SMS” to track suspects in 2010.
So we did a web search and found nothing about it in the English language press. However, Wikipedia’s SMS entry has (had) this:
Silent messages, often called silent SMS, stealth SMS, or stealthy ping, will not show up on the display, neither
is there an acoustical signal when they are received. However, at the mobile provider some data is created
(for example, the subscriber identification IMSI). This kind of message is sent especially by the police to locate
a person or to create a complete movement profile of a person. In Germany in the year 2010, nearly half a
million “silent SMSs” were sent by the federal police, the customs, and the secret service “Office for Protection
of the Constitution.”
We followed the referenced link to this Heise Online article. The title translates as: Customs, Federal Police and Protection of the Constitution in 2010 sent more than 440,000 “silent SMS”.
Hmm, Germany’s Customs Enforcement. Those were the folks that used the R2D2 backdoor a.k.a. “0zapftis”.
Using Google Translate and Google News, we were able to locate more German language articles using “stille SMS“.
The Federal Ministry of the Interior provided details on December 6th. (PDF)
In the screenshot below, you can see the number of messages sent by three authorities since 2006.
So what exactly does this mean?
Well, basically, various German law enforcement agencies have been “pinging” mobile phones. Such pings only reply whether or not the targeted resource is online or not, just like an IP network ping from a computer would.
But then after making their pings, the agencies have been requesting network logs from mobile network operators. The logs don’t reveal information from the mobile phones themselves, but they can be used to locate the cell towers through which the pings traveled. And thus, can be used to track the mobile targeted.
Requesting such network logs was a legal gray area until 2007, when Germany amended its telecommunications surveillance act.
And now we are left to wonder, just how many other countries consider this type of tracking to be a gray area?
On 29/12/11 At 06:47 PM
It’s almost the end of 2011. What with Christmas recently passed, and the New Year coming up, there’s naturally a lot of well wishes and holiday greetings being messaged around. Looks like somebody’s decided to join in (a little late) — and also do a bit of data harvesting at the same time.
Spyware:Android/AdBoo.A appears to be one of those programs that lets you send witty/sweet/funny messages to your contacts. On execution, it displays a list of text messages that fall into different categories: new year wishes, friendship, love and jokes:
When the user selects one of these messages, the app prompts a dialog box asking for the next action: Contact, Edit or Cancel:
If Contact is chosen, the app tries to read the stored contact data. Presumably, it needs to know to whom to send the message:
During our initial analysis, because the test phone didn’t have any stored contacts, the app didn’t retrieve anything at this point.
However, when AdBoo was retested with (bogus) contacts present, no text message was sent then either — AdBoo only produces a dialog box with the message “Sending fail”:
We noticed that the app did do something else though. On selecting the Contacts options, it silently obtained the following information from the device:
1) Phone Model
2) Android Version
3) Phone number
4) International Mobile Equipment Identity (IMEI) number
The harvested details are then forwarded to remote server.
Incidentally, looking at the certificate for this variant of AdBoo, it appears to be from the same developer as Zsone.A:
Threat Solutions post by — Irene
On 29/12/11 At 10:12 AM
Technologist of the Year awards recognize individuals in key roles for
their extraordinary efforts and contributions to enterprise technology
solutions. Global winners are selected for early-adopter and
groundbreaking uses of Oracle technology and for defining their roles in
a way that makes the industry take notice. Check out all the Oracle Excellence Awards 2011
winners in the January/February 2012 online issue of Oracle Magazine.
There’s a run of ZeuS (aka Zbot) trojans currently targeting several Finnish banks. And naturally, our Threat Research team has been working on related cases. Interestingly, they’ve discovered some new ZeuS functionality that hints of SpyEye.
This version of ZeuS 2.x (Zbot.AVRC) has two new commands it will accept: user_activate_imodule and user_restart_imodule.
When it receives the command user_activate_imodule, Zbot.AVRC will start a thread that attempts to load a certain DLL from disk, and if the DLL does not exists, it will be downloaded from a remote server. The trojan then fetches the addresses for three different functions that are exported by the DLL: TakeBotGuid, Init, and Start. The DLL is then started by creating a thread that runs code from the DLL.
User_restart_imodule simply calls the function named “Start” from the loaded DLL.
It is interesting to see that the names of the functions used from the loaded DLL are the same as those being used by SpyEye trojan components. The names of commands related to this could also be interpreted to refer to SpyEye (imodule = eyemodule?).
The full list of commands for this variant of ZeuS/Zbot.AVRC:
He who has seen more than his fair share of ZeuS bots, sorry for him, will notice that two often seen commands are not present; namely the commands for stealing passwords stored to FTP (user_ftpclients_get) and e-mail clients (user_emailclients_get).
Another notable detail of this ZeuS run is the quality of the Finnish used.
Here’s an example:
After a customer has started their banking session, they’ll be prompted by this message:
“Suo anteeksi, teknillinen palvelu tietää virheestä ja korjaa sitä.”
This basically translates to something such as: we’re sorry, there’s an error and we’re working to fix it.
And while the grammar is really rather good, the tone is a bit… odd. Native Finnish speakers say that the sentence sounds something like “we beg your pardon, but there has been as error” et cetera. It’s a little too polite for an error message.
We speculate the bank trojan gang outsourced their localization to professional translators, but didn’t provide quite enough context.
Analysis by — Mikko ja Mikko
On 28/12/11 At 03:45 PM
You’ve probably heard about the stratfor.com hack by now. Anonymous claimed responsibility.
Then Anonymous denied being responsible.
But then today, “Anonymous” claimed that the earlier anonymously posted pastebin post wasn’t Anonymous, but was really Stratfor employees claiming to be Anonymous.
Wait… doesn’t Anonymous claim that “we are all Anonymous”? If that’s true, then maybe it was Anonymous after all.
Does anybody care anymore?
Appears the public doesn’t. Google’s instant results for “anonymous is” and “anonymous are” contain few compliments for the group.
In other news: Anonymous promised another data dump today.
Pending denials by Anonymous of course.
On 27/12/11 At 04:22 PM
Earlier this month, we did a post about a family of premium rate SMS Trojans, which we detected as Trojan:Android/FakeNotify.A. Now we’ve found that the trojan has been updated, with changes to make analysis and detection more troublesome.
The new version comes from the same developer, as can be seen from the signing certificate. There’s no change in the trojan’s overall behavior, but the coding approach has changed significantly enough to foil static analysis tools and such.
For example, while analyzing I compared the SMS sending routine from both the original and the current versions, and observed a change from the earlier simpler coding approach to a more dynamic one.
In the original FakeNotify version, the routine was implemented in a straightforward manner that makes it is very easy to “read” what malware does:
The new version however takes advantage of the Reflection/Dynamic Invocation feature in the Java language to accomplish the same purpose, while making it harder for analysts to “read” the code.
The developer even goes one step further by obfuscating the string arguments with their own encoding/decoding algorithm (though this is just a simple substitution-like cipher). You can see the encoded form below:
The change in coding approach could easily defeat most static analysis tools.
Side note: during analysis, I suddenly realized the similarity between Windows LoadLibrary and GetProcAddress combo API functions and some features of Java Reflection. When it comes to dynamic retrieval of other API function addresses (Windows) and classes or method object handles (Java), both will allow the developer to call or invoke a recently acquired method or function.
Anyway, let’s go back to Android world. To ease analysis of the new FakeNotify version, I created a simple Python script to replace instances of obfuscated strings with the plaintext ones of all the decompiled Java sources of the malicious application.
After the patching, it became clearer that the SMS sending routine obtains the handle to the class SmsManager and its getDefault method/function, which subsequently needs to be invoked/called or properly initialized in order to use the SmsManager class’s sendTextMessage function:
Granted, this is hardly the first time I’ve seen Java Reflection feature being used by Android malwares, and the string obfuscation is not complex. It is however a pretty clear example of how Android malware developers are continuously adapting and upgrading their techniques to keep their ‘products’ fresh and undetected.
ThreatSolutions post by – Jessie
On 28/12/11 At 09:08 AM
has combined the high-end hardware it acquired in the deal for Sun
Microsystems, with its Oracle Database 11g, and brought to market a
trailblazing appliance aimed at value-added resellers and SMBs. With up
to 12 TB of storage, dual Intel Xeon processors and price of $50,000
(with a pay-as-you-grow model), the Oracle Database Appliance delivered
by far the best enterprise appliance of the year.”
The Oracle Database Appliance is a simple, reliable, and affordable solution that helps customers to:
- · Save time and money with plug-and-go deployment, automated management and single vendor support.
- · Eliminate deployment risk with a fully integrated and tested database appliance.
- · Replace inefficient, aging servers with the latest, most advanced database infrastructure.
- · Seamlessly scale with pay-as-you-grow software licensing that eliminates the hassle, cost, and downtime usually associated with hardware upgrades.
To learn more about the Oracle Database Appliance click here.
For our last blog post of the year, we took a look back to see which ones you read the most. It’s no surprise that the top five were tips—the shorter the better for reading at work.
We’ve found Android trojans that attempt to send SMS messages to premium rate SMS numbers. That’s not unusual. What is different though is that these trojans don’t work.
The trojans (detected as Trojan:Android/RuFailedSMS.A) use these permissions:
And pretend to be installers for a range of applications, with each malicious app offering to download a package (of what is presumably a popular app):
Some of the “offered” applications include:
Fortunately, due to some uncaught exception in the code, the trojan (SHA1: 0d2d3317c6ca1a9812d357741f45af6bb360d89c) doesn’t complete its malicious activities — it just crashes and terminates:
We’ve found over a hundred copies of the trojans, but the large number doesn’t make it technically advanced — the copies basically use the same source code, but just re-shuffled into different configurations for the different packages.
The trojans were found on third-party Android markets and targets users in Russia, Belarus, Kazakhstan and Azerbaijan.
Even though these trojans crash and fail, we are still detecting them due to the malicious routines, and also because of large number of copies circulating.
Threat Solutions post by — Jessie
On 27/12/11 At 10:13 AM
Members of the Anonymous collective announced during Christmas that they had broken into stratfor.com.
STRATFOR is an organization that gathers open source intelligence for forecasting purposes. They sell their publications via stratfor.com. As far as we can tell, Anonymous gained access to a subscriber list stored on stratfor.com, and that list contained unencrypted credit card data.
Anonymous has now published two lists of credit card details belonging to people who have subscribed to STRATFOR reports. The first one contained 3956 card details and the second one 13191 card details. These card details belong to subscribers all over the world.
After the credit card leaks, various members of Anonymous have published screenshots where these credit cards have been used to do sizable donations to various charities. The charities have included Red Cross, CARE, Save The Children and the African Child Foundation.
At the first glance, actions like this look a bit like the actions of Robin Hood – steal from the rich, give to the poor.
But unfortunately, in this case the poor won’t get a dime.
These donations will never reach the ones in need. In fact, these actions will just end up hurting the charities, not helping them.
When credit card owners see unauthorized charges on their cards, they will report them to their bank or credit card company. Credit card companies will do a chargeback to the charities, which will have to return the money. In some cases, charities could be hit with with penalties. At the very least, they will lose time and money in handling chargebacks.
On 26/12/11 At 08:03 AM