Android security tips and Windows AutoRun protection
by Armando Orozco
Recently, two applications designed with malicious intent were discovered within the Google Play application store. The apps were built with a façade of being utility cleaners designed to help optimize Android-powered phones, but in reality, both apps had code built in designed to copy private files, including photos, and submit them to remote servers.
The applications, named SuperClean and DroidClean, did not stop there. Researchers also found that the malware was able to AutoRun on Windows PC devices when the phones were paired, and infect the main computer. The malware was designed to record audio through the computer’s microphone.
AutoRun has often been used as a method of infection, and Microsoft has since sent a security fix out to Windows XP/Vista/7 in order to disable the exploitable element. In some cases, however, the feature might have been re-enabled by the user for convenience or never changed through a backlog of updates.
An application such as this has not been seen in the past, and is showing the creative methods through which malware coders are attempting to break through a computer’s security. With the Android device acting as a Trojan horse for the infection, malicious code has the potential of bypassing established security parameters that typically keep endpoint users safe within their network.
While Webroot has classified the malicious apps, which have been removed from Google Play’s market, it goes to show that protective steps are necessary on all levels of devices to avoid an infection. Below, we will highlight the steps you can take to help stay protected from attacks like these.
Android Devices:
- Ensure the latest version of Webroot SecureAnywhere Mobile is installed from the official Google Play Android app store.
Webroot SecureAnywhere (PC users):
- Ensure USB shield is enabled (on by default)
- Steps: Open Webroot > Select PC Security Tab > Select Shields > Slide USB Shield to on (green)
- Advanced users can modify USB heuristic settings:
- Steps: Open Webroot > Select PC Security Tab > Select Scan > Select Change Scan Settings > Select Heuristics > Select USB > Select desired protection settings
For all users, we recommend ensuring that AutoRun is disabled on your computer. Even though Microsoft rolled out updates to disable, it is possible it could be enabled. Finally, always ensure you scan USB and other connected devices for malware before storing data or using on other PCs.
For more information and to keep up with the conversation, head to our community: http://bit.ly/11RKiFa
Source: SecureList http://www.securelist.com/en/blog/805/Mobile_attacks
‘Your Kindle e-book Amazon receipt’ themed emails lead to Black Hole Exploit Kit
Kindle owners, watch what you click on!
Cybercriminals are currently attempting to trick Kindle owners into thinking that they’ve received a receipt from an E-book purchase from Amazon.com. In reality, when users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.
More details:
Fake FedEx ‘Tracking ID/Tracking Number/Tracking Detail’ themed emails lead to malware
On a daily basis, we intercept hundreds of thousands of fraudulent or malicious emails whose purpose is to either infect users with malicious software or turn them into victims of fraudulent schemes. About 99% of these campaigns rely on social engineering tactics, and in the cases where they don’t include direct links to the actual malware, they direct users to the market leading Black Hole Exploit Kit.
In terms of volume and persistence, throughout January, 2013, a single malicious campaign impersonating FedEx topped our metrics data. What’s so special about this campaign? It’s the fact that the digital fingerprint of one of the most recently introduced malware variants used in the campaign corresponds to the digital fingerprint of a malware-serving campaign that we’ve already profiled, indicating that they’ve been launched by the same cybercriminal/gang of cybercriminals.
Sample screenshot of the spamvertised email:
Sample spamvertised compromised URLs part of the campaign:
hxxp://relax-legend.ba/ZXSZUSBLZG.php?receipt
hxxp://stylephone.co.il/misc/teasers.php?receipt
hxxp://voguepay.com/FEZDVUUCLG.php?receipt=
hxxp://sunrisemedya.com/HAEJMKGUMT.php?receipt
hxxp://sunseekerownersclub.com/OOLZRZQTIW.php?receipt
hxxp://selimi-fugenabdichtungen.de/IYSZJVVIRA.php?receipt
hxxp://sunseekerownersclub.com/OOLZRZQTIW.php?receipt
hxxp://www.cursillodeorientacion.com/OLKIHLKYSB.php?receipt
hxxp://www.diocesebatroun.org/UEKFWHOJPF.php?receipt
hxxp://suarevista.com.br/QGQRXAOJLV.php?receipt
hxxp://fundloan.info/AYKQRUYOSL.php?receipt
hxxp://secretmobilemoneyprofits.com/SCTQOFXHVC.php?php=receipt
hxxp://www.matwigley.co.uk/SOJAJDTLAX.php?php=receipt
hxxp://rossiangelo.it/ALAGZUCWHV.php?receipt
hxxp://tqm.com.ua/misc/teasers.php?receipt
hxxp://metalphotosplus.com/PAUDSPBBXE.php?receipt
hxxp://businesscoaching24.com/BWMIZNPQAT.php?receipt
hxxp://www.bsf.org.pk/misc/teasers.php?get_receipt
hxxp://ferz.kiev.ua/misc/teasers.php?get_receipt
Detection rate for the malware variants distributed over the past 24 hours:
MD5: 980ffe6cee6ad5a197fbebdeeac9df57 – detected by 31 out of 46 antivirus scanners as Trojan-Downloader.Win32.Kuluoz.amg
MD5: bf061265407ea1f7c21fbf5f545c4c2b – detected by 6 out of 46 antivirus scanners as PAK_Generic.001
MD5: 6bb823d87f99da067e284935ca3a8b14 – detected by 36 out of 46 antivirus scanners as TrojanDownloader:Win32/Kuluoz.B
MD5: 75db84cfb0e1932282433cdb113fb689 – detected by 29 out of 46 antivirus scanners as TrojanDownloader:Win32/Kuluoz.B
Deja vu! This is the same MD5: 75db84cfb0e1932282433cdb113fb689 that we profiled in the “Fake Booking.com ‘Credit Card was not Accepted’ themed emails lead to malware” analysis, indicating a (thankfully) low QA (Quality Assurance) applied on behalf of the cybercriminals launching these campaigns.
The campaign is ongoing, so watch what you click on! Webroot SecureAnywhere users are proactively protected from these threats with our comprehensive internet security solution.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
Fake Booking.com ‘Credit Card was not Accepted’ themed emails lead to malware
Cybercriminals are mass mailing tens of thousands of emails, impersonating Booking.com, in an attempt to trick its users into thinking that their credit card was not accepted. Users are then urged to click on a fake “Print Booking Details” link, which leads them to the malware used in the campaign.
More details:
Malicious ‘Facebook Account Cancellation Request” themed emails serve client-side exploits and malware
In December, 2012, we intercepted a professional-looking email that was impersonating Facebook Inc. in an attempt to trick its users into thinking that they’ve received an “Account Cancellation Request“. In reality, once users clicked on the links, their hosts were automatically exploited through outdated and already patched client-side vulnerabilities, which dropped malware on the affected PCs.
Over the past 24 hours, cybercriminals have resumed spamvertising tens of thousands of legitimate-looking Facebook themed emails, once again using the same social engineering theme.
More details:
A peek inside a DIY password stealing malware
On a daily basis, we continue to observe the emergence of the DIY (do-it-yourself) trend within the entire cybercrime ecosystem. And although the DIY activity cannot be compared to the malicious impact caused by “cybercrime-as-a-service” managed underground market propositions, it allows virtually anyone to enter the profitable world of cybercrime, thanks to the ongoing leaks of proprietary malware generating tools and freely available alternatives.
In this post, I’ll profile the latest version of a Russian DIY password stealing malware that’s targeting multiple browers, Email, IM, FTP clients, as well as online poker clients.
Fake ‘FedEx Online Billing – Invoice Prepared to be Paid’ themed emails lead to Black Hole Exploit Kit
Users of FedEx’s Online Billing service, watch out!
Cybercriminals are currently mass mailing tens of thousands of emails impersonating the company, in an attempt to trick its customers into clicking on exploits and malware dropping links found in the legitimate-looking emails.
More details:
Bogus ‘Your Paypal Transaction Confirmation’ themed emails lead to Black Hole Exploit Kit
Financial institutions and online payment processors are a common target for cybercriminals, who systematically brand-jack and abuse the reputation of their trusted brands, in an attempt to scam or serve malware to their customers.
Over the past 24 hours, cybercriminals have launched yet another spam campaign, impersonating PayPal, in an attempt to trick its users into thinking that they’ve received a “Transaction Confirmation“, which in reality they never really made. Once users click on any of the links found in the malicious emails, they’re exposed to the client-side exploits served by the Black Hole Exploit Kit.
More details:
Novice cybercriminals experiment with DIY ransomware tools
For years, the DIY (do-it-yourself) trend has been evident across the entire cybercrime ecosystem.
From the early exploits generating DIY tools that set the foundations for the upcoming “malicious economies of scale” trend to emerge, to the ongoing leaks of DIY botnet and malware generating tools that were once only available to advanced attackers, it’s never been easier to enter the world of cybercrime.
In this post, I’ll profile a novice cybercriminal’s approach to entering the profitable world of ransomware.
More details:
Fake LinkedIn ‘Invitation Notifications’ themed emails lead to client-side exploits and malware
LinkedIn users, watch what you click on!
Over the past 24 hours, cybercriminals have launched yet another massive spam campaign, impersonating LinkedIn, in an attempt to trick its users into clicking on the malicious links found in the bogus “Invitation Notification” themed emails. Once they click on the links, users are automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.
More details:
Fake Intuit ‘Direct Deposit Service Informer’ themed emails lead to Black Hole Exploit Kit
Cybercriminals are currently spamvertising tens of thousands of fake emails, impersonating Intuit, in an attempt to trick its customers and users into clicking on the malicious links found in the emails.
Once users click on any of the links, they’re exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit, which ultimately drops malware on the affected hosts.
More details:
Android malware spreads through compromised legitimate Web sites
Over the past 24 hours, our sensor networks picked up an interesting website infection affecting a popular Bulgarian website for branded watches, which ultimately redirects and downloads premium rate SMS Android malware on the visiting user devices. The affected Bulgarian website is only the tip of the iceberg, based on the diversified portfolio of malicious domains known to have been launched by the same party that launched the original campaign.
More details: