Archive for the ‘McAfee News’ Category
Android DIY DoS App Boosts Hacktivism in South America
Hacktivism has become very popular in recent years; one of its leading agents is the online community Anonymous. Hacktivist groups use digital tools to perform denial of service (DoS) attacks to pursue political ends or to protest against controversial laws in countries around the world. One of the most common tools they use is Low Orbit Ion Cannon (LOIC), an open-source computer program written in C# that can run different types of DoS attacks. LOIC can send a large amount of TCP/UDP packets to a specific URL/IP address in a short amount of time. The same tool has been ported to JavaScript to perform a DoS directly from a browser. The existence of Web LOIC, along with anonymous web hosting services such as pastehtml, has made it possible for any user on the Internet to participate in those attacks with just one click.
Recently the same attack has been easily ported to one of the most popular mobile platforms: Android. Anonymous social network accounts promote the new attack in Latin America as “LOIC para Android by Alfred”:
By “easily” ported I mean that it is not necessary to have any programming skills to create the Android application because it was generated with a free online service that creates Android apps with just a URL, HTML code, or a document (DOC or PDF). In this case, the attack was created with only the URL of a specific pastehtml website that has a JavaScript version of LOIC to perform a DoS attack against the Argentinian government. The attack is part of the operation #opargentina, run by an Anonymous cell in South America. Once the tool is downloaded and installed, the following icon appears in the applications menu:
When it is executed, a WebView component shows the contents of the URL, which is basically an HTML web page with a JavaScript that sends 1,000 HTTP requests with the message “We are LEGION!” as one of the parameters. (The web page does not fit in the Android screen, probably because the tool that creates the application does not adjust the size of the web page inside WebView.)
Creating Android applications that perform DoS attacks is now easy: It requires only the URL of an active web LOIC–and zero programming skills–thanks to automated online tools. Because the application’s purpose is simply to display any website on an Android system, we classify this hack tool as a potentially unwanted program (PUP). If you have enabled PUP detection (our default setting), then McAfee Mobile Security for Android will detect this tool as Android/DIYDoS.

See more here:
Android DIY DoS App Boosts Hacktivism in South America
Adware on Mobile Devices an Evolving Privacy Threat
Potentially Unwanted Programs (PUPs) are often legitimate software that poses a risk to users’ privacy or systems. A reasonably secure–or privacy-minded–user may want to be informed of the presence of certain PUPs and in some cases remove them. One very common type of PUP is adware, which exists to make revenue through advertising. Some adware is merely annoying, but other adware could ignore or violate a user’s privacy by collecting and transmitting sensitive information to others without the user’s consent. Adware is well-known in the PC world and is becoming more prevalent now on mobile platforms (due to the fact that more developers are able to distribute their own applications from a central source like the Android Market).
The recent PUP Toplank (a.k.a. Counterclank) is an example of how aggressive mobile advertising in the Android world can be. The basic installation behaviors may be bad enough for some users. For example, Toplank adds bookmarks and home-screen shortcuts and makes home-page modifications without adequately informing the user or gaining consent to do so. More disturbing is what it does after it is installed. Recently, during the analysis of suspicious live wallpaper available in the Android Market, I found an advertisement module similar to Toplank’s in the sense that, once the PUP executes, it adds a shortcut in the home screen without the user’s consent:
However, at the same time in the background the following sensitive information is sent to the remote server ad.leadboltapps.net:
In addition to the “normal” sensitive data (OS version, IMEI, geographical location, and phone number) collected by several mobile-advertisement SDKs, this PUP also collects and sends the IP address of the device (which could be internal if the device is connected via network address translation or external if it is using the mobile network). This information, along with the exact identification of the device with the IMEI, could represent a privacy violation to some users. In addition, the developer does not clearly state in the Android Market that the wallpaper is ad supported:
The developer offers an option in Settings to disable notification ads. However, even if the option is disabled, the data has already been leaked and the user can do nothing to stop it.
Adware for mobile devices is constantly evolving and becoming very aggressive, invasive, and even dangerous to our privacy. If you have enabled PUP detection (which is enabled by default), then McAfee Mobile Security for Android detects this adware as Android/LdBolt.A.
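One practical defender’s check on such a module is to audit the app’s outbound requests for the data categories listed above. The following is an added example, not from the original post: the log lines are constructed and the query parameter names are assumptions about an ad SDK (the post only names the kinds of data sent to ad.leadboltapps.net). It also separates internal (NAT) from external addresses, the distinction the post draws for the leaked IP.

```python
"""Audit outbound ad-network requests for the device data the post lists.

Added example, not from the original post: the log lines are constructed
and the query parameter names are assumptions about an ad SDK, not the
real one's."""
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: (Host header, request target) pairs from a traffic capture.
SAMPLE_LOG = [
    ("ad.leadboltapps.net",
     "/ad?os=2.3.6&imei=490154203237518&lat=19.43&lon=-99.13"
     "&phone=%2B525512345678&ip=10.0.0.5"),
    ("cdn.example.invalid", "/pixel?id=42&os=2.3.6"),
    # IMEI with a wrong check digit, plus an external address
    ("ad.leadboltapps.net", "/ad?imei=490154203237519&ip=203.0.113.9"),
]

# Ranges a device sees when it sits behind NAT (the post's "internal" case).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

GEO_KEYS = {"lat", "latitude", "lon", "lng", "longitude"}
PHONE_KEYS = {"phone", "msisdn", "number"}
OS_KEYS = {"os", "os_version", "sdk"}


def luhn_valid(digits: str) -> bool:
    """IMEIs carry a Luhn check digit; use it to avoid flagging random numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ip_category(value: str):
    """'ip_internal' for RFC 1918/loopback/link-local, 'ip_external' otherwise."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None
    return "ip_internal" if any(ip in net for net in INTERNAL_NETS) else "ip_external"


def classify(key: str, value: str):
    """Map one query parameter to a data category, or None. IMEI and address
    detection is value-based; location, phone and OS rely on the key name."""
    if re.fullmatch(r"\d{15}", value) and luhn_valid(value):
        return "imei"
    cat = ip_category(value)
    if cat:
        return cat
    key = key.lower()
    if key in GEO_KEYS:
        return "geolocation"
    if key in PHONE_KEYS and re.fullmatch(r"\+?\d{8,15}", value):
        return "phone"
    if key in OS_KEYS:
        return "os_version"
    return None


def audit(log):
    """One finding per request carrying any category; 'fingerprint' marks the
    IMEI-plus-IP combination the post singles out as a privacy problem."""
    findings = []
    for host, target in log:
        cats = set()
        for k, v in parse_qsl(urlsplit(target).query):
            c = classify(k, v)
            if c:
                cats.add(c)
        if cats:
            findings.append({
                "host": host,
                "categories": cats,
                "fingerprint": "imei" in cats and any(c.startswith("ip_") for c in cats),
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f["host"], sorted(f["categories"]), "FINGERPRINT" if f["fingerprint"] else "")
```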

Continue reading here:
Adware on Mobile Devices an Evolving Privacy Threat
Cracking Open Your (Google) Wallet
We suggested earlier that instead of going after the Secure Element chip and the information it keeps safe, attackers would go after the weaker point of the Google Wallet app. Security researcher Joshua Rubin has now created a proof-of-concept app, Google Wallet Cracker, that can recover the Google Wallet PIN on a rooted phone.
Once attackers get your PIN, they have full access to any credit card information stored in the app and they can use your phone to make purchases. As a user of Google Wallet, the main security you see is the PIN. What makes Wallet easy for you to use now makes it easy for attackers to use; they can now spend your money and credit just as if your phone were an ATM card.
How It Works
The vulnerability involves storing an encrypted hash of the Google Wallet PIN in a database that belongs to the app. Because it’s not stored in the Secure Element chip, the only protection is Android’s user ID-based “sandboxing.” Normally malicious apps can’t access files belonging to another app, but once the phone is rooted that protection and any others are gone.
In this case an attacker with root access can reverse-engineer the Google Wallet app’s database format and extract the hashed PIN.
Because the PIN is a four-digit code, an attacker can generate all possible PINs (0000-9999), hash them, and compare against the extracted PIN. On a real phone this takes about four seconds.
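The cost asymmetry in that description can be made concrete. The block below is an added illustration, not Rubin’s tool and not Google Wallet’s real storage format (the salted PBKDF2 record, the iteration count and the lockout value are assumptions): it shows that any record an attacker can verify offline over a 10,000-value keyspace falls almost immediately, that key stretching only scales that cost linearly, and why moving the comparison into the Secure Element with a lockout changes the bound.

```python
"""Why hashing a four-digit PIN in an app database does not protect it.

Added illustration: the salt-plus-PBKDF2 record below is an assumption, not
Google Wallet's real storage format, and this is not Rubin's tool."""
import hashlib
import os
import time

PIN_SPACE = 10 ** 4  # every candidate, 0000-9999


def hash_pin(pin: str, salt: bytes, iterations: int = 1) -> bytes:
    # iterations=1 models a plain salted hash; larger values model key stretching
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)


def store_pin(pin: str, iterations: int = 1):
    """Persist a PIN the way an app might: (salt, iterations, digest) on disk."""
    salt = os.urandom(16)
    return salt, iterations, hash_pin(pin, salt, iterations)


def exhaust_keyspace(salt: bytes, iterations: int, digest: bytes):
    """Anyone who can read the record (root) can verify guesses offline, so
    the whole keyspace is simply tried. Returns (pin, guesses, seconds)."""
    start = time.perf_counter()
    for n in range(PIN_SPACE):
        candidate = f"{n:04d}"
        if hash_pin(candidate, salt, iterations) == digest:
            return candidate, n + 1, time.perf_counter() - start
    return None, PIN_SPACE, time.perf_counter() - start


def worst_case_seconds(seconds_per_guess: float) -> float:
    """Key stretching only scales this linearly: even at one second per guess
    the whole keyspace is covered in under three hours."""
    return seconds_per_guess * PIN_SPACE


def online_success_probability(max_attempts: int) -> float:
    """When the comparison happens inside the Secure Element with a lockout
    after max_attempts wrong guesses, the attacker's odds are bounded by this;
    the record never leaves the chip, so there is nothing to exhaust offline."""
    return min(max_attempts, PIN_SPACE) / PIN_SPACE


if __name__ == "__main__":
    record = store_pin("4821")  # constructed sample PIN
    pin, guesses, secs = exhaust_keyspace(*record)
    print(f"recovered {pin} after {guesses} guesses in {secs:.3f}s")
    print(f"1 s/guess worst case: {worst_case_seconds(1.0) / 3600:.1f} h")
    print(f"SE with 5-try lockout: {online_success_probability(5):.4%} chance")
```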
How Do We Stay Safe?
Currently only Nexus S or Galaxy Nexus users can run Google Wallet. Rubin has responsibly disclosed the vulnerability to Google and the company is now working on patching Android to prevent such attacks. The Google Wallet Cracker is not publicly available.
Google Wallet users can take a number of steps to protect themselves:
- Use a lock code/password, swipe pattern, or face unlock
- Keep your phone close and in your possession. If attackers don’t have physical access to your phone, they can’t install malicious apps or spyware.
- Install antivirus software on the phone to protect against unwanted root exploits and spyware
Security 101: Attack Vectors Take Advantage of User Interaction
Welcome back to Security 101. Our New Year’s recess is over, and it’s time to offer another lesson.
So far we have discussed vulnerabilities and some types of low-interaction attack vectors. In this lesson we shall continue with attack vectors that require medium or high levels of user interaction to succeed.
These attack vectors are more dangerous because their success relies on the victims, which means that they can work in multiple “buildings” in parallel. (Recall our analogy of comparing a system to a building.) An attacker who uses these vectors also has an advantage that does not depend on technology: the human factor. Humans are curious by nature and, even when we don’t care to admit it, gullible. Almost anyone, no matter how cautious, can be tricked into being a victim of an attack or helping an attacker.
But we’ll delve into the topic of social engineering another time. For now we’ll focus on the vectors themselves. These vectors may require as much work from attackers as the low-interaction ones. Most of the time goes into assembling a malicious website or something similar.
Medium Interaction
Website/mail elements: Visiting a website is usually only a click away, especially if you just happen to be “in the neighborhood.” Think of all the advertisements you see while navigating the web. How many times have you been tempted to click an interesting ad, or follow a mail with a convenient offer? Any of these sites could host an attack or a piece of malware. The whole site need not be malicious; just one hidden element or image will suffice. When you enter a site, your browser tries to load all of the page’s elements; when it reaches the malicious part, the attack executes. Attackers can use this vector to exploit almost every kind of vulnerability because the attack happens online. The disadvantage for the attacker is that this vector requires a vulnerability in your browser to work.
High Interaction
Corrupted files: This broadly works in the same way as website vulnerabilities. An attacker places a file that contains an exploit on some part of the web. It can be a peer-to-peer network, FTP site, art gallery, free software site, you name it, or the attacker can send the file directly to you by mail. You download the file, open it, and Wham! The exploit runs. The most visible difference is that the victim actually needs to find the file and open it. And that’s why this vector is usually disguised as tempting celebrity photos, work documents, or even free tickets to a concert. These attacks are often widely advertised (social networks anyone?). Because this vector employs the victim’s computer, it is mostly used for exploiting denial of service or remote code execution vulnerabilities. In the latter case, inside the file there’s a small piece of code that communicates with the attacker’s computer or server, allowing access to the victim’s machine.
So next time you see a “OMG, awesome video of
Read more:
Security 101: Attack Vectors Take Advantage of User Interaction
Safer Internet Day 2012 Offers a Lesson for All of Us
Many of you may have already noted this from Google’s home page, but for those not reading the fine print or not using Google: Today is International Safer Internet Day, which will have its 10th anniversary next year (if I counted right). Started in Europe by Insafe with funding from the European Commission, this day has become a truly global event.
And it’s about time, considering the widespread careless use of computers and mobile devices, in particular in the home but also in many offices. (It’s 2012: there really should be no more reports of unencrypted laptops with sensitive data being lost or stolen.) As we face attacks from an ever-growing number of criminals, this day should absolutely be used to think about safety.
Although the original intent was to promote safer and more responsible use of online technology and mobile phones, especially among children and younger adults, I think the older generation (hello, mum), in fact everyone, can benefit from this opportunity to think about safety and learn a bit as well.
Looking at the results published in “Cyber-security: The Vexed Question of Global Rules,” the first global report on cyberdefense, we can see that companies, organizations, and even governments are well advised to use this day for some brainstorming about the current situation, how to improve it, and how to help employees and citizens to better understand the risks.
So please take a look at the material online at the Safer Internet Day website and have a nice–and safer–day.
Read this article:
Safer Internet Day 2012 Offers a Lesson for All of Us
Android Market Gets a Bouncer to Kick Out Malware
Today Google announced its Bouncer security service for the Android Market. This is a good initial step in protecting Android users.
Respect the Bouncer
To keep out known troublesome apps, the service performs a malware and spyware scan on all submitted material. It also uses behavioral analysis to determine if a given app is trying to do something suspicious. Google doesn’t stop there; it also does fraud and abuse detection to ban and remove malware writers posing as legitimate developers.
Other Protections
Aside from Bouncer, Google has older methods of protecting users from bad apps. The company cites its “remote app removal switch,” which allows Google to remotely uninstall apps that violate its policies and or are malicious. Although this is good for handling most basic Android malware, additional measures are sometimes necessary.
Sandboxing apps is very useful but is also a double-edged sword. On one side it keeps the average malicious app from accessing user data in other apps; on the other, however, it prevents Google and other security vendors from easily cleaning a device of advanced malware. In the case of malware such as Android/DrdDream or Android/DrddreamLite, which use root exploits to gain total control of a device, it’s necessary to go a step further. These threats that use root exploits completely bypass app sandboxing, requiring stronger methods to remove them. Google now provides a tool that runs on infected devices and removes all malware that was impossible to clean up with the remote removal function.
Alternative App Markets and Malware
Bouncer was able to reduce by half the amount of malware available on the official Android App Market during the past year. That’s an impressive figure. It’s also not the entire picture for Android malware. Android’s openness is great for developers and for users. It’s easy to get started developing apps and distributing them. It’s also easy for users to get an app that does what they need. These were keys that helped to make MS-DOS the most popular operating system in its day: Although MS-DOS was afflicted with viruses and other malware, they were always orders of magnitude smaller than the available number of legitimate applications.
The official Android App Market is not the only source for apps on Android devices. In China, it’s not even the only app store. There are reports of as many as 70 app stores in Beijing alone. In a presentation I gave last year at the security convention DefCon, we found that on a nearly two-to-one basis China was affected by for-profit mobile malware. The majority of this malware was Android based and downloadable from some of these alternative app markets. China has a large number of mobile users and the tactic of local cybercriminals was described by a colleague as “steal a little from a lot.” Even a single dollar from a million users is a good haul for a criminal.
Is a ‘Bouncer’ Enough?
We haven’t yet seen many details about Bouncer internals, but what we’ve seen so far bodes well for Android security. By itself Bouncer is not enough to clean up all infected devices or to keep all malware out of the market. There will still be a need for further innovation in security software and for defense in depth. The Android security team has a lot of clever people on it and no doubt they will continue to improve security while maintaining Android’s open nature.
Read more here:
Android Market Gets a Bouncer to Kick Out Malware
ShmooCon to Cover Hot Mobile Security Topics
The ShmooCon security conference takes place in Washington D.C. this weekend. There will be a good number of mobile and embedded talks, covering attacks on and defense of Bluetooth, Android, NFC, RFID, and more.
Disposable computers
A number of years ago at DefCon a team of penetration testers showed how to infiltrate a corporate network by mailing an iPhone with a large backup battery to the target company. This allowed them to exploit vulnerable hosts on the internal network and then ship any acquired data back to themselves. In that case they eventually recovered this expensive portable computer (iPhone), but it would have been better if they didn’t have to worry about getting the computer back. There are other cases where one might want to use a computer without spending a lot of money on a smartphone, say, doing data collection in your near-space balloon.
In the talk “Sacrificial Computing for Land and Sky,” researcher Brendan O’Connor will explain how to build throw-away computers for less than US$80. These are computers that can be left at a target location without concern for recovering them.
Bluetooth
If the last time you followed Bluetooth security was more than a couple of years ago, you might think that Bluetooth is a broken protocol. Things have improved, though, with many of the old bugs and vulnerabilities fixed. There have been new attacks and new tools created for testing Bluetooth, but there are also techniques for protecting yourself from attackers. Researcher JP Dunning’s talk “Defending the King of Denmark with a BLADE” will cover his toolkit for detecting such attacks.
Near Field Communications and Radio Frequency Identification
New models of iPhones and Android smartphones are coming with NFC capabilities. These will eventually allow you to use your phone to buy goods and services just by tapping to pay. Having your credit cards tied to your phone or an RFID chip can be risky if security hasn’t been tested. Chris Paget, an expert on radio and GSM security, will present on the security vulnerabilities in today’s credit cards with RFID. Fortunately he will also cover ways to protect your credit cards.
Your phone-based credit cards aren’t necessarily safe. Researchers Corey Benninger and Max Sobell will go after NFC-enabled smartphones in “Intro to Near Field Communication (NFC) Mobile Security.” This is an extension to their Sector conference talk, but updated with new information on Google Wallet and the latest version of Android.
You might be familiar with RFID proximity cards used in your workplace to “badge in” and “badge out.” Penetration testers regularly bypass access-control systems that use such cards. Foundstone’s Brad Antoniewicz will showcase methods of attacking these RFID systems from multiple points of entry.
Android
Android malware is taking off with maliciously modified pirated apps and premium-rate SMS-sending Trojans. As threats increase, the need to analyze suspicious apps and compromised devices also increases.
Two talks will cover these aspects of securing an Android device: Matthew Rowley’s “A Blackhat’s Tool Chest: How We Tear Into That Little Green Man” and Joe Sylve’s “Android Mind Reading: Memory Acquisition and Analysis with DMD and Volatility.” Both talks will include tool releases to help other researchers reverse-engineer malicious apps and dump memory from a running Android device.
iPhone
The iPhone does not escape scrutiny from these security researchers. David Schuetz will update his talk on the iPhone’s device-management interface. Device management allows your company’s system administrator or IT head to supply your iPhone with your corporate email or remotely wipe all the data when it is lost or stolen. He will cover changes in iOS 5 and other details.
Mobile exploitation
Smartphones aren’t always targets; sometimes they’re also used to attack. Researcher Pedro Joaquin will give a FireTalk, “ROUTERPWN: A Mobile Router Exploitation Framework.” Penetration testers who need to test routers, access points, etc. can now pull out their smartphones and have access to ready-to-run exploits. The framework is written in JavaScript and HTML, so it doesn’t really matter what kinds of smartphones they have.
These are just a few of the mobile and embedded-related talks at ShmooCon. The weekend should be full of many more enlightening security-related presentations.
Vulnerabilities Patched in McAfee SaaS for Total Protection
This week, there has been public interest regarding some issues disclosed in McAfee products. McAfee treats security issues in our products very seriously, and so our Product Security team will explain the details around these issues. They do not affect all McAfee products; both are in a single product, SaaS for Total Protection, our hosted antimalware service. We have mitigating factors already in place that reduce risk, and a patch is coming to remediate any additional risk to our customers. The patch will be released on January 18 or 19, as soon as we have finished testing. Because this is a managed product, all affected customers will automatically receive the patch when it is released. We have no evidence of loss or compromise of any customer data in relation to either of these issues.
Two issues in SaaS for Total Protection have arisen in the past few days. In the first, an attacker might misuse an ActiveX control to execute code. The second involves a misuse of our “rumor” technology to allow an attacker to use an affected machine as an “open relay,” which could be used to send spam.
The first issue has much in common with a similar issue patched in August 2011. In fact, the patch delivered then basically cuts off the exploitation path for this issue, effectively reducing the risk to zero. Because of this, customer data is not directly at risk.
The second issue has been used to allow spammers to bounce off of affected machines, resulting in an increase of outgoing email from them. Although this issue can allow the relaying of spam, it does not give access to the data on an affected machine. The forthcoming patch will close this relay capability.
See more here:
Vulnerabilities Patched in McAfee SaaS for Total Protection
McAfee Q4 Threats Report Shows Malware Surpassed 75 Million Samples in 2011
Today we released our Fourth Quarter 2011 Threat Report, revealing that malware surpassed our estimate of 75 million unique malware samples last year. Although the release of new malware slowed a bit in Q4, mobile malware continued to increase and recorded its busiest year to date.
Malware
The overall growth of PC-based malware actually declined throughout Q4 2011, and is significantly lower than Q4 2010. The cumulative number of unique malware samples in the collection still exceeds the 75 million mark. In total, both 2011 and the fourth quarter were by far the busiest periods for mobile malware that McAfee has seen yet, with Android firmly fixed as the largest target for writers of mobile malware.
Contributing to the rise in malware were rootkits, or stealth malware. Though rootkits are some of the most sophisticated classifications of malware, designed to evade detection and “live” on a system for a prolonged period, they showed a slight decline in Q4. Fake AV dropped considerably from Q3, while AutoRun and password-stealing Trojan malware show modest declines. In a sharp contrast to Q2 2011, Mac OS malware has remained at very low levels the last two quarters.
Web Threats
In the third quarter McAfee Labs recorded an average of 6,500 new bad sites per day; this figure shot up to 9,300 sites in Q4. Approximately one in every 400 URLs were malicious on average, and at their highest levels, approximately one in every 200 URLs were malicious. This brings the total of active malicious URLs to more than 700,000.
The vast majority of new malicious sites are located in the United States, followed by the Netherlands, Canada, South Korea and Germany. Overall, North America housed the largest amount of servers hosting malicious content, at more than 73 percent, followed by Europe-Middle East at more than 17 percent and Asia Pacific at 7 percent.
Spam
At the end of 2011, global spam reached its lowest point in years, especially in areas such as the United Kingdom, Brazil, Argentina and South Korea. Despite the drop in global levels, McAfee Labs found that the present spearphishing and spam are highly sophisticated.
Overall botnet growth rebounded in November and December after falling since August, with Brazil, Colombia, India, Spain and the United States all seeing significant increases. Germany, Indonesia and Russia declined. Of the botnets, Cutwail continues to reign supreme, while Lethic has been on a steady decline since last quarter. Grum made a significant comeback after a long decline, surpassing Bobax and Lethic by the end of Q4.
Data Breaches
The number of reports of data breaches via hacking, malware, fraud and insiders more than doubled since 2009, according to privacyrights.org, with more than 40 breaches publicly reported this quarter alone. The leading network threat this quarter came via vulnerabilities in Microsoft Windows remote procedure calls. This was followed closely by SQL injection and cross-site scripting attacks. These remote attacks can be launched at selected targets around the globe.
Download McAfee’s Threats Report: Fourth Quarter 2011.
Read the original here:
McAfee Q4 Threats Report Shows Malware Surpassed 75 Million Samples in 2011