Posts Tagged ‘network’
‘Android/NotCompatible’ Looks Like Piece of PC Botnet
A lot of recent attacks on Android users are attributed to fake websites of popular applications such as Cut the Rope, Instagram, Angry Birds, or Grand Theft Auto III. However, the very recently discovered malware NotCompatible uses a distribution method not previously seen in the mobile world. The malware hacks into vulnerable websites to inject a hidden iframe that points to a malicious application. This app is downloaded to the device without user consent when the victim visits the infected legitimate website. Let’s take a deeper look into this malicious application, which has a very interesting payload that is not common in the mobile world.
Several websites have been found with an injected hidden iframe, most of them based on an old version of WordPress and with a bad permission structure.
That piece of code redirects to another host, hxxp://android[censored]fix.info/fix1.php, which checks whether the browser’s user agent is Android. If it is, the server returns the URL of the Android install package, which is automatically downloaded and saved to the device’s SD card. The malware is downloaded but not executed; it needs the user to activate it. To get that step, the downloaded file is named Update.apk and the application package com.Security.Update, so that the user believes the download is a legitimate Android system update:

As we see in the preceding images, NotCompatible will automatically start at boot. For this reason the application does not have an icon. It starts as a service running in the background only after reboot or when the device screen changes its state (between locked and unlocked). This service opens a backdoor to receive commands from a remote server.
The remote IP and port servers are encrypted with AES inside the .apk in /res/raw/data. During analysis, we decrypted this as notcompatibleapp.eu port 48976 and 3na3budet9.ru port 38691. These parameters can be changed via a remote command sent by the control server.
NotCompatible is built on a New I/O (NIO) proxy implementation, a low-level API designed for high-volume input/output. This API gives the attackers an efficient way to send and receive commands in custom packets.
Once the service is started, NotCompatible communicates with its control server by sending TCP packets that carry custom commands. The first message sent by the infected device is the following (always sent via TCP port 8014):
04000001050000000007000000
The control server receives this message, confirming that the infected device is active, and it responds with a Ping message:
040000010100000004
To this the infected device responds with a Pong:
040000010100000005
After this initialization protocol, the control server asks the device to access a specific HTML web page to authenticate itself by validating the string A35T7G:

We have seen similar behavior in a Windows PC malware (detected by McAfee as Generic.dx!bd3j) that sends and receives the same data packages to the same port but with a different control server IP address. This suggests that the infected mobile devices and the PC malware probably belong to the same botnet.
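The handshake above (initial beacon, then ping, then pong) is the same on the Android and PC variants, which makes it a good network-level indicator. The following is an added example written for this page, not code from the original post: it classifies the three quoted payloads, checks a flow for the init → ping → pong order, and renders a Suricata/Snort-style content rule for the device-to-server beacon. The flow records, the treatment of 8014 as the server-side port, and all function names are constructed assumptions.

```python
"""Detection helpers for the NotCompatible control-channel handshake.

Added example, not code from the original post. The three payloads and the
port number are quoted from the post; the flow records, the IDS rule wording
and the helper names are constructed for this example.
"""
from typing import Dict, List, Optional, Tuple

C2_PORT = 8014  # port quoted in the post; assumed here to be the server-side port

# Payloads exactly as quoted (hex) in the post.
INIT_BEACON = bytes.fromhex("04000001050000000007000000")  # device -> server, first message
PING = bytes.fromhex("040000010100000004")                 # server -> device (last byte 4)
PONG = bytes.fromhex("040000010100000005")                 # device -> server (last byte 5)

KNOWN_PAYLOADS = {INIT_BEACON: "init", PING: "ping", PONG: "pong"}


def classify_payload(payload: bytes) -> Optional[str]:
    """Return 'init', 'ping', 'pong' for a quoted payload, else None."""
    return KNOWN_PAYLOADS.get(payload)


def matches_handshake(payloads: List[bytes]) -> bool:
    """True when a flow carries init, then ping, then pong, in that order.

    Unrelated packets in between are ignored, so a later command exchange
    does not hide the handshake.
    """
    expected = ["init", "ping", "pong"]
    idx = 0
    for p in payloads:
        if idx < len(expected) and classify_payload(p) == expected[idx]:
            idx += 1
    return idx == len(expected)


Flow = Tuple[str, str, int]  # (client, server, server port)


def find_notcompatible_flows(flows: Dict[Flow, List[str]]) -> List[Tuple[str, str]]:
    """Return (client, server) pairs whose payload sequence shows the handshake."""
    hits = []
    for (client, server, dport), hex_payloads in flows.items():
        if dport != C2_PORT:
            continue
        if matches_handshake([bytes.fromhex(h) for h in hex_payloads]):
            hits.append((client, server))
    return hits


def suricata_rule_for(payload: bytes, sid: int, msg: str) -> str:
    """Render a content-match rule for a device-to-server payload (init or pong).

    The rule anchors the match at the start of the payload (depth = length).
    """
    hex_content = " ".join(f"{b:02X}" for b in payload)
    return (
        f'alert tcp $HOME_NET any -> $EXTERNAL_NET {C2_PORT} '
        f'(msg:"{msg}"; flow:established,to_server; '
        f'content:"|{hex_content}|"; depth:{len(payload)}; '
        f'sid:{sid}; rev:1;)'
    )


# Constructed flow records: (client, server, port) -> hex payloads in order seen.
SAMPLE_FLOWS: Dict[Flow, List[str]] = {
    ("10.0.0.5", "203.0.113.10", 8014): [
        "04000001050000000007000000", "040000010100000004", "040000010100000005",
    ],
    ("10.0.0.7", "203.0.113.10", 8014): ["040000010100000004"],  # ping only, no beacon
    ("10.0.0.9", "198.51.100.20", 80): ["474554202f20485454502f312e31"],  # "GET / HTTP/1.1"
}

if __name__ == "__main__":
    print("flows showing the handshake:", find_notcompatible_flows(SAMPLE_FLOWS))
    print(suricata_rule_for(INIT_BEACON, 1000001, "NotCompatible init beacon"))
```

Matching on whole payloads keeps the rule tight: the quoted messages are short and fixed, so a prefix-only heuristic (the three samples share 04 00 00 01) would be the place to loosen it if the control server changes the trailing bytes, at the cost of more false positives.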
These commands can be remotely executed by the control server:
- Send Error: Sends a custom packet with a specific byte when the command sent by the control server is invalid
- ConnectProxy: Obtains the IP address and port as parameters and tries to open a connection to that remote host, probably to forward the network traffic sent by the control server to another host
- ShutdownChannel: Closes a specific connection with a remote host
- sendPong: Sends a custom packet with a specific byte when a packet with the last byte “4” is received (the ping). It is used by the control server to test network connectivity with the infected device.
- setTimeOut: Sets a specific period during which the connection to a remote host is alive
- newServer: Updates the configuration (AES encrypted in data.bin file inside the device) with a new control server
- newReservServer: The same as newServer but with a backup control server
Based on the preceding analysis, we conclude that NotCompatible is an unusual Android malware, delivered by a drive-by attack, that could be a proof of concept for a targeted attack. The malware was designed to execute remote commands stealthily and to act as a proxy server that redirects traffic through the device. This could be used to anonymize network traffic and so evade tracking of illicit activity. Also, given the network traffic similarities (commands, ports, strings), it is very possible that the Android and PC malware belong to the same botnet. We will probably see more Android malware of this kind. McAfee Mobile Security detects this threat as Android/NotCompatible.A.

Pastebin Shares Botnet Source Code
A few days ago, we found another Pastebin entry containing source code that looks like a malicious bot. As I wrote in my earlier blog, malware authors also use Pastebin to trade botnet kits. Snippets of a bot often help researchers understand how the botnet works and write detections for it.
The posted code was fairly simple to understand and appeared fully tested and complete. It gives insight into the coding skills and techniques of the bot’s author. The bot uses a fairly standard installation: it copies itself into the Windows\System32 folder and then sends data to, and receives commands from, a hard-coded control server. The source contains two interesting anti-analysis functions, which check for the presence of a sandbox or of tools such as OllyDbg or Wireshark. If it detects such countermeasures, the bot terminates its own process. Below are the two anti-analysis functions:
BOOL bIsSandbox (void)
- Check GetModuleFileNameA() for presence of string “sample” in the PATH
- Or Check GetUserNameA() for presence of string like “HfreAnzr” or “sandbox” or “currentuser” or “vmware” or “nepenthes”
- Or Check GetComputerNameA() for presence of string like “ComputerName” or “COMPUTERNAME”
- Or Check GetModuleHandle() for presence of DLL like “SbieDll.dll” or “api_log.dll” or “dbghelp.dll” or “dir_watch.dll”
- If anything matches, terminate the bot process
DWORD WINAPI tScanner (LPVOID)
- Use FindWindowA() function to check for name “CommView”
- Or “TCPViewClass”
- Or “TCPView – Sysinternals: www.sysinternals.com”
- Or “PROCMON_WINDOW_CLASS”
- Or “OLLYDBG”
- Or “gdkWindowToplevel”
- Or “CommView – The Team ZWT 2008”
- Or “The Wireshark Network Analyzer”
- Or “SysAnalyzer”
- If anything matches, terminate the bot process
Both of the preceding functions let the bot terminate its process before researchers can analyze it. The bot sends the OS version, user name, bot ID, and other information to its hard-coded control server in the format ns/clients.php?os=%s&name=%s&id=%i&loc=%s and then waits for further commands.
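Two things a defender can take from the anti-analysis lists and the beacon format above: an analysis VM can be audited for the exact artifacts the bot looks for before a sample is detonated, and the beacon URL pattern can be searched for in proxy logs. The following is an added example written for this page, not the bot’s code or anything from the Pastebin entry. The indicator strings, DLL names and window titles are the ones listed above; the audit functions take their inputs as parameters so they run anywhere, the case-insensitive comparison for user and computer names is an assumption, and the proxy log lines are constructed samples.

```python
"""Defender-side checks derived from the Pastebin bot described above.

Added example, not the bot's own code. Indicator strings come from the post;
matching rules, log format and helper names are constructed assumptions.
"""
import re
from typing import Iterable, List, Tuple

# Values the bot's bIsSandbox() looks for (from the post). Lower-cased here;
# comparing case-insensitively is an assumption that errs toward flagging more.
PATH_MARKER = "sample"
USERNAME_MARKERS = ("hfreanzr", "sandbox", "currentuser", "vmware", "nepenthes")
COMPUTER_MARKER = "computername"          # covers both "ComputerName" and "COMPUTERNAME"
MODULE_MARKERS = ("sbiedll.dll", "api_log.dll", "dbghelp.dll", "dir_watch.dll")

# Window names/classes the bot's tScanner() looks for via FindWindowA() (from the post).
WINDOW_MARKERS = (
    "CommView", "TCPViewClass", "TCPView – Sysinternals: www.sysinternals.com",
    "PROCMON_WINDOW_CLASS", "OLLYDBG", "gdkWindowToplevel",
    "CommView – The Team ZWT 2008", "The Wireshark Network Analyzer", "SysAnalyzer",
)


def sandbox_indicators(module_path: str, user_name: str, computer_name: str,
                       loaded_modules: Iterable[str]) -> List[str]:
    """Return which bIsSandbox() checks would fire for the given environment.

    An empty list means the bot would not terminate on this VM's identity.
    """
    hits = []
    if PATH_MARKER in module_path.lower():
        hits.append(f"module path contains '{PATH_MARKER}'")
    for marker in USERNAME_MARKERS:
        if marker in user_name.lower():
            hits.append(f"user name contains '{marker}'")
    if COMPUTER_MARKER in computer_name.lower():
        hits.append("computer name contains 'ComputerName'")
    loaded = {m.lower() for m in loaded_modules}
    for dll in MODULE_MARKERS:
        if dll in loaded:
            hits.append(f"module loaded: {dll}")
    return hits


def analysis_tool_windows(window_titles: Iterable[str]) -> List[str]:
    """Return the open window names/classes tScanner() would match (exact compare)."""
    markers = set(WINDOW_MARKERS)
    return [title for title in window_titles if title in markers]


# Beacon format from the post: ns/clients.php?os=%s&name=%s&id=%i&loc=%s
BEACON_RE = re.compile(r"/ns/clients\.php\?os=[^&\s]*&name=[^&\s]*&id=\d+&loc=[^&\s]*")

# Constructed proxy log lines: "<client> <method> <url> <status>"
PROXY_LOG = [
    "10.0.0.5 GET http://c2.invalid/ns/clients.php?os=Windows%20XP&name=lab01&id=17&loc=US 200",
    "10.0.0.6 GET http://www.example.com/index.html 200",
    "10.0.0.7 GET http://c2.invalid/ns/clients.php?os=Win7&name=ws-42&id=9&loc=DE 200",
    "10.0.0.8 GET http://www.example.com/ns/clients.php?os=Win7 404",  # incomplete query, no match
]


def find_beacons(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client, url) for log lines whose URL matches the bot's beacon format."""
    found = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, url = parts[0], parts[2]
        if BEACON_RE.search(url):
            found.append((client, url))
    return found


if __name__ == "__main__":
    print(sandbox_indicators(r"C:\sample\bot.exe", "vmware-user", "COMPUTERNAME",
                             ["kernel32.dll", "SbieDll.dll"]))
    print(analysis_tool_windows(["OLLYDBG", "Notepad", "The Wireshark Network Analyzer"]))
    print(find_beacons(PROXY_LOG))
```

Running the audit with the VM’s real values (module path, user name, computer name, loaded DLLs, open window titles) before detonation tells you whether this sample would simply exit; renaming the analysis user and host, and running tools with non-default window titles, removes the easy wins the two functions rely on.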
Microsoft Corporate Network is Hacked. What About Your Network?
Kaspersky Labs Int. comments on the recent virus incident
Cambridge, UK, October 28, 2000 – As disclosed on Friday, the corporate network of Microsoft, the world’s largest software developer, was attacked by unknown hackers. The hackers used the QAZ network worm to penetrate into the network. As a…
The Network Worm "SirCam" Breaks Records for Spreading
Kaspersky Labs issues free software for the worm’s detection and removal
In only six days since its detection on July 18, the network worm “SirCam” has spread throughout the world and has convincingly seized first place amongst the most wide-spreading malicious programs. At this time, Kaspersky…
Kaspersky Lab Warns Not to Use the Internet or E-Mail without the Patch
A global epidemic of the network worm “Nimda” has been reported
RDP+RCE=Bad News (MS12-020)
The March Security Bulletin release from Microsoft was relatively light in volume. Out of the six bulletins released, only one was rated as Critical.
And for good reason. MS12-020 includes CVE-2012-0002. This flaw is specific to the Remote Desktop Protocol (RDP) present on most current versions of Microsoft Windows. The RDP service, by default, listens on TCP port 3389. And because it’s so darn convenient, lots of people like to open their firewalls/ingress points to the traffic.
This is a bad/dangerous/insecure thing. (Choose your own favorite term.) I hope this issue (and many others before it) will influence anyone’s decision-making process when it comes to network hardening, external access, etc.
This is certainly not the first flaw in RDP. It is quite significant, though, in that exploiting it does not require authentication: a few specially crafted packets are enough. From that point the world (or the world that the compromised host lives in) is the attacker’s oyster. This is especially bad because the RDP service runs in kernel mode, under the System account (in most cases).
Keep in mind that it is very easy and takes little time to find targets. You see this type of situation all too often:
Living Our Lives Online… Anonymously
I recently bumped into a colleague who mentioned his 20-something daughter regularly changes her online screen names to essentially prevent herself from building a long-standing reputation online. Her profile picture on Facebook, for instance, is deliberately obscure and not searchable using her full name.
Kaspersky Lab On-line Newsletter #26
Network Worms: I-Worm.Brit, I-Worm.Cosol, I-Worm.Lee-Saltlake, Worm.Newbiero, I-Worm.Wargam, I-Worm.Valcard
Windows Viruses: Win32.HLLW.Bezilom, Win32.HLLW.Scareg
Linux Viruses: Linux.OSF.8795
Security Breaches: Exploit.IIS.Beavuh
Network Worms – I-Worm.Brit: I-worm.Brit is…
Reliable Enterprise Protection
Kaspersky Labs unveils a new version of their network protection products for small, mid-size and large enterprises. Kaspersky Labs, an international data-security software developer, announces the official launch of a new version for its network protecting anti-virus software products – Kaspersky…
“Fix your hard disk” with fake S.M.A.R.T. Repair tool
Imagine a program that scans your computer, detects some errors, and offers to fix them. There are many legitimate programs that do this (antivirus programs, for example), but there are also many fake programs that do nothing useful: they only pretend to scan your computer and pretend to fix some errors, when in reality there are no errors and nothing is being fixed. You didn’t install such a program, and you don’t even know how it got onto your computer. It’s just there, trying to trick you into buying a license.
Have you ever wondered what happens when you “buy” the activation key? Will the program really do something for you? Will it just disappear… or, maybe, will it keep annoying you? Let’s look at a program called “S.M.A.R.T. Repair”.
Figure 1