Posts Tagged ‘trojan-’
CVE-2012-0158 Exploit in the Wild
Since last week, we have seen many specially crafted files exploiting CVE-2012-0158, a vulnerability in MSCOMCTL.OCX in Microsoft Office and some other Microsoft products. This exploit can be implemented in a variety of file formats, including RTF, Word, and Excel files. We have already found crafted RTF and Word files in the wild. In the malicious RTF, the OLE file that triggers the vulnerability is embedded using the object and objocx tags.
The following image shows an example of a crafted RTF file containing such an OLE file. You can see the OLE file signature, D0CF11E0, in the hex dump. …
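As an added example (not code from the McAfee post), a small Python triage script for the RTF case just described: it finds \object groups that carry \objocx, decodes the \*\objdata hex, walks the OLE1 object header to the native payload and checks whether that payload starts with the D0CF11E0 compound-file signature. The RTF sample and the class name Sample.Control.1 are constructed for the demonstration.

```python
import re

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # compound-file signature (the D0CF11E0 from the hex dump)

def _ole1_blob(class_name: str, native: bytes) -> bytes:
    """Build a minimal OLE1 ObjectHeader + NativeData; used only to construct the sample below."""
    cn = class_name.encode() + b"\0"
    out = (0x0501).to_bytes(4, "little") + (2).to_bytes(4, "little")   # OLEVersion, FormatID=embedded
    out += len(cn).to_bytes(4, "little") + cn                           # ClassName (length-prefixed)
    out += bytes(8)                                                     # empty TopicName and ItemName
    return out + len(native).to_bytes(4, "little") + native

# Constructed sample: an \object group with \objocx whose \objdata hex wraps a compound-file stub.
SAMPLE_RTF = ("{\\rtf1\\ansi\\deff0 Quarterly report attached.\\par\n"
              "{\\object\\objocx\\objw1440\\objh1440{\\*\\objdata\n"
              + _ole1_blob("Sample.Control.1", OLE_MAGIC + bytes(24)).hex() + "}}\\par}")

def parse_ole1(blob: bytes) -> dict:
    """Walk the OLE1 header to the native payload and test it for the compound-file magic."""
    n = int.from_bytes(blob[8:12], "little")
    cls = blob[12:12 + n].rstrip(b"\0").decode("latin-1", "replace")
    pos = 12 + n
    for _ in range(2):                                   # skip TopicName and ItemName
        pos += 4 + int.from_bytes(blob[pos:pos + 4], "little")
    size = int.from_bytes(blob[pos:pos + 4], "little")
    native = blob[pos + 4:pos + 4 + size]
    return {"class": cls, "native_size": size,
            "compound_file": native.startswith(OLE_MAGIC)}

OBJ_RE = re.compile(r"\\object\b(.*?)\\\*\\objdata\s*([0-9A-Fa-f\s]+)", re.S)

def scan_rtf(rtf: str) -> list:
    """Return one finding per embedded object; 'suspicious' marks objocx + OLE compound payload."""
    findings = []
    for ctl, hexdata in OBJ_RE.findall(rtf):
        h = re.sub(r"\s", "", hexdata)
        blob = bytes.fromhex(h[: len(h) // 2 * 2])          # tolerate a trailing odd nibble
        info = parse_ole1(blob) if len(blob) >= 16 else {"class": "", "native_size": 0, "compound_file": False}
        info["objocx"] = "\\objocx" in ctl
        info["suspicious"] = info["objocx"] and info["compound_file"]
        findings.append(info)
    return findings

if __name__ == "__main__":
    for f in scan_rtf(SAMPLE_RTF):
        print(f)
```

The regex handles plainly written objdata only; obfuscated RTF (control words or braces interleaved in the hex run) needs a real RTF tokenizer before the same OLE1 check applies.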
Upon opening a crafted file with the vulnerable application, as in other document exploit files, we see an innocent file posing as bait, while in the background, the Trojan files are installed. Here are typical malware installation steps triggered by the vulnerable application, Word in this example:
1. The crafted document is opened by a Word process.
2. Exploiting the vulnerability triggers the shellcode in the OLE file.
3. The shellcode installs the Trojan(s) on the victim’s machine. Typically, the Trojan is installed in the following path:
%UserProfile%\Local Settings\Temp\(filename).exe
4. The shellcode starts a new Word process and opens, as bait, an innocent document file embedded in the crafted document. Typically the bait file is dropped at:
%UserProfile%\Local Settings\Temp\(filename).doc
5. The shellcode terminates the Word process that opened the crafted document.
Because of steps 4 and 5, users will see Word quit and then immediately relaunch with the bait file. If you see this symptom, check with your system administrator.
These crafted documents typically arrive as email attachments. Users should always exercise caution when opening unsolicited emails. We also strongly recommend installing the latest fix, from April’s Patch Tuesday. (Refer to the Microsoft Bulletin for more information: http://technet.microsoft.com/en-us/security/bulletin/ms12-027)
McAfee detects these malicious document files as:
- Exploit-CVE2012-0158: Detection for MS Office files such as MS Word and MS Excel
- Exploit-CVE2012-0158!rtf: RTF files containing vulnerable OLE containers

Simpsons: A School Age "Trojan"
Much Ado About Nothing. Cambridge, UK, June 29, 2000 – “Simpsons” is a primitive Trojan-horse BAT program written in the DOS command language. It has been reported “in the wild” and is being intentionally distributed via e-mail by some malevolent person. The Trojan appears as an executable file named…
Trusted exe along with the malware
Nowadays, as more and more people are aware of malware infections, an untrusted executable file is less likely to be run by the user. The exception is when the executable appears trustworthy, for example because it is signed by a known company or comes from a well-known software vendor. But even when an executable file is signed, it might not be safe to run.
Recently a lot of malware samples in China have been distributed together with a third-party executable, both to persuade the user to run it and to avoid detection by HIPS.
This malware consists of three files:
- RealImage.exe is originally part of the HaoZip archive utility distribution pack and is signed with a valid digital signature.
- Zlib.dll is a dynamic link library (.dll) whose exported functions are the same as those of the original zlib.dll.
- haotu.dat is a file filled with apparently random binary data.
As expected, Zlib.dll is the malicious component, and because it appears in RealImage.exe's import table it is loaded every time RealImage.exe is executed. The malicious code copies the three files into the C:\Program Files\tupian folder, decrypts the .dat file into an executable, creates a suspended notepad.exe process, calls NtUnmapViewOfSection to unmap the notepad.exe image from that process's memory, maps its own decrypted executable image in its place, and resumes the process. The result is an online-trading Trojan running on the system.
The malicious Zlib.dll then needs RealImage.exe to be started automatically at system start so that it persists on the system, and because RealImage.exe carries a trusted digital signature, most HIPS allow the registry and file operations without prompting the user, until Zlib.dll itself is detected.
This is a standard DLL-hijacking implementation, except that instead of waiting for another program to load it, the malware uses a trusted executable as a decoy to start the malicious code. The decoy executable has to be chosen carefully: it must have no other dependencies and show no UI before the malicious code is loaded. So far several signed executables have been used as this unfortunate decoy. Ironically, a file from one of the antivirus vendors is on the list.
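As an added example (not AVG's code), a detection rule over constructed endpoint events, loosely modeled on Sysmon image-load and process-create records; the field names are my assumption. It flags a signed process that loads an unsigned DLL from its own directory, and any process that tainted parent then spawns, which mirrors the RealImage.exe / Zlib.dll / notepad.exe chain above.

```python
import ntpath

# Constructed sample events (field names are an assumption, loosely modeled on Sysmon
# image-load and process-create records); paths mirror the RealImage.exe case above.
SAMPLE_EVENTS = [
    {"id": 7, "image": r"C:\Program Files\tupian\RealImage.exe", "signed": True,
     "loaded": r"C:\Windows\System32\kernel32.dll", "loaded_signed": True},
    {"id": 7, "image": r"C:\Program Files\tupian\RealImage.exe", "signed": True,
     "loaded": r"C:\Program Files\tupian\Zlib.dll", "loaded_signed": False},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "signed": True,
     "parent": r"C:\Program Files\tupian\RealImage.exe"},
]

def _dir(path: str) -> str:
    # ntpath handles Windows separators regardless of the analysis host's OS
    return ntpath.dirname(path).lower()

def find_sideload(events: list) -> list:
    """Return (rule, subject, object) alerts for the side-loading chain.

    Rule 1: a signed process loads an unsigned DLL that sits in the process's own
            directory (the DLL rides on the executable's signature, as with Zlib.dll).
    Rule 2: a process already flagged by rule 1 spawns a new process (the suspended
            notepad.exe that is later hollowed out and resumed in the write-up).
    """
    alerts, tainted = [], set()
    for e in events:
        if (e["id"] == 7 and e["signed"] and not e["loaded_signed"]
                and _dir(e["loaded"]) == _dir(e["image"])):
            alerts.append(("unsigned-dll-beside-signed-exe", e["image"], e["loaded"]))
            tainted.add(e["image"].lower())
        elif e["id"] == 1 and e.get("parent", "").lower() in tainted:
            alerts.append(("child-of-tainted-process", e["parent"], e["image"]))
    return alerts

if __name__ == "__main__":
    for rule, subject, obj in find_sideload(SAMPLE_EVENTS):
        print(f"{rule}: {subject} -> {obj}")
```

The same-directory test is the core signal; a production rule would key on the signer identity of both files rather than a bare signed flag, since the decoy executable's signature is exactly what the technique relies on.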
The malicious Zlib.dll and payload files are detected as Trojan horse PSW.Agent variants.
Note: HIPS stands for Host Intrusion Prevention System. This technology is implemented in the AVG Identity Protection component.
Franklin Zhao and Hynek Blinka
Risky gaming with ZeuS and WordPress
Assassinscreedfrance.fr, a French fan site for the wildly popular computer game, is still infected.
For over 8 weeks, the site has been infected with a Trojan JavaScript redirector that sends visitors to a Russian malware site and connects them to a ZeuS-powered botnet. The infection was last confirmed by the AVAST Virus Lab at 12.00 CET, April 10, 2012. And, just to make it clear, the Assassinscreedfrance.fr site is not affiliated with Ubisoft, the developers of the Assassin’s Creed franchise.
So far, avast! has blocked over 179,800 visits by its users to this site. And Assassinscreedfrance.fr is just one of 1,841 sites around the globe that have been infected with this specific Trojan during the month of March.
Powered by variants of the ZeuS Trojan, this collection of botnets has stolen over $100 million from small and medium-sized businesses.
The infection, a Trojan redirector, sends users to a Russian malware distribution server with an IP address registered in Saint Petersburg, Russia. And yes, this server is still working, even after Microsoft’s recent takedown of a few dozen botnet servers.
The infection at Assassinscreedfrance.fr is located in the countdown timer in the JavaScript module, a common WordPress plugin. Other sites had infections hitting a wide range of WordPress vulnerabilities. “The bad guys are using an automatic tool that is looking for some holes,” said Jan Sirmer, analyst from the AVAST Virus Lab. “Assassinscreedfrance.fr may have become vulnerable by using an outdated version of WordPress, even though their JavaScript plugin is up-to-date. For the rest of these sites, we can safely say that older programs and plugins are common ways to get infected.”
A quick look at over 6,000 infected sites with the “.com” top level domain showed that 13.6% of them involved some WordPress vulnerabilities. “It is not an uncommon problem,” pointed out Jan. “And it’s mostly resulting from owners forgetting to update their plugins.”
Warning: Trojan Picks the Pockets of WebMoney.ru Users
Kaspersky Labs exposes a large-scale Internet defrauding scheme. Kaspersky Labs, an international data-security software-development company, warns users about the detection of the new, exceptionally dangerous Trojan, “Eurosol.” This Trojan steals a user’s personal account information from the…
Malicious Code in RTF Files: Yet another Prediction Comes True
A Trojan program penetrates computers when reading RTF files. Kaspersky Lab, an international data-security software-development company, warns users about the discovery of the Trojan “Goga” that steals and sends out from infected computers user details for Internet access (i.e. login, password and…
WebMoney Users Are Once Again in a "High-Risk" Group
The latest Trojan program goes after WebMoney purses. Kaspersky Labs, an international data-security software developer, announces the detection of the new Trojan, “KWM,” which allows malefactors imperceptibly to control infected computers and gain access to the personal payment accounts of WebMoney…
Fake it till you make it: Mobile Update Week 4
Fake Android Markets
We have recently seen the spread of fake official Android markets and websites.
The fake Android markets usually contain many (if not all) malicious applications, which can target the victim in the two places where it hurts the most: money and privacy.
These are malicious versions of legitimate applications created by legitimate developers.
Fake AVG scam on Twitter
Twitter has seen a flurry of activity talking about AVG and its products. The tweets contain a link, hidden by a link shortener, and encourage users to go to a website made up to look exactly like the official AVG site.
AVG Threatwatch Week: 16
Android malware poses as Angry Birds Space game
What’s the story?
The latest version of the immensely popular “Angry Birds” series has already seen fake imitations in the Android Marketplace. The infected version of the fake “Angry Birds Space” contains a Trojan which security company Sophos has detected as Andr/KongFu-L.
While the imitation appears to be fully functional, it actually uses what is known as the GingerBreak exploit to install malware on the device.