Posts Tagged ‘windows’
Evolution of Android Malware : IRCBot for Android
We all know how fast the smartphone market is growing. Along with it, the complexity and number of mobile malware samples are also on the rise. With that in mind, while I was going through our mobile malware collection, I found an interesting piece of malware for Android. This malware acts as an IRC bot, just as we have seen in classical Windows malware.
This malware binary is not a repackaged application as we have seen in the past; it masquerades as the game ‘MADDEN NFL 12’. The malware has three modules embedded in it which perform various malicious activities. The main component is actually a dropper which drops a set of other components onto the compromised user's device.
Figure 1. Android Malware Component
Upon installation, the malicious application drops these three malicious components:
1. Header01.png – Rooting Exploit
2. Footer01.png – IRCBot
3. Border01.png – SMS Trojan
‘Android/NotCompatible’ Looks Like Piece of PC Botnet
A lot of recent attacks on Android users are attributed to fake websites of popular applications such as Cut the Rope, Instagram, Angry Birds, or Grand Theft Auto III. However, the very recently discovered malware NotCompatible uses a distribution method not previously seen in the mobile world. The malware hacks into vulnerable websites to inject a hidden iframe that points to a malicious application. This app is downloaded to the device without user consent when the victim visits the infected legitimate website. Let’s take a deeper look into this malicious application, which has a very interesting payload that is not common in the mobile world.
Several websites have been found with an injected hidden iframe, most of them based on an old version of WordPress and with a bad permission structure.
That piece of code redirects to another host, hxxp://android[censored]fix.info/fix1.php, that detects if the browser agent is Android. In this case, the server gives the device the URL that points to the Android install package, which will be automatically downloaded and saved onto the device’s SD card. The malware is downloaded, but not executed; it requires user assistance to activate. To accomplish that step, the application names the downloaded file Update.apk and the application com.Security.Update to trick the user into believing that the download is a legitimate Android system update:

As we see in the preceding images, NotCompatible will automatically start at boot. For this reason the application does not have an icon. It starts as a service running in the background only after reboot or when the device screen changes its state (between locked and unlocked). This service opens a backdoor to receive commands from a remote server.
The remote IP and port servers are encrypted with AES inside the .apk in /res/raw/data. During analysis, we decrypted this as notcompatibleapp.eu port 48976 and 3na3budet9.ru port 38691. These parameters can be changed via a remote command sent by the control server.
NotCompatible uses the New I/O Proxy API implementation, which is a low-level API that provides access to intensive input/output operations. This API provides attackers an effective method to send and receive commands in custom packages.
Once the service is started, NotCompatible communicates with its control server to send TCP data packages with customized commands. The first message sent by the infected device is the following (always sent via TCP port 8014):
04000001050000000007000000
The control server receives this message, confirming that the infected device is active, and it responds with a Ping message:
040000010100000004
To this the infected device responds with a Pong:
040000010100000005
After this initialization protocol, the control server asks the device to access a specific HTML web page to authenticate itself by validating the string A35T7G:

We have seen similar behavior in a Windows PC malware (detected by McAfee as Generic.dx!bd3j) that sends and receives the same data packages to the same port but with a different control server IP address. This suggests that the infected mobile devices and the PC malware probably belong to the same botnet.
These commands can be remotely executed by the control server:
- Send Error: Sends a custom packet with a specific byte when the command sent by the control server is invalid
- ConnectProxy: Obtains the IP address and port as parameters and tries to open a connection to that remote host, probably to forward the network traffic sent by the control server to another host
- ShutdownChannel: Closes a specific connection with a remote host
- sendPong: Sends a custom packet with a specific byte when a packet with the last byte “4” is received (the ping). It is used by the control server to test network connectivity with the infected device.
- setTimeOut: Sets a specific period during which the connection to a remote host is alive
- newServer: Updates the configuration (AES encrypted in data.bin file inside the device) with a new control server
- newReservServer: The same as newServer but with a backup control server
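The three messages of the initialization exchange (beacon, ping, pong) and the port are quoted verbatim in the write-up, so a defender can match them on the wire, and the same packets are reported for the PC variant. The following Python is an added example, not code from the original post, that correlates flow records into confirmed beacon, ping, pong handshakes; the flow-record layout and the IP addresses are constructed for the example.

```python
C2_PORT = 8014
# Payloads quoted in the write-up (hex as seen on the wire).
BEACON = "04000001050000000007000000"  # device -> server, first message
PING = "040000010100000004"            # server -> device (last byte 4)
PONG = "040000010100000005"            # device -> server (last byte 5)
LABELS = {BEACON: "beacon", PING: "ping", PONG: "pong"}


def label_payload(hex_payload):
    """Label a hex payload if it is one of the three documented messages."""
    return LABELS.get(hex_payload.strip().lower())


def find_handshakes(flows):
    """flows: iterable of (ts, src, dst, dport, hex_payload) records.
    Returns (device, server) pairs that completed the full beacon -> ping -> pong
    sequence, with the beacon sent to TCP port 8014. A lone beacon or a stray
    ping is not reported, which keeps one-off byte coincidences out of the alert."""
    state = {}        # (device, server) -> last stage seen
    confirmed = []
    for ts, src, dst, dport, payload in sorted(flows, key=lambda f: f[0]):
        label = label_payload(payload)
        if label == "beacon" and dport == C2_PORT:
            state[(src, dst)] = "beacon"
        elif label == "ping" and state.get((dst, src)) == "beacon":
            state[(dst, src)] = "ping"      # reply travels server -> device
        elif label == "pong" and state.get((src, dst)) == "ping":
            state[(src, dst)] = "pong"
            confirmed.append((src, dst))
    return confirmed


SAMPLE_FLOWS = [  # constructed records, not captured traffic
    (1, "10.0.0.5", "203.0.113.7", 8014, BEACON),
    (2, "203.0.113.7", "10.0.0.5", 51022, PING),
    (3, "10.0.0.5", "203.0.113.7", 8014, PONG),
    (4, "10.0.0.9", "203.0.113.7", 8014, BEACON),       # beacon never answered
    (5, "10.0.0.9", "203.0.113.7", 443, "1603010200"),  # unrelated bytes
]

if __name__ == "__main__":
    print(find_handshakes(SAMPLE_FLOWS))
```

Because the PC sample is reported to use the same packets and port, the correlation does not depend on the client being an Android device.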
Based on our previous analysis, we conclude that NotCompatible is an unusual Android malware delivered to users using a drive-by attack that could represent a proof of concept for a targeted attack. The malware was designed to execute stealthy remote commands and act as a server proxy to redirect traffic through the device. This could be used to avoid the tracking of illicit acts by making the network traffic anonymous. Also, based on the network traffic similarities (commands, ports, strings), it is very possible that both the Android and PC malware belong to the same botnet. We will probably see more Android malware of this kind. McAfee Mobile Security detects this threat as Android/NotCompatible.A.

Pastebin Shares Botnet Source Code
A few days back, we found another Pastebin entry that contains source code that appears to be a malicious bot. As I wrote in my earlier blog, malware authors also use Pastebin to trade botnet kits. Many times, snippets of a botnet help researchers understand the workings of the botnet and write detections for it.
The code posted was fairly simple to understand, appearing fully tested and complete. The code provides insights into the coding skills and techniques used by the botnet author. This bot uses a fairly standard installation, copying itself into the Windows\System32 folder and then sending data to and receiving commands from a hard-coded control server. The source contains two interesting anti-analysis functions, which check for the presence of a sandbox or tools such as OllyDbg or Wireshark. If it detects countermeasures, the bot terminates its process. Below are the two functions used for anti-analysis:
BOOL bIsSandbox (void)
- Check GetModuleFileNameA() for presence of string “sample” in the PATH
- Or Check GetUserNameA() for presence of string like “HfreAnzr” or “sandbox” or “currentuser” or “vmware” or “nepenthes”
- Or Check GetComputerNameA() for presence of string like “ComputerName” or “COMPUTERNAME”
- Or Check GetModuleHandle() for presence of DLL like “SbieDll.dll” or “api_log.dll” or “dbghelp.dll” or “dir_watch.dll”
- If anything matches, terminate the bot process
DWORD WINAPI tScanner (LPVOID)
- Use FindWindowA() function to check for name “CommView”
- Or “TCPViewClass”
- Or “TCPView – Sysinternals: www.sysinternals.com”
- Or “PROCMON_WINDOW_CLASS”
- Or “OLLYDBG”
- Or “gdkWindowToplevel”
- Or “CommView – The Team ZWT 2008”
- Or “The Wireshark Network Analyzer”
- Or “SysAnalyzer”
- If anything matches, terminate the bot process
Both of the preceding functions let the bot terminate its own process to avoid being analyzed by researchers. The bot sends the OS version, username, bot ID, and other information to its hard-coded control server in the ns/clients.php?os=%s&name=%s&id=%i&loc=%s format and waits for further commands.
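The check-in URI format and the anti-analysis strings listed above are the write-up's own indicators. The following Python is an added example, not code from the Pastebin source, that flags proxy log lines carrying the check-in request and triages a file's raw bytes for the listed strings; the log-line layout, the control-server hostname (the page does not name it) and the client addresses are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Check-in format quoted in the write-up: ns/clients.php?os=%s&name=%s&id=%i&loc=%s
CHECKIN_PATH = "/ns/clients.php"
CHECKIN_KEYS = {"os", "name", "id", "loc"}

# Strings bIsSandbox()/tScanner() look for. dbghelp.dll is left out on purpose:
# it ships with Windows and would match far too many clean binaries.
ANTIANALYSIS_STRINGS = [
    b"SbieDll.dll", b"api_log.dll", b"dir_watch.dll", b"TCPViewClass",
    b"PROCMON_WINDOW_CLASS", b"OLLYDBG", b"gdkWindowToplevel",
    b"The Wireshark Network Analyzer", b"SysAnalyzer", b"CommView",
]


def is_checkin_url(url):
    """True when the path is the bot's check-in script and the query carries
    exactly the four documented keys with a numeric id (the %i in the format)."""
    parts = urlsplit(url)
    if not parts.path.endswith(CHECKIN_PATH):
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    return set(query) == CHECKIN_KEYS and query["id"][0].isdigit()


# Constructed log layout: <timestamp> <client-ip> "GET <url>" <status>
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) "GET (?P<url>[^"\s]+)')


def checkin_clients(log_lines):
    """Return the client addresses whose requests match the check-in URL."""
    return [m.group("client") for m in map(LOG_RE.match, log_lines)
            if m and is_checkin_url(m.group("url"))]


def antianalysis_indicators(blob):
    """Cheap YARA-style triage: which listed strings occur in a file's raw bytes."""
    return [s.decode() for s in ANTIANALYSIS_STRINGS if s in blob]


SAMPLE_LOG = [  # constructed lines; c2.example.invalid stands in for the hard-coded server
    '2012-05-10T10:01:02Z 10.1.1.20 "GET http://c2.example.invalid/ns/clients.php?os=WinXP&name=bob&id=1337&loc=US" 200',
    '2012-05-10T10:01:05Z 10.1.1.21 "GET http://www.example.com/index.php?os=x&id=1" 200',
    '2012-05-10T10:01:07Z 10.1.1.22 "GET http://c2.example.invalid/ns/clients.php?os=Win7&name=a&id=abc&loc=DE" 200',
]

if __name__ == "__main__":
    print(checkin_clients(SAMPLE_LOG))
    print(antianalysis_indicators(b"...OLLYDBG...SbieDll.dll..."))
```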
avast! Free Antivirus for Mac is #1 download
avast! Free Antivirus for Mac was launched a mere week ago, and it only took three days to reach the #1 position on CNET’s download.com. avast! Free Antivirus for Mac fulfills the need for quality security just as the Mac community is recovering from the high-profile Flashback Trojan that infected 600,000 Macs. Many people realize now that OS X is not immune to attack, and new OS X malware is demonstrating how unprotected Macs can be infected when a user simply visits a website.
avast! Free Antivirus for Mac contains the same light, award-winning, certified, and highly acclaimed antivirus and anti-spyware engine as its avast! version 7 Windows counterpart. Learn more about it here.
Win a MacBook Air
Thanks to loyal avast! users like you, avast! is the most liked antivirus on Facebook. As of this writing, we have over 1.1 million likes and rising. Thanks, avast! fans.
Like avast! on Facebook and enter to win a MacBook Air! Take a photo of yourself with an apple and submit it to our contest by Friday, May 18. You must be a registered avast! user and a fan of avast! on Facebook. After the photos are in, the fun begins when all the participants vote for their top 5 favorite photos. Those five will each win a MacBook Air! So get those apples polished and cameras snapping. We want your best photo!
April 26 could be repeated on July 14!
The “Smash” virus will try to destroy your hard drive! Cambridge, UK, April 26, 2000 – Kaspersky Labs Int., a fast-growing international anti-virus software development company, announces the discovery of a new, extremely dangerous Windows virus, Win95.Smash. The virus originates from Russia and has…
That Was the Week That Was!
Kaspersky Lab's prediction came true! Back in 1998, the last week of October brought a real surprise in the computer world. Kaspersky Labs Int. anti-virus research team detected “WinScript.Rabbit” – a computer virus using new methods of contamination and infecting Windows scripts (programs written…
Kaspersky Lab AntiViral Toolkit Pro – the Best Anti-Virus Protection for the Year 2000!
AVP wins tests performed by the European centre for information security “Secusys” Cambridge, UK, July 25, 2000 – Kaspersky Labs Int., an international anti-virus software development company, announces that its flagship anti-virus product AntiViral Toolkit Pro (AVP) for Windows operating system…
A New Generation of Windows 2000 Viruses is Streaming Towards PC Users
Moscow, Russia, September 4, 2000 – Kaspersky Lab, an international anti-virus software development company, announces the discovery of W2K.Stream virus, which represents a new generation of malicious programs for Windows 2000. This virus uses a new breakthrough technology based on the “Stream Companion” method for self-embedding into the NTFS file system.


Tag&Rename 3.5.7