11 January 2012, 01:12

It feels as if we are back in the Windows 9x era, when adware was legion (at least in proportion to the overall threat landscape of the time). But this case concerns every Android version from 1.6 to 2.x, far more modern systems...

In a nutshell, this adware will:

- add an icon on the phone's home screen, leading to a kind of "fake" Google search engine

- display ads in the top status bar on a regular basis, suggesting that you download (or rather, pay for) new apps, and therefore accessing the network over 3G

- remain active as a background service...

 

But what are we really talking about? This is all about a game: Helicopter Strike Force. Here is the game's splash screen while it loads:

adware-heli-2012-01-11-005724-copie-1.png

 

Most of the AV products I installed and tested do not detect it:

- Norton (no screenshot available at the time of the test... :( )

- DrWeb 

drweb_device-2012-01-11-005326.png

- Webroot

webroot_device-2012-01-11-005205.png

- Kaspersky Lite 

KAV-OK-2012-01-11-011915.png

Note that KAV uses the "Kaspersky Security Network" to scan the app in the cloud before its first execution. Although I installed (and uninstalled) the game twice, with several days between each install, the KSN did not find anything.

 

I even tried VirusTotal, but no real result. I'm wondering if the command line versions of AV engines that VT uses are able to use mobile-specific threat signatures.

 

But that's not all: this app also installs a service, which is surprising for "just" a game...

app-service-2012-01-11-011009.png

 

 

Now here is the new icon on the main/first desktop:

accueil_device-2012-01-11-005348-copie-1.png

 

But the thing is, this search engine is not what you may think. When you launch it, it accesses livemobilesearch.com... which in turn looks like Google, but it isn't!

Charge-recherch-2012-01-11-005628.png

Then:

recherch1-2012-01-11-005408.png

(bottom of page)

recherch2-2012-01-11-005420.png

 

You have to read the "privacy" link at the bottom of the page to confirm our expectations:

recherch-privacy-2012-01-11-005453.png

 

Last, but not least, the results this search engine provides differ from Google's. For instance, the keyword "music" returns:

result-music-2012-01-11-011631.png

 

While the "real" Google says:

google_music_110112.PNG

 

Therefore I'd say that:

- yes, anti-malware on smartphones is more and more needed; I suggest everybody tries one...

- as we have been saying for years on regular computers, be careful regarding the links you click and the apps you download... 

 

 

Update 1, 01/15/12:

Let's see what's going on deeper within Android:

DebugMon_app-process-service_14012012-copie-1.png

 

It appears that "helicopterstrikeforce" launches 3 processes/services. One of them seems to have an interesting name: noolah.pushnotification. 

Searching Google for it returns the following PDF document:

https://docs.google.com/viewer?a=v&q=cache:JD8QLTJaokAJ:forum.unity3d.com/attachment.php%3Fattachmentid%3D22799%26d%3D1311396784+&hl=fr&pid=bl&srcid=ADGEESjCxeNBKAr8al8ucNN9aYNB4e14wcIVSyGps1m98N4V28LCbBDok2MP00DAuK67r-VGip0kMbnUuwTYdYn62PuEsyqCnLJqbpv-kaoOZymAxhzFJ1NVYqIFeQ-TNyrJYCT_A5np&sig=AHIEtbR8kCBOiQlmRSpvniyC5MzAMoFo7w

 

Pretty interesting too, as it explains how the ads are implemented:

moolah1_15012012.png

moolah2_15012012.png

There we go: service android:name="com.moolah.NotificationService"!

 

Therefore, this will act as the adware component, and will remain active even if the game is not being run.

Let's see the result:

 

apps-notification-full-2012-01-14-134438.png

 

"Android app offer" and "Live & work in the USA" are not related to the phone's own processes (or to the user's actions/requests).

Here is an example of such an advertised app: once the user clicks on it, they are redirected to a website like:

app1-2012-01-11-005544.png

 

Fortunately, this phone was on WiFi at the time of writing, but obviously WiFi is not available while on the move (walking in the street, for instance), so these ads will generate extra, and most likely uncontrolled, data transfer over 3G!

 

If the mobile network operator charges for data in any way, such apps may become painful for people's credit cards. So pay attention whenever an app requests full Internet access at install time when its type does not call for it!
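As an added example (not from the original post), here is a small Python check along the lines of the conclusion above: it parses an Android manifest, lists the requested permissions, and reports any service or receiver registered under a package namespace other than the app's own, which is how a bundled ad SDK such as the com.moolah service shows up. The manifest and the app package name below are constructed, not the real game's.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest (not the real game's): a game package that asks for
# Internet access and registers a service from another package namespace.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.helicopterstrikeforce">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Helicopter Strike Force">
    <activity android:name=".MainActivity"/>
    <service android:name=".GameSyncService"/>
    <service android:name="com.moolah.NotificationService"/>
  </application>
</manifest>
"""

def analyse_manifest(xml_text):
    """Summarise what a manifest declares: permissions, whether the app can reach
    the network, and components whose class lives outside the app's own package."""
    root = ET.fromstring(xml_text.strip())
    pkg = root.get("package", "")
    perms = [e.get(ANDROID + "name", "") for e in root.iter("uses-permission")]
    foreign = []
    for tag in ("service", "receiver"):
        for e in root.iter(tag):
            name = e.get(ANDROID + "name", "")
            # A leading dot means "relative to the app's own package".
            full = pkg + name if name.startswith(".") else name
            if not full.startswith(pkg + "."):
                foreign.append((tag, full))
    return {
        "package": pkg,
        "permissions": perms,
        "network_capable": "android.permission.INTERNET" in perms,
        "foreign_components": foreign,
    }

if __name__ == "__main__":
    report = analyse_manifest(SAMPLE_MANIFEST)
    for tag, name in report["foreign_components"]:
        print(f"{tag} outside {report['package']}: {name}")
```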

8 January 2012, 21:20

A bit strange, isn't it, that alert from Certificate Patrol? It came up while accessing Facebook with Firefox...

 

alert_certif_080112.jpg

 

alert2_certif_080112.jpg

 

Well, that would mean Facebook rolled back their HTTPS certificate to re-use a former one, issued in November 2010... Why? No real clue...

How are we (professionals) supposed to explain that to average users? :(

 

Anyway, I do suggest that more people use browser add-ons like Certificate Patrol!

8 January 2012, 20:49

Who said it doesn't happen to every service provider? GMail is no exception to the rule.

 

GMail_HS_290411.JPG

 

Although the copyright notice on the page says 2008, the message itself does date from 2011! (I hadn't had a chance to post it.)

 

So beware, those who want to "put their IT services in the cloud": when this happens, some job roles can almost go home... :(

8 January 2012, 20:34

A short while ago, when starting the machine, Kaspersky displayed warnings and the session no longer loaded correctly (not completely).

 

First, here is the product's version information, so we know what we are talking about:

 

info_KAV-copie-1.png

 

 

Then the error message itself (which appeared suddenly):

 

KAV2011_err1.png

 

It would seem that KAV does not have enough rights to update itself.... strange!

Yet even when launching its interface from a local administrator account, nothing helps.

 

 

So let's try safe mode...!

 

KAV2011_err2.png

 

Being in safe mode is apparently a "danger", but no matter: the update still does not go through, and the corrupted databases error message comes back.

 

What actually has to be done is to roll back to a previous version of the signature databases, reboot (still in safe mode), then launch the update again!

 

KAV2011_err3-copie-1.png

 

 

Moral of the story: if you have a presentation to give or work to do on the move, allow 5 minutes for a shutdown and restart of the machine, to make sure it will boot again once you are on site!

 

8 December 2011, 01:08

The warning is, I think, explicit enough!

 

avertissement_Trusteer_061211.JPG

 

But where is HTTPS hiding?


Possible solution: use HTTPS Everywhere in Firefox...

6 December 2011, 21:55

 

 

At first I thought this was regular spam, something Viagra-related (or similar...). But in the end, no...

The contact told me his "mail account" had been stolen, whereas I believe his computer was compromised (and the bad guys then used that to gain access to the email account...).

msg_Gmail.JPG

 

But when I clicked on it, surprise... The real URL is:

http://bessthoprapi2iad .vv.cc/2i3xuqg42.jsp.

But this will in fact redirect the user to:

http://87.255.77. 35/fw2.pl

 

Then a new redirection: http://dsdss333 .coom.in/dng311011/a90c83a2e63449deddcf99e0660d9f73/spl.php (detected by KAV 2011, but apparently that is not enough to block the infection).

 

Under IE9, here is what happens:

 msg1_IE9_egorest.co.in.jpg

 

 

If I click on Yes, it goes:

scan1_IE9_egorest.co.in.jpg

 

Then...

 

scan2_IE9_egorest.co.in.jpg

 

Quite standard by now: even if I click "Cancel", a file download is attempted, still in the usual way:

 

file_egorest.co.in.JPG

 

 

IE 9 then tries to warn me that the file "is not being downloaded so often, and could be harmful"...:

 

msg_file_IE9_egorest.co.in-copie-1.JPG

 

 

 

KAV 2011 does not detect the sample. Neither does MalwareBytes.

 

VirusTotal's results are quite clear: only 2 engines out of 41...!

 

Antivirus Version Last Update Result
AhnLab-V3 2011.12.06.01 2011.12.06 -
AntiVir 7.11.19.2 2011.12.06 -
Antiy-AVL 2.0.3.7 2011.12.06 -
Avast 6.0.1289.0 2011.12.06 -
AVG 10.0.0.1190 2011.12.06 -
BitDefender 7.2 2011.12.06 -
ByteHero 1.0.0.1 2011.11.29 -
CAT-QuickHeal 12.00 2011.12.06 -
ClamAV 0.97.3.0 2011.12.06 -
Commtouch 5.3.2.6 2011.12.06 -
Comodo 10859 2011.12.06 -
DrWeb 5.0.2.03300 2011.12.06 -
Emsisoft 5.1.0.11 2011.12.06 -
eSafe 7.0.17.0 2011.12.06 -
eTrust-Vet 37.0.9607 2011.12.06 -
F-Prot 4.6.5.141 2011.11.29 -
F-Secure 9.0.16440.0 2011.12.06 -
Fortinet 4.3.388.0 2011.12.06  W32/Kryptik.TAF!tr
GData 22 2011.12.06 -
Ikarus T3.1.1.109.0 2011.12.06 -
Jiangmin 13.0.900 2011.12.06 -
K7AntiVirus 9.119.5608 2011.12.06 -
Kaspersky 9.0.0.837 2011.12.06 -
McAfee 5.400.0.1158 2011.12.06 -
McAfee-GW-Edition 2010.1D 2011.12.06 -
Microsoft 1.7903 2011.12.06 -
NOD32 6681 2011.12.04 -
Norman 6.07.13 2011.12.06  W32/Kazy.NA
nProtect 2011-12-06.01 2011.12.06 -
Panda 10.0.3.5 2011.12.06 -
PCTools 8.0.0.5 2011.12.06 -
Prevx 3.0 2011.12.06 -
Rising 23.87.01.02 2011.12.06 -
Sophos 4.71.0 2011.12.06 -
SUPERAntiSpyware 4.40.0.1006 2011.12.06 -
Symantec 20111.2.0.82 2011.12.06 -
TheHacker 6.7.0.1.352 2011.12.01 -
TrendMicro 9.500.0.1008 2011.12.06 -
TrendMicro-HouseCall 9.500.0.1008 2011.12.06 -
VBA32 3.12.16.4 2011.12.06 -
VIPRE 11212 2011.12.06 -
ViRobot 2011.12.6.4811 2011.12.06 -
VirusBuster 14.1.102.0 2011.12.06 -
MD5: c7fa7ebcb697b26ac684f8b18a0f30b4
SHA1: 98561e513580021bbd2f715e54a53e96558a8a1f
SHA256: bc9264cd51df7815a96c0753cbacbde9f2f491a191b78a06782854abb93171f4
File size: 129536 bytes
Scan date: 2011-12-06 21:48:09 (UTC)

 

 About the file:

I also find it interesting to mention that the executable is in fact built on pure MS technology: Silverlight.

 

 

file_properties.jpg

 

Update 1:

When run on a fully-patched Win 7 x64, nothing really bad happens... it seems that an additional download fails.

This is also what ThreatExpert tells about the file's execution history:

http://www.threatexpert.com/report.aspx?md5=c7fa7ebcb697b26ac684f8b18a0f30b4 

Buggy malware?

 

1 December 2011, 13:46

Warning.

If you access your Facebook profile, from your cellphone, without using the "facebook app", you'll most likely be redirected to: m.facebook.com.

 

The problem is that HTTP is used when you send your email address and password over the network, not HTTPS! Obviously, this is a pretty bad security mistake.

 

For instance, as I train my students to do (in the lab), it is quite easy to steal a password sent over HTTP, for example with an ARP spoofing attack (using Ettercap or other tools from BackTrack Linux). Say you connect to Facebook using the mobile browser while on WiFi... it is then quite simple to launch the spoofing attack!

 

Therefore I do recommend that people use the official Facebook App, and not the mobile browser, since AFAIK the app uses HTTPS to send credentials to Facebook!

HTH...
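As an added example (not part of the original post), here is a Python check for the defect described above: it parses a page's forms and reports every form containing a password field whose submit URL would be plain http://, taking into account that an empty or relative action inherits the scheme of the page that served it. The HTML and host names below are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormCollector(HTMLParser):
    """Record each <form>'s action and whether it contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._open = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None and a.get("type", "").lower() == "password":
            self._open["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def insecure_login_forms(page_url, html):
    """Return the resolved submit URL of every password form that would post over
    plain HTTP. An empty or relative action inherits the scheme of the page itself,
    which is exactly how an http:// mobile login page ends up leaking credentials."""
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if form["password"]:
            target = urljoin(page_url, form["action"])
            if urlsplit(target).scheme.lower() != "https":
                findings.append(target)
    return findings

# Constructed login page: a search form (no password, ignored) and a login form
# posting to a relative path, so the page's own scheme decides whether it is safe.
SAMPLE_HTML = """
<form action="/search"><input type="text" name="q"></form>
<form action="/login.php" method="post">
  <input type="text" name="email">
  <input type="password" name="pass">
</form>
"""

if __name__ == "__main__":
    print(insecure_login_forms("http://m.example.com/", SAMPLE_HTML))
    print(insecure_login_forms("https://m.example.com/", SAMPLE_HTML))
```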

9 November 2011, 12:06

Yes, a bit surprising, but yeah, even Google...! I'm talking about the classic GMail interface, which is still the default (the new one has not yet been made the standard...)

 

While trying to reply to an email, or even write a new one, here is the warning that is being displayed:

 

 

Meaning: "impossible to load the rich text editor".

It is then impossible to write at least in the body of the email. If you were writing a new one, you won't be able to enter the recipients' addresses or the subject either.

Update 1, 01/15/12:

Bug fixed in version 9...

 

 

 

9 November 2011, 01:32

 

This malware succeeded in installing itself on the following configuration:

- Win7 64 bits, fully-patched

- KAV 2011

- user account not administrator (account switch using UAC)

- Opera 11.52 up-to-date

I was just browsing... Therefore I believe it is a kind of drive-by download.

 

Once installed, it will:

- kill all programs running (yes!), including a lot of services (sometimes KAV's service too)

- prevent you from launching new/other programs

- display a fake shield within the taskbar...

 

 Here is how it starts itself at the beginning of the user's session:  

registre_HKU_privacy.exe.jpg

 The Sysinternals tool "autoruns" does not show it, AFAIK.

 

According to VirusTotal, only 3 AV engines out of 43 (command line versions) detect it!

(link: http://www.virustotal.com/file-scan/report.html?id=c6d83ab1348c548b7581153100b8b7eb7c1b89b3e753151594828c2ac78f2c12-1320798644# )

 

Kaspersky Antivirus 2011 does not detect anything.

MalwareBytes does detect something, but the problem is that you can't start it once the malware is running...

 

MBAM_privacy.exe_091111.png

 

 

As you can see, the malware stores a file in %appdata%, i.e. AppData\Roaming for the current user.
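As an added example (not from the original post), here is a Python check along the lines of the two observations above: it expands each per-user Run/RunOnce entry and flags those launching an executable from a user-writable profile directory such as AppData\Roaming. The registry walk only runs on Windows (it needs the winreg module); the environment mapping and the privacy.exe command lines used for testing are constructed.

```python
import re

# Per-user autorun keys, relative to each HKEY_USERS\<SID> hive, read at logon;
# the screenshot above shows the sample registered under HKU.
RUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Profile locations any user can write to; a logon entry starting a binary from
# one of them (here %appdata%, i.e. AppData\Roaming) is what this sample does.
WRITABLE_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\")

def _expand(command, env):
    """Expand %VAR% references using the supplied environment (upper-case keys)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), command)

def executable_of(command, env):
    """Lower-cased executable path of an autorun command line, for both the
    quoted ("C:\\dir with spaces\\a.exe" /s) and the unquoted (C:\\a.exe /s) form."""
    cmd = _expand(command, env).strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return exe.replace("/", "\\").lower()

def is_suspicious_autorun(command, env):
    """True when the entry launches a binary from a user-writable profile directory."""
    return any(marker in executable_of(command, env) for marker in WRITABLE_MARKERS)

def scan_hku_run_keys(env):
    """On Windows, return (sid, key, name, command, suspicious) for every value under
    the per-user Run/RunOnce keys; elsewhere winreg is missing and the list is empty."""
    try:
        import winreg
    except ImportError:
        return []
    findings = []
    for i in range(winreg.QueryInfoKey(winreg.HKEY_USERS)[0]):
        sid = winreg.EnumKey(winreg.HKEY_USERS, i)
        for key in RUN_KEYS:
            try:
                with winreg.OpenKey(winreg.HKEY_USERS, sid + "\\" + key) as h:
                    for j in range(winreg.QueryInfoKey(h)[1]):
                        name, data, _ = winreg.EnumValue(h, j)
                        findings.append((sid, key, name, str(data),
                                         is_suspicious_autorun(str(data), env)))
            except OSError:
                continue
    return findings
```

On Windows, call `scan_hku_run_keys({k.upper(): v for k, v in os.environ.items()})` from an elevated prompt to see every loaded user hive; the expansion uses the environment you pass in, so the target user's %APPDATA% must be supplied for their entries.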

 

One hour after my first scan, VT says 3 new engines detect it:

Antivirus Version Last Update Result
AhnLab-V3 2011.11.08.01 2011.11.08 -
AntiVir 7.11.17.87 2011.11.08 -
Antiy-AVL 2.0.3.7 2011.11.08 -
Avast 6.0.1289.0 2011.11.08 -
AVG 10.0.0.1190 2011.11.08 -
BitDefender 7.2 2011.11.09 -
ByteHero 1.0.0.1 2011.11.04 -
CAT-QuickHeal 11.00 2011.11.08 -
ClamAV 0.97.3.0 2011.11.08 -
Commtouch 5.3.2.6 2011.11.08 -
Comodo 10714 2011.11.08 -
DrWeb 5.0.2.03300 2011.11.09 -
Emsisoft 5.1.0.11 2011.11.09 Trojan.Win32.Agent.AMN!A2
eSafe 7.0.17.0 2011.11.08 -
eTrust-Vet 36.1.8663 2011.11.08 -
F-Prot 4.6.5.141 2011.11.08 -
F-Secure 9.0.16440.0 2011.11.09 -
Fortinet 4.3.370.0 2011.11.08 -
GData 22 2011.11.09 -
Ikarus T3.1.1.109.0 2011.11.08 -
Jiangmin 13.0.900 2011.11.08 -
K7AntiVirus 9.117.5413 2011.11.08 -
Kaspersky 9.0.0.837 2011.11.09 -
McAfee 5.400.0.1158 2011.11.09 Artemis!61E2511F79EF
McAfee-GW-Edition 2010.1D 2011.11.08 Artemis!61E2511F79EF
Microsoft 1.7801 2011.11.08 -
NOD32 6612 2011.11.08 a variant of Win32/Kryptik.SES
Norman 6.07.13 2011.11.08 W32/Krypt.BD
nProtect 2011-11-08.01 2011.11.08 -
Panda 10.0.3.5 2011.11.08 -
PCTools 8.0.0.5 2011.11.09 -
Prevx 3.0 2011.11.09 -
Rising 23.83.01.01 2011.11.08 -
Sophos 4.71.0 2011.11.09 Mal/FakeAV-PG
SUPERAntiSpyware 4.40.0.1006 2011.11.09 -
Symantec 20111.2.0.82 2011.11.09 -
TheHacker 6.7.0.1.339 2011.11.08 -
TrendMicro 9.500.0.1008 2011.11.08 -
TrendMicro-HouseCall 9.500.0.1008 2011.11.09 -
VBA32 3.12.16.4 2011.11.08 -
VIPRE 11001 2011.11.09 -
ViRobot 2011.11.8.4761 2011.11.08 -
VirusBuster 14.1.53.1 2011.11.08 -
MD5 : 61e2511f79ef738d73d766c0ab8c8c1a

 

Most of these detections are heuristic/generic ones!

I've submitted a sample to ClamAV.

 

About the file:

fichier_proprietes_091111.jpg 

There is even a copyright notice on it...

 

6 November 2011, 22:40

Just to say that the open source world does manage to provide tools that can filter spam according to sender reputation.

 

Below are a few (daily) stats from a mail server I run, which uses:

- Debian fully-patched

- SpamAssassin and Exim4 (with Razor, Pyzor, DCC, *RBL,...)

TOP SPAM RULES FIRED
RANK  RULE NAME                  COUNT  %OFMAIL  %OFSPAM  %OFHAM
   1  BAYES_99                     958    51.45    89.20    0.00
   2  RCVD_IN_BRBL                 921    51.93    85.75    5.84
   3  DCC_CHECK                    886    53.54    82.50   14.09
   4  RAZOR2_CHECK                 867    50.00    80.73    8.12
   5  RAZOR2_CF_RANGE_E8_51_100    864    49.36    80.45    6.98
   6  RAZOR2_CF_RANGE_51_100       864    49.36    80.45    6.98
   7  DIGEST_MULTIPLE              852    47.31    79.33    3.68
   8  RCVD_IN_XBL                  769    41.35    71.60    0.13
   9  RDNS_NONE                    736    40.87    68.53    3.17
  10  RCVD_IN_PBL                  689    37.06    64.15    0.13
  11  PYZOR_CHECK                  625    34.00    58.19    1.02
  12  HTML_MESSAGE                 512    54.56    47.67   63.96
  13  RCVD_IN_SORBS_WEB            479    25.94    44.60    0.51
  14  RCVD_IN_BL_SPAMCOP_NET       466    25.24    43.39    0.51

 

As we can see, many of the top 14 triggered spam rules are related to sender reputation...!

 

And yes, the filtering efficiency is good.

BTW, congrats to the guys who worked on the Pyzor issue, for it hadn't properly worked for years...
