May 3, 2011
New mobile malware
In April the first full-fledged backdoor for Android was found and now there are already two well-known modifications of the program. Android.Crusewin makes use of a few new methods to spread itself and incorporates previously unknown payload. A victim receives a message similar to the following: Updated MMS / GPRS / EDGE configuration received. Follow the link to use the new configuration: http://.../flash/MM329.apk». When the victim clicks on the link they download a Trojan APK—an Android distribution package (software is available in this format at the Android Market).
Figure 1.
After installation the Trojan downloads its XML configuration file. This malicious program is equipped with a whole set of features. For example, it is capable of sending SMS on command from the server.
In the face of growing complexity of mobile operating systems and increasing performance of devices that run them, smartphone malware also become more complex and similar in their properties to viruses for PCs. Emergence of a program like Android.Crusewind has been anticipated for quite a while. We can assume that with the spreading of anti-virus software for mobile platforms, virus writers will implement in such Trojan horses features found in other classes of malware targeting the x86 platform such as rootkits.
Several new Trojan horses for the mobile OS Android were also discovered. New versions of Android.Spy and Android.SmsSend Trojan horses were found in the wild.
Android.Spy.54 was detected on the Chinese web-site www.nduoa.com that provides access to a collection of applications for the Android platform. The Trojan horse was a part of the program Paojiao - the widget, allowing to make calls or send SMS to selected numbers. Spreading with a legitimate program is a standard method for the malware family Android.Spy to compromise smart phones.
The new modification of Android.Spy registers a background service, which connects to the malicious site and sends victim's identity information (such as the IMEI and IMSI to criminals). In addition, the Trojan horse downloads an xml configuration file containing commands that make it start sending spam SMS from the compromised device and add certain sites to the browser bookmarks.
More vulnerabilities in Adobe products
Our March review described a critical vulnerability in Adobe software. Then the traditional for such vulnerabilities term 0-day literally turned into 0-week—the vulnerability was closed in a week while several exploit samples had already been made available on the Internet.
On April 8, 2011 the public became aware of a new vulnerability CVE-2011-0611, its detailed technical description and implementation instructions followed shortly afterwards. As it happened in the last incident, here we are talking again about embedding a Trojan horse SWF-object into MS Office documents (doc-files) and PDF files. Shortly users began receiving spam messages containing exploits of the vulnerabilities Exploit.Rtf.based and Exploit.PDF.2177.
Figure 2. Exploit.Rtf.based
Figure 3. Exploit.PDF.2177
Mass mailings and fake anti-virus software
Also, the last month saw mass mailings containing numerous modifications of a common Trojan horse Trojan.Download.64325. Several modifications of this downloader were found in two weeks. The Trojan horse downloaded Trojan.FakeAlert.20509 to the victim's computer. Its distribution was fascilitated through the BlackEnergy botnet. Analysis of the botnet activity has revealed a significant mailing list containing a large number of corporate email addresses belonging to, in particular, pharmaceutical companies, such as SecureMedical Inc. It implies that information from e-mail addresses database may have leaked into the hands of spammers.
Fraudulent links and schemes at social networking web-sites
Fraudsters operating on social networking web-sites continue to exploit the interest of users in top news stories, while ignoring any ethical standards. Several accidents in amusement parks were recorded on video and widely publicized. Subsequently, the news about the accidents was used by criminals as a topic for Facebook messages aiming to lure users into clicking on a malicious link.
Figure 4, 5. Newsletter describing the accident in the amusement park in the UK
In other cases the news about the royal wedding served as the bait. Here the user who clicked on such links got to a site, spreading fake anti-virus software.
Figure 6. Fraudulent links to news stories about the royal wedding in the UK
Figure 7. The fraudulent page
Figure 8. The interface of Trojan.FakeAlert downloaded by clicking on malicious links
Conclusion
It is certain now that a new target of virus attacks has been established. Attackers have shown a growing interest in mobile platforms. Currently techniques and experience gained by virus writers for the PC platform is being put to use to develop malware for Android which will grow in complexity and diversity. Most likely, in the near future attackers will also pay attention to the rival platform iOS.
Samples of Trojan horse software detected in April 2011 in e-mail traffic
01.04.2011 00:00 - 30.04.2011 23:00 |
||
1 |
12454766 (27.22%) |
|
2 |
4602849 (10.06%) |
|
3 |
3548126 (7.75%) |
|
4 |
2805880 (6.13%) |
|
5 |
2252602 (4.92%) |
|
6 |
1482644 (3.24%) |
|
7 |
1111063 (2.43%) |
|
8 |
1098522 (2.40%) |
|
9 |
912229 (1.99%) |
|
10 |
797515 (1.74%) |
|
11 |
752502 (1.64%) |
|
12 |
653112 (1.43%) |
|
13 |
629032 (1.37%) |
|
14 |
573559 (1.25%) |
|
15 |
563802 (1.23%) |
|
16 |
552961 (1.21%) |
|
17 |
536032 (1.17%) |
|
18 |
532366 (1.16%) |
|
19 |
526171 (1.15%) |
|
20 |
505686 (1.11%) |
Total scanned:
32,697,947,759
Infected:
45,761,288 (0.14%)
Samples of Trojan horse software detected in April 2011 on users' computers.
01.04.2011 00:00 - 30.04.2011 23:00 |
||
1 |
18929309 (25.86%) |
|
2 |
18457256 (25.22%) |
|
3 |
10341001 (14.13%) |
|
4 |
7473876 (10.21%) |
|
5 |
2744737 (3.75%) |
|
6 |
2583200 (3.53%) |
|
7 |
1786547 (2.44%) |
|
8 |
948927 (1.30%) |
|
9 |
897812 (1.23%) |
|
10 |
685507 (0.94%) |
|
11 |
580001 (0.79%) |
|
12 |
533596 (0.73%) |
|
13 |
513468 (0.70%) |
|
14 |
423250 (0.58%) |
|
15 |
213901 (0.29%) |
|
16 |
161020 (0.22%) |
|
17 |
155310 (0.21%) |
|
18 |
151285 (0.21%) |
|
19 |
147664 (0.20%) |
|
20 |
143945 (0.20%) |
Total scanned:
218,706,105,678
Infected:
73,187,388 (0.03%)
Tell us what you think
To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.
Other comments