By Cameron Palan and Nathan Collier
Recently, we discovered a new malicious Android application called Android.MouaBot. This malicious software is a bot contained within another basic app; in this case, a Chinese calculator application. Behind the scenes, it automatically sends an SMS message to an auto-reply number which replies back to the phone with a set of commands/keywords. This message is then parsed and the various plugins within the malicious packages are run or enabled.
By Dancho Danchev
How are cybercriminals most commonly abusing legitimate Web traffic?
On the majority of occasions, some will either directly embed malicious iFrames on as many legitimate Web sites as possible, target server farms and the thousands of customers that they offer services to, or generate and upload invisible doorways on legitimate, high pagerank-ed Web properties, in an attempt to monetize the hijacked search traffic.
In this post I’ll profile a DIY blackhat SEO doorway generator, that surprisingly, has a built-in module allowing the cybercriminal using it to detect and remove 21 known Web backdoors (shells) from the legitimate Web site about to be abused, just in case a fellow cybercriminal has already managed to compromise the same site.
Are turf wars back in (the cybercrime) business? Let’s find out.
More details: Continue reading
By Dancho Danchev
Despite the fact that on the majority of occasions cybercriminals tend to rely on efficient and automated exploitation techniques like the ones utilized by the market leading Black Hole Exploit Kit, they are no strangers to good old fashioned ‘visual social engineering’ tricks. Throughout 2012, we emphasized on the emerging trend of using malicious DIY Java applet distribution tools for use in targeted attacks, or widespread campaigns.
Is this still an emerging trend? Let’s find out. In this post, I’ll profile one of the most recently released DIY Java applet distribution platforms, both version 1.0 and version 2.0.
More details:
By Dancho Danchev
It’s that time of the year! The moment when we look back, and reflect on Webroot’s Threat Blog most popular content for 2012.
Which are this year’s most popular posts? What distinguished them from the rest of the analyses published on a daily basis, throughout the entire year?
Let’s find out.
By Dancho Danchev
Remember the “Spamvertised ‘DHL Package delivery report’ emails serving malware” campaign profiled earlier this month?
It seems that another cybercrime gang has started impersonating DHL in an attempt to serve malware to the millions of spamvertised end and corporate users.
More details:
By Dancho Danchev
Think you received a package? Think again. Cybercriminals are currently spamvertising millions of emails impersonating UPS (United Parcel Service) in an attempt to trick users into downloading the viewing the malicious .html attachment.
More details:
By Dancho Danchev
The Electronic Frontier Foundation (EFF) is reporting on a recently intercepted malicious documents distributed over Skype, apparently targeting Syrian activists.
Upon viewing the document, it drops additional files on the infected hosts, and opens a backdoor allowing the cyber spies behind the campaign access to the infected PC.
Webroot has obtained a copy of the malware and analyzed its malicious payload.
More details:
By Dancho Danchev
Last night, a friend of mine surprisingly messaged me at 6:33 AM on Skype, with a message pointing to what appeared to be a photo site with the message “hahahahaha foto” and a link to hxxp://random_subdomain.photalbum.org
What was particularly interesting is that he created a group, and was basically sending the same message to all of his contacts. Needless to say, the time has come for me to take a deeper look, and analyze what appeared to be a newly launched malware campaign using Skype as propagation vector.
More details:
By Nathan Collier
We’ve all seen software grow. We watch as our favorite software adds on new features and becomes better at what it does. Malware writers are no different, they want their software to have more features as well as steal even more information. PJApps is a good example of this. PJApps is a Trojan that’s been around for a while causing havoc by being bundled in legitimate applications found in alternative Android markets, it is capable of opening a backdoor, stealing data and blocking sms behind the scenes. In one variant of PJApps it requests the following permissions to steal information:
INTERNET
RECEIVE_SMS
SEND_SMS
READ_HISTORY_BOOKMARKS
WRITE_HISTORY_BOOKMARKS
INSTALL_PACKAGES
WRITE_EXTERNAL_STORAGE
READ_PHONE_STATE
Here’s some of things the older variants of PJApps stole:
-SIM Card Number
-Telephone Number
-IMSI Number
By Dancho Danchev
Who said there’s such a thing as a trusted Java applet?
In situations where malicious attackers cannot directly exploit client-side vulnerabilities on the targeted host, they will turn to social engineering tricks, like legitimate-looking Java Applets, which will on the other hand silently download the malicious payload of the attacker, once the user confirms he trusts the Applet.
Let’s profile a DIY (do-it-yourself) malicious Java Applet generator currently available for download at selected cybercrime-friendly online communities:
