Targets for security threats, vulnerabilities, and attacks.
By Nathan Collier
Android.RoidSec has the package name “cn.phoneSync”, but an application name of “wifi signal Fix”. From a ‘Malware 101′ standpoint, you would think the creators would have a descriptive package name that matches the application name. Not so, in this case. So what is Android.RoidSec? It’s a nasty, malicious app that sits in the background (and avoids installing any launcher icon) while collecting all sorts of info-stealing goodness. Continue reading
By Cameron Palan and Nathan Collier
Recently, we discovered a new malicious Android application called Android.MouaBot. This malicious software is a bot contained within another basic app; in this case, a Chinese calculator application. Behind the scenes, it automatically sends an SMS message to an auto-reply number which replies back to the phone with a set of commands/keywords. This message is then parsed and the various plugins within the malicious packages are run or enabled.
By Nathan Collier
We have found a new threat we are calling Android.TechnoReaper. This malware has two parts: a downloader available on the Google Play Market and the spyware app it downloads. The downloaders are disguised as font installing apps, as seen below:
By Dancho Danchev
Everyday, new vendors offering malicious software enter the underground marketplace. And although many will fail to differentiate their underground market proposition in market crowded with reputable, trusted and verified sellers, others will quickly build their reputation on the basis of their “innovative” work, potentially stealing some market share and becoming rich by offering the tools necessary to facilitate cybercrime.
Publicly announced in late 2012, the IRC/HTTP based DDoS bot that I’ll profile in this post has been under constant development. From its initial IRC-based version, the bot has evolved into a HTTP-based one, supporting 10 different DDoS attack techniques as well as possessing a featuring allowing it to heuristically and proactively remove competing malware on the affected hosts, such as, for instance, ZeuS, Citadel or SpyEye.
More details:
By Dancho Danchev
How are cybercriminals most commonly abusing legitimate Web traffic?
On the majority of occasions, some will either directly embed malicious iFrames on as many legitimate Web sites as possible, target server farms and the thousands of customers that they offer services to, or generate and upload invisible doorways on legitimate, high pagerank-ed Web properties, in an attempt to monetize the hijacked search traffic.
In this post I’ll profile a DIY blackhat SEO doorway generator, that surprisingly, has a built-in module allowing the cybercriminal using it to detect and remove 21 known Web backdoors (shells) from the legitimate Web site about to be abused, just in case a fellow cybercriminal has already managed to compromise the same site.
Are turf wars back in (the cybercrime) business? Let’s find out.
More details: Continue reading
By Dancho Danchev
Over the past year, we observed an increase in publicly available managed TDoS (Telephony Denial of Service) services. We attribute this increase to the achieved ‘malicious economies of scale’ on behalf of the cybercriminals operating them, as well as the overall availability of proprietary/public DIY phone ring/SMS-based TDoS tools.
What are cybercriminals up to in terms of TDoS attack tools? Let’s take a peek inside a recently released DIY SIP-based (Session Initiation Protocol) flood tool, which also has the capacity to validate any given set of phone numbers.
More details: Continue reading
By Dancho Danchev
In an attempt to add an additional layer of legitimacy to their malicious software, cybercriminals sometimes simply reposition them as Remote Access Tools, also known as R.A.Ts. What they seem to be forgetting is that, no legitimate Remote Access Tool would posses any spreading capabilities, plus, has the capacity to handle tens of thousands of hosts at the same time, or possesses built-in password stealing capabilities.
Pitched by its author as a Remote Access Tool, the DIY (do it yourself) malware that I’ll profile in this post is currently cracked, and available for both novice, and experienced cybercriminals to take advantage of at selected cybercrime-friendly communities.
More details: Continue reading
By Adam McNeil
With all the recent media coverage and extreme changes of the BitCoin value, it should come as no surprise that malware authors are trying to capitalize on the trends. These people attempt to make money on all sorts of digital transactions and it’s probably a safe bet to expect their rapid expansion into the up-and-coming Digital Currency market.
The Webroot Threat Research Department has already seen many malware campaigns targeting BitCoin users. The recent explosion (and subsequent implosion) of the BitCoin value has expedited the need for custom compiled BitCoin harvesters and the malware authors are happy to abide.
More details: Continue reading
By Dancho Danchev
Over the last couple of years, the industry’s and the media’s attention has been shifting from mass widespread malware campaigns to targeted attacks most commonly targeting human rights organizations, governments and the military, also known as advanced persistent threats (APTs).
In this post, I’ll profile a recently spotted underground market advertisement, which basically offers a Microsoft Access file of data belonging to executives within major companies such as Audi, Ralph Lauren, Bentley, Breitling, Porsche, Avito, Marc Jacobs, Ralph Lauren, Live Nation, Societe Generale, Bloomberg, Technip, Carlsberg, Coca-Cola, etc., obtained primarily through valid business cards.
More details: Continue reading
On Wednesday, February 27th, Webroot’s Security Intelligence Director (Grayson Milbourne) and Senior Mobile Analyst (Armando Orozco) presented at the RSA Conference in San Francisco. Their topic, Android Malware Exposed – An In-depth Look at its Evolution, is an expansion on their previous year’s presentation, highlighting the severity of Android malware growth. Focusing on the history of operating system releases and the diversity across the market, as well at the threat vectors and behaviors in the evolution of Android malware, the team has established strong predictions for 2013. Continue reading
