Mar 30 2011

Android Threat Tackles Piracy Using Austere Justice Measures

Android.Walkinwat is the first mobile phone threat discovered in the wild that attempts to discipline users that download files illegally from unauthorized sites.

Figure 1 – Messages displayed by the Trojan

Presented as a non-existent version (V 1.3.7) of Walk and Text, an application that is available on the Android Market, Android.Walkinwat can be found on several well-known file sharing websites throughout North America and Asia. One could argue that the creators of the threat spread the app intentionally in these regions to maximize downloads and convey their message to as large an audience as possible; one could equally argue that the creator of Android.Walkinwat is attempting to undermine the publisher of Walk and Text.

Once the app is running, the user is presented with a dialog box that gives the appearance that the app is in the process of being compromised or cracked, when in fact the app is gathering sensitive data (name, phone number, IMEI information, etc.) and attempting to send it back to an external server.

Figure 2 – What happens in the background

Additionally, the app sends out the following SMS messages to all the contacts in the contact list:

Figure 3 – SMS message sent to all contacts in the contact list

Interestingly, the Trojan performs the above actions in a routine of Android.Walkinwat called “LicenseCheck”, a name traditionally used by legitimate apps for license management in conjunction with the Licensing Verification Library available for the Android platform to help prevent piracy. The authors of the malicious code have taken the extra step of obfuscating their app, another measure recommended to prevent piracy.

Figure 4 – The LicensingService and LicenseCheck routines

The app concludes with a final message to the user, reminding them to check their phone bill and offering the option of buying the legitimate version of the app from the Android Market.

Figure 5 – Final message displayed by the threat

Although this isn’t the first case of disciplinary justice being used as a means to send a message against piracy, it is the first of its kind discovered on the mobile landscape.

Mar 30 2011

U.K. Tax Scams on the Horizon

As the saying goes: Death and taxes are the only constants in life. This adage can be applied to scams on the Internet as well. Every tax season we can count on scams like these to raise their heads and try to bilk users out of their identity information and hard-earned money. A few of the messaging and spam researchers at McAfee Labs sent me some samples earlier today that I would like to share.

Take a look at the following sample and you will see the typical scam we see during tax season. This one is targeted at United Kingdom computer users and is a decent lure:

This particular scam promises a refund of GBP 239.41 if replied to within 72 hours, cites a few financial institutions, and asks the email reader to click the submission link. That link leads the user to the following fake site:

I found this site interesting because it has a few valid links embedded at the top, but the rest were bogus. Also notice that there is no SiteAdvisor rating at the bottom right. The real HMRC site is rated as green by SiteAdvisor:

All things considered, it is a pretty good fake and I am sure it will fool quite a few people. If you have SiteAdvisor installed or are using a browser with built-in phishing protection, you would be proactively protected:

As always, make sure you are staying updated with your security technologies and expect these types of scams and lures in their seasons. A little healthy skepticism might just save one’s identity or bank account!

Mar 30 2011

Trojan Express Delivery

In the past couple of days, Symantec has observed a spike in email attacks designed to distribute malicious threats. All of the observed samples are spoofed to appear as legitimate delivery warnings or notifications from UPS or Post Express. The message text asks recipients to open the zipped executable file for further details or for the actions necessary to take delivery of the item.

Below are the sample headers observed in this spam attack:

From: "United Parcel Service" <info***[email protected]>
From: "UPS® Customer Services"<***>
From: "United Parcel Service" <***>
From: "Neil Molina" United Parcel Service  <[Details Removed]@ [Details Removed]>
From: "Kimberley Miner" United Parcel Service  <[Details Removed]@ [Details Removed]>

Subject: United Parcel Service notification 40983
Subject: Delivery Status
Subject: UPS: Your Package
Subject: United Parcel Service notification
Subject: United Postal Service Tracking Nr.

From: "Post Express Support" <postmail-int[Details Removed]@[Details Removed]>
From: "Post Express Information" <postmail-usa. [Details Removed]@[Details Removed]>
From: "Post Express Report" <postmail-usa. [Details Removed]@ [Details Removed]>
From: "Post Express Office" <postmail-usa. [Details Removed]@[Details Removed]>
From: "Post Express Information" <postmail-usa. [Details Removed]@[Details Removed]>

Subject: Post Express Office. Package is available for pickup. NR03909
Subject: Post Express Office. Delivery refuse. NR4245855
Subject: Post Express Office. Track your parcel. NR06678
Subject: Post Express Office. Error in the delivery address. NR4061172
Subject: Post Express Office. Get the parcel NR31215

Once the recipient downloads the compressed file, the following threats are installed:

UPS tracking number.exe was detected as Trojan.FakeAV.
UPS notify.exe was detected as Backdoor.Cycbot.
Post_Express_Label.exe was detected as Trojan.Sasfis.
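As an added example (not Symantec's code), a small triage rule built from the lure patterns listed above: a sender claiming to be a delivery carrier or a delivery-themed subject, combined with an executable inside the zipped attachment. The header lines below are constructed samples modelled on the redacted headers in the post; sender domains are not on the page, so the rule does not key on them.

```javascript
// Added example, not from the original post: triage a message against the
// lure pattern described above (carrier-themed sender/subject plus a zipped
// executable). Sample inputs are constructed.
const CARRIER_NAME = /\b(United Parcel Service|UPS|Post Express)\b/i;
const DELIVERY_SUBJECT = /\b(notification|tracking|parcel|package|delivery|pickup)\b/i;
const EXECUTABLE_NAME = /\.(exe|scr|com)$/i;

// Parse "Name: value" header lines into a lowercase-keyed object.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split("\n")) {
    const m = line.match(/^([A-Za-z-]+):\s*(.*)$/);
    if (m) headers[m[1].toLowerCase()] = m[2];
  }
  return headers;
}

// attachmentNames: file names found inside the zipped attachment (assumed
// to have been extracted by the mail gateway beforehand).
function triageMessage(raw, attachmentNames) {
  const h = parseHeaders(raw);
  const reasons = [];
  if (CARRIER_NAME.test(h.from || "")) reasons.push("sender claims to be a delivery carrier");
  if (DELIVERY_SUBJECT.test(h.subject || "")) reasons.push("delivery-themed subject");
  const hasExe = attachmentNames.some((n) => EXECUTABLE_NAME.test(n));
  if (hasExe) reasons.push("executable inside zipped attachment");
  // A delivery lure on its own is what legitimate carrier mail also looks
  // like; only the combination with an executable payload is flagged.
  return { suspicious: hasExe && reasons.length >= 2, reasons };
}

// Constructed samples (not real headers from the campaign).
const LURE_SAMPLE =
  'From: "United Parcel Service" <info@[redacted]>\n' +
  "Subject: United Parcel Service notification 40983";
const BENIGN_SAMPLE =
  'From: "Alice" <alice@[redacted]>\n' +
  "Subject: lunch tomorrow?";

console.log(triageMessage(LURE_SAMPLE, ["UPS tracking number.exe"]));
console.log(triageMessage(LURE_SAMPLE, ["invoice.pdf"]));
console.log(triageMessage(BENIGN_SAMPLE, ["photo.exe"]));
```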

A couple of spam samples are shown below:


Symantec analyzed the attacks further and found that the increase in malicious activity, sent from diverse geographical locations, indicates that spammers are working to rebuild their botnets after the Rustock takedown.

Symantec recommends that users adhere to the basic practice of not opening or downloading any suspicious attachments from emails such as those described above. Also, install all security patches and keep antivirus definitions up to date to prevent the compromise of personal machines or networks.

Mar 29 2011

New XSS Facebook Worm Allows Automatic Wall Posts

Currently a new and unpatched cross-site scripting (XSS) vulnerability in Facebook is being widely used to automatically post messages to other users’ walls. The vulnerability had been used for some time in a few smaller cases; now, for the first time, it is being used widely by many different groups, especially in Indonesia, where we are seeing thousands of infected messages being posted by unwitting users.

The vulnerability exists in the mobile API version of Facebook due to insufficient JavaScript filtering. It allows any website to include, for example, a maliciously prepared iframe element that contains JavaScript, or to use the http-equiv attribute’s “refresh” value to redirect the browser to the prepared URL containing the JavaScript. Any user who is logged into Facebook and visits a site that contains such an element will automatically post an arbitrary message to his or her wall. No other user interaction is required, and no tricks such as clickjacking are involved. Just visiting an infected website is enough to post a message that the attacker has chosen. It should therefore be no surprise that some of those messages are spreading very fast through Facebook. Some post links to infected websites, creating XSS worms that spread from user to user.
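As an added example (not Facebook's code and not the worm), the vulnerable pattern the post describes, untrusted input reflected into markup without filtering, beside a hardened form that encodes it and rejects non-http(s) URLs. The sample input is a constructed, inert test string.

```javascript
// Added example, not from the original post: reflecting a request
// parameter into HTML. The "vulnerable" form is the class of bug the post
// attributes to insufficient JavaScript filtering; the hardened form is a
// standard fix, not Facebook's actual patch.

// Vulnerable: untrusted input is concatenated straight into markup, so a
// value carrying a script element executes in the site's own origin.
function renderVulnerable(message) {
  return "<p>" + message + "</p>";
}

// Hardened step 1: encode the characters that can change HTML context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderHardened(message) {
  return "<p>" + escapeHtml(message) + "</p>";
}

// Hardened step 2: a URL reflected into href/src or a refresh target must be
// an absolute http(s) URL; javascript:, data: and unparsable values are rejected.
function safeUrlForHref(url) {
  let parsed;
  try {
    parsed = new URL(String(url));
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  return parsed.href;
}

// Crude check used here only to show the difference between the two renderers.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed, inert sample value (not a payload from the incident).
const SAMPLE = '<script>document.title="x"</script>hello';

console.log(renderVulnerable(SAMPLE)); // script element survives intact
console.log(renderHardened(SAMPLE));   // rendered as harmless text
console.log(safeUrlForHref("javascript:alert(1)"));     // null
console.log(safeUrlForHref("https://example.com/path")); // https://example.com/path
```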

Unfortunately, since the attack is very easy to recreate, we have already started seeing a few dozen copycats starting new attack waves with different messages.

We informed Facebook’s security team and they are working on a fix for this issue.

This attack works whether or not you have enabled the SSL option in Facebook. Therefore it might be a good idea to log out of Facebook while you are not using it, or to use security tools that protect you from visiting infected sites or block you from doing so. For example, the NoScript extension for the Firefox browser is able to detect this XSS worm attack.

UPDATE (March 29, 2011): Facebook has informed us that they have patched this XSS vulnerability. In addition, they are currently working on steps to remediate damage caused by the attack.