Jun 28 2013

It’s not all code: A walk-through of goodies from Microsoft Build 2013

This week, you've joined us for the liveblogs and heard the many different announcements from Microsoft's Build developer conference. We got an extensive hands-on look at the new features in Windows 8.1 and its many interface changes. We also touched on Windows' new out-of-the-box 3D printing capabilities and took a stroll through the vastly improved Windows Store. After all that, we perused the miniature show floor, which was mostly a showcase of some of the latest Windows products. Take a peek.

Read on Ars Technica | Comments

    


Jun 28 2013

Leak of powerful malware tool like “handing a bazooka to a child”

Some of the goodies included with Carberp.

The recent leak of source code for a powerful piece of bank-fraud malware may spawn a surge of advanced botnet attacks carried out by copycat hackers who previously didn't have the skill to pull off such feats, security researchers warned.

Carberp, as the botnet-creation toolkit is known, previously sold in underground crime forums for as much as $40,000 a license. In the last week, source code for the crimeware began circulating online for free and can now be acquired by many people who have a few hours to poke around. While the leak is a boon for researchers who want to know as much as possible about the inner workings of sophisticated malware, it also comes with a dark side: it isn't that hard for malware newcomers to get their hands on the 1.88 GB package of code.

"In short, it does not take a genius to get a copy of the leaked source code, which makes this whole thing dangerous," Christopher Elisan, principal malware scientist in security firm RSA's FirstWatch department, wrote in a blog post published Friday. "Any script kiddie, who probably does not understand the technology, can use this which may result in dire consequences. It's like handing a bazooka to a child."

Read 1 remaining paragraphs | Comments

    


Jun 28 2013

Security Apps, Malware Race to Be First On Your Mobile

In China, there is a saying: “道高一尺,魔高一丈,” meaning “The law is strong, but the outlaws are sometimes stronger.”

In the last few weeks, a new Android malware we’re calling Android/Obad.A has appeared. It uses a number of techniques that have rarely been seen before in mobile malware. Android/Obad.A requests the victim to authorize its Device Administrator privilege request and exploits a system vulnerability to hide itself from the DeviceAdmin list to avoid being uninstalled. It also uses the commercial code obfuscation tool DexGuard to make reverse engineering and analysis more difficult.

It is interesting to note that although DeviceAdmin has been used by some security applications to avoid being accidentally or intentionally uninstalled, this is the first known instance of a sophisticated malware using DeviceAdmin.
Obad1Obad2

Names of Android/Obad.A classes and variable have been obfuscated to hamper analysis.

Obad3Obad4

Android/Obad.A requests DeviceAdmin privilege.

In addition to those techniques, Android/Obad.A does the following:

  • Collects sensitive information: IMEI (International Mobile Equipment Identity, a phone serial number), operator name, phone number, and local time
  • Encrypts the information and sends it to the attacker
  • Executes commands from the control server, including:
    • sending SMS messages
    • downloading another package
    • installing a package
    • accessing a certain website
    • sending the contacts information to the attacker
    • sending itself to nearby devices through Bluetooth
    • more commands

These payloads have been seen in other mobile malware since the beginning of Android attacks. However, the malware author breaks new ground in antisecurity software techniques–by attacking antimalware software.

Previously, malware has used the basic technique of deleting or uninstalling antimalware programs. Some malware looked for specific versions or particular brands of antimalware; others targeted multiple brands. Antimalware programs now have real-time scanning to prevent malware from running and deactivating them. In contrast, sophisticated malware runs its own service to detect antimalware software being installed on the device and uninstalling it.

All this looks like a race between the security application and malware. Who runs faster, and who catches (detects) whom?

Unfortunately, some antimalware apps can’t remove Android/Obad.A even if they detect it–due to its DeviceAdmin privilege. An alternative way to combat Obad.A is to develop a special tool to reveal it, and then to disable its DeviceAdmin privilege and allow the antimalware product to remove it. We have recently updated our McAfee Mobile Innovations application, which has multiple features, with one to find hidden applications, including malware such as Android/Obad.A.

Obad5 Obad6

McAfee Mobile Innovations uninstalling Android/Obad.A.

Obad7
McAfee Mobile Innovations completing the task of removing Android/Obad.A.

McAfee has a security product used in Japan that tightly integrated with the phone. This product is given root privilege by the manufacturer/operator, so it can detect Android/Obad.A and remove it without a special tool even if the malware is authorized with DeviceAdmin privilege.

Although Obad.A is sophisticated malware, MMS can still detect and remove it while it is installing–before it’s authorized to use the DeviceAdmin privilege. So we strongly suggest Android mobile phone users install McAfee Mobile Security.

There is also another old saying in China:”魔高一尺,道高一丈,” “As vice raises one foot, virtue raises ten.” Whatever malware appear and whatever technology they use, security applications will keep them out of your device.

Jun 28 2013

Hard drive-wiping malware part of new wave of threats targeting South Korea

Amid a new wave of attacks hitting government and media networks in South Korea, researchers have uncovered yet another piece of malware that destroys sensitive hard drive data and renders computers unusable.

Trojan.Korhigh, as the new wiper program is called by security firm Symantec, contains the same kind of functionality that simultaneously shut down the networks of a half-dozen banks and broadcasters in March. Like the earlier Jojka malware, Korhigh can permanently destroy stored data and overwrite a hard drive's master boot record, which contains information required for computers to reboot.

Korhigh accepts several commands that allow attackers to inflict additional damage. One "switch" changes passwords on compromised computers to "highanon2013" according to a blog post published Thursday by Symantec. Another wipes specific types of files, including those that end in .gif, .php, .dll, and 21 other extensions. Korhigh's discovery on Thursday came a day after Symantec researchers said they had identified the hacking group responsible for the March attacks. The newly identified DarkSeoul group is also responsible for a new wave of attacks that hit South Korea on Tuesday and were timed to coincide with the 63rd anniversary of the state of the Korean War.

Read 5 remaining paragraphs | Comments