No Winners at QR Code Roulette

Last year a friend had a bright idea for a party game that involved a series of QR codes in a circle on paper. He called it QR Code Roulette. Unlike the gambling game, selecting the right 2D barcode did not make you a winner. It turned out that every QR code contained a URL to an Internet shock site. As soon as I or our other friends scanned a QR code with our phones we witnessed things that probably can’t be unseen. This was a good prank, but fortunately due to my distrust of autoloading and autorunning code I had an app that previewed the URL. If the address were a risky site or malware download I could choose not to visit the URL.

McAfee Download URLs via QR codes arranged in a circle

These QR codes are safe. They point to McAfee mobile security downloads and our Virus Information Library. To verify, download one of the QR code apps mentioned and view the preview URL.

My friend’s little joke drove home the necessity of not blindly scanning every QR code I run across. Some of my colleagues aren’t as lucky. I was discussing a recent threat of malware distributed by QR codes with a couple of coworkers who are penetration testers. They test the security of their clients’ networks and systems nearly daily and are very skilled computer security professionals. Although both of them had QR code-scanning apps on their phone, neither had one that could provide a preview of the URL. I ended up suggesting a couple of free barcode-scanning apps that would keep them from being unpleasantly surprised.

Although distributing mobile malware through QR codes is becoming popular, it’s not a new idea. Security researcher Felix “FX” Lindner described similar attacks about three years ago at the 24th Chaos Communications Congress and DefCon 16. FX claimed that newspaper ads with QR codes are trusted implicitly by readers (“It’s in print; it must be true”) and would make a good vector for exploits and malware. The functionality that enabled the attacks was the automatic loading and following of URLs in QR codes. Point your phone at the QR code and you end up downloading mobile malware.


Screenshot of FX at Defcon 16 on barcodes

In 2007-2008 FX publicly painted a number of scenarios in which QR codes could be used maliciously. We have since seen malicious QR codes that link to mobile malware.

The risk from such downloaded malware is still relatively low, as these are not drive-by downloads. Users would still need to choose to install the JAR or APK files on their smartphones. The risk from exploits, though, is one to worry about. An attacker who places a link to a modified Apple iOS jailbreak exploit or an Android root exploit can take over a victim’s device or steal sensitive information (emails, social network credentials, credit card numbers, etc.).

As I told my two colleagues, there are a number of free QR code- and barcode-scanning apps with preview functions for both Android and Apple iOS. The following are my suggestions for safer QR code scanners:

Google Android

  App                 Author
  Google Goggles      Google
  Barcode Scanner     ZXing

Apple iOS

  App                 Author
  Red Laser           Occipital/eBay
  Bar-Code            Roberto Sonzogni


Protecting yourself from malicious QR codes and avoiding shock sites, mobile malware, and exploits doesn’t have to be too difficult.

  • Use a mobile QR code-/barcode-scanning app that previews URLs
  • Avoid suspicious URLs (for example, domains that don’t match ads, shortened URLs)
  • Do not play “QR Code Roulette” :)
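The "preview before you follow" habit the list above recommends can be automated. The following is an added example, not code from the original post or from any of the scanner apps named above: given the string decoded from a QR code, it applies the article's own checks (show the host, flag URL shorteners, flag direct JAR/APK installer links, flag a host that does not match the domain printed on the ad) and returns warnings instead of opening anything. The shortener list and installer extensions are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed list of common URL shorteners; extend for your own environment.
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "is.gd", "ow.ly"}
# Package/installer extensions: JAR and APK as in the article, plus a few more.
INSTALLER_EXTS = (".jar", ".apk", ".jad", ".exe", ".cab")


def preview_url(url, expected_domain=None):
    """Return (host, warnings) for a string decoded from a QR code.

    expected_domain is the domain printed on the ad or poster, if known;
    a mismatch is reported (the "domains that don't match ads" case).
    An empty warnings list means nothing suspicious was found, which is
    a reason to read the preview, not a guarantee of safety.
    """
    warnings = []
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()   # hostname drops userinfo/port
    if parsed.scheme not in ("http", "https"):
        # tel:, sms:, market:, javascript: or a bare string: not a web link
        warnings.append("non-web scheme: %r" % (parsed.scheme or "none"))
        return host, warnings
    if not host:
        warnings.append("no host in URL")
        return host, warnings
    if parsed.username:
        # http://www.trusted.com@evil.example/ really goes to evil.example
        warnings.append("credentials before the host (look-alike trick)")
    if host in SHORTENERS:
        warnings.append("shortened URL hides the real destination")
    if host.replace(".", "").isdigit():
        warnings.append("raw IP address instead of a domain name")
    if parsed.path.lower().endswith(INSTALLER_EXTS):
        ext = parsed.path.rsplit(".", 1)[-1].lower()
        warnings.append("links directly to an installer package (%s)" % ext)
    if expected_domain:
        exp = expected_domain.lower()
        if not (host == exp or host.endswith("." + exp)):
            warnings.append("host %s does not match advertised domain %s"
                            % (host, exp))
    return host, warnings


def is_safe_to_follow(url, expected_domain=None):
    """True only when the preview raised no warnings."""
    return not preview_url(url, expected_domain)[1]
```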


Downloader.Chepvil and the Malicious Feedback Loop!

Technical analysis: Poul Jensen, Illustrations: Ben Nahorney

Meet Downloader.Chepvil, a malware that has been creating quite a lot of noise recently, hitting inboxes far and wide. This threat begins life as an innocent-looking email and quickly transforms itself into a powerful blended threat capable of stealing information, installing misleading applications, and mailing additional copies of itself from newly compromised computers.

To begin with, let’s take a look at the initial email. It usually follows a predictable format – an enticing message encouraging the victim to open the email attachment.

The content of the email will change frequently; but as an example, a recent set of emails contained the following message:

Dear customer.

The parcel was sent to your home address. And it will arrive within 3
business days.
More information and the tracking number are attached in document

Thank you.

Execute the file contained within the attachment at your peril! Downloader.Chepvil lies in wait and wastes no time inviting some unwelcome friends along to the party.

Once executed, a request is sent for an encrypted configuration file stored at Downloader.Chepvil now has its instructions to install the additional components.

These components are:

  • The Mailer (Trojan.Asprox)
  • The Harvester (an additional Downloader.Chepvil component)
  • The Moneymaker (SystemTool)

The following image illustrates this installation process more clearly in a step-by-step approach:

Ok, so now we’re in real trouble! What are Downloader.Chepvil’s three unwelcome friends capable of? Let’s introduce them:

The mailer:

Trojan.Asprox has been on our radar since June 2007, and for this operation it has been configured to send out the previously described emails (the initial infection vector).

Trojan.Asprox receives an emailing configuration template that has been observed to contain:

  • Approximately 2,000 target email addresses
  • A copy of Downloader.Chepvil to be attached to the email
  • A list of spoofed “From” addresses and “Subject” titles to introduce some variety into the sent emails

This target email list of around 2,000 addresses is a subset of the entire list available to the attacker. Similar templates will be simultaneously sent out to all of the compromised computers that are under the attacker’s control and contain the Trojan.Asprox component.

The following table illustrates how well this model scales:

  Compromised computers    Emails sent
  1                        2,000
  10                       20,000
  100                      200,000
  1000                     2,000,000

The harvester:

This component is a comprehensive information-stealing component that is capable of harvesting email addresses and a wealth of credentials from a wide variety of applications and uploading them to the attacker at This stolen information is useful in many ways to the attacker, but two would prove extremely useful:

  1. Email addresses can be used to further feed the emailing component of the threat, in effect broadening its reach during the emailing phase.
  2. The stolen credentials can also be used to compromise additional servers in order to host SystemTool and Trojan.Asprox and make them available for download.

Over a short period of just over a week, 16 different servers were observed hosting these Trojan.Asprox and SystemTool components. Downloader.Chepvil uses these compromised servers to serve up malware for periods of between 3 and 53 hours.

So, why all of this effort?

The money:

SystemTool is a misleading application capable of causing serious system disruption and displaying exaggerated reports on a computer’s status. End goal? – Get the user to part with some money in order to install the “full product” and restore system stability and security. THIS WILL NOT BE THE CASE!

It is likely that the Downloader.Chepvil attack just takes a pay-per-install fee for the SystemTool threat. It is also highly likely that the SystemTool component will change to some other revenue-generating application over time.

The whole is greater than the sum of its parts:

Configuring several independent pieces of malware to work together can have powerful results, for example:

  1. A configurable mailer component can further distribute Downloader.Chepvil.
  2. A configurable Downloader.Chepvil component can be used to establish the blended threat environment on the newly compromised computer.
  3. An information-stealing component whose stolen data can be fed back into stages 1 and 2. This creates a positive feedback loop, in effect expanding the reach of every subsequent phase of the operation.
  4. The attacker is then capable of expanding the network and further monetizing the whole operation through any of the following options:
       • Install pay-per-install malware (the current revenue-generating technique)
       • Sell on stolen credentials?
       • Utilize the Trojan.Asprox network for SPAM in tandem with distribution?

We will continue to keep a close eye on this nasty piece of work. So in the meantime, ensure that you have the most up-to-date protection and be vigilant when clicking links or opening attachments in your email.

Thanks for reading!

How the M00p Malware Gang Was Brought Down

A piece of malware from the M00p group showing their name embedded in the code. Courtesy of F-Secure

It’s rare that malware-writing crews get arrested for creating the tools that criminals use.

But a presentation at the Virus Bulletin conference in Spain this week described an extensive operation in which law enforcement agents worked successfully with the Finnish anti-virus firm F-Secure to catch two members of the M00p gang, makers of malware that allowed criminals to steal passwords and proprietary documents, remotely control web cams and commandeer computers for use as spambots.

Detective Constable Bob Burls of the Police Central e-Crime Unit in the United Kingdom described, along with F-Secure Chief Research Officer Mikko Hypponen, how “Operation Kennet” was ultimately able to identify two members of the M00p gang — Matthew Anderson and Artturi Alm — which operated from 2004 to 2006. The Finnish company F-Secure got involved in part because M00p crafted malware-infected e-mails that were designed to look like they came from F-Secure.

According to Sophos’ Graham Cluley, who attended the presentation, Burls came onto the case while investigating an intrusion at a hospital that was infected with a piece of M00p botnet malware. He discovered that the botnet communicated with a domain registered to one [email protected]. That address was soon linked to Anderson, a 33-year-old father of five from Scotland, and his company Opton-Security, which purported to be a computer security firm.

In a synchronized early-morning raid in 2006 by British and Finnish police, the two suspects were arrested. Anderson was caught logged in as administrator to the M00p IRC server when he was arrested, and Alm had an open IRC connection to M00p’s IRC channel.

Among the evidence police found on a computer seized from Anderson were incriminating chat logs and sinister images taken secretly of female victims whose webcams had been compromised. In one of the chat logs, the father of five was caught reportedly bragging to another hacker that he’d compromised a teenage girl’s PC and then snapped a picture of her with her webcam after she burst into tears upon discovering that her computer had been commandeered by him.

Alm turned out to be particularly daft at crime. He reportedly embedded his Social Security number in some of the malware the group distributed and also had an arm tattoo bearing the online nick he used to commit his crimes, “Okasvi.”

Despite evidence gathered from the computers and a confession, Alm was sentenced only to community service. Anderson got an 18-month jail sentence. Although the M00p operation was shut down, other members of the gang, reportedly from Canada, Finland, France, Italy, Kuwait, Scotland, and the U.S., remained at large.

Software Makers Win Big in Supreme Court Copyright Fight

The Supreme Court is refusing to review a federal appellate panel’s decision that software makers may use shrink-wrap and click-wrap licenses to forbid the transfer or resale of their wares.

Without comment, the justices on Monday let stand a 9th U.S. Circuit Court of Appeals ruling that is another erosion of the so-called “first-sale” doctrine, which the Supreme Court began to chip away at last year.

The first-sale doctrine generally is an affirmative defense to copyright infringement. It usually allows legitimate owners of copyrighted works to resell those copies.

That 3-0 circuit court decision means copyright owners may prohibit the resale of their wares by inserting clauses in their sales agreements. Autodesk had done that with a version of its popular AutoCAD software. The San Rafael, Calif. company sued to enforce those terms in its sales agreement and prevailed.

The Motion Picture Association of America and Software & Information Industry Association, whose members include Google, Adobe, McAfee, Oracle and dozens of others, urged the appellate court to rule as it did.

The American Library Association and eBay argued against that outcome. The library association said it feared that the software industry’s licensing practices could be adopted by other copyright owners, including book publishers, record labels and movie studios.

That assertion was not lost on the appeals court. It ruled Congress is free to modify copyright law “if it deems these or other policy considerations … require a different approach.”

The 9th Circuit’s ruling last year was believed to be among the first appellate decisions directly addressing whether a user agreement could forbid resales of software. The appellate courts have previously backed companies that have imposed terms on how software may be used.

The 9th Circuit had reversed a lower court judge who ruled the first-sale doctrine applied whenever the consumer is entitled to keep the copy of the work, thus allowing consumers to resell their purchased software at will.

The case concerned Autodesk’s AutoCAD Release 14, which was for sale on eBay. Autodesk, invoking the Digital Millennium Copyright Act, demanded eBay remove the item from the site, and it promptly did in 2007.

Timothy Vernor, the seller, had purchased at least four copies of the software from a company that was required to dispose of the software under an Autodesk user agreement. Vernor re-posted the sale on eBay and his eBay account was terminated after Autodesk complained. Litigation ensued and the Supreme Court rejected his challenge Monday.

Autodesk imposed a significant number of restrictions on its software: The company required that the software could not be transferred or leased without Autodesk’s written consent, and the software could not be transferred outside the Western Hemisphere.

The first-sale doctrine of 1909, in its current form, says the “owner of a particular copy” of a copyrighted work may sell or dispose of his copy without the copyright owner’s authorization.

Last year, the Supreme Court ruled Costco could be liable for copyright infringement for selling foreign-made watches without the manufacturer’s authorization.

Omega, of Switzerland, sued Costco for copyright infringement because Costco was obtaining the watches from unauthorized European dealers that sold them far cheaper than U.S.-based Omega distributors.

Omega copyrighted the watch design in the United States by imprinting the company’s emblem on the underside of the timepiece. The justices upheld a lower court decision saying the first-sale doctrine did not apply to goods produced overseas.

Hat Tip: techdirt

Photo: deltaMike/Flickr