Chicken or Egg: Where Does W32.Changeup Come From?

Throughout history, philosophers and scientists have pondered the question of which came first: the chicken or the egg. Over the last week, Security Response has seen an increase in the number of W32.Changeup detections. We know that Changeup can download a bevy of other threats onto a compromised computer. But one question remains unanswered: how does W32.Changeup compromise a computer in the first place?

While other vendors have indicated the latest round of Changeup has spread through social networking websites, Symantec Security Response has managed to identify one source of the worm.

In recent malicious spam claiming to contain a secure message from banking institutions (Figure 1), users are instructed to download an attached file and execute it. This securedoc.html.zip file is actually an executable file that Symantec detects as Downloader.Ponik.

Figure 1. Downloader.Ponik attached to spam

Once the user executes this file, Downloader.Ponik attempts to contact different URLs in order to locate and download the peer-to-peer version of Trojan.Zbot (also known as Gameover). Trojan.Zbot will then download and execute W32.Changeup.

Figure 2. Steps in Downloader.Ponik attack

Symantec has antivirus and intrusion prevention system signatures in place to protect customers from Ponik, Zbot, and Changeup.

Antivirus protection

Intrusion Prevention System signatures

In addition to the most current antivirus protection and intrusion prevention signatures, Security Response recommends companies warn employees about downloading attachments from email.

While W32.Changeup spreads to network shares and removable drives, we have also observed it downloading the peer-to-peer Trojan.Zbot, so either threat may arrive on a computer first. It is plausible then that the driving force behind the recent rise in Changeup detections is actually to help distribute peer-to-peer Trojan.Zbot.

Android Malware Continues to Thrive in Japan

2012 will be remembered as the year in which Android malware spread widely in Japan and may also be known as the year when some of the developers of the malware escaped punishment for performing the malicious activities.

On October 30, the Tokyo Metropolitan Police arrested a group of five individuals for their involvement in developing and distributing Android.Dougalek. Their goal was to collect personal information stored on Android devices. Coincidentally, the Kyoto Prefectural Police also arrested two men on the same day, and then two more at a later date, for the development and distribution of Android.Ackposts, which was also used to steal personal information. Symantec welcomes this news and applauds the police for their efforts.

Symantec was able to assist the Tokyo Metropolitan Police in its case by providing the details of the Android.Dougalek variants that we had knowledge of. The information was used as part of the evidence that helped lead to the arrest of the suspects. However, the group of five suspects was later released without prosecution because the prosecutor’s office determined that there was a lack of evidence to prove that a crime had taken place. According to media reports, the defendants argued that the permissions required by the apps were clearly stated during installation. As you can see below, the app asks for permission to “read contact data” and hence uploading contact details was not considered to be an illegal activity in this case.
Figure 1. Android.Dougalek permissions
On devices running Android 4.2, permissions have been organized into groups so they can be more easily understood by users, and during the permissions review users can tap a permission to see more detailed information about it. The reality is that such permissions are rarely read or understood by the average user. Symantec’s security products for mobile devices alert users to these apps to provide better information on the behavior of the apps.

It’s worth noting that at the time of writing, the developers of Android.Ackposts have yet to be prosecuted:

Android.Dougalek
* 90,000 installs
* 10 million PII leaked
Source: The Daily Yomiuri

Android.Ackposts
* 10,000 installs
* 4 million PII leaked
Source: The Mainichi

The outcome of the case did not make any difference to at least one other particular group of scammers committing similar malicious acts. Even after the arrests, the group has persisted in spamming out emails that attempt to lure recipients into downloading malware. The group is responsible for Android.Enesoluty, which has not only continued to send spam, but has also continued to aggressively register more domains and set them up to host the malicious apps. Emails are being sent with sender names like “Android App Magazine” and “Smart Magazine” to make the emails appear as though they have been sent by legitimate newsletters. Interestingly, the spamming primarily occurs from the afternoon until early in the morning (Japan Standard Time).

Currently, we can confirm that Android.Enesoluty can be downloaded from the pages displayed in Figure 2 on a number of domains. The pages introduce a variety of topics, including tools to improve battery life or phone reception, an antivirus app, a video app to view undisclosed footage of a famous Japanese idol group, an adult-related video downloader app, and an entertainment app for a popular anime character.
Figure 2. Fake Google Play app pages
Once the apps are installed and launched, contact details are uploaded to the specified servers. What’s worse is that the scammers are sending large amounts of various spam to the acquired email accounts, including a blank email (perhaps used to check if the account is actually active), an email advertising Viagra (which isn’t very common in Japan), an email pretending to be from a manager of a famous celebrity asking the recipient to become a friend of the client (but this email only leads the recipient to a dating service website), and an email introducing the malicious apps.
Figure 3. Viagra advertisement
Figure 4. Celebrity manager spam email
Unfortunately, Android.Enesoluty may not be the only active malware circulating in Japan. Although we cannot confirm any recent spamming activity by these malicious programs, sites hosting malware such as Android.Loozfon and Android.Ecobatry are still accessible. On the other hand, Android.Sumzand, the most prevalent Android malware that spreads through email, has gone quiet for some unknown reason.

If you happen to receive emails from an unknown source trying to persuade you to download an app, think twice before clicking on the links included in the emails. I would even avoid opening up the email if possible. To be on the safe side, I recommend that you download your apps from well-known and trusted app vendors, and install a security app, such as Norton Mobile Security or Symantec Mobile Security, on your phone.

New Mac espionage trojan targets Dalai Lama supporters

A website related to the Dalai Lama is hosting attack code that attempts to surreptitiously install OS X-based spy software on the Macs of people who visit.

The backdoor trojan, dubbed Dockster by antivirus providers, has the ability to capture the keystrokes of infected machines. It also provides an interface that allows attackers to download and execute additional malware, according to this brief analysis from F-Secure. Dockster was uploaded to the VirusTotal malware detection service on Friday, presumably by attackers who wanted to see if it was detected by AV services, according to a separate post from competing AV provider Intego.

The drive-by attacks exploit a now-patched vulnerability in Oracle's Java software framework. CVE-2012-0507 is the same Java bug used earlier this year to infect more than 500,000 Mac users with malware known as Flashback. Oracle has since released an update that patches the hole, and recent changes introduced by Apple also remove a Java-based plugin from default versions of OS X. But users who are using older installations or have changed default settings could still be susceptible.


How a browser worm slithered across a huge number of Tumblr accounts

Malicious code that caused a worm to quickly infect a large number of Tumblr accounts.

A quickly spreading worm on Tumblr has caused media companies The Verge, Reuters, and a large number of other account holders to publish a post laced with racist epithets and other offensive content.

The stunt, attributed to long-time Internet trolling collective GNAA, caused affected Tumblr accounts to display the post. People who viewed the post while logged into Tumblr were in turn forced to publish the offensive content, causing the attack to spread virally according to security researchers. More than 86,000 accounts were affected, according to unconfirmed claims from GNAA members. Tumblr issued a statement saying site engineers are working to combat a "viral post circulating on Tumblr." It advised anyone who has viewed the post to immediately log out of all browsers that may be logged in. Update: Later in the day the company said engineers had resolved the problem.

According to researchers at antivirus provider Sophos, the GNAA post spread by including malicious code that exploited weaknesses in Tumblr's reblogging feature. A coding tag contained in the post linked to malicious code on another website. The JavaScript exploit, which was included in an iframe tag that pointed to an outside website, used what is known as base-64 encoding. It's a technique that uses printable ASCII characters to represent large chunks of binary data and has the benefit, for the attacker, of making it harder to know exactly how a script will behave when executed.
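As an added defensive illustration (not code from the Sophos analysis or from Tumblr), the following Python scans a post body for the two traits described above: an iframe that loads content from an off-site host, and a base64-encoded iframe payload that hides a script tag. The trusted platform host name and the sample post are constructed for this example.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import urlparse

# Hosts a post may legitimately embed; anything else is off-site.
# The host name is an assumption made for this example.
TRUSTED_HOSTS = {"assets.example-platform.test"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"][^>]*>", re.I)
DATA_B64_RE = re.compile(r"^data:([^;,]+);base64,(.*)$", re.S | re.I)


def decode_b64(blob: str) -> Optional[bytes]:
    """Decode a base64 blob, tolerating stripped padding; None if it is not base64."""
    blob = re.sub(r"\s+", "", blob)
    try:
        return base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_iframe(src: str) -> dict:
    """Classify one iframe src: decode data: URIs, otherwise check the host."""
    m = DATA_B64_RE.match(src.strip())
    if m:
        text = (decode_b64(m.group(2)) or b"").decode("utf-8", "replace")
        return {"kind": "data-base64", "mime": m.group(1),
                "decoded": text, "has_script": "<script" in text.lower()}
    host = urlparse(src).hostname or ""
    kind = "external" if host and host not in TRUSTED_HOSTS else "internal"
    return {"kind": kind, "host": host}


def scan_post(html: str) -> list:
    """Return a finding for every iframe that is off-site or hides a script."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        info = inspect_iframe(m.group(1))
        if info["kind"] == "external" or info.get("has_script"):
            findings.append(info)
    return findings


# Constructed sample post: one trusted embed, one off-site iframe, and one
# base64 data: URI that conceals a script which auto-submits a form.
HIDDEN = b"<script>document.forms[0].submit()</script>"
SAMPLE_POST = (
    "<p>Reblogged with love</p>"
    '<iframe src="https://assets.example-platform.test/embed/1"></iframe>'
    '<iframe src="https://offsite.example/worm.js" width="0" height="0"></iframe>'
    '<iframe src="data:text/html;base64,' + base64.b64encode(HIDDEN).decode() + '"></iframe>'
)
```

Running `scan_post(SAMPLE_POST)` yields two findings: the off-site iframe and the decoded data: URI with its hidden script, while the trusted embed is ignored.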
