Man convicted for hijacking ex-girlfriend’s MySpace account

After breaking up with her boyfriend of two and a half years, an Illinois woman began to notice obscene messages being posted from her MySpace account. One post included her contact information and a picture of her in a thong. Another read: "Need a blow job? My dad buys them for my boyfriends." She was surprised because although she had shared her password with her ex-boyfriend, she changed it after the breakup.

She called her ex-boyfriend, Steven Kucharski, and demanded that he remove the content or she would go to the police. According to court records, he "started 'giggling and laughing' and told her that she deserved it."

The police investigated. A search warrant to MySpace revealed logs showing that the obscene content had been posted from an IP address belonging to Kucharski's father. Kucharski had helped the woman set up her MySpace account and used an e-mail address that belonged to him. This allowed Kucharski to gain access to the account even after she changed her password.


Turkish ‘Delete Virus’ Targets Facebook Users

Facebook continues to be a favorite target for attackers spreading fake wall-post messages, most of which lead to scams that ask users to respond to surveys. Recently, I discovered a Facebook wall post with a malicious website address that was unknowingly shared by a friend. Once a user is infected, the malicious wall post also tags all of that user's friends. Here is a screenshot of the malicious wall post:

[Image: sil_wallpost, screenshot of the malicious wall post]

The link from this wall post redirects users to a malicious website that hosts malicious code. This site launches its main attack by identifying browsers with the help of the following code:

[Image: sil_code, the browser-detection code from the malicious site]

The preceding code from the malicious site identifies Firefox and Chrome by inspecting the browser's userAgent string.

Firefox

If the malware detects Firefox, it presents the following error message in Turkish:

[Image: sil_firefox_warning, the fake Firefox update message in Turkish]

The Google translation of this message reads:

Please Refresh button, Firefox Add-Update your. Due to system errors and security bugs that are required by pressing the Reload button. Install Firefox Plug-in Update. As long as you have not updated the site faydalanamayacaksınız features.

Once clicked, the site installs the malicious “sosyalag.xpi” (XPI extension archive) file for Firefox (from the malicious site) along with a Chrome application from the Google Chrome store (this app has been removed from the store). Here is the JavaScript function used for the Chrome app:

[Image: sil_javascript, the JavaScript function used for the Chrome app]

Chrome

If the malicious site detects Chrome, it will download the malicious file player.exe from the attacker’s dropbox account without asking the user. After using Chrome to visit the site, a victim will see a fake video page:

[Image: sil_chrome_warning, the fake video page shown to Chrome users]

The malicious site cleverly shows an arrow pointing to the malicious file for download, even though the file has already arrived. Player.exe makes Chrome install another malicious application by adding an entry for a .crx file hosted on another malicious site under the registry key “\Policies\Google\Chrome\ExtensionInstallForcelist”, value 1: “gagalgomhifgcmeciklindhpaihmecgi;https://XXXXXX.com/maflu.xml”. Once an infected user enters Facebook, the malicious code runs JavaScript in the background, infecting further users.
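The ExtensionInstallForcelist policy is a legitimate enterprise mechanism, so the defensive check is not "is the key present" but "does every entry point at an extension we sanctioned, served from the Chrome Web Store update service". The following audit script is an added example, not code from the original post. It works on entries in the format quoted above, “extension id;update URL”. The allowlist, the first sample entry and the optional registry-reading path are assumptions; the second sample entry is the one quoted in the post, with the host redacted as in the post.

```python
"""Audit Chrome ExtensionInstallForcelist policy entries.

Added example, not code from the original post. Entries use the format quoted
in the post, "<extension id>;<update URL>". The allowlist, the first sample
entry and the winreg reading path are assumptions; the second sample entry
reproduces the one quoted in the post (host redacted as in the post).
"""
import re
import sys
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")

# Update URL used by extensions served from the Chrome Web Store.
STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

FORCELIST_SUBKEY = r"Software\Policies\Google\Chrome\ExtensionInstallForcelist"


def parse_forcelist_entry(value: str) -> Tuple[str, Optional[str]]:
    """Split 'id;update_url' into (id, url); the URL part may be absent."""
    ext_id, sep, url = value.partition(";")
    return ext_id.strip(), (url.strip() if sep else None)


def audit_forcelist(entries: Iterable[str], allowed_ids: Set[str]) -> List[Dict]:
    """Return one finding per entry that does not look like a sanctioned install.

    An entry is flagged when its extension id is malformed, when the id is not
    on the organisation's allowlist, or when its update URL is not the Chrome
    Web Store service (a third-party update manifest, as in the campaign above).
    """
    findings = []
    for raw in entries:
        ext_id, url = parse_forcelist_entry(raw)
        reasons = []
        if not EXT_ID_RE.match(ext_id):
            reasons.append("malformed extension id")
        if ext_id not in allowed_ids:
            reasons.append("id not in allowlist")
        if url is not None and url != STORE_UPDATE_URL:
            reasons.append("non-store update URL: " + url)
        if reasons:
            findings.append({"entry": raw, "id": ext_id, "reasons": reasons})
    return findings


def read_forcelist_from_registry() -> List[str]:
    """Read the live policy values on Windows; returns [] elsewhere or if unset."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library, Windows only
    values = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            key = winreg.OpenKey(hive, FORCELIST_SUBKEY)
        except OSError:
            continue  # policy key not present under this hive
        with key:
            index = 0
            while True:
                try:
                    _name, data, _kind = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                values.append(str(data))
                index += 1
    return values


# Constructed sample data.
SAMPLE_ENTRIES = [
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;" + STORE_UPDATE_URL,            # assumed corporate extension
    "gagalgomhifgcmeciklindhpaihmecgi;https://XXXXXX.com/maflu.xml",  # entry quoted in the post
]
SAMPLE_ALLOWLIST = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}

if __name__ == "__main__":
    entries = read_forcelist_from_registry() or SAMPLE_ENTRIES
    for finding in audit_forcelist(entries, SAMPLE_ALLOWLIST):
        print(finding["id"], "->", "; ".join(finding["reasons"]))
```

Run on a Windows host it reads both the machine and user policy hives; elsewhere it falls back to the constructed sample, where the quoted entry is flagged twice: its id is not on the allowlist and its update URL is a third-party .xml manifest rather than the store service.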

VirusTotal Detection

[Images: VirusTotal detection results for Player.exe, sosyalag.xpi and mafera.crx]

The XPI extension file for Firefox contains malicious JavaScript code that targets Facebook. Here is a screenshot of one of the files:

[Image: sil_source, source of one of the JavaScript files inside the XPI]

The name in the preceding script, “Virusü Sil,” is Turkish for “Delete Virus.” The malicious sites hosting the files present users with information in Turkish. This campaign is aimed at Turkish Facebook users, but it is not limited to them. Once infected with these extensions, a victim spreads the same post by tagging their friends.

Facebook has already removed these malicious messages from the infected users’ wall posts. The malicious apps have also been removed from the Google Chrome store.

Tibetan Activists Targeted with More Android Malware

Following the recent discovery of Android/Chuli.A, yet another Android malware has now been found using the same method as Chuli.A: via forged email messages with the Android malware (APK file) as an attachment. However, instead of creating a standalone malicious application that shows a fake invitation about an upcoming congress, this time the attackers compromised Version 3.5.5 of the popular instant-messaging application KakaoTalk by injecting additional code to steal sensitive information from the infected device.

One of the visible modifications made to the original KakaoTalk application is the addition of several suspicious permissions required to execute the injected malicious code. Some of these overlap with permissions that KakaoTalk 3.5.5 already requests, as you might expect from an instant-messaging application: KakaoTalk requires permissions for communication via several protocols (SMS, WiFi, Bluetooth, Internet), access to sensitive information (accounts, contacts, audio, location), and access to specific hardware (camera, microphone) to capture new data, not already present on the device, to be shared with other users.

The following permissions are added to the Trojanized version of the app:

  • android.permission.READ_SMS
  • android.permission.WRITE_SETTINGS
  • android.permission.WRITE_APN_SETTINGS
  • android.permission.MOUNT_UNMOUNT_FILESYSTEMS
  • android.permission.PROCESS_OUTGOING_CALLS
  • android.permission.DEVICE_POWER
  • android.permission.MODIFY_PHONE_STATE
  • android.permission.BLUETOOTH_ADMIN
  • android.permission.USES_POLICY_FORCE_LOCK
  • android.permission.CHANGE_CONFIGURATION
  • adnroid.permission.ACCESS_CHECKIN_PROPERTTES (misspelled)
  • adnroid.permission.CHANGE_WIFI_STATE (misspelled)
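Because the added permissions hide among the legitimate ones, the practical way to spot a Trojanized build is to diff its decoded AndroidManifest.xml against the manifest of the genuine release. The script below is an added example, not code from the original post or from KakaoTalk. It takes decoded manifest text as input (as produced by apktool or a similar decoder), lists added permissions and services, and additionally flags permission names whose prefix is a near-miss of “android.permission.”, since a misspelled platform permission is never granted and is a cheap sign of a hand-edited manifest. Both manifests below are constructed to mirror the description above; they are not the real files.

```python
"""Diff the permissions and services of two decoded AndroidManifest.xml files.

Added example, not code from the original post or from KakaoTalk. Input is
decoded manifest text (e.g. apktool output). The two manifests below are
constructed to mirror the description in the post; they are not the real files.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
PLATFORM_PREFIX = "android.permission."

# Constructed stand-in for the genuine release.
ORIGINAL_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.im">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".PushService"/>
  </application>
</manifest>
"""

# Constructed stand-in for the Trojanized build (permissions and service names
# chosen from the post's lists; the misspelling is deliberate, as in the post).
TROJANIZED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.im">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_APN_SETTINGS"/>
  <uses-permission android:name="adnroid.permission.CHANGE_WIFI_STATE"/>
  <application>
    <service android:name=".PushService"/>
    <service android:name=".AlarmService"/>
    <service android:name=".InfoService"/>
  </application>
</manifest>
"""


def _names(manifest_xml: str, tag: str) -> Set[str]:
    """All android:name values of elements with the given tag."""
    root = ET.fromstring(manifest_xml)
    return {el.get("{%s}name" % ANDROID_NS) for el in root.iter(tag)}


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (small inputs, so the O(n*m) table is fine)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def misspelled_platform_permissions(perms: Set[str]) -> List[str]:
    """Permissions whose prefix is within two edits of 'android.permission.'
    without being it. Custom permissions (com.vendor.permission.X) stay far
    enough away not to be flagged."""
    flagged = []
    for perm in perms:
        head, dot, _rest = perm.rpartition(".")
        prefix = head + dot
        if prefix != PLATFORM_PREFIX and _edit_distance(prefix, PLATFORM_PREFIX) <= 2:
            flagged.append(perm)
    return sorted(flagged)


def diff_manifests(original: str, suspect: str) -> Dict[str, List[str]]:
    """Report what the suspect manifest declares that the original does not."""
    added_perms = _names(suspect, "uses-permission") - _names(original, "uses-permission")
    added_services = _names(suspect, "service") - _names(original, "service")
    return {
        "added_permissions": sorted(added_perms),
        "added_services": sorted(added_services),
        "misspelled": misspelled_platform_permissions(added_perms),
    }


if __name__ == "__main__":
    for key, values in diff_manifests(ORIGINAL_MANIFEST, TROJANIZED_MANIFEST).items():
        print(key + ":", ", ".join(values) or "-")
```

On the constructed pair the diff reports three added permissions, two added services (AlarmService and InfoService) and one misspelled platform permission, which is exactly the kind of artifact the list above records.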

As you can see in the following image, these new permissions are far less visible to the user than they would be in a standalone version:

[Image: Castillo02042013_Pemissions_User_Highlighted, permission prompt with the added permissions highlighted]

Even less visible are the four services added to the Manifest file, which will run in the background:

[Image: Castillo02042013_Services, the four services added to the Manifest]

Only three services work. SmsService is not implemented in the code (it is only mentioned in the Manifest), suggesting that this version of the malware is still under development.

The AlarmService starts when the device is rebooted or turned on, and its only purpose is to set up a system alarm that schedules the execution of InfoService, which collects the following information:

  • Device information: brand, manufacturer, SDK version, IMEI (International Mobile Station Equipment Identity), IMSI (International Mobile Subscriber Identity), SIM (Subscriber Identity Module) serial number, and phone number
  • Call log: number, name from the address book, type, date, duration of the call
  • Phone contacts: name, phone number, email address, plus details like IM (instant messaging), organizations (company and title), notes, nicknames, and address (street, P.O Box, neighborhood, city, region, and country)
  • SMS messages: address, person, body, date, and type
  • Installed applications: package name, date of the first install, and date of the last update
  • Location: Unlike traditional mobile malware, which usually obtains only GPS coordinates (latitude and longitude), this threat also collects more specific cell identifiers, depending on which mobile network the device is connected to: CDMA (base station, network, and system) and GSM (cell ID and location area code).

This information could be used to establish the location of the infected device in a more accurate way than using only GPS coordinates, but to achieve that the malware would also need access to specific technical information about the cellular network architecture such as the physical location of a specific cellular base station that belongs to a certain network operator.

All the collected data is encoded with an XOR logical operation using the sentence “marriage and parenting are serious commitments dont be in a hurry.” The result is stored in the file info.txt, which is later uploaded to an FTP server by the InterService, which runs every time there is a connectivity change. After checking that the device is connected to a network (WiFi or mobile), the service opens the configuration file proper.ini, which contains an encrypted URL. The malware parses the HTML at that URL to obtain the FTP server address and login credentials, then uploads the stolen data.

The malware also constantly monitors incoming SMS messages, inspecting them for any starting with a specific number, which will trigger the collection of specific mobile network data (cell ID, area code, network code, and country code) to reply via SMS with the information.

Although there is no technical evidence that this malware has the same origin as Android/Chuli.A, they share four characteristics:

  • The attacks target Tibetan activists using forged emails with Android applications (APK files) as attachments
  • The purpose of both attacks is the same: To steal sensitive and personal information like phone contacts, call records, SMS messages, and location. However, this threat obtains more detailed and specific data from the contacts and the location of the infected device.
  • The use of the same free Java libraries developed by Sauron Software and licensed under the LGPL, although for different purposes: ftp4j (to manage the FTP communication) and Base64 (to encode the stolen data)
  • The design and structure of the malicious code, the names of services like AlarmService, and the presence of log messages in Chinese
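The encoding described above (a repeating-key XOR with the quoted sentence, with Base64 used for the stolen data) is simple enough that an analyst can reproduce it to read a recovered info.txt or captured upload. The following is an added example, not the malware's code. It assumes XOR is applied first and Base64 second, that the key is the sentence exactly as quoted (the write-up does not say whether the trailing period belongs to the key), and uses a constructed sample record. It also shows the known-plaintext trick that recovers the key from a record with a predictable leading field, which is how the key is confirmed when it is not simply visible as a string in the code.

```python
"""Decode records obfuscated as the write-up describes: repeating-key XOR with
the quoted sentence, then Base64.

Added example, not the malware's code. Assumptions: XOR first, Base64 second;
the key is the sentence as quoted, trailing period included (the write-up does
not say whether it is part of the key); the sample record is constructed.
"""
import base64
from itertools import cycle

KEY = b"marriage and parenting are serious commitments dont be in a hurry."


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_record(plaintext: str, key: bytes = KEY) -> str:
    """Assumed producer side: XOR the record, then Base64 it for transport."""
    return base64.b64encode(xor_with_key(plaintext.encode("utf-8"), key)).decode("ascii")


def decode_record(blob: str, key: bytes = KEY) -> str:
    """Analyst side: Base64-decode, then XOR with the same key."""
    return xor_with_key(base64.b64decode(blob), key).decode("utf-8", errors="replace")


def recover_key_fragment(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext recovery for repeating-key XOR.

    If the first bytes of a record are predictable (a fixed field label such as
    "IMEI=" in the constructed sample), XORing them with the ciphertext yields
    the first bytes of the key. Longer known text recovers more of the key.
    """
    n = min(len(ciphertext), len(known_plaintext))
    return bytes(c ^ p for c, p in zip(ciphertext[:n], known_plaintext[:n]))


# Constructed sample record in the shape of the data the write-up lists.
SAMPLE_RECORD = "IMEI=000000000000000\nbrand=constructed\nsdk=10\n"

if __name__ == "__main__":
    blob = encode_record(SAMPLE_RECORD)
    print("transport form:", blob)
    print("decoded:", decode_record(blob))
    fragment = recover_key_fragment(xor_with_key(SAMPLE_RECORD.encode()), b"IMEI=")
    print("key fragment from known plaintext:", fragment)
```

The key is as long as the sentence (66 bytes), so a single record longer than that already repeats the key stream; that repetition, and the Base64 alphabet on the wire, are the observable traits a network or file detection can key on once the sample has been analysed.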

When Android malware was found at the end of July 2012 on control servers used in the “LuckyCat” campaign targeting India and Japan, it was clear that the attackers were planning to add mobile malware to their targeted attacks, though at that time we did not know how the malware would be delivered to its victims. Now, with Android/Chuli.A and this new threat, we can see that the initial infection vector is forged emails with APK file attachments, together with some social engineering to trick victims into installing the malicious application. Such techniques are still necessary because of the lack of exploits for Android; malware that could perform a genuine drive-by download attack may be the next step in the evolution of targeted attacks on mobile devices.

McAfee Mobile Security detects this threat as Android/KaoSpy.A and alerts mobile users if it is present on their devices, while protecting them from any data loss. For more information about McAfee Mobile Security, visit https://www.mcafeemobilesecurity.com.

Phishing Threat Uses UTF-8 BOM in ZIP Signature to Evade Detection

Last week, we noticed thousands of malware files in the wild that employ a simple phishing attack by modifying the hosts file on Windows systems. What’s interesting, however, is the technique chosen by the malware authors to distribute their payload. The samples in question (Example MD5: 34d9b42bfd64c6f752fe27eef8d80c5f) are packaged in a ZIP file along with a 0-byte readme.txt file.

Usually, ZIP files start with the ZIP signature 0x04034B50 (the bytes “PK”, 0x03, 0x04), but in this case the author chose to insert the UTF-8 Byte Order Mark (BOM), the bytes 0xEF 0xBB 0xBF, before the ZIP header.

[Image: sanchitkarve_ziputf8, hex dump of the sample showing the UTF-8 BOM before the ZIP header]

Unicode BOMs are often used to indicate the endianness of encoded textual data. A BOM is redundant for UTF-8, since byte order has no meaning in UTF-8, which is why the Unicode Standard leaves it optional and does not recommend its use. Despite this, UTF-8 BOMs are not uncommon in text files and data streams; many popular applications (Notepad, Google Docs, etc.) write a UTF-8 BOM to state explicitly that a document is encoded as UTF-8.

Because the ZIP file is prefixed with the UTF-8 BOM, many applications assume it is a UTF-8-encoded text file. Windows 7, for example, reports such a file as an invalid ZIP archive, whereas third-party archivers such as 7-Zip, WinRAR, and some others ignore the BOM and read the ZIP file correctly.

Because the only way to run the file is to manually extract and execute it, the malware authors expect their victims to have third-party archiver applications installed on their computers.

It is also likely that the authors using this technique want to evade detection by antivirus products and email spam filters that adhere strictly to the ZIP format. Even though most of the samples are virtually identical, each has a unique hash because of the varying timestamp fields embedded in the ZIP header and differences in the installers’ overlay sections caused by varying application names.
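The gap the authors exploit is the difference between a strict consumer, which requires the local file header signature at offset zero, and a lenient one, which locates it further in. A scanner that wants the same coverage as 7-Zip or WinRAR has to be as tolerant as they are. The following is an added example, not code from the original post: it builds a small archive in memory with a 0-byte readme.txt (as in the samples described; the second entry name and content are constructed placeholders), prepends the BOM, shows the strict check failing, then locates the real header and lists the entries.

```python
"""Find a ZIP archive hidden behind a leading byte sequence such as a UTF-8 BOM.

Added example, not from the original post. The archive is built in memory with
a 0-byte readme.txt, as in the samples described; the second entry name and
its content are constructed placeholders.
"""
import io
import zipfile
from typing import List

UTF8_BOM = b"\xef\xbb\xbf"
LOCAL_FILE_HEADER = b"PK\x03\x04"   # 0x04034B50 stored little-endian


def build_sample() -> bytes:
    """A small archive with the BOM prepended, mirroring the described samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", b"")                        # 0-byte file, as in the post
        zf.writestr("setup.exe", b"constructed placeholder")  # stands in for the installer
    return UTF8_BOM + buf.getvalue()


def has_strict_zip_signature(data: bytes) -> bool:
    """The test a strict parser applies: the archive must begin with the signature."""
    return data.startswith(LOCAL_FILE_HEADER)


def find_zip_header_offset(data: bytes, window: int = 4096) -> int:
    """Offset of the first local file header within the first `window` bytes, or -1.

    Lenient archivers effectively do this, which is why 7-Zip and WinRAR open
    the file while a strict consumer rejects it. A scanner that wants the same
    coverage needs the same tolerance.
    """
    return data.find(LOCAL_FILE_HEADER, 0, window)


def describe_prefix(data: bytes) -> str:
    """Classify whatever precedes the ZIP header, for a triage report."""
    off = find_zip_header_offset(data)
    if off < 0:
        return "no ZIP header found"
    if off == 0:
        return "none"
    if data[:off] == UTF8_BOM:
        return "UTF-8 BOM"
    return "%d unknown byte(s): %s" % (off, data[:off].hex())


def list_entries(data: bytes) -> List[str]:
    """Entry names after stripping the prefix, so the archive can be inspected."""
    off = find_zip_header_offset(data)
    if off < 0:
        raise ValueError("no ZIP local file header found")
    with zipfile.ZipFile(io.BytesIO(data[off:])) as zf:
        return zf.namelist()


if __name__ == "__main__":
    sample = build_sample()
    print("strict signature check:", has_strict_zip_signature(sample))
    print("prefix:", describe_prefix(sample))
    print("entries:", list_entries(sample))
```

The window limit keeps the scan cheap and avoids matching a “PK\x03\x04” that merely occurs inside some unrelated large file; anything found at a non-zero offset is worth reporting on its own, because a legitimate archive has no reason to carry a text-encoding marker in front of its header.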

As for the sample itself, the main payload is an installer that always bears one or more of the following words: Golaya, Russkaya, or Devochka (which together roughly translate to “Naked Russian Girls” in Russian).

This installer silently executes batch and VBScript files to modify the hosts file on a victim’s machine and map IP addresses to popular Russian websites as shown below:

[Image: sanchitkarve_hostsFile, the modified hosts file mapping popular Russian websites to the attacker’s IP address]

When users visit one of these websites, they are connected not to the site’s real IP address but to the address listed against the site name in the hosts file. As in any other phishing attack, the page hosted at that address looks almost identical to the original site and is perfect bait to lure users into unknowingly giving away their account credentials.
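Because the redirection lives in a plain text file, it is also easy to detect: any mapping of a monitored domain to an address that is neither loopback nor unspecified is a finding, and one external address serving several unrelated domains is the typical phishing pattern. The parser below is an added example, not code from the original post. The hosts content, the addresses (from the TEST-NET range) and the domain names are constructed placeholders.

```python
"""Flag hosts-file entries that redirect monitored domains to non-local addresses.

Added example, not from the original post. The hosts content, the addresses
(TEST-NET range) and the domain names are constructed placeholders.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed sample: a default Windows hosts file with three injected mappings.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net      # ad-blocking sinkhole, legitimate
198.51.100.23   social.example www.social.example
198.51.100.23   mail.example
"""

WATCHED_DOMAINS = {"social.example", "mail.example"}


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, address, hostname) for every mapping in a hosts file."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:                 # one address may map several names
            entries.append((lineno, fields[0], name.lower()))
    return entries


def is_sinkhole(address: str) -> bool:
    """Loopback or unspecified addresses block a name rather than redirect it."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def is_watched(hostname: str, watched: Set[str]) -> bool:
    """Exact match or subdomain of a watched domain."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def find_redirections(text: str, watched: Set[str]) -> List[Dict]:
    """Entries that send a watched domain to a real, non-local address."""
    findings = []
    for lineno, address, name in parse_hosts(text):
        if is_watched(name, watched) and not is_sinkhole(address):
            findings.append({"line": lineno, "host": name, "address": address})
    return findings


def shared_targets(findings: List[Dict]) -> Dict[str, List[str]]:
    """Group flagged hosts by address; several unrelated domains on one address
    is the phishing pattern described in the post."""
    groups: Dict[str, List[str]] = {}
    for finding in findings:
        groups.setdefault(finding["address"], []).append(finding["host"])
    return groups


if __name__ == "__main__":
    found = find_redirections(SAMPLE_HOSTS, WATCHED_DOMAINS)
    for address, hosts in shared_targets(found).items():
        print(address, "<-", ", ".join(hosts))
```

On a real system point the parser at %SystemRoot%\System32\drivers\etc\hosts (or /etc/hosts) and supply the domains your users actually log in to; the ad-blocking sinkhole line in the sample is deliberately left unflagged to show the loopback and unspecified-address exception.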

This threat has been growing steadily over the past few days. VirusTotal reports that it currently has more than 5 million submissions of this malware family.

McAfee detects this threat as Trojan-SkyHook, Agent-FBH and Agent-FBX.

Thanks to my colleague Srinivasa Kanamatha for discovering the anomaly.