Behold, the world’s most sophisticated Android trojan

Recently discovered malware targeting Android smartphones exploits previously unknown vulnerabilities in the Google operating system and borrows highly advanced functionality more typical of malicious Windows applications, making it the world's most sophisticated Android Trojan, a security researcher said.

The infection, named Backdoor.AndroidOS.Obad.a, isn't very widespread at the moment. The malware gives an idea of the types of smartphone malware that are possible, however, according to Kaspersky Lab expert Roman Unuchek in a blog post published Thursday. Sharply contrasting with the mostly rudimentary Android malware circulating today, the highly stealthy Obad.a exploits previously unknown Android bugs, uses Bluetooth and Wi-Fi connections to spread to nearby handsets, and allows attackers to issue malicious commands using standard SMS text messages.

"To conclude this review, we would like to add that Backdoor.AndroidOS.Obad.a looks closer to Windows malware than to other Android trojans, in terms of its complexity and the number of unpublished vulnerabilities it exploits," Unuchek wrote. "This means that the complexity of Android malware programs is growing rapidly alongside their numbers."

Backdoor.Tranwos Abuses EFS to Prevent Forensic Analysis

Recently, we discovered a threat that abuses the Encrypting File System (EFS), which Symantec detects as Backdoor.Tranwos. Using EFS from program code is trivial, and it is very effective at keeping forensic tools from reading the contents of the file.

The threat creates the folder %Temp%\s[RANDOM ASCII CHARACTERS] and calls the EncryptFileW API on it; from then on Windows automatically encrypts every file and subfolder created inside that folder. The threat then copies itself into the folder under the file name wow.dll and sets the IMAGE_FILE_DLL bit in the Characteristics field of the PE file header, so that the copy is treated as a DLL.

Figure 1. Creates folder and encrypts it

In some cases, security researchers boot another operating system, such as a version of Linux on a removable drive, in order to retrieve malicious files from a compromised computer. This method is useful when retrieving files from a computer compromised by a rootkit. It does not help with wow.dll, however: the bytes on disk are EFS ciphertext, and decrypting them requires the EFS key of the account that created the file, which is itself protected by that account's Windows credentials.

The user account that executed the threat can read the contents of the file and change its encryption status. Because this prevents us from using forensic tools as we normally would, we have to manually execute the threat on a test computer to gather the contents of the file. The only purpose of the threat's use of EFS is to keep its own contents out of reach of forensic analysis.
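As an added example (not Symantec's code or code from the sample), the following Python triage helpers check the two artifacts described above: the FILE_ATTRIBUTE_ENCRYPTED attribute bit that EFS sets on the folder and on wow.dll, and the IMAGE_FILE_DLL bit in the PE file header's Characteristics field that the sample sets on its copy. The PE header bytes and attribute values used here are constructed stand-ins rather than data from the sample, and the function names are my own.

```python
"""Triage helpers for the EFS/DLL tricks described above (added example).

Assumptions: attribute values and PE bytes are supplied by the caller; the
header builder below produces a constructed MZ/PE stub, not a real binary.
"""
import os
import struct

FILE_ATTRIBUTE_ENCRYPTED = 0x4000       # Win32 attribute bit EFS sets on files/folders
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002    # IMAGE_FILE_HEADER.Characteristics bits
IMAGE_FILE_DLL = 0x2000


def is_efs_encrypted(attrs: int) -> bool:
    """True if a Win32 file-attribute value carries the EFS bit."""
    return bool(attrs & FILE_ATTRIBUTE_ENCRYPTED)


def attrs_on_disk(path: str) -> int:
    """Attribute value of a path on a live Windows host (0 on other platforms)."""
    return getattr(os.stat(path), "st_file_attributes", 0)


def characteristics_offset(data: bytes) -> int:
    """File offset of IMAGE_FILE_HEADER.Characteristics; ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # IMAGE_NT_HEADERS = 4-byte "PE\0\0" + IMAGE_FILE_HEADER (20 bytes);
    # Characteristics is the last WORD of IMAGE_FILE_HEADER, at +4+18.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    return e_lfanew + 22


def is_dll(data: bytes) -> bool:
    """True if the PE file header marks the image as a DLL."""
    chars = struct.unpack_from("<H", data, characteristics_offset(data))[0]
    return bool(chars & IMAGE_FILE_DLL)


def set_dll_flag(data: bytes, dll: bool) -> bytes:
    """Set or clear IMAGE_FILE_DLL, leaving the other Characteristics bits alone.

    This is the same one-field edit the sample makes on its wow.dll copy; it is
    here so a lab copy can be flipped back to an EXE-style header for analysis.
    """
    off = characteristics_offset(data)
    buf = bytearray(data)
    chars = struct.unpack_from("<H", buf, off)[0]
    chars = (chars | IMAGE_FILE_DLL) if dll else (chars & ~IMAGE_FILE_DLL & 0xFFFF)
    struct.pack_into("<H", buf, off, chars)
    return bytes(buf)


def build_stub_pe(dll: bool) -> bytes:
    """Constructed 0x80-byte MZ/PE header stub (no sections, no code)."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)            # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, 0x014C)          # Machine = i386
    struct.pack_into("<H", hdr, 0x46, 1)               # NumberOfSections
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if dll else 0)
    struct.pack_into("<H", hdr, 0x40 + 22, chars)
    return bytes(hdr)


def triage(attrs: int, data: bytes) -> dict:
    """What a responder wants to know about a dropped file: EFS state and DLL flag."""
    result = {"efs_encrypted": is_efs_encrypted(attrs), "pe_dll_flag": None, "note": ""}
    try:
        result["pe_dll_flag"] = is_dll(data)
    except ValueError as exc:
        if result["efs_encrypted"]:
            result["note"] = ("not parseable and EFS-encrypted: bytes read without the "
                              "owning account's EFS key are ciphertext")
        else:
            result["note"] = f"not a PE file ({exc})"
    return result


if __name__ == "__main__":
    # Constructed inputs standing in for %Temp%\s...\wow.dll on a live host.
    live_attrs = FILE_ATTRIBUTE_ENCRYPTED | 0x20            # encrypted + archive
    print(triage(live_attrs, build_stub_pe(dll=True)))
    # Same file read from an offline image without the key: opaque ciphertext.
    ciphertext = bytes(range(0x9A, 0xEA))                    # constructed, not real
    print(triage(live_attrs, ciphertext))
```

On a live Windows host, attrs_on_disk() supplies the attribute value from os.stat(); on an image read without the owning account's key, the bytes of an EFS-encrypted file are ciphertext, and triage() reports that instead of a DLL flag. The raw file can always be copied off the volume; what is missing is the key to read it.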

Figure 2. wow.dll file path

After executing this threat, Explorer shows the folder and the file in green as it has been encrypted.

This threat can switch command-and-control servers on command from the remote attacker, received through the back door it opens. It can also download more malware onto the compromised computer. Symantec will continue to monitor this threat and report if anything new is discovered.

The best way to stay safe from this threat and others is to keep your antivirus definitions, IPS signatures, and firewall rules up to date.

Under draft bill, EU wants to raise jail time for hackers, botnet operators

On Thursday, a European Parliament committee approved a new draft directive (PDF) that would, among other things, require European Union member states to step up criminal penalties for hacking, botnets, and other digital malfeasance.

Under EU law, directives are a set of instructions for all 27 (soon to be 28, when Croatia joins on July 1, 2013) member states to “translate” the new rules into their own local law. The new draft directive is set to be voted on by all of Parliament in July 2013 and enter into force shortly thereafter if approved.

According to a press release from the civil liberties committee, the new language requires that maximum prison terms for “illegally accessing or interfering with information systems, illegally interfering with data, illegally intercepting communications or intentionally producing and selling tools used to commit these offences” be set at a minimum of two years.

Koobface Count Correction

The McAfee Threats Report for the first quarter of 2013 highlighted a noteworthy increase in the number of Koobface malware samples on record. This data point is based on the number of unique malicious files associated with the Koobface family, and is generally one indicator of active malware development. Besides changes made to a malware's code base, sample counts can also be inflated by repacking of the same underlying code (a common evasion tactic used by malware distributors), garbage data or junk instructions added to binaries, and other forms of server- or client-side polymorphism (such as self-modifying code, or web server scripts that serve a unique binary with each download). Another complication arises from what is often called a cocktail, in which a parasitic virus inhabits a host file that is itself another piece of malware.

These factors led to our Koobface statistics being off by a large margin. The corrected data below shows Koobface on a continuing decline since Facebook published its landmark post “Facebook’s Continued Fight Against Koobface” nearly a year and a half ago.

[Chart: corrected Koobface sample count over time]

We apologize for the error.