Operation Troy: OpenIOC Release

 

In conjunction with our investigation into Operation Troy, we will be releasing IOC data in the open and highly flexible OpenIOC Framework format.

The McAfee Operation Troy IOC can be downloaded here.

 

 

 

In addition to various open/free tools, OpenIOC data can be consumed by:

  •             McAfee Network Security Platform
  •             McAfee HIPS
  •             McAfee GTI Proxy
  •             McAfee Web Gateway

 

For more information around the OpenIOC Framework, please visit:

http://www.openioc.org/

 

 

Adult Voice-Service Apps on Google Play Japan Charge Users Without Notice

McAfee has reported on increasing fraudulent Android applications on Google Play in Japan this year, including one-click fraud applications and fraudulent adult dating service applications. The attackers are still looking for new victims using various techniques.

We have also found a new variant of the one-click fraud application that lures careless users into adult voice-connection services to listen to adult stories and later charges a large amount of money without prior notice.

 

20130709-gp-voice-fraud-applist

 

This new variant tricks users into dialing a specific phone number with the device’s standard dialer using a tel:// URI scheme, rather than using telephony APIs for automatic dialing. There is no information about billing for this service; the web page offers just “Listen Now.” By tapping on the button, the dialer application is launched with a preset phone number.

 

20130709-gp-voice-fraud-appdialer

 

Careful users might notice that the Web page has a link to ‘information’ page (‘i’ icon) which includes the terms and conditions. It says the user need to pay money for annual fee if he dials the number even only once. But we can easily imagine most of users will not visit the page because it is clear that the link to the informational page is intentionally difficult to find.

 

20130709-gp-voice-fraud-infopage

 

Once the user dials the phone number and connects to the service, he can hear recorded automatic voice guidance about how to use the service. If the user selects a channel, a recorded “story” plays. There’s no explanation about billing.

When the user next dials the service, the recorded voice talks about billing for the first time. It says the user should go to the informational web page and follow the instructions to pay for the service. If users ignore the payment request, they will get a phone call from the service after a few weeks that says they have not paid and that the service will resort to legal procedures if they will not pay the fee. It also says users must call or email the service to request cancellation in case they have dialed the number by mistake. Of course, you should never pay money for such invalid billing nor call and talk with the fraudster. Just ignore it.

In Japan we have had similar issues related to fraudulent adult voice services long before. An example is the “One Call Fraud,” in which the fraudster dials the victim’s number and quickly hangs up (hence “one call”) expecting that the victim will call back. If so, the fraudster demands payment for the service. We rarely see such traditional fraudulent voice services today, but we could see their revival as smartphone applications.

We first found the current variant around the end of June; these apps were deleted from Google Play at our request. But the same variant has appeared again just today. We estimate that the number of downloads is not yet large, according to statistics on Google Play.

McAfee Mobile Security detects these applications as a variant of Android/OneClickFraud malware and also blocks accesses to the fraudulent website.

New Zero-Day Attack Copies Earlier Flash Exploitation

Late on July 10, Microsoft released a blog post disclosing that they were aware of a zero-day attack in the wild. This attack exploits a previously unpatched Internet Explorer vulnerability (CVE-2013-3163). It’s interesting that the vulnerability was just patched in this month’s Patch Tuesday (July 9), which is perhaps only a coincidence. Although we do not know how long ago the attack began, we do have the official solution right now. (Apply the Microsoft patch if you haven’t done so.)

McAfee Labs rapidly responded to the threat. While digging into the exploitation process, we realized that this attack leverages the same exploitation technology that we were first to identify in an Adobe Flash zero-day attack in February. We call the new exploitation technology the Flash Vector exploitation. As highlighted in our blog post from February, we made a fairly accurate prediction:

More important, the technique looks like a common exploitation approach to Flash Player. The vulnerability actually doesn’t help much–just overwriting few bytes that are considered as a field of “element number” for a specific ActionScript object. These traits show that the exploitation technique is not limited to this particular Flash vulnerability; it may apply to other Flash or non-Flash vulnerabilities.

Both of these attacks leverage a weakness inside Flash Player’s custom heap management, especially, for the heap management of ActionScript “Vector.<>” objects. During our analysis, we also found some minor differences between these two attacks:

  • Because the trigger of the previous attack is a Flash vulnerability, the exploitation contains a step that frees the heap block (“leaving the hole”). In the second case, this step is not necessary because the trigger is an IE vulnerability. IE and Flash use different heap managements; thus IE can overwrite the memory bytes managed by Flash.
  • In the earlier exploitation, the zero day leveraged the “Vector.<Number>()” object and corrupted its length field. In the current case, the exploit leverages the “Vector.<uint>()” object (corrupting its length field as well). For example, the following code sprays a lot of “Vector.<uint>()” objects in the memory:

vector_spraying1

McAfee Labs has released a couple of UDS signatures to protect customers of our Network Security Platform against the IE vulnerability as well as the exploitation. Signature “UDS-HTTP: Microsoft Internet Explorer CBlockElement bdo element tag Use After Free Vulnerability I” addresses the vulnerability, and “UDS-HTTP: Microsoft Internet Explorer CVE-2013-3163 Flash Exploitation” handles the exploitation. Also, the generic buffer overflow prevention feature on our HIPS products will stop the related attacks.

The author would like to thank Bing Sun, Chong Xu, and Xiaoning Li (Intel Labs) for their help with the analysis.

User Ignorance of Cloud Services Poses a Data Leak Challenge

Cloud-based online services are useful tools for many enterprises, allowing them to coordinate their teams, share information and enable discussions within groups. However, companies should be sharply aware of how they manage their privacy settings for these services before discussing business critical matters or uploading sensitive data. 
 
It seems that many Japanese organizations have learned this the hard way. A Japanese newspaper found more than 6,000 cases where public and private organizations exposed internal communications by using the default Google Groups privacy settings. Keeping the default settings allowed for public access to discussion threads rather than making them only accessible to pre-approved members. The newspaper found that hospitals and schools posted records on their patients and students and at least one political party exposed a list of its supporters. In fact, the newspaper itself admitted that its journalists made the same mistake, potentially revealing draft news reports and interview transcripts to the world. 
 
The Japanese government was also involved in this and admitted that officials accidently posted internal memos publicly simply because they used the wrong privacy settings for Google Groups online discussions. This included details on planned negotiations on an international mercury trade treaty along with discussions about this between Swiss and Norwegian environmental ministries. The Japanese environmental ministry’s spokesperson said that while the internal documents were not confidential, it has since taken corrective steps to protect its data. 
 
There have been cases in the past where, even if the cloud service provider has set its default settings to private, users seemingly inadvertently set them to public and exposed data. As a result, more than 12 thousand data buckets were uncovered and almost 2 thousand were visible to the public. The buckets included 126 billion files which included data from social networks, sales records, video game source code and unencrypted database backups. 
 
These cases show how easily sensitive data can be exposed simply by human error as opposed to  malicious attack. The fact that this error was so widespread is worrying and suggests that many simply assumed that their communications were private, rather than checking to see for themselves. Before using any communications tool, always check the privacy settings to ensure that everything is protected.