Microsoft security sandbox for IE: Still broken after all these years

There's a trivial way for drive-by exploit developers to bypass the security sandbox in almost all versions of Internet Explorer, and Microsoft says it has no immediate plans to fix it, according to researchers from Hewlett-Packard.

The exploit technique, laid out in a blog post published Thursday, significantly lowers the bar for attacks that surreptitiously install malware on end-user computers. Sandboxes like those included in IE and Google Chrome effectively require attackers to devise two exploits, one that pierces the sandbox and the other that targets a flaw in some other part of the browser. Having a reliable way to clear the first hurdle drastically lessens the burden of developing sophisticated attacks.

The bypass technique "does give the attacker a significant advantage by giving them higher-level access than a typical exploit might in Internet Explorer, by allowing them to escape the sandbox," Robert "Rsnake" Hansen, a vice president at security firm WhiteHat Labs, wrote in an e-mail to Ars. "In practical terms this is a very important finding, because it can be tied into existing exploits that might otherwise not be able to escape the IE sandbox."


Terrorists embracing new Android crypto in wake of Snowden revelations

Security researchers announced Friday that they have found new evidence to bolster claims from the National Security Agency that terrorists have altered their countermeasures in the wake of the Edward Snowden revelations.

"Al-Fajr, one of Al-Qaeda's media arms, released a new Android encryption application [in] early June 2014 on their website, referring to how it follows the 'latest technological advancements' and provides '4096 bit public key' encryption," intelligence firm Recorded Future said in a Friday report.

The report added that Global Islamic Media Front, another arm of Al Qaeda, just released a "new version" of Android crypto software.


‘DHL’ SMS Spam Distributes Android Malware in Germany

One of the most common methods for distributing PC malware is the use of email spam messages that pose as tracking notifications from popular delivery companies such as DHL Express, FedEx, or UPS. The reason for this popularity is the technique's effectiveness: most of the time the victim receiving the message can't resist opening the attachment or clicking on a malicious link to learn the current status of a supposed package. So many of us order items online these days that it's easy to fall into the trap.

The same approach can be effectively applied to infect mobile devices. We see it currently happening with a spam campaign via short message service (SMS) targeting German users by using a fake DHL tracking notification to distribute Android malware.

Recently McAfee Labs received a mobile malware sample that is currently distributed as DHL.apk on the cloud storage service Dropbox. The complete URL is hidden using Google’s URL shortening service goo.gl and used in an SMS spam campaign with the following text in German:

“Ihr DHL Packung ist ihnen geliefert, verfolgen Sie online über http://goo.gl/<random>”
(“Your DHL package is delivered, track it online via …”)

Once the application is downloaded and installed, the following icon appears in the home launcher pretending to be the Google Service Framework application:

[Screenshot: the app's icon in the home launcher]

When the malware is executed for the first time, it asks for device administrator privileges to make it difficult to remove or uninstall. The app also simulates the loading of data:

[Screenshot: the app's fake data-loading screen]

What the malware is actually doing, however, is starting a service in the background that will constantly contact a remote control server to request commands to perform any of the following actions:

  • Leak sensitive device information (phone number, device model, IMEI, and IMSI)
  • Send SMS messages using data (phone number and text) provided by the remote server
  • Send a specific text message to all the phone and SIM contacts
  • Steal the contact list

In addition to these actions, every time the infected device receives an SMS message from a number that is not in the victim's contact list, the message is intercepted and forwarded to a remote server (located in Japan):

[Screenshot: intercepted SMS messages forwarded to the remote server]

McAfee Mobile Security detects this threat as Android/SmsHnd.A and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit http://www.mcafeemobilesecurity.com.
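One way a defender can triage a decoded AndroidManifest.xml for the capability combination described above (device-administrator request, an SMS_RECEIVED receiver, SMS sending, contact access and a background service) is to flag the combination rather than any single permission. This is an added example, not McAfee's code or tooling; the manifest it parses is a constructed sample modelled on the write-up, not the real DHL.apk, and the component names and label in it are made up.

```python
import xml.etree.ElementTree as ET
A = "{http://schemas.android.com/apk/res/android}"  # android:* attribute namespace

# Permissions tied to the capabilities the write-up lists for Android/SmsHnd.A
INDICATOR_PERMS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS on C2 command",
    "android.permission.READ_CONTACTS": "steal contact list",
}

def triage_manifest(xml_text):
    """Return {indicator: reason} for every SmsHnd-style capability found."""
    root = ET.fromstring(xml_text)
    hits = {}
    declared = {p.get(A + "name") for p in root.iter("uses-permission")}
    for perm, reason in INDICATOR_PERMS.items():
        if perm in declared:
            hits[perm.rsplit(".", 1)[1]] = reason
    for recv in root.iter("receiver"):
        # A device-admin receiver must be protected by BIND_DEVICE_ADMIN
        if recv.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            hits["DEVICE_ADMIN"] = "asks for device administrator; hinders removal"
        actions = {a.get(A + "name") for a in recv.iter("action")}
        if "android.provider.Telephony.SMS_RECEIVED" in actions:
            hits["SMS_RECEIVED"] = "receiver sees incoming SMS and can forward them"
    if root.find("application/service") is not None:
        hits["SERVICE"] = "background service, consistent with C2 polling"
    return hits

def is_smshnd_like(hits):
    """Flag only the combination: device admin + SMS interception + send/exfil."""
    return ("DEVICE_ADMIN" in hits and "SMS_RECEIVED" in hits
            and ("SEND_SMS" in hits or "READ_CONTACTS" in hits))

# Constructed sample manifest (not the real DHL.apk); names and label are made up
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Google Service Framework">
    <service android:name=".MainService"/>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999"><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(is_smshnd_like(triage_manifest(SAMPLE_MANIFEST)))
```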
