Scammers Sell Free Mobile Flash Player Using YouTube Feeds

Scammers love to sell “Flash Player” for Android to careless users who are easily deceived. Although a series of these scam apps were deleted from the official Android app store after our recent report, malicious apps such as Android/Fladstep have reappeared in the store. This time scammers are promoting their sales tools using the RSS feeds from the world’s most popular movie distribution site, YouTube, to impersonate legitimate apps.


After being launched, the malicious app shows a playlist of video movies with titles related to Flash Player for Android devices.


This playlist of movies is actually retrieved from YouTube, from its published RSS feeds. We can bet that these movies do not belong to the attacker.


The playlist appears to start with advice about Flash Player. However, the scammer first replaces all the movie links with links to fraudulent sales websites, which require visitors to pay money for the fake Flash Player. (Adobe’s version is free.) We have seen these websites before.


If a user selects “Yes” on the download site, a familiar, suspicious page appears. Finally the user is redirected to a PayPal page. Unlike the previously reported case in which the scammer offered the free Flash Player for €5, this time the scammer has doubled the price, to €10.


Of course, you don’t need to pay for this bogus free version of Flash Player for Android; you should directly download and install it from Adobe. If it appears you have been tricked into buying a maliciously crafted version of Flash Player, you can simply close the app or browser if you see the preceding screen.

The post Scammers Sell Free Mobile Flash Player Using YouTube Feeds appeared first on McAfee.

CelebGate: a Long, Dangerous List of Celebrities

During the past few days, the media has been abuzz with the massive celebrity photo leak nicknamed The Fappening or Celebgate 2014. The story started on August 31 when the first nude pictures appeared on a 4chan board. An impressive list of victims has been posted.
Fake or true, today almost 450 pictures and videos are circulating on 4chan, Reddit, or Imgur in connection with this story. A Google search for “The Fappening 2014″ returns more than 1.4 million URLs. While some netsurfers work at posting them, website administrators work at deleting them.

The forums are inflamed, and dedicated websites are popping up to expose these photos.
Archives are offered to download:
And of course, malicious software is never far from such stories. Searching for these real or fake pictures is a dangerous sport. Behind the URLs you can discover via Google or dedicated forums, most of these paths are dangerous. Your chance of landing on a page that tests positive for spam, adware, spyware, viruses, or other malware is almost a sure thing.

My first two attempts infected my test computer.
After I disabled my antivirus for 10 minutes to easily browse, I was (not) surprised to detect 10 or more new infections (in the following case several Trojans).
In 2013, McAfee published a list of the 10 most dangerous celebrities. Today we appear to have a Top 100!

You should always be extra cautious when searching hot topics, which often lead to unwanted programs offered by unscrupulous companies or to malicious sites created by cybercriminals.

The post CelebGate: a Long, Dangerous List of Celebrities appeared first on McAfee.

Examining Your Very Own Sefnit Trojan

Most malware is created for economic purposes. To name just a few of our reports and blogs on this topic, we have written about Cybercrime Exposed, stolen data, and the Target point-of-sale malware.

But sometimes it’s not clear to our customers how much time and skill malware authors invest in their tools. A recent case at McAfee Labs got us scratching our heads to understand what was going on. The malware in question was already detected by our products as Sefnit-FAT, but the true content of the malware couldn’t be replicated in our environment no matter what we did.

Sefnit is a malicious family used in ad-click fraud. The infected computers will start to silently access various advertisement links to increase the ad hits and give money to the ad owner.

This is usually done by installing a malicious DLL in the system that monitors active browsing sessions and injects code into any request made by the user. It may also involve the use of malicious browser add-ons, which perform the same function.

Back to our case: We had to describe the features in the malware sample submitted by one of our customers, but the sample wouldn’t replicate in our environment.

The sample was a DLL, packed with Themida, a known packer and code protector that is pretty hard to reverse-engineer. Accompanying the sample was a file with same name as the DLL but the extension .idx. It contained encrypted data.

After removing the Themida packer layer, we found the code to read and decrypt the .idx file. The DLL file was simply decrypting the content of .idx and loading it in memory.

But one thing caught our attention and explained why we were not able to replicate the sample: The “key” to decrypt the file was formed by hashing information from the machine on which it ran. The malware collected information such as machine GUID, the folder where it was started, computer name, and other data to generate a hash, which was then used as the key.

If the sample was not run from a specific folder, on a specific machine, it would not decrypt the payload.

How was that encrypted file generated? How did the malware author know what information was present on the target machine to create a file that was unique to it?

Connecting the Dots

We knew that this detection was pretty prevalent, with thousands of detections per day, and that got us thinking how the malware could be so widespread and at same time unique to each machine, which is a characteristic of a targeted attack.

sefnit-FATSefnit detection data. (Source: McAfee GTI)

Looking at our Global Threat Intelligence (GTI) data, we noticed that Sefnit-FAT overlapped samples detected by another detection: Trojan-FDNK.

Our GTI data allow us to relate samples based on several factors, and one that helped us is replication data. We were able to find an executable (MD5: 129FFF31E13180F6E42C1991FB20EA12) that during replication dropped another sample detected by Trojan-FDNK. That was possibly a dropper for the DLL we were trying to analyze.

The file was a small executable (less than 50KB) with a PDF icon. These files are usually dropped on user systems by exploit kits such as Blackhole, Redkit, or Cool. We detect these as Dropper-FJS, Sefnit-FDNJ, and Trojan-FDLW, among others.

This executable turned out to be another layer of obfuscation. Once executed, it looks for setup.dat in the same folder where it is located, and decrypts this content in memory, generating a DLL. Let’s call this the Dropper DLL.

This DLL is never written to disk, but instead is loaded in memory and executes from its entry point. When analyzing what this DLL did, we noticed that it was Sefnit.

Sefnit at Work

So we were able to find a dropper for the Sefnit DLL, but it was not clear yet how it was locked to run only on one specific machine. We took a closer look at the Dropper DLL, and what we found was pretty interesting.

Once the DLL executes, it collects the following information:

  • Machine GUID
  • System Driver: Name
  • Process: Name, Executable Path
  • Network Adapter Configuration: Caption, Description, MAC Address
  • Computer System Product
  • Operating System
  • Processor
  • Onboard Device
  • CDROM Drive
  • Sound Device
  • Logical Disk
  • Disk Drive
  • Physical Media
  • Computer System
  • Base Board
  • System Enclosure
  • Display Configuration
  • Video Controller
  • BIOS
  • System
  • System Board: Product, OEM string array, Model, Caption, Serial number, Version, Manufacturer

The first hint that this had something to do with our DLL was the collection of the machine GUID, which was used by the Loader DLL to decrypt its payload. Analyzing the function that captured this information in both the Dropper DLL Sefnit sample and the Loader DLL we got from our customer, we confirmed that they have exactly the same code:

loader_dll dropper_dll


The code to collect machine GUID matches exactly on Dropper DLL and Loader DLL.

This information is encrypted and sent to the malicious control server for this malware. The server then sends another DLL, which is specifically tailored for the infected machine. And that DLL is exactly what we had from our customer.

This custom DLL was configured to look for a file in the same folder where it was dropped and with the same name as itself, but using one of four extensions: .idx, .lck, .txt, or .dat.

It decrypts this file using the same information collected by Dropper DLL, and starts this decrypted content the same way that the Dropper DLL was started.

We now had almost the full picture, but one piece was still missing: What was the content of the .idx file we received?

Exposing the Plot

Continuing our analysis of Dropper DLL, we noticed that after receiving Loader DLL from the web server, it creates a registry key to start it after reboot:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run = regsvr32 /s %appdata%\loader.dll

(The preceding DLL name is just an example. The actual DLL might have random names on different systems.)

At this point, we solved the mystery: Dropper DLL, which was created in memory by the executable, encrypted itself using the same information collected earlier, and wrote the encrypted data to a file named after the Loader DLL sent from server, and using one of the four extensions we named.

We analyzed the rest of the code and found how the machine lock observed in the initial DLL is generated. The following graphic illustrates the process:

flowchartFlowchart of a Sefnit infection.

As we can see, the mysterious .idx is the same thing as the Dropper DLL generated in memory by the executable, which in turn was dropped on the system by the exploit kit.

We have found several other files with same name (setup.dat) on our database, and all of them can be decrypted by the same executable, and generate the same malware.


The group behind this malware uses a complex method to ensure that their samples will run only on specific machines, in an attempt to divert malware analysts and automated malware analyzer systems from learning what the malware does, and to avoid exposing code to anyone trying to see what is happening.

This may seem like too much work just to hide ad-click fraud, but if you have read our other reports you will know that these miscreants earn millions of dollars each year.

But with the power of our GTI infrastructure and a little ingenuity, we were able to uncover this malicious scheme and protect our customers.

The post Examining Your Very Own Sefnit Trojan appeared first on McAfee.

McAfee Labs 2014 Threats Predictions

As we wind down the year, it’s a time to reflect, but also to look forward. Some of us may be thinking about resolutions and what we need to do in the upcoming year—exercise more, eat better, have better work/life balance, etc. Others of us will be thinking about how we’re going to ring in the New Year.

This time of year the McAfee Labs™ team is busy looking at what the new threats are going to be and what are new trends they expect to see. Today they released their 2014 Threats Predictions, and here’s what they believe will be in store for us:

Mobile Malware

While this is not new, this category of malware is growing like wildfire and McAfee Labs sees no slow down on this in 2014. And besides continued growth in this category (mostly on the Android platform), they believe that some  types of mobile attacks will become prevalent.

One of these growing attacks is ransomware targeting mobile devices. Once the cybercriminal has control of your device, they will hold your data “hostage” until you pay money (whether that’s conventional or virtual, like Bitcoin) to the perpetrator. But as with traditional ransomware, there’s no guarantee that you really will get your data back.

Other mobile tactics that will increase include exploiting the use of the Near Field Communications (NFC) feature (this lets consumers simply “tap and pay,” or make purchases using close-range wireless communications), now on many Android devices, to corrupt valid apps and steal data without being detected.

Virtual Currencies

While the growth of Bitcoin and other virtual currencies is helping promote economic activity, it also provides cybercriminals using ransomware attacks with a perfect system to collect money from their victims. Historically, payments made from ransomware have been subject to law enforcement actions via the payment processors, but since virtual currency is not regulated and anonymous, this makes it much easier for the hackers to get away with their attacks.

Attacks via Social Networking Sites

We’ve already seen the use of social networks to spread malware and phishing attacks. With the large number of users on Facebook, Twitter, Instagram and the likes, the use of these sites to deliver attacks will continue to grow.

In 2014, McAfee Labs also expects to see attacks that leverage specific features of these social networking sites, like Facebook’s open graph. These features will be exploited to find out more information about your friends, location or personal info and then be used for phishing or real-world crimes.

The other form of social attacks in 2014 will be what McAfee Labs calls “false flag” attacks. These attacks trick consumers by using an “urgent” request to reset one’s password. If you fall for this, your username and password will be stolen, paving the way for collection of your personal information and friend information by the hacker.



Here’s some security resolutions to help you stay safe online in 2014:

  • Strengthen your passwords: If you’re still using easy to remember passwords that include your home address and pet’s name, it’s time to get serious about creating strong passwords that are at least eight characters long, and a combination of numbers, letters and symbols. Don’t include any personal information that can be guessed by hackers.
  • Don’t open or click on suspicious emails, text or links: By simply opening an email with a piece of ransomware within it you could be leaving your devices vulnerable to hijacking.
  • Be aware when downloading apps: Since apps are the main way mobile malware is spread today, make sure to do your research before downloading any app and only download from reputable app stores.
  • Limit your use of NFC, Wi-Fi and Bluetooth: If your phone has NFC capabilities, you may be unaware of default settings. Turning this feature off, as well as turning off Bluetooth and Wi-Fi connections, will not only help you save battery life on your devices, but prevent attacks from hackers looking to exploit your wireless connections.
  • Check your bank statements and mobile charges regularly: This way, you can discover and report any suspicious charges
  • Install comprehensive security on all your devices: With the growing amount of threats that we’re seeing, you want to make sure that your all your devices (not just your PC) are protected. Consider installing security software such as McAfee LiveSafe™ service that protects your data, identity and all your devices (PCs, Macs, smartphones and tablets).


RobertSicilianoRobert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.