New Android malware variant lands with a punch!

On the heels of an invasion of malicious apps in Google’s Android market that occurred in early March, a new variant was detected over the weekend.

The latest run is being dubbed DroidDream Light (DDLight) by its discoverer, Lookout Mobile Security, as it appears to be a variant of the earlier Myournet/DroidDream.

Researchers suspect the new variant was created by the same developers as the older version. That iteration, which infected more than 50 applications back in March, distinguished itself for being distributed via the official Android Market, rather than through suspect third-party providers or alternative app markets.

The Lookout team said it believes between 30,000 and 120,000 users have been affected by DroidDream Light. Meanwhile, the Juniper Networks Global Threat Center blog reported that the malware already has affected 25 applications from at least four Android market developer accounts, and places its tally of affected users at 100,000 or more.

While the malware is dubbed a “light” version of the original, it may in fact be capable of more damage, because the trojan does not need the user to launch the infected app manually.

Instead, the code is triggered when the phone receives a call, researchers said. DroidDream Light may then install additional applications on the device, and those apps may carry code for a variety of malicious tasks.

The four developer accounts discovered to be hosting DroidDream Light – Magic Photo Studio, E.T. Tean, BeeGoo and Mango Studio – were removed from the official Android Market as of May 30, a Google spokesperson told SCMagazineUS.com on Wednesday.

“We’ve suspended a number of suspicious applications from Android Market and are continuing to investigate them,” the spokesperson said in an email.

Lookout offered a few words of warning to Android app users, including a suggestion to only download apps from trusted sources, such as reputable app markets. Users also should look at the developer name, reviews and star ratings, they said.

Also, users should check the permissions an app requests to ensure they match the features the app provides, Lookout said.

Further, Lookout advised users to be on alert for anomalous behavior on their phones, such as unusual SMS or network activity, which could signal an infection.

According to a recently released Juniper report, the number of Android malware attacks increased 400 percent since the summer of 2010. The report also found that application download is the top distribution point for mobile malware, yet most smartphone users are not using any form of anti-virus protection.

Posted in Android

Google remotely killing Android malware

Google is now using a remote security tool to remove malicious applications from affected Android devices after a malware outbreak hit its official app store, the company announced over the weekend.

Early last week, it was discovered that more than 50 apps offered in Google’s official Android Market were infected with malware, known as “DroidDream,” that is capable of gaining root access to a device, harvesting data and installing additional malicious code.

Google has since removed all the malicious apps from its app store and is issuing a security update to affected devices – called “Android Market Security Tool March 2011” – that will remove the exploits and prevent attackers from accessing any more information, the search giant said in a blog post Saturday from Android security lead Rich Cannings.

“This is, in effect, Google’s ‘remote kill switch’ – capable of forcibly removing offending apps from users’ phones,” Graham Cluley, senior technology consultant at anti-virus firm Sophos, wrote in a blog post Monday.

Approximately 260,000 Android devices had one or more malicious apps installed, according to reports. A Google spokesman would not publicly provide a number.

But while Google’s tool effectively eradicates the malware, it does not fix the underlying vulnerabilities that the malicious apps took advantage of, Cluley said.

The apps exploited known vulnerabilities, which have been fixed in Android 2.2.2 (Froyo) and higher, Google said. Those running older Android versions, such as 1.5 (Cupcake), 1.6 (Donut) and 2.0/2.1 (Éclair), may still be vulnerable to similar attacks, Cluley said.

“It is up to individual carriers and smartphone vendors to make sure that the patch is rolled out to users running older versions of Android,” he said. “There are so many devices running so many different flavors of Android, ensuring that all of them are kept up-to-date with security patches becomes a very serious problem.”

Google said it is working with its partners to provide a fix for the underlying security flaws. In the meantime, the company has suspended the developer accounts of those who posted the malicious apps and is in contact with law enforcement.

Also, the search giant is adding additional, unspecified safeguards to prevent other malicious apps from being distributed in the Android Market.

Google said it believes the attackers were only able to gather certain device-specific information: the IMEI and IMSI numbers (the unique identifiers of the handset and of the SIM subscriber, respectively) and the version of Android running on the device.

“[But] given the nature of the exploits, the attacker(s) could access other data, which is why we’ve taken a number of steps to protect those who downloaded a malicious application,” Google’s Cannings wrote.

Posted in Android

Improved anti-debugging methods used by latest malware

During the past few days we found many malware samples using more elaborate anti-debugging methods.

The beginning of some functions looks like this. You can easily see the junk code:

Image1

The malware pushes meaningless parameters and calls some GUI APIs in order to tell an anti-virus emulator apart from a real machine. Please refer to the snapshot below:

Image2

Because the arguments pushed for LBItemFromPt() are meaningless, the call fails and sets the thread’s last-error code. LBItemFromPt() is imported by ordinal, which is why it appears in the listing as COMCTL32.#14; the call that follows it is WSAGetLastError(), which the malware uses to read the error code LBItemFromPt() left behind (WSAGetLastError() returns the same per-thread last-error value as GetLastError(), so either would serve). The value is then compared with 578, the code a real Windows system produces here. A typical AV emulator only models a small set of error codes for the APIs it stubs out, so inside an emulator the comparison fails and the malware takes a harmless path, while on a real system it proceeds to the next stage.

Image3

If the malware is running in a real environment, it deliberately triggers an exception and continues with its malicious behaviour from the exception handler.

The stack view is as follows. The SEH handler is 0x00405650.

Image4

The address of the handler is 0x00402FDF. We can see similar junk code there, and a new thread is created.

Image5

Now for the interesting part: in this new thread the malware installs a top-level exception filter through SetUnhandledExceptionFilter().

Image6

When a debugger is attached, Windows’ UnhandledExceptionFilter() hands the exception to the debugger instead of calling the registered filter, so under a debugger we never reach the malware’s filter function. To get there we have to patch UnhandledExceptionFilter() in kernel32: change ‘je kernel32.7c862cc1’ into ‘jmp kernel32.7c862cc1’ (the address is specific to the kernel32 build on the analysis machine).

Image7

Now we can step into the filter function the malware installed. But that is not the end. Inside it, the malware modifies the thread context it was handed (the CONTEXT record in the EXCEPTION_POINTERS argument) and sets its EIP to 0x004027D2. Why?

Image8

The end of the filter function gives the reason: it returns ‘EXCEPTION_CONTINUE_EXECUTION’. Windows’ exception dispatcher inspects the filter’s return value to decide how to proceed, and for ‘EXCEPTION_CONTINUE_EXECUTION’ it resumes the faulting thread with the (now modified) context, so execution continues at whatever EIP the context holds.

So after the filter function returns, execution lands at 0x004027D2, where the real malicious behaviour begins.

To summarize: first, the malware uses the error code of a deliberately failed API call to recognize an AV emulator and stay harmless inside it. Second, it registers its own top-level exception filter and then raises an exception itself; under a debugger the filter is never reached, because UnhandledExceptionFilter() passes the exception to the debugger first. Third, the filter rewrites the EIP in the thread’s CONTEXT and returns ‘EXCEPTION_CONTINUE_EXECUTION’, so the thread resumes at an address of the malware’s choosing and the real payload starts there.
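The second and third steps of that chain, as an added example that is not the malware’s code and not part of the original post: a top-level filter rewrites the instruction pointer in the context it is handed and returns EXCEPTION_CONTINUE_EXECUTION, so the thread resumes inside a function that nothing ever called. On Windows this uses exactly the API described above (SetUnhandledExceptionFilter from a freshly created thread, then a deliberate fault). For Linux x86_64 the closest stand-in, chosen for this example and not something on the page, is a sigaction handler that rewrites the program counter in the ucontext before returning. The names payload, run_demo, trigger_fault and g_bad_ptr are invented here; the post’s 0x004027D2 appears only in a comment.

```c
/* Added example, not code from the post or the malware. A top-level filter
 * rewrites the instruction pointer in the context it is handed and returns
 * EXCEPTION_CONTINUE_EXECUTION, so the thread resumes inside payload(), which
 * nothing ever called. Build: cl /W4 redirect.c   or   gcc -O2 -Wall redirect.c */
#define _GNU_SOURCE
#include <setjmp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
static volatile int g_payload_ran;        /* set only by the redirected-to code */
static volatile uintptr_t g_bad_ptr = 0;  /* opaque null: the store cannot be folded away */

#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
#define ALIGNED_ENTRY __attribute__((force_align_arg_pointer)) /* entered with any RSP */
#else
#define ALIGNED_ENTRY
#endif
#ifdef _WIN32
#include <windows.h>
#define PAYLOAD_EXIT() ExitThread(0)      /* leave without unwinding the borrowed stack */
#else
#include <signal.h>
#include <ucontext.h>
static sigjmp_buf g_escape;
#define PAYLOAD_EXIT() siglongjmp(g_escape, 1)
#ifndef REG_RIP
#define REG_RIP 16   /* glibc's x86_64 index, in case _GNU_SOURCE was not seen first */
#endif
#endif

/* Stands in for the malware's real entry point (0x004027D2 in the post). It is
 * entered with the faulting instruction's stack, so it must never return. */
static void ALIGNED_ENTRY payload(void)
{
    g_payload_ran = 1;
    PAYLOAD_EXIT();
}
static void trigger_fault(void)           /* the malware raising its own exception */
{
    *(volatile int *)g_bad_ptr = 1;
}

#ifdef _WIN32
/* Same shape as the malware's filter. Under a debugger it is never reached:
 * UnhandledExceptionFilter hands the exception to the debugger first (the 'je'
 * the post patches into a 'jmp'). */
static LONG WINAPI redirecting_filter(EXCEPTION_POINTERS *ep)
{
#if defined(_M_X64) || defined(__x86_64__)
    ep->ContextRecord->Rip = (DWORD64)(uintptr_t)payload;
#else
    ep->ContextRecord->Eip = (DWORD)(uintptr_t)payload;
#endif
    return EXCEPTION_CONTINUE_EXECUTION;  /* -1: resume with the patched context */
}
static DWORD WINAPI worker(LPVOID unused)
{
    (void)unused;
    SetUnhandledExceptionFilter(redirecting_filter);
    trigger_fault();
    return 1;                             /* only reached if the redirect failed */
}
int run_demo(void)                        /* 1 if payload() ran via the rewritten context */
{
    HANDLE h;
    g_payload_ran = 0;
    if ((h = CreateThread(NULL, 0, worker, NULL, 0, NULL)) == NULL) return -1;
    WaitForSingleObject(h, INFINITE);
    CloseHandle(h);
    return g_payload_ran;
}
#else
static void redirecting_handler(int sig, siginfo_t *si, void *raw_ctx)
{
    ucontext_t *uc = (ucontext_t *)raw_ctx;   /* x86_64 glibc register layout */
    (void)sig; (void)si;
    uc->uc_mcontext.gregs[REG_RIP] = (greg_t)(uintptr_t)payload;
}   /* returning normally (sigreturn) resumes at the rewritten program counter */

int run_demo(void)                        /* 1 if payload() ran via the rewritten context */
{
    struct sigaction sa;
    g_payload_ran = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = redirecting_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGILL, &sa, NULL);         /* in case the compiler lowers the store to ud2 */
    if (sigsetjmp(g_escape, 1) == 0) {
        trigger_fault();
        return -1;                        /* only reached if the redirect failed */
    }
    return g_payload_ran;
}
#endif

int main(void)
{
    int ok = run_demo() == 1;
    printf("payload reached through the rewritten context: %s\n", ok ? "yes" : "no");
    return !ok;
}
```

Run it without a debugger and it reports that payload() was reached even though no call instruction ever targeted it. Attach a debugger on Windows and the filter is skipped and the process dies on the access violation, which is exactly the behaviour the ‘je’ to ‘jmp’ patch above works around. Note that payload() starts with the faulting instruction’s stack and no valid return address, which is why it exits the thread (or longjmps out) rather than returning; a real sample has the same constraint, and its 0x004027D2 code never returns either.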

Posted in Threat Detection

Facebook Security and Privacy

As the sun sets and I breathe some of the night-time air, I am inspired to write about Facebook.  Yes, *the* Facebook, which would be the third largest country in the world if it were a physical place with borders under a common rule of law and government.  When this many people use a service, it bears attention, especially when it comes to understanding its security and privacy.  Chances are a person has an account with Facebook.com, and chances are that person has studied and understood the various controls Facebook provides for turning the privacy and security dials to maximum comfort.

With that said, my goal is to step through those dials in this article.  Feel free to comment and help make improvements. Also, please click on any images which appear small to render the full size.

Facebook Country

Privacy Settings

Once logged into your account on Facebook, open the “Account” menu in the upper right-hand corner of the screen and choose “Privacy Settings“.  The images and text that follow describe a framework, or technique, for locking security and privacy down about as far as Facebook allows while still keeping an account.  Use it as a guide or model and execute your own technique; your mileage may vary.  Be sure to check out “Controlling how you share“, a resource at Facebook.

Account > Privacy Settings

 

Facebook Privacy Settings

Notice the canned options listed down the left-hand side.  These are common to Facebook and appear in almost all settings across the board.  Better enumerated as:

  1. Everyone
  2. Friends of Friends
  3. Friends Only
  4. Recommended
  5. Custom

“Recommended” is not one of the “across the board” values.  In the image above, “Custom” has been selected; to replicate it, simply click the link that reads “Customize Settings” and observe the following image.

Account > Privacy Settings > Customize Settings > Things I Share

 

Facebook Customize Settings

This brings you to “Things I Share” and the other sharing sections, to be witnessed momentarily.  Pay particular attention to “Posts by me”: Facebook treats your selection there as the default privacy for everything you post, including status updates and photos.

Two groups are referenced here, called “Family” and “Family – Extended”.  Treat them as examples, as a person may define their own.  This is an exercise to show how settings may be customized.

Next we move to “Things Others Share” and “Contact Information”.

Account > Privacy Settings > Customize Settings > (Things Others Share and Contact Information)

 

Facebook "Things Others Share" and "Contact Information"

Omitted from this screen are Email Address and Phone Number.  Those settings look like this:

Facebook Privacy Settings for Email and Contact Info

Account > Privacy Settings > Customize Settings > Things I Share > Posts by Me

Next we quickly look at “Posts by Me” to see what the typical “across the board” enumeration of selection options looks like:

Facebook Settings Enumerated

See?  Choosing “Custom”, one may better control their privacy requirements. Delving into “Custom” we see the following screens (I broke them up just for this article):

Facebook Customize Granular

Options to Display, and Options to Hide.

Account > Privacy Settings > Customize Settings > Things I Share > Include me in “People Here Now” after I check in

Here is a sample image of Places and checking in, and the option to have a person be included.  The picture above has this disabled; it is found under “Things I Share > Include me in ‘People Here Now’ after I check in”.

Facebook Places

Account > Privacy Settings > Customize Settings > Things Others Share > Photos and videos you’re tagged in

 

Facebook Photos and videos you're tagged in

Further information on this feature may be explored here.

Account > Privacy Settings > Customize Settings > Things Others Share > Suggest photos of me to friends

 

Facebook Suggest photos of me to friends

To learn more about this feature, click here.  Notice, the option to disable is activated.

Account > Privacy Settings > Customize Settings > Things Others Share > Friends can check me in to Places

Places?  OK for more reading at Facebook on this topic, click here.

Facebook Places

 

Facebook Friends can check me in to Places

Account > Privacy Settings > Customize Settings > Things I Share > Edit privacy settings for existing photo albums and videos

If you have albums or photos, they may be grouped into a gallery display at this point.  Simply adjust your settings as shown below, for Profile Pictures.

Facebook Profile Pictures Setting

Now let us go back to the Privacy Settings page and explore the Applications and Websites settings.

Account > Privacy Settings > Apps, Games and Websites

 

Facebook Apps Games and Websites

If a person has options displaying here for particular applications or games, one will see the kind of information such selections have access to on one’s account.

Facebook Applications, Games and Websites Access

Notice in this example that the only option a person has is to “Remove” the “Posts to my Wall” selection.  The others are required.  “Access my basic information” hands the application everything one has made publicly available.

Some extra options for applications:

  1. Remove the application https://www.facebook.com/settings/?tab=applications
  2. Turn off all applications http://www.facebook.com/ajax/settings_page/platform_apps.php?optout=1 (link disabled)

Visually, this is what that looks like:

Facebook Application Options

Here are some further options for this section:

Facebook Apps, Games and Websites Further Settings

Account > Privacy Settings > Apps, Games and Websites > Info accessible through your friends

One to explore is “Info accessible through your friends” and the various options that provides are shown below:

Facebook info accessible through your friends

Account > Privacy Settings > Apps, Games and Websites > Instant Personalization

Now we move onto “Instant Personalization”, more information available here.

Facebook Instant Personalization

Notice, the option to “Enable” is on the bottom.

Account > Privacy Settings > Apps, Games and Websites > Public Search

Next we check out “Public Search”.  Again, the option to “Enable” is on the bottom.

Facebook Public Search

Account > Privacy Settings > Block Lists

Facebook provides folks the ability to block users, application invites, and event invites.  Screen shown below:

Facebook Block Lists

Account > Privacy Settings > Connecting on Facebook

Then there is “Connecting on Facebook” settings, a quick overview in one place.  Here is an example.  Note, “Send you friend requests” cannot be further closed down from “Friends of Friends”.

Connecting on Facebook

Account > Account Settings

We are complete with what Facebook considers “Privacy Settings”.  Next we check out “Account Settings”.

Account > Account Settings > Account Security

One section worth highlighting is “enable login approvals” in this section.  If a person has not previously enabled it, here is what may be expected:

Facebook turn on login approvals

“Next” prompts a person to confirm a phone:

Facebook confirm your phone

Login approvals send a code to the confirmed phone whenever the account is used from an unrecognized device, so a stolen password alone is not enough.  The same Account Security section also holds the “Secure Browsing (https)” option, which keeps the whole session encrypted and blunts cookie-sniffing tools such as Firesheep on open Wi-Fi.  Facebook has a roadmap that ensures applications will migrate to HTTPS mode as well, but that article is for another time.

Facebook Account Security

Further down this Facebook page one will notice the tracking of account activity and recognized devices.  Here a person may spot potential malicious activity, such as a login from a device or location they do not recognize.

Facebook Recognized Devices Facebook Account Activity

Breaches can and do occur, and the only way to truly protect one’s information is to not have it online.  However, that does sort of defeat the purpose of social networking.  Still, if a person wants to deactivate their account from Facebook, on the same page simply click “deactivate”.

Facebook deactivate account

Lets take a look at some of the functionality available when dealing with Facebook Ads.

Account > Account Settings > Facebook Ads

 

Facebook Ads

There are two settings to potentially adjust:

  1. Edit third party ad settings
  2. Edit social ads setting


Account > Account Settings > Facebook Ads > Ads shown by third parties

 

Facebook Ads shown by third parties

Account > Account Settings > Facebook Ads > Edit social ads setting

Notice the option is at the bottom.  If enabled, advertisements will serve up your name as having “liked” something.  If a person does not want their name showing up in ads, simply disable this entry.

Facebook social ads settings


Account > Account Settings

I like tooling around with passwords, and how they may be used.  Here is where Facebook has its password management system.

Facebook Password

Notice the little “?” on the “New Password” line?  Click it to reveal suggestions for a strong password:

Facebook Create a Strong Password

Edit my Profile

https://www.facebook.com/editaccount.php#!/editprofile.php

Checking into the Basic Information page, it is a person’s choice to fill this data in or not.  For maximum privacy, the recommendation is to keep it blank.  Do you want other companies (or Facebook) to have enhanced information on you?

Facebook Edit my Profile Basic Information

Similarly, the contact information (email addresses and websites are not depicted in this snapshot):

Facebook contact information

My Wall

Recall the default post setting earlier in this article?  Here is where it comes into play on your news feed.

Facebook News Feed - Your wall

The lock icon next to Share shows the same common information referred to earlier.  Reviewing:

Facebook Status Update Share Customization

Yes, that default setting has pretty large implications on your posting activity.

Facebook default posts

Public Directory

And if a person wants to control whether they can be found on Facebook at all, this is the setting to visit.

Search for you on Facebook

Search Engines will find you on Facebook’s open directory, and other aggregation sites.  Your information will be publicly available on these third party sites with no Facebook affiliation.  Such sites run their own advertisements.  One to take note of is Facepinch.com.

Another thing to be mindful of: if a person has someone from their past making them feel uncomfortable, keeping a public profile and switching the privacy settings to “Everyone” may not be such a good thing.  We explore a particular scam under the title “Is your ‘stalker ex’ still creeping your Facebook page?”.

Outlook Social Connector for Facebook

Although not a feature of www.Facebook.com itself, the Outlook Social Connector (OSC) for Facebook enables a person to tap into their social network from Microsoft Outlook and view friend updates, posts and photos in a secured manner. The following image from the Office Blog shows how a person can reach their social community right from Outlook.

It also serves as a reminder that information you store online may be shared virtually anywhere and without your knowledge.  Thus the purpose for this article to spread awareness and education.

Facebook Outlook Social Connector

Notice how “Michael” posted photos and they are made available right in the OSC.  Application-level adjustments can be made in your Facebook settings, referenced earlier under the Apps, Games and Websites section. For more information on Outlook Social Connector privacy and security, read this article. Last year I enabled surveillance on my computer while testing the Outlook Social Connector and can confirm communications were secure.  Perhaps in a future blog we shall explore the technical side of this.

Additional Reading

This has been a walk through of lots of information. Some at a high level, and some diving a little deeper.  It is my hope this blog article served its purpose as a model and a framework for having an account on Facebook.  For further reading, please see:

Sign in & Surf Safely

Use HTTPS! https://www.facebook.com/about/login/


Like our Facebook page and we will keep you posted on the latest developments on Internet Security.

Thank you Cyber Threat Analysis Center for the information, hopefully this helps spread the word.

Your Facebook Security and Privacy!

http://avgsa.co.za/blog/?p=241
@AVGSA

From your friendly neighborhood AVG Community.  Cheers!

Posted in Social Networking