Info on mobile phone antivirus, anti-malware software and commentary on mobile security.
Wednesday, December 06, 2006
"Want spies with that?"
"We’ve received a sample of a new mobile malware in the MultiDropper family, variant CG. MultiDroppers are like a collection of top 10 hit songs, a ‘hits CD’. They also require about as much creativity. Take a successful hit like SymbOS/Cabir or SymbOS/Commwarrior, mix in a SymbOS/Appdisabler or SymbOS/Skulls.
The trouble with hits CDs is that you probably already own all the albums containing the hits. Maybe you get a bonus song now and then. In the same manner we already detect most of the malware in most mobile MultiDroppers. Every so often we do get the bonus unseen or rare single (malware).
MultiDropper.CG is the first in the series to include spyware, SymbOS/Mobispy.A."
[...]
"Although SymbOS/MultiDropper.CG does not appear likely to be a winner, it does signify a probable switch in malware authors’ goals. Rather than destroying your data and information, they’re stealing it for profit."
Tuesday, September 26, 2006
"Small SMiSh, Big Pond"
"Just last month we received our first live example of SMiShing. This month we've received evidence that the author of VBS/Eliles.A has taken umbrage at the AV industry's naming conventions. Specifically rule #1: We never name malware after the author's suggested or intended name. This is to discourage people from writing new malware in order to gain notoriety.
The Eliles author, let's call him Eli, is not taking this sitting down. One of our contacts in Asia sent us a sample of Eli's latest attempt at fame, VBS/Eliles.B. Eli left some parts of his worm intact.
Like his first try, VBS/Eliles.B also:
- Hides drives, disables Registry editing and generally makes removing it a pain
- Tries to disable your antivirus software
- Sends itself via email to any address it can find
- Attempts a SMiShing attack against customers of two mobile phone companies based in Spain
VBS/Eliles.B additionally:
- Runs a script that types Eli's complaints on our naming and the occasional insult in the current window
- Tries to disable your firewall software
VBS/Eliles.B really brings nothing new to the table. Aside from the SMiShing routines, Eli hasn't created anything new. All the other routines appear to have been created with various ready-made malware toolkits."
[...]
"VBS/Eliles.A & B are not large threats. The disturbing part is that while the SMiShing routines are targeted locally to a specific country in Europe, VBS/Eliles.B has made it to another country in Asia.
VBS scripts are distributed as plain text. Within 2 minutes, using a text editor, a malware author can cut and paste a few strings to generate a new SMiShing attack. Fortunately, Eli is not following the for-profit trend of his more skilled colleagues. Unfortunately, it looks like SMiShing source code is now available to more malware writers.
Today's minor threat can become a component of tomorrow's devastating attack."
Monday, September 11, 2006
"Phone-y Money"
"For-profit malware has been increasing on the PC side for quite a few years now. Viruses that hold your files hostage, trojans that steal banking information and adware that floods your computer with popup ads. Malware writers have shifted their goals from gaining notoriety or personal satisfaction from the spread of their creations to the goal of filling their wallets.
"Recently though, McAfee Avert Labs has begun to see a similar trend in mobile malware. Most of the mobile malware that we’ve run across has been relatively harmless trojan horses. A few files have been replaced, or the phone fails to start when rebooted. A hard reset to clear the phone memory and you’re back to normal, minus your stored phone numbers and calendar information. You might have lost any time spent adding new software or saved documents, but at least none of your private information has been stolen. J2ME/Redbrowser changed the entire situation."
[...]
"Stealing money in real life ranges from corporate embezzling to the common mugging. Where Redbrowser falls somewhere in between the two, J2ME/Wesber is closer to a mugging."
[...]
"With the recent SMiShing incidents, the rise in for-profit mobile malware is definitely troubling."
Friday, September 01, 2006
Smishing? A real example -- VBS/Eliles.A
"This phenomenon, which we at McAfee Avert Labs are dubbing “SMiShing” (phishing via SMS), is yet another indicator that cell phones and mobile devices are increasingly being used by perpetrators of malware, viruses and scams."
What's so special about VBS/Eliles.A?
"[...]it includes a routine to send Smishing messages to users of two Mobile Phone providers[...]"
Tuesday, June 06, 2006
Fun with ROMS
It looks like mobile malware authors may be moving into the kernel. Code that runs in the kernel has access to the entire system, and hidden, undocumented functions can give it untraceable access to the filesystem. Rootkits are generally used to hide the presence of other malicious software or activity.
Recently, an independent security research group released a number of ROM images (colloquially "ROMs") from various Symbian phones. Their goal was to encourage vulnerability research on mobile phones.
The risk is not that these researchers have published the ROMs. Anyone who owns a Symbian phone can, with publicly available tools, extract their own ROM image. The real risk arises from the nearly 600 KB of analysis and research guidelines they have provided alongside them.
The current situation is that malware authors are limited to user space. All current mobile malware has been created either with the publicly available SDKs or cobbled together from other malware. Essentially, most of the trouble so far is caused by applications: malicious applications, but still only applications, not system software.
Saturday, January 07, 2006
Symbian OS 9, "eclipsing", new executable format
It looks like Symbian now has an "official" term (it's listed in FAQ-1304) for the attack made popular by the Skulls family of trojans.
From the Symbian Developer Network FAQ database, the term is "eclipsing":
"where the loader loads DLLs located on a higher order drive (e.g. C drive) to dynamically replace files on the firmware (Z drive)."
The FAQ goes on to mention that this attack is no longer allowed by the v9 installer. Unsigned apps[1] can no longer "eclipse" ROM apps. Since the underlying file system now has a bit more security, the cost of this attack has been raised.
On the new executable format: I've been a bit tied up the last few months, so I missed that OS 9 is using ELF. New binary tools are becoming available on the Symbian Developer Network. New OS version, new tools. Fun? We'll see.
[1] On Symbian, applications are themselves DLLs, so this also means no more overwriting the Application Manager.
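To make the "eclipsing" mechanism concrete, here is an added example (not DumpSIS code, and not Symbian's own loader or installer). It models the behaviour the FAQ quote describes: a loader that searches drives in a fixed order, C: before the Z: ROM drive, so a same-named file planted on C: is loaded in place of the firmware copy. It then shows the two checks that follow from that: a scanner pass that lists every ROM file currently shadowed by a writable drive, and a simplified model of the v9-style installer rule that refuses to write a file whose path already exists on Z:. The drive contents, the search order, the file paths and the installer rule are all constructed assumptions for the example.

```python
"""Eclipse scan for a Symbian-style drive layout.

Added example for this post; not DumpSIS code and not Symbian's own loader
or installer.  Drive contents, search order and the installer rule below are
constructed for illustration.
"""

# Assumed loader search order: writable drives first, ROM drive last.
SEARCH_ORDER = ("C", "D", "E", "Z")
ROM_DRIVE = "Z"


def norm(path):
    """Symbian paths are case-insensitive and backslash-separated."""
    return path.replace("/", "\\").lower()


def resolve(rel_path, drives):
    """Drive the loader would actually pick for rel_path, or None.

    drives maps a drive letter to the set of normalised paths present on it.
    """
    key = norm(rel_path)
    for d in SEARCH_ORDER:
        if key in drives.get(d, set()):
            return d
    return None


def find_eclipsed(drives):
    """Every ROM file that resolves to some other drive, with the drive that won.

    The ROM manifest is trusted, so any shadowing copy on a writable drive is
    suspect; this is the check an on-device scanner can run.
    """
    hits = []
    for path in sorted(drives.get(ROM_DRIVE, set())):
        winner = resolve(path, drives)
        if winner != ROM_DRIVE:
            hits.append((path, winner))
    return hits


def vet_package(install_paths, drives):
    """Simplified model of the v9 installer rule: refuse any install file whose
    target path already exists on the ROM drive.  Returns the rejected paths.
    The real installer's rules are broader; this captures only the
    'no eclipsing' part.
    """
    rom = drives.get(ROM_DRIVE, set())
    return [p for p in install_paths if norm(p) in rom]


# Constructed sample: a small ROM manifest plus one Skulls-style overwrite on C:.
SAMPLE_DRIVES = {
    "Z": {
        norm(r"\system\apps\appinst\appinst.app"),   # Application Manager
        norm(r"\system\libs\cone.dll"),
        norm(r"\system\programs\fbserv.exe"),
    },
    "C": {
        norm(r"\system\apps\appinst\appinst.app"),   # planted copy, shadows Z:
        norm(r"\system\apps\notes\notes.app"),       # legitimately installed
    },
}

if __name__ == "__main__":
    for path, drive in find_eclipsed(SAMPLE_DRIVES):
        print(f"ECLIPSED {path}: loaded from {drive}: instead of {ROM_DRIVE}:")
    rejected = vet_package([r"\system\apps\appinst\appinst.app",
                            r"\system\apps\myapp\myapp.app"], SAMPLE_DRIVES)
    print("installer would reject:", rejected)
```

On a pre-v9 phone the scanner pass is the useful half: the loader will happily take the C: copy, so the only way to notice a Skulls-style replacement is to compare what resolves against what the ROM says should be there. The installer check is the v9 half, raising the cost of the attack by refusing the write in the first place.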
Friday, January 06, 2006
DumpSIS minor updates
The current version is 0.94. The changes have been checked into CVS.
New features
- (-x) Dump All files option added.
- Install name (displayed by App Manager) added to default dump.
Useful for blind dumping of SIS file contents; the finer-grained options are still available when you want more control.
This is in the SIS header, at the offset to the language-dependent names block (0x64). It was previously referred to in the dump as "Component". It is visible in the SIS file in plain text and easy to modify with a hex editor, and even easier to modify by rewriting the .pkg file, since it is the same as the Component Name in the package header. In other words, the name the App Manager displays is whatever the package author chose to put there.