Security Research | Page 57

It had been a while since we'd last seen malware transferring credits to pre-paid phone cards. Our last encounter dated back to SymbOS/Flocker!tr.python in early January 2009. It is happening again, with Java/GameSat.A!tr, a Java ME midlet which is currently in the wild. Indosat, an Indonesian telecom operator, offers IM3 (Indosat Multimedia 3) customers the ability to transfer (small) funds between two accounts. This is known as 'pulse transfer' or 'M3-Transfer' and it works by ... SMS, with neither PIN nor registration! The money is transferred from... [Read More]
by Axelle Apvrille  |  Jan 26, 2010  |  Filed in: Security Research
The much anticipated out-of-band release was rolled out today by Microsoft in the form of MS10-002. Included is CVE-2010-0249 (see our advisory here), addressed by Microsoft through a security advisory (979352) late last week. We released the signature "MS.IE.Event.Invalid.Pointer.Memory.Corruption" to address this particular issue. The Microsoft advisory was, of course, the subject of many headlines through an Internet Explorer zero-day exploit with reports of targeted attacks -- probably the most since Conficker made waves in 2009. Activity on... [Read More]
by Derek Manky  |  Jan 21, 2010  |  Filed in: Security Research
Appearing in the first quarter of 2009, Gumblar spread rapidly and has become one of the biggest threats today[1]. Gumblar infects PCs by exploiting vulnerabilities in web browsers and browser plugins, such as Adobe Acrobat Reader and Flash Player. There is some good information available regarding Gumblar, addressing its JavaScript obfuscation, the affected domains and its C&C communication[2][3][4]. However, scarce detail is available about the very vulnerabilities and exploits leveraged by Gumblar, and the question "How are the malicious PDF... [Read More]
by Bin Liu  |  Jan 19, 2010  |  Filed in: Security Research
Bredolab should be a name becoming familiar to most of our readers - it has been our most dominant threat overall for the last half of 2009, continuing over to 2010. It's been discussed several times in our monthly Threat Landscape reports, and also connected to Gumblar attacks. For those unfamiliar, Bredolab is a simplified botnet - a loader which simply connects to a remote server to report and receive files to download/execute. Apart from rogue antivirus software ("scareware"), Bredolab's other favorite download is Pushdo. Pushdo, another prominent... [Read More]
by Derek Manky  |  Jan 15, 2010  |  Filed in: Security Research
Information security is a top priority for many organizations today due to the significant security breaches that made headlines in 2009. Security threats are changing and becoming more targeted, making organizations more vulnerable to new attacks. Because of this, planning for 2010 is more important than ever. Next week, Anthony James of Fortinet will participate in a Webinar hosted by Fidelity National Information Services and will discuss the top information security issues of 2009, emerging threats and trends to look for in 2010 and a solution... [Read More]
by Rick Popko  |  Jan 13, 2010  |  Filed in: Security Research
Microsoft released bulletin MS09-067 on Nov 10, 2009. Same as in 2008, this last bulletin for Microsoft Office Excel in 2009 brings the total number of vulnerabilities for this popular product to 17. As the biggest contributor, Fortinet is credited for seven of these vulnerabilities in 2009. Our topic today is the vulnerability referred to as CVE-2009-3127. It is one of the eight vulnerabilities that were fixed in Bulletin MS09-067. I found this vulnerability by fuzzing (automatic crafted file creation) in April, and when I analyzed it I found it is different... [Read More]
by Bin Liu  |  Jan 06, 2010  |  Filed in: Security Research
Overall malware volume returned to pre-October levels this period, after two months of record activity driven by ZBot, Bredolab and Pushdo/Cutwail. Nonetheless, the Bredolab loader returned to top spot with a vengeance this period, accounting for a whopping 66.5% of total detected malware activity. Again, as we have seen time and time again these attack campaigns typically do not last longer than a couple of days, but can return quickly in mass volume. The seeding engines (largely the Cutwail spamming trojan) behind Bredolab certainly have a lot... [Read More]
by Derek Manky  |  Dec 28, 2009  |  Filed in: Security Research
While looking at some Pushdo botnet messages recently, I noticed a repeating pattern in the data. Here is an example, taken from an area where the pattern is most obvious:

0340 13 63 cc 69 13 63 cc 69 13 63 cc 69 53 63 cc 2b .c.i.c.i.c.iSc.+
0350 13 63 cc 69 13 63 cc 69 13 63 cc 69 13 63 cc 69 .c.i.c.i.c.i.c.i
0360 13 63 cc 69 13 63 cc 69 13 63 cc 69 13 63 cc 69 .c.i.c.i.c.i.c.i

This looked to me like a flaw in the encryption that potentially could be used for detection purposes. It might even be possible to automatically break the encryption. It... [Read More]
by Doug Macdonald  |  Dec 15, 2009  |  Filed in: Security Research
Cyber crime continues to adapt to modern services and infrastructure, often leveraging legitimate services for malicious purposes. On top of this, blackhat services are also being created to aid in attacks. The result is a growing infrastructure available to cyber criminals who continue to innovate attack methodologies. Let's have a look at some examples.

Leveraging Modern Services

The use of legitimate web hosting for attacks is obviously not new - think of Geocities and Google Pages which were frequently abused in the past (which incidentally... [Read More]
by Derek Manky  |  Dec 11, 2009  |  Filed in: Security Research
iPhoneOS/Eeki.B!worm is said to contain two malicious binaries: sshd, the binary searching for new victims, and duh, a binary found only in variant B and after which some antivirus companies named the worm. This article focuses on the latter. Duh is called by a malicious script named syslog (of course, there's no relationship with the traditional UNIX daemon syslog - it's just named that way to look less suspicious than if it was named!):

/private/var/mobile/home/duh /xml/p.php?id=$ID... [Read More]
by Axelle Apvrille  |  Dec 10, 2009  |  Filed in: Security Research