<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>    
    <title>Fortinet Blog | News and Threat Research - Category: Security Research</title>
    <link>http://blog.fortinet.com/feed/category/Security Research/index.xml</link>
    <language>en</language>
    <copyright>Copyright 2013 Fortinet Inc. All Rights Reserved</copyright>
    <pubDate>Tue, 14 May 2013 08:18:23 -0700</pubDate>
    <atom:link href="http://blog.fortinet.com/feed/category/Security Research/index.xml" rel="self" type="application/rss+xml" />
    
    <item>
    <title>1,000 malicious Android samples per day</title>
    <description>&amp;#8220;Is mobile malware really an issue?&amp;#8221; is probably among the most frequent questions my friends ask me regarding my work. I usually like to answer indirectly with a graph as below: 



Figure 1. Evolution of malicious Android samples. Light blue curve is the number of known Android samples in our databases. Dark blue line is the average number of new Android samples we received per day.

Yes, we currently have over 150,000 Android samples, and they currently come in at a rate of 1,0...</description>
    <pubDate>Mon, 13 May 2013 00:00:00 -0700</pubDate>
    <link>http://blog.fortinet.com/1-000-malicious-Android-samples-per-day</link>
    <guid>http://blog.fortinet.com/1-000-malicious-Android-samples-per-day</guid>
    </item>

    <item>
    <title>Finding Similarities and Differences at DEX Level</title>
    <description>Some time ago, I analyzed two similar samples of Android/Smsilence.A!tr.spy, a fake Vertu application that spies on its victim. One of the samples was targeting a Japanese audience, while the other sample was for Korean end-users. I was interested in finding their similarities (and differences).  At (decompiled) source code level, I identified for instance a similarity: both samples check incoming SMS messages and download another payload if the message body contains the keyword 113, or delet...</description>
    <pubDate>Mon, 06 May 2013 00:00:00 -0700</pubDate>
    <link>http://blog.fortinet.com/Finding-Similarities-and-Differences-at-DEX-Level</link>
    <guid>http://blog.fortinet.com/Finding-Similarities-and-Differences-at-DEX-Level</guid>
    </item>

    <item>
    <title>Secure malware??</title>
    <description>Over the past two weeks, we&amp;#8217;ve seen a big influx of Android malware samples coming our way from Korea.

Upon closer examination of the samples, we saw some differences between them and decided to classify them into different variants.

The first variant Android/Malapp.A!tr.spy ironically calls itself &amp;#8220;SmsProctect&amp;#8221;(misspelt) while spying on incoming SMS messages on the victim&amp;#8217;s phone.

In addition it also steals JPEG image files stored on the victim&amp;#8217;s phone.

Adde...</description>
    <pubDate>Tue, 23 Apr 2013 00:00:00 -0700</pubDate>
    <link>http://blog.fortinet.com/Secure-malware--</link>
    <guid>http://blog.fortinet.com/Secure-malware--</guid>
    </item>

    <item>
    <title>W32/Kryptik.AX!tr - A Masterful FTP Trojan</title>
    <description>A few days ago I received an interesting email message:



Just your typical phishing email. Normally, I would just dump it into our signature automation processors and move on to the next piece of malicious code. This one was intriguing, though: within hours we received a handful of other samples similar to this, and having a couple extra hours in my day, I figured I&amp;#8217;d stop and take a good look at it.

The malware arrived packed with UPX and once unpacked I discovered it had its own me...</description>
    <pubDate>Wed, 17 Apr 2013 00:00:00 -0700</pubDate>
    <link>http://blog.fortinet.com/W32-Kryptik-AX-tr---A-Masterful-FTP-Trojan</link>
    <guid>http://blog.fortinet.com/W32-Kryptik-AX-tr---A-Masterful-FTP-Trojan</guid>
    </item>

    <item>
    <title>Android malware gets phish-y</title>
    <description>Last week the security world was abuzz with news of a new attack vector for mobile attacks. The malware was sent to the accounts of Tibetan human rights advocates and activists from the hacked account of one of the activists, regarding the World Uyghur Congress (WUC) Conference that took place in Geneva from 11-13 March, 2013.

What made the piece of malware particularly interesting was the targeted nature of the attack, once again highlighting the political aspect of cyber warfare and mak...</description>
    <pubDate>Tue, 09 Apr 2013 00:00:00 -0700</pubDate>
    <link>http://blog.fortinet.com/Android-malware-gets-phish-y</link>
    <guid>http://blog.fortinet.com/Android-malware-gets-phish-y</guid>
    </item>

    <item>
    <title>Insomni'hack 2013</title>
    <description>Insomni&amp;#8217;hack 2013 took place last week at Geneva and I had the opportunity to attend.



Insomni&amp;#8217;hack

DAY 1 consisted of one day workshops on subjects ranging from &amp;#8220;Linux exploitation&amp;#8221; to &amp;#8220;How to make sure your Pentest Report is never empty&amp;#8221;.

I had the chance to attend a workshop on &amp;#8220;Practical ARM exploitation&amp;#8221; given by black Steve (@s7ephen) and white Steve (Stephen Lawler). We initially had trouble getting the Gumstix we were supposed to wor...</description>
    <pubDate>Mon, 25 Mar 2013 09:48:23 -0700</pubDate>
    <link>http://blog.fortinet.com/insomnihack-2013</link>
    <guid>http://blog.fortinet.com/insomnihack-2013</guid>
    </item>

    <item>
    <title>Digital Attack on Korean networks: Wipers, Time-Bombs and Roman soldiers</title>
    <description>On March the 20th, a little after 2pm, several South Korean financial institutions' and TV broadcasters' networks were impacted by a destructive virus, which wiped the hard drives of infected computers, preventing them from booting up upon restart.

Since then, the team here has been on deck, dissecting the attack components. So far, here is what we&amp;#8217;ve found out that, to our knowledge, hasn&amp;#8217;t been published anywhere yet:

* The attack made use of two different droppers, in charge of d...</description>
    <pubDate>Fri, 22 Mar 2013 10:07:20 -0700</pubDate>
    <link>http://blog.fortinet.com/digital-attack-on-korean-networks-wipers-time-bombs-and-roman-soldiers</link>
    <guid>http://blog.fortinet.com/digital-attack-on-korean-networks-wipers-time-bombs-and-roman-soldiers</guid>
    </item>

    <item>
    <title>2013 BlackHat Europe</title>
    <description>BlackHat Europe was last week, and Fortiguard Labs members were there for the briefings. Again this year, the 2-day event took place in downtown Amsterdam. 500 people from all over the world registered for the conference. About 5 parallel tracks were planned for briefings, workshops and arsenal. I will not give the details of each presentation I attended, as heavy-weight bloggers such as @xme and @corelanc0d3r, who blog faster than their shadows, did.

I enjoyed the following talks

* the Ha...</description>
    <pubDate>Tue, 19 Mar 2013 10:52:15 -0700</pubDate>
    <link>http://blog.fortinet.com/2013-blackhat-europe</link>
    <guid>http://blog.fortinet.com/2013-blackhat-europe</guid>
    </item>

    <item>
    <title>The Mob attacks PC</title>
    <description>Android/Claco.A!tr is a new mobile malware that has been in the news recently for its unique ability to infect PCs.

Even though we&amp;#8217;ve seen an attack vector of this kind on the Symbian OS before (SymbOS/CardTrap), this would be the first of its kind on the Android platform.

The malicious packages come under the names SuperClean and DroidCleaner and claim to be applications that can speed up your phone.

Upon looking into the code, we realize that the &amp;#8220;strategy&amp;#8221...</description>
    <pubDate>Wed, 06 Feb 2013 09:36:42 -0800</pubDate>
    <link>http://blog.fortinet.com/mob-attacks-pc</link>
    <guid>http://blog.fortinet.com/mob-attacks-pc</guid>
    </item>

    <item>
    <title>Uranico is Loozfon</title>
    <description>I recently came across an Android malware sample that does your usual data stealing, i.e. leaking data from the victim&amp;#8217;s phone such as the phone number, contact information, etc.

Most vendors name this sample Uranico (Android.Uranico, Trojan:Android/Uranico.A) based on the package name &amp;#8220;com.link.uranai&amp;#8221;. However, a closer look at the sample led to the realization that it looked a lot like a sample I had seen before: Android/Loozfon.A!tr, and was hence a variant of it. Hence,...</description>
    <pubDate>Mon, 14 Jan 2013 10:16:28 -0800</pubDate>
    <link>http://blog.fortinet.com/uranico-is-loozfon</link>
    <guid>http://blog.fortinet.com/uranico-is-loozfon</guid>
    </item>

    <item>
    <title>Project Blitzkrieg FAQs</title>
    <description>Following the disappointment at the failure of the end of the world, we decided to do a little recap on the Project Blitzkrieg that has been widely talked about in the security community over the past couple of months following a report by RSA. It might be on a smaller scale than the former but it certainly has a bigger chance of coming true.

The operation was named and announced by a Russian hacker called vorVzakone (seen bragging about a car and his house in this video) in a post (translat...</description>
    <pubDate>Fri, 21 Dec 2012 13:21:31 -0800</pubDate>
    <link>http://blog.fortinet.com/project-blitzkrieg-faqs</link>
    <guid>http://blog.fortinet.com/project-blitzkrieg-faqs</guid>
    </item>

    <item>
    <title>Eurograbber is Zitmo</title>
    <description>Zitmo Attack Scenario - taken from my slides at ShmooCon, January 2011

Zitmo&amp;#8217;s attack scenario, taken from CheckPoint&amp;#8217;s and VerSafe&amp;#8217;s white paper (Dec 2012)

Recently, Check Point and Versafe published a white paper on a mobile banking trojan they named Eurograbber. In fact, this is not new: it is called Zitmo, and s21sec, Fortinet (and others!) have been talking about it for nearly two years.

In January 2011, Kyle Yang and I presented full details of Zitmo at Shmoo...</description>
    <pubDate>Fri, 07 Dec 2012 11:00:51 -0800</pubDate>
    <link>http://blog.fortinet.com/eurograbber-is-zitmo</link>
    <guid>http://blog.fortinet.com/eurograbber-is-zitmo</guid>
    </item>

    <item>
    <title>Hashdays Android Challenge: the Solution</title>
    <description>Our Hashdays Android challenge is over. The challenge turned out to be quite difficult (told you ;), we know that several among you worked on it, and two hackers found the correct solution. Congratulations!

* 1st - Joerie de Gram (@the_ius) on Oct 31, 2012 (+3 days) solution

* 2nd - Luigi Mori on Nov 14, 2012 (+17 days)

The &amp;#8220;official&amp;#8221; solution can be downloaded from here. I had fun playing hide and seek in the DEX file, and hope you enjoyed it too.

Unfortunately, Joerie was no...</description>
    <pubDate>Fri, 23 Nov 2012 11:27:14 -0800</pubDate>
    <link>http://blog.fortinet.com/hashdays-android-challenge-the-solution</link>
    <guid>http://blog.fortinet.com/hashdays-android-challenge-the-solution</guid>
    </item>

    <item>
    <title>Zitmo timeline.</title>
    <description>Feel free to browse through our Zitmo timeline. Please note that variant naming depends on many factors including but not limited to chronology. Hence variant letters (.A) don&amp;#8217;t always reflect the order of appearance in the wild.

[Embedded interactive timeline: http://www.tiki-toki.com/timeline/embed/73249/4278334161/]

</description>
    <pubDate>Mon, 19 Nov 2012 08:42:26 -0800</pubDate>
    <link>http://blog.fortinet.com/zitmo-timeline</link>
    <guid>http://blog.fortinet.com/zitmo-timeline</guid>
    </item>

    <item>
    <title>Hashdays Arduino badge</title>
    <description>I absolutely have to mention Hashdays&amp;#8217;s badge, as it&amp;#8217;s one of the coolest I&amp;#8217;ve ever had: an Arduino UNO board with blinking LEDs (blue/green for speakers, red for attendees).

At Hashdays, I was happy to attend one of the free Arduino workshops, given by Jan Monsch. Just perfect for me: detailing the hardware, electronic components and working on several tutorials with the help of our instructor. Friday morning, I did not know a thing about Arduino, and Saturday, I managed to submi...</description>
    <pubDate>Fri, 09 Nov 2012 07:21:17 -0800</pubDate>
    <link>http://blog.fortinet.com/hashdays-arduino-badge</link>
    <guid>http://blog.fortinet.com/hashdays-arduino-badge</guid>
    </item>

  </channel>
</rss>