malware' | Page 24


As a "Crypto Girl" should, I wish to report that the latest Android malware, Android/DroidKungFu, uses AES encryption. It is certainly not the first time Android malware use cryptographic encryption - we have already seen use of DES in Android/Geinimi or Android/HongTouTou - but this would appear to be the first use of AES on Android (AES has already been reported in Symbian malware such as SymbOS/InSpirit). In Android/DroidKungFu, the malware uses AES to encrypt the two exploits it uses: CVE-2009-1185: packaged as gjsvro. located in the malware's... [Read More]
by RSS Axelle Apvrille  |  Jun 09, 2011  |  Filed in: Security Research
We often have requests on mobile malware statistics and although statistics are only an imperfect representation of reality, this is what we can share. Those statistics only concern malware which run on mobile phones (hybrid malware which run on a PC and send SMS do not count for instance) and the results are for malware families, i.e a group of samples which are 'similar' and, yes,unfortunately, this is quite subjective. Reminder: a family is then divided in several variants. An each individual malicious package is called a sample. we haven't... [Read More]
by RSS Axelle Apvrille  |  Mar 28, 2011  |  Filed in: Security Research
In the September edition of Security Minute with Fortinet, researcher Derek Manky talks about the most prevalent threats and threat trends plaguing the internet over the last 30 days, including the latest Twitter worm, Zeus and Zitmo, various software vulnerabilities, and the "Here You Have" virus. [Read More]
by RSS Rick Popko  |  Sep 30, 2010  |  Filed in: Security Research
Since the Belarus vendor VirusBlokAda pulled the alarm last week on a new malware deemed “Stuxnet”, a whole lot of information has been released here and there on different portions of the threat. As a matter of fact, the Stuxnet case presents a certain level of multiplicity, as it consists in an “exploit” part, a “rootkit” part, involves specific infection vectors, targets a specific class of victims, and has unusual characteristics (for instance regarding software certificates). The subsequent fragmentation of information across the... [Read More]
by RSS Guillaume Lovet  |  Jul 21, 2010  |  Filed in: Security Research
On Symbian phones, most malware are either implemented natively in C++ (over the Symbian API) or in Java (midlets). SymbOS/Enoriv.A!tr.dial uses another language called m. Usually, m scripts (.m extension) are run within the m environment, (mShell) using the various features offered by m library modules (messaging, obex, video, zip...). This is comparable to Java midlets, which run over a Java environment and use various Java API packages. The m scripts can also be compiled to be included in a stand-alone Symbian application. In that case, the... [Read More]
by RSS Axelle Apvrille  |  Apr 13, 2010  |  Filed in: Security Research
A few days ago we encountered a new variant of the Symbian worm, Yxes, that we named SymbOS/Yxes.H!worm. This worm contacts malicious remote servers, which host Java Server Pages, and propagates by sending 'attractive' SMS messages. For instance, this new variant sends an SMS with an URL promising private information concerning a Chinese actress. Globally, the logic (and much of the code) is the same as in previous variants. Yet, there are a few updates, one of the main ones being the use of new remote malicious Java Server Pages. I guess every... [Read More]
by RSS Axelle Apvrille  |  Mar 04, 2010  |  Filed in: Security Research
It had been a while since we'd last seen a malware transferring credits to pre-paid phone cards. Our last encounter dated back to SymbOS/Flocker!tr.python early January 2009. It is happening again, with Java/GameSat.A!tr, a Java ME midlet which is currently in the wild. Indosat, an Indonesian telecom operator, offers IM3 (Indosat Multimedia 3) customers the ability to transfer (small) funds between two accounts. This is known as 'pulse transfer' or 'M3-Transfer' and it works by ... SMS, without PIN nor registration ! The money is transferred from... [Read More]
by RSS Axelle Apvrille  |  Jan 26, 2010  |  Filed in: Security Research
AV Lab's honeypots have just started catching new malware seeding campaigns leveraging vaccination profiles for the H1N1 virus. The message is sent as a notification from the "Centers for Disease Control and Prevention (CDC)". Because the sender's email is spoofed and because the URL leading to the rogue website contains a "gov" subdomain, which can be mistaken for the top-level domain, the message may seem plausible to many people. Here is what the email looks like: From: "Centers for Disease Control and Prevention (CDC)" <info-mess-id:01203428med@cdcmails.gov>... [Read More]
by RSS Karine de Ponteves  |  Dec 01, 2009  |  Filed in: Security Research
There has been a lot of confusion lately concerning the SymbOS/Yxes worm. Among those, it has now dawned on me the so-called Transmitter.C reported in numerous articles on the net (for instance, here and here), is not sexySpace.sisx (detected as SymbOS/Yxes.E!worm): those are two different malware. Why ? As a matter of fact, several issues startled me (ordered from weakest to strongest point): Transmitter.C is reported to send a massive amount of SMS messages (they are talking about 500 SMS). If Transmitter.C is Yxes.E, it is surprising because... [Read More]
by RSS Axelle Apvrille  |  Aug 26, 2009  |  Filed in: Security Research
There are days where I wonder if people really care about privacy (except for these people). Most people don't see any problem in telling the entire world what they're doing (Twitter), who they know or see (Facebook) or where they are: the kind of stuff teenagers hate to tell their parents. Mobile phones are just the perfect platform for spying because they are portable (iPhones are such beauties one hates to leave them behind!) and seen as private devices (would you share your nice iPhone, huh?). Depending on functionalities, mobile spyware record... [Read More]
by RSS Axelle Apvrille  |  Jul 16, 2009  |  Filed in: Security Research