Latest Posts | Page 138


Get rid of clichés: "Most anti-virus software products detect malware pieces only through simple checksums. This is often the case for the anti-virus engines which are integrated into network gateways." People mainly believe that the main reason is that network gateways have limited resources to process the sheer amount of data exchanged through them "in real time", and also that their OS is "embedded" and thus limited. So people think that the bottom line is: "Too easy to bypass!" Let's be clear: reality is more... [Read More]
by Alexandre Aumoine  |  Jul 30, 2012  |  Filed in: Security Research
I had always wanted to look into Firefox OS. It's done. I created my first application. What kind of application does a reverse engineer write as a first app? A CrackMe, of course. You can try it: the sources are available here. But, honestly, it is really a very (very) simple CrackMe, as my real goal was to get acquainted with Firefox OS and understand the possible risks in terms of malware. We, anti-virus analysts, won't need disassemblers or decompilers for Firefox OS malware. That's cool, isn't it (although part of the mystery of our job is... [Read More]
by Axelle Apvrille  |  Jul 30, 2012  |  Filed in: Security Research
One of the hottest topics of the moment certainly is the breaking news about the NSA collecting phone records of Verizon subscribers. According to a court order, Verizon has been asked to provide the NSA daily information for all its phone records between April 25th and July 19th. According to the Wall Street Journal, AT&T and Sprint would have received the same order, and it would make much sense if T-Mobile hadn't too. Many journalists have been reacting to the obvious infringement on our privacy, especially with the recent disclosure of the PRISM... [Read More]
by Axelle Apvrille  |  Jul 30, 2012  |  Filed in: Security Research
We recently had a company contact us regarding an email they received from their bank. The company's access to its online banking account was blocked by its bank due to fraudulent activity observed through the account. A screenshot of the email received can be seen below. What I found extremely strange and suspicious about the email, and what set the alarm bells ringing in my head, was the fact that the email contained 5 zip-compressed images as attachments. After going through it a second time, even the Anti-Virus link started to feel suspicious. Even... [Read More]
by Ruchna Nigam  |  Jul 30, 2012  |  Filed in: Security Research
As I was following the tweets of IEEE S&P, one of the top academic conferences on security, I saw they had created a special application for the people attending the conference, with the agenda, paper abstracts and a few news items. Figure 1. IEEE Security & Privacy Android application. Curious, I downloaded the application for Android (air.org.computer.confprog.sp.apk) and ran it through my automated analysis scripts. When the following warnings popped up, I initially wondered if I hadn't downloaded a Trojan: Tue May 21 07:19:02 2013... [Read More]
by Axelle Apvrille  |  Jul 30, 2012  |  Filed in: Security Research
"Is mobile malware really an issue?" is probably among the most frequent questions my friends ask me regarding my work. I usually like to answer indirectly with a graph like the one below: Figure 1. Evolution of malicious Android samples. The light blue curve is the number of known Android samples in our databases. The dark blue line is the average number of new Android samples we received per day. Yes, we currently have over 150,000 Android samples, and they currently come in at a rate of 1,000 malware samples per day. Invariably, my friends - and perhaps you?... [Read More]
by Axelle Apvrille  |  Jul 30, 2012  |  Filed in: Security Research
Some time ago, I analyzed two similar samples of Android/Smsilence.A!tr.spy, a fake Vertu application that spies on its victim. One of the samples was targeting a Japanese audience, while the other sample was for Korean end-users. I was interested in finding their similarities (and differences). At the (decompiled) source code level, I identified for instance a similarity: both samples check incoming SMS messages and download another payload if the message body contains the keyword 113, or delete it if the SMS comes from 1588366. See below, identical... [Read More]
by Axelle Apvrille  |  Jul 30, 2012  |  Filed in: Security Research
A few days ago I received an interesting email message: just your typical phishing email. Normally, I would just dump it into our signature automation processors and move on to the next piece of malicious code. This one was intriguing, though: within hours we received a handful of other samples similar to this, and having a couple of extra hours in my day, I figured I'd stop and take a good look at it. The malware arrived packed with UPX, and once unpacked I discovered it had its own mechanisms in place to prevent emulation. I found this quite... [Read More]
by Zandro Iligan  |  Jul 30, 2012  |  Filed in: Security Research
Last week the security world was abuzz with news of a new attack vector for mobile attacks. The malware was sent to the accounts of Tibetan human rights advocates and activists from the hacked account of one of the activists, regarding the World Uyghur Congress (WUC) Conference that took place in Geneva from 11-13 March, 2013. What made the piece of malware particularly interesting was the targeted nature of the attack, once again highlighting the political aspect of cyber warfare and making us question whether governments and legitimate organizations... [Read More]
by Ruchna Nigam  |  Jul 30, 2012  |  Filed in: Security Research
Last year, tech giant Yahoo! Inc. fell victim to a cyberattack. But unlike other high-profile attacks, the culprit wasn't an APT or a sophisticated threat sourced to a nation state. The weapon of choice was a simple SQL injection. According to reports, the miscreants targeted a vulnerability in a Yahoo! Web application that was thought to be associated with the company's VoIP phone service, Yahoo! Voices. SQL injection attacks remain some of the most widely used cyberweapons for one main reason: they work. A Structured Query Language (SQL) injection... [Read More]
by Stefanie Hoffman  |  Jul 30, 2012