Security Research | Page 57

Unless you're on a trek in the Himalayas, by now you've probably heard one way or another that the infamous "Jailbreakme" website is back to free iPhones (including the iPhone 4 running iOS 4.0.1) and iPads: it's just everywhere on the web, even with videos and tutorials. However, fewer resources address the technical aspect of jailbreaking. You might have found out that the online jailbreaking tool relies on a drive-by script exploiting a 0-day vulnerability. We'll try to provide a few other technical findings below. First, let's connect...
by Axelle Apvrille  |  Aug 05, 2010  |  Filed in: Security Research
I had already seen mobile malware SMS messages with a malicious URL inside (e.g. SymbOS/Yxes), or MMS messages (e.g. SymbOS/Album.A!tr, SymbOS/Beselo!worm...) with a malicious attachment. However, I had never noticed a mobile malware piece sending a WAP Push SMS (special SMS messages typically used to send ringtones, wallpapers, OTA provisioning, etc.). The recent SymbOS/NMPlugin.A!tr does all three! It sends:
- an MMS, whose title is “Hello Skuller” and which contains an attachment named Sunset.jpg
- an SMS containing a short message and a malicious...
by Axelle Apvrille  |  Aug 03, 2010  |  Filed in: Security Research
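As an added example (not part of the post above, nor code from SymbOS/NMPlugin.A!tr), here is a decoder for the WBXML body of a WAP Push Service Indication, the message type that carries a URL and a short prompt to the handset. The token values are those of the SI 1.0 code page; the sample bytes are constructed for this example and do not come from any real sample. The SMS user-data header (port 2948) and the WSP push header that precede the body are assumed to have been stripped already.

```python
# Added example: decode the WBXML body of a WAP Push Service Indication
# (SI 1.0) to recover the URL it pushes.  The sample bytes at the bottom are
# constructed, not taken from SymbOS/NMPlugin.A!tr.

# Tag tokens (low 6 bits); bit 6 = element has content, bit 7 = has attributes.
SI_TAGS = {0x05: "si", 0x06: "indication", 0x07: "info", 0x08: "item"}

# Attribute-start tokens: attribute name plus an implied value prefix.
SI_ATTR_START = {
    0x05: ("action", "signal-none"), 0x06: ("action", "signal-low"),
    0x07: ("action", "signal-medium"), 0x08: ("action", "signal-high"),
    0x09: ("action", "delete"), 0x0A: ("created", ""), 0x0B: ("href", ""),
    0x0C: ("href", "http://"), 0x0D: ("href", "http://www."),
    0x0E: ("href", "https://"), 0x0F: ("href", "https://www."),
    0x10: ("si-expires", ""), 0x11: ("si-id", ""), 0x12: ("class", ""),
}
# Attribute-value tokens: common URL fragments compressed to one byte.
SI_ATTR_VALUE = {0x85: ".com/", 0x86: ".edu/", 0x87: ".net/", 0x88: ".org/"}

END, STR_I, OPAQUE = 0x01, 0x03, 0xC3  # global WBXML tokens


def _mb_uint32(data, pos):
    """Read a WBXML multi-byte integer (7 bits per byte, high bit = continue)."""
    value = 0
    while True:
        b = data[pos]
        pos += 1
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos


def _str_i(data, pos):
    """Read a NUL-terminated inline string."""
    end = data.index(0, pos)
    return data[pos:end].decode("utf-8"), end + 1


def _attributes(data, pos):
    """Parse an attribute list up to its END token; return (attrs, new pos)."""
    attrs, name = {}, None
    while True:
        tok = data[pos]
        pos += 1
        if tok == END:
            return attrs, pos
        if tok in SI_ATTR_START:
            name, prefix = SI_ATTR_START[tok]
            attrs[name] = prefix
        elif name is None:
            raise ValueError("attribute value before any attribute name")
        elif tok == STR_I:
            s, pos = _str_i(data, pos)
            attrs[name] += s
        elif tok in SI_ATTR_VALUE:
            attrs[name] += SI_ATTR_VALUE[tok]
        elif tok == OPAQUE:  # binary-coded dates in created / si-expires
            n, pos = _mb_uint32(data, pos)
            attrs[name] += data[pos:pos + n].hex()
            pos += n
        else:
            raise ValueError("unsupported attribute token 0x%02X" % tok)


def decode_si(body: bytes) -> dict:
    """Return {'href', 'text', 'action'} from an SI 1.0 WBXML document."""
    if len(body) < 4 or body[1] != 0x05:  # public identifier 0x05 = SI 1.0
        raise ValueError("not a WBXML Service Indication document")
    _charset, pos = _mb_uint32(body, 2)
    strtbl_len, pos = _mb_uint32(body, pos)
    pos += strtbl_len  # string table unused: only inline strings are handled
    result = {"href": "", "text": "", "action": ""}
    stack = []  # names of the currently open elements
    while pos < len(body):
        tok = body[pos]
        pos += 1
        if tok == END:
            if stack:
                stack.pop()
        elif tok == STR_I:
            s, pos = _str_i(body, pos)
            if stack and stack[-1] == "indication":
                result["text"] += s
        elif (tok & 0x3F) in SI_TAGS:
            name = SI_TAGS[tok & 0x3F]
            attrs = {}
            if tok & 0x80:
                attrs, pos = _attributes(body, pos)
            if name == "indication":
                result["href"] = attrs.get("href", "")
                result["action"] = attrs.get("action", "signal-medium")  # SI 1.0 default
            if tok & 0x40:
                stack.append(name)
        else:
            raise ValueError("unsupported token 0x%02X at offset %d" % (tok, pos - 1))
    return result


# Constructed sample body (after the SMS UDH and WSP push header, not decoded here).
SAMPLE_SI_BODY = bytes([
    0x02, 0x05, 0x6A, 0x00,          # WBXML 1.2, SI 1.0, charset UTF-8, no string table
    0x45,                            # <si> with content
    0xC6,                            # <indication> with attributes and content
    0x08,                            # action="signal-high"
    0x0C, 0x03, *b"example", 0x00,   # href="http://" + "example"
    0x85,                            # ".com/"
    0x03, *b"Sunset.sis", 0x00,      # "Sunset.sis"
    0x01,                            # end of attribute list
    0x03, *b"New ringtone!", 0x00,   # prompt shown to the user
    0x01,                            # </indication>
    0x01,                            # </si>
])

if __name__ == "__main__":
    print(decode_si(SAMPLE_SI_BODY))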
Two major operating system releases have officially come to end of life this month. On July 13th, Microsoft dropped support for both Windows 2000 and Windows XP SP2, meaning no more patches will be rolled out for these operating systems. This includes both Windows 2000 Server and Professional, as well as all editions of XP SP2. Of course, in terms of security, this is a significant development since any new vulnerabilities discovered that affect these products (and there are many on an ongoing basis, just have a look at our NVC coverage...
by Derek Manky  |  Jul 30, 2010  |  Filed in: Security Research
The analysis of SymbOS/NMPlugin.A!tr shows that, once again, a mobile malware was signed using Symbian’s Express Signed procedure. It is the fourth malware we have noticed doing so since 2009 (and it is likely I missed a couple). See the table below.

Malware name | Signer’s identity (probably fake or impersonated) | Probable signing date
SymbOS/Yxes.*!worm | XiaMen Jinlonghuatian Technology Co. Ltd; ShenZhen ChenGuangWuXian Tech. Co.; XinZhongLi Kemao Co. Ltd; TianJin YouLiAn Technology, Co. Ltd.; Beijing GuoShengMingDao Technology Co. Ltd.; Xiamen... |
by Axelle Apvrille  |  Jul 29, 2010  |  Filed in: Security Research
Our July 2010 Threat Report has been posted; below are some findings from the activity recap: Global detected malware volume continued its rise from last report, reaching levels observed earlier in the year. One major contributor to this was the Sasfis botnet, as it continued its strong run. Eight Sasfis variants landed in our Top 10 Malware listing this report. This is a recurring theme, as developers and their very own creations continue to roll out updated copies of themselves. Earlier in the year, the Sasfis botnet was dedicated to downloading...
by Derek Manky  |  Jul 29, 2010  |  Filed in: Security Research
I discussed in my last post how a variant of Bredolab typically resolves the API functions it needs. Basically, most malware embeds an array of hash values, each corresponding to an API function, rather than storing plain API names. Then, a function is used to "resolve" hash values into the relevant API function addresses. A call to such a function looks like this (taken from actual malware): Concretely, an array of API hashes may look something like the table below (we added an "Equivalent API" column for comprehension, but of course it's not present...
by Raul Alvarez  |  Jul 26, 2010  |  Filed in: Security Research
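As an added example (not code from the post above or from Bredolab), here are the two directions of API hashing: the resolver the malware runs at load time, and the reverse lookup an analyst builds to fill in the "Equivalent API" column. The ROR-13 hash is an assumption chosen because it is the most common scheme in shellcode; the post does not say which hash this Bredolab variant uses. The export table and the embedded hash array are constructed for this example.

```python
# Added example: resolving API hashes both ways.  The ROR-13 hash and the
# export table are assumptions for illustration, not Bredolab's actual ones.

def ror13_hash(name: str) -> int:
    """Assumed hash: for each byte of the ASCII name, rotate the 32-bit
    accumulator right by 13 and add the byte."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


# Constructed stand-in for a DLL's export directory: name -> address.
# Addresses are made up; real ones come from walking the PE export table.
FAKE_EXPORTS = {
    "LoadLibraryA": 0x7C801D7B,
    "GetProcAddress": 0x7C80AE40,
    "VirtualAlloc": 0x7C809AF1,
    "CreateFileA": 0x7C801A28,
    "WriteFile": 0x7C810E27,
}


def resolve_hash(target: int, exports=FAKE_EXPORTS):
    """What the malware's resolver does at runtime: hash every export name
    and return the address whose hash matches (None if nothing matches)."""
    for name, addr in exports.items():
        if ror13_hash(name) == target:
            return addr
    return None


def build_reverse_table(names):
    """What the analyst does instead: precompute hash -> name for a
    dictionary of known API names so embedded hashes can be labelled."""
    return {ror13_hash(n): n for n in names}


def label_hash_array(hashes, reverse):
    """Produce the 'Equivalent API' column: (hash, name or '?') per entry."""
    return [(h, reverse.get(h, "?")) for h in hashes]


# Constructed hash array of the kind a sample embeds: ror13_hash of
# "LoadLibraryA" and "VirtualAlloc", plus one hash not in our dictionary.
EMBEDDED_HASHES = [0xEC0E4E8E, 0x91AFCA54, 0xDEADBEEF]

if __name__ == "__main__":
    rev = build_reverse_table(FAKE_EXPORTS)
    for h, name in label_hash_array(EMBEDDED_HASHES, rev):
        print("0x%08X  %s" % (h, name))
```

In practice the dictionary for the reverse table is built from the export names of the common system DLLs; an entry that stays "?" usually means the sample uses a different hash function (or seeds it with the module name) rather than an unknown API.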
When The Pwnie Awards, aka the Oscars of security research, unveiled this year’s nominees on July 22, 2010, we were excited to discover that Fortinet researchers Guillaume Lovet and Haifei Li were nominated in the category of “Most Innovative Research” for their paper “Adobe Reader's Custom Memory Management: A Heap of Trouble.” “Most Innovative Research” is awarded to the person(s) who published “the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post”. Guillaume and...
by Rick Popko  |  Jul 23, 2010  |  Filed in: Security Research
Since the Belarusian vendor VirusBlokAda raised the alarm last week on a new malware deemed “Stuxnet”, a whole lot of information has been released here and there on different portions of the threat. As a matter of fact, the Stuxnet case presents a certain level of multiplicity, as it consists of an “exploit” part and a “rootkit” part, involves specific infection vectors, targets a specific class of victims, and has unusual characteristics (for instance regarding software certificates). The subsequent fragmentation of information across the...
by Guillaume Lovet  |  Jul 21, 2010  |  Filed in: Security Research
The more I analyze the SymbOS/Album malware, the more it scares me. The main malicious executable, Album.exe, is actually capable of processing incoming commands included in SMS messages sent by the value-added service provider number 106650xxx. Typical commands are: download and install software, get phone information or update software. Now, that starts to look like a botnet, even though it isn't (yet?) a very scalable way to communicate with bots because the bot master must send an SMS to each bot it manages. In more detail, the Album...
by Axelle Apvrille  |  Jul 15, 2010  |  Filed in: Security Research
This month, Derek Manky, project manager, cyber security & threat research at Fortinet, recorded an informative audio presentation with PowerPoint slides titled: “Threat Prevention: 2010 and Beyond.” This extremely enlightening discussion examines four real-world vulnerabilities (Dalai Lama, JBIG2 Zero-Day PDF, Operation Aurora and IE Zero Day), their timelines, what happened with these vulnerabilities, how the attacks occurred and what the payload was. Derek then concludes with examples of how you can best protect your network from becoming...
by Rick Popko  |  Jul 14, 2010  |  Filed in: Security Research