NEWS FROM THE LAB - June 2013

Thursday, June 27, 2013

Bitcoin to Mikko's 50,000th Twitter Follower
Posted by Mikko @ 12:24 GMT

I started on Twitter in March 2009.

Twitter archive of @mikko from 2009 to 2013

I never would have thought this would happen, but I've gained a remarkable amount of followers since. Thank You. In fact, with almost 50,000 followers, I'm actually one of the most followed Finns on Twitter.

Follower count from 0 to 50,000

So I want to give something back.

My 50,000th follower will get a physical Bitcoin coin worth 1 BTC, made by Casascius.

Casascius 1 Bitcoin coin

But rewarding my latest follower and ignoring all the rest wouldn't be fair. So, I'll give another 1 BTC coin to a random follower.

The winners will also get a copy of Thomas Rid's new book Cyber War Will Not Take Place.

Cyber War Will Not Take Place by Thomas Rid

Rules and conditions: I select who wins. No complaints. Winners get the coins and books via mail.

Thanks,
Mikko

Wednesday, June 26, 2013

The Geography of Malware
Posted by Sean @ 13:19 GMT

Yesterday, Google announced on its Online Security Blog that it will now include Safe Browsing statistics in its Transparency Report.

The Safe Browsing Malware Dashboard is fascinating.

Here's last week's Malware Distribution by Autonomous System, using just the "Attack Sites" filter:



The location of the attack sites by AS?

  •  USA
  •  Russia
  •  Ukraine

Hmm, the USA (San Diego) is at the top.

And now let's look at one year's time range:



And the locations?

  •  Transnistria
  •  Romania
  •  Latvia

Specialist Ltd in Transnistria?

A search for that yields a result from Dynamoo's Blog:



"Transnistria, a breakaway part of the former Soviet Republic of Moldavia. No UN members recognise Transnistria, and effectively it sits beyond the reach of international law enforcement."

There's always something new to learn regarding the geography of malware…

A picture gallery from Telegraph.co.uk: Welcome to Transnistria: a Soviet breakaway territory in Eastern Europe

Thursday, June 20, 2013

Do you cover up your webcam?
Posted by Sean @ 13:01 GMT

(Web)camjacking is in the news.

This morning from BBC News: Webcams taken over by hackers, charity warns

As part of the report, BBC Radio 5 live interviewed a Finnish hacker who supposedly sells "female bots".


And last Friday from Forbes: Two-Year-Old Flash Bug Still Allows Webcam Spying On Chrome Users

You should update to the latest version of Chrome or else you'll be vulnerable to a bug that allows camjacking via Flash.

Researcher Egor Homakov's proof of concept: Click and say Cheese


Your software should always be up to date — but perhaps the best advice is to cover up your cam!

Sydney Morning Herald: Taping over prying eyes of web spies


This is how Mikko does it:

Mikko's webcam

Wednesday, June 19, 2013

Post-PC Attack Site: Only Interested in Smartphones/Tablets
Posted by Sean @ 12:50 GMT

We've discovered a server that only attacks and/or spams smartphones and tablets — and not PCs.

A Sweden-based colleague of ours, Johan, was recently using his (Android) phone to search for boat trips in the Galapagos Islands. He found a site called Vagabond. And on Vagabond he found an entry with a link to: galacruises.com.

From a Windows-based browser, the link redirects to a site called islasgalapagos.travel.

But the results are very different if a mobile device is used…



Mobile browsers are redirected to a .info domain which in turn redirects yet again.

Sometimes it redirects to a popular game on Google Play:



But much of the time, it's NSFW sites (here seen from a Windows Phone):



And sometimes… malware! (As was the case for Johan.)



Here you can see that the malicious .APK file was blocked by one of our "online" detections.



Specific "disk" detection identifies the threat as a variant of FakeInstaller: Trojan:Android/FakeInst.AV.

Our Mobile Security Safe Browser blocks the offending website:



Note: visiting the .info site without the attack's parameter will result in a redirection to google.com.

A site with an index page that redirects to google.com? Always a clue something's afoot.
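The user-agent-dependent redirection described above, as an added example (not F-Secure's code): a small Python checker that follows a URL's redirect chain once with a desktop and once with a mobile user agent, then flags a diverging destination, a final hop that is an .apk file, and an intermediate host whose bare index page bounces to google.com. The network is replaced by a constructed in-memory table with placeholder hostnames, and the user-agent strings are constructed as well.

```python
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit
REDIRECTS = {301, 302, 303, 307, 308}
DESKTOP_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/21.0"       # constructed
MOBILE_UA = "Mozilla/5.0 (Linux; Android 4.1.2; Mobile) Chrome/27.0"  # constructed
Fetch = Callable[[str, str], Tuple[int, Optional[str]]]  # (url, ua) -> (status, Location)

# Constructed stand-in for the network; hostnames are placeholders, not the real ones.
_FAKE: Dict[Tuple[str, str], Tuple[int, Optional[str]]] = {
    ("http://tour-site.example/", "desktop"): (302, "http://travel-agency.example/"),
    ("http://tour-site.example/", "mobile"): (302, "http://redirector.example/?c=1234"),
    ("http://redirector.example/?c=1234", "mobile"): (302, "http://pay.example/update.apk"),
    ("http://redirector.example/", "mobile"): (302, "http://www.google.com/"),  # bare index
}

def fake_fetch(url: str, user_agent: str) -> Tuple[int, Optional[str]]:
    """Request one URL without following redirects; unknown URLs answer with a plain 200."""
    kind = "mobile" if ("Mobile" in user_agent or "Android" in user_agent) else "desktop"
    return _FAKE.get((url, kind), (200, None))

def follow_redirects(url: str, user_agent: str, fetch: Fetch, max_hops: int = 10) -> List[str]:
    """Walk the redirect chain for one user agent; stop at a final page, a loop or max_hops."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(url, user_agent)
        if status not in REDIRECTS or not location:
            break
        chain.append(location)
        if location in seen:  # loop: record the hop and stop
            break
        seen.add(location)
        url = location
    return chain

def assess(url: str, fetch: Fetch) -> Dict[str, object]:
    """Compare the desktop and mobile chains and flag the three signs the post describes."""
    desktop = follow_redirects(url, DESKTOP_UA, fetch)
    mobile = follow_redirects(url, MOBILE_UA, fetch)
    findings: List[str] = []
    if desktop[-1] != mobile[-1]:
        findings.append("ua_cloaking")      # device class decides the destination
    if urlsplit(mobile[-1]).path.lower().endswith(".apk"):
        findings.append("apk_download")     # mobile visitors end up at a package file
    for hop in mobile[1:-1]:                # intermediate hops, e.g. the .info domain
        parts = urlsplit(hop)
        status, loc = fetch(f"{parts.scheme}://{parts.netloc}/", MOBILE_UA)
        if status in REDIRECTS and loc and urlsplit(loc).netloc.endswith("google.com"):
            findings.append("decoy_index")  # bare index page bounces to google.com
            break
    return {"desktop": desktop, "mobile": mobile, "findings": findings}
```

Swapping `fake_fetch` for a real non-following HEAD request gives the same verdicts against a live URL.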

Be Safe Out There.

Monday, June 17, 2013

Rogue Headlines in Google News
Posted by Sean @ 09:12 GMT

A spam campaign is currently abusing Google News.

Search Engine Optimization (SEO) black hats are injecting "jailbreak" headlines into an iOS thread.

Google News

Here's a view of the full coverage:

Google News, Full coverage

The so-called "news" links readers to schemes offering iPhone jailbreaks.

Unlock iPhone spam

Here's an iPhone view:

Google News SEO, iPhone screenshots

The good news: it appears that current SEO abuse is limited to spammers.

The bad news: where spammers go — exploit kits are surely soon to follow.

Let's hope Google's search engineers plug this hole quickly.

Thursday, June 13, 2013

Fake Antivirus Scan Scam Via Google Play App Ads
Posted by Sean @ 12:39 GMT

Yesterday, we wrote about some very bad piggies: pirated Rovio software being used to push unwanted ads at Google Play users.

What kind of ads?

Here's an example from an ad-network we've been tracking since we came across it back in March.

Yesterday, the ad-network directed Finnish IP addresses to an ad for a poker game app.

But today, the ad redirects to a fake "antivirus" scam:

Android virus-a.akeji.d

The scam's Finnish localization sucks…

…at least until you scroll down to the legal disclaimer at the bottom which claims it's all for "entertainment" purposes.

Android virus-a.akeji.d

Just enter your phone number for the service and…

Ouch!

Fifteen euro a week? Do not want.

Stay Safe Out There

Wednesday, June 12, 2013

Bad Bad Piggies On Google Play
Posted by Sean @ 15:11 GMT

One of these things is not like the others.

Bad Bad Piggies

No, not the "Full Guide" — we're referring to the "Bad Pigs" by Dan Stokes.

The app's description:

Bad Bad Piggies

Wow. More than 10,000 installs since May 25, 2013.

AppBrain, an Android app portal, doesn't correct for relevance, so "Bad Pigs" ranks first.

Bad Bad Piggies

Dan's contact address is: hgfdhsdgjhd@gmail.com.

That's fishy.

Bad Bad Piggies

AppBrain has a very nice feature which lists "Concerns" as well as permissions required.

Bad Bad Piggies

Boy, that's a long list of extra permissions. These particular piggies aren't just bad — they're evil.

Dan Stokes has a few other apps as well.

Bad Bad Piggies

"Fruit Chop Ninja" also has more than 10,000 installs.

And here's an interesting note: the app ID, and therefore the URL, includes the word "Rovio".

Bad Bad Piggies

Our Mobile Security product detects and blocks this as Android/FakeInst.CI.

We've reported the issue to Google (and Rovio) and the apps are no longer indexed by Google's search.

Stay safe out there.

Thursday, June 6, 2013

Not the Mobile Antivirus You Were Looking For
Posted by SecResponse @ 07:03 GMT

While browsing Malaysiakini (a popular Malaysian website) on an Android phone, one of our analysts spotted this advertisement:

Malaysiakini scam ad

Clicking on the ad led to an external site displaying the following:

Scam ad, download screen

Looks reminiscent of the kind of text we've seen for years on webpages pushing rogues for Windows systems (and sometimes Mac).

Clicking on the "Download and Scan Now" button leads to an image, which looks like an antivirus app:

Scam ad, download screen with antivirus image

Clicking on the image brings you to a page that asks for your phone number and displays some interesting text:

Scam ad, phone number submission page

"This is an ongoing subscription service until you quit. You will receive 4 sms per week and chargeable at RM4 per message. Only [REMOVED] user will receives max 3 sms per week and chargeable at RM4 per message. Data charges are billed separately by mobile operators."

So, it's an SMS subscription service. Provide a phone number, and the user gets an SMS message with registration instructions for the service.

Once registered, another SMS is sent providing a download link. When we tried the link, the only thing we got was a message saying "Sorry, you have exceeded the allowed download limit." The site's index page claims to be "under construction."

Fortunately, the SMS with the registration instructions also included instructions for stopping the service.

We normally recommend users read the permissions requested when downloading a mobile app. In this case, reading the text before downloading would also be prudent. This was probably not the service a user was looking for when they clicked on the ad.

Our Browsing Protection feature currently rates the site hosting the supposed APK download as Suspicious.

Updated to add:

Like Windows-based Rogueware, this "Android Antivirus" scam recognizes other operating systems — but fails to fine-tune the bait.

iOS:

Scam ad, iPod

Windows Phone:

Scam ad, Lumia 620

Tuesday, June 4, 2013

Our Mac Team Wants Beta Users
Posted by Sean @ 12:55 GMT

This is Rasmus.

twitter.com/pajp

According to his Twitter bio: he's a long-haired over-intoxicated geek from Sweden living in Finland, who likes shiny unixy things.

He's a senior software engineer/developer on our Mac Protection team (and a generally good guy).

If you're also a geek — Rasmus thinks it would be "neat" (that's a quote) if you'd give our "Safe Anywhere Mac Technology Preview" a try. The team is developing a new feature that they want to roll out in a few weeks' time. So… if you have the skills to run beta software, Rasmus (and team) would really appreciate the feedback.

Cheers!

Monday, June 3, 2013

Coursera Offers Malware MOOC
Posted by Sean @ 12:35 GMT

"A massive open online course is an online course aimed at large-scale interactive participation and open access via the web." And here's a MOOC we think you'll be interested in…

Coursera is offering a class called: Malicious Software and its Underground Economy

Coursera, Malicious Software and its Underground Economy: Two Sides to Every Story

According to instructor Lorenzo Cavallaro:

"Students will learn how traditional and mobile malware work, how they are analyzed and detected, peering through the underground ecosystem that drives this profitable but illegal business."

Sounds intriguing.