
Tuesday, April 3, 2012

Mobile ‘Wallets’ Attract Greater Interest From Thieves, Researchers


As mobile phones allow us to carry our money in an electronic “wallet,” they will also become a greater target for crooks. Picking a pocket is a risky endeavor for thieves, but it will be much less so if all they need to do is bump into their victims or brush by them with a mobile phone. Thieves are now more likely to go after both mobile payment software and phones enabled with near-field communications (NFC). However, things are not so bad: security researchers’ proof-of-concept (PoC) attacks against Google Wallet and Square’s credit card readers have prompted improvements in security.
Square credit card reader with American Express card
Square's credit card readers recently added encryption for credit card data.
Security researchers have already tested Square’s credit card readers, using exploits and keyloggers to intercept credit card numbers as they pass to their mobile phones. Square has now added encryption to new versions of its credit card reader. Does that mean that they’re completely secure? Not necessarily. Security researcher Adam Laurie is taking a closer look. Laurie has a large amount of experience in reverse-engineering embedded systems and RFID hardware. His research includes finding vulnerabilities in hotel room safes, RFID passports, and chip and PIN credit cards. As word of the new, more secure Square readers arrived, he posted an open request on Twitter. This can only be good for the security of the mobile payment system.
Researcher Adam Laurie requests one of the new encrypted Square readers from his Twitter followers.
NFC-enabled contactless (“tap and pay”) credit cards are also at risk from an attacker with a specially crafted app and NFC-enabled mobile phone. Researchers at viaForensics have demonstrated a PoC NFC reader Android app that can grab the information on your credit card just by placing the phone nearby. An attacker can walk through a crowd and collect numbers and expiration dates from numerous victims. The CVV2 and other card verification numbers aren’t included, so it is more difficult for a criminal to resell stolen credit card information. Generally the CVV2 number, printed on the back of credit cards, is used to verify that online transactions are being made by someone who has the actual card. Most online shopping sites won’t allow a purchase if the customer doesn’t have that number. However, this didn’t stop viaForensics’ partner, the UK’s Channel 4 News, from being able to use this minimal card information on a popular online shopping site.
These latest phone enhancements have inspired an increasing interest in mobile payment security from both the bad guys and security researchers.

Wednesday, March 28, 2012

Signed Malware: You Can Run, But You Can’t Hide


It’s been more than a year since McAfee became an Intel company, and the team and I have been privileged to be a part of designing and developing our DeepSAFE technology, as well as Deep Defender, the first available product that leverages this advancement. Recent threats in the news validate what we’ve been working on, and this blog serves as an update to our followers.

Signed Malware Prevalence

Digitally signed malware has received a lot of media attention recently. Indeed more than 200,000 new and unique malware binaries discovered in 2012 have valid digital signatures.
Unique Malicious Binaries Discovered With Valid Digital Signatures (cumulative starting Jan 2012)
Source: McAfee Labs Sample Database

Why Sign?

Attackers sign malware in an attempt to trick users and admins into trusting the file, but also in an effort to evade detection by security software and circumvent system policies. Much of this malware is signed with stolen certificates, while other binaries are self-signed or “test signed.” Test signing is sometimes used as part of a social engineering attack.
Which signature is real?
Answer: They’re both real and valid certificates, but one is test signed.

Test Signing

Test signing is particularly useful to attackers on 64-bit Windows, on which Microsoft enforces driver signing. By default such drivers will not load. However, Microsoft provides developers with the means of disabling this policy, and malware authors have learned to do the same. Rootkits on 64-bit Windows, such as Necurs used by Banker, Advanced PC Shield 2012, and Cridex, use this approach to compromise the operating system. To combat this, Deep Defender Version 1.0.1 blocks test-signed drivers by default, while allowing ePO administrators to selectively exclude in-house kernel driver developers’ systems as necessary.
This is just one layer of protection, of course. Security is about “defense in depth,” from network to silicon. Real-time memory monitoring allows Deep Defender to identify the Necurs rootkit as it attempts to compromise the kernel.

Trying to Hide

Being able to observe transient events in memory allows DeepSAFE to get past obfuscated file views that challenge traditional antivirus solutions.
Case in point is the Mediyes Trojan referenced in the aforementioned press articles. A quick check of our sample database shows more than 7,000 unique binaries in this family. Yet memory rules written over a year ago to cover rootkit techniques are able to proactively identify the latest signed attack, even as a zero day.
After the attacks were known, the certificate was revoked
Here DeepSAFE intercepts the malware attempting to modify the write-protection bit of the CR0 control register, as well as install kernel inline hooks on the ZwResumeThread function.
VirusTotal shows traditional file scanning was not very successful against this particular sample (just two out of 43 scanners detecting):

More to Come

For some time we’ve seen malicious payloads that attempt to steal digital certificates for nefarious purposes, and we are likely seeing the fruits of that labor. With so much malware online, we are sure to see this trend of signed malware continue and increase.
P.S. Deep Defender Version 1.0.1 is currently in beta and is expected to hit the market in Q2. If you’re interested in helping protect the world beyond the OS, we’re hiring.

Wednesday, March 14, 2012

Opfake scam targets iPhone users


The Opfake gang has been targeting Android mobile devices, as well as Symbian, but that does not mean they are limiting their targets to these platforms. Where there is money to be made, they are willing to invest time and resources. This includes scams designed for iPhone users. We have come across a couple of Opfake websites that, while hosting malicious apps that Symantec detects as Android.Opfake, are also designed to perform social engineering attacks on iPhone users.
The iPhone is designed to prevent the installation of applications outside of the Apple App Store. This makes life difficult for bad guys attempting to fool users into installing malicious apps in a similar manner to Android and Symbian devices.  To get around this, the Opfake gang have developed a social engineering trick that does not require apps to scam site visitors.
We have seen two different types of websites.  The first attempts to trick users into thinking that their browser is out of date and needs to be updated.
When the user clicks on the update button at the bottom of the page, the browser is taken to an installation page showing the progress of the “update”, though in reality there is no updating taking place.
When the “installation” is completed, the user is asked to enter the phone number of their device in order to protect against the unauthorized copying of the application.
If this is done, the user is informed that an SMS message has been sent for confirmation.
We have not been able to confirm this, but given the Opfake gang’s predilection for premium-rate SMS messages, the message sent to the user most likely leads to premium-rate text fraud.
The second type of website displays a fake Android market, even though the site is viewed using an iPhone. Users are allowed to navigate throughout the market and can attempt to download apps as they please. It is a bit peculiar for the user that an Android market can be viewed from an iPhone, but this may be what entices users into attempting to download the apps—some of the apps are not available in the Apple App Store. Non-technical users may be unaware that Android OS apps do not work on iOS. Like the browser trick mentioned above, the trick works by fooling the user into giving out their phone number after the “installation” of the app.
Although the iPhone has an excellent history of making available safe apps, it cannot protect users from attacks such as the one described here, or from phishing attacks, because they are entirely browser-based.  It is important that users are aware of these attacks, and protect themselves accordingly.

Attempts to Spread Mobile Malware in Tweets


It takes time and dedication for cybercriminals to be able to place their mobile malware somewhere on the Internet that will result in a high number of downloads. Target locations for cybercriminals include the official apps market, third-party markets, and even fake app markets. Other locations may include websites that are designed to specifically host a particular malware or serve a variety of malware masquerading as authentic apps. However, the cybercriminals also need to carry out some advertising in order to direct traffic to wherever the malware resides. Some use forums to add comments with malicious links, while others use search engine optimization (SEO) to list malicious sites at the top of search results. Tweets are also used to lure mobile users to the malicious sites. In fact, we have noticed that tweeting is proving a popular method used to direct users to the infamous Android.Opfake malware.
Users can potentially end up infecting their mobile devices with Android.Opfake by searching for tweets on subjects such as software, mobile devices, pornography, or even dieting topics to name a few. Android.Opfake is not hosted on the Android Market (Play Store) and these tweets lead to malicious websites developed for the Opfake application. These tweets typically contain short URLs and the message is mainly in Russian with some English terms included. Once the user visits the site, they are prompted to install the malicious application. However, aside from these particular characteristics, all tactics used differ from each other making it difficult to confirm which tweets are actually bad unless you click on the link. Below are a couple of examples that include malicious tweets.
Some are easier to spot since similar tweets are constantly being sent out and they have no followers, but others do have followers and do not tweet as often. Some have content in their profiles, but most do not. Most account names are peculiar, but some have common names. Below are a few of the recognizable bad accounts.
Several operations are continuously taking place and some are executed at the same time, which amounts to a pretty large number of tweets. For example, a recent 8-hour operation included over 130,000 tweets from around 100 accounts before it ceased tweeting.
Data courtesy of Topsy Labs
This was only one of the operations running simultaneously. Another operation taking place at the time sent out over 1,500 tweets from over 50 accounts in the space of one hour. There were other minor operations taking place as well. However, I was unable to confirm the number involved. Among 250 million Tweets sent every day, it is difficult to gauge how many tweets leading to malware are actually out there.
Whenever we see certain patterns in malicious tweeting, we report our findings to Twitter to have them shut down and the company has been very responsive in taking them down. Twitter also provides the ability for users to report an account as spam. Below is a page that the company prepared for one of the operations that was shut down.
With traditional malware, security vendors continuously update detections for malware which is then updated again by the malware developers. Malicious tweeting is now also playing this cat-and-mouse game.  Cybercriminals mix their game around, thereby making it difficult to recognize all bad tweets and most of all: they are persistent.  Symantec will continue to work with Twitter to combat these operations and the combination of our defences will hopefully continue to protect our customers. Twitter’s Help Center also provides several tips on how to keep your account secure.
Smartphones have allowed users to access the Internet anytime, anywhere and perform tasks that were only possible using computers. While the convenience provides so many great advantages, cybercriminals are also taking this opportunity to accomplish their bad deeds. So be wary when using mobile devices. For tweets in particular, be selective when deciding which links in the tweets to click on. You may want to only trust tweets from accounts you are familiar with. Tweets are similar to email. You wouldn’t open an email from an unknown sender and then click on the included link, would you? This usually means bad news and the same goes for tweets.

Monday, March 12, 2012

An Analysis of Jester's QR Code Attack. (Guest Diary)


[This is a guest diary contributed by STI Student TJ O'Connor] [Many claim this to be a hoax]
This week saw an interesting turn in the US government's battle against the hacker group Anonymous. Official court documents and details emerged that finally showed that #sabu was turned by the US government as an informant to arrest and dismantle members of the LulzSec splinter cell. (Bray, 2012) In the last two days, another dramatic turn of events highlighted the demise of the once thought invincible hacker group; a group the Director of the NSA said could be capable of hacking the power grid within a year or two. (Liebowitz, 2012)
A lone-wolf patriot hacker, known as Th3J35t3r, claims to have successfully targeted, exploited, and raided personal information from members of Anonymous, LulzSec, and Anti-Sec alongside Islamic extremists and Al Qaeda, and Rhode Island State Representative Dan Gordon. If you are living in a cave and haven't heard about the Jester, read the SANS whitepaper. (OConnor, 2011) So how did the attack occur? And how can you protect yourself? Let's quickly answer these questions.
The Jester laid the groundwork for his attack over two weeks ago when he changed the icon for his Twitter account @th3j35t3r.
Here's where the Jester really relied upon his adversaries' technical prowess and curiosity as a weakness. By changing the photo to a QR code, the Jester encoded a URL into the image. The victims used their mobile phones to scan the QR code and then visited the tinyurl address out of sheer curiosity. Since most of us (including the author) use our mobile phones to scan QR codes, this allowed the Jester to scope his attack to browsers for the iOS and Android operating systems. Both iOS and Android rely heavily upon the WebKit framework for their web browser.
A WebKit exploit isn't necessarily novel. Previous exploits have succeeded in targeting WebKit. In 2010, Itzhak (Zuk) Avraham wrote a use-after-free exploit for WebKit on the Android 2.1 framework. (Abraham, 2010) Dr. Charlie Miller followed in March 2011 with a use-after-free WebKit exploit for the iOS 4.2.1 operating system. (Naraine, 2011)
For a great example of how use-after-free exploits work, check out the Grey Corner Blog. Use-after-free bugs have been exploited for a while, especially in Advanced Persistent Threat attacks. Notably, the Operation Aurora attack that targeted Google succeeded via an Internet Explorer use-after-free vulnerability. Allocating memory for a specific object, freeing that memory, and then dereferencing the stale pointer to the object can trigger arbitrary code execution. This can easily be combined with a technique known as heap spraying, which fills the heap with executable code in multiple locations. Combined with a heap spray, a use-after-free can jump into the heap, find its payload (shellcode), and execute it.
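The mechanism described above, a pointer kept across a free() that then aliases whatever object the allocator places in the same chunk next, is easiest to see in a deterministic allocator. The following C program is an added example written for this page; it is not code from the diary, from the Jester, or from any of the cited exploits. It builds a constructed four-slot toy allocator with a LIFO free list (the reuse policy that real size-class allocators such as glibc's tcache also follow) and shows two things: a cached raw pointer silently reading the next object's contents, and the defensive pattern of generation-counted handles, under which every copy of a stale reference resolves to NULL and a double free is refused. It goes beyond the text in showing the mitigation; it contains no heap spray and no payload, and all names and data are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a fixed-size, four-slot allocator. Real allocators
 * also hand the most recently freed chunk of a size class straight back to
 * the next caller; this toy makes that reuse deterministic and observable. */
#define SLOT_COUNT 4
#define SLOT_SIZE  32

typedef struct {
    unsigned char data[SLOT_COUNT][SLOT_SIZE];
    uint32_t      generation[SLOT_COUNT]; /* incremented on every free */
    int           free_stack[SLOT_COUNT]; /* LIFO free list, last freed first */
    int           free_top;
} slab_t;

/* A handle records the slot plus the generation it was issued in, so any
 * copy of it becomes invalid the moment the slot is freed. */
typedef struct { int slot; uint32_t gen; } handle_t;

static void slab_init(slab_t *s) {
    memset(s, 0, sizeof *s);
    for (int i = SLOT_COUNT - 1; i >= 0; i--)   /* slot 0 is handed out first */
        s->free_stack[s->free_top++] = i;
}

static handle_t slab_alloc(slab_t *s) {
    handle_t h = { -1, 0 };
    if (s->free_top == 0) return h;             /* out of slots */
    h.slot = s->free_stack[--s->free_top];
    h.gen  = s->generation[h.slot];
    return h;
}

/* Resolve a handle to storage; a stale handle (slot freed since issue) yields NULL. */
static void *slab_get(slab_t *s, handle_t h) {
    if (h.slot < 0 || h.slot >= SLOT_COUNT) return NULL;
    if (s->generation[h.slot] != h.gen) return NULL;
    return s->data[h.slot];
}

/* Returns 1 on success, 0 if the handle is stale (double free) or invalid. */
static int slab_free(slab_t *s, handle_t h) {
    if (slab_get(s, h) == NULL) return 0;
    s->generation[h.slot]++;                    /* invalidates every copy of h */
    memset(s->data[h.slot], 0, SLOT_SIZE);      /* scrub the released memory */
    s->free_stack[s->free_top++] = h.slot;
    return 1;
}

/* The bug the text describes: a raw pointer outlives its object and, after the
 * slot is reused, reads the new object's bytes. Returns 1 if that aliasing occurs. */
static int demo_dangling_pointer_aliases(void) {
    slab_t s; slab_init(&s);
    handle_t a = slab_alloc(&s);
    char *dangling = slab_get(&s, a);           /* pointer cached across free */
    strcpy(dangling, "session-A");
    slab_free(&s, a);                           /* object gone, pointer kept */
    handle_t b = slab_alloc(&s);                /* same slot comes straight back */
    strcpy(slab_get(&s, b), "object-B");        /* constructed data for the new object */
    return b.slot == a.slot && strcmp(dangling, "object-B") == 0;
}

/* The mitigation: re-resolve through the handle on every use instead of caching
 * the pointer. The stale handle fails closed and the double free is refused. */
static int demo_stale_handle_rejected(void) {
    slab_t s; slab_init(&s);
    handle_t a = slab_alloc(&s);
    strcpy(slab_get(&s, a), "session-A");
    slab_free(&s, a);
    handle_t b = slab_alloc(&s);
    strcpy(slab_get(&s, b), "object-B");
    return slab_get(&s, a) == NULL
        && slab_free(&s, a) == 0
        && strcmp(slab_get(&s, b), "object-B") == 0;
}

int main(void) {
    printf("dangling pointer aliases the next object: %d\n", demo_dangling_pointer_aliases());
    printf("stale handle rejected, double free refused: %d\n", demo_stale_handle_rejected());
    return 0;
}
```

The first demo is the condition an attacker needs (control over what lands in the reused chunk); the second is why handle tables, pointer nulling after free and scrubbing on release remove it. Compiling the first demo with a tool such as AddressSanitizer against a real malloc() would flag the stale read, which is the cheapest detection available during development.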
In the Jester's attack this code executed a netcat command, passing the Twitter credentials to the Jester. At this point, the patriot hacker checked the credentials against a list of known targets before proceeding with his attack. Specifically targeted in the attack were @alemarahweb, @HSMPress, @AnonymousIRC, @wikileaks, @anonyops, @barretbrownlol, @DiscordiAnon, and @RepDanGordon.
Even under the current iOS 5.1, the com.atebits.Tweetie2 database contains com.atebits.Tweet2.plist, which holds the Twitter username, recent searches, and device UDIDs, among other information that makes identifying specific users easy if they have the default Twitter application installed.
Next, the Jester raised his permissions on each exploited device. Under iOS this proves trivial, since iOS has a default username/password combination of root/alpine. (Heider, 2012) Under Android, there are a variety of privilege escalation attacks. (Davi, 2010) With elevated privileges, the Jester then targeted specific databases that contained the SMS, voicemail, call logs, and email on the phone. Since the default applications store all this data in default databases on the phone, extracting it proves as easy as writing a few sqlite3 queries.
th3j35t3r$ sqlite3 sms.db
SQLite version 3.7.9 2011-11-01 00:52:41
Enter ".help" for instructions
Enter SQL statements terminated with a ";"

sqlite> select address, text from message;
+15555551234| Where can I download LOIC?
+15555551234| Whats the new IRC Hivemind Server?
+15555551234| Where can I find a good attorney?

At this point, the Jester has threatened to upload the contents of the raid to the Internet, holding the victims hostage. Unapologetic for the attack, the Jester continues his patriot hacking campaign.
"I also had a list of "targets" twitter usernames I was interested in, these were comprised of usernames of: Islamic Extremists, Al Qaeda Supporters, Anonymous Members, Lulz/Antisec Members
EVERYONE else without exception was left totally "untouched" so to speak. This was a Proof of Concept QR-Code based operation against known bad guys, the same bad guys that leak YOUR information, steal YOUR CC nums, and engage in terror plots around the world.
I do not feel sorry for them.
In the interests of convenience I will be taking the liberty of uploading the captured bad-guy data in a signed PGP encrypted file to a suitable location very soon. How's that for "lulz"?

Included in the attack was US State Representative Dan Gordon. Angered over a 2010 news article about the representative, (CBS, 2010) the Jester made the attack personal. The Twitter account for the representative holds messages indicating that the FBI will now target the Jester for crimes ranging from threatening a state official to hacking the representative's cellular phone. As with all developing news, it is still unclear whether the representative's Twitter account has also been hacked along with his phone. A less than professional message on Twitter leads us to believe his Twitter account has been hacked. This brings us to an interesting lesson learned from the attack: once a mobile device is compromised, you must consider all your accounts compromised. Since our mobile devices often contain multiple mail, phone, contact, social media, and personal information stores, we must consider all this information compromised.
Some technical questions still remain. The Pwn2Own exploit used by Charlie Miller in 2011 could not bypass Address Space Layout Randomization (ASLR). Since iOS 4.2.3, the iPhone has had a limited ASLR implementation that would have prevented Miller's exploit from working correctly. Did the Jester recycle Miller's one-year-old exploit or did he upgrade it for iOS? If so, how did he bypass ASLR? Further, CVE-2010-1807 only works for Android 2.1 and below. How was this exploit upgraded? Additionally, would changing the default credentials on iOS (through jailbreaking the device) have prevented the privilege escalation portion of the attack against iOS? If the victims used non-standard mail, Twitter, and SMS applications, the attacker would not have noticed them. (Win one for security through obscurity.)
Although we are constantly reminded of the threats facing us, at least this threat was targeted against specific members of Anonymous and Al Qaeda, groups the majority of us do not belong to. But it reminds us of the threat that is out there. I'll repeat again what I've said multiple times: cyber is asymmetric warfare; it favors the individual, it favors the adversary. Did the Jester just accomplish in two weeks what took the federal government months and a deal with a known criminal? Maybe; the details have yet to emerge.

References
Avraham, I. (2011, November 14). Android 2.0 / 2.1 Use-After-Free Remote Code Execution. Packet Storm. Retrieved March 11, 2012, from http://packetstormsecurity.org/files/95850/Android-2.0-2.1-Use-After-Free-Remote-Code-Execution.html
Bray, C. (2012, March 9). FBI's 'Sabu' Hacker Was a Model Informant. The Wall Street Journal. Retrieved March 11, 2012, from http://online.wsj.com/article/SB10001424052970204603004577269844134620160.html?mod=googlenews_wsj
CBS News. (2011, November 24). Lawmaker's Gulf War claims, records don't match. CBS News. Retrieved March 11, 2012, from http://www.cbsnews.com/2100-250_162-20111212.html
Davi, L. (2010, November 13). Privilege Escalation Attacks on Android. System Security Lab, Ruhr-University Bochum, Germany. Retrieved March 11, 2012, from www.ei.rub.de/media/trust/veroeffentlichungen/2010/11/13/DDSW2010_Privilege_Escalation_Attacks_on_Android.pdf
Heider, J. (2012, February 27). Further Information on iOS Password Protection. Fraunhofer Institute for Secure Information Technology (SIT). Retrieved March 11, 2012, from http://sit.sit.fraunhofer.de/studies/en/sc-iphone-passwords-faq.pdf
Liebowitz, M. (2012, February 21). Could Anonymous Really Knock Out the Power Grid? msnbc.com. Retrieved March 11, 2012, from http://www.msnbc.msn.com/id/46468844/ns/technology_and_science-security/t/could-anonymous-really-knock-out-power-grid/
Naraine, R. (2011, March 10). Charlie Miller wins Pwn2Own again with iPhone 4 exploit. ZDNet. Retrieved March 11, 2012, from http://www.zdnet.com/blog/security/charlie-miller-wins-pwn2own-again-with-iphone-4-exploit/8378
OConnor, T. (2011, December 30). The Jester Dynamic. SANS Reading Room. Retrieved March 11, 2012, from http://www.sans.org/reading_room/whitepapers/attacking/jester-dynamic-lesson-asymmetric-unmanaged-cyber-warfare_33889