Archive for the 'Mobile Security Research' Category

Counting Malware

Malware continues to increase at a rapid rate. With the DAT-5516 release, scheduled for 4 February, the number of drivers in the DATs will pass 500,000. Half a million is a huge amount. I remember my first antivirus program, back in the ’80s, that had a count of about 80. I don’t recall the exact number, but it’s easy to place it into perspective. We add way more on a daily basis now.

However, our current count is not an absolute number of detected malware files; this confuses many people. Drivers can be written very specifically, say one driver for one sample, but that’s not very effective. Most drivers are written to detect many samples generically. For example, one driver can detect 50 or as many as thousands of malware files. Therefore, the number of detected malware files is far higher than the half-million figure reflected in the DATs. For another look at the complexity of counting malware detections, please see François Paget’s blog as well.

Initially VirusScan focused just on true self-replicating viruses, mainly 8-bit (.com/.exe) MS-DOS viruses as well as boot viruses, which were prevalent then (and some still are today). Malware has since evolved into many areas including, but not limited to, VBA, VBScript, JavaScript, 32-bit (PE-type .exe binaries) mass-mailers, 32-bit file infectors, mobile malware, adware, password stealers, and others. Nowadays the majority of malware is static Trojans.

There has also been a big shift among malware authors. The first malware authors were hobbyists, writing to prove it could be done, but today we mainly see malware that’s going after the money: password stealers and the like. Malware is often developed in professional environments, much like a business project with a plan.

Although there is malware for operating systems such as Mac OSX and the various Linux/Unix versions, most malware is still targeted at Microsoft Windows and its applications.

Default Security Policies For HTC Touch Pro Not So Secure

Recently I bought a new cell phone: the HTC Touch Pro. Great mobile phone. Opera Mobile Web surfing is handled great. The Sprint EV-DO Rev A network is fast and it’s the most stable smart phone I’ve had so far. As a security researcher naturally I had to dig deeper into how secure this mobile phone actually is. I quickly found out things that make me wonder if the mobile handset industry has learned anything from the desktop industry as far as protecting consumers.

The first thing I did was look at the default security settings of the mobile phone. Windows Mobile keeps the policies in the registry under HKLM\Security\Policies\Policies. These policies are documented at http://msdn.microsoft.com/en-us/library/ms890461.aspx, along with the recommended settings to use as a security baseline at http://msdn.microsoft.com/en-us/library/ms889564.aspx. The first thing I noticed is that some policy settings on my phone are, by default, different from the recommended settings. Below is an analysis of two of these changed policy settings:

SL Message Policy
Recommended Default: 2048 - SECROLE_PPG_TRUSTED
Value on HTC Touch Pro: 0000100c: 2112
Changed Value: (SECROLE_PPG_TRUSTED | SECROLE_USER_UNAUTH)

SI Message Policy
Recommended Default: 3072 - (SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED)
Value on HTC Touch Pro: 0000100d: 3136
Changed Value: (SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_USER_UNAUTH)

These policy settings define WAP Push SI (Service Indication) and SL (Service Load). WAP was designed to be used by operators, administrators, and others to push software updates or even ringtones directly to the phone. For some unknown reason the HTC Touch Pro has broken from the recommended security policy and added a flag (SECROLE_USER_UNAUTH) that allows unauthenticated WAP Pushes from anyone. What does this mean? It means that an attacker can send a WAP push telling you to install spyware, like FlexiSpy, which gives them full control of your mobile handset. Once installed, the attacker can obtain your private data, your passwords, call logs, and even eavesdrop using the microphone. Sound familiar? And don’t think that it has to be a WAP push with a WAP gateway etc. That’s not the only impact these settings have. A specially crafted SMS can have the same effect as sending the WAP push through a gateway. A binary SMS message can contain a WAP SL Push (using SL as it can be used to force the downloading of spyware without user intervention or prompts) that instructs the mobile handset to go to a specific URL, get the spyware, and run the spyware after receiving it. In this case, all the attacker would need is the mobile handset phone number to send the binary SMS message to.

Further research showed that binary SMS doesn’t seem to work on Sprint’s CDMA network. It is reported, though, that it does work on GSM networks such as AT&T’s. This makes me wonder what the default security policy is for WAP Pushes on AT&T’s version of the HTC Touch Pro, the HTC FUZE. In any case, unless you know you absolutely need this flag, set these security policies to the Microsoft recommended default values of 2048 and 3072, respectively. I use PHM Registry Editor, although any registry editor for Windows Mobile can be used.
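An added example (not from the original post) that takes the two policy values in the "name: value" form shown above, decodes them into their SECROLE_* bits and reports anything granted beyond the recommended baseline. The role constants are derived from the numbers quoted in the post (2048, 3072 and 2112), not from any other source.

```python
"""Audit Windows Mobile WAP Push security policies.

Decodes the SL Message Policy (0000100c) and SI Message Policy (0000100d)
values stored under HKLM\\Security\\Policies\\Policies into SECROLE_* bits
and reports anything granted beyond Microsoft's recommended defaults.
Role values are derived from the numbers in the post: 2048 is
SECROLE_PPG_TRUSTED, 3072 - 2048 = 1024 is SECROLE_PPG_AUTH and
2112 - 2048 = 64 is SECROLE_USER_UNAUTH.
"""
import re
from typing import Dict, List

SECROLE_USER_UNAUTH = 64     # any unauthenticated sender may push
SECROLE_PPG_AUTH = 1024      # authenticated push proxy gateway
SECROLE_PPG_TRUSTED = 2048   # trusted push proxy gateway

ROLE_NAMES = {
    SECROLE_USER_UNAUTH: "SECROLE_USER_UNAUTH",
    SECROLE_PPG_AUTH: "SECROLE_PPG_AUTH",
    SECROLE_PPG_TRUSTED: "SECROLE_PPG_TRUSTED",
}

SECPOLICY_SLMESSAGE = 0x100C  # registry value name 0000100c
SECPOLICY_SIMESSAGE = 0x100D  # registry value name 0000100d

POLICY_NAMES = {
    SECPOLICY_SLMESSAGE: "SL Message Policy",
    SECPOLICY_SIMESSAGE: "SI Message Policy",
}

# Microsoft's recommended baseline, as quoted in the post.
RECOMMENDED = {
    SECPOLICY_SLMESSAGE: SECROLE_PPG_TRUSTED,
    SECPOLICY_SIMESSAGE: SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED,
}

# Constructed sample in the "name: value" form shown in the post.
HTC_TOUCH_PRO_DUMP = """\
0000100c: 2112
0000100d: 3136
"""


def parse_policy_dump(text: str) -> Dict[int, int]:
    """Parse lines like '0000100c: 2112' into {policy_id: value}."""
    policies = {}
    for line in text.splitlines():
        m = re.match(r"\s*([0-9a-fA-F]{8})\s*:\s*(\d+)\s*$", line)
        if m:
            policies[int(m.group(1), 16)] = int(m.group(2))
    return policies


def decode_roles(mask: int) -> List[str]:
    """Name each set bit; bits without a known name are shown as hex."""
    return [ROLE_NAMES.get(1 << b, f"0x{1 << b:x}")
            for b in range(32) if mask & (1 << b)]


def audit(policies: Dict[int, int]) -> List[dict]:
    """Return one finding for each policy that grants roles beyond the baseline."""
    findings = []
    for pid, recommended in RECOMMENDED.items():
        if pid not in policies:
            continue  # missing value: the device uses its built-in default
        actual = policies[pid]
        extra = actual & ~recommended
        if extra:
            findings.append({
                "policy": POLICY_NAMES[pid],
                "id": f"{pid:08x}",
                "actual": actual,
                "recommended": recommended,
                "extra_roles": decode_roles(extra),
                "allows_unauthenticated": bool(extra & SECROLE_USER_UNAUTH),
            })
    return findings


if __name__ == "__main__":
    for f in audit(parse_policy_dump(HTC_TOUCH_PRO_DUMP)):
        print(f"{f['policy']} ({f['id']}): {f['actual']}, recommended "
              f"{f['recommended']}; extra roles: {', '.join(f['extra_roles'])}")
```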

25C3: Nothing to Hide

The last major event of the year has just ended: the 25th Chaos Communication Congress’ closing ceremony just took place. The congress, now in its 25th year and thus one of the oldest annual IT security conferences on the planet, drew more than 4,000 visitors, who crowded the BCC in Berlin and made it difficult to get into the talks, much like at Defcon some years ago.

For the talks: as always there was a healthy mix of technical, culture, and society-related topics (the full schedule can be found here). Surprising was the low number of local speakers talking about security problems or releasing tools. This may be related to a lot of confusion about the impact of recent German legislation banning “hacker tools.” Recordings of all talks will eventually be available here.

Some of the highlights of the conference (yes, with four days and three parallel tracks I’m certainly missing some that should be mentioned) were Security Failures in Smart Card Payment Systems, by Steven Murdoch; Fabian Yamaguchi’s talk about TCP DoS vulnerabilities; SWF and the Malware Tragedy, by BeF and fukami; FX of Phenoelit talking about the state of attack/defense of routers (start watching your infrastructure, folks!); and finally the conference highlight, a talk about creating a rogue CA certificate, by David Molnar, Marc Stevens, Benne de Weger, Arjen Lenstra, Dag Arne Osvik, Jacob Appelbaum, and Alex Sotirov. By taking advantage of known (and widely ignored) weaknesses of MD5-signed certificates and a bad implementation at a CA, they were able to create a rogue CA certificate trusted by all browsers. OUCH!

A very interesting note concerning the rogue CA talk: they didn’t give out any details on what they were planning to talk about until just before the talk itself. As they were afraid that someone or some company might try to gag them and prevent the talk from happening, they discussed the content with affected parties only under NDA. Meaning: they made the other party sign the NDA, not the usual way around!

This year there were a number of talks about mobile phone (in)security and about the GSM network in general, an interesting trend to follow in the next months/years. And at the very end a vulnerability affecting many Symbian-based phones, trivial to exploit manually, had been released: SMSCurse (I’ve got no working link at the time of this writing). It basically crashes the SMS messaging on a phone and may require factory reset to restore it, depending on the phone.

I took this as an opportunity to create a current backup of my phone–how old is your latest backup? :)

Have a Happy and Safe New Year!

Intrepid iPhone developers bypass security for functionality

The Apple iPhone is vulnerable to a new bug related to the signing of iPhone applications.  Applications that are created with the official iPhone SDK need to be cryptographically signed by the author and Apple before they’re allowed into the App store or installed on an iPhone.  The digital signing is a security measure that serves two purposes; helping to identify the developer in case of any problems and making sure that an approved application hasn’t been modified.

An iPhone developer discovered the bug while looking for a way to duplicate a feature of Apple-created iPhone applications: dynamic default.png files. The default.png file is displayed when an iPhone application is launched and can be used as a static splash screen. When you quit an Apple-created application, it takes a snapshot of the screen and saves it as default.png within itself. The next time you start the app it loads the new default.png, and everything looks like it was when it was last run. The application hasn’t fully loaded yet, but the saved default.png trick makes it look that way.

Unlike Apple’s apps, those created by other developers can’t modify their default.png files. Since the default.png is stored within the application as a part of itself, it gets digitally signed.  Modifying the image file and thus the app, makes the digital signature invalid.  An alternative would be to use a default.png in the application’s data directory, but only the file within the application is supported on the iPhone.

The method to replicate Apple’s default.png trick involves a defect in the codesign utility in the iPhone SDK. codesign is the utility developers use to digitally sign their applications. Normally codesign takes every file within an iPhone application into account when it creates the digital signature. The problem with codesign is that it doesn’t handle symbolic links (symlinks) properly.

Symlinks are like shortcuts to files; if you want to refer to one file in two locations or with two different names you can create a symlink in the new location.  The symlink isn’t a new file copy, just a pointer to the original file.  codesign doesn’t follow the pointer to the original file, so it doesn’t consider that file during signing.  The new approach is to create a symlink named default.png that points to a location or file outside of the application that can be easily modified.

This is a neat trick, but harmless.  If it were only the codesign utility that has this symlink problem, then the technique would not work for an installed application.  The real trouble arises when symlinks are used to obscure other program files or components during signing.  The digital signature process was intended to ensure that no unapproved or unsafe modifications could occur.  An attacker could arrange for malicious components to be installed using a self-update feature.  Since the digital signature ignores symlinks, the malicious application could contain pointers to the yet to be downloaded parts.  Since the bad portions of the program don’t exist during the approval process, malicious applications can sneak through.  This effectively bypasses the iPhone OS’s protection against the running of malicious code.
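To make the symlink gap concrete, here is an added example (not Apple’s codesign and not from the original post) with two toy bundle manifest builders: naive_manifest() records a symlink only by the path text it points to, so later edits to the target go unnoticed, while strict_manifest() hashes the content each path resolves to and refuses any link that resolves outside the bundle. The demo builds a throwaway bundle whose default.png is a symlink to a file outside it.

```python
"""Symlink handling in a bundle manifest: the flawed and the strict way."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def naive_manifest(bundle: Path) -> Dict[str, str]:
    """Hash regular files; for a symlink hash only the link text (the flaw).

    os.walk does not follow links, so a file symlink shows up in `files`.
    """
    manifest = {}
    for root, _dirs, files in os.walk(bundle):
        for name in files:
            p = Path(root) / name
            rel = str(p.relative_to(bundle))
            if p.is_symlink():
                link_text = os.readlink(p).encode()
                manifest[rel] = hashlib.sha256(link_text).hexdigest()
            else:
                manifest[rel] = _sha256(p)
    return manifest


def strict_manifest(bundle: Path) -> Dict[str, str]:
    """Hash the bytes every path resolves to; reject links leaving the bundle."""
    manifest = {}
    bundle_real = bundle.resolve()
    for root, _dirs, files in os.walk(bundle):
        for name in files:
            p = Path(root) / name
            rel = str(p.relative_to(bundle))
            target = p.resolve()
            if bundle_real not in target.parents:
                raise ValueError(f"{rel} resolves outside the bundle: {target}")
            manifest[rel] = _sha256(target)
    return manifest


def demo() -> Dict[str, bool]:
    """Constructed bundle: default.png -> ../Documents/snapshot.png (outside)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmpdir = Path(tmp)
        bundle = tmpdir / "MyApp.app"
        bundle.mkdir()
        (bundle / "MyApp").write_bytes(b"constructed binary")
        outside = tmpdir / "Documents"
        outside.mkdir()
        splash = outside / "snapshot.png"
        splash.write_bytes(b"\x89PNG v1")
        os.symlink(splash, bundle / "default.png")

        before = naive_manifest(bundle)          # "signing" time
        splash.write_bytes(b"\x89PNG v2")        # target changes afterwards
        after = naive_manifest(bundle)           # verification time

        try:
            strict_manifest(bundle)
            strict_rejects = False
        except ValueError:
            strict_rejects = True
        return {"naive_unchanged": before == after, "strict_rejects": strict_rejects}


if __name__ == "__main__":
    print(demo())
```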

Fortunately, since the application is signed, tracking down the author of such malware should be considerably easier.  Given that the vulnerability lies within a utility in the iPhone SDK and within the iPhone OS’s verification system, it should be fixed shortly in a future update.

J2ME Security Vulnerabilities Discovered

An independent security research firm has announced several new mobile Java (J2ME) security vulnerabilities. Two of the vulnerabilities affect the Java virtual machine (JVM) on mobile phones, and the other 14 are specific to Nokia Series 40 phones. Series 40 mobiles are not Symbian smartphones and run only J2ME MIDlets.

The reported vulnerabilities and exploits in the JVM could allow untrusted Java MIDlets to run. Once those are used, relatively recent phones running S40 3rd Edition are open to malicious MIDlets that exploit the other 14.

According to the researchers the vulnerabilities allow:

  • gaining additional privileges for a malicious MIDlet, even manufacturer or mobile carrier level
  • running a malicious MIDlet when the phone is first turned on
  • accessing files
  • sending SMS/MMS
  • making phone calls
  • reading your contacts
  • accessing the SIM card
  • eavesdropping using the camera and microphone

Java phones used to be affected by malware such as J2ME/Redbrowser or J2ME/Wesber, which caused only premium-rate charges. This is the first time that such phones have been vulnerable to more malicious malware.

The security research company has produced a report of more than 170 pages on the vulnerabilities and a number of proof-of-concept (PoC) exploits. Usually when researchers develop PoC code or malicious samples, they provide them directly to the security research community. In this case, the researchers are asking for €20,000 (about $30,000) for early access to the research and malware. After the release of vulnerability information, attackers will generally attempt to write exploits.

Mobile phone malware launders money through an online game

We have been in contact with one of Germany’s state criminal investigation authorities (LKA). This is a case in which a malicious program running on mobile phones was making unauthorised calls. All these calls were connecting to one and the same SMS number, which is used to top up the amount of virtual money in one of the online games. A scheme to top up in-game cash via SMS messages is frequently used by online game vendors.

This is a really interesting twist because in the past malware writers simply programmed malware (either on a desktop or on a mobile device) to call a premium phone number (one where the cost of a call is high). Of course, with this old method it is easier to trace the destination of funds because for each such call real money is transferred from a phone company to the owner of the premium number. So the principle “follow the money” to track the perpetrators usually works.

This new and indirect way of laundering money through an online game makes it significantly more difficult to track the destination - several in-game assets’ transfers can be made before the money is taken out of the game through real-money trading (RMT - it is a bannable offence in most online games but some games allow that - for example, Second Life).

Our advice is not to use programs for mobile phones that come from untrusted sources (such as game forums, Internet newsgroups, e-mails, P2P networks, blogs, etc.).

Avertlabs would kindly ask all mobile phone users to be vigilant and submit suspicious programs for our analysis - the easiest way is to use our online Webimmune service www.webimmune.net.

iPhone Applications and Security

The iPhone has generated a lot of curiosity in the hacker community. Last year when Apple released its iPhone, hundreds of hackers tried to break the iPhone software in multiple ways. Some of them succeeded in customizing the iPhone in the way they wanted. They changed their mobile service provider and deployed their own applications. Some hackers were able to break the iPhone by exploiting vulnerabilities in applications such as Safari.

Now Apple has released its official SDK to developers. By opening up the iPhone OS and publishing the SDK Apple looks forward to thousands of Mac developers developing iPhone applications. At the same time, Apple announced a lot of new features for enterprise customers.

It appears that Apple is carefully stepping forward to analyze and manage the security implications of opening up its platform for development. In the Leopard OS release Apple added security features such as sandboxing, code signing, etc. The same features are also used as the foundation for iPhone.

Let’s look at some of the security aspects of the iPhone’s application execution environment: Apple issues a certificate to the developer, who signs the iPhone application using this certificate. The iPhone OS then checks the authenticity and integrity of the application before installing and executing it. Each application runs in a sandboxed environment–with very limited access to the file system and other resources. The AppStore application on iPhone manages all third-party application deployments on the iPhone.

One application can interact with other applications using URLs. http://, https://, and feed:// are handled by Safari; mailto:// is handled by the Mail client; and itms:// is handled by iTunes. Third-party applications can declare their own URL schemes (such as myapp://) to handle messages from other apps.

Each application is sandboxed to contain failures if it is compromised. However, an application’s access to many other resources, such as the network, phone, camera, address book, mail, and URLs, is not controlled. Hackers may now focus on vulnerabilities in applications and also on the mechanisms provided to access iPhone resources.

Enterprise features such as Exchange Server support, and security features such as Cisco IPSec VPN, WPA2/802.1, etc. may encourage wider deployment of the iPhone in enterprises; and thus open up more possibilities for attackers.

Within four days of Apple’s announcement, more than 100,000 SDK downloads indicate the enthusiasm of developers. Sun has announced Java support for the iPhone, and that may attract even more developers.

For now the SDK is still in beta, which gives Apple some time to fix security issues that hackers are going to discover during the next few months. This seems to be a very good strategy. We look forward to Apple’s next steps and the impact they will make on the domain of mobile device security.

Crimeware goes Mobile

A week after McAfee Avert Labs found WinCE/InfoJack, we’ve run across more malware in China. This time the malware, running on Symbian Series 60 phones, attempts to extort money from users. SymbOS/Kiazha.A displays a message telling the user to send RMB 50 (approx. $7) to the malware author in order to regain use of the phone.

Figure 1
The warning message is displayed after a delay

The message roughly translated states:
“Warning: Your device has been affected, please prepare a recharge card of RMB 50 yuan and connect QQ [id removed] account, or your phone will be paralysed!!!”

QQ is a very popular Instant Messaging network in China and a target for many password stealing trojans and scams. QQ coins, an in-network currency, are also heavily used, traded and stolen outside the QQ network. We’ve covered how theft of QQ coins is prosecuted in the past.

SymbOS/Kiazha.A is just one part of SymbOS/MultiDropper.CR. MultiDroppers contain a number of different malware with separate functionality. SymbOS/MultiDropper.CR consists of SymbOS/Commwarrior.C, SymbOS/Beselo.B1, and SymbOS/SmsSend.F-G, all of which can cost the user money for SMS and MMS transmission.

On the surface SymbOS/MultiDropper.CR looks like a standard collection of previously seen malware. While examining the MultiDropper’s components individually, we noticed a few things:

  • SymbOS/SmsSend.F sends an SMS to request a new QQ account for the user
  • SymbOS/SmsSend.G forwards SMS received to the malware author
  • SymbOS/Kiazha.A deletes any sent or received SMS message

Separately these actions seemed in opposition to each other. If the new account SMS were received, it would be deleted by SymbOS/Kiazha.A rendering the initial action moot.

Further testing with the entire malware showed something more interesting. The interaction of these disparate malware produced a functional whole. SymbOS/MultiDropper.CR uses malicious payloads (Beselo, Commwarrior) to convince the user their phone is infected. It also sets up SMS forwarding (SmsSend.G) to collect information and potentially passwords. In case the victim doesn’t have a QQ account, the malware will order one for them (SmsSend.F). After all that, SymbOS/Kiazha.A deletes SMS messages to cover its tracks and displays the offer to fix the user’s phone for a small fee.

The interesting thing about MultiDroppers is that usually they’re compiled by malware authors who aren’t programmers and simply collect the work of others. With MultiDropper.CR it appears that the author, with a lot of effort and testing, put together various malware like pieces from a toolkit. Also of note, especially with mobile phone malware, is that the author may have put in all this work to make a profit rather than increase his notoriety.

Beware! your neighbor might be listening…

We came across an interesting presentation at the recent Black Hat conference that discusses a technique to decrypt cellular signals. The presentation describes a cheaper, faster method of cracking the encryption used between mobile devices (phones) and base stations (cell towers). The encryption in question is the A5/1 algorithm, which is used widely in GSM networks in the United States.

The encryption has already been shown to be vulnerable and can be cracked after a long pre-processing stage (around 2^40 steps or so) with huge amounts of storage. More details can be found here, here, and here. There are also known-plaintext attacks, found here, that can break A5/1 in minutes, but they require the attacker to take an active part in the attack.

What makes this attack interesting is that it is completely passive, and it overcomes the long pre-processing stage of the attacks discussed above by using custom-designed FPGAs instead of a PC. With this, the presenters were able to crack the encrypted data within 30 minutes, which makes “real-time” decryption a possibility. Furthermore, they are planning to sell a hardware-based product that can do this much faster. This could lead to easier espionage or other illegal activities if the technology lands in the wrong hands.

The presenters also showed various other weaknesses in the current implementation of cellular networks.

Besides the GSM cracking attack, there’s also another paper published on cellular network security, which can be found here. This paper simulates the scheduler (proportional fair) commonly used in several 3G networks and shows that malicious users with access to a few mobile devices can manipulate the scheduler into assigning an unfair share of time slots to the attacker. It shows that only a few attackers were able to take a majority of the time slots.

I think these works, although controversial, could provide the stimulus for a new and robust direction for security practices in cellular technology, since cellular networks are now used as widely as, or even more widely than, the Internet. The Internet is relatively well understood compared to the cellular network. More attention focused on the security of cellular networks might help both consumers and cellular service providers build a more secure network that we all already depend on.

Windows Mobile trojan sends unauthorized information and leaves device vulnerable

A Windows Mobile PocketPC trojan that disables Windows Mobile application installation security has been discovered in China.

WinCE/InfoJack sends the infected device’s serial number, operating system and other information to the author of the trojan. It also leaves the infected mobile device vulnerable by allowing silent installation of malware. The trojan modifies the infected device’s security setting to allow unsigned applications to be installed without a warning.

The trojan was packed inside a number of legitimate installation files and distributed widely. It has been distributed with Google Maps, applications for stock trading, and a collection of games.

Figure 1
The trojan is installed with a collection of legitimate games.

WinCE/InfoJack was created by a specific website. The website may have hired someone to create the trojan and distribute it to other sites. The maintainer of the website claims that the software was just necessary to collect information on the types of mobiles used to access their site. That would be easier to believe if they had notified the user prior to installation or if they had provided some sort of uninstallation method.

Figure 2
WinCE/InfoJack installs silently along with other applications.

WinCE/InfoJack has a number of features that show its malicious intent:

  • installing as an autorun program on the memory card
  • installing itself to the phone when an infected memory card is inserted
  • protecting itself from deletion by copying itself back to disk
  • replacing the browser’s home page
  • allowing unsigned applications to install without warning

Figure 3
WinCE/InfoJack installs as an autorun program on the memory card.

That last feature, allowing silent installation of an unsigned app, is used by WinCE/InfoJack to auto update itself. It also leaves the mobile open to other malware being installed silently. Fortunately the trojan’s website is no longer reachable, due in part to an investigation by local law enforcement.

iPhone DoS vulnerability

With the large number of web applications for the iPhone (Apple lists more than 600), the Mobile Safari browser plays a large role. Recently a denial-of-service (DoS) vulnerability was discovered in the iPhone’s web browser.

The researchers who found the vulnerability were looking for a method to unlock the filesystem on iPhones with the latest firmware (1.1.3). Unlocking the filesystem allows the installation of custom ringtones and third-party applications. With the previous firmware version you could automatically unlock your iPhone by visiting a particular website with the Mobile Safari browser.

The DoS exploit can be triggered by visiting the proof of concept page and clicking on one button.

Figure 1
Fig 1 - Clicking “Go!” launches the exploit

Once it’s clicked a warning will pop up and the exploit code will run.

Figure 2
Fig 2 - The proof-of-concept site displays a warning

The iPhone will then become unresponsive; touching the screen or pressing the Home button will have no effect. Under a minute later, the iPhone will reboot.

The DoS exploit is partially based on JavaScript code from the Month of Browser Bugs (MOBB). During the MOBB, which we’ve covered previously, a group of security researchers released an exploit for a web browser vulnerability every single day. While the original exploit was targeted at desktop browsers, the modified version simply attempts to fill memory and crash the phone.

Fortunately, because the researchers did not have enough time, or possibly any inclination, they have not produced a more troublesome exploit. The bug will only prevent you from using the iPhone temporarily and doesn’t steal your data or permanently damage the phone.

While the proof of concept site requires you to press “Go!” before it runs the exploit, a more malicious site could run the code without permission.

It’s possible to avoid the DoS vulnerability, at the cost of not being able to access certain web applications. JavaScript can be disabled by going to Home > Settings > Safari.

Figure 3
Fig 3 - Changing Mobile Safari settings

Apple also provides details on other settings (cookies, plug-ins, cache) that can be changed.

Pics from a friend? Maybe not

The SymbOS/Beselo worm is in the wild in Asia. It’s a malware very similar to SymbOS/Commwarrior. The worm travels by both Bluetooth and MMS.

It sends itself out in an MMS to every contact in your phone book, plus a number of randomly generated mobile phone numbers. The MMS messages use no subject line and a handful of short texts in their body.

Where this malware gets interesting is in how it reuses an old technique to disguise itself so that it will be installed by an unsuspecting user. SymbOS/Beselo pretends to be a harmless media file under the names “beauty.jpg”, “love.rm” or “sex.mp3”.

On Windows, changing an extension will prevent an executable from running. Renaming bad_program.exe to bad_program.bmp will make the file open in MS Paint and not run the program. On Symbian, files are recognized by their file type. Renaming a SIS installation file to beauty.jpg will not open the file in the picture viewer but instead begin the installation process. In the case of SymbOS/Beselo, a user will receive an MMS from someone they know and the attachment could be beauty.jpg. The message says “photo” and it comes from a friend, so the user is likely to open it to see the photo. When the request to install pops up, it’s very likely the user will click OK and be infected.

SymbOS/Beselo relies on users’ possible unfamiliarity with how applications are installed on Symbian phones. Viewing media files (jpg, rm, mp3, etc.) on Symbian does not usually require installing additional software and definitely doesn’t require one to install from an MMS message.
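Since Symbian acts on an attachment’s content rather than its name, a defender scanning MMS attachments should do the same. The following added example (not from the original post) sniffs the leading bytes and flags a SIS installer travelling under a media name; the magic values it assumes are the legacy Symbian SIS UID3 0x10000419 at byte offset 8, the Symbian OS 9 SISX UID 0x10201A7A, the JPEG, RealMedia and ID3/MPEG-frame signatures, and all sample bytes are constructed.

```python
"""Classify an attachment by its content rather than the name it was sent under."""
import struct
from typing import Optional

SIS_LEGACY_UID3 = 0x10000419   # assumed: UID3 of pre-Symbian OS 9 SIS files
SISX_UID1 = 0x10201A7A         # assumed: UID1 of Symbian OS 9 SISX files

# Extensions the worm uses for its disguise, mapped to the content they imply.
MEDIA_EXTENSIONS = {"jpg": "jpg", "jpeg": "jpg", "rm": "rm", "mp3": "mp3"}


def sniff(data: bytes) -> Optional[str]:
    """Return 'sis', 'jpg', 'rm', 'mp3' or None based on the leading bytes."""
    if len(data) >= 12:
        uid1, _uid2, uid3 = struct.unpack_from("<III", data, 0)
        if uid3 == SIS_LEGACY_UID3 or uid1 == SISX_UID1:
            return "sis"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpg"
    if data.startswith(b".RMF"):
        return "rm"
    if data.startswith(b"ID3"):
        return "mp3"
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"  # MPEG audio frame sync (11 set bits)
    return None


def classify(filename: str, data: bytes) -> str:
    """Verdict: 'ok', 'installer-as-media', 'mismatch' or 'unknown'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    if kind is None:
        return "unknown"
    claimed = MEDIA_EXTENSIONS.get(ext)
    if kind == "sis" and claimed is not None:
        return "installer-as-media"   # a SIS package wearing a media name
    if claimed is not None and kind != claimed:
        return "mismatch"
    if ext == "sis" and kind != "sis":
        return "mismatch"
    return "ok"


# Constructed samples: a legacy SIS header (UID1/UID2 are arbitrary here),
# a SISX header, a JPEG/JFIF start and an ID3-tagged MP3 start.
FAKE_BEAUTY_JPG = struct.pack("<III", 0x10000000, 0x1000006D, SIS_LEGACY_UID3) + b"\x00" * 4
FAKE_LOVE_RM = struct.pack("<III", SISX_UID1, 0x00000000, 0x20001234) + b"\x00" * 4
REAL_PHOTO = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
REAL_SONG = b"ID3\x03\x00\x00\x00\x00\x00\x00"

if __name__ == "__main__":
    for name, blob in [("beauty.jpg", FAKE_BEAUTY_JPG), ("love.rm", FAKE_LOVE_RM),
                       ("photo.jpg", REAL_PHOTO), ("sex.mp3", REAL_SONG)]:
        print(f"{name}: {classify(name, blob)}")
```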

Stay on Main Street for iPhone apps

Unlocking your iPhone so that you can install third party applications can be fun. Using the Installer.app application on the iPhone and its default repository you can install utilities, games, and other applications. By adding additional repositories to the Installer, it is possible to gain access to a much greater quantity of software.

Occasionally, if you’re not careful you can end up installing malicious software from a bad repository. This happened to a number of iPhone owners a few days ago.

An application calling itself “iPhone firmware 1.1.3 prep” claims to be a tool to prepare your iPhone for the upcoming iPhone update. It actually installs another separate legitimate utility. The damage occurs if you already had the utility installed and you want to remove the false firmware update “prep” tool. Uninstalling the fake tool just uninstalls the real utilities.

Information from the STE Packaging repository site and its owner details how the “prep” tool functions and how it was distributed. Users who added the jmwiki.com repository site to Installer.app were offered the “prep” tool and two other similar packages. It was determined that the malicious repository and applications were created by an 11-year-old. The child’s parents were informed and the repository was taken down.

Phone modification (changing the OS, reflashing, unlocking, etc.) can sometimes be dangerous. While corrupting a firmware upgrade for a mobile device might be possible, it is not surprising that someone has created much simpler malicious installation files. On the Symbian platform we have seen quite a few malware, such as SymbOS/Skulls and SymbOS/Appdisabler, that disable or overwrite legitimate applications upon installation.

Users can avoid such problems by:

  • Acquiring software only from trusted sources
  • Installing only official firmware updates

On the path to cross platform exploits

Occasionally we find PC malware that can have an effect on mobile phones, or vice versa. The W32/Mobler worm installs SymbOS/MultiDropper.CC on any Windows system it infects. The Symbian malware has no effect on the PC. Similarly, SymbOS/MultiDropper.CC installs W32/Mobler to the memory card. The mobile version is arguably more effective, as inserting a memory card with Mobler into a PC with AutoRun configured is enough to cause an infection.

The malware author was trying to save some effort in the creation of new malware by reusing older malware. This is not the usual case with malware as creators, driven by the need to avoid detection, produce their own code or use newer malware toolkits.

Multi platform exploits
The situation with vulnerability exploits is more complex. While exploits are usually tied very closely to hardware and operating systems, they are also occasionally distributed as source code, allowing study and modification. An example of this is the libTIFF exploit used by hackers to install homebrew games on the Sony PlayStation Portable (PSP). The PSP libTIFF exploit was subsequently ported to the iPhone and allowed the installation of third-party applications. Security researchers later added the libTIFF exploit to a penetration testing framework.

Portable malware knowledge
Penetration testing frameworks help to tie exploits to payloads (e.g., code that gains control of a vulnerable system). The frameworks allow the reuse of previous vulnerability research. This helps reduce the work needed by a penetration tester or attacker to fully utilize an exploit: they can write multiple payloads for a single vulnerability exploit.

In a series of blog postings, a security researcher detailed the process he used to port the libTIFF exploit and develop multiple payloads for the iPhone. It helped a bit that the iPhone and Macs both run versions of OS X. Although they run on different types of CPUs (x86 for Mac, ARM for iPhone), he was able to leverage his Mac payload knowledge to produce iPhone payloads in a few weeks’ time.

Mobile exploits
This week we saw the release of a number of exploits for a buffer overflow vulnerability in various PC multimedia players. The vulnerability was limited to a specific MP4 video file codec. The exploits, which we detect as Exploit-MP4, were implemented as specially crafted MP4 video files.

There was a possibility that the malformed video files could cause issues on mobile phones. During testing we found that one of the exploits caused certain phones to hang when played. When we investigated further, we discovered that a buffer overflow similar to the PC one existed on the phones. While the exploit currently causes only a denial of service, it is possible that an attacker could develop a more malicious payload for the affected phones. The example of the penetration testing framework shows that it is relatively straightforward for dedicated attackers to use previously gained knowledge to produce mobile exploits in short periods of time.

Fun With Symbian Platform Security

In the past few weeks, a number of Symbian technical blogs have announced a hack of Symbian Platform Security on the latest Symbian phones. By modifying a file in an OS software update, you can install unsigned applications and gain access to the Nokia Series 60 (S60) phone’s file system. On older S60 phones it was easier to accidentally install malware such as Cabir or Commwarrior. The newest phones refuse to install old installation files and restrict file system access for new programs, unless they’re digitally signed.

Installing unsigned apps is not a big risk by itself, as unsigned programs will not install. After using this hack, you can sign an application yourself and also give it additional permissions–such as reading user data or monitoring email. Signing an app yourself limits it to being installed and running only on your phone, so this isn’t an effective way to spread malicious programs.

Others have suggested more harmful uses for this hack. Phone thieves may use the technique to read your e-mail or steal unencrypted passwords. The risk from this attack is also slim, as the hack may brick various phone models.

Sony Ericsson UIQ phones are also open to a variation of the hack. Instead of the more uncertain do-it-yourself method on the S60 phones, for around $30 you can purchase online a flash update from a phone-unlocking vendor. However, every time a new official UIQ update is released, you’ll need to purchase another unlocking flash.

Though playing with phone hacks can be fun, there is the possibility of ending up with a bricked phone. Here are a few more things to look out for:

Shopping for spyware

People will sell you almost anything for your mobile on eBay: headsets, cases, replacement power adapters. Recently, while looking for a data cable for a phone, I ran across mobile “spying” software for sale.

We’ve run across relatively expensive commercial mobile spyware before. This was being offered at a tenth of the price with a lot of similar features. The software claims to allow:

  • call monitoring
  • reading text messages
  • copying phonebook entries
Figure 1: Capabilities claimed by the software

Other claims of compatibility with and control of a wide range of phones may just be hype on the part of the seller. Some of the sellers suggest that buyers install the software on phones and offer them as gifts or for sale to the unsuspecting. It’s interesting that dozens of sellers were offering nearly identical software. This is usually an indication that the item being auctioned comes from a common source. Buyers should be wary of such auctions.

eBay will take down auctions with objectionable or malicious content if requested. Some auctions may not actually break the rules or just come very close to the line.

Sellers will sometimes repackage publicly available information or open source software and set up an auction with terms like “Brand New” or “latest Pro version” in order to convince buyers that they’re getting a good value. There are also sellers offering CDs full of J2ME games. The prices for those collections imply that the included games are either freely available or pirated.

The cost of the software might be attractive, but none of the sellers offer any support. If it won’t run on your phone, there are no refunds. Even when the software is delivered on CD, no replacements are offered if it’s damaged in the mail. Occasionally pirated software is also sold in this manner. A number of the spying software auctions are actually selling links to download the software.

There’s a bug on my Windows (Mobile phone)!

A vulnerability in Microsoft ActiveSync 4.x has been found that allows an attacker to discover the device password of a Windows Mobile smartphone. Normally you can lock your Windows Mobile phone by setting a password. Even if someone uses ActiveSync to connect to your phone they still need to enter the password before they get access to your email and private data.

The vulnerability is in the method ActiveSync uses to encrypt the password it sends to the phone. The attacker can sniff the USB cable network connection and capture the password. Due to the way the password is encrypted the decryption key is effectively included multiple times, one copy of the key for every character. Once the attacker has the decryption key, they’ve also got your password.

Fortunately, while this is an interesting vulnerability it’s not likely to be heavily exploited. There are a few obstacles in the attacker’s way.

First, the attacker needs to have physical access (a USB connection) to your Windows Mobile phone. They can only sniff the network from the ActiveSync host PC.

Secondly, the vulnerability only applies to the password that is sent to the phone. If the attacker can’t get the user to enter the correct password, they won’t be able to steal it. The Windows Mobile phone does not send the password to the ActiveSync PC.

At McAfee Avert Labs we have been looking into other possible attacks on Windows Mobile smartphones, especially those performed with malware. We’ve recently published some of our research in a white paper titled “Mobile Malware: Threats and Prevention”.

Among the topics it covers:

  • Text Messaging (SMS interception)
  • Audio and Video (Remote eavesdropping)
  • File format attacks (Malicious .DOC,.XLS files)

We’ve also included a number of ways to prevent these attacks.

iPhone SDK to include security in its design

Today Apple announced the planned release of an SDK in February to allow the development of native third-party applications on the iPhone. This seems like a logical step after various hacks that allow installation of unauthorized third-party applications, but reading the announcement closely, there is something groundbreaking:

“It will take until February to release an SDK because we’re trying to do two diametrically opposed things at once—provide an advanced and open platform to developers while at the same time protect iPhone users from viruses, malware, privacy attacks, etc.”

In the initial design phase of the SDK, security is specifically mentioned as a major aspect of its development! This is certainly a great step in the right direction, and if everyone would look at security aspects and not just features during development, the electronic world might be a much safer place than it is now.

Also, by openly acknowledging that malware for mobile phones is an issue and will become a bigger one with more sophisticated mobile phones, Jobs takes the right step in making the public aware of a problem and taking steps against it, unlike many others who’d rather play it down.

I applaud this move and will heavily recommend it as an example for others to follow.

Mobile reunion: Hackers and Banks

Recently the website of the Bank of India was attacked and used to distribute malware. If there’s one site you’re likely to trust, it’s your bank’s site. Phishing (and smishing) takes advantage of this trust to separate you from your login information and/or your money.

Online banking is already under attack by crooks, and they are also likely turning their eyes toward mobile banking. McAfee Avert Labs has been following mobile payment and mobile banking security for quite a while. We’ve also seen how mobile Internet sites (WAP) and the newly created .mobi domain can be used for malware distribution.

Apart from dedicated mobile banking sites, banks are using Transaction Authorization Codes sent by text message (SMS) to add an extra layer of security to online banking. Transaction Authorization Codes are used by a number of banks in Asia.

Transaction Authorization Codes: How they work

Transaction Authorization Codes (TACs) are single- or multiple-use passwords. TACs are only required for certain transactions such as money transfers or setting up automatic bill payments. The codes are usually valid for two hours after they’re issued. To make things easier for customers, it’s common for banks to allow multiple transactions to be made with the same TAC.

Figure 1
1. Mr. Blue wishes to setup automatic bill payment for his utility bill. He requests a TAC from his bank, Green Bank.

2. Green Bank sends the TAC to Mr. Blue’s cellphone via SMS.

3. Mr. Blue can now setup payments for his utility bill.

What can go wrong

Figure 2
1. Mr. Blue is tricked into following a link to a malicious site with his mobile browser. The malicious site convinces Mr. Blue to install mobile spyware such as SymbOS/Mobispy.A. The site, belonging to Mr. Red, also fools Mr. Blue into entering his bank account information.

2. Later on Mr. Blue visits Green Bank’s site and requests a TAC. Green Bank sends the TAC by SMS. Mr. Red receives a copy of the TAC.

3. Mr. Blue performs a transaction requiring a TAC. Mr. Red uses the same TAC to transfer money from Mr. Blue’s account to his own.

Banks have been active in the creation of user-friendly mobile banking sites. Many services are promoted as accessible both on smart phones and ordinary cell phones. As computer criminals expand their reach towards mobile banking, McAfee recommends:

  • Individuals should never allow their phone out of their control and always use a PIN code with their phone.
  • Banks are advised to discuss the above scenarios and current level of device and service protection with carriers.
  • Mobile carriers should consider protection for all devices that can access mobile internet services.
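The two scenarios above come down to one policy question: what does the bank check when a TAC is presented? The following is an added toy model, not code from any bank and not part of the original post. "Green Bank", the two-hour validity window and the multi-use policy are taken from the post; binding a TAC to the destination account at request time is an assumed hardening that the post does not describe, included because single-use alone does not help if Mr. Red presents the code before Mr. Blue does.

```python
"""Toy model of SMS Transaction Authorization Codes (TACs): why a multi-use TAC
can be replayed by anyone who also receives the SMS, and which checks stop it.

Added illustration; not code from any bank or from the original post. The
bank name, the two-hour window and the multi-use policy come from the post;
binding a TAC to the destination account is an assumed hardening."""

import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TAC_VALIDITY_SECONDS = 2 * 60 * 60  # "usually valid for two hours" (from the post)


@dataclass
class IssuedTac:
    code: str
    issued_at: float
    destination: Optional[str]   # payee the TAC was requested for, when bound
    used: bool = False


class GreenBank:
    """Constructed toy bank with switchable TAC policies."""

    def __init__(self, multi_use: bool, bind_to_destination: bool = False):
        self.multi_use = multi_use
        self.bind_to_destination = bind_to_destination
        self.clock = 0.0                        # simulated seconds
        self.tacs: Dict[str, IssuedTac] = {}

    def request_tac(self, customer: str, destination: Optional[str] = None) -> str:
        """Step 2 of the post: issue a TAC and 'send' it by SMS. Spyware on the
        handset (SymbOS/Mobispy.A in the post) would see the same string."""
        code = f"{secrets.randbelow(10**6):06d}"
        bound = destination if self.bind_to_destination else None
        self.tacs[customer] = IssuedTac(code, self.clock, bound)
        return code

    def authorize(self, customer: str, code: str, destination: str) -> bool:
        """Validate a TAC presented together with a transaction."""
        tac = self.tacs.get(customer)
        if tac is None:
            return False
        if self.clock - tac.issued_at > TAC_VALIDITY_SECONDS:
            return False                                     # expired
        if not hmac.compare_digest(tac.code, code):
            return False                                     # wrong code
        if tac.used and not self.multi_use:
            return False                                     # single-use policy
        if tac.destination is not None and tac.destination != destination:
            return False                                     # bound to another payee
        tac.used = True
        return True


def replay_scenario(multi_use: bool, bind: bool = False,
                    red_first: bool = False) -> Tuple[bool, bool]:
    """The post's 'what can go wrong': Mr. Blue requests a TAC for his utility
    bill; Mr. Red, holding a copy and Blue's login details, submits a transfer
    to himself. Returns (blue_ok, red_ok)."""
    bank = GreenBank(multi_use=multi_use, bind_to_destination=bind)
    code = bank.request_tac("mr_blue", destination="utility-company")
    blue = lambda: bank.authorize("mr_blue", code, "utility-company")
    red = lambda: bank.authorize("mr_blue", code, "mr_red-account")
    if red_first:
        red_ok, blue_ok = red(), blue()
    else:
        blue_ok, red_ok = blue(), red()
    return blue_ok, red_ok


def expiry_scenario() -> bool:
    """A TAC presented after the two-hour window is refused even under multi-use."""
    bank = GreenBank(multi_use=True)
    code = bank.request_tac("mr_blue")
    bank.clock += TAC_VALIDITY_SECONDS + 1
    return bank.authorize("mr_blue", code, "utility-company")


if __name__ == "__main__":
    print("multi-use, Blue then Red:      ", replay_scenario(True))                      # (True, True)
    print("single-use, Blue then Red:     ", replay_scenario(False))                     # (True, False)
    print("single-use, Red races first:   ", replay_scenario(False, red_first=True))     # (False, True)
    print("single-use + bound, Red first: ", replay_scenario(False, bind=True, red_first=True))  # (True, False)
    print("expired TAC accepted?          ", expiry_scenario())                          # False
```

The multi-use policy is the one that lets step 3 of the post succeed: the same code authorizes both transactions. Single use closes that, but only if the legitimate customer presents the code first; binding the code to the payee named when it was requested is what makes a copied SMS useless on its own.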

Signs of Smoke for .mobi

The author of a number of SymbOS/Appdisabler and SymbOS/MultiDropper variants has created a Wireless Application Protocol (WAP) site for the distribution of malware.

WAP sites are Web sites designed to be viewed by mobile phone Web browsers. The new .mobi Web domain was created to improve the mobile user experience and to give a boost to mobile Internet browsing (such as WAP sites).

Figure 1: Malware author’s mobile Web site

The site currently offers two malware files for download. Fortunately the malware is not likely to spread, as the files are contained in password-protected ZIP files and the malware author has not provided the password. By comparing the files with previously seen malware, we were able to determine that these files are SymbOS/Romsilly.B and SymbOS/Cardblock.A.

Figure 2: The mobile site offers malware for download

The use of Web sites to distribute mobile phone malware is not new. e10d0r, the author of the SymbOS/Commwarrior family, used Web sites as a distribution point for his creations.

Malware has also used Web sites to distribute itself to mobile phones. The VBS/Eliles family is notable for attempting to have phone users download Symbian malware from a Web site.

This WAP site eases the transfer of malware, as users no longer need a PC for downloading.

Figure 3: Malware downloaded directly to phone

As seen in Europe and Asia, high-speed mobile data networks will further drive the creation of mobile Internet sites. This is the first mobile malware site designed to be accessed on mobiles. With the increase in mobile sites, we’re sure to see .mobi get its share of malicious sites.

Phone Modders Beware!

For mobile phone fanatics, Woron Scan is a tool used to extract certain cellular information from the SIM card. We recently discovered a new Trojan (Spy-Wokiscan) that repackages the Woron Scan utility but also installs additional Trojans that are used to steal the victim’s cellular account information along with more data from the local computer. This Trojan is quite interesting because it takes a legitimate utility and repackages it with Trojans. Once the Trojan installs itself, it starts the Woron Scan utility, then takes the Woron Scan results and sends them to a remote Russian site.

Putting aside the fact that it is illegal in just about every country to use a cloned SIM, there are also dangers in using the software for creating these cloned SIM cards. Phone modders need to be aware of the source of the program they are using. Running this Trojan-repackaged Woron Scan will cause the SIM card’s private information to be sent to a remote hacker. Once a cloned SIM is created, that person can use the cloned mobile phone to make calls as they please–while leaving their victims to prove those calls didn’t belong to them. In these days of cybercrime and terrorism, modders should really consider the risks involved in modding their phones.

Just a note for those who decide to use a cloned SIM card: Most cellular providers have the ability to track and log certain anomalies caused by the cloned SIM. That means the chances are pretty good that the cloned SIM will be blocked or the user of the cloned SIM will be getting a call from the local authorities.

For further information regarding the Spy-Wokiscan, please visit our VIL description located at http://vil.nai.com/vil/content/v_142989.htm.

Research Reveals Collision of Cell Networks With Internet

In light of Apple’s iPhone release, mobile malware hacking seems to have picked up again. While the most prominent research topics are client exploits (iPhone hacking, mobile malware, etc.) and messaging (SMS phishing, spamming, etc.), there are some other interesting mobile research topics that are worth a look.

One of the trends we have seen in the past year is that cellular mobile networks are incorporating themselves with the Internet. The iPhone, for example, encourages application developers to write browser-based applications using the Internet. Service providers are also rapidly deploying 3G networks throughout the world for faster Internet mobile services. As we know, when combining two different networks with different threat models, the end result might not be secure.

Several works in the academic area have pointed this out, and some have successfully exploited the cellular network via the Internet to cause a denial of service. Penn State’s paper used SMS, which can be sent freely on the Internet, to cause DoS on the cellular network. They exploit the fact that cellular networks, when sending SMS, use the same narrow-bandwidth control channel as phone calls. By flooding a service area with SMS messages, they can effectively block incoming and outgoing phone calls. UC Davis’ paper, on the other hand, used MMS to cause DoS on the host. They discovered that an outside server can obtain information from MMS messages from mobile devices, and attackers can use this information to send rogue packets to the phone, causing the battery life to decrease significantly. Furthermore, Sprint’s and Penn State’s papers further discuss the vulnerabilities in the cellular network that make these attacks possible.

In addition, initial research from the cellular network against Internet traffic has emerged. A paper from Sprint outlines how a phone can manipulate the cellular network’s base station scheduler such that it will provide an unfair advantage to the attacker. In EV-DO networks, the base station is responsible for allocating time slots for competing mobile devices to transmit. The scheduler used in EV-DO is “proportional fair,” which calculates a score for each mobile device per time slot based mainly on their signal strength. Because the base station relies on each phone’s reported signal strength to assign time slots for each mobile phone to transmit, the mobile devices can manipulate their signal strength in such a way that could “starve” other users of timeslots.
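To make the scheduling point concrete, here is an added, deliberately simplified proportional-fair scheduler. It is not code from the Sprint paper, from the post, or from any base station; the rates, slot count and smoothing constant are constructed values, and crediting the winning phone with its true link rate is a modeling simplification. What it shows is the mechanism the post describes: the ranking uses a rate that only the phone reports, so one phone inflating that number takes most of the slots and the others are starved.

```python
"""Toy proportional-fair (PF) scheduler illustrating the EV-DO point above:
each slot the base station ranks phones by
(rate the phone says it can receive) / (throughput it has recently received)
and takes the reported rate on trust.

Added, simplified model; not code from the Sprint paper, the post or any base
station. Rates, slot count and smoothing constant are constructed."""

from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Phone:
    name: str
    true_rate: float             # what the link can really deliver per slot (constructed units)
    reported_rate: float         # what the phone tells the base station it can receive
    avg_throughput: float = 1.0  # moving average of delivered data; starts non-zero
    served: float = 0.0          # total data delivered so far


def pf_schedule(phones: List[Phone], slots: int, alpha: float = 0.1) -> Dict[str, float]:
    """Run `slots` rounds of PF scheduling and return delivered data per phone.

    Each slot the phone with the highest reported_rate / avg_throughput wins.
    The winner is credited with its true rate (simplification: the air interface
    cannot deliver more than the channel supports), and every phone's moving
    average is updated, so losers' averages decay and their scores rise until
    they eventually win a slot."""
    for _ in range(slots):
        winner = max(phones, key=lambda p: p.reported_rate / p.avg_throughput)
        for p in phones:
            delivered = p.true_rate if p is winner else 0.0
            p.served += delivered
            p.avg_throughput = (1 - alpha) * p.avg_throughput + alpha * delivered
    return {p.name: p.served for p in phones}


def throughput_share(inflation: float, slots: int = 1000) -> Dict[str, float]:
    """Three phones on identical links. Phone C multiplies its reported rate by
    `inflation` (1.0 = honest). Returns each phone's share of delivered data."""
    phones = [
        Phone("A", true_rate=600.0, reported_rate=600.0),
        Phone("B", true_rate=600.0, reported_rate=600.0),
        Phone("C", true_rate=600.0, reported_rate=600.0 * inflation),
    ]
    served = pf_schedule(phones, slots)
    total = sum(served.values())
    return {name: data / total for name, data in served.items()}


if __name__ == "__main__":
    print("all honest:    ", {k: round(v, 2) for k, v in throughput_share(1.0).items()})
    print("C reports 10x: ", {k: round(v, 2) for k, v in throughput_share(10.0).items()})
```

With honest reports the three phones rotate and each gets about a third of the data; with C reporting ten times its real rate, C's share climbs to roughly ten times that of either honest phone. The root cause sits in the `key=` expression: nothing in the scheduler cross-checks `reported_rate` against what was actually delivered, which is the trust relationship the post is pointing at.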

These works, though research oriented, are very interesting. They take a new approach to looking at the cellular network–in a way that wasn’t obvious before Internet integration.

The Mobile Malware Kitchen Is Open for Business

Mobile phone functions have expanded greatly over the years. Phones nowadays can be organizers, email clients, web browsers or music players. The popularity of such devices means that the phone is slowly replacing some of the functions of a computer. One particular feature that I would like to talk about is the ability to completely customize your phone by loading a whole new operating system. In fact, each Windows Mobile phone comes with a license for the Windows Mobile operating system.

Let’s look into how phones (hardware) are married to the operating system. A phone vendor will distribute an operating system for a particular phone model. Once you download the new operating system (usually in a ROM format), you simply flash the ROM file to your phone. The process is fairly straightforward for most people, and the end result is that the phone has a fresh new operating system.

Putting aside the legal issues of licensing these operating systems for a moment, there is a trend for phone enthusiasts to install an unofficial ROM, or a “cooked” ROM. These ROMs are usually full operating systems that have been heavily customized for performance or functionality gains. Similar to Web 2.0, the content of these ROMs is no longer driven by the provider but by individual enthusiasts. What’s the concern? Well, as we have seen with the MySpace worms, a ROM author may add an application to the standard ROM which will be automatically installed. ROM authors usually post their ROMs online for sharing with other users, who may not be as technically savvy and simply let the application install without checking whether it is safe. Now imagine if that program were a backdoor Trojan that attempts to steal personal information from the phone and then sends it to a remote server. Worse yet, the Trojan also has a worm component that spreads itself via SMS, MMS and Bluetooth. Now the malware is spreading itself even further, to the victim’s contact list or to other nearby phones.

So can this happen? Well, yes it can. Take for instance the wildly popular Apple iPhone’s root password, which was cracked within 3 days. Right after that, many of those iPhone users ventured to use their new-found freedom, but they forgot to do one thing: close the backdoor on their phone by changing the password on it. Avert Labs has recently blogged about this in the Apple iPhone blog by Marius Van Oers (http://www.avertlabs.com/research/blog/index.php/2007/07/24/apple-iphone/). But the question to ask is: why is mobile malware not as prevalent as Windows malware? The simple answer is that most mobile phones are not used for monetary transactions (yet). Once you introduce a money factor into these phones as a mainstream function, you can bet that someone will write malicious code to capitalize on their unknowing victims.

Zero-day attacks on the iPhone via outdated applications

On July 31st Apple released the iPhone patch 1.0.1. The next day, Charles Miller released details of a vulnerability that was fixed in the patch release. The vulnerability was in an open source application on the iPhone, the PCRE (Perl Regular Expression Library) parser used by the JavaScript engine in Safari. Even though Miller found the exploit via fuzzing, he made a really interesting point which can lead to attackers finding easy 0-day exploits for the iPhone: the iPhone is running outdated open source applications. In this case, it was PCRE 6.2, with the latest version being 7.2. Simply by looking at the changelog, you can see that the PCRE 6.7 entry documents the vulnerability that was used:

18. A valid (though odd) pattern that looked like a POSIX character class but used an invalid character after [ (for example [[,abc,]]) caused pcre_compile() to give the error “Failed: internal error: code overflow” or in some cases to crash with a glibc free() error. This could even happen if the pattern terminated after [[ but there just happened to be a sequence of letters, a binary zero, and a closing ] in the memory that followed.

As more layers of the iPhone and the Mac OS X underneath it are uncovered, expect more 0-day exploits using the simple technique of open source version diffing. Also, hopefully, Apple will learn from this experience and keep the open source components up to date.
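The version-diffing technique cuts both ways: the same changelog comparison that points an attacker at an old bug can be run by the vendor against its own firmware inventory before shipping. The following is an added example of that check, not code from Apple, from the PCRE project or from the post. The PCRE figures (6.2 shipped, fix documented in the 6.7 changelog, 7.2 current) come from the post; the inventory itself and the second component are constructed.

```python
"""Flag bundled open-source components whose version predates the release in
which a known bug was fixed: the defensive use of "open source version diffing".

Added example; not code from Apple, PCRE or the post. The inventory and the
second component are constructed; the PCRE figures come from the post."""

import re
from typing import List, NamedTuple, Tuple


class Component(NamedTuple):
    name: str
    version: str


class KnownFix(NamedTuple):
    component: str
    fixed_in: str   # first release carrying the fix
    note: str       # where the fix is documented


def parse_version(text: str) -> Tuple[int, ...]:
    """'7.2' -> (7, 2); '6.7.1' -> (6, 7, 1). Only the leading dotted numeric
    part is used; suffixes such as 'rc1' are ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_outdated(installed: str, fixed_in: str) -> bool:
    """True when `installed` predates `fixed_in`. Shorter tuples are padded with
    zeros so that 6.2 compares equal to 6.2.0 rather than less than it."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit(components: List[Component],
          fixes: List[KnownFix]) -> List[Tuple[str, str, str, str]]:
    """Return (component, installed, fixed_in, note) for every bundled component
    that is older than a release carrying a documented fix."""
    installed = {c.name: c for c in components}
    findings = []
    for fix in fixes:
        comp = installed.get(fix.component)
        if comp is not None and is_outdated(comp.version, fix.fixed_in):
            findings.append((comp.name, comp.version, fix.fixed_in, fix.note))
    return findings


# Constructed inventory of a firmware image. Only the PCRE line reflects the post.
FIRMWARE_COMPONENTS = [
    Component("pcre", "6.2"),
    Component("examplelib", "1.4.0"),   # constructed, already up to date
]

KNOWN_FIXES = [
    KnownFix("pcre", "6.7",
             "ChangeLog item 18: pcre_compile() crash on a malformed POSIX class"),
    KnownFix("examplelib", "1.3.2", "constructed entry for illustration"),
]


if __name__ == "__main__":
    for name, have, need, note in audit(FIRMWARE_COMPONENTS, KNOWN_FIXES):
        print(f"{name} {have} predates {need}: {note}")
```

Run against the constructed inventory, only the PCRE line is reported: 6.2 is older than the 6.7 release whose changelog describes the crash, while the second component is already past its fix. In a real build the component list would come from the image's package manifest and the fix list from the upstream changelogs.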

A Virus in Your Calculator?

We received a sample of a virus written for the programmable calculator TI-89, produced by Texas Instruments. This calculator runs on the Motorola 68000 processor and has computing power comparable to the first IBM PCs. It also offers cable connectivity to a PC and to other calculators to exchange programs.

Essentially, this calculator is a small computer that runs programs. One can get a wide variety of games for it–from classic Tetris and Pacman to full-blown chess! There is little security built in so programs have full access to all other programs–just like in the time of DOS for IBM PCs.

Reliable detection of this proof-of-concept virus (we call it TIOS/Tigraa) is easy, even though it attempts to hide by obfuscating the call to the virus body within the infected file. The problem is that there is no AV software yet for calculators, so protection can only be built on a PC. This would not block propagation between calculators should a similar virus ever get into the field. Fortunately, the chances of this happening are rather slim.

This incident would not normally be worth mentioning but it prompts me to emphasize one important point. More and more mobile devices (pocket organizers, smartphones, Internet tablets, calculators, etc.) receive enough computing power and not enough security features to create breeding grounds for malicious code. We urge developers for all mobile devices to make the necessary investment into securing the environment they create. Prevention is always better than a cure!

Don’t Touch My Wii!

Here’s an interesting development. Hackers have been working on exploiting the Nintendo Wii. For a popular tech item it is safe to assume this would happen–but it looks like one has achieved a modicum of success.

First, don’t worry–your Wii is not in grave danger, so you can relax and read on . . . .

A few months ago, a vulnerability in the Opera browser was disclosed (and promptly patched by Opera). Check here for their knowledge-base article. Well, it turns out that Opera is the Internet browser for the Wii (aka “Internet Channel”)–and, it turns out that the original (“trial”) version posted to the store is pre-patch.

So folks that have downloaded the original Internet Channel for the Wii have this vulnerability. You can see a demonstration of it here:

Go to a web page that has the specially crafted JPEG image in it and Opera will crash. That means it’s theoretically possible to run malcode–and according to the hacker conversations they are trying hard to do exactly that.

Hackers are going to be out of luck, though: the patched version of Opera (9.10) was released to the store on 12 April. So time is rapidly running out on pulling off an exploit for this one.

The Internet Channel on the Wii has to be updated manually. So Wii users, if you downloaded the Internet Channel, you need to update it.

Still, this serves as a good reminder that any system, closed or otherwise, is vulnerable to malcode.

But the story goes on: Opera is quite popular on mobile handsets, so we tried it out on several handsets with potentially vulnerable versions of Opera installed. In our brief testing, we had two cases where the image successfully crashed the browser (one Symbian8/s60 and one Symbian9/UIQ).

So there is the potential for concern–especially since someone was kind enough to post the directions for generating the specially crafted images. Now anyone can crash the unpatched browser. Remember, a crash is an opportunity to compromise a system–hard to do, but it does happen.

Now, if only Accounting will approve the lab’s requisition for a Wii for ongoing research purposes. We should probably get a PS3 also, just in case . . . . ;-)

Ding! Your phone is now your wallet.

Recently we at McAfee Avert Labs have been looking into mobile payment security.

Currently many people who work overseas can use various money transfer services. Usually they need to go into a local office and fill out a form. The fees involved tend to be high and can be as much as a quarter of the money sent. There is an alternative, though: let them send the money via their mobile phone. No forms, no office, and much lower fees.

The Philippines has a large number of citizens who send money home, and it also has an existing mobile money transfer service. Users can send amounts to other people using their phones. The recipients get a confirmation number via SMS. Getting the cash does require going down to a center and presenting the confirmation number.

How it works

1. Blue sends money to his mother Green. Mother Green receives a confirmation SMS.

2. Mother Green presents the SMS to her local money transfer center and receives the money.

This is a pretty good system, where not much can go wrong. The transfer network is secure enough, with the only real risk at the endpoints. Recipients of the money transfers are potentially open to attack. The SMS money transfer services ensure that money is delivered safely to the recipient by having them sign up for an account. When a recipient doesn’t yet have an account, they also get an account number in the SMS. They need the account number to sign up for an account in order to retrieve the money.

What can go wrong

1. Mother Green is expecting money from her son. Bad Mr. Red has received a copy of the confirmation SMS from Mobispy.

2. Mr. Red steals Mother Green’s money.

Anybody with the account number SMS could sign up for the account and get the money. An attacker could steal your mobile and sign up for the account and pick up your money. Alternatively, they could install snoopware like Mobispy, Acallno, or Mopifeli. Then they can just wait for the transfer SMS to arrive and take their copy to the center before you.

One can avoid such an attack in a number of ways:

  • Try to never let your phone out of your hand and always use a PIN code when switching on your phone.
  • Avoid installing unknown or untrusted software (for all types of phones), which are sometimes used to install snoopware.
  • Ask your Mobile Operator/Carrier what they are doing for you to protect your mobile communication.

A new era for Mobile phone Virus writers?

So far, we are used to seeing news about some virus for mobile phones that sends SMS messages, steals the contacts database, etc.

Yesterday Apple officially released their (cool) iPhone, and just recently I read about Nokia’s (also cool) N800 model. Why am I talking about these? Well, this time we are not talking about SymbianOS, GEOS or the Palm OS, but Mac OS X (on the iPhone) and Linux (on the N800). All models have full networking connections and Wi-Fi. What I want to say is that we may find the two years 2007/2008 to be a new era of malware for mobile phones, complete with fully functional malware, because of the same PC-based behavior and functionality.

So, stay tuned!

So, how does one write mobile spyware?

Some helpful soul has decided there isn’t enough Symbian spyware in the world. A Russian malware author has released a prototype of SMS forwarding spyware, SymbOS/Htool-SMSSender.A.intd. He’s included the source code to aid in modification.

The author, let’s call him Scripty, says that SymbOS/Htool-SMSSender.A.intd can:

  • Hide from the user
  • Load on startup
  • Copy the text of the last SMS you received
  • Send that text in a new SMS to the author

SymbOS/Htool-SMSSender.A.intd performs the first three steps well, but it fails to do the last. Looking at the source code, it appears Scripty didn’t write the SMS sending code. Scripty, though apparently unskilled, believes the source code will be useful to other malware authors for constructing their own SMS spyware.

Only last week we saw signs of malware authors integrating commercial spyware into their creations. This week we’ve run across the first evidence that malware writers are actively working on developing their own spyware.

Want spies with that?

We’ve received a sample of a new mobile malware in the MultiDropper family, variant CG. MultiDroppers are like a collection of top 10 hit songs, a ‘hits CD’. They also require about as much creativity. Take a successful hit like SymbOS/Cabir or SymbOS/Commwarrior, mix in a SymbOS/Appdisabler or SymbOS/Skulls.

The trouble with hits CDs is that you probably already own all the albums containing the hits. Maybe you get a bonus song now and then. In the same manner we already detect most of the malware in most mobile MultiDroppers. Every so often we do get the bonus unseen or rare single (malware).

MultiDropper.CG is the first in the series to include spyware, SymbOS/Mobispy.A.

SymbOS/Mobispy.A is based on an early version of commercial call and SMS recording software. SymbOS/Mobispy.A installs on a phone and records incoming and outgoing SMS messages. It also tracks the phone numbers of all dialed and received calls. The purchaser of the software gets an account on a central server. SymbOS/Mobispy.A sends all the data it’s captured to that account.

Considering that data-stealing and other for-profit malware have made their entrance on mobile phones, it is worrisome to see spyware make its debut. Around eight months ago a commercial remote phone monitoring application was released. There was much speculation on how much time it would take for malware authors to integrate it into their own malware. We have seen malware authors create custom prototype code to implement new attacks but it is interesting to see them purchase commercial spyware to do their job for them.

It would appear that the SymbOS/MultiDropper.CG author has made a wise choice in using commercial products, avoiding the hassle and expense of creating a new hit single by using an existing one. There are two things though that complicate the picture:

  • The software is licensed for only one phone ID (IMEI). As soon as the monitoring account on the central server receives logs from an unregistered IMEI, it’s expected to be shut down.
  • It is unlikely that the author of SymbOS/MultiDropper.CG is the original purchaser of this copy of the software. Only the original purchaser would have access to the results of SymbOS/Mobispy.A’s spying.

Although SymbOS/MultiDropper.CG does not appear likely to be a winner, it does signify a probable switch in malware authors’ goals. Rather than destroying your data and information, they’re stealing it for profit.

McAfee Avert Labs 2007 Threat Predictions PodCast

Today, Avert Labs announced the availability of its podcast on the “Top Ten Security Trends in 2007”.

As part of this podcast, McAfee will identify those threats it believes businesses and consumers will face in 2007 as computer criminals become more organized and professional in their approach.

Download the podcast

McAfee and SMiShing on Fox

Recently one of our researchers, David Rayhawk, gave an interview to Fox News on mobile malware and smishing.

Interview

Fox News 35 has the video on their site. There is also a mirror on Google video. The interview covered topics such as data destroying malware and the advent of smishing and for-profit malware. We have covered these topics in earlier posts.

While the current threats are not very widespread, the samples we’re seeing indicate that the capability for greater trouble is approaching.

Texting Trojans

This week we received a sample of a variant of W32/Backdoor-DJC.

W32/Backdoor-DJC is a standard targeted backdoor trojan. It steals information from your computer and sends it back to the attacker. Instead of using email to send back the stolen data, this variant uses SMS.

Using SMS to transfer stolen information shows that malware authors are branching out in their communication methods, but it is not really innovation. System administrators have been able to monitor their machines via SMS for quite a while. This is more an example of malware authors turning legitimate methods and tools to their purposes.

Previously we've seen similar information stealing trojans on mobile phones. SymbOS/Pbsender swipes your phone and contact info and sends it out via Bluetooth.

Bluetooth is not as effective as email or SMS for sending information. Consider some of the difficulties involved:

  • receiving anything requires user interaction; you can't let it sit in your inbox
  • you need to be within range; if you're not there, you don't get the message

On the other hand with SMS:

  • your messages end up in the inbox
  • range is not an issue, you can even be in a different country
  • your phone does not even have to be on

Once a tool or communication method has been proven effective legitimately it is common for us to see them integrated into malware. So it's no surprise that SMS has now reached this stage.

“Small SMiSh, Big Pond”

Just last month we received our first live example of SMiShing. This month we've received evidence that the author of VBS/Eliles.A has taken umbrage at the AV industry's naming conventions. Specifically rule #1: We never name malware after the author's suggested or intended name. This is to discourage people from writing new malware in order to gain notoriety.

The Eliles author, let's call him Eli, is not taking this sitting down. One of our contacts in Asia sent us a sample of Eli's latest attempt at fame, VBS/Eliles.B. Eli left some parts of his worm intact.

Like his first try, VBS/Eliles.B also:

  • Hides drives, disables Registry editing and generally makes removing it a pain
  • Tries to disable your antivirus software
  • Sends itself via email to any address it can find
  • Attempts a SMiShing attack against customers of two mobile phone companies based in Spain

VBS/Eliles.B additionally:

  • Runs a script that types Eli's complaints on our naming and the occasional insult in the current window
  • Tries to disable your firewall software

VBS/Eliles.B really brings nothing new to the table. Aside from the SMiShing routines, Eli hasn't created anything new. All the other routines appear to have been created with various ready-made malware toolkits.

Considering that only the text and the download link have been changed in the SMiShing message, it is also doubtful that Eli had a hand in creating that routine. Eli is very likely a script kiddie, a relatively unskilled malware author. More of a mugger than a criminal mastermind.

VBS/Eliles.A & B are not large threats. The disturbing part is that while the SMiShing routines are targeted locally to a specific country in Europe, VBS/Eliles.B has made it to another country in Asia.

VBS scripts are distributed as plain text. Within 2 minutes, using a text editor, a malware author can cut and paste a few strings to generate a new SMiShing attack. Fortunately, Eli is not following the for-profit trend of his more skilled colleagues. Unfortunately, it looks like SMiShing source code is now available to more malware writers.

Today's minor threat can become a component of tomorrow's devastating attack.

Phone-y Money

For-profit malware has been increasing on the PC side for quite a few years now. Viruses that hold your files hostage, trojans that steal banking information and adware that floods your computer with popup ads. Malware writers have shifted their goals from gaining notoriety or personal satisfaction from the spread of their creations to the goal of filling their wallets.

Recently though, McAfee Avert Labs has begun to see a similar trend in mobile malware. Most of the mobile malware that we’ve run across has been relatively harmless trojan horses. A few files have been replaced, or the phone fails to start when rebooted. A hard reset to clear the phone memory and you’re back to normal, minus your stored phone numbers and calendar information. You might have lost any time spent adding new software or saved documents, but at least none of your private information has been stolen. J2ME/Redbrowser changed the entire situation.

Redbrowser tells the user that it’s a mobile web browser that works over SMS. Instead of browsing to the address that the user wants, Redbrowser actually sends SMS messages to a Premium Rate number. On certain phones, the Java runtime will prevent Redbrowser from sending SMS messages without your permission. Redbrowser’s creator has gone to some length to social engineer you into saying yes when it asks to send the SMSes.

Stealing money in real life ranges from corporate embezzling to the common mugging. Where Redbrowser falls somewhere in between the two, J2ME/Wesber is closer to a mugging.

Like Redbrowser, Wesber also sends out SMS messages to a premium-rate number. It just doesn’t do it with as much style. Wesber has no user interface, so if the Java runtime doesn’t give a warning you would have no idea that you’ve just been charged roughly $15.

Wesber is found in a file named “pomoshnik.jar”. Pomoshnik is Russian and translates to “assistant”. It certainly assists its author in getting your money.

With the recent SMiShing incidents, the rise in for-profit mobile malware is definitely troubling.

Nightmares of Data Retention on Cell Phones

McAfee Avert Labs has been getting a lot of questions about the dangers of data-retention on cell phones. There’s an article covering the concept here.

Here’s our take on the situation: modern cell phones (“smartphones”) are miniature, portable computers, and they will bring along all the same problems with them as the technology matures: viruses, spam, phishing (or smishing), and people stealing data from lost, stolen, recycled, or resold devices.

“But I deleted those messages?!?! How can someone get it back?!?”
I think this is best explained by an analogy: think of your device (phone, computer, etc) data as being a textbook: Table of Contents in the front, informational pages towards the back. You write a document and you add pages to the book. The computer, when asked for a document, will look in the table of contents to figure out what page to read.

Makes sense so far, but when you remove a file, the computer doesn’t erase the pages in the back; it removes the entry from the table of contents, so that it no longer knows or cares where the information is. “Why?!?” you may ask . . . well, in a nutshell, computers are lazy (i.e., efficient) and this is the fastest way to “remove” the file from the system. Heck, those pages may be overwritten some day . . . .

But, this introduces a problem: someone could manually search for the pages (skim the book, if you will) and then find and reconstruct the documents (until the page is recycled at least).

This is the problem that many people who have sold their cell phones are finding: those who have purchased them have retrieved (or are at least able to retrieve) their deleted files, files that contain personal messages, email, address books, and worse.

If you are going to dispose of your phone, please contact the manufacturer or your carrier and ask them how to do a “low level” or “zero level” wipe. This is analogous to going through the book with an eraser and scrubbing out each and every letter so that the pages are blank. This makes it quite difficult for the data to ever be retrieved.

This is, of course, exactly what you should do with your computer’s hard drive if you dispose of it.
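To make the textbook analogy concrete, here is a small simulation added to this post (not code from the original, and not how any particular phone's filesystem is implemented): a "table of contents" plus fixed-size pages, an ordinary delete that only drops the TOC entry, a carving routine that reads the unreferenced pages back, and a zero-level wipe that overwrites them. All names and the sample message are constructed.

```python
"""Simulated 'textbook' storage: a table of contents plus fixed-size pages.

Constructed illustration of the deletion/recovery behaviour described
above; the page and storage sizes are tiny so the effect is easy to see.
"""
from __future__ import annotations

PAGE_SIZE = 16   # bytes per "page" (constructed, deliberately small)
PAGE_COUNT = 8   # pages in the whole "book"


class TextbookStorage:
    def __init__(self) -> None:
        self.pages = [bytearray(PAGE_SIZE) for _ in range(PAGE_COUNT)]
        # table of contents: file name -> (file size, pages holding its data)
        self.toc: dict[str, tuple[int, list[int]]] = {}
        # pages the TOC does not reference; their old content is NOT erased
        self.free = list(range(PAGE_COUNT))

    def write(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + PAGE_SIZE] for i in range(0, len(data), PAGE_SIZE)]
        if len(chunks) > len(self.free):
            raise OSError("storage full")
        used = []
        for chunk in chunks:
            idx = self.free.pop(0)          # recycle the oldest free page first
            self.pages[idx][:] = chunk.ljust(PAGE_SIZE, b"\x00")
            used.append(idx)
        self.toc[name] = (len(data), used)

    def read(self, name: str) -> bytes:
        size, used = self.toc[name]
        return b"".join(bytes(self.pages[i]) for i in used)[:size]

    def delete(self, name: str) -> None:
        # Ordinary delete: only the TOC entry goes; the pages keep their bytes
        _size, used = self.toc.pop(name)
        self.free.extend(used)

    def wipe_free_space(self) -> None:
        # Zero-level wipe: overwrite every page the TOC no longer references
        for idx in self.free:
            self.pages[idx][:] = bytes(PAGE_SIZE)


def carve(storage: TextbookStorage) -> list[bytes]:
    """Skim the book: return the content of every non-blank page that no
    TOC entry points to. This is what a buyer of a resold phone can do."""
    referenced = {i for _size, used in storage.toc.values() for i in used}
    return [bytes(p).rstrip(b"\x00") for i, p in enumerate(storage.pages)
            if i not in referenced and any(p)]


def demo() -> tuple[bool, bool]:
    """Return (message recoverable after delete, recoverable after wipe)."""
    s = TextbookStorage()
    s.write("sms_0001.txt", b"SMS: meet at 5")   # constructed sample message
    s.write("notes.txt", b"shopping list")
    s.delete("sms_0001.txt")
    after_delete = any(b"SMS:" in frag for frag in carve(s))
    s.wipe_free_space()
    after_wipe = any(b"SMS:" in frag for frag in carve(s))
    return after_delete, after_wipe
```

Running `demo()` returns `(True, False)`: the "deleted" message is still readable by scanning raw pages until it is either recycled by a later write or explicitly wiped.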

I can’t say it enough: your smartphone is a computer; you need to treat it as such and exercise the same level of caution you would give to your traditional PC.

School of Smish

Only a little while ago we were discussing the possibility of someone taking the techniques of phishing by email and porting them to SMS. SMiShing instead of phishing.

While the name is catchy, don’t be misled, it’s actually based on a real event. A number of SMS messages were sent out to users in Iceland and Australia telling them they would be charged $2 a day for membership on a dating website. Victims attempting to “unsubscribe” from the site and daily charge get their computers infected with a backdoor trojan. The South Australia Office of Consumer and Business Affairs (OCBA) even put out a warning to consumers about the scam.

Considering that this Smishing event occurred a few months ago with nothing since, one might reasonably relax. We at McAfee Avert Labs would agree with you except that we’ve just received a sample of a mass-mailing worm that performs a Smishing attack. VBS/Eliles.A.

This is a standard VBS worm that skips the loading of a backdoor trojan and simply opens a backdoor on the victim's system. Most of the code is in Spanish, with a few comments in German. That incongruence, along with variations in coding style of the various internal functions, implies that this worm is composed from disparate sources. Very script kiddie.

The interesting part is that it includes a routine to send Smishing messages to users of two Mobile Phone providers in Spain. Rather than calculating random IP addresses to send messages, this worm generates phone numbers within the ranges used by mobile phones. Eliles.A sends its smish message free of charge through the mobile phone providers’ SMS-email gateways.

Unlike the previous smishing episode, Eliles.A does not use the error in billing ploy. Instead this worm tries to be helpful by offering the victim free “antivirus” software for their phone, supposedly from their mobile phone provider. The smishing message specifically targets Nokia Series 60 phones. Users that download and install the software from the link in the SMS find themselves infected with malware. Fortunately, the download link is now dead.

We were startled to see a smishing attack turn up in a simple mass mailing worm. A malware writer who spends time researching a new attack will usually write custom code for it rather than reuse someone else’s code. Over time the attack gets packaged into standard routines and eventually included in the script kiddie’s toolbox. The transition from brand new to script kiddie use can take months. This is the malware equivalent of finding a machine gun in the stone age.

The genie is out of the bottle with regard to smishing. Now that the script kiddies are involved, we’re bound to see a rise in the numbers of smishing attempts in the coming months. So much for relaxation.

SMiShing - an emerging threat vector

Some cell phone users have started receiving SMS messages along these lines: “We’re confirming you’ve signed up for our dating service. You will be charged $2/day unless you cancel your order: www.smishinglink.com”. (This is an example and was not a real URL at the time of writing.)
This phenomenon, which we at McAfee Avert Labs are dubbing “SMiShing” (phishing via SMS), is yet another indicator that cell phones and mobile devices are becoming increasingly used by perpetrators of malware, viruses and scams.

While some might recognize this as a scam, many unsuspecting users would not. Fearful of incurring premium rates on their cell phone bill, they visit the Web site highlighted in the message. Once they arrive at the URL, they are prompted to download a program which is actually a Trojan horse that turns the computer into a zombie, allowing it to be controlled by hackers. The computer then becomes part of a bot network, which can then be used to launch denial of service attacks, install keylogging software, steal personal account information and carry out other malicious activities. Because monitoring botnet activity is complex, it is challenging to know the current scope of the problem.

Imagine the threat to enterprise networks once hackers learn how to fully exploit SMiShing techniques. Most large enterprises have thousands of employees, using a variety of devices to access their networks. Despite their best efforts to issue safety guidelines, IT security staff cannot control human behaviour, especially in light of the fact that mobile users have not (yet) learned to treat their phones with the same level of concern that they apply to their laptops. Mobile devices present a serious challenge to data security, with the potential to infect both carrier and enterprise networks.

Enterprises would be wise to keep a close eye on this issue and think about policies for securing their mobile devices ahead of time, rather than playing catch up when it hits them, and begin to educate their employees about the potential risk now.

“200,000!”

Rockets bursting in air, fireworks everywhere!  Thank you for helping mark the 200,000th entry into the VirusScan malware (malevolent software) detection database.

But truly, this is not a moment to celebrate.  For, larger and larger numbers of malware are a plague, not a cause to celebrate.  Instead, we mark this moment simply as a milestone in our continual trip to fend off the bad stuff from everyone's machines.

It is alarming that we reach this milestone so soon after September 2004 when the count reached 100,000.  Eighteen years to reach 100,000.  Less than two years to double.  Looking ahead, our researchers expect yet another doubling in a similar timeframe.  So, 100,000 new threats in the past two years, 200,000 new threats to come in the next two years!

[Figure: Malware Count and Rate of Growth]

The last two years have marked a tremendous increase in downloaders and bots, malware that has as its purpose to commandeer the target machine, to be used by the Command and Control machine.  Or rather, the person sitting behind that machine, who has as his motive, $$$$$$$.

In early 2004, a number of viruses like Netsky, Bagle, and Mydoom would infect multiple millions of machines with each release of a new variant.  Many millions of machines would be compromised in a short amount of time causing great financial strife and immediate reaction from IT personnel as well as law enforcement.  Soon, Sven Jaschan was arrested for the creation of the Netsky and Sasser families of viruses.  At about the same time, the author of Gaobot/Agobot and Phatbot was also arrested.  With these two events, we all hoped the arrests would stem the tide on malware.

Instead, malware distribution changed dramatically.  In the first half of 2004, 31 virus outbreaks were rated Medium and above.  The second half of 2004 saw 17 more.  That number fell to 12 for the whole of 2005.  And in 2006, there have been no outbreaks of similar severity!  Instead of huge virus events causing ire from all segments including law enforcement, the preferred method of malware distribution now involves the creation of many minor variants sent through controlled spam efforts.  Good family detection becomes crucial for a less worrisome experience on the Internet.

Another area of concern is the growth of malware targeting mobile telephony.  The numbers are still small, only near 300.  As a result, rates of growth are exaggerated.  However, it will grow.  The worry, as our past experience with other forms of malware would suggest, is that the growth will follow the same shape as the above graph, except that time will be compressed.  We are still in the era where malware targeting telephony is not yet purposefully stealing money.  And that is the concern.  When the phone becomes the standard means to transfer money, malware targeting telephony will truly explode, much as bots and other means to steal money over the Internet have consumed our energies these past two years.

And so, on this July 4th, our thanks to the men and women who serve, so we can all enjoy our liberties and pursue happiness.  And thanks also to the cadre of dedicated anti-malware researchers who on this day added that 200,000th malware detection entry, so we may pursue our enjoyment of the Internet experience with a little less worry.

Symbian ROM Image Leak; Phone Rootkits?

It looks like mobile malware authors may be moving into the kernel.  Software that operates in the kernel has access to the entire system.  Hidden, undocumented functions can provide untraceable access to the filesystem.  Rootkits are generally used to hide the presence of other malicious software or activity.

Recently, an independent security research group released a number of ROM images (colloquially "ROMs") from various Symbian phones. Their goal was to encourage vulnerability research on mobile phones.

The risk is not that these researchers have published the ROMs. Anyone who owns a Symbian phone can, with publicly available tools, extract their own ROM image. The real risk arises from the nearly 600 KB of analysis and research guidelines they have provided.

The current situation is that malware authors are limited to user space. All current mobile malware has been created either with the publicly available SDKs or cobbled together from other malware. Essentially, most of the trouble so far is caused by applications. Malicious applications, but still only applications not system software.

SMIL Exploit - Silently Install Malware on Your Mobile Phone

While the latest CommWarrior variants continue to entice mobile phone users into clicking "Yes" to grant it permission to install, Collin Mulliner published the first remote exploit for Windows Mobile phones using MMS as the attack vector, at the Defcon 14 conference in Las Vegas.

The vulnerabilities in question only require the Windows Mobile 2003 (Windows CE 4.2) user to open a malformed MMS message to cause a buffer overflow in the Synchronized Multimedia Integration Language (SMIL) parser. When successful, the exploit can execute code on the targeted mobile phone to silently install malware. The "success rate" of the exploit varies: according to Collin, the return address, which acts like a "key" to executing the malicious code, is random and can vary across mobile phone makes and models. This makes it a less likely worm candidate.