ANTI-MALWARE.info | The Reference in Independent Anti-Malware Advice and Information
Subscribe | Log in

Blog

Mobile Payments, DroidDream and a Reactive Policy Add up to Major Headaches

Malware writers are entrepreneurs who are always looking for the best return on investment. The Android operating system, combined with the Google Wallet Service, will offer a record-setting ROI if current policies continue. Let’s look at why.

According to Gartner and IDC, Android is the market leader in mobile operating systems, so it is logical that cyber criminals will target the platform. Android malware can easily be spread through apps, which makes it an attractive target. Not only did the beginning of 2011 see the emergence of this trend, but soon Android will take the lead as the most targeted mobile operating systems in terms of malware.

A lot of problems result from the fact that apps can be distributed via different online shops and channels. And nobody, except for security experts, is looking for malware inside the apps.

The first proof of the official Android Market being interesting for cybercriminals was reported in March 2011, called DroidDream, a family of malware which uses a pair of exploits to gain root access on vulnerable Android devices. A large number of Android applications was reported to be infected and all were pulled from the Android Market after it was reported to Google. All of the applications were versions of legitimate programs that were Trojan-ised and rebuilt by the malware authors, loaded with malicious code. DroidDream sends a collection of information like IMEI, IMSI, OS version, etc. to the attacker and then attempts to download additional software and payloads.

(more…)

AMTSO, CARO and EICAR – conferences and events – an overview

The beginning of May was dedicated to three traditionally important security industry events of the year. It started with an AMTSO Meeting, then the CARO Workshop followed and it ended with the EICAR Conference. I participated for G Data in all of them!

You can find the original posting of this article at the G Data Security blog.

G Data is one of the members of AMTSO (www.amtso.org), an organization currently comprised of around 40 members, representing testers, vendors, academics and publishers involved in anti-malware research. I was at the last AMTSO members’ meeting which was held in Prague. As always, a lot of work was done during the workshops: The document “AMTSO Guidelines on Facilitating Testability” was initiated at the suggestion of testers and developed jointly by testers and vendors. The new paper is the latest in a succession of guidelines and best practice documents already published. The AMTSO members also agreed to expand the range of documentation the organization produces to include more educational material. They also introduced changes to the voting procedure to ensure that documents cannot be approved by the members unless a majority of testers agree that the content is up to standard. This step mentioned last is designed to avoid any possibility of bias in favor of any group within the organization.

(more…)

The Rise of the Targattacks*: Cyber espionage and sabotage: the new way

*Abbr.: targeted attacks

During the last 18 months we saw a growing number of targeted attacks against numerous companies and organizations. Let’s briefly have a look at some of them:

  • The Aurora Attack: an attack that began in mid 2009 and continued until December 2009. The primary goal of this attack was to gain access to high tech, security and defense companies and potentially modify source code repositories. For example at Adobe, Juniper, Google, Yahoo, etc…
  • German Emissions Trading Authority (DEHSt): suffered from phishing attacks carried out in January 2010. Scamsters circulated their fraudulent emails masquerading as email from the DEHSt and persuaded the recipients to login to a counterfeit website, ironically to protect themselves against alleged hacker attacks. Using the stolen access data, the attackers transferred emissions permits, primarily to Denmark and Great Britain, and in so doing allegedly gained up to three million Euros illegally. It is readily apparent that targeted phishing attacks can be very lucrative.
  • Stuxnet: a Windows computer worm discovered in July 2010 that targets industrial SCADA  software and equipment with the aim of attacking an Iranian nuclear plant. The attack seems to have been successful as the enrichment of Uranium was heavily delayed.
  • G20 Files attack: was announced in March 2011 but had already been going on for several months. The G20 is made up of the finance ministers and central bank governors of 19 countries and discusses key issues of the global economy. Over 150 ministry computers of the G20 were attacked. The attacks aimed at files related to the G20 meetings.
  • RSA breach: RSA is a well known security company specialized in identity and access solutions. Hackers may have gained access to part of the code generation algorithm used in RSA SecurID tokens. At least some information was extracted but it’s still unsure if it will actually cause future problems.
  • EU Commission Summit attack: this was a targeted attack against some specific servers at the EU Commission in Brussels, found and stopped before the EU March 2011 Summit. As not much is known about it, we suppose that nothing important has been leaked.
  • Epsilon email breach: Epsilon is a well known online marketing company that is working with hundreds of large companies around the world and stores millions of email addresses in its databases. Hackers have stolen customer email addresses and names belonging to a “subset of its clients”. Some big companies such as Disney, Citibank, Verizon, etc … were involved.

 And this list is still not complete.

(more…)