Android Botnet Infects Over 1 Million Phones in China

A piece of mobile malware believed to be hidden in around 7,000 Android applications has infected the devices of over 1 million users from China. Experts say that this may be the largest Android botnet the country has ever seen.

According to Chinese publication Xinhua, the Trojan that powers the botnet is Android.Troj.mdk, a threat first discovered back in 2011.

Once it’s installed on a device, the Trojan allows its master to take complete control of it. The malicious element can be used to harvest messages, phone numbers, contact details, geo-location data and even media files.

Bitdefender experts note that the Trojan also downloads additional applications that slow down the phone’s performance, generate aggressive adware, and drain the device’s battery.

With over 420 million mobile users, China has become an important target for malware developers.

Trojan disables Mac's built-in security defences

Malware coders have created a Mac-specific Trojan that is designed to attack anti-malware defences built into Apple's Mac OS X operating system.

The Flashback.C trojan disables the automatic update component of XProtect, OS X's anti-malware application, net security firm F-Secure reports. By wiping out files, the malware prevents future updates, making it more likely that the devilish code will be able to stick around for longer.

The approach mimics a tactic long seen in the world of Windows malware, where attempts to disable security software have been commonplace for years as well as illustrating the growing sophistication of crooks targeting Macs with malware.

"Attempting to disable system defences is a very common tactic for malware — and built-in defences are naturally going to be the first target on any computing platform," F-Secure notes.

The Flashback.C Trojan poses as a Flash Player installer. In reality, the malware sets up a backdoor connection to a remote host. Although currently inactive, the remote host linked to the malware might be used to push any manner of crud onto infected machines.

Previous versions of the Flashback Trojan shunned virtual machines, a technique designed specifically to frustrate anti-virus analysis.

Malware pretends to be Microsoft Utility

Researchers from PandaLabs have spotted a Microsoft themed ransomware variant.

The ransomware claims that a user's Windows machine is running an unlicensed copy of Windows and threatens to cripple the victim's computer unless marks pay €100 to obtain an unlock code, which can be purchased via credit card via a scam website. The malware attempts to spook intended victims with entirely bogus claims that a criminal prosecution will be launched unless payment is received within 48 hours. In addition, the Trojan says that all data and applications on targeted systems will be "permanently lost".

The malware, which targets German-speaking users (as illustrated by this screenshot), is being distributed via spam and P2P downloads. Panda Software, the Spanish net security firm which detected the threat, warned that the Trojan is difficult to remove manually.

Click on the image to enlarge

"These types of Trojans are very dangerous because once they infect the computer it is extremely difficult to remove them manually, forcing users to pay the ransom or reformat their devices," said Luis Corrons, technical director of PandaLabs. "In addition, because Ransom.AN appears to come from Microsoft and threatens actions from authorities, many users believe what the Trojan says and make the payment out of fear."

Previous ransomware strains have encrypted files in a bid to force users into paying for getting infected. The tactics used by Ransom-AN Trojan are a more aggressive extension of the basic scam, using threats of prosecution and outwardly convincing screenshots supposedly from Microsoft to peddle the ruse.

The unlock key for the ransomware currently detected as Ransom.AN is QRT5T5FJQE53BGXT9HHJW53YT

Free Banking Trojan Detection Tool

A Finnish penetration testing company has released a free tool it says can detect all variants of five major families of malicious software that steal online banking credentials.

The tool, called Debank, was built by Finnish penetration testing company Fitsec, which has used the tool to scan its customers' machines, said company founder Toni Koivunen.

The tool works by scanning a computer's process memory, Koivunen said. Most malicious software these days is "packed," or compressed, before it is distributed. That can fool antivirus programs, since the malware can appear to be a different program each time it is repacked.

Koivunen said antivirus programs often use heuristics as an alternative way to detect malware aside from traditional signatures, but that method is not always as successful as a full memory sweep.

Debank looks at the program after it has been executed on a computer. Malware authors rarely change the core code of the program, which is what Debank analyzes.

Koivunen said Debank can detect nearly all variants of SpyEye, Zeus, CarBerp, Gozi and Patcher, five well-known banking malware programs. The malware has to be running for Debank to detect it and the tool only works on computers running Windows, he said.

Debank was able to detect more than 200 variants of Patcher after FitSec found a part of its code common to all variants. FitSec has also tested it against hundreds of variants of SpyEye, a particularly advanced piece of code that operates as part of a botnet. It can harvest credentials for online accounts and also initiate transactions even while a person is logged into their account.

Fitsec decided to just give the tool away and has made it available for download on their blog. "We had no reason to start charging for it," Koivunen said. "Basically, we hate malware."

Want to be your friend on Facebook? A Fake Facebook Request

Malicious spam messages generated by the infamous Cutwail botnet are targeting Facebook users as potential banking Trojan victims.

The messages arrive in the guise of a Facebook friend invite notification. The emails look genuine enough on casual inspection, thanks to the malware-spinners' apparent use of a genuine Facebook template. But where a genuine Facebook invite contains links to the real social networking site, the malicious emails feature custom links to malware sites. In addition, the emails differ from the genuine article because they do not feature Facebook profile photos. The recipient's email address is also absent from the fine print at the bottom of the bogus invites.

Users tricked into clicking on the malicious link are exposed to a double-barrelled malware based attack. Firstly they are offered a bogus Adobe Flash update. In addition, clicking on the link opens a hidden iFrame, which then loads data from a remote server hosting the Blackhole Exploit Kit. The exploit kit attempts to exploit browser security holes, most notably involving insecure Java installations.

Both techniques attempt to download a variant of the infamous ZeuS banking Trojan onto compromised systems. Impersonating email notifications from Facebook is a common enough technique among spammers and purveyors of survey scams, but I've never seen it applied to punt banking Trojans before.

A full write-up of the scam can be found in a blog post by M86 Security here.

Android Trojan records phone conversation

A new Android Trojan that can log calls, record whole conversations and even send them to the bad guys has been discovered by security firm CA.

Earlier Trojans have been capable of logging call details, but this is the first one seen that can actually make a complete recording of the conversation.

After the malware finds itself onto a Android handset, it asks for a whole bunch of permissions - which should raise a number of red flags.

Once the malware is given the required permissions by the user, it installs a configuration file that contains remote server access information.

Now it’s ready to start recording conversations, which are stored on the microSD card in .AMR files.

Best defense against this sort of malware is to pay attention to the permissions that the app is asking for. Ask yourself - does this app really need all these capabilities? If in doubt, say no!

Bot attacks Linux and Mac but can't lock down its booty

From the department of cosmic justice comes this gem, spotted by researchers from Symantec: a trojan that targets Windows, Mac, and Linux computers contains gaping security vulnerabilities that allow rival criminal gangs to commandeer the infected machines.

Known as Trojan.Jnanabot, or alternately as OSX/Koobface.A or trojan.osx.boonana.a, the bot made waves in October when researchers discovered its Java-based makeup allowed it to attack Mac and Linux machines, not just Windows PCs as is the case with most malware. Once installed, the trojan components are stored in an invisible folder and use strong encryption to keep communications private.

The bot can force its host to take instructions through internet relay chat, perform DDoS attacks, and post fraudulent messages to the victim's Facebook account, among other things.

Now, Symantec researchers have uncovered weaknesses in the bot's peer-to-peer functionality that allow rival criminals to remotely steal or plant files on the victim's hard drive. That means the unknown gang that took the trouble to spread the infection in the first place risks having their botnet stolen from under their noses.

“Even though it's encrypted and even though it was written in Java to make it cross-platform, it was still vulnerable to basically a directory transversal exploit,” Dean Turner, director of Symantec's Global Intelligence Network, said. “From a technical perspective, it goes to show that even if you have all those things where you're building in a secure platform, if you're not building application security into your malware, other bad guys will probably take advantage of it.”

Jnanabot's P2P feature is designed to make botnets harder to take down by providing multiple channels of communication. After sending an infected machine a single GET request, a website can discover all the information needed to upload any file to any location on the host's file system. Attackers can then install a simple backdoor on a user's machine by, for instance, writing a malicious program to a computer's startup directory.

Attackers can use the same vulnerability to steal files on infected machines.

Turner said the number of Jnanabot infections so far is “measured in the thousands,” rather than the hundreds of thousands for some of the better-known trojans. Still, infection statistics gathered by Symantec in December are surprising. They show that about 16 per cent of infections hit Macs. They didn't show any infections on Linux machines. Turner said that Jnanabot attacks on the open source platform weren't able to survive a reboot.

Source: Symantec

The bot was discovered spreading over Facebook posts that planted the following message on infected users' Facebook pages: “As you are on my friends list I thought I would let you know I have decided to end my life.” An included link leads recipients to a cross-platform JAR, or Java Archive file that can run on Windows, Mac, or Linux. Once the recipient is infected, his Facebook page carries the same dire warning.

It's not the first time that malware developers have built gaping vulnerabilities into their wares. In September, researcher Billy Rios disclosed a weakness in the Zeus crimeware kit that makes it easy to take over huge networks of infected PCs.

Symantec has more about the trojan here, here, and here.