Friday, December 31, 2010

Android Trojan - Geinimi Raising the Bar...

A new Android Trojan has been found in the wild, and it has botnet-like capabilities. Named Geinimi, it is the most sophisticated Android malware to date. Its impact is apparently limited, since the infected apps are available only on Chinese Android app markets. That's not to say it couldn't be packaged for other geographic regions, only that it hasn't been done as of yet.
 
The list of compromised applications includes Monkey Jump 2, President vs. Aliens, City Defense and Baseball Superstars 2010. The original versions in the official Android Market are not affected. It spreads by being grafted onto repackaged versions of legitimate applications, which are then distributed on Chinese Android application markets. The compromised applications request extensive permissions, and once installed on an Android phone, Geinimi can send personal data off the phone and accept commands from the remote control server.

When the application is launched, the Trojan lurks deep in the background, collecting user information: location coordinates and the phone's unique IMEI and SIM identifiers. At 5-minute intervals, Geinimi attempts to connect to a remote server to transmit the collected data. Geinimi currently communicates with 10 domain names, including widifu.com, udaore.com, frijd.com, islpast.com and piajesj.com.
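A fixed-interval check-in like the one described above is one of the few things a network defender can see from the outside. The following is an added example, not code from the original post or from any Geinimi analysis: it walks a constructed DNS/proxy log (format assumed to be "epoch client domain", one hit per line), flags any client/domain pair that is contacted at a steady interval, and separately flags contacts with the domains named in the post. Thresholds (four hits, 10% jitter) are assumptions chosen for the sample.

```python
"""Periodic-beacon detector over constructed DNS/proxy log lines.

Added example (not from the original post). Reports a client that
contacts the same domain at a fixed interval, which is the behaviour
the post describes for Geinimi (a connection attempt every 5 minutes),
and matches contacted domains against a watchlist.
Log format (constructed): "<epoch> <client_ip> <domain>".
"""
from collections import defaultdict
from statistics import mean, pstdev

# Domains named in the post as Geinimi control servers.
WATCHLIST = {"widifu.com", "udaore.com", "frijd.com", "islpast.com", "piajesj.com"}

# Constructed sample: one handset beacons to a watchlisted domain every 300 s,
# another host browses a harmless site at irregular intervals.
SAMPLE_LOG = """\
1293753600 10.0.0.21 widifu.com
1293753900 10.0.0.21 widifu.com
1293754200 10.0.0.21 widifu.com
1293754500 10.0.0.21 widifu.com
1293754800 10.0.0.21 widifu.com
1293753610 10.0.0.22 example.org
1293753790 10.0.0.22 example.org
1293754410 10.0.0.22 example.org
1293754450 10.0.0.22 example.org
1293755200 10.0.0.22 example.org
"""


def parse_log(text):
    """Yield (epoch, client, domain) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2].lower()
        except ValueError:
            continue


def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Return a list of (client, domain, interval_s, reason) findings.

    A (client, domain) pair is reported as "periodic" when it has at least
    min_hits contacts and the gaps between them vary by no more than
    max_jitter (relative standard deviation). A "watchlist" finding is
    reported for any contact with a listed domain, regardless of timing.
    """
    times = defaultdict(list)
    for epoch, client, domain in parse_log(text):
        times[(client, domain)].append(epoch)

    findings = []
    for (client, domain), stamps in sorted(times.items()):
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        interval = round(mean(gaps)) if gaps else None
        periodic = (
            len(stamps) >= min_hits
            and bool(interval)
            and pstdev(gaps) / mean(gaps) <= max_jitter
        )
        if periodic:
            findings.append((client, domain, interval, "periodic"))
        if domain in WATCHLIST:
            findings.append((client, domain, interval, "watchlist"))
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

On the sample, the handset at 10.0.0.21 is reported twice (once for its 300-second cadence, once for the watchlisted domain), while the irregular browsing from 10.0.0.22 is not reported. The timing check matters because the domain list will go stale; the cadence is the more durable indicator.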


Based on the analysis of the malware code, the Trojan also has the capability to download and prompt the user to install an app, prompt the user to uninstall an app, and to send a list of installed apps to the server.
Since Geinimi still requires the user to confirm adding or removing an app, users should be vigilant and pay attention to every install and uninstall. Users should also download applications only from reputable app markets, and check what permissions an app requests to ensure they match the app's features.

The malware authors have definitely "raised the bar": Geinimi obfuscates its activities by using an off-the-shelf bytecode obfuscator, which makes the code hard to decompile, and encrypts significant chunks of command-and-control data, substantially increasing the effort required to analyze it.


Wednesday, December 29, 2010

Stuxnet Trojan Wreaking Havoc in 2011?

The Stuxnet Trojan may have knocked out as many as 1,000 centrifuges at Iran's nuclear facility earlier this year. According to a Dec. 24 article in the Jerusalem Post, Stuxnet may have hit as many as 1,000 of the approximately 10,000 IR-1 centrifuges at Iran's Natanz uranium enrichment facility. This is based on a paper from the Washington-based Institute for Science and International Security, which analyzed the malware's code. The virus caused the engines in Iran's IR-1 centrifuges, which normally run at 1,007 cycles per second, to speed up to as fast as 1,064 cycles per second, causing vibrations that broke the motors. Stuxnet was meant to be subtle and work slowly, causing "small amounts of damage" that would not make the system operators suspect malware. If you recall, Stuxnet infected the machines via USB thumb drives, exploiting an AutoRun bug in the Windows operating system. Once on the machine, the malware checked for software that runs Supervisory Control and Data Acquisition (SCADA) systems, often used to monitor automated industrial processes. If the infected machine happened to have logic controllers from Siemens, Stuxnet logged in using the software's default password, which is the same for all Siemens controllers.
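The "small amounts of damage" point is worth making concrete: the speed change quoted above is a shift of under 6% from nominal, which is easy to miss by eye but trivial to catch with an independent check on the telemetry. The block below is an added example, not from the original post or from any Siemens or ISIS material: it takes a constructed series of (timestamp, frequency) readings, uses the nominal 1,007 Hz and peak 1,064 Hz figures from the post, and reports only excursions that stay outside a tolerance band for several consecutive samples, so a single noisy reading is not an alert. The 1% band and five-sample persistence are assumed thresholds.

```python
"""Sustained over-speed detector for rotor telemetry.

Added example (not from the original post). Reads (timestamp, hz) samples
and reports runs in which the measured frequency stays outside a tolerance
band around the nominal value for at least `min_samples` consecutive
readings. The nominal and peak figures are the ones quoted in the post;
the telemetry stream itself is constructed.
"""

NOMINAL_HZ = 1007.0    # normal IR-1 operating frequency quoted in the post
EXCURSION_HZ = 1064.0  # peak speed quoted in the post

# Constructed one-sample-per-second telemetry: steady running with slight
# sensor noise, a single out-of-band blip, then a ramp up to the excursion
# value, a hold there, and a return to nominal.
SAMPLE_TELEMETRY = (
    [(t, NOMINAL_HZ + (0.5 if t % 7 == 0 else 0.0)) for t in range(0, 20)]
    + [(20, 1030.0)]                                           # one-sample blip
    + [(t, NOMINAL_HZ) for t in range(21, 30)]
    + [(t, NOMINAL_HZ + (t - 30) * 6.0) for t in range(30, 40)]  # ramp 1007 -> 1061
    + [(t, EXCURSION_HZ) for t in range(40, 50)]               # hold at 1064
    + [(t, NOMINAL_HZ) for t in range(50, 60)]
)


def _summarise(run):
    """Collapse a run of out-of-band samples to (start_ts, end_ts, peak_hz)."""
    return (run[0][0], run[-1][0], max(hz for _, hz in run))


def find_excursions(samples, nominal=NOMINAL_HZ, tolerance=0.01, min_samples=5):
    """Return [(start_ts, end_ts, peak_hz)] for each sustained out-of-band run.

    tolerance is a fraction of nominal (0.01 means +/-1%). A run shorter than
    min_samples is treated as sensor noise and dropped.
    """
    lo, hi = nominal * (1 - tolerance), nominal * (1 + tolerance)
    runs, current = [], []
    for ts, hz in samples:
        if hz < lo or hz > hi:
            current.append((ts, hz))
            continue
        if len(current) >= min_samples:
            runs.append(_summarise(current))
        current = []
    if len(current) >= min_samples:   # stream ended while still out of band
        runs.append(_summarise(current))
    return runs


def deviation_pct(hz, nominal=NOMINAL_HZ):
    """Percentage deviation of a reading from nominal, rounded to 0.1%."""
    return round((hz - nominal) / nominal * 100, 1)


if __name__ == "__main__":
    print("excursion vs nominal: %+.1f%%" % deviation_pct(EXCURSION_HZ))
    for start, end, peak in find_excursions(SAMPLE_TELEMETRY):
        print("sustained excursion %d..%d s, peak %.1f Hz" % (start, end, peak))
```

On the sample, the lone 1,030 Hz reading at second 20 is dropped as noise and the ramp-and-hold from second 32 to 49 is reported as one excursion peaking at 1,064 Hz. The design point is that the check reads the physical signal directly rather than trusting what the controller reports about itself.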

Future Stuxnet variants may be able to exploit critical physical infrastructure such as power grid controls or electronic voting systems. Enterprises have a number of systems and software that still have factory default passwords, or passwords that are so deeply embedded that they can’t be changed by the customer. Such was the case with Cisco’s Unified Video Conferencing 5100 series products, which had a hardcoded password for several accounts that can’t be changed or deleted. Cisco announced a free software upgrade to close the vulnerability in November, and also suggested a workaround where access to the Cisco UVC Web server was limited to only trusted hosts via access control lists on the network’s routers and switches.

Security analysts have speculated that Stuxnet used thumb drives to spread because many SCADA systems are not connected to the Internet, but have a USB port. Once on a device, it can replicate over the local network. The point of entry can be something as innocuous as programmable, network-ready coffee makers, many of which come with USB ports. While Stuxnet has hit computers in various countries, including the United States, Indonesia, Malaysia, the United Kingdom, and Australia, Iran was perhaps the hardest hit, with over 62,000 infected machines.

Thursday, December 23, 2010

Merry Christmas - Another IE 0 Day

I'm guessing Santa got his lumps of coal mixed up with a bag of exploits. This exploit has been discussed over the last day or so on Full Disclosure and a number of other sites. Metasploit already has a module available for it (just search for CSS & IE). Microsoft has put out advisory 2488013 regarding the issue (http://www.microsoft.com/technet/security/advisory/2488013.mspx). The issue manifests itself when a specially crafted web page is used and could result in remote code execution on the client.

Microsoft suggests using the Enhanced Mitigation Experience Toolkit (EMET) to help address the issue. Details on that, and a little bit more on the exploit, can be found here: http://blogs.technet.com/b/srd/archive/2010/12/22/new-internet-explorer-vulnerability-affecting-all-versions-of-ie.aspx

Thursday, December 2, 2010

Cyber-espionage At the Crossroads


Aurora and Stuxnet - here to stay
It has been a milestone week in cyber-espionage developments. It sounds like something out of a spy movie -- a confession, a killing, and a leaked intelligence cable: Iranian President Mahmoud Ahmadinejad issued a statement that "enemies" of Iran had successfully used software to disrupt centrifuges in Iran's nuclear facility, Iran's top nuclear scientist was assassinated, and a U.S. State Department cable obtained by WikiLeaks suggested the Chinese government had ordered the Aurora attack against Google.

While the attacks on Google, Adobe, Intel, and other U.S. companies earlier this year served as a big wake-up call to Corporate America, the Stuxnet worm shook the SCADA and critical infrastructure industry with a reality check that even physical equipment without Internet access isn't immune to attack. 

Speculation that the Chinese government was somehow behind the Aurora attacks has been rampant since Google first revealed in January that it had been hacked. And while Stuxnet was aimed specifically at Siemens' SIMATIC WinCC and PCS 7 systems and appeared to be focused on Iran's nuclear facility, there had been no solid indication whether Stuxnet had successfully executed its mission.

But both cases hit the headlines again this week in a big way: Ahmadinejad acknowledged publicly that "enemy" code disrupted a "limited" number of Iran's centrifuges. He didn't reference Stuxnet by name, but security experts believe he was referring to the now-infamous worm: "They succeeded in creating problems for a limited number of our centrifuges with the software they had installed in electronic parts," he said in a press briefing. "They did a bad thing. Fortunately our experts discovered that and today they are not able [to do that] anymore."

Operation Aurora also re-emerged in the news, with reports that among the State Department cables leaked by WikiLeaks was one that implicates the Chinese government in the attacks on Google. According to a report in The New York Times, "China's Politburo directed the intrusion into Google's computer systems in that country, a Chinese contact told the American Embassy in Beijing in January, one cable reported. The Google hacking was part of a coordinated campaign of computer sabotage carried out by government operatives, private security experts and Internet outlaws recruited by the Chinese government. They have broken into American government computers and those of Western allies, the Dalai Lama and American businesses since 2002, cables said." 

Adding to the intrigue of the possible Iranian nuclear plant incident, a scientist described as Iran's top Stuxnet expert was killed this week either by a targeted bombing attack or a shooting ambush, according to news reports. Of course, plenty of unanswered questions still remain, and experts say these developments could ultimately be dead ends that can't easily be confirmed. Either way, the Aurora and Stuxnet attacks are classic espionage with a twist. 

Wednesday, December 1, 2010

Qakbot Trojan - Fast-spreading attack against U.S. financial institutions

This sort of thing isn't particularly new, but the Qakbot Trojan has recently been causing plenty of ripples in the security pond. Qakbot is different in that it almost exclusively targets U.S. financial institutions. It is also the first Trojan to exclusively target business and corporate accounts at these financial institutions. The goal for Qakbot is to siphon out larger sums of money, much more than would generally be available in private online accounts. While Qakbot is not the first and only Trojan to target such accounts, it is the only one that shows this type of strict 'preference' by design, and with no exceptions. How does Qakbot infect its prey? It doesn't appear to use the HTML or JavaScript code injections or man-in-the-browser attacks that are typically used to circumvent two-factor authentication mechanisms.

Qakbot is designed to spread like a worm -- infecting multiple machines at a time -- while also stealing data like an ordinary bank Trojan. Qakbot targets shared networks, copying its executable file into shared directories, a technique that enables it to propagate on corporate networks. In addition, Qakbot is the first Trojan to separate targeted credentials from other stolen information. The targeted credentials are sent to Qakbot's drop server, while credentials stolen from entities that are not specifically targeted by Qakbot are uploaded to hijacked FTP accounts located on legitimate FTP servers.
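The share-copying behaviour described above leaves a recognisable trace on a file server: one host writing the same executable into several different shares in a short span. The block below is an added example, not code from the original post or from any Qakbot analysis. It scans constructed file-server audit lines (format assumed to be "epoch user source_host WRITE unc_path") and flags a source host that drops an executable onto three or more distinct shares within a five-minute window; the window, share count and extension list are assumptions chosen for the sample.

```python
"""Detector for worm-like executable drops onto network shares.

Added example (not from the original post). Qakbot is described as
propagating by copying its executable into shared directories; this scans
constructed file-server audit lines and flags a source host that writes an
executable to several distinct shares within a short window, which is what
worm-style fan-out looks like from the server side.
Log format (constructed): "<epoch> <user> <src_host> WRITE <unc_path>".
"""
from collections import defaultdict

EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd")

# Constructed audit lines: WS07 fans one executable out to four shares in
# under two minutes; WS12 saves ordinary documents; WS20 drops one tool once.
SAMPLE_AUDIT = """\
1291161600 jsmith WS07 WRITE \\\\FS1\\public\\update.exe
1291161630 jsmith WS07 WRITE \\\\FS1\\finance\\update.exe
1291161660 jsmith WS07 WRITE \\\\FS2\\shared\\update.exe
1291161700 jsmith WS07 WRITE \\\\FS3\\team\\update.exe
1291161610 bjones WS12 WRITE \\\\FS1\\finance\\q4_report.docx
1291161650 bjones WS12 WRITE \\\\FS1\\finance\\budget.xlsx
1291165200 rdoe WS20 WRITE \\\\FS1\\public\\tool.exe
"""


def parse_audit(text):
    """Yield (epoch, user, src_host, unc_path) for well-formed WRITE lines."""
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5 or parts[3] != "WRITE":
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], parts[4]
        except ValueError:
            continue


def share_of(unc_path):
    """Return the lower-cased \\\\server\\share prefix of a UNC path, or None."""
    parts = unc_path.strip("\\").split("\\")
    if len(parts) < 2:
        return None
    return "\\\\" + "\\".join(parts[:2]).lower()


def find_fanout(text, window_s=300, min_shares=3):
    """Return [(src_host, user, n_shares, first_ts, last_ts, filename)].

    One finding per (host, user) pair: the earliest window in which that pair
    wrote executables to at least min_shares distinct shares.
    """
    drops = defaultdict(list)
    for ts, user, host, path in parse_audit(text):
        if not path.lower().endswith(EXEC_SUFFIXES):
            continue
        share = share_of(path)
        if share:
            name = path.rsplit("\\", 1)[-1].lower()
            drops[(host, user)].append((ts, share, name))

    findings = []
    for (host, user), events in sorted(drops.items()):
        events.sort()
        # Slide a window starting at each event and count distinct target shares.
        for i, (start_ts, _, name) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start_ts <= window_s]
            shares = {share for _, share, _ in in_window}
            if len(shares) >= min_shares:
                findings.append((host, user, len(shares), start_ts, in_window[-1][0], name))
                break
    return findings


if __name__ == "__main__":
    for finding in find_fanout(SAMPLE_AUDIT):
        print(finding)
```

On the sample only WS07 is reported (four shares in 100 seconds); the single executable from WS20 and the document saves from WS12 stay below the threshold. Keying on distinct shares rather than raw write count is what separates a propagating copy from a user legitimately re-saving one installer.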

The sheer volume and detail of information stolen by Qakbot is astounding. Every time an infected user accesses an entity's website, the Trojan organizes data transmitted from the victim's machine into three separate files ... These files are organized per user and are complete with comprehensive system and user-account information. All this information is likely aggregated by Qakbot's authors to research possible future exploits.


Qakbot's most famous victim to date is the National Health Service (NHS), the U.K.'s publicly funded healthcare system. Qakbot infected more than 1,100 computers at the NHS, and while there was no evidence that patient data was compromised, 4 GB of credentials from Facebook, Twitter, Hotmail, Gmail, and Yahoo were seen being funneled through NHS-monitored servers. Qakbot also features a unique, self-developed compression format to compress the credentials it steals -- the first such programming feat of its kind. The Qakbot authors' proprietary archive format forces security researchers to dedicate a considerable amount of time and effort to writing an appropriate decompressor.

Unlike some other Trojans, Qakbot's distribution is "quite limited, so it is likely privately owned and operated by a single cybercriminal or gang, as opposed to being commercially available in the underground."