Archive
August 2011 Cyber Attacks Timeline (Part I)
Update Sep 2: August 2011 Cyber Attacks Timeline (Complete List)
It looks like the Dog Days did not stop the Cyber Attacks, which have been particularly numerous during August. This is the reason why I decided to divide my traditional collection in two parts. Today it is the turn of the first half covering the interval 1-15 August.
Following the trail of July, an attack against PCS Consultants, another U.S Government contractor opened this hot month, even if the controversial shady RAT affair monopolized (and keeps on to monopolize) the infosec landscape (and not only during the first half of the month). Easily predictable nearly every endpoint security vendor (and McAfee competitors) tend to minimize the event considering it only the latest example of RAT based cyber attacks with no particular features (see for instance the comment by Sophos, Kaspersky and Symantec).
Analogously the Dog Days did not stop hactivism with the infamous hacking group Anonymous (and its local “chapters”) author of several attacks in different countries and most of all of author of a kind of arm wrestling against BART (Bay Area Rapid Transit), sometimes carried out with questionable methods. Research in Motion was indirectly involved on the Anonymous Campaign during the London Riot, but also Anonymous was hit by (another) defacement attack carried on by Syrian hackers which affected Anonplus, the alternative Social Network.
South Korea was also hit with another massive breach (but the story for SK does not end here).
According to my very personal estimates, based on the Ponemon Institute indications, the cost for the data breach for which enough information was available, is around $ 43 million.
| Date | Author | Description | Organization | Attack |
| Aug 1 | 
|
Another U.S. Government contractor, PCS Consultants gets hacked by Anonymous & Antisec. Hackers extract website Database and leak it on the internet via Twitter on Pastebin (as usual!). Leaked Data include Admin’s and 110 users emails, plus passwords in encrypted hashes. |
 |
SQLi? |
| Aug 2 | |
Vitrociset
72 hours after the first defacement, Vitrociset, a contractor of Italian Cyber Police, is hacked and defaced again by Anonymous. |
 |
SQLi? Defacement |
| Aug 3 |  |
United Nations (Shady RAT)
In an interview to Vanity Fair (as to say, information Security is a fashion), a McAfee Security Researcher declares UN and other international institutions have been victims of a large scale Remote Access Tool based attack from a Foreign Country. The attack is dubbed shady RAT and suspects are directed to China. |
 |
Remote Access Tool |
| Aug 3 |  |
Colombia
Anonymous and Colombian Hackers shut down the websites of Colombia’s president, the interior and justice ministry, the intelligence service DAS and the governing party. The hacker attack was meant as a protest against government censorship. |
 |
DDoS |
| Aug 3 |  |
The SUN and News Corp. InternationalBritain’s Rupert Murdoch-owned tabloid The Sun sends a message to readers warning them that computer hackers may have published their data online after an attack on the paper’s website last month. A hacker styled ‘Batteye‘ claims to have posted details taken from The Sun on the Pastebin. |  |
SQLi? |
| Aug 3 |  |
Front National
As a consequence of the Massacre of Oslo, Anonymous France claims to have hacked a server belonging to Front National, leaking a list of 100 leaders of the party |
 |
? |
| Aug 5 | ? |
Eight weeks after a hacker cracked its credit card database, the company’s credit card unit in Japan, Citi Card, reported in a message to its user base that “certain personal information of 92,408 customers has allegedly been obtained and sold to a third party illegally.” Estimated cost of the breach is about $19.8 million. |
 |
unfaithful outsourcer |
| Aug 6 |   |
Law Enforcement Agencies
After the first attack to Law Enforcement Institutions in July, Anonymous and LulzSec, as part of what they define the ShootingSheriffsSaturday, leak again 10 Gb of Data from the same Law Enforcement Agencies, including private police emails, training files, snitch info and personal info. The attack was made in retaliation for anonymous arrests |
 |
SQLi? |
| Aug 6 |  |
SAPPE (Sindacato Autonomo Polizia Penitenziaria)
Anonymous defaces the Web Site of SAPPE (Independent Union of Prison Guards) and leaves a message on pastebin (here in italian) claiming more rights for detainees |
 |
SQLi? |
| Aug 6 |  |
Policia Federal (Brazilian Police)
LulzSec Brazil hacks Brazilian Police and discloses 8 gb of data from what they defined the Pandora’s Box |
 |
USB Key Stolen? |
| Aug 7 | |
Syrian Ministry of Defense
The Syrian Ministry of defense is hacked by Anonymous which defaces the web site and post a note supporting the Syrian people |
 |
Defacement |
| Aug 9 |  |
Anonplus (Anonymous Social Network)
In retaliation for the defacement of the Syrian Ministry of Defence, a Syrian Group of hackers dubbed Syrian Electronic Army, has defaced (for the third time), Anonplus, the alternative Social Network in phase of deployment by Anonymous, posting several gruesome images. |
 |
Defacement |
| Aug 9 |  |
Research In Motion
As an (in)direct consequence of the London Riots, a crew of hackers called TeaMp0isoN defaces The Official BlackBerry Blog after RIM has indicated to assist London police, who are investigating the use of the messaging service in organizing riots, with a “very extensive monitoring of the BlackBerry Messenger model”. |
 |
SQLi? |
| Aug 9 |
|
Operation Satiagraha
As part of Operation Antisec, LulzSec and Anonymous, release 5gb of documents, photos, audio files and videos, exposing that wich was one of the greatest corruption scandals in the recent history of Brazil |
 |
SQLi? |
| Aug 10 | ? |
University Of Wisconsin Milwaukee
The Social Security numbers of 75,000 students and employees at the University of Wisconsin-Milwaukee arE exposed after hackers planted malware in a campus server.ty-of-wisconsin-server. Estimated Cost of the Breach is $16 million. |
 |
APT |
| Aug 10 | ? |
Hong Kong Stock Exchange (HKEx)The Hong Kong stock exchange (HKEx) halts trading for seven stocks in the afternoon trading session after its website was attacked during the morning trading session. The seven stocks in question were all due to release sensitive results to the website that could impact the price of their stocks. Initially the attack was believed to have compromised the web site. Later it was discovered to be a DDoS |  |
DDoS |
| Aug 12 | Headpuster |
Welt.de
An hacker called Headpuster, to protest against the sale of user data to a third party operator, hacks Welt.de using an SQL Injection (http://boot24.welt.de/index_welt..php?ac =***) and steals a large amount of data including credit card information of 30,264 users from the database He then publishes censored excerpts. Estimated cost of the breach is around $6.5 million. |
 |
SQLi? |
| Aug 12 | ? |
Hong Kong stock exchange (HKEx)
The Hong Kong stock exchange comes under attack for the second day in a row on Thursday. The exchange blamed a Distributed Denial of Service (DDoS) attack against its news web server, hkexnews.hk. A Suspect has been arrested on Aug, the 23rd.
|
 |
DDoS |
| Aug 14 | |
Mybart.org
As part of their #OpBART and #Bart-Action in response to a temporary shutdown of cell service in four downtown San Francisco stations to interfere with a protest over a shooting by a BART police officer, Anonymous attacks the myBART.org website belonging to San Francisco’s BART (Bay Area Rapid Transit) system. They perform a SQL injection (SQLi) attack against the site and extract 2,450 records containing names, usernames, passwords (plain text), emails, phone numbers, addresses and zip codes. Estimated Cost of the Breach is $524,300. |
 |
SQLi |
| Aug 15 | ? |
GOMTV.NETAfter SK, Another South Korean service provider reports a large-scale data breach of usernames and passwords for subscribers worldwide. This time, it’s the turn of Seoul-based streaming media service GOMTV to suffer a data-spilling intrusion. According to GOM TV, the breach happened early in the morning of Friday 12 August 2011 Korean time; the company sent out a warning email to its subscribers on Sunday 14 August 2011. |  |
SQLi? |
Finally I Saw One!
Update: F-Secure posted in their blog the complete description on how the patient 0 was found: And here it is the infamous “2011 recruitment plan message”.
Have a look to the fake sender: a message from beyond…
Original Post follows:
I am working hard for the August 2011 Cyber Attacks Timeline (stay tuned it is almost ready! Meanwhile you may check the previous ones) while I stumbled upon this very interesting article. Yes, I may say that finally I saw one of the Emails used for spear phishing attacks against RSA customers, using compromised seeds.
As you will probably know everything started on March 17, 2011, when RSA admitted to have been targeted by a sophisticated attack which led to certain information specifically related to RSA’s SecurID two-factor authentication products being subtracted from RSA’s systems.
Of course the sole seed and serial number of the token (the alleged information subtracted) is not enough to carry on a successful attack, so the attacker (whose possible target were presumably RSA customers) had to find a way to get the missing pieces of the puzzle, that is the username and the PIN. And which is the best way? Of course Spear Phishing!
And here the example of a fake spear phishing E-mail targeting one of the One of America’s Most Secret (and Important) Agencies and in the same Time RSA customers:
Likely the same attack vector was utilized against three Contractors (RSA Customers) which were targeted by attacks based on compromised SecurID seeds between April and May (Lockheed Martin, L-3, and Northrop Grumman). What a terrible year for Contractors and DHS related agencies!
By chance today F-Secure revealed to have discovered the patient zero, that is the mail (“2011 Recruitment Plan”) used to convey the APT inside RSA. Someone (who decided to follow the best practices for anomalous e-mails) submitted it to Virus Total, a cloud based service for scanning files, and it looks like that F-Secure antimalware analyst Timo Hirvonen discovered the e-mail message buried in the millions of submissions stored in this crowd-sourced database of malicious or potentially malicious files.
Original Source of Spear Phishing E-mail: http://www.cyveillanceblog.com, Kudos to @yo9fah for reporting me the link.
The Secret Behind LOIC? Simple!
Everyone dealing with Information Security knows very well that SNMP (which stands for Simple Network Management Protocol and corresponds to the standard UDP protocol used to monitor servers and network elements) is considered insecure. In too many circumstances network administrators forget to change the default community strings (the strings used to “softly” authenticate the manager and the agents) from their default values which are typically “public” for read-only access and “private” for read-and-write access on the monitored device. This happens sometimes for thoughtlessness, or simply because network administrators do not consider changing the default security strings a security issues.
And even if SNMP version 3 is used (which grants encryption and mutual authentication between the manager and the agents -at least the attackers may not spoof the default community strings-) in 12 years of honorable career I never found so far the right combination between manager and agent versions: I mean when you have a network manager supporting version 3, the agents only support version 1 or 2c and vice versa if the agents support version 3 you may be sure that the manager only supports version 1 or 2c.
Now there is a reason more to consider SNMP (and its default configurations) an hazard for Information Security. This reason is four letters long and is called LOIC, the infamous tool used by Anonymous to perpetrate the well known DDoS attacks.
So far the infosec community has been divided into two opposite factions: on one side those who think that Anonymous-perpetrated DDoS attacks are successful even with a small number of “enrolled cannons” since the same Anononymous owns a Botnet which from time to time is unleashed against the target. On the other side those claiming that this kind of attacks may be successful only if a huge number of participants volunteer accomplices is enrolled.
Today an article written by Alex Holden, Cyopsis Director of Enterprise Security, offers an alternative hypothesis. The attack method Holden describes is called a Reflected Denial of Service (RDoS) and just utilizes SNMP, which is UDP-based, exploiting the weaknesses in default configurations which populate many devices composing the Internet, with devastating consequences.
The SNMP paradigm, as the name suggests, is very simple: each device (server, network device or application) which must be monitored provides some status variables to the external world. The variables may be queried by a special application called network manager. The variables are organized in different groups (or leaves), and identified by OIDs (or Obiect IDentifiers). Querying the main OID (1.3.6.1) returns all the variables (this is an operation called snmpwalk).
If the assumption of Holden is correct, suppose you are able to spoof a manager with the same address than the target of the attack, and suppose to generate continuous SNMP queries with that address, querying the main OID from all the Internet devices which are known to have standard community strings. The unaware target will be flooded by SNMP replies from those devices with a lethal amplification effect and consequently an apparently innocent misconfiguration (that is the unchanged default community string) becomes an hazard for the Internet.
Of course this is a mere speculation (I did not verify source code), but this would explain why the Anonymous claimed that LOIC traffic is was hard to detect (but not always): the SNMP protocol is very popular and widespread on the Internet.
The same arrests of LOIC users are the reason why a new tool is in development called #RefRef. Developed with JavaScript, the tool is said to use the target site’s own processing power against itself, causing the target to succumbs to resource exhaustion: looks like a Reflected attack against itself).
(Original link via Infosecisland).
The Dangerous Liaisons (Updated)
Did you know that a smartphone might involve as many as 250,000 patent claims? You may easily understand why the $ 4.5 billion auction to buy 6,000 Nortel patents by the consortium formed by Apple, Microsoft, Research in Motion, Sony Ericsson and EMC was so cruel. You may also easily understand why Google, the loser of the Nortel auction, decided to react immediately acquiring Motorola and its patent portfolio made of more than 17,000 approved patents (and another 7,500 patents filed and pending approval) for the large sum of $ 12.5 billion.
Said in few words, the mobile arena is getting more and more agressive and cruel. For this reason, a litte bit for curosity, a little bit for fun, I decided to draw a chart (and a table) showing all the moves of the giant players in this mobile chessboard. Although deliberately incomplete (I did not show in the table the patent saga of NTP Inc. against the rest of the world and the settlement of Motorola vs RIM), it gives a good idea of the dangerous intersections involving partnership, fees, alliances and, most of all, lawsuits… With the strange paradox that some companies (read Apple and Samsung) are enemies before the court, but in the same time business partners.
While visualizing the idea I stumbled upon this similar graph showing the status of the mobile arena on 8 Oct 2010. I decided to use the same layout, omitting some informations, but updating it to the current date. The graph is a little bit confusing, but the confusion of the arrows reflects betten than a thousand words the real situation.
Anyway the war will not stop here: the next targets? Interdigital Inc. with its 8,800 patents which are attracting several bidders such as Apple, Nokia and Qualcomm; and, most of all, Kodak, whose survival depends on the auction of the 10% of its patent portfolio (1,100 patents), valued as high as $3 billion which are vital to compensate the losses estimated in $2.5 billion.
As far as the table is concerned, in order to avoid repetitions, it only shows the status of the lawsuits and alliances from the perspective of Google, Apple and Microsoft. Enjoy your read and the 250,000 patent claims on your smartphone!
| Company | Filed Suit Against | Has technological alliance with | Filed Suite From: |
 |
No one (at least so far!) |  
Of course Google licensees his Mobile OS to HTC and Samsung (in rigorous alphabetical order), and it is the driver for the impressive market share growthof Samsung and HTC.
In an effort to defend Android’s Intellettual Property “to supercharge the Android ecosystem and will enhance competition in mobile computing”, on Aug 15 2011, Google announced the intention to acquire Motorola Mobility with a $12.5 billion deal. Motorola has nearly 17,000 patents. |
Aug 12 2010: Oracle has filed suit against Google for infringing on copyrights and patents related to Java,. Oracle claimed Google “knowingly, directly and repeatedly infringed Oracle’s Java-related intellectual property”. Android uses a light proprietary Java Virtual Machine, Dalvik VM, which, according to Oracle infringes one or more claims of each of United States Patents Nos. 6,125,447; 6,192,476; 5,966,702; 7,426,720; RE38,104; 6,910,205; and 6,061,520. The case is in U.S. District Court, Northern District of California, is Oracle America, Inc v. Google Inc, 10-3561. The lawsuit is still pending and will likely take several months. The trial between Oracle and Google is expected to begin by November and Oracle is seeking damages “in the billions of dollars” from Google. On Aug 1 2011, the judge overseeing the lawsuit Oracle filed over the Android mobile OS has denied Google’s attempt to get a potentially damaging e-mail redacted. |
 |
Mar 2 2010: Apple sued HTC for infringing on ten patents, nine of which involve technologies which apply to the iPhone, while one involves the use of gestures, but only in a specific use case. The suit has been filed in the U.S. District Court in Delaware , alleging twenty instances of patent infringement. The company also petitioned the US ITC to block the import of twelve phones designed and manufactured by HTC. On Jul 15 2011 Apple won a preliminary patent ruling in an early judgment before the US ITC, in which HTC was found to have breached two of 10 patents held by Apple. On Aug 8 2011 ITC announced to have dediced to review Apple’s patent infringement complaint against HTC.
Oct 31 2010: In response to Motorola lawsuit against Apple, Apple sued Motorola and Motorola Mobility for Infringment on several Multi-Touch patents infringments in the Wisconsin Western District Court with two distinct lawsuits. A total of six patents are involved in the two lawsuits. On Nov 23, 2010: US International Trading Commission announced to review Apple patent case against Motorola.
Apr 18 2011: Apple filed suit against Samsung for copying the design of its iPad and iPhone with its smartphones and tablets. Aug 10 2011: European customs officers have been ordered to seize shipments of Samsung’s Galaxy Tab computers after the ruling late on Tuesday by a German patents court. In the last days Apple has been accused of presenting inaccurate evidence against Samsung. Aug 24 2011: Samsung has been banned from selling some galaxy phones in the Netherlands. The ban is set to begin on October 13, but Samsung doesn’t seem to be taking it too hard. |
On Jul 1 2011 the intellectual property of the Canada giant Nortel (in Bankrupt), involving 6,000 patents, was sold for $4.5 billion, in a dramatic auction, to a consortium formed by Apple, Microsoft, RIM, Sony, EMC and Ericsson. Google was the other competitor (and the big looser) for the deal. This event acted as a trigger for the acquisition of Motorola Mobility by Google.
On Aug 3 2011, In a post to the Official Google Blog, Google Senior Vice President and Chief Legal Officer David Drummond said that Apple, Microsoft, Oracle, and others have waged “a hostile, organized campaign against Android” by snapping up patents from Novell and Nortel and asking Google for high licensing fees for every Android device”, accusing them of Patent Bulying.
Curiously, Apple is one of the main technological partners of Samsung for displays and semi-conductors. Samsung produces Apple’s A4 systems-on-a-chip (SoC) and also the two companies collaborate for iPad displays (Apple is moving from LG to Samsung because oof quality issues of the former). Nevertheless the lawsuits between the two companies are compromising their relationships so that Apple is evaluating a new supplier (TSMC) for its A6 nexy generation chipset. |
Oct 22 2009: Nokia sued Apple in Delaware court for infringing on ten patents related to GSM, UMTS, and WLAN standards that Nokia states they established after investing more than EUR 40 billion in R&D over the last 20 years. On Jun 14 2011 Apple agreed to pay between $300m and $600m to cover the 111m iPhones sold since its launch in 2007. Although the exact number was not specified, additional yearly fees could be part of the agreement.
On Jan 2010 Kodak sued Apple and RIM claiming Apple is infringing its 2001 patent covering technology that enables a camera to preview low-resolution versions of a moving image while recording still images at higher resolutions. The cases were filed in U.S. District Court in Rochester, N.Y., as well as the U.S. ITC. On Apr 2010 Apple argues that some Kodak still and video camera products violate two of its patents On Jul 2011: While Kodak’s claim is pending, the commission rules on Apple’s complaint and says Kodak’s digital-camera technology doesn’t violate Apple’s patents.
Oct 6 2010: Motorola sued Apple for patent infringement in three separate complaints; in district courts in Illinois and Florida and a separate complaint filed with the U.S. International Trade Commission. The suits covered 18 different patents, infiringed by Apple’s iPhone, iPad, iPod touch, and certain Mac computers. The Motorola patents include wireless communication technologies, such as WCDMA (3G), GPRS, 802.11 and antenna design, and key smartphone technologies including wireless e-mail, proximity sensing, software application management, location-based services and multi-device synchronization.
Jan 12 2011: Microsoft has motioned for a summary judgment to block Apple from trademarking the phrase “app store,” as it filed with the U.S. Patent and Trademark Office (USPTO) on July 17, 2008. Mar 30 2011: Microsoft filed a second objection to Apple’s enduring pursuit to trademark the phrase “app store hiring a linguist, Dr. Ronald Butters, to go head-to-head against Apple’s own hired linguist, Robert A. Leonard.
On Jul 1 2011 US ITC said Apple has violated two S3 Graphics Co. patents in its Mac OS X operating system, but not in the iOS platform. Although not directly related to Mobile, this ruling is meaningful since S3 has been acquired by HTC on Jul 6 2011 for $300 million in order to use their patents in the fight against Apple. HTC expects final ruling on Apple-S3 graphics case in November.
On Aug 16 2011 HTC filed a new lawsuit against Apple in Delaware’s US District Court, in an escalation of the legal battle between the two smartphone giants. HTC accused Apple to have infringed three of HTC’s patents through its sale of devices including iPads, iPods, iPhones and Macintosh computers. |
|
Oct 1 2010: Microsoft sued Motorola for patent infringement relating to the company’s Android-based smartphones. Microsoft filed its complaint with the International Trade Commission and in a Washington state district court. At issue are nine patents that deal with, among others, sending and receiving e-mail, managing and syncing calendars and contacts, and managing a phone’s memory. Patent dispute will begin from Aug 21 2011, the hearing procedure can take up to 10 days, the judgment procedure is expected to reach the final verdict point only in March 2012.
Nov 9 2010: Microsoft sued again Motorola for charging excessive royalties on network technology used in Microsoft’s Xbox game system. |
 Feb 11 2011: a deal with the Devil, Microsoft and Nokia announce their plansto form a broad strategic partnership that would use their complementary strengths and expertise to create a new global mobile ecosystem.
Besides the alliances with Apple and RIM (see the corresponding cell), on May 12 2011 Microsoft has teamed up with HTC, Nokia and Sony Ericsson in Europe, filing a challenge seeking to invalidate Apple’s trademarks on the phrases “App Store” and “Appstore.” |
Nov 11 2010: Motorola Mobility sued Microsoft with the U.S. District Courts for the Southern District of Florida and the Western District of Wisconsin alleging infringement of sixteen patents by Microsoft’s PC and Server software, Windows mobile software and Xbox products. Motorola Mobility asked for the infringing devices to be barred from importation into the United States. On Dec 21 2010, ITC has agreed to hear the complaint.
|
Antisec hacks another Defense Contractor
Update August 19: As part of #FFF IV Antisec has released full torrent for Vanguard Defense Industries Hack.
The Antisec Typhoon seems unstoppable and has apparently hacked another Defense Contractor. Continuing their campaign against law enforcement agencies and related organizations, driven by the infamous hash #FFFriday, this time they have targeted Richard Garcia, the Senior Vice President of Vanguard Defense Industries (VDI). During the Breach nearly 4,713 emails and thousands of documents were stolen.
According to TechHerald, AntiSec targeted VDI’s website due to their relationship with several law enforcement agencies from Texas and other parts of the U.S., as well as their relationship with the FBI, the DHS, and U.S. Marshals Service. Moreover, with this hack Antisec (in)directly targeted FBI since Richard Garcia is the former Assistant Director in Charge of the FBI’s field office in Los Angeles. To those supporting AntiSec, this alone is reason enough to target VDI and release Garcia’s corporate email to the public.
As usual the attack had been anticipated by an enigmatic and threatening tweet:
The emails were taken after AntiSec breached VDI’s website, based on the popular WordPress platform. According to Antisec source, VDI had two outdated plugins installed on their website, which had its development outsourced to a local marketing company in Texas. Although the person from AntiSec did not disclose the exact method used to access Garcia’s email, he stated that the hack was performed through the VDI website, and that his password was rather weak.
VDI is the responsible for ShadowHawk, an unmanned helicopter that can be tasked with aerial surveillance or equipped for military usage. At its base, the ShadowHawk comes with CCD TV optics, or an upgraded version includes CCD TV optics and FLIR optics. A third version, for military or law enforcement usage only, can be equipped with a single or multiple shot 37 mm or 40mm grenade launcher, as well as a 12g shotgun, and thermal cameras.
The is only the last leak to Defense Contractor, scroll down the list for attacks targeting Defense Contractors in this very troubled year:
| Date | Author | Description | Organization | Attack |
| Feb 5 |
 |
Anonymous hacks HBGary Federal Web Site, copies tens of thousands of documents, posts tens of thousands of emails online and usurps CEO Aaron Baar’s Twitter Account. |
 |
? |
| Apr 6 |
? |
An E-mail dated April 6, sent to 5,000 employees of U.S. Defense Contractor L-3 warns of an attack attempt made with compromised SecureIDs. It is not clear if the attack was successful (it was revelead half a month later). This is in absolute the first attack perpetrated with RSA Seeds. |
 |
Compromised SecureID |
| May 21 | ? |
This is the first known (and the only officially recognized so far) attack perpetrated with compromised SecureID seeds targeting a U.S. Defense Contractor. This Attack was detected before any sensitive information could be stolen. 100,000 accounts were locked as a precaution. |
 |
Compromised SecureID |
| May 26 | ? |
Third U.S. Defense Contractor attacked using Compromised RSA Seeds. Attacked detected before any sensitive data was stolen. |
 |
SQLi? |
| Jun 3 |
|
As part of the FFFriday campaign, LulzSec steals 180 usernames, real names, hashed and plain text passwords, are acquired and posted publicily |
 |
N/A |
| Jul 8 |
 |
Anonymous attacks IRC Federal and dumps the content of the attack on a torrent available at The Pirate Bay. The dumped content include databases, private emails, contracts, development schematics, and internal documents for various government institutions. |
 |
SQLi? |
| July 11 | |
Anonymous attacks consulting firm Booz Allen Hamilton and releases details of internal data including 90,000 military emails and passwords. Estimated cost of the breach is around $5,400,000.00. |
 |
SQLi? |
| Jul 11 | ? |
The Pentagon reveals to have suffered a breach of 24,000 documents in March, during a single intrusion believed to have been perpetrated by a Foreign Country. As a consequence of the Intrusion, a classified U.S. Military Weapon System will need to be redesigned after specs and plans were stolen during the breach. |
 |
? |
| Jul 28 |
|
Mantech International Corporation Anonymous hacks Mantech International Corporation, another FBI Contractor, as a consolidated tradition on Friday, and releases details of internal data and documsnts. |
 |
? |
| Jul 29 |
|
U.S. Law Enforcement Institutions As part of the Antisec operation and in retaliation for the raids and the arrest again alleged Anonymous and LulzSec members, Anonymous attacks 77 U.S. Law Enforcement Institutions, defacing and destroying their servers. |
 |
SQLi? |
| Aug 1 |
|
PCS ConsultantsAnother U.S. Government contractor, PCS Consultants gets hacked by Anonymous & Antisec. Hackers extract website Database and leak it on the internet via Twitter on Pastebin (as usual!). Leaked Data include Admin’s and 110 users emails, plus passwords in encrypted hashes. | |
? |
| Aug 16 |
|
Antisec targets Richard Garcia, the Senior Vice President of Vanguard Defense Industries (VDI). During the Breach nearly 4,713 emails and thousands of documents are stolen. As consolidated tradtion, the torrent is released on Friday, August the 19th. |
 |
Vulnerability in WordPress Hosting Platform |
Related articles
- Vanguard Defense Industries compromised by AntiSec (thetechherald.com)
Looking Inside a Year of Android Malware
As you will probably know my Birthday post for Android Malware has deserved a mention from Engadget and Wired. Easily predictable but not for me, the Engadget link has been flooded by comments posted by Android supporters and adversaries, with possible trolls’ infiltrations, up to the point that the editorial staff has decided to disable comments from the article. The effect has been so surprising that someone has also insinuated, among other things, that I have been paid to talk s**t on the Android.
Now let me get some rest from this August Italian Sun and let me try to explain why I decided to celebrate this strange malware birthday for the Android.
First of all I want to make a thing clear: I currently do own an Android Device, and convinced, where possible, all my relatives and friends to jump on the Android. Moreover I do consider the Google platform an inseparable companion for my professional and personal life.
So what’s wrong? If you scroll the malware list you may easily notice that the malware always require an explicit consent from the user, so at first glance the real risk is the extreme trust that users put in their mobile devices which are not considered “simple” phones (even if smart), but real extensions of their personal and professional life.
You might say that this happens also for traditional devices (such as laptops), but in case of mobile devices there is a huge social and cultural difference: users are not aware to bring on their pocket dual (very soon four) cores mini-PCs and are not used to apply the same attention deserved for their old world traditional devices. Their small display size also make these devices particularly vulnerable to phishing (consider for instance the malware Android.GGTracker).
If we focus on technology instead of culture (not limiting the landscape to mobile) it easy to verify that the activity of developing malware (which nowadays is essentially a cybercrime activity) is a trade off between different factors affecting the potential target which include, at least its level of diffusion and its value for the attacker (in a mobile scenario the value corresponds to the value of the information stored on the device). The intrinsic security model of the target is, at least in my opinion, a secondary factor since the effort to overtake it, is simply commensurate with the value of the potential plunder.
What does this mean in simple words? It means that Android devices are growing exponentially in terms of market shares and are increasingly being used also for business. As a consequence there is a greater audience for the attackers, a greater value for the information stored (belonging to the owner’s personal and professional sphere) and consequently the sum of these factors is inevitably attracting Cybercrooks towards this platform.
Have a look to the chart drawing Google OS Market share in the U.S. (ComScore Data) compared with the number of malware samples in this last year (Data pertaining Market Share for June and July are currently not available):
So far the impact of the threats is low, but what makes the Google Platform so prone to malware? For sure not vulnerabilities: everything with a line of code is vulnerable, and, at least for the moment, a recent study from Symantec has found only 18 vulnerabilities for Google OS against 300 found for iOS (please do no question on the different age of the two OSes I only want to show that vulnerabilities are common and in this context Android is comparable with its main competitor).
Going back to the initial question there are at least three factors which make Android different:
- The application permission model relies too heavily on the user,
- The security policy for the market has proven to be weak,
- The platform too easily allows to install applications from untrusted sources with the sideloading feature.
As far as the first point is concerned: some commenters correctly noticed that apps do not install themselves on their own, but need, at least for the first installation, the explicit user consent. Well I wonder: how many “casual users” in your opinion regularly check permissions during application installation? And, even worse, as far as business users are concerned, the likely targets of cybercrime who consider the device as a mere work tool: do you really think that business users check app permission during installation? Of course a serious organization should avoid the associated risks with a firm device management policy before considering a wide deployment of similar devices, most of all among CxOs; but unfortunately we live in an imperfect world and too much often fashion and trends are faster (and stronger) than Security Policies and also make the device to be used principally for other things than its business primary role, hugely increasing risks.
This point is a serious security concern, as a matter of fact many security vendors (in my opinion the security industry is in delay in this context) offer Device Management Solution aimed to complete the native Application Access Control model. Besides it is not a coincidence that some rumors claim that Google is going to modify (enhance) the app permission security process.
As far as the second point is concerned (Android Market security policy), after the DroidDream affair, (and the following fake security update), it is clear that the Android Market Publishing (and Security) model needs to be modified, making it more similar to the App Store. There are several proposals in this context, of course in this place is not my intention to question on them but only to stress that the issue is real.
Last but not least Sideloading is something that makes Android very different from other platforms (read Apple), Apple devices do not allow to install untrusted apps unless you do not Jailbreak the devices. Android simply needs the user to flag an option (By The Way many vendors are opening their Android devices to root or alternate ROMs, consider for instance LG which in Italy does not invalidate the Warranty for rooted devices) or HTC which, on May 27, stated they will no longer have been locking the bootloaders on their devices.
So definitively the three above factors (together with the growing market shares) make Android more appealing for malware developers and this is not due to an intrinsic weakness of the platform rather than a security platform model which is mainly driven by the user and not locked by Manufacturer as it happens in case of Cupertino.
Related articles
- Looking Back at a Year of Android Malware (engadget.com)
- One Year Of Android Malware (Full List) (paulsparrows.wordpress.com)
- One Year of Android Malware (wired.com)
MySpace Hacked? No It wasn’t!
Update: Next Web pointed out that that what has been reported is a standard error message used by MySpace since 2009. I know these are hard times of hoaxes and psychological terrorism driven by the recent hacks by Anonymous and LulzSec but I hope that the lesson will be learned. Probably it would be better, in times like these, to use clearer error messages. At any rate this is only the latest demonstration of what it means to be hacking in the time of Twitter: advertising an attack, too often before performing it, has become even more important than the effect of the attack itself.
Original Post
Even if the infamous OpFacebook announced a couple of days ago is probably a hoax, nevertheless it looks like other hackers did not waste time and hacked MySpace.
As usual the hack was announced with an (Anonymous) tweet:
Following the link (http://www.myspace.com/modules/common/static/html/error.html) leads to a bad surprise, a page whose title is meaningful “All is wrong 
“. By the way www.myspace.com is currently unavailable.
We messed up our code so bad that even puppies and kittens may be in danger. Please turn back …now.
One Year Of Android Malware (Full List)
Update August 14: After the list (and the subsequent turmoil) here is the Look Inside a Year Of Android Malware.
So here it is the full list of Android Malware in a very dangerous year, since August, the 9th 2011 up-to-today.
My birthday gift for the Android is complete: exactly One year ago (9 August 2010) Kaspersky discovered the first SMS Trojan for Android in the Wild dubbed SMS.AndroidOS.FakePlayer.a. This is considered a special date for the Google Mobile OS, since, before then, Android Malware was a litte bit more than en exercise of Style, essentially focused on Spyware. After that everything changed, and mobile malware targeting the Android OS become more and more sophisticated.
Scroll down my special compilation showing the long malware trail which characterized this hard days for information security. Commenting the graph, in my opinion, probably the turning point was Android.Geinimi (end of 2010), featuring the characteristics of a primordial Botnet, but also Android.DroidDream (AKA RootCager) is worthwhile to mention because of its capability to root the phone and potentially to remotely install applications without direct user intervention.
As you will notice, the average impact is low, but, the number of malware is growing exponentially reaching a huge peak in July.
Let’s go in this mobile malware travel between botnets, sleepwalkers, biblic plagues and call Hijackers, and meanwhile do not forget to read my presentation on how to implement a secure mobile strategy.
| Date | Description | Features | Overall Risk |
| Aug 9 2010 |
SMS.AndroidOS.FakePlayer.a
First SMS Android Malware In the Wild: The malicious program penetrates Android devices in the guise of a harmless media player application. Once manually installed on the phone, the Trojan uses the system to begin sending SMSs to premium rate numbers without the owner’s knowledge or consent, resulting in money passing from a user’s account to that of the cybercriminals. |
   |
 |
| Aug 17 2010 | AndroidOS_Droisnake.A
This is the first GPS Spy Malware disguised as an Android Snake game application. To the victim, Tap Snake looks like a clone of the Snake game. However, once someone installs this app on a phone, the “game” serves as a front for a spy app that proceeds to run in the background, secretly reporting GPS coordinates back to a server. The would-be spy then pays for and downloads an app called GPS Spy and enters an email address and code to gain access to the victim’s uploaded data. |
  |
 |
| Sep 14 2010 | SMS.AndroidOS.FakePlayer.b
Pornography lands on Android! This malware is a variant of SMS.AndroidOS.FakePlayer.A. The malware poses as a pornographic application whose package name is pornoplayer.apk, and it installs on the phone with a pornographic icon. When the user launches the application, the malware does not show any adult content and, instead, sends 4 SMS messages to short codes, at the end-user’s expense. |
|
|
| Oct 13 2010 |
SMS.AndroidOS.FakePlayer.c
Pornography back on Android! Third variant of the malware SMS.AndroidOS.FakePlayer.A. New pornographic application, old icon. Sends 2 SMS messages to short codes, at the end-user’s expense. |
|
|
| Dec 29 2010 |
Android.Geinimi
First example of a Botnet-Like Malware on Android. “Grafted” onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets. Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone. The specific information it collects includes location coordinates and unique identifiers for the device (IMEI) and SIM card (IMSI). |
  |
 |
| Feb 14 2011 |
Android.Adrd AKA Android.HongTouTou
New Malware with Botnet-like Features from China. The trojan compromises personal data such as IMEI/IMSI of the device and sends them back to the remote side to react based on the commands from there. Similar to Android.Geinimi but with a lower profile (less commands) |
|
|
| Feb 22 2011 | Android.Pjapps
New Trojan horse embedded on third party applications. It opens a back door on the compromised device and retrieves commands from a remote command and control server. |
|
|
| Mar 1 2011 | Android.DroidDream AKA Android.Rootcager AKA AndroidOS_Lootoor.A The first example of a new generation of Mobile Malware: distributed through the Official Android Market, affected, according to Symantec 50,000 to 200,000 users. Expoits two different tools (rageagainstthecage and exploid) to root the phone |
|
|
| Mar 9 2011 | Android.BgServ AKA Troj/Bgserv-A AKA AndroidOS_BGSERV.A Trojanized version of the Android Market Security tool released by Google, on March the 6th, to remove the effects of DroidDream. The trojan opens a back door and transmits information from the device to a remote location. It shows more than ever security and reputation flaws in the Android Market Proposition Model. 5,000 users affected. |
|
|
| Mar 20 2011 | Android.Zeahache Trojan horse that elevates privileges on the compromised device, discovered on a Chinese language app available for download on alternative Chinese app markets. The app has the ability to root an Android device (by mean of the exploid tool called by zHash binary), leaving the device vulnerable to future threats. The app, which provides calling plan management capabilities was found also on the Android Market albeit this version lacked the code to invoke the exploit. |
|
 |
| Mar 30 2011 | Android.Walkinwat
Manually installed from non-official Android Markets, the Trojan modifies certain permissions on the compromised device that allow it to perform the following actions: Access contacts in the address book, ccess network information, access the phone in a read-only state, access the vibrator on the phone, Check the license server for the application, find the phone’s location, initiate a phone call without using the interface, open network sockets to access the Internet, read low-level log files, send SMS messages, turn the phone on and off. It gives a message to user trying to discipline users that download files illegally from unauthorized sites. |
|
|
| May 9 2011 |
Android.Adsms AKA AndroidOS_Adsms.A This malware specifically targeted China Mobile subscribers. The malware arrived through a link sent through SMS. The said message tells the China Mobile users to install a patch for their supposedly vulnerable devices by accessing the given link, which actually leads to a malicious configuration file. The malware then send message to premium numbers. |
|
|
| May 11 2011 |
Android.Zsone AKA Android.Smstibook Google removed a Trojan, Zsone, from the Android Market with the ability to subscribe users in China to premium rate QQ codes via SMS without their knowledge. 10,000 users affected. |
|
|
| May 22 2011 |
A biblical plague For Android! Trojanized version of a legitimate application that is part threat, part doomsayer. The threat was embedded in a pirated version of an app called ‘Holy ***king Bible’, which itself has stirred controversy on multiple forums in which the app is in circulation. The malware targeted North American Users. After the reboot, it starts a service whichm at regular intervals, attempts to contact a host service, passing along the device’s phone number and operator code. It then attempts to retrieve a command from a remote location in intervals of 33 minutes. In addition to having abilities to respond to commands through the Internet and SMS, the threat also has activities that are designed to trigger on the 21 and 22 of May 2011, respectively (The End of The World). |
|
|
| May 31 2011 |
A brand new version of Android.DroidDream, dubbed DroidDreamLight, was found in 24 additional apps repackaged and redistributed with the malicious payload across a total of 5 different developers distributed in the Android Market. Between 30.000 and 120.000 users affected. |
|
|
| Jun 6 2011 |
Android/DroidKungFu.A AKA Android.Gunfu Malware which uses the same exploit than DroidDream, rageagainstthecage, to gain root privilege and install the main malware component. Once installed, the malware has backdoor capabilities and is able to: execute command to delete a supplied file, execute a command to open a supplied homepage, download and install a supplied APK, open a supplied URL, run or start a supplied application package. The malware is moreover capable to obtain some information concerning the device and send them to a remote server: The collected information include: IMEI number, Build version release, SDK version, users’ mobile number, Phone model, Network Operator, Type of Net Connectivity, SD card available memory, Phone available memory. In few words, the device is turned into a member of a botnet. |
|
|
| Jun 9 2011 |
Trojan Horse that attempts to send premium-rate SMS messages to predetermined numbers. When an infected application is installed, it attempts to exploit the udev Netlink Message Validation Local Privilege Escalation Vulnerability (BID 34536) in order to obtain “root” privileges. Once running with “root” privileges it installs an executable which contains functionality to communicate with a control server using HTTP protocol and sends information such as Subscriber ID, Manufacturer and Model of the device, Version of the Android operating system. The Trojan also periodically connects to the control server and may perform the following actions: send SMS messages, remove SMS messages from the Inbox and dial phone numbers. The Trojan also contains functionality to monitor phone usage. |
|
|
| Jun 9 2011 |
Android.Uxipp AKA Android/YZHCSMS.A Trojan Horse that attempts to send premium-rate SMS messages to predetermined numbers. Again the threat is as an application for a Chinese gaming community. When executed, the Trojan attempts to send premium-rate SMS messages to several numbers and remove the SMS sent. |
|
|
| Jun 10 2011 |
Andr/Plankton-A AKA Android.Tonclank This is a Trojan horse which steals information and may open a back door on Android devices. Available for download in the Android Market embedded in several applications, when the Trojan is executed, it steals the following information from the device: Device ID and Device permissions. The above information is then sent to a remote server from which the Trojan downloads a .jar file which opens a back door and accepts commands to perform the following actions on the compromised device: copies all of the bookmarks on the device, copies all of the history on the device, copies all of the shortcuts on the device, creates a log of all of the activities performed on the device, modifies the browser’s home page, returns the status of the last executed command. The gathered information is then sent to a remote location. |
|
|
| Jun 15 2011 |
Trojan found in alternative Android markets that predominately target Chinese Android users. This Trojan predominantly affects devices with a custom ROM. The application masquerades as a legitimate one and exploits a vulnerability found in the way most custom ROMs sign their system images to install a secondary payload (without user permission) onto the ROM, giving it the ability to communicate with a remote server and receive commands. Once installed the second payload may read, send and process incoming SMS messages (potentially for mTAN interception or fraudulent premium billing subscriptions), install apps trasparently, communicate with a remote server using DES encryption. |
|
|
| Jun 20 2011 |
This trojan is automatically downloaded to a user’s phone after visiting a malicious webpage that imitates the Android Market. The Trojan, which targets users in the United States by interacting with a number of premium SMS subscription services without consent, is able to sign-up a victim to a number of premium SMS subscription services without the user’s consent. This can lead to unapproved charges to a victim’s phone bill. Android users are directed to install this Trojan after clicking on a malicious in-app advertisement, for instance a Fake Battery Saver. |
|
|
| Jul 1 2011 |
Repackaged and distributed in the form of “legitimate” applications, these two variants are different from the original one by re-implementing some of their malicious functionalities in native code and supporting two additional command and control (C&C) domains. The changes are possibly in place to make their detection and analysis harder. The repackaged apps infected with the DroidKungFu variants are made available through a number of alternative app markets and forums targeting Chinese-speaking users. |
 |
|
| Jul 3 2011 | AndroidOS_Crusewin.A AKA Android.Crusewind
Another example of a trojan which sends SMS to premium rate numbers. It also acts as a SMS Relay. It displays a standard Flash icon in the application list. The Trojan attempts to download an XML configuration file and uses it to retrieve a list of further URLs to send and receive additional data. The Trojan also contains functionality to perform the following actions: delete itself, delete SMS messages, send premium-rate SMS messages to the number that is specified in the downloaded XML configuration file, update itself. |
|
|
| Jul 6 2011 |
AndroidOS_SpyGold.A AKA Android.GoldDream This backdoor is a Trojanized copy of a legitimate gaming application for Android OS smartphones. It steals sensitive information of the affected phone’s SMS and calls functions, compromising the security of the device and of the user. It monitors the affected phone’s SMS and phone calls and sends stolen information to a remote URL. It also connects to a malicious URL in order to receive commands from a remote malicious user. |
|
|
| Jul 8 2011 | DroidDream Light Variant New variant of DroidDream Light in the Android Market, immediately removed by Google. Number of downloads was limited to 1000 – 5000. This is the third iteration of malware likely created by the authors of DroidDream. |
|
|
| Jul 11 2011 |
Android.Smssniffer AKA Andr/SMSRep-B/C AKA Android.Trojan.SmsSpy.B/C AKA Trojan-Spy.AndroidOS.Smser.a
|
|
|
| Jul 12 2011 |
Android.HippoSMS AKA Android.Hippo Another threat found bundled with repackaged versions of legitimate applications. When the Trojan is executed, it grabs a copy of all SMS messages received on the handheld device and sends them to a remote location. |
|
|
| Jul 15 2011 |
This threat is often found bundled with repackaged versions of legitimate applications. The repackaged applications are typically found on unofficial websites offering Android applications. When the Trojan is executed, it steals information and sends it to a remote server. |
|
|
| Jul 15 2011 |
Android/Sndapps.A AKA Android.Snadapps Five Android Apps found in the official Android Market share a common suspicious payload which upload users’ personal information such as email accounts as well as phone numbers to a remote server without user’s awareness. |
|
|
| Jul 27 2011 |
Trojan horse which steals several information from Android devices (for instance GPS Location or Wi-Fi position). For the first time on the Android Platform a malware is believed to spy conversations. |
|
|
| Jul 28 2011 |
Trojan horse that sends SMS messages to premium-rate phone number. When the Trojan is executed, it retrieves information containing premium-rate phone numbers from a malicious URL then sends premium-rate SMS messages. and attempts to block any confirmation SMS messages the compromised device may receive from the premium-rate number in an attempt to mask its activities. The Trojan also attempts to gather IMSI and location information and send the information to the remote attacker. |
|
|
| Aug2 2011 |
This is a detection for Trojan horses that send SMS texts to premium-rate numbers. These Trojan is a repackaged versions of genuine Android software packages, often distributed outside the Android Marketplace. The package name, publisher, and other details will vary and may be taken directly from the original application.. |
|
|
| Aug 9 2011 |
It belongs to the same NickiSpy family. However, it is significantly different from its predecessor since it is fully controlled by SMS messages instead of relying on a hard-coded C&C server for instructions. In addition, NickiBot supports a range of bot commands, such as for (GPS-based) location monitoring, sound recording and (email-based) uploading, calllog collection, etc. It also has a check-in mechanism to a remote website. his threat is often found bundled with repackaged versions of legitimate applications. The repackaged applications are typically found on unofficial websites offering Android applications. When the Trojan is executed, it steals information and sends it to a remote server. |
|
|
Legend
Parallel Market
Android Market
Manual Install
Automatic Install of Apps
Send SMS or Calls to Premium Numbers
Server C&C
GPS Spyware
Root Access
Related articles
- Happy Birthday! One Year of Android Malware (paulsparrows.wordpress.com)
- Nine Months Of Living Dangerously (paulsparrows.wordpress.com)
Riot In Motion
As an (in)direct consequence of the London Riots, a crew of hackers called TeaMp0isoN has defaced the The Official BlackBerry Blog after RIM has indicated to assist London police, who are investigating the use of the messaging service in organizing riots, with a “very extensive monitoring of the BlackBerry Messenger model”.
The availability of BBM (Black Berry Messenger), a closed messaging system for one-to-one or one-to-many (encrypted!) communications at no charge, has made BlackBerry a very popular device among U.K. teens, who are believed to be the major responsible for the riots which have hit British streets. As a consequence BlackBerry Messenger is believed to have played a key role for rioters to organize themselves.
Since the Company decided to support the Police to contain the riot, granting access to BBM data and logs, it did not take so long for a resounding retaliation by the above quoted hacker group.
Curiously shortly after the attack, MP called for BlackBerry Messenger suspension to calm UK riots, and albeit this is claimed as a victory from rioters, I cannot help but notice that it is really a paradox: the whole story is a consequence of the need for authorities to extensively monitor BBM and the same authorities now ask for a complete lockdown of BBM which might be the ultimate remediation to stop the riots).
In my opinion, this hactivism event can be seen from a double perspective: at first glance this is only the last episode of hactivism, whose actions and impacts are nowadays natural extensions in the fifth virtual domain for wars and revolutions crossing the borders of the real world. But a second deeper analysis shows surprising and, somewhat, unexpected consequences.
The event was a consequence of the attempt by authorities to deprive rioters of their weapons, that is mobile technologies. Said in simple words, we are seeing a kind of Consumerization of Riots (the western world equivalent of what I defined Consumerization of Warfare that is the influence played by consumer technologies, mobile and social networks in primis, for spreading the riots in Middle East). Of course with the obvious difference of scopes and geography.
But if the contemporary use of both mobile technologies, for communicating and coordinating, and Social Media for virally spreading information useful for the cause (tweets like weapons), is a (quite) common and consolidated practice whose primary role has been recognized for the revolutions of Maghreb and Middle East, what is completely new is, for the first time, the impact and the price (to be) paid by the technology vendor, in this case RIM, (in)directly involved in the events. As a matter of fact RIM is suffering heavy aftermaths, which will not likely end here.
Not only the Waterloo based company was hacked with a resounding defacement, with huge consequences in terms of image, but also the brand seriously risks to be negatively associated with rioters, which could lead to further negative impacts for the brand, with possible consequences in terms of sells.
Is this maybe the reason why Twitter refused to shut down the accounts of the London rioters, besides the blog post according to which Tweets must always flow?
P.S. From an Information Security Perspective…
Several Information Security blogs were wondering if hackers managed to post on BlackBerry’s blog because of a software vulnerability, or because one of their administrators had his password cracked. In my opinion several tweets from TeaMp0isoN seems to confirm the first hypothesis:
Try to find out how we got in and patch…
Happy Birthday! One Year of Android Malware
Exactly One year ago (9 August 2010) Kaspersky discovered the first SMS Trojan for Android in the Wild dubbed SMS.AndroidOS.FakePlayer.a. This is considered a special date for the Google Mobile OS, since, before then, Android Malware was a litte bit more than en exercise of Style, essentially focused on Spyware. After that everything changed, and mobile malware targeting the Android OS become more and more sophisticated.
For this reason I decided to prepare a special birthday gift for the Android, that is a special compilation showing the long malware trail which characterized this day. Commenting the graph, in my opinion, probably the turning point was Android.Geinimi (end of 2010), featuring the characteristics of a primordial Botnet, but also Android.DroidDream (AKA RootCager) is worthwhile to mention because of its capability to root the phone and potentially to remotely install applications without direct user intervention. Moreover, as you will have probably noticed, the average impact is low, but, the number of malware is growing exponentially after June, this is the reason why I decided to divide my special compilation in two parts. Today is part I: from the beginning to May, the 31st 2011.
Let’s go in this mobile malware travel between botnets, sleepwalkers and biblic plagues and meanwhile do not forget to read my presentation on how to implement a secure mobile strategy.
| Date | Description | Features | Overall Risk |
| Aug 9 2010 |
SMS.AndroidOS.FakePlayer.a
First SMS Android Malware In the Wild: The malicious program penetrates Android devices in the guise of a harmless media player application. Once manually installed on the phone, the Trojan uses the system to begin sending SMSs to premium rate numbers without the owner’s knowledge or consent, resulting in money passing from a user’s account to that of the cybercriminals. |
|
|
| Aug 17 2010 | AndroidOS_Droisnake.A
This is the first GPS Spy Malware disguised as an Android Snake game application. To the victim, Tap Snake looks like a clone of the Snake game. However, once someone installs this app on a phone, the “game” serves as a front for a spy app that proceeds to run in the background, secretly reporting GPS coordinates back to a server. The would-be spy then pays for and downloads an app called GPS Spy and enters an email address and code to gain access to the victim’s uploaded data. |
|
|
| Sep 14 2010 | SMS.AndroidOS.FakePlayer.b
Pornography lands on Android! This malware is a variant of SMS.AndroidOS.FakePlayer.A. The malware poses as a pornographic application whose package name is pornoplayer.apk, and it installs on the phone with a pornographic icon. When the user launches the application, the malware does not show any adult content and, instead, sends 4 SMS messages to short codes, at the end-user’s expense. |
|
|
| Oct 13 2010 |
SMS.AndroidOS.FakePlayer.c
Pornography back on Android! Third variant of the malware SMS.AndroidOS.FakePlayer.A. New pornographic application, old icon. Sends 2 SMS messages to short codes, at the end-user’s expense. |
|
|
| Dec 29 2010 |
Android.Geinimi
First example of a Botnet-Like Malware on Android. “Grafted” onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets. Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone. The specific information it collects includes location coordinates and unique identifiers for the device (IMEI) and SIM card (IMSI). |
 |
|
| Feb 14 2011 |
Android.Adrd AKA Android.HongTouTou
New Malware with Botnet-like Features from China. The trojan compromises personal data such as IMEI/IMSI of the device and sends them back to the remote side to react based on the commands from there. Similar to Android.Geinimi but with a lower profile (less commands) |
|
|
| Feb 22 2011 | Android.Pjapps
New Trojan horse embedded on third party applications. It opens a back door on the compromised device and retrieves commands from a remote command and control server. |
 |
|
| Mar 1 2011 | Android.DroidDream AKA Android.Rootcager AKA AndroidOS_Lootoor.A The first example of a new generation of Mobile Malware: distributed through the Official Android Market, affected, according to Symantec 50,000 to 200,000 users. Expoits two different tools (rageagainstthecage and exploid) to root the phone |
|
|
| Mar 9 2011 | Android.BgServ AKA Troj/Bgserv-A AKA AndroidOS_BGSERV.A Trojanized version of the Android Market Security tool released by Google, on March the 6th, to remove the effects of DroidDream. The trojan opens a back door and transmits information from the device to a remote location. It shows more than ever security and reputation flaws in the Android Market Proposition Model. 5,000 users affected. |
|
|
| Mar 20 2011 | Android.Zeahache Trojan horse that elevates privileges on the compromised device, discovered on a Chinese language app available for download on alternative Chinese app markets. The app has the ability to root an Android device (by mean of the exploid tool called by zHash binary), leaving the device vulnerable to future threats. The app, which provides calling plan management capabilities was found also on the Android Market albeit this version lacked the code to invoke the exploit. |
|
|
| Mar 30 2011 | Android.Walkinwat
Manually installed from non-official Android Markets, the Trojan modifies certain permissions on the compromised device that allow it to perform the following actions: Access contacts in the address book, ccess network information, access the phone in a read-only state, access the vibrator on the phone, Check the license server for the application, find the phone’s location, initiate a phone call without using the interface, open network sockets to access the Internet, read low-level log files, send SMS messages, turn the phone on and off. It gives a message to user trying to discipline users that download files illegally from unauthorized sites. |
|
|
| May 9 2011 |
Android.Adsms AKA AndroidOS_Adsms.A This malware specifically targeted China Mobile subscribers. The malware arrived through a link sent through SMS. The said message tells the China Mobile users to install a patch for their supposedly vulnerable devices by accessing the given link, which actually leads to a malicious configuration file. The malware then send message to premium numbers. |
|
|
| May 11 2011 |
Android.Zsone AKA Android.Smstibook Google removed a Trojan, Zsone, from the Android Market with the ability to subscribe users in China to premium rate QQ codes via SMS without their knowledge. 10,000 users affected. |
|
|
| May 22 2011 |
A biblical plague For Android! Trojanized version of a legitimate application that is part threat, part doomsayer. The threat was embedded in a pirated version of an app called ‘Holy ***king Bible’, which itself has stirred controversy on multiple forums in which the app is in circulation. The malware targeted North American Users. After the reboot, it starts a service whichm at regular intervals, attempts to contact a host service, passing along the device’s phone number and operator code. It then attempts to retrieve a command from a remote location in intervals of 33 minutes. In addition to having abilities to respond to commands through the Internet and SMS, the threat also has activities that are designed to trigger on the 21 and 22 of May 2011, respectively (The End of The World). |
|
|
| May 31 2011 |
A brand new version of Android.DroidDream, dubbed DroidDreamLight, was found in 24 additional apps repackaged and redistributed with the malicious payload across a total of 5 different developers distributed in the Android Market. Between 30.000 and 120.000 users affected. |
|
|
Legend
Parallel Market
Android Market
Manual Install
Automatic Install of Apps
Send SMS or Calls to Premium Numbers
Server C&C
GPS Spyware
Related articles
- Nine Months Of Living Dangerously (paulsparrows.wordpress.com)
About The Author
Support My Work!
Share:
News
08/13/2011 - My Post on Android Malware Mentioned on Engadget.
04/14/2011 - The Article Smart Grid: L'ultima Frontiera del Cybercrime published on ICT Security Magazine May 2011.
03/14/2011 - Security Summit 2011: Paolo Passeri guest at Round Table "Mobile Security: Rischi, Tecnologie, Mercato"
02/14/2011 - The Article Gears of Cyberwar published on ICT Security Magazine January 2011.
Visitors from…
