To πρώτο Backdoor και άλλο κακόβουλο λογγισμικό για Android τον Απρίλιο 2011

The most interesting viral events in April were related to the Android platform which drew attention of virus makers. Beside that, the last month traditionally saw discovery of several vulnerabilities in Adobe products. As before, most popular news topics became the subject of spam e-mails and were exploited in fraud-schemes at social networking web-sites. This time spammers took advantage of the UK royal nuptials.

New mobile malware

In April the first full-fledged backdoor for Android was found and now there are already two well-known modifications of the program. Android.Crusewin makes use of a few new methods to spread itself and incorporates previously unknown payload. A victim receives a message similar to the following: Updated MMS / GPRS / EDGE configuration received. Follow the link to use the new configuration: http://.../flash/MM329.apk». When the victim clicks on the link they download a Trojan APK—an Android distribution package (software is available in this format at the Android Market).

Figure 1.

After installation the Trojan downloads its XML configuration file. This malicious program is equipped with a whole set of features. For example, it is capable of sending SMS on command from the server.

In the face of growing complexity of mobile operating systems and increasing performance of devices that run them, smartphone malware also become more complex and similar in their properties to viruses for PCs. Emergence of a program like Android.Crusewind has been anticipated for quite a while. We can assume that with the spreading of anti-virus software for mobile platforms, virus writers will implement in such Trojan horses features found in other classes of malware targeting the x86 platform such as rootkits.

Several new Trojan horses for the mobile OS Android were also discovered. New versions of Android.Spy and Android.SmsSend Trojan horses were found in the wild.

Android.Spy.54 was detected on the Chinese web-site www.nduoa.com that provides access to a collection of applications for the Android platform. The Trojan horse was a part of the program Paojiao - the widget, allowing to make calls or send SMS to selected numbers. Spreading with a legitimate program is a standard method for the malware family Android.Spy to compromise smart phones.

The new modification of Android.Spy registers a background service, which connects to the malicious site and sends victim's identity information (such as the IMEI and IMSI to criminals). In addition, the Trojan horse downloads an xml configuration file containing commands that make it start sending spam SMS from the compromised device and add certain sites to the browser bookmarks.

More vulnerabilities in Adobe products

Our March review described a critical vulnerability in Adobe software. Then the traditional for such vulnerabilities term 0-day literally turned into 0-week—the vulnerability was closed in a week while several exploit samples had already been made available on the Internet.

On April 8, 2011 the public became aware of a new vulnerability CVE-2011-0611, its detailed technical description and implementation instructions followed shortly afterwards. As it happened in the last incident, here we are talking again about embedding a Trojan horse SWF-object into MS Office documents (doc-files) and PDF files. Shortly users began receiving spam messages containing exploits of the vulnerabilities Exploit.Rtf.based and Exploit.PDF.2177.

Figure 2. Exploit.Rtf.based

Figure 3. Exploit.PDF.2177

Mass mailings and fake anti-virus software

Also, the last month saw mass mailings containing numerous modifications of a common Trojan horse Trojan.Download.64325. Several modifications of this downloader were found in two weeks. The Trojan horse downloaded Trojan.FakeAlert.20509 to the victim's computer. Its distribution was fascilitated through the BlackEnergy botnet. Analysis of the botnet activity has revealed a significant mailing list containing a large number of corporate email addresses belonging to, in particular, pharmaceutical companies, such as SecureMedical Inc. It implies that information from e-mail addresses database may have leaked into the hands of spammers.

Fraudulent links and schemes at social networking web-sites

Fraudsters operating on social networking web-sites continue to exploit the interest of users in top news stories, while ignoring any ethical standards. Several accidents in amusement parks were recorded on video and widely publicized. Subsequently, the news about the accidents was used by criminals as a topic for Facebook messages aiming to lure users into clicking on a malicious link.

Figure 4, 5. Newsletter describing the accident in the amusement park in the UK

In other cases the news about the royal wedding served as the bait. Here the user who clicked on such links got to a site, spreading fake anti-virus software.

Figure 6. Fraudulent links to news stories about the royal wedding in the UK

Figure 7. The fraudulent page

Figure 8. The interface of Trojan.FakeAlert downloaded by clicking on malicious links

Conclusion

It is certain now that a new target of virus attacks has been established. Attackers have shown a growing interest in mobile platforms. Currently techniques and experience gained by virus writers for the PC platform is being put to use to develop malware for Android which will grow in complexity and diversity. Most likely, in the near future attackers will also pay attention to the rival platform iOS.

Samples of Trojan horse software detected in April 2011 in e-mail traffic

 01.04.2011 00:00 - 30.04.2011 23:00 

1

Trojan.Tenagour.3

12454766 (27.22%)

2

Trojan.Inject.28090

4602849 (10.06%)

3

Trojan.Inject.27975

3548126 (7.75%)

4

Trojan.DownLoader2.22364

2805880 (6.13%)

5

Trojan.Inject.28053

2252602 (4.92%)

6

Trojan.DownLoad2.20306

1482644 (3.24%)

7

Trojan.DownLoader2.265

1111063 (2.43%)

8

Trojan.DownLoader2.17823

1098522 (2.40%)

9

Trojan.DownLoader2.1901

912229 (1.99%)

10

Trojan.DownLoader2.2035

797515 (1.74%)

11

Trojan.DownLoader2.2977

752502 (1.64%)

12

Trojan.DownLoader2.25029

653112 (1.43%)

13

Win32.HLLM.MyDoom.33808

629032 (1.37%)

14

Trojan.DownLoader2.10188

573559 (1.25%)

15

Trojan.DownLoader2.32597

563802 (1.23%)

16

Trojan.Fakealert.20459

552961 (1.21%)

17

Trojan.Inject.27968

536032 (1.17%)

18

Trojan.DownLoader2.16572

532366 (1.16%)

19

Trojan.DownLoad2.22234

526171 (1.15%)

20

Trojan.DownLoader2.30543

505686 (1.11%)

Total scanned:

32,697,947,759

Infected:

45,761,288 (0.14%)

Samples of Trojan horse software detected in April 2011 on users' computers.

 01.04.2011 00:00 - 30.04.2011 23:00 

1

Win32.Siggen.8

18929309 (25.86%)

2

JS.IFrame.95

18457256 (25.22%)

3

Win32.HLLP.Neshta

10341001 (14.13%)

4

Win32.HLLP.Novosel

7473876 (10.21%)

5

Win32.HLLP.Whboy.45

2744737 (3.75%)

6

Win32.HLLP.Whboy.101

2583200 (3.53%)

7

Trojan.Click.64310

1786547 (2.44%)

8

ACAD.Pasdoc

948927 (1.30%)

9

Win32.HLLP.Liagand.1

897812 (1.23%)

10

Trojan.MulDrop1.48542

685507 (0.94%)

11

Win32.HLLP.Whboy.105

580001 (0.79%)

12

HTTP.Content.Malformed

533596 (0.73%)

13

BackDoor.Ddoser.131

513468 (0.70%)

14

Win32.HLLP.Rox

423250 (0.58%)

15

Win32.HLLW.Shadow.based

213901 (0.29%)

16

Win32.HLLW.Autoruner.5555

161020 (0.22%)

17

Program.RemoteAdmin

155310 (0.21%)

18

Trojan.DownLoader2.35872

151285 (0.21%)

19

Exploit.Cpllnk

147664 (0.20%)

20

Trojan.DownLoader2.42597

143945 (0.20%)

Total scanned:

218,706,105,678

Infected:

73,187,388 (0.03%)


Dr.Web  |   AV-Desk  |   Νέα  |   Προϊόντα  |   Downloads  |   Επικοινωνία  |   Υποστήριξη

Doctor Web ©
2003 — 2010

Doctor Web is a Russian IT-security solutions vendor. Dr.Web anti-virus software has been developed since 1992. The leader on the Russian IT security services market, Doctor Web has been the first vendor that offered an anti-virus as a service in Russia. The company also offers proven anti-virus and anti-spam solutions for businesses, government entities, and personal use. We have a solid record of detecting malicious programs, and we adhere to all international security standards. Doctor Web has received numerous certificates and awards; our satisfied customers spanning the globe are clear evidence of the complete trust customers have in our products.


Powered by PenguinCity sa, Doctor Web distributor, tel:(+30) 210 38 25 413

Created by Webelements