More Android Smartphone Malware Found, Removed from Marketplace

Kaspersky, makers of Kaspersky Antivirus just posted a lengthy piece on  new Android Malware called the "Plankton Trojan".

Originally discovered by Xuxian Jian (Assistant Professor and his research team at the Department of Computer Science, NC State University), his report on the Android malware disconcertingly begins,
This spyware does not attempt to root Android phones but instead is designed to be stealthy by running the payload under the radar.

"In fact, Plankton is the first one that we are aware of that exploits Dalvik class loading capability to stay stealthy and dynamically extend its own functionality.

"Our investigation indicates that there are at least 10 infected Android apps in the Official Android Market from three different developers.

"Its stealthy design also explains why some earlier variants have been there for more than 2 months....

What does this mean?

For starters, it means that the bad guys have found a way to get onto your Android without requiring "root" access, which means that it's able to evade detection and avoid tripping the warning screens and whatnot that you'd expect to see.

The report details how this application silently hooks into the phone, downloads in the background more things it needs to run, and uploads information about your account to computers the bad guys control.

Kasperksy's analysis revealed,
...the virus does not provide root exploits, but supports a number of bot-related commands.

"One interesting function is that the virus can be used collect information on users’ accounts.
What exactly the bad guys are doing with the botnet either isn't yet clear or isn't yet being revealed by Professor Jiang or Kaspersky. And for that matter what they're doing with the users' data isn't clear/revealed either.

This may be a case where they're just trying to test the waters and see what kind of flags they raise and what kind of information they can glean from users.

Regardless, it's definitely cause for some concern amongst users and antivirus researchers alike, as it will require the AV companies to rethink some of their strategies in protecting phones.

What's Google Doing about it?

According to the piece by Kaspersky,
Google has historically taken a hands-off approach to policing the Android Marketplace.

"It will suspend and remove suspicious or malicious applications when they're reported, but does not vet applications prior to posting them, as Apple does with its AppStore.

"A growing population of Android users and burgeoning Android Marketplace, however, may challenge that approach.


DOJ and FBI flex muscles: Takedown of international botnet

Paul Roberts from Threat Post brings news in the battle against botnets: The Coreflood Trojan botnet takedown.

The U.S. Department of Justice stated Wednesday that they'd taken steps to disable an international botnet of over 2 million infected PCs. What's significant about this botnet is that it was stealing corporate data including user names and passwords and other financial data.

According to a statement from the U.S. Attorney's office for the District of Connecticut, thirteen defendants were charged in a civil complaint. A total of 29 domain names were seized in a raid connected to malware--code named "coreflood" --on machines attempting to communicate with the command and control servers.

The "coreflood" malware is believed to have been originated out of Russia and has been active for  ten years, which is staggering and unbelievable in-and-of itself. The DOJ said it had received a temporary restraining order allowing it to disable the malware.

This crackdown is considered to be one of the largest actions taken by U.S. law enforcement against an international botnet Trojan virus. In the past year, a similar botnet takedown was driven by the private sector (Micrsoft and FireEye).

[Editor's Note: See our prior post: Microsoft Working to Take Down Win32/Rustock Botnet. This crackdown against the "coreflood" malware and command and control servers mirrored the efforts by Dutch authorities that disabled Bredolab botnet back in October.]

According to the U.S. Attorney's office, five command and control servers were halted, plus the 29 domain name sites that communicated to these C&C servers.

The government replaced the C&C servers with substitute servers to prevent Coreflood from causing further injury to the owners and users of infected computers and other third parties. While the infected machines were not disinfected of the malware, of course, the hope is that security software providers will develop tools to remove the coreflood malware and that victims will update their antivirus definitions.


Microsoft Working to Take Down Win32/Rustock Botnet

Microsoft's Jeff Williams gives an update on Microsoft's part in continued action to eradicate the Win32/Rustock botnet.

Over a year ago Microsoft marshalled a unique botnet-fighting team. Made up of others in industry and some folks in academia, they used a combination of legal and technical means to  take control of the Win32/Waledac botnet as the first milestone action in project MARS (Microsoft Active Response for Security.)

A similar action in the past couple of days has had its legal seal opened that allowed Microsoft to talk more openly about the Win32/Rustock botnet.

Sure, Waledac was a simpler and smaller botnet than Rustock, but because of lessons learned with it, Microsoft was able to take on the much larger Rustock botnet.

Rustock is estimated to've infected over a million computers and was spewing out millions of spams daily

In fact, some statistics have suggested that at its peak, Rustock accounted for a staggering 80% of all spam traffic in volume and were sending at a rate of over 2,000 messages per second.

What was so impressive in the botnet takedown was the scope of things: the seizure of command and control servers was under court order from the U.S. District Court for the Western District of Washington; the order was carried out by the U.S. Marshals Service and by authorities in the Netherlands.

That alone would be a fairly big deal, but here's the kicker: investigators are now going through evidence seized from five hosting centers in seven locations to learn more about those responsible and their activities.

This was a collaboration with others such as Pfizer (whose brands were infringed on from fake-pharma spam coming from Rustock), FireEye, and the University of Washington.

All three gave valuable statements to the court on the behaviors of Rustock and also the specific dangers to public health which is in addition to those effecting the Internet.

On Microsoft's side, the efforts are represented by a partnership between Microsoft's Digital Crimes Unit, the Microsoft Malware Protection Center, and Microsoft Trustworthy Computing.

We applaud Microsoft and its partners for pulling this off. Their continued work with CERT and ISPs around the world is the only way to reach those whose computers are infected and help defeat and remove these viruses.


Bredolab Trojan Botnet Dismantled

After infecting what's estimated to be 30,000,000 computers, the Bredolab Trojan, one of the worst ones ever to see the light of day, has been dismantled.

According to the official press release about dismantling the Bredolab Trojan Botnet from the Dutch authorities,

At the request of the Dutch Public Prosecution Service, Armenian police arrested the probable mastermind behind the criminal Bredolab botnet network at the international airport in Yerevan today.

A piece at The Register about the Bredolab dismantling describes the outcome saying, Infected machines remain pox-ridden but the command system associated with the cybercrime network has been decapitated, following an operation led by hi-tech police in The Netherlands.

That's good news, and clearly, capturing this individual and dismantling Bredolab is a big deal. Both the size and and horrible effects of this trojan make its destruction an especially big deal.

The Register piece goes on to say, Bredolab allow[ed] criminals to capture bank login details and other sensitive information from compromised machines, has infected an estimated 30 million computers worldwide since its emergence in July 2009.

This means if your computer has an infection, you'll need to take action immediately, including:

  1. contact your bank(s)
  2. contact your credit card(s)
  3. run a full antivirus scan of your PC
Once Bredolab was taken apart, the authorities used the botnet to send Bredolab infection notifications to the infected PCs.

One last thought: if you find you've gotten a notification like the one above, you might be well served to contact your financial institutions by phone for the time being so you can be sure your personal and financial information is safe 'til you can be certain you've gotten complete virus removal and your computer is clean.


Mega-D Spam Botnet Disabled

Score 1 for the good guys!

PCWorld bring news of how security company FireEye brought down the Mega-D Botnet, one of the most notorious spam spewing botnets to date.

Atif Mushtaq, a FireEye researcher, spent two years working to keep their clients' networks free of the dreaded malware, and in doing so,

"...he learned how its controllers operated it.

"Last June, he began publishing his findings online.

"In November, he suddenly switched from defense to offense. And Mega-D--a powerful, resilient botnet that had forced 250,000 PCs to do its bidding--went down."

Obviously, taking on something of this scope isn't a small task, and according to the piece at PCWorld, Mushtaq and two colleagues began their efforts by going after the Mega-D command infrastructure in an effort to prevent the botnet from getting--or issuing--further instructions to the PCs that had been infected with their malware.

The story of how these guys took on Mega-D really is pretty incredible. They began by contacting the ISPs that hosted the botnet servers. It's easy for some to blame the ISPs hosting the servers, but the reality is that in large ISPs and datacenters, the datacenters know little about what happens on their servers. How can they?

As far as most datacenter owners are concerned, their customers are good customers, hosting legitimate websites. Setting up a legitimate website--or many--is easy cover for the malware operators: show the datacenter staff the legit sites and then secretly also host your bad stuff at the same place.

It's not rocket science.

So, having contacted the ISPs, which Mushtaq's research showed were mostly based in the United States, with one in Turkey and another in Israel.

For unknown reasons the foreign ISPs declined to take down the servers, but those in the U.S. complied.

Given the lack of cooperation from the foreign ISPs, they took another approach and contacted the domain registrars, which agreed to point Mega-D's existing domain names to nowhere.

Given that most registrars remain neutral in things like this, this was quite a win, and it meant,

"By cutting off the botnet's pool of domain names, the antibotnet operatives ensured that bots could not reach Mega-D-affiliated servers that the overseas ISPs had declined to take down."

The last part was getting the rest of the domains that Mega-D had queued to use, which the registrars then pointed to FireEye's servers so the good guys could then assume control of the botnet's last-ditch command-and-control efforts.

According to logs setup on the FireEye servers, they estimated that the botnet consisted of about 250,000 Mega-D-infected computers.

As for what this all means in the big picture, it means a few things:

  1. Botnets aren't impervious to being taken down
  2. Cooperation from ISPs, and ultimately domain registrars, too, can be a critial component in shutting down these botnets
  3. Wresting control from the malware operators is a tough job, and even given their diligent efforts, it was a long, hard task to do
  4. In addition to keeping your PC and your software patched, there's no substitute for having the best antivirus firewall software installed and running, since Internet security suites can prevent many infections in the first place and clean-up your computer if you're already infected.

And, as for what it means to've taken down Mega-D,

"MessageLabs, a Symantec e-mail security subsidiary, reports that Mega-D had 'consistently been in the top 10 spam bots' for the previous year (find.pcworld.com/64165).

"The botnet's output fluctuated from day to day, but on November 1 Mega-D accounted for 11.8 percent of all spam that MessageLabs saw.

"Three days later, FireEye's action had reduced Mega-D's market share of Internet spam to less than 0.1 percent, MessageLabs says."

All-in-all, it's good news--and a good day--for those of us who hate spam and for those of us who're trying to keep our PCs free of viruses, trojans, worms, and any other malware.


Conficker: 1 Year Later, 7 Million Infected

"'The only thing I can guess at is the person who created this is scared,' said Eric Sites, chief technology officer with Sunbelt Software and a member of the working group.

"'This thing has cost so many companies and people money to get fixed, if they ever find the guys who did this, they're going away for a long time.'"

This from a Network World write-up on Conficker, 1 year later.

What a lot of folks find perhaps most interesting about Conficker is,

"Despite its size, Conficker has rarely been used by the criminals who control it.

"Why it hasn't been used more is a bit of a mystery.

"Some members of the Conficker Working Group believe that Conficker's author may be reluctant to attract more attention, given the worm's overwhelming success at infecting computers."

Regardless of whether or not it has been used a lot 'til now, the fact of the matter is, that the Conficker Working Group estimates 7 million PCs have been infected thus far with variants A and B of the worm.

Another thing that caught our eye about the worm was that it's apparently very (perhaps most?) common in China and Brazil, which according to the Network World piece (although we could not confirm this) cites the Conficker Working Group, as,

"suspect[ing] that many of the infected PCs are running bootlegged copies of Microsoft Windows, and are therefore unable to download the patches or Microsoft's Malicious Software Removal Tool, which could remove the infection."

This policy of Microsoft's is definitely a subject of some debate.

Clearly, regrettably, a lot of people pirate Microsoft's software; that Microsoft in effect actually punishes others by helping to perpetuate the worm by refusing to allow the pirates to update their copies of Windows (or download the Malicious Software Removal Tool), really doesn't make sense.

Microsoft's belief, no doubt, is that if pirates can't use their computers because of the worms, they'll wise-up and buy legitimate copies of Windows.

I doubt it.

If a computer is infected, the solution to the pirate is most often just to re-install their OS from scratch if needed and to take other steps (i.e. like installing antivirus software) to prevent re-infection. Others just think their computers are slow and don't know why or ignore the worm altogether and go on about their day.

Whatever the case in the mean time though, by preventing updates, Microsoft's policy allows Conficker to spread, grow, and perpetuate.


Conficker Sill Active

Back in March 2009 the worm Conficker gained notoriety for its countdown-to-activation.

We covered Conficker and removing Conficker quite extensively before and after the launch date, and now about six months later, it unfortunately comes as no surprise that systems are still being infected by it.

In fact, Kaspersky Antivirus, who publishes a list of the top malware stats every month in September 2009 still has Conficker in its various forms (called 'Net-Worm.Win32.Kido' by Kaspersky) occupying three of the top 20 malware spots.

The folks at Viruslist.com, who (along with a ton of other things) report on Kaspersky's malware statistics, go on to point out that, Kido (Conficker) remains active. Kido.ih, the leader of this Top Twenty for the last six months, has been joined by another variant, Kido.ir, which is a newcomer to the rankings

Removing Conficker isn't easy and many antivirus software vendors had a tough time getting a handle on how to remove the worm from infected PCs, but as far as we know every major antivirus program today is now capable of stopping and removing Conficker/Kido.

This is part of the reason, no doubt, why the authors of Conficker continue to write new versions: to try to thwart the A/V programs from stopping and removing their worm.

Regardless of whether or not your PC has been infected, make no mistake: just because it has been six months since Conficker's activation date, it's still a real threat, and if your PC is unpatched, all you have to do is be connected to a network (or the Internet) where there are other infected machines for yours to be at risk of infection, too.

This threat is all but eliminated if you're running any of the best firewall antivirus software or Internet security suites.

Lastly, as a reminder, do make sure your PC is has the latest patches. It typically takes just a few minutes to apply the patches and after a reboot (sometimes two!) you're in business.

Prior coverage of Conficker


Computer Security Researchers Take Control of a Botnet

We got wind today of a research project out of the University of California Santa Barbara (UCSB) that took over one of the most notorious botnets, Mebroot.

In an article on the takeover of the Mebroot botnet, the scope of the Mebroot problem is revealed: They found more than 6,500 websites hosting malicious code that redirected nearly 340,000 visitors to malicious sites.

Mebroot gained notoriety for taking over legitimate web sites and infecting those sites with malicious javascript code.

The idea behind such an attack was for the cybercriminal botnet operators to have a massively distributed network for attacking PCs visiting a range of legitimate websites, and thus for it to be much, much harder to stop and much, much more likely to be a stable place for them to get more end users' PCs to do their real bidding: cybercrime.

"'Once upon a time, you thought that if you did not browse porn, you would be safe,' says Giovanni Vigna, a UCSB professor of computer science and one of the paper's authors.

"'But staying away from the seedy places on the Internet is no longer an assurance of staying safe.'"

So the botnet worked like this:

  1. Take over legimate websites
  2. Infect these legimate websites with hidden malicious javascript that redirects visitors going to the legitimate sites to illegitimate websites where
  3. End users' PCs are then infected via a drive-by-download that silently takes over the visitors computer
  4. Use these end users' infected PCs to perform their cybercrimes (i.e. credit card theft, password theft, bank fraud, identity theft, etc.)

The article closes with this not-so-surprising detail:

"The researchers also discovered that nearly 70 percent of those redirected by Mebroot--as classified by Internet address--were vulnerable to one of almost 40 vulnerabilities regularly used by the most popular infection toolkits designed to compromise computer systems.

"About half that number were vulnerable to the six specific vulnerabilities used by the Mebroot toolkit.

"The research suggests that users need to update more often, says UCSB's Vigna.

"'Patches are very good at reducing the exposure of the end users, but users are not very good at updating their system,' he says."

The notion of patching more frequently is one we've covered in our site numerous times, and it's a message that warrants repeating regularly.

Why computer users, regardless of whether or not they're running the latest antivirus firewall software or not, don't do so is puzzling.

Updating your OS is an extremely simple process and is well worth the few minutes of time it takes in most cases. (Even when it takes longer, it's still worth it vs. the consequences of not doing so, and having your computer be more susceptible to takeover.

Here's how:

  1. Open Internet Explorer
  2. Click 'Tools' in the upper menu
  3. Click 'Windows Update'
  4. Click Express Update (or Custom Update to get full details on what you're updating
  5. Install any updates that Microsoft recommends

 Typically, you'll have to reboot after this. Then do it again, as some updates cannot be installed concurrently with others, so sometimes a couple of update cycles are needed.


9% of Enterprise Computers are Bot-Infected

One of the most common misconceptions about computers in a business environment is that somehow, perhaps because of corporate firewalls, perhaps because of the presence of IT professionals in an office, office computers there are immune to virus, bot, worm, and other malware infection.

There's very much a mistaken attitude of, "It's not like *my* office could get a virus!"

In fact, because office machines are typically connected via high-speed (or even very high speed) Internet connection, they may actually be more prone to these types of infections. Why?

High-speed connections are more desirable for those running the botnets and malware than a single machine on its own cable modem or DSL. Furthermore, once one of these machines that is behind a firewall, even very, very good ones, it's much easier for worms and the like to spread because once their behind the firewall, leaping from machine to machine is far easier than trying to penetrate through the firewall to get to them.

Put another way, once they're in, they're in.

A very interesting article on botnets on darkREADING.com discusses how things are shifting to target enterprises. According to the piece Up to 9% of machines in an enterprise are bot-infected.

What's even more interesting is how the new bots are actually being targeted towards the enterprise.

"The bad guys are also finding that deploying a small botnet inside a targeted organization is a more efficient way of stealing information than deploying a traditional exploit on a specific machine.

"And Ollmann says many of the smaller botnets appear to have more knowledge of the targeted organization as well.

'They are very strongly associated with a lot of insider knowledge...and we see a lot of hands-on command and control with these small botnets.'"

That's just the start, too. What it appears these new botnets are doing often is acting to steal information from the organization.

The article goes on to say, quoting Gunter Ollman further, is

"'I suspect that a sizable percentage of small botnets are those developed by people who understand or are operating inside a business as employees who want to gain remote access to corporate systems, or by criminal entities that have dug deep and gotten insider information on the environment.

"The reason why we know this is the way the malware is constructed -- how it's specific to the host being targeted -- and the types of command and control being used. '

"Bot agents are often hard-coded with the command and control channel" so they can bypass network controls with a user's credentials.'

One of the key things from this piece is that these botnets are actually using users' credentials--their usernames and passwords--on the networks to further penetrate the network and get what they're after.

 While we're definitely fans of firewalls--harware and software--it's clear that there's still need for running the best antivirus software and antispyware that your company can afford to help prevent and ferret out these botnet infestations.

Furthermore, while the article is specifically about hand-crafted bots, there's still risk from traditional garden-variety botnets and other malware threats, and here again, good antivirus firewall software can often serve as a last line of defense, even in the presence of a robust enterprise-grade firewall.


Stopping Malware: ISPs Cutting Off Internet Access to Malware Infected Computers

Malware in all its forms, viruses, worm, trojans, keyloggers, botnets, spyware, and even adware, is for most individuals and businesses unpleasant at best and a nightmare at worst.

Once your PC has been infected, cleaning up the mess the malware leads behind can be easier said than done.

For better or worse, realizing your computer has been compromised is often difficult if not impossible. It can't be said too often that preventing the malware/virus infection in the first place should be your first priority in computer security:

  1. Be smart about what you do online.
  2. Keep your PC updated with Windows Update
  3. Install (and run!) antivirus software or an Internet security suite

In an effort to deal with those computers that have been infected, Australia's Internet Industry Association (IIA)

"has drafted a new code of conduct that suggests Internet Service Providers (ISPs) contact, and in some cases, disconnect customers that have malware-infected computers."
  1. Identify compromised/infected computers
  2. Contact customer with infected computer(s)
  3. Provide information/advice on how to fix infected computer(s)
  4. Report / alert about serious large-scale threats (including ones that make effect national security)

Some believe this shifts the onus onto the ISPs to ensure their customers PCs are malware free; however, given that the IIA is also calling for unresponsive customers (or ones involved in large-scale threats) to have their Internet access suspended, it really puts it onto the consumer, where I believe it really belongs. Here's why:

If your machine does have a virus, worm, or other malware, you may lose your Internet access 'til you get it cleaned up.

Given how cheap even the best antivirus firewall software is, risking your Internet access to save a few bucks on Internet security software doesn't make sense--especially given that you'd need Internet access to download software to clean up an infected PC.

No matter how you slice it, the ISPs realize what a threat viruses and other malware are and are going to take whatever steps they can to protect themselves, their customers, and their infrastructure. Seems like smart business to me.