This is a piece I wrote with my colleague Lee Chyen Yee on the ZTE vulnerability.
ZTE Corp, the world’s No.4 handset vendor and one of two Chinese companies under U.S. scrutiny over security concerns, said one of its mobile phone models sold in the United States contains a vulnerability that researchers say could allow others to control the device.
The hole affects ZTE’s Score model, which runs on Google Inc’s Android operating system, and was described by one researcher as “highly unusual.”
“I’ve never seen it before,” said Dmitri Alperovitch, co-founder of cybersecurity firm CrowdStrike. The hole, usually called a backdoor, allows anyone with the hardwired password to access the affected phone, he added.
F-Secure staff has found a malicious website that utilizes a spelling error when typing the name of the popular search engine – ‘Google.com’. If a user opens a malicious website, his/her computer gets hijacked – a lot of different malware gets automatically downloaded and installed: trojan droppers, trojan downloaders, backdoors, a proxy trojan and a spying trojan. Also a few adware-related files are installed.
The name of the malicious website is ‘Googkle.com’. PLEASE DO NOT GO TO THIS WEBSITE! Otherwise your computer will get infected! We have reported the case to the authorities.
I guess this kind of thing is more common than we realise. It seems to be a bunch of guys with Russian names who have registered a misspelling of the Google name (how many more are out there?) as a way to plant phishing and other malicious tricks on your computer. The website is still active at the time of writing.
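One way to answer “how many more are out there” is to enumerate the one-keystroke misspellings a squatter is likely to register and check a domain feed against them. The following is an added example, not F-Secure’s tooling or anything from the original post; the QWERTY neighbour map and the “observed” domain list are constructed for illustration, and the function names are my own.

```python
# Added example: generate single-keystroke misspellings of a brand name
# (omission, repetition, transposition, fat-finger substitution and
# adjacent-key insertion) and match an observed domain list against them.
# QWERTY_NEIGHBOURS assumes a US QWERTY layout; OBSERVED_DOMAINS is a
# constructed stand-in for a DNS or WHOIS feed.

QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}


def typo_variants(name: str) -> set:
    """Return the single-keystroke misspellings of ``name`` (lower-case letters only)."""
    name = name.lower()
    variants = set()
    for i, ch in enumerate(name):
        head, tail = name[:i], name[i + 1:]
        variants.add(head + tail)                  # omission:       google -> gogle
        variants.add(head + ch + ch + tail)        # repetition:     google -> gooogle
        if tail:                                   # transposition:  google -> googel
            variants.add(head + tail[0] + ch + tail[1:])
        for k in QWERTY_NEIGHBOURS.get(ch, ""):
            variants.add(head + k + tail)          # substitution:     google -> goofle
            variants.add(head + k + ch + tail)     # insertion before: google -> googkle
            variants.add(head + ch + k + tail)     # insertion after:  google -> googlke
    variants.discard(name)                         # the real name is not a squat
    return variants


def find_squats(brand: str, tld: str, observed_domains) -> list:
    """Return the observed domains that are typo variants of brand.tld, sorted."""
    candidates = {f"{v}.{tld}" for v in typo_variants(brand)}
    return sorted(d for d in observed_domains if d.lower() in candidates)


# Constructed list standing in for a registration feed; "googkle.com" is the
# domain named in the post, the others are made-up neighbours.
OBSERVED_DOMAINS = ["googkle.com", "google.com", "gogle.com", "gooogle.com", "example.com"]

if __name__ == "__main__":
    print(len(typo_variants("google")), "candidate misspellings of google")
    print(find_squats("google", "com", OBSERVED_DOMAINS))
```

“googkle” comes out of the adjacent-key insertion rule (k sits next to l), which is why that rule is worth keeping even though it roughly triples the candidate count; in practice the candidate set is what you would feed to a periodic DNS or WHOIS check rather than something to eyeball.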
Symantec say they’ve found the first Windows CE (PocketPC) backdoor Trojan, which they’re calling Backdoor.Bardor.A: “Once installed, the backdoor allows full control of the handheld system when it is restarted. When the infected handheld is connected to the Internet, the backdoor sends the attacker the IP address of the handheld device. It then opens port 44299 and waits for further instructions from the attacker.”
There are some limits: the backdoor only affects Pocket PC devices with ARM CPUs.
More on Korgo; I wish I could say it was the last. But the good news is that it does not seem to be the all-in-one ‘phishing worm’ F-Secure said it was.
F-Secure has clarified the situation over the Internet worm Korgo, which seems to answer some of the questions in my earlier posting. Korgo does not include a keylogger, nor any code to steal banking info. But, F-Secure says, “it seems that the Hangup Team (virus group behind the worm) is actively installing a keylogging trojan known as Padodor to the infected computers.” This is done via a backdoor left by Korgo.
Padodor collects anything typed into any web form, and specifically logs bank logins for users of some international banks. Padodor is not the same as Padobot, which is one of the aliases of Korgo. Bottom line, according to F-Secure: “Not all machines infected by Korgo have Padobot, and Padobot can be found on machines which are not infected by Korgo.” (In fact, I may be wrong, but I think F-Secure mean Padodor here: “Not all machines infected by Korgo have Padodor, and Padodor can be found on machines which are not infected by Korgo.” No?)
The thing here is that a worm does the distribution work, infecting computers. Then there’s the bot, or trojan, that is the payload. This is the bit that does the money-generating work. That can either be loaded onto computers as part of the original worm, or else it can be loaded later via the backdoor left by the original worm. So here F-Secure has mistakenly assumed the keylogging bit was part of Korgo, which it wasn’t.
I’m getting quite a few warnings about a new worm called Bagle, so I thought I’d pass them along. MessageLabs, an email security company, says it’s currently spreading at an alarming rate. The first copy of the worm was intercepted from Germany, and at the moment the majority of copies are being captured as they are sent from Australia. It seems to have several bits to it:
The worm arrives as an attachment to an email with the subject line ‘Hi’ and has a random filename, with a .exe extension. W32/Bagle-mm searches the infected machine for email addresses and then uses its own SMTP engine to send itself to the addresses found. The worm makes a poor attempt to lure users into double-clicking on the attachment by using social engineering techniques.
Further analysis suggests that the worm includes a backdoor component that listens for connections from a malicious user and can send notification of an infected system.
It also appears that the worm may attempt to download a Trojan proxy component, known as Backdoor-CBJ. This Trojan is able to act as a proxy server and can download other code which could be used for key-logging and password stealing.
Here’s some more evidence that the Sobig worms may be part of something more sinister: Central Command, a provider of PC anti-virus software and services, says its latest incarnation, Sobig.F, “is estimated to have infected millions of systems worldwide and may draw on them to be part of a cyber army focusing a digital assault against major online services”.
Here’s how it may work: When particular conditions are met, Worm/Sobig.F will attempt to download additional components of the attacker’s choice. The pre-configured conditions include performing tests to determine if the current day is Friday or Sunday between the hours of 19:00 (7PM) and 22:00 (10PM) UTC time. When these conditions are met, the worm will attempt to retrieve further instructions that may include the downloading and execution of a backdoor hacker program. Backdoors can allow someone with malicious intent to gain full control of the infected computer.
“The virus author(s) of Sobig have developed a predictable pattern of releasing new variants soon after the current version de-activates itself,” said Steven Sundermeier, VP Products and Services at Central Command, Inc. “If the past repeats itself we could be looking at a newly constructed creation shortly after September 10th. A potential risk is that the massive army created by Worm/Sobig.F could be used to launch an all-out attack on large Internet infrastructures, for example, by means of a Distributed Denial of Service attack (DDoS).”
This may never happen, as with the LovSan worm’s planned attack on Microsoft. But to make sure you’re safe, check you’ve not got the Sobig worm aboard and, if you have, remove it.
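The time-gated trigger above is the kind of thing a defender can watch for: outbound connections from a suspect host that cluster in the Friday/Sunday 19:00–22:00 UTC window. Below is an added example of that check, not Central Command’s code or anything from the original post. It treats the window as a half-open interval [19:00, 22:00) and assumes a log format of an ISO 8601 timestamp (with UTC offset) followed by the rest of the record; both are assumptions, and the log lines are constructed. The point worth noticing is the second sample line: the same instant logged by a machine on UTC-5 still lands in the window once normalised, whereas a naive local-time comparison would miss it.

```python
from datetime import datetime, timezone

# Added example: flag log events that fall inside Sobig.F's described
# activation window (Friday or Sunday, 19:00-22:00 UTC). The half-open
# interval and the "<timestamp> <src> -> <dst>:<port>" log format are
# assumptions made for this example.

TRIGGER_WEEKDAYS = {4, 6}      # datetime.weekday(): Monday=0 ... Friday=4, Sunday=6
TRIGGER_START_HOUR = 19        # inclusive, UTC
TRIGGER_END_HOUR = 22          # exclusive, UTC


def in_trigger_window(ts: datetime) -> bool:
    """True if a timezone-aware timestamp lies inside the window, evaluated in UTC."""
    if ts.tzinfo is None:
        # A naive timestamp is probably local time; silently treating it as UTC
        # would shift the window by the host's offset, so refuse it outright.
        raise ValueError("timestamp must be timezone-aware; the window is defined in UTC")
    utc = ts.astimezone(timezone.utc)
    return utc.weekday() in TRIGGER_WEEKDAYS and TRIGGER_START_HOUR <= utc.hour < TRIGGER_END_HOUR


def flag_window_events(log_text: str) -> list:
    """Return the log lines whose leading ISO 8601 timestamp falls inside the window."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, _rest = line.split(" ", 1)
        if in_trigger_window(datetime.fromisoformat(stamp)):
            flagged.append(line)
    return flagged


# Constructed outbound-connection log. 2003-08-22 was a Friday and 2003-08-24 a
# Sunday; the second line is the same instant as the first, recorded by a host
# whose clock is set to UTC-5. The ports and addresses are arbitrary.
SAMPLE_LOG = """\
2003-08-22T20:15:00+00:00 10.0.0.12 -> 203.0.113.5:8080
2003-08-22T15:15:00-05:00 10.0.0.12 -> 203.0.113.6:8080
2003-08-23T20:15:00+00:00 10.0.0.12 -> 203.0.113.7:8080
2003-08-24T21:59:00+00:00 10.0.0.30 -> 203.0.113.8:8080
2003-08-24T22:00:00+00:00 10.0.0.30 -> 203.0.113.9:8080
"""

if __name__ == "__main__":
    for event in flag_window_events(SAMPLE_LOG):
        print("in Sobig.F window:", event)
```

On the constructed log this flags three of the five lines: the two Friday-evening entries (one of them only after conversion from UTC-5) and the Sunday 21:59 entry, while the Saturday entry and the 22:00 entry fall outside the window as defined here.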
I got my first password-stealing trojan yesterday. My, they’re good. I’ve never shopped at Citibank (sorry, Ditta) but for a moment I thought that maybe I had. This was what the email looked like:
Thank you for your online application for a Citibank Home Equity Loan. In order to be approved for any loan application we pull your Credit Profile and Chexsystems information, which didn’t satisfy our minimum needs. Consequently, we regret to say that we cannot approve you for Citibank Home Equity Loan at this time.
*Attached are copy of your Credit Profile and Your Application that you submitted with us. Please take a close look at it, you will receive hard copy by mail withing next few days.
The email came with all the right headers, and my virus checker didn’t notice anything wrong, but the folks at Sophos have identified the attachment as a two-component backdoor Trojan, specifically Troj/Webber-A. The first component attempts to connect to http://www.joro71.addr.com, download a file to rtdx32.exe in the Windows system folder and execute it. The second is a password-stealing Trojan that attempts to extract sensitive information from several locations on the system and sends it to CGI scripts at http://weyrauch.addr.com. Yuck. Beware.