Archive

Archive for the ‘Daily Thoughts’ Category

Virus Bulletin 2011

It’s 5:15 AM here in Barcelona and second day of the conference. For the past three years, I’ve been given an opportunity to present and discuss topic relating to malware or threats in Macs. And at the same time, attending VB conference allows you to meet, learn and discuss with fellow researcher sharing the same interest.

I have 30min. (11:20 – 11:50 am) this morning to discuss an interesting topic about Cyber attacks: how are Mac OS X and iOS users playing the role? The presentation is divided into two subtopics; I’ll first discuss Apple security defences and the financially motivated threats, then a topic that is complex because it’s beyond malware. However, in this forum, I’d like to draw attention and bring awareness of this subject.

Cyberattack is a form of threat motivated by ideals and belief, often responding to social and economic issues where people voluntarily participates and takes action as a response to an open call. Devices, system and application act as a tool and weapon – which aids in accomplishing a task or mission. Contrary to most people believe that threats are platform specific, and targets the biggest market share, this notion is not true. Attacks and threats today targets user’s data, the information space and user’s identity, and this occurs regardless of the platform.

On a sad note, I would like extend my deepest condolences and sympathy to a man of great spirit and high vision; his death is a great loss and his absence will surely be felt.

‘Olyx’ connection to Fake Apple Stores?

An interesting observation from a colleague, check out the digital certificate information of ‘Wolyx’ the Windows backdoor packaged with ‘Olyx’  below:

Issued By:      WoSign Code Signing Authority
Issued To:      CN, Yunnan, Kunming, Kunming Wuhua District YanXing Technology Sales Department, WoSign Class 3 Code Signing, Kunming Wuhua District YanXing Technology Sales Department
Effective On:   11/03/2009 00:00 
Expired On:     11/02/2012 23:59

The place where the revoked digital certificate was issued to was Kunming, Yunnan China.

In the news, you’ll notice that this is the same city of the fake Apple stores.  

China officials find 5 fake Apple stores in 1 city

BEIJING

A Chinese city government website says local trade officials have found five fake Apple stores in a southwestern city.

The Kunming government website says authorities in the city in Yunnan province took action against two of the stores, which were found to be operating without a business license.

[Read http://www.businessweek.com/ap/financialnews/D9OME9280.htm]

Officials close 2 of 5 fake Apple stores

KUNMING – Officials looking into the illegal sale of Apple gadgets say they are waiting for the electronics company to respond before they decide whether to close three more possibly unlicensed stores. [Read http://www.chinadaily.com.cn/usa/us/2011-07/26/content_12980613.htm]
Coincidence?

Backdoor ‘Olyx’

In my last blog post, I’ve discussed the early features of RAT ‘Blackhole’. Although, it was then in its early stage, I find this type of offensive development interesting due to the fact that they emerge and distribute as a hacking tool, with functional backdoor client-server mechanism.

Last month, we have spotted a new piece of malware, a backdoor server called ‘Olyx’. The file is a Mach-O binary and the traces of the working directory suggest that the Mac user name is ‘yxl’. So, this is where the name ‘Olyx’ came.

Backdoor ‘Olyx’ was spotted in a package called ‘PortalCurrent events-2009 July 5.rar”, where the content suggest that it was extracted from Wikipedia community portal current events 2009 July 5 page.  If you will visit the Wikipedia current events 2009 July 5 page, and compare the screenshot below, you’ll find it very similar.

However, the extracted page includes a folder which contains photos of the 2011 June 15th protest in Athens, Greece and alongside the two malicious binary executable:

There’s another folder called ‘Photo-Current events 2009 July 5’, which contains 21 (disturbing) photos.

Q: So, the question now is, what happened on ‘2009 July 5’ ?

The World Uyghur Congress website describes it,

On 5 July 2009, Uyghurs in Urumqi, the capital of East Turkestan, staged a peaceful protest which was suppressed by Chinese security forces and subsequently led to ethnic unrest in the city that left hundreds of people dead.

Q: Ok, that was 2 years ago right?

Yes, and in a press released titled “Worldwide Uyghur Protests on Second Anniversary of 5 July 2009″ describes the present,

On July 5, 2011 and in the days surrounding July 5th, the WUC called the Uyghurs in exile and their supporters around the globe to stage demonstrations and other actions to commemorate the second anniversary of one of the saddest and most tragic days in the history of the Uyghur people and of East Turkestan and to ensure that the world does not forget about the devastating plight of the Uyghur people.

So, there’s a call for an organized demonstration to remind the whole world of the 2009 event, and in support for Uyghur’s human rights and freedom.

Q: What’s the protest? This Facebook invitation page explains,

Approaching the second anniversary of these events, and despite international calls, no independent investigation into the incident has been allowed by the Chinese authorities and the number of people killed, detained, imprisoned, executed and disappeared remains unclear.

The activities surrounding this protest clearly took place in the cyberspace, resulting to attacks as described in press released titled  World Uyghur Congress (WUC) Victim of DDoS Cyber Attacks,

Approaching the second anniversary of the 5 July 2009 events, the World Uyghur Congress (WUC) has again been the victim of cyber attacks.

So, how do you think Backdoor ‘Olyx’ fits in this picture?

The discovery of this threat should remind Mac users to carefully consider security and the real-life consequences of getting pwned. Remember, this type of threats are on the mission, and this is not cybercriminal that monetize infection nor steals money.

Socially Engineered Threats

Socially engineered threats has been very active and in-the-wild for the past 48hours. Following the Eurosoft, Canadian Pharmacy and Porn sites spams, the internet viral activity is also observed spreading in Facebook.

The spammed URL redirects users to a Facebook looking website, where a malware is served. Although, Mac users are not directly targeted at the moment, it is important to be cautious especially ‘Boonana’ is known being spread via Facebook.

As observed, the viral activity seems to trigger the following:

  • Koobface known for spreading in social networks such as Facebook.
  • Sasfis/Oficla known as a spambot, spreading through email
  • Slenfbot and/or Rimecud for spreading in instant messengers

Along these malware families are the notable active threats such as TDSS, Zeus, Spyeye and FakeAVs.

Stay safe!

Malware Intelligence Report

“Crimeware 2009” extensive compilation of analysis, findings and intelligence  report  released in 262 pages, written by Jorge Mieres. [Refer this link]

2010 Security Outlook

In 2009, many in IT industry lost jobs because of the tremendous pressure to cut-cost – so companies could go through and survive the recession. However, not everything in IT were gloomy, IT services that are aligned to cost-reductions and value creation such as implementing virtualization, SaaS and cloud services are on the rise – and they are expected to grow in the coming year.

Because we’ve been in a difficult situation, where IT companies are expected to cut cost, maintain customers and at the same time, expected to adopt in changing market opportunity, many of us worked in survival mode. This provides opportunities for organized cyber criminals to take more steps in becoming sophisticated and expanding capabilities.

From Gartner futuristic security scenarios, “Perpetual Arm Race” is very close to what we have encountered this year, which I believe will continue in the next couple of years.

This is a perpetual fight where success changes sides. Hackers, cybercriminals, and criminal consortia invent and launch relentless and powerful attacks on enterprises and individuals. Enterprises and vendors relentlessly work on advancing protective measures, launch pre-emptive actions against hackers, and apply law and technology. Advanced technology laboratories exist inside vendors’ facilities, as well as inside criminal structures. Web business functions decently, but all necessary security precautions are taken.

Although, the “Security Nirvana” scenario is a good direction we look forward to.

The “good guys” prevail over the “bad guys.” Enterprises’ and vendors’ security specialists are always a few steps ahead of hackers. Security measures have created an impeccable shield around enterprises. Procured and subscribed software is “security bug-free.” This is a world without the fear of hackers. The entire world is happily and securely interconnected.

Yet another glorified bad behavior

“The author of the first iPhone worm “iKee” has been given a job with Australian iPhone app developer Mogeneration” [Read SC]

We’ve heard similar story early this year when the author of Twitter worm “Mikkey” landed a job  at exqSoft Solutions.

“adolescents engage in bad behaviour because they find benefits — such as the immediate gratification of peer acceptance — are worth the risks.”  as published in journal Psychological Science.

This trend tends to justify that crimes in the public interest are not prosecuted but instead glorified?