[ Security Alert ] 20 January, 2012 10:10

    On execution, RuFraud checks the country code of the SIM card (figures 1 and 2). If it matches one of the targeted countries, the trojan sends a premium-rate SMS after you click the "Next" button.  

Figure 1: Checking country code

 

Figure 2: Code snippet of the country check

If it does not match, the trojan runs a "normal" horoscope program or tries to download another APK (figure 3).

 

Figure 3: Try to download hxxp://91.213.175.148/app/angry.apk

The following table lists the targeted countries and the premium-rate SMS number used for each.

C.C.  Country             SMS Number
EE    Estonia             17013
CZ    Czech Republic      90901599
FR    France              81185
UA    Ukraine             7540
TJ    Tajikistan          1171
PL    Poland              92525
RU    Russian Federation  7781
LT    Lithuania           1645
LV    Latvia              1874
KG    Kyrgyzstan          4157
KZ    Kazakhstan          7790
IL    Israel              4545
GE    Georgia             8014
DE    Germany             80888
BY    Belarus             7781
AM    Armenia             1121
GB    Great Britain (UK)  79067
AZ    Azerbaijan          9014

 

By AegisLab 

 

[ Security Alert ] 19 January, 2012 16:51

    Recently, AegisLab found several variants of premium-rate SMS trojans called “OpFake” (a.k.a. FakeNotify) and “RuFraud”. These two families mainly target users in the Russian Federation and European countries. For example, see the following premium-rate SMS numbers:

  • Estonia  17013
  • Czech Republic 90901599
  • Ukraine 7540
  • Tajikistan 1171
  • Poland  92525
  • and more ...(see update)

    In order to earn money from premium-rate SMS, the trojan disguises itself as a famous app, like Angry Birds (see figures 1 and 2), or as a downloader/installer of well-known software, so that it looks like the 'real thing' (see figures 3 and 4). Some of these apps appear on third-party download sites, and some are repackaged, posted to the official Android Market, and used to lure unsuspecting people into installing them.

         

  Figures 1 and 2: RuFraud requesting the “send SMS” permission, and installing

 

 

Figure 3: Fake Android Market

 

 

Figure 4: Luring the user into downloading the “real thing” 

  

    AegisLab has released hundreds of the latest SMS trojan signatures for our Android AegisLab Antivirus Elite and Free users. Some of the premium-rate SMS trojans we have found are listed below by virus name and package name:

OpFake (a.k.a FakeNotify)

  • ad.notify1
  • com.registr.registrator
  • kk.android
  • midlet.com
  • com.pp.Download
  • opera.updater2
  • and more ...

 

RuFraud

  • com.Angry.Birds
  • com.Talking.Larry.Bird
  • com.Riptide.GP
  • com.Assassins.Creed
  • com.astrolog.shoot.birds.free
  • com.astrolog.sim.city.deluxe.free
  • com.astrolog.camera.reg.free
  • com.corazon.horoscope
  • com.Twilight.wallpapers
  • and more ...

 

By AegisLab  

[ Security Alert ] 12 January, 2012 17:39


    Hello my friends, @bulkneets found an interesting DOM-based XSS in http://jqapi.com ( https://twitter.com/#!/bulkneets/status/156620076160786432 )



The PoC exploit is --> http://jqapi.com/#p=<img src%3D/%20onerror%3Dalert(1)>

The root cause is in the following line in "js/main.min.js"
    a.p && r($('.sub a[href*="/' + a.p + '/"]:first'))

While executing, the value of a.p is <img src%3D/%20onerror%3Dalert(1)>.
jQuery interprets this string as the HTML tag:

  <img src%3d %20onerror%3dalert(1)>

As a consequence, the injected code is executed. Note that the injected code lives in the URL fragment (the part after the #), which the browser never sends to the server, so a WAF, firewall or IDS cannot see anything.

Always remember "jQuery is a sink". 
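As an added illustration (not code from the original post or from jqapi.com), the following reproduces jQuery's "is this string a selector or an HTML fragment?" decision and shows a hardened lookup that never concatenates the hash value into a selector. Assumptions: the regex follows the shape of jQuery 1.7's internal rquickExpr, and the entry-name whitelist and the sample anchor list are constructed for this example.

```javascript
// Shape of jQuery 1.7's internal rquickExpr (assumption: the exact regex
// differs between jQuery versions). If group 1 matches, $() parses the
// string as HTML instead of using it as a CSS selector.
const RQUICK_EXPR = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w-]*)$)/;

// Mimics the first decision jQuery(string) makes: HTML fragment or selector?
function jqueryTreatsAsHtml(str) {
  const m = RQUICK_EXPR.exec(str);
  return !!(m && m[1]);
}

// The vulnerable pattern from js/main.min.js: the hash value is concatenated
// straight into the selector string.
function vulnerableSelector(p) {
  return '.sub a[href*="/' + p + '/"]:first';
}

// The value of a.p once the PoC's URL fragment is decoded.
const POC_P = decodeURIComponent('<img src%3D/%20onerror%3Dalert(1)>');

// Hardened step 1: accept only characters an API entry name can contain
// (assumption about jqapi's naming scheme; adjust the whitelist to your data).
const SAFE_ENTRY = /^[A-Za-z0-9_.-]+$/;
function safeEntryName(p) {
  return SAFE_ENTRY.test(p) ? p : null;
}

// Hardened step 2: never build a selector from untrusted text. Take the
// candidate <a> elements (plain objects here so this runs without a DOM)
// and compare the href as a string.
function findEntryLink(anchors, p) {
  const name = safeEntryName(p);
  if (name === null) return null;
  const needle = '/' + name + '/';
  for (const a of anchors) {
    if (a.href.indexOf(needle) !== -1) return a;
  }
  return null;
}

// Constructed sample of the sidebar links.
const SAMPLE_ANCHORS = [
  { href: '/ajax/', text: 'ajax' },
  { href: '/attr/', text: 'attr' },
];
```

With the PoC value, the concatenated selector contains `<...>`, so jQuery would parse it as HTML; the hardened lookup rejects the value before any selector is built.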

 

By AegisLab 

[ General ] 11 January, 2012 11:31

    In 2011, AegisLab found over 14 million unique malware samples world-wide; most are Trojans, ranking #2 is packed/encrypted malware and #3 is porn malware. Please see the chart below for details:

Figure 1: Distribution by Types

Table 1: Detailed Distributions

 

by AegisLab 

[ General ] 11 January, 2012 10:54

    Per 2011 AegisLab statistics, we found 163,769 new malicious URLs, of which about 38.05% are download sites and the other 61.95% are hopping sites (incl. BlackHat SEO). As you can see, domains from the United States account for most of the malicious URLs; ranking #2 is South Korea and #3 is China. For more details, please see the following table and charts.

 

Figure 1: Distribution by Domains

Figure 2: Distribution by Types

Table 1: Detailed Distributions

 

 By AegisLab

[ Security Alert ] 02 January, 2012 11:35

    As we told you in "Security Alert 2011-12-02 SQL Injection Attack Again!", the number of infected pages/sites has increased dramatically, to 2 million!

Please check whether your site is infected: you can use Google to search your site for the keyword (<script src="hxxp://lilupophilupop.com/sl.php">).

  Earlier last month:

 

By AegisLab