[ Security Alert ] 20 January, 2012 10:10

Security Alert 2012-01-20: RuFraud Analysis Updated

    On execution, RuFraud will check the country code in SIM card (figure 1&2). If matched, it will send premium-rate SMS after you click the "Next" button.  

Figure 1: Checking country code

 

Figure 2: snipped codes of checking country 

If not matched, it will run a "normal" horoscope program or try to download another APK.(figure 3) 

 

Figure 3: Try to download hxxp://91.213.175.148/app/angry.apk

The following table lists the countries were targeted and SMS number respectively.

C.C. Country
 SMS Number
EE
 Estonia
17013
CZ
 Czech Republic
 90901599
FR
 France
 81185
UA
 Ukraine
 7540
TJ
 Tajikistan
1171
PL
 Poland
92525
RU
 Russian Federation
 7781
LT
 Lithuania
1645
LV
 Latvia
1874
KG
 Kyrgyzstan
4157
KZ
 Kazakhstan
7790
IL
 Israel
4545
GE
 Georgia
8014
DE
 Germany
 80888
BY
 Belarus
7781
AM
 Armenia
1121
GB
 Great Britain (UK)
 79067
AZ
 Azerbaijan
9014

 

By AegisLab 

 

(0) Comment  | [ (0) Trackbacks ] | [Permalink]
[ Security Alert ] 19 January, 2012 16:51

Security Alert 2012-01-19: Watch out the Premium-rate SMS Trojans!

    Recently, AegisLab found there are several variants of premium rate SMS trojans called “OpFake(a.k.a FakeNotify)and “RuFraud”. These two kinds of trojans mainly target on users in Russia Federation and European countries. For examples, please see the following premium-rate SMS numbers:

  • Estonia  17013
  • Czech Republic 90901599
  • Ukraine 7540
  • Tajikistan 1171
  • Poland  92525
  • and more ...(see update)

    In order to earn money from the premium-rate SMS, the trojan will fake itself as a famous app, like Angry Birds (see figure 1&2); or downloader/installer of well-known softwares, it looks like 'real thing' (see figure 3&4). Some of these kinds of apps appear on the third-party download sites, and some will repackage itself, post to the official Android Marketplace, and try to lure innocent people to install it.

         

  Figure 1 and 2: RuFraud asks “send SMS permission” and installing

 

 

Figure 3: Fake Android Market

 

 

Figure 4: Lure you to download some “real thing” 

  

    AegisLab has released hundreds of the latest SMS trojan signatures for our Android AegisLab Antivirus Elite and Free users. Some of what we have found as premium-rate SMS trojans is in the following list includes virus name and package name:

OpFake (a.k.a FakeNotify)

  • ad.notify1
  • com.registr.registrator
  • kk.android
  • midlet.com
  • com.pp.Download
  • opera.updater2
  • and more ...

 

RuFraud

  • com.Angry.Birds
  • com.Talking.Larry.Bird
  • com.Riptide.GP
  • com.Assassins.Creed
  • com.astrolog.shoot.birds.free
  • com.astrolog.sim.city.deluxe.free
  • com.astrolog.camera.reg.free
  • com.corazon.horoscope
  • com.Twilight.wallpapers
  • and more ...

 

By AegisLab  

(0) Comment  | [ (63) Trackbacks ] | [Permalink]
[ Security Alert ] 12 January, 2012 17:39

Security Alert 2012-01-12: DOM-based XSS in jqapi.com


    Hello my friends, @bulkneets found an interesting DOM-based XSS in http://jqapi.com ( https://twitter.com/#!/bulkneets/status/156620076160786432 )



The PoC exploit is --> http://jqapi.com/#p=<img src%3D/%20onerror%3Dalert(1)>

The root cause is in the following line in "js/main.min.js"
    a.p && r($('.sub a[href*="/' + a.p + '/"]:first'))

While executing, the value of a.p is <img src%3D/%20onerror%3Dalert(1)>.
jQuery interprets this string as the HTML tag:

  <img src%3d %20onerror%3dalert(1)>

As a consequence, the injected code is executed. BTW, the injected code is the hash, so WAF, firewall and IDS cannot see anything.

Always remember "jQuery is a sink". 

 

By AegisLab 

(0) Comment  | [ (0) Trackbacks ] | [Permalink]
[ General ] 11 January, 2012 11:31

General 2012-01-11: Distribution of Malware Types in 2011

    In 2011, AegisLab found over 14 million unique malwares wordl-wide, most are Trojan types, the ranking #2 is packed/encrypted malwares and the 3rd is porn malwares. Please see the chart below for details:

    

                        Figure 1: Distribution by Types

 

               

                         Table 1: Detailed Distributions

 

by AegisLab 

(0) Comment  | [ (0) Trackbacks ] | [Permalink]
[ General ] 11 January, 2012 10:54

General 2012-01-11: Global Domain Distribution of Malicious URLs in 2011

    Per 2011 AegisLab statistics, we have found 163,769 all new malicious URLs, about 38.05% are download sites and the other 61.95% are hopping sites(incl. BlackHat SEO). As you can see domains from United States are domanated most of the malicious URLs, ranking #2 is South Korea and #3 is China. For more details, please see the following table and charts.

 

                          Figure 1: Distribution by Domains

 

   

                           Figure 2: Distribution by Types

 

                

                         Table 1: Detailed Distributions

 

 By AegisLab

(0) Comment  | [ (0) Trackbacks ] | [Permalink]
[ Security Alert ] 02 January, 2012 11:35

Security Alert 2012-01-02: Mass SQL Injection Attack! (updated)

    As we told you in "Security Alert 2011-12-02  SQL Injection Attack Again!", the infected pages/sites are increasing dramatically to 2 million!

Please  watch out whether your site is infected or not, you can use Google to search your site by the keyword(<script src="hxxp://lilupophilupop.com/sl.php">).

  Earlier last month:

 

By AegisLab 

 

(0) Comment  | [ (2) Trackbacks ] | [Permalink]