[ Security Alert ]
20 January, 2012 10:10
Security Alert 2012-01-20: RuFraud Analysis Updated
On execution, RuFraud checks the country code of the SIM card (figures 1 and 2). If it matches one of the targeted countries, the trojan sends a premium-rate SMS after the user taps the "Next" button.
Figure 1: Checking the country code
Figure 2: Code snippet of the country check
If it does not match, the trojan runs a "normal" horoscope program or tries to download another APK (figure 3).
Figure 3: Attempt to download hxxp://91.213.175.148/app/angry.apk
The following table lists the targeted countries and the premium-rate SMS number used for each.
C.C. | Country | SMS Number
EE | Estonia | 17013
CZ | Czech Republic | 90901599
FR | France | 81185
UA | Ukraine | 7540
TJ | Tajikistan | 1171
PL | Poland | 92525
RU | Russian Federation | 7781
LT | Lithuania | 1645
LV | Latvia | 1874
KG | Kyrgyzstan | 4157
KZ | Kazakhstan | 7790
IL | Israel | 4545
GE | Georgia | 8014
DE | Germany | 80888
BY | Belarus | 7781
AM | Armenia | 1121
GB | Great Britain (UK) | 79067
AZ | Azerbaijan | 9014
By AegisLab
[ Security Alert ]
19 January, 2012 16:51
Security Alert 2012-01-19: Watch out the Premium-rate SMS Trojans!
Recently, AegisLab found several variants of premium-rate SMS trojans called "OpFake" (a.k.a. FakeNotify) and "RuFraud". These two kinds of trojans mainly target users in the Russian Federation and European countries. For example, see the following premium-rate SMS numbers:
- Estonia 17013
- Czech Republic 90901599
- Ukraine 7540
- Tajikistan 1171
- Poland 92525
- and more ... (see update)
In order to earn money from premium-rate SMS, the trojan disguises itself as a famous app, such as Angry Birds (see figures 1 and 2), or as a downloader/installer of well-known software that looks like the 'real thing' (see figures 3 and 4). Some of these apps appear on third-party download sites; others are repackaged, posted to the official Android Market, and used to lure unsuspecting people into installing them.
Figures 1 and 2: RuFraud asks for the "send SMS" permission and installs
Figure 3: Fake Android Market
Figure 4: Lures you into downloading some "real thing"
AegisLab has released hundreds of the latest SMS trojan signatures for our Android AegisLab Antivirus Elite and Free users. The following list gives the virus name and package names of some of the premium-rate SMS trojans we have found:
OpFake (a.k.a. FakeNotify)
- ad.notify1
- com.registr.registrator
- kk.android
- midlet.com
- com.pp.Download
- opera.updater2
- and more ...
RuFraud
- com.Angry.Birds
- com.Talking.Larry.Bird
- com.Riptide.GP
- com.Assassins.Creed
- com.astrolog.shoot.birds.free
- com.astrolog.sim.city.deluxe.free
- com.astrolog.camera.reg.free
- com.corazon.horoscope
- com.Twilight.wallpapers
- and more ...
By AegisLab
[ Security Alert ]
12 January, 2012 17:39
Security Alert 2012-01-12: DOM-based XSS in jqapi.com
Hello my friends, @bulkneets found an interesting DOM-based XSS in http://jqapi.com ( https://twitter.com/#!/bulkneets/status/156620076160786432 )

The PoC exploit is --> http://jqapi.com/#p=<img src%3D/%20onerror%3Dalert(1)>
The root cause is the following line in "js/main.min.js":
a.p && r($('.sub a[href*="/' + a.p + '/"]:first'))
At execution time, the value of a.p is <img src%3D/%20onerror%3Dalert(1)>.
jQuery interprets this string as the HTML tag:
<img src%3d %20onerror%3dalert(1)>
As a consequence, the injected code is executed. Because the injected code sits in the URL fragment (the hash), which the browser never sends to the server, a WAF, firewall or IDS cannot see anything.
Always remember "jQuery is a sink".
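To show why the hash value reaches an HTML sink and how a whitelist stops it, here is an added example in plain JavaScript; it is not jqapi.com's code. The regular expression is the quickExpr that jQuery 1.x used before 1.9, which treats a string containing a <tag> anywhere as an HTML fragment rather than a selector. parseHashParams, buildSelectorUnsafe, buildSelectorSafe and PAGE_KEY_RE are hypothetical names, and the parser's URL-decoding of the fragment is an assumption about how the site reads location.hash.

```javascript
// Added example (not jqapi.com's code): why "#p=<img ...>" becomes HTML in
// jQuery 1.x, and a whitelist that keeps the hash value out of the sink.

// quickExpr from jQuery 1.x before 1.9: a string with <tag> anywhere is HTML.
const LEGACY_JQUERY_HTML_RE = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// Parse "#p=value&x=y" into an object. Assumption: the fragment is URL-encoded
// and the application decodes it, as the PoC's %3D / %20 suggest.
function parseHashParams(hash) {
  const out = {};
  const body = hash.startsWith('#') ? hash.slice(1) : hash;
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const idx = pair.indexOf('=');
    const key = idx === -1 ? pair : pair.slice(0, idx);
    const raw = idx === -1 ? '' : pair.slice(idx + 1);
    let value;
    try { value = decodeURIComponent(raw); } catch (e) { value = raw; }
    out[key] = value;
  }
  return out;
}

// The vulnerable construction from main.min.js: untrusted a.p is concatenated
// straight into the string handed to $().
function buildSelectorUnsafe(p) {
  return '.sub a[href*="/' + p + '/"]:first';
}

// Would legacy jQuery parse this string as HTML instead of as a selector?
function legacyJqueryTreatsAsHtml(s) {
  const m = LEGACY_JQUERY_HTML_RE.exec(s);
  return Boolean(m && m[1]);
}

// Hardened variant: the page key is a path segment of the documentation, so
// only allow that character set and refuse anything else before it reaches $().
const PAGE_KEY_RE = /^[A-Za-z0-9_.-]+$/;
function buildSelectorSafe(p) {
  if (typeof p !== 'string' || !PAGE_KEY_RE.test(p)) return null;
  return '.sub a[href*="/' + p + '/"]:first';
}

// Walk the PoC from the post through both constructions.
function demo() {
  const params = parseHashParams('#p=<img src%3D/%20onerror%3Dalert(1)>');
  return {
    p: params.p,
    unsafeIsHtml: legacyJqueryTreatsAsHtml(buildSelectorUnsafe(params.p)),
    safeSelector: buildSelectorSafe(params.p),
  };
}

console.log(JSON.stringify(demo()));
```

With the whitelist in place the PoC value is rejected before any string reaches $(), so the fix does not depend on jQuery's version; note that jQuery 1.9 and later only treat strings that begin with < as HTML, which narrows but does not remove this class of sink.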
By AegisLab
[ General ]
11 January, 2012 11:31
General 2012-01-11: Distribution of Malware Types in 2011
In 2011, AegisLab found over 14 million unique malware samples worldwide. Most are Trojans; packed/encrypted malware ranks #2, and porn malware ranks third. Please see the chart below for details:
Figure 1: Distribution by Types
Table 1: Detailed Distributions
by AegisLab
[ General ]
11 January, 2012 10:54
General 2012-01-11: Global Domain Distribution of Malicious URLs in 2011
According to AegisLab's 2011 statistics, we found 163,769 new malicious URLs; about 38.05% are download sites and the other 61.95% are hopping sites (including BlackHat SEO). Domains from the United States dominate the malicious URLs, with South Korea ranking #2 and China #3. For more details, please see the following table and charts.
Figure 1: Distribution by Domains
Figure 2: Distribution by Types
Table 1: Detailed Distributions
By AegisLab
[ Security Alert ]
02 January, 2012 11:35
Security Alert 2012-01-02: Mass SQL Injection Attack! (updated)
As we told you in "Security Alert 2011-12-02 SQL Injection Attack Again!", the number of infected pages/sites has increased dramatically, to 2 million!
Please check whether your site is infected: you can use Google to search your site for the keyword (<script src="hxxp://lilupophilupop.com/sl.php">).
Earlier last month:
By AegisLab