[ Security Alert ] 31 May, 2012 16:30

    A new worm called "Flame" (also known as Flamer or Skywiper) is spreading in Middle Eastern government networks. AegisLab has collected several Flame/Skywiper samples. To stay protected, we advise our customers to update to the latest signatures.

     "Flame" Aliases:

  • Win32:Skywiper-D [Avast]
  • Worm/Pakes.ATI [AVG]
  • TR/Flamer.A.2 [AntiVir]
  • Trojan.Flame.A [BitDefender]
  • Worm.Flame [ClamAV]
  • Win32.HLLW.Flame.1 [Dr. Web]
  • Worm.Win32.Flame!IK [Emsisoft]
  • Win32/Flamer.A worm [eset]
  • W32/Flamer.A [F-PROT]
  • Trojan.Flame.A [F-Secure]
  • Trojan.Flame.A [G-Data]
  • Worm.Win32.Flame [Ikarus]
  • Worm.Win32.Flame.a [Kaspersky]
  • W32/Flame-Gen [Sophos]
  • Trojan.Flame.A [VirusBuster]

By AegisLab

[ Security Alert ] 24 May, 2012 11:15

    AegisLab found that a new hacking group, TheWikiBoat, is launching DDoS attacks against BPI (the British Recorded Music Industry) in protest against ACTA. In TheWikiBoat's words: "...the High Court of the United Kingdom has ordered all ISPs to block The Pirate Bay, this is all because of BPI which is the "representative voice of the UK recorded music business". The Pirate Bay is simply a search engine for torrents, it's like blocking Google for displaying search results. Therefore TPB has done nothing illegal, and is being wrongly shut down..." (see Figure 1).

   TheWikiBoat has also set up a web-page DDoS tool. As soon as a visitor loads the page, it starts launching the DDoS attack against BPI from that visitor's connection automatically (see Figure 2).

 

Figure 1: TheWikiBoat Press Release

Figure 2: TheWikiBoat Web DDoS Tool

By AegisLab

[ Security Alert ] 23 May, 2012 17:34

    According to data posted on Pastebin, the ZTE Score M ships with a setuid-root binary at /system/bin/sync_agent that serves no purpose other than providing a root shell backdoor. The Score M is an Android 2.3.4 (Gingerbread) phone sold in the United States by MetroPCS and made by the Chinese telecom vendor ZTE Corporation.
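
    The check a practitioner wants here is an inventory of setuid binaries on the handset, since a backdoor of this kind is visible in the file mode long before anyone reverses it. The script below is an added example (not AegisLab's code and not taken from the Pastebin post): it parses the output of `adb shell ls -l <dir>` in Android toolbox format, lists every setuid/setgid regular file, and reports root-owned setuid files that are not on a small allowlist. The sample listing is constructed to look like toolbox output; every name in it except sync_agent is illustrative, and the allowlist is an assumption to adjust for the firmware under review.

```python
"""Flag setuid/setgid binaries in `adb shell ls -l <dir>` output.

Added example; not AegisLab's code and not taken from the Pastebin post.
SAMPLE_LISTING is constructed to resemble Android 2.3 toolbox `ls -l`
output; every name in it except sync_agent is illustrative.
"""
import re
import subprocess
from typing import List, Tuple

# toolbox `ls -l` line: <mode> <owner> <group> [<size>] <date> <time> <name>
# (directories and symlinks print no size column)
LINE_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?:(?P<size>\d+)\s+)?\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+(?P<name>.+)$"
)

# setuid-root binaries expected on a stock Android 2.2+ build; run-as is
# root:shell with mode 6750. Assumption: extend for the firmware under review.
KNOWN_SETUID_ROOT = {"/system/bin/run-as"}

# Constructed sample of `adb shell ls -l /system/bin` (not a real capture).
SAMPLE_LISTING = """\
-rwxr-xr-x root     shell       62492 2011-09-09 11:51 app_process
lrwxrwxrwx root     root              2011-09-09 11:51 cat -> toolbox
-rwsr-s--- root     shell        5932 2011-09-09 11:51 run-as
-rwsr-sr-x root     root         9684 2011-09-09 11:51 sync_agent
-rwxr-xr-x root     shell      124404 2011-09-09 11:51 toolbox
"""


def find_privileged(listing: str, directory: str) -> List[Tuple[str, str, str]]:
    """Return (path, mode, owner) for regular files with setuid or setgid set.

    The setuid bit is the 's' (or 'S' when not executable) at index 3 of the
    mode string, setgid the one at index 6. Root-owned setuid files sort
    first because they are the ones that hand root to any caller.
    """
    hits = []
    for raw in listing.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["mode"][0] != "-":  # regular files only
            continue
        mode = m["mode"]
        if mode[3] not in "sS" and mode[6] not in "sS":
            continue
        name = m["name"].split(" -> ")[0]
        hits.append((f"{directory.rstrip('/')}/{name}", mode, m["owner"]))
    hits.sort(key=lambda h: (not (h[2] == "root" and h[1][3] in "sS"), h[0]))
    return hits


def unexpected_setuid_root(listing: str, directory: str,
                           allowlist=KNOWN_SETUID_ROOT) -> List[str]:
    """Paths of root-owned setuid files not on the allowlist: the candidates
    to pull from the device and reverse, as sync_agent should have been."""
    return [path for path, mode, owner in find_privileged(listing, directory)
            if owner == "root" and mode[3] in "sS" and path not in allowlist]


def adb_listing(directory: str) -> str:
    """Fetch the listing from an attached device (adb must be on PATH).
    Older toolbox builds often lack `find`, so `ls -l` per directory is used."""
    return subprocess.run(["adb", "shell", "ls", "-l", directory],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for d in ("/system/bin", "/system/xbin"):
        try:
            listing = adb_listing(d)
        except (OSError, subprocess.CalledProcessError):
            print(f"{d}: no device attached, using the constructed sample")
            listing = SAMPLE_LISTING if d == "/system/bin" else ""
        for path in unexpected_setuid_root(listing, d):
            print("unexpected setuid-root binary:", path)
```

    On the constructed sample this reports only /system/bin/sync_agent; run-as is setuid root by design and is allowlisted. A clean mode listing is not proof of safety (a backdoor can also live in a root-running service), but any setuid-root file that is not accounted for deserves to be pulled with `adb pull` and inspected.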

By AegisLab

[ Security Alert ] 21 May, 2012 17:46

    Congratulations to Facebook on a successful IPO. AegisLab recently found 35 sites whose domains resemble facebook.com and that rank within Alexa's top 1M (25 of them are listed below):

Alexa Ranking   Domain Name
71,235          faceboook.com
119,533         faebook.com
127,677         facebbok.com
152,878         fcebook.com
158,169         facebookc.om
161,693         facebopok.com
166,280         faceook.com
246,921         facebbook.com
247,789         acebook.com
314,305         faceebook.com
362,492         facebool.com
374,528         facebookk.co
403,964         favebook.com
454,804         faceboobk.com
456,258         faccebook.com
459,442         facrbook.com
485,193         gfacebook.com
506,776         facebokk.com
593,228         faceboock.com
622,926         facenook.com
743,397         facevook.com
781,616         fackbook.com
865,786         faqcebook.com
875,824         fracebook.com
929,487         facebookk.com

    AegisLab suspects these sites reach such high Alexa rankings through SEO (Search Engine Optimization), not only to profit from advertising traffic but perhaps also with malicious intent later on.
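
    Every domain in the list is one keyboard slip away from facebook.com, and knowing which slip matters for a brand-protection team deciding what to register defensively or feed to a blocklist. The script below is an added example (not AegisLab's code): it generates every single-edit variant of a target domain (omission, insertion, doubled letter, substitution, transposition), labels each listed domain by the class that produces it, and falls back to an optimal-string-alignment edit distance for anything further away. The domain list is the one in the alert above; the class names are this script's own.

```python
"""Classify look-alike domains by the single edit that produces them.

Added example, not AegisLab's code. LOOKALIKES is the list from the alert;
the class labels ("omission", "doubled letter", ...) are this script's own.
"""
from collections import Counter
from functools import lru_cache
from string import ascii_lowercase

TARGET = "facebook.com"

LOOKALIKES = [
    "faceboook.com", "faebook.com", "facebbok.com", "fcebook.com",
    "facebookc.om", "facebopok.com", "faceook.com", "facebbook.com",
    "acebook.com", "faceebook.com", "facebool.com", "facebookk.co",
    "favebook.com", "faceboobk.com", "faccebook.com", "facrbook.com",
    "gfacebook.com", "facebokk.com", "faceboock.com", "facenook.com",
    "facevook.com", "fackbook.com", "faqcebook.com", "fracebook.com",
    "facebookk.com",
]


@lru_cache(maxsize=None)
def single_edit_variants(target: str) -> dict:
    """Map every string one edit away from `target` to the edit class.

    Insertions and omissions change the length, substitutions keep it, and a
    transposition of two different adjacent characters changes two positions
    at once, so no string ends up with two competing labels.
    """
    alphabet = ascii_lowercase + "."
    variants = {}
    for i in range(len(target) + 1):
        for c in alphabet:
            v = target[:i] + c + target[i:]
            doubled = (i > 0 and c == target[i - 1]) or (i < len(target) and c == target[i])
            variants.setdefault(v, "doubled letter" if doubled else "insertion")
    for i in range(len(target)):
        variants.setdefault(target[:i] + target[i + 1:], "omission")
        for c in alphabet:
            if c != target[i]:
                variants.setdefault(target[:i] + c + target[i + 1:], "substitution")
        if i + 1 < len(target) and target[i] != target[i + 1]:
            swapped = target[:i] + target[i + 1] + target[i] + target[i + 2:]
            variants.setdefault(swapped, "transposition")
    variants.pop(target, None)
    return variants


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (restricted Damerau-Levenshtein) distance."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[-1][-1]


def classify(candidate: str, target: str = TARGET) -> str:
    """Edit class of `candidate` relative to `target`, or '<n> edits'."""
    candidate = candidate.lower()
    if candidate == target:
        return "identical"
    label = single_edit_variants(target).get(candidate)
    return label if label else f"{osa_distance(candidate, target)} edits"


def summarize(domains, target: str = TARGET) -> Counter:
    """Count the listed domains per edit class."""
    return Counter(classify(d, target) for d in domains)


if __name__ == "__main__":
    for d in LOOKALIKES:
        print(f"{d:16} {classify(d)}")
    print(summarize(LOOKALIKES))
```

    Substitutions and insertions dominate the list; facebookc.om is the one pure dot-shift (a transposition of "k" and "."), and facebookk.co is the only entry that needs two edits. Running single_edit_variants on a brand's own domain gives the full candidate set to check against registrations and DNS, including the .om and similar dot-shifted names that plain spelling checks miss.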

By AegisLab 

[ Security Alert ] 15 May, 2012 11:24

   Updated 2012-May-15: we found another download site that uses a different domain name but resolves to the same IP as the one mentioned in GFI's blog. Several alternative markets use these download sites to serve the malware. The IP is 91.223.77.204, located in Ukraine.

    According to the GFI Labs blog post "New Twitter Spam Run Leads to Android Rogue AV", the download site serves either a JAR file or an APK file depending on the User-Agent. Further analysis found that the site also tries to serve the same APK with a different file hash on every download. In yesterday's post we described APK malware on RU domains that achieves this by inserting junk files into the APK; here the download site takes another route and changes the order of a useless file inside the APK, which also yields a different file hash because the ZIP entries and their headers are laid out differently.

   As Android malware too is turning polymorphic, one of the real challenges for Android anti-malware vendors is only beginning.

By AegisLab

[ Security Alert ] 14 May, 2012 21:47

   Three days ago Trend Micro found a RU (Russia) domain hosting a fake Flash Player for Android. Tracking similar websites, AegisLab found that this is a systematic malware-distribution operation: the malware writers set up blogs to advertise the app domains and dedicated web pages. The app domains are:

hxxp://android-google-play.ru/
hxxp://sims3android.ru/
hxxp://www.fruitninjaandroid-apk.ru/
hxxp://www.flashplayerandroid-apk.ru/
hxxp://www.cuttherope-android-apk.ru/
hxxp://www.cuttherope-experiments-apk.ru/
hxxp://www.cuttherope-apk.ru/
hxxp://www.angrybirds-android-apk.ru/
hxxp://www.jellydefense.ru/
hxxp://www.templerun-android.ru/

   All downloads currently lead to hxxp://www.radeon9200.net/download1/{deleted}. Note that on every download the malware server injects junk files into the APK, so that each copy has a different hash and file-hash-based anti-malware checks are evaded.

    Right now most anti-malware programs can still identify these malicious APKs; users should nonetheless be careful before installing programs from untrusted sources.
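
    Both tricks described in these two alerts (junk files appended here, entry reordering in the 15 May alert) change the bytes of the APK without changing the code that runs. The script below is an added example (not AegisLab's code, and not derived from the actual samples): it builds three constructed APK-like ZIP files with placeholder AndroidManifest.xml and classes.dex contents, one in the original order, one reordered, one with junk files added, then shows that the SHA-256 of each file differs while a fingerprint computed over the sorted core entries is identical for all three. Entry names and contents are placeholders, and the choice of "core" entries is an assumption.

```python
"""Content fingerprint for APKs that survives junk-file insertion and
ZIP entry reordering.

Added example, not AegisLab's code and not based on the real samples.
All entry contents below are constructed placeholders, not a real
manifest or dex.
"""
import hashlib
import io
import zipfile
from typing import Dict, List, Sequence, Tuple

# Entries whose content actually executes; resources and junk are ignored.
# Assumption: extend with the signed entries you trust for a given family.
CORE_ENTRIES = ("AndroidManifest.xml", "classes.dex")

# Constructed placeholders (not real file formats).
MANIFEST = b"<manifest package='com.example.fakeflash'/>"
DEX = b"dex\n035\0" + bytes(range(64))
RESOURCES = b"resources.arsc placeholder"

ORIGINAL: List[Tuple[str, bytes]] = [
    ("AndroidManifest.xml", MANIFEST),
    ("classes.dex", DEX),
    ("resources.arsc", RESOURCES),
]
REORDERED = [ORIGINAL[2], ORIGINAL[1], ORIGINAL[0]]           # 15 May trick
JUNK_ADDED = ORIGINAL + [                                      # 14 May trick
    (f"assets/junk_{i}.bin", b"\x00" * (100 + i)) for i in range(3)
]


def build_apk(entries: Sequence[Tuple[str, bytes]]) -> bytes:
    """Write entries into a ZIP in the given order with a fixed timestamp,
    so the only thing that varies between builds is what we changed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries:
            zi = zipfile.ZipInfo(name, date_time=(2012, 5, 14, 0, 0, 0))
            zi.compress_type = zipfile.ZIP_DEFLATED
            z.writestr(zi, data)
    return buf.getvalue()


def file_sha256(data: bytes) -> str:
    """The whole-file hash that signature databases typically key on."""
    return hashlib.sha256(data).hexdigest()


def content_fingerprint(apk: bytes, core: Sequence[str] = CORE_ENTRIES) -> str:
    """Hash over (name, sha256(content)) of the core entries in sorted name
    order. Extra entries and a different entry order do not affect it."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        present = set(z.namelist())
        for name in sorted(core):
            if name in present:
                h.update(name.encode() + b"\0" + hashlib.sha256(z.read(name)).digest())
    return h.hexdigest()


def sample_apks() -> Dict[str, bytes]:
    return {"original": build_apk(ORIGINAL),
            "reordered": build_apk(REORDERED),
            "junk_added": build_apk(JUNK_ADDED)}


def cluster_by_content(apks: Sequence[bytes]) -> Dict[str, List[str]]:
    """Group APKs by content fingerprint; each group lists its file hashes."""
    groups: Dict[str, List[str]] = {}
    for apk in apks:
        groups.setdefault(content_fingerprint(apk), []).append(file_sha256(apk))
    return groups


if __name__ == "__main__":
    for label, apk in sample_apks().items():
        print(f"{label:10} file sha256 {file_sha256(apk)[:16]}... "
              f"fingerprint {content_fingerprint(apk)[:16]}...")
```

    The three file hashes are all different, the three fingerprints are the same, and cluster_by_content puts all three copies in one group. This only covers repacking that leaves the executable entries untouched: a server that also rebuilds classes.dex per download (renamed classes, padded strings) needs code-level features, such as hashes over normalised method bodies, rather than a content digest.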

By AegisLab
