Feb 9 2010   2:20PM GMT

Spyware code targets BlackBerry users



Posted by: Robert Westervelt
Application Security, mobile malware, mobile applications

Proof-of-concept code released by a security researcher could be tweaked for use on almost any device. Demonstrates need for caution with mobile applications.

A security researcher demonstrating some of the weaknesses in mobile devices has chosen to target BlackBerrys with new proof-of-concept code that could be used to listen to conversations, view messages and track users of the device.

Tyler Shields, a senior researcher at application security testing vendor Veracode, demonstrated his code at the Shmoocon hacker conference last weekend in Washington, D.C. The malicious application is not stealthy and doesn’t pose a major threat to users for now. It can view contacts and messages, listen to conversations and track the location of the device using its GPS system.

Shields and Chris Eng, Veracode’s senior director of security research, said the project is purely educational. It demonstrates that a savvy attacker could develop a malicious application and, if it passes the screening process of an application store, it could find its way onto user devices.

Eng wrote on the Veracode research blog:

Our goal was to demonstrate how BlackBerry applications can access and leak sensitive information, using only RIM-provided APIs and no trickery or exploits of any sort … We make no assumptions about how the malicious application will be installed on the phone, and we haven’t attempted to sneak a malicious application into BlackBerry App World.

Called txsBBSpy, the code could be built into what appears to be an innocuous application. Once downloaded onto a device, the application could quietly steal data, which could be sold on the black market. Applications that use stored data on a mobile device are required to ask permission, according to most OS makers’ terms and conditions. Veracode also posted a video demonstration of the BlackBerry spyware app.

In addition, OS makers Apple, Symbian, Google (Android) and Research In Motion typically test applications for stability issues before making them available for download. Eng said the process gives users a false sense of security because the applications rarely undergo security testing.

Tighter IT policies restricting users from downloading applications could significantly reduce the risk, but according to Shields, most enterprises have an “allow-all” policy. Enterprises can also reduce the risk by investigating applications themselves and then creating an approved list of applications for end-users, he said.

A number of spyware applications are being sold online. FlexiSpy must be manually downloaded onto a device, but once installed it can listen to conversations, log SMS and email messages and track a user.

In December, Google removed from its Android Market online application store dozens of suspicious applications that had the potential to steal banking credentials from users. Several banks and credit unions warned customers of the potential for fraud using the applications. The apps used the names of banks without permission, and many security experts said they could have been used in a phishing scheme, though there were no reports of fraud.

Feb 4 2010   1:02PM GMT

Torrent phishing scheme trips up Twitter users



Posted by: Robert Westervelt
Password management, Twitter flaws, Phishing

Attacker steals torrent site account passwords and attempts to access Twitter, other social networks.

If you signed up for an account on a torrent forum or website and use similar passwords for other accounts, change your passwords now. A savvy attacker is skimming passwords from the users of a number of torrent sharing sites he created, using the credentials to try to break into Twitter and other third-party sites.

Torrent sites were made popular by people who wanted to share music files in the early 2000s. The file sharing protocol enables users to “seed” files and share small pieces of large amounts of data. In the early days it was difficult for a non-technical user to tweak network settings and load a torrent file, but a set of new programs has automated that process. Today torrent files have grown more popular with users sharing files of popular movies and television shows, though the legality of this is in question.

Twitter said it detected anomalies in several Twitter accounts that had a surge in follower activity. A further investigation led to the discovery of the phishing scheme. As a precaution, Twitter temporarily suspended anyone following the suspicious accounts until they reset their account credentials.

In a post on the Twitter Status Blog, Del Harvey, Twitter’s director of trust and safety, said the hacker is suspected of building a number of different torrent sharing forums and torrent websites that require users to sign up for an account. The sites were sold to other people, but they were riddled with holes – malicious code and backdoors that enabled the hacker to skim account credentials of users who signed up for the sites he built.

This person then waited for the forums and sites to get popular and then used those exploits to get access to the username, email address, and password of every person who had signed up. Additional exploits to gain admin root on forums that weren’t created by this person also appear to have been utilized; in some instances, the exploit involved redirecting attempts to access the forums to another site that would request log-in information.

Harvey warned users to change their passwords if they signed up for a torrent forum or torrent site.

Torrent sites aren’t exactly ‘new’; however, this is one of the first times that we’ve seen an attack that came from this vector. … We felt that it was important to put this knowledge out there so that users would know of the possibility of compromise of their data by a third party unrelated to their Twitter account.

The scary part of all this is that it appears that the hacker had been using the scheme for “a number of years,” according to Harvey. So if you think you may have signed up for a torrent site a number of years ago, go back and address your passwords now.

Another ongoing issue is that people use the same email address and password for multiple sites, Harvey said. Security experts have warned against doing this. A number of new password management programs are available, including some smartphone applications, that help users create a strong password and securely store it. While it may seem difficult, using them could alleviate any unnecessary headaches in the future.

Popular Password Management Programs:
Here are links to popular password management programs. I don’t advocate any one program. This is an area to be especially careful. Do a search for reviews to find the right one that meets your needs:

Sxipper: Firefox add-on.

Roboform: Windows-based but provides online access for Mac and Linux users.

1Password: Popular Mac-based password management.

KeePass: Open source lightweight password manager.

Aurora Password Manager: Windows-based with full encryption capabilities.

SplashID: Apple iPhone and RIM BlackBerry password manager.

eWallet: iPhone password manager.

Ascendo DataVault: Supports RIM BlackBerry, Apple iPhone and Windows desktops.


Feb 2 2010   1:36PM GMT

Chinese hacker says most are not skilled coders



Posted by: Robert Westervelt
hacking tools and techniques, hacking groups

Automated tools fuel rise in less savvy hackers. How much do they really profit?

The New York Times managed to track down and interview a China-based hacker, offering a glimpse into what it says is a thriving hacking community there. The headline says “Hacking for Fun and Profit in China’s Underworld.” But there’s no real evidence of profit.

David Barboza’s description of the hacker, who goes by the name Majia, lives up to the old-school hacker stereotype: He’s young, he seems to be in it for the fame and he lives in a dingy apartment. He has a government job by day and at night spends long hours checking the statistics on his automated tools and seeking out website vulnerabilities to crack into business websites in China and other countries, either to steal sensitive data or to install a malicious script that expands the reach of his automated attack tool. He claims to be making a lot of money. But then Barboza tells us this:

Majia lives with his parents, and his bedroom has little more than a desktop computer, a high-speed Internet connection and a large closet. The walls are bare.

Barboza found a very active community of hackers, willing to share and trade information. But the hacker Majia admits that today most hackers aren’t very skilled at all. We’ve been reporting on SearchSecurity about the rising level of automated attack tools making it relatively easy for non-technical people to become cybercriminals.

Last summer new research emerged painting a picture of the economics driving many underground black hat hacker communities. Security researchers Cormac Herley and Dinei Florencio found that there are far too many people attempting to make money phishing for passwords, account numbers and other sensitive data. While the picture isn’t exactly crystal clear and their work centered on automated phishing tools, it appears that the majority of the money made in cybercriminal activity goes to a handful of individuals. It’s like a pyramid scheme. The most skilled hackers are at the top. They create and sell (or rent) the automated tools to the minions below them. Those in the lower levels of the pyramid are often exposed to data-stealing malware themselves. There’s a lot of infighting. There’s a lot of grandstanding. Most hackers need to prove themselves as legitimate.

“Some people probably try it for a while, don’t make much, and then wander off to try something else,” Herley told me at the time. “Breathless stories about ‘easy money’ probably ensures enough new entrants to keep the phenomenon going.”

More research needs to be done to get a clearer picture. Security researchers Billy Rios and Nitesh Dhanjani, who infiltrated the underground phishing market in 2008, agreed with the main points of Herley and Florencio’s assessment, which put the total annual losses associated with phishing at $61 million, much less than the $3.2 billion estimated by Gartner Inc.

Unless he’s investing his earnings in a retirement fund, the hacker Majia is far from the top of the hacking pyramid. That’s why he’s living with his parents in a dingy apartment in one of China’s poorest neighborhoods.


Feb 1 2010   2:44PM GMT

Browser exploit kit probe highlights need for patching, vigilance



Posted by: Robert Westervelt
exploit toolkits, browser vulnerabilities

Eleonore exploit kit targets browser vulnerabilities and plug-in holes that have been patched by vendors.

A standard but widely used exploit kit known as “Eleonore” attempts to exploit dozens of commonly known vulnerabilities, preying on users who fail to install the latest patches and who likely don’t have the most up-to-date antivirus software.

Former Washington Post security blogger Brian Krebs took a dive into the browser exploit kit last week to reveal the holes being targeted by the kit. In addition to Adobe Reader holes, the kit targets Internet Explorer vulnerabilities and a Java bug, Krebs said.

While the numbers are just a snapshot, those provided by the kit seem to show a high success rate against Google Chrome users. Of 211 users of Google Chrome 3.0 visiting the malicious site hosting the exploit kit, 27, or 12.8%, were successfully infected by the kit. The kit targets a number of known vulnerabilities in earlier versions of Firefox, though its success rate there is fairly low.

Not surprisingly, Internet Explorer users were where the kit was most successful. Of over 3,500 users of IE 6, 30%, or more than 1,050, were successfully targeted. Even users of IE 8, Microsoft’s latest browser, fell victim. Of more than 6,800 IE 8 users visiting the malicious site, 11.6%, or about 800, were successfully victimized.

Just from observing some of these stats, it’s clear that some of the most successful exploits target vulnerabilities that were patched quite some time ago.

As Brian explains, these kits are not new, yet they have proliferated in recent years as black hat hackers have improved their automation features and made them a fairly cheap investment for anyone wanting to get into the cybercriminal business.

While Krebs found Eleonore proliferating on porn websites, users who are disciplined enough to browse only to trusted websites are still not immune to this kind of toolkit-driven attack. All it takes is a simple website vulnerability and successful code injection to create an attack webpage that scans visitors’ systems for holes to exploit.

Kris Lamb of IBM’s ISS X-Force security research team told me last summer that researchers had been tracking an increasing number of trusted websites hosting malicious webpages. In the X-Force 2009 mid-year report, Lamb said a site hosting the toolkit can deliver all the exploits at once to a victim or select specific exploits based on a person’s referring URL, browser cookies or geographic location. Many other security vendors, including Symantec, McAfee and Sophos, have released reports showing a similar rise in malicious webpages targeting application layer holes.


Jan 26 2010   2:16PM GMT

Malware in Google attacks uses spaghetti code



Posted by: Robert Westervelt
malware, reverse engineering

Coding technique designed to tie up reverse engineers has been used in the past, Symantec says.

Researchers reverse engineering the malware used in a string of attacks against Google and at least 30 other firms and government agencies have found that the cybercriminals behind the attack used spaghetti code.

The obfuscation technique is not new. It is designed to make reverse engineering more difficult, but today it usually doesn’t give researchers much trouble. There are a variety of convoluted “pasta coding” techniques. Lasagna code is favored in structured programming, ravioli code is likened to object-oriented programming (OOP).

Symantec calls the Trojan, which attempts to exploit a now-patched zero-day vulnerability in Internet Explorer, Trojan.Hydraq. The coding technique was first discovered in 2006, and today it can be deployed using a variety of automated tools.

Symantec researcher Patrick Fitzgerald compared the Trojan to two more complex malware samples.

While many threats are simpler than Hydraq in not using any obfuscation or using well-known packers, the obfuscation method utilized by Hydraq is fortunately not novel and is easily reversible, unlike other prevalent malware samples in today’s threat landscape.


Jan 26 2010   1:37PM GMT

Attackers continue barrage of SEO attacks



Posted by: Robert Westervelt
SEO attacks; rogue antivirus

Popular search term exploited to funnel users to a rogue search engine. A variety of tactics continue to prey on search engine users.

Research analysts at Trend Micro have identified another attack attempting to use popular search terms in Google and other search engines. Using the phrase “free printable,” users will get a variety of results including some pages designed with malicious JavaScript redirecting them to a rogue search engine.

According to TrendLabs’ JM Hipolito:

As of now, the cybercriminals’ goal in all this seems to be hijacking search traffic from search engines, and redirect them into their own search engine to earn them money. If it stays as such is not yet known, but users need to be wary, since it would be very easy for cybercriminals to change the final landing site of the redirections to a malware-hosting site.

We recently wrote about popular search terms being optimized by cybercriminals to ensure their attack websites are highly visible in search results. Some are less nefarious and try to get as many users as they can to view their ad-riddled sites. Others host malware and rogue antivirus programs.

A popular search for Tiger Woods in December resulted in a number of malicious sites hosting rogueware. In the case of “free printable,” Trend said the term is a highly popular phrase in South Africa and the United States.

Users of Internet Explorer can be tricked easily, since the programs are designed to look like a Windows Security alert, followed by a fake scan and instructions to download a program to remove malware. Sometimes victims are asked to pay a fee for the fake antivirus; other times they are duped into downloading the program, which is riddled with malicious code.

At the time Sean Sullivan of F-Secure urged people to search for topical items on Google News rather than Google’s main search engine. Many legitimate news sites have Web admin teams protecting them, he said.

Security researchers warned last June that cybercriminals were attempting to exploit the Michael Jackson and Farrah Fawcett deaths. Poisoned search engine results sent users to a variety of malicious sites, many leading to bogus antivirus downloads.


Jan 11 2010   2:09PM GMT

Credit union warns of phony banking Android app



Posted by: Robert Westervelt
smartphone attacks, mobile malware

Mobile banking app tries to gain access to financial data. App removed from Android marketplace.

In what could be one of the first signs that attackers are testing smartphones as another way to gain access to sensitive information, a Beaverton, Oregon credit union is warning its customers about a rogue Android application that attempts to set up online access to bank accounts.

The Android app has been removed from the Android marketplace, according to First Tech Credit Union. Called Droid09, the application didn’t target a specific financial institution. In a message to customers, the credit union said the app was designed to appear as a shell of a typical mobile banking app, but after a person configures their account information, it then tries to gain access to the victim’s financial information.

Smartphones running more powerful processors are now capable of handling ever more sophisticated applications. Apple, Research In Motion, Palm and now Google closely monitor the applications they make available to smartphone users. All four smartphone OS makers have a strict application approval process, but some security experts say it’s unclear exactly how closely the application is scrutinized. There’s no word on how the app made it through Google’s approval process, making it into the marketplace for Android OS phones.

Graham Cluley, a security consultant with UK-based security vendor Sophos, blogged about the rogue Android application today. Apple heavily scrutinizes the applications developed for the iPhone and has been known to reject them for a variety of reasons. Its applications also run in a sandbox-like environment, making it more difficult for an attacker to use an application as a loophole into the phone OS itself. Cluley said the only malware that has recently emerged targeting smartphones has been the iKee worm, which targeted jailbroken iPhones – a tiny fraction of Apple’s overall user base.

The Android marketplace, however, is not as closely monitored as Apple’s equivalent, and adopts a more “anything goes” philosophy. This, combined with the current buzz around new phones running Android such as the Motorola Droid and the Google Nexus One, may make the platform more attractive to cybercriminals in future.

With Apple’s rumored iSlate announcement anticipated at the end of the month, and a slew of tablet-like devices introduced at the recent Computer Electronics Show last week, attackers may be tempted to take a look at how those devices handle applications. It’s unclear whether those devices will be an extension of the smartphone OSes and how easy it will be to develop applications for the tablet PCs. If users have free rein to download and install anything they like and there’s enough market share, it’s a safe bet that cybercriminals will see money to be made.

Other security experts believe most cell phone users won’t have to worry about mobile malware for quite some time. PandaLabs security researcher Sean-Paul Correll said the cell phone market continues to be too fragmented. And he may be right: recent statistics suggest that even with the iPhone’s success and now Google’s Android OS, their market share isn’t significant enough for attackers. Even Symbian phones, which carry slightly more than 50% of the worldwide market, haven’t been targeted in great numbers.


Jan 5 2010   9:02PM GMT

Gartner acquires Burton Group, bolsters presence



Posted by: Robert Westervelt
security analyst firms

Independent analysis thrives in face of consolidation of large analyst firms.

Stamford, Conn.-based Gartner Inc. announced the acquisition of rival analyst firm Midvale, Utah-based Burton Group today, acquiring the research firm for $56 million. The Burton Group has 41 analysts that cover security, identity and access management, virtualization and cloud computing. It also has about 40 sales and support staff.

The acquisition makes Gartner an even larger market analysis giant, bolstering its presence against Framingham, Mass.-based IDC, a firm that conducts broad industry market analysis.

Gartner CEO Gene Hall summed up the acquisition in the official announcement:

“Gartner has traditionally focused on providing strategic insight to CIOs and senior IT executives, while Burton Group has built a leading niche providing practical, how-to advice to front-line IT professionals. Thus, Burton Group is a great strategic fit for Gartner and should enable us to offer a more complete solution to every level and functional expert within an IT organization. By leveraging our scale and worldwide distribution capabilities, we expect to significantly grow Burton Group’s business over time.”

It’s the third large acquisition made by Gartner in recent years and one that consolidates the market into only a handful of large analyst firms. Only a few weeks ago, Gartner acquired AMR Research, a Boston-based firm that focused on enterprise software research and analysis. That sale was for $64 million. The Meta Group, a research firm with a consultancy practice, was acquired in 2004 for $162 million.

Other firms include Cambridge, Mass.-based Forrester Research Inc., which provides analysis of nearly all parts of the IT landscape, and the Yankee Group Inc., which focuses on networking and mobile communication technologies. Forrester has also been busy, acquiring JupiterResearch LLC in 2008 for $23 million. It acquired Giga Information Group in 2003 for $60 million. Giga also focused on enterprise software and brought with it hundreds of customers. Today Giga has been completely integrated into Forrester; most of its analysts either joined Forrester, left to create their own independent research firms or consultancies, or joined other remaining analyst firms.

The Yankee Group was acquired in 2005 by a private equity firm, Alta Communications. The 451 Group also continues to thrive, providing industry research in the areas of virtualization, storage and enterprise security.

Despite the market consolidation, a number of former analysts are doing well independently, providing research and consulting services. Former Gartner analyst Rich Mogull runs Securosis with security expert Adrian Lane. The firm announced the addition of industry veteran analyst Mike Rothman to its team this week.

What impact will the array of acquisitions have on the bigger picture of IT buying strategies? Michael Coté of Red Monk offers up some analysis of the Gartner acquisition, but essentially says it’s unclear to tell if it will have any impact.

“Individual voices” matter because of the past cycles of Big Bang IT, where large firms like Gartner thrive with their categorization and ranking models (which application server will solve my problem?), have been steadily chipped away by consumer and “bottoms up” technology innovation.

Alex Williams, a writer for ReadWriteWeb, said the acquisition further transforms the analyst industry into a kind-of hybrid model in which traditional analyst firms balance out analysis offered by smaller independent firms including RedMonk and the Altimeter Group as well as industry expert bloggers and consultants.

The purchase is another example of how the analyst community is becoming increasingly homogeneous, dominated by a handful of firms such as Forrester and IDC. And it points to a growing debate about the value that companies can receive from analyst firms when there is little diversification in the market.


Jan 4 2010   2:55PM GMT

Securosis adds Security Incite, Rothman to its roster



Posted by: Michael S. Mimoso
Securosis, Rich Mogull, Mike Rothman

Analyst and research firm Securosis announced today that it will merge with Security Incite, the popular blog and analysis site founded by Pragmatic CSO author Mike Rothman.

Everything will remain under the Securosis brand, says founder and CEO Rich Mogull, a former Gartner analyst, who along with CTO Adrian Lane have quickly built the Phoenix-based operation into a go-to for security analysis and insight.

Securosis has focused heavily on data protection and application security since its inception less than two years ago. Rothman’s addition, Mogull says, will bring endpoint and network security expertise into the fold, as well as Rothman’s Pragmatic CSO program, which helps chief information security officers put a business context on information security programs.

Mogull says the company’s research will target mid-sized companies.

In addition to specific advisory projects for user and vendor clients, Securosis has pursued research projects such as Project Quant, a survey-based initiative that established metrics to measure the costs and effectiveness of patch management efforts. The firm boasts of its open research process, called Totally Transparent Research.

“We open up our R&D process to the world,” Mogull says. “I want to produce research that would help improve the industry, not just those who pay us.”


Dec 23 2009   3:20PM GMT

Is mobile malware all hype? New figures show fragmented mobile phone market



Posted by: Robert Westervelt
mobile malware, smartphone attacks, iPhone security

Despite being one of the hottest smartphones on the market, Apple iPhone 3G represents only 4% of devices in the United States.

The popularity of smartphones, from Apple’s super hot iPhone to Android and even BlackBerry devices, has some security pros predicting a smartphone apocalypse. But new figures released this week by Nielsen Media Research reveal a highly fragmented U.S. mobile market with literally hundreds of different kinds of handsets. It may mean that malware authors could have a very difficult time gaining a foothold deep enough in the mobile market to make it lucrative.

With all of the iPhone popularity, Nielsen found the Apple 3G iPhone making up only 4% of the subscriber base. In a Nielsen chart outlining the Top 10 mobile phones in use in the United States, Research In Motion’s (RIM) BlackBerry shows up three times, but still only manages to make up about 6% of the subscriber base.

The issue, according to experts I’ve talked to, is that people tend to hold on to their cell phones for as long as possible, or at a minimum until the end of their two-year contract with their cellular service provider. In addition to 3G iPhones and BlackBerrys, the top 10 list reveals a smattering of Motorola phones. Samsung and LG phones took four spots on the list.

So, you say it doesn’t matter what kind of phone a person is using, it’s the underlying operating system that counts. Well, I turned to market share figures provided by Gartner showing Apple’s iPhone firmware skyrocketing. What does that mean? Well, its popularity has earned it about a 17% market share worldwide. Even the most popular OS, Symbian, known for being targeted by phishing attacks via texting, earns its place at about 50% of the worldwide market. RIM’s BlackBerry software platform, which is mainly popular in many enterprises, makes up about 20% of the global market, according to Gartner’s market share figures.

This leads me to think the fear and loathing we hear about 2010 being the year of smartphone malware may be overstated. If there’s anything I’ve learned in the relatively short time I’ve been covering the security industry, it’s that malware authors have shown throughout history that they will always pick the low-hanging fruit. It doesn’t take a lot of effort and there’s still a rather big payoff. A fragmented mobile phone market, further complicated by different cellular providers and different systems from country to country, may shelter smartphones from being actively targeted.

That’s not to say we shouldn’t keep an eye on the market. Security researchers should continue to turn their attention to the rising use of smartphones and the ever more powerful memory and processors being packed into the tiny devices. SRI International released an analysis this week of the iPhone botnet created by the iKee worm, which targeted jailbroken iPhones in November.

In fact, the SRI researchers make a good case for the importance of the research:

Although the iKee.B botnet discussed here admittedly offers a rather limited growth potential, iKee.B nevertheless provides an interesting proof of concept that much of the functionality we have grown to expect from PC-based botnets can be easily migrated into a light-weight smartphone application. … While it is unclear just how well prepared smartphone users are to this new reality, it is clear that malware developers are preparing for this new reality right now.

There’s no excuse for not being prepared.