Recent months have produced little of interest among worms written in Java and script languages such as JavaScript and VBScript. The main reason behind this was the limited proficiency of the virus writers, whose creations were anything but remarkable. However, a couple of malware samples grabbed our attention; their complexity is testimony to the fact that professionals sometimes get involved as well.
Kaspersky Lab’s products detect these special worms as Worm.JS.AutoRun and Worm.Java.AutoRun. They are also detected by heuristic methods as HEUR:Worm.Script.Generic and HEUR:Worm.Java.Generic respectively.
These two worms have three key features in common: heavy obfuscation, backdoor-type essential payloads, and similar methods of propagation. Both worms spread by copying themselves and the configuration file autorun.inf into the root folders of logical volumes of removable storage media and network disks. If these infected storages are opened on other computers, the infection can spread. Having infected the operating system and established a foothold on the victim computer, the malicious programs deploy their principal payload.
For months, the number of AutoRun worms detected on Kaspersky Lab users’ computers remained essentially unchanged. According to Kaspersky Security Network data, half of all script worms spread themselves this way. As for Java worms, this is not their usual method of propagation. However, in the last three months we have seen a dramatic rise in the number of new Worm.Java.AutoRun modifications.
Detection levels for unique script worms, AutoRun script worms, and heuristically detected AutoRun script worms April 2012 - May 2013
Recently, an Android application came to us for analysis. At a glance, we knew this one was special. All strings in the DEX file were encrypted, and the code was obfuscated.
The file turned out to be a multi-functional Trojan, capable of the following: sending SMS to premium-rate numbers; downloading other malware programs, installing them on the infected device and/or sending them further via Bluetooth; and remotely performing commands in the console. Now, Kaspersky Labs products detect this malicious program as Backdoor.AndroidOS.Obad.a.
Malware writers typically try to make the codes in their creations as complicated as possible, to make life more difficult for anti-malware experts. However, it is rare to see concealment as advanced as Odad.as in mobile malware. Moreover, this complete code obfuscation was not the only odd thing about the new Trojan.
The Trojans quirks
The creators of Backdoor.AndroidOS.Obad.a found an error in the popular DEX2JAR software this program is typically used by analysts to convert APK files into the more convenient Java Archive (JAR) format. This vulnerability spotted by the cybercriminals disrupts the conversion of Dalvik bytecode into Java bytecode, which eventually complicates the statistical analysis of the Trojan.
Over the last few years, we have been monitoring a cyber-espionage campaign that has successfully compromised more than 350 high profile victims in 40 countries. The main tool used by the threat actors during these attacks is NetTraveler, a malicious program used for covert computer surveillance.
The name NetTraveler comes from an internal string which is present in early versions of the malware: NetTraveler Is Running! This malware is used by APT actors for basic surveillance of their victims. Earliest known samples have a timestamp of 2005, although references exist indicating activity as early as 2004. The largest number of samples we observed were created between 2010 and 2013.
The NetTraveler builder icon
Everyone has their own preferences in choosing applications: a favorite browser or instant messenger, media player or email client, etc. Many users are so accustomed to them in everyday life that they feel uncomfortable without access to their favorite programs at work or in college. As a result, they come to use the portable applications which we will discuss in this article.
Portable applications, stored on removable media, are very convenient: they need no installation and can be used in almost any environment. For users, this means their favorite tools are always at hand, and ready to do anything from playing movies and music to analyzing and restoring the system.
However, such applications can also pose a threat to information security. Users who do not have local administrator rights cannot install software on the PC, but they can bypass this restriction by taking advantage of portable applications that do not require installation. Since these applications are mobile and are stored on removable media, they often go undetected by auditing applications on the LAN. This makes it more difficult to investigate incidents related to the use of portable applications as the information about removable media and software installed on it is often unavailable to the IT security specialists.
Case study
An analytical company engaged in processing large amounts of personal information offered part-time work to students and non-IT-specialists: a couple of days a week they would transfer data from paper into electronic forms, recheck the available data for errors and contact people for further information.
Kaspersky Lab’s mission is to protect the world from viruses. But the company also believes it has a duty to safeguard our children from content which could be harmful to youngsters. In order to carry out this important task, Kaspersky Lab’s products integrate a special component named Parental Control.
This component allows caring parents to control their children’s computer and Internet activity. For example, Parental Control allows parents to easily restrict the time their children spend using the computer or surfing the web.
In addition, Parental Control enables parents to restrict the launch of certain applications and to monitor their children's activities on social networks and chat sites. One of the most important functions of this module is to limit access to potentially harmful web resources. Many of these, of course, are adult content sites. However, social networks, forums and even online stores can also pose a threat. The module currently includes 14 different categories of sites, enabling parents to decide which are undesirable for their child. Here are the categories:
- Pornography, erotic materials
- Illegal software
- Drugs
- Violence
- Explicit language
- Weapons
- Gambling
- Forums and chats
- Web mail
- Online stores
- Social networks
- Anonymous proxy servers
- Payment systems
- Casual games
About a year ago we
described how Parental Control worked with different web resources. At that time the statistics only considered resources which had been blocked by the Parental Control tools. Since then we have improved the mechanism of collecting statistical data and now we can identify the categories of sites which are most popular with youngsters, regardless of whether Parental Control allows them to visit or not.
That is why our worldwide statistics on the sites most frequently visited by children in 2013 varies considerably from the previous year’s figures.
The sites most often visited by children worldwide
We know that the family of malware called Trojan.MSIL.Jumcar and Trojan.Win32.Jumcar was developed in Peru with the primary aim of attacking Peruvian users. We also know that Chilean and Peruvian users have latterly been targeted as well. You can read more about this in our preliminary reports:Jumcar. From Peru with focus on Latin America [First part]
Jumcar. Timeline, crypto, and specific functions [Second part]
During the initial investigation we saw a very striking series of strings from the source code of the first variants: "Armada Peruana". This is the Peruvian navy.
String "Armada Peruana" observed in decompilation of the Jumcar variant.
Lately, our traps have been catching emails like these:
In them someone with a very English name is asking to book a hotel or air tickets for their family. A naïve recipient would think “Ah, wrong address”.
Jumcar stands out from other malicious code developed in Latin America because of its particularly aggressive features. At the moment three generations of this malware family exist, which basically use symmetric algorithms in the first and second generation, and an asymmetric algorithm in the third. In this manner the configuration parameters are hidden, progressively increasing the complexity of the variants.
In the first generation, data is encrypted with AES (Advanced Encryption Standard). We estimate that the first variant was released in March 2012, and that other pieces of malware with similar characteristics were being developed until August of the same year. That is to say over a six month period.
In this first stage, 75% of the phishing campaigns targeted Peruvian consumers that use home-banking services. The 25% remaining targeted users in Chile.
The following diagram shows multiple instances used by the second generation of Jumcar:
Some .NET instances used by a variant of the first generation of Jumcar
Jumcar is the name we have given to a family of malicious code developed in Latin America particularly in Peru and which, according to our research, has been deploying attack maneuvers since March 2012.
After six months of research we can now detail the specific features of Jumcar. We will communicate these over the following days. Essentially the main purpose of the malware is stealing financial information from Latin American users who use the home-banking services of major banking companies. Of these, 90% are channeled in Peru through phishing strategies based on cloning the websites of six banks.
Some variants of the Jumcar family also target two banks in Chile, and another in Costa Rica.
Percentage of the phishing attacks by countries
Fostering knowledge exchange among different generations of security researchers is maybe one of the best traits of a good security conference. Judging by its attendance, NoSuchCon can easily claim to be one of these. It's rare to see such a mix of young researchers and old gurus exchanging ideas and getting to know each other. Organized this year in Paris, NoSuchCon takes place in the premises of the Espace Oscar Niemeyer; admittedly, indeed a nice move putting a security conference within an art exposition center (congrats to the organizers :)) .
Espace Oscar Niemeyer