MisoSMS: New Android Malware Disguises Itself as a Settings App, Steals SMS Messages

FireEye has uncovered and helped weaken one of the largest advanced mobile botnets to date. The botnet, which we are dubbing “MisoSMS,” has been used in at least 64 spyware campaigns, stealing text messages and emailing them to cybercriminals in China.

MisoSMS infects Android systems by deploying a class of malicious Android apps. The mobile malware masquerades as an Android settings app used for administrative tasks. When executed, it secretly steals the user’s personal SMS messages and emails them to a command-and-control (CnC) infrastructure hosted in China. The FireEye Mobile Threat Prevention platform detects this class of malware as “Android.Spyware.MisoSMS.”

Here are some highlights of MisoSMS:

  • We discovered 64 mobile botnet campaigns that belong to the MisoSMS malware family.
  • Each of the campaigns leverages Web mail as its CnC infrastructure.
  • The CnC infrastructure comprises more than 450 unique malicious email accounts.
  • FireEye has been working with the community to take down the CnC infrastructure.
  • The majority of the devices infected are in Korea, which leads us to believe that this threat is active and prevalent in that region.
  • The attackers logged in from Korea and mainland China, among other locations, to periodically read the stolen SMS messages.

MisoSMS is active and widespread in Korea, and we are working with Korean law enforcement and the Chinese Web mail vendor to mitigate this threat. This threat highlights the need for greater cross-country and cross-organizational efforts to take down large malicious campaigns.

At the time of this blog post, all of the reported malicious email accounts have been deactivated and we have not noticed any new email addresses being registered by the attacker. FireEye Labs will closely monitor this threat and continue working with relevant authorities to mitigate it.


Letting The Wrong Ones In: Email Security’s Big Blind Spot

In the course of my systems engineer duties at FireEye, I get the chance to speak with security professionals at a lot of organizations. Many of them seem confident that their email security gateways or email software-as-a-service (SaaS) providers can safeguard them from spear-phishing attacks.

Here are some of the typical comments I hear from companies:

  • “My email security provider has specific phishing filters, so we’re confident that we have eliminated the risk of an infection via a spear-phishing email.”
  • “Our users receive virtually zero spam, so the solution works just fine.”
  • “The contents of the email quarantine are so accurate that we don’t bother checking any more.”
  • “We have a strict attachment policy and multiple AV engines within our email security solution. That adds a very high level of protection from malware threats.”

In general, people believe that the email security headache has been solved. So they tend to relegate it to a secondary concern, far below Web security.

That could be a huge mistake. While spam filters and other email security tools have defanged many high-volume campaigns, they’re futile against some of the most dangerous targeted, personalized attacks.


Hacking a Revolution

[Image: Ukrainian protesters. (Credit: Ryan Anderson. Used under Creative Commons CC-BY-SA-3.0 license.)]

In April 2005, General Boris Miroshnikov, head of the Russian police’s cybercrime division (Department К for “Кибер” or “Cyber”), announced that Russian hackers were the “best in the world.” At DEF CON 13 that year, I explained how Soviet scientists had honed their reverse engineering skills on Western products for decades during the Cold War. More recently, Western reporting such as Tom Kellermann’s “Peter the Great versus Sun Tzu” and FireEye’s “World War C” suggests that Eastern European hackers are still more advanced and stealthy than their peers around the world. Ukraine was even called the world’s newest “haven for hackers.”

So, given the current political crisis in Ukraine, it seems like a good time to ask, what role is there for computer hackers in political revolutions? And could computer hacking play a decisive role in this would-be revolution? If we assume that there are two basic antagonists in this struggle – the government and the protesters – which side benefits the most from the existence of a strong hacker culture?


Operation Ke3chang: Targeted Attacks Against Ministries of Foreign Affairs

This week, FireEye released a report detailing how Chinese-speaking advanced persistent threat (APT) actors systematically attacked European ministries of foreign affairs (MFAs). Within 24 hours, the Chinese government officially responded.

Our report provides further proof that cyber espionage is a reality in today’s world. First, attackers appear to have no financial incentive to hit these targets. Instead, the goal appears to be collecting time-sensitive geopolitical information — in this case, insight into the intense international diplomacy surrounding Syria’s ongoing civil war.

FireEye was able to access just one of 23 command-and-control (CnC) servers responsible for managing cyber espionage against a handful of countries. But how many more countries were attacked? How many more CnC servers are a part of this attack campaign? Only the attackers know for sure — but the known scope of their efforts implies that this was only the tip of a much larger iceberg.

Since we began writing this report, this APT has continued its cyber espionage activities. Furthermore, we have recently located an additional cluster of Ke3chang activity.


CVE-2013-3346/5065 Technical Analysis

In our last post, we warned of a new Windows local privilege escalation vulnerability being used in the wild. We noted that the Windows bug (CVE-2013-5065) was exploited in conjunction with a patched Adobe Reader bug (CVE-2013-3346) to evade the Reader sandbox. CVE-2013-3346 was exploited to execute the attacker’s code in the sandbox-restricted Reader process; from there, CVE-2013-5065 was exploited to execute more malicious code in the Windows kernel.

In this post, we aim to describe the in-the-wild malware sample, from initial setup to unrestricted code execution.

CVE-2013-3346: Adobe Reader ToolButton Use-After-Free

CVE-2013-3346 was privately reported to ZDI by Soroush Dalili, apparently in late 2012. We could find no public description of the vulnerability. Our conclusion that the sample from the wild is exploiting CVE-2013-3346 is based upon the following premises:

  1. The sample contains JavaScript that triggers a use-after-free condition with ToolButton objects.
  2. CVE-2013-3346 is a use-after-free condition with ToolButton objects.
  3. The Adobe Reader patch that addresses CVE-2013-3346 also stops the in-the-wild exploit.

CVE-2013-3346 Exploitation: Technical Analysis

The bug is a classic use-after-free vulnerability: within JavaScript, nesting ToolButton objects and freeing the parent from within child callbacks results in a stale reference to the freed parent. More specifically, the use-after-free can be triggered as follows:

  1. Make a parent ToolButton with a callback CB
  2. Within the callback CB, make a child ToolButton with a callback CB2
  3. Within the callback CB2, free the parent ToolButton

The sample from the wild exploits the bug entirely from JavaScript. The code sets up the heap, builds ROP chains, builds shellcode, and triggers the actual bug. The only component of the attack that wasn’t implemented in JavaScript is the last-stage payload (executable file).
