Suivre ce blog Administration + Créer mon blog
11 janvier 2012 3 11 /01 /janvier /2012 01:12

I would believe we are back to Win 9x systems fashion, when adwares used to be legion (at least, in proportion compared to global threats trends at this time). But this case seems to concern any Android OS from 1.6 to 2.x, much more modern systems...

In a nutshell, this adware will:

- add an icon on the main screen of your phone, leading to a kindda "fake" Google search engine

- display adds within the top taskbar, suggesting you to download, or pay I should say, new apps, on a regular basis; therefore accessing the network through 3G connectivity

- remain active as a background service... 


But what are we really talking about? This is all about a game: Helicopter Strike Force. See splashscreen of the game, while loading:



Most of the installed AV I've tested do not detect it: 

- Norton (no screenshot available at the time of the test... :( )

- DrWeb 


- Weebroot


- Kaspersky Lite 


Note that KAV uses the "Kaspersky Security Network", to scan in the cloud the app before its first execution. Although I have installed (and uninstalled) the game twice, with several days between each install, the KSN did not find anything.


I even tried VirusTotal, but no real result. I'm wondering if the command line versions of AV engines that VT uses are able to use mobile-specific threat signatures.


But that's not all, this app will also install a service, that could be surprising for "just" a game...




Now here is the new icon on the main/first desktop:



But the thing is, this search engine is not what you may think. When you launch it, it will get access to livemobilesearch.com... which in turns does look like Google, but it's not!




(bottom of page)



You have to go read the "privacy" link, down the page, to confirm our expectations:



Last, but not least, the results this search engine provides do differ from the Google's ones. For instance, the keyword "music" will return:



While the "real" Google says:



Therefore I'd say that:

- yes, antimalware on some smartphones is more and more needed. I suggest everybody tries one...

- as we have been saying for years on regular computers, be careful regarding the links you click and the apps you download... 



Update 1, 01/15/12:

Let's see what's going on deeper within Android:



It appears that "helicopterstrikeforce" launches 3 processes/services. One of them seems to have an interesting name: noolah.pushnotification. 

Searching Google for it returns the following PDF document:



Pretty interesting too, as it explains the ad's implementation:



There we go: service androidname="com.moolah.NotificationService"!


Therefore, this will act as the adware component, and will remain active even if the game is not being run.

Let's see the result:




"Android app offer", and "Live & work in the USA" are not related to the phone's own processes (or user's actions/RQ).

Here is an example of such advertised apps: once the user has clicked on it, he will be redirected to a website like:



Fortunately, this phone was using WiFi connectivity ATOW, but obviously wireless does not work while roaming (I mean, walking in the street, for instance), thus this ad will create extra (and most likely uncontrolled) data transfer over 3G!


If the mobile network operator does charge data in anyway, those apps may become painful for people's CC. So pay attention whenever an app requires full Internet connexion at install, while it is not necessary according to its type!

Partager cet article
8 janvier 2012 7 08 /01 /janvier /2012 21:20

A bit strange, isn't it, that alert from Certificate patrol? This came up while accessing Facebook with Firefox...






Well, that would mean Facebook rolled back their HTTPS certificate, to re-use a former one, issued on November 2010... Why so? no real clue...

How are we (professionals) supposed to explain that to lambda users? :(


Anyway, I do suggest that more people use browsers add-ons like Certificate Patrol! 

Partager cet article
8 janvier 2012 7 08 /01 /janvier /2012 20:49

Qui a dit que cela n'arrivait pas à tous les fournisseurs de service ? GMail ne fait pas exception à la règle.




Bien que le Copyright sur la page date de 2008, le message lui, date bien de 2011 ! (je n'avais pas eu l'occasion de le poster).


Attention donc à ceux qui veulent "mettre dans le nuage" leurs services informatiques : dans ce cas-là, certains métiers peuvent presque rentrer chez eux... :( 

Partager cet article
8 janvier 2012 7 08 /01 /janvier /2012 20:34

Il y a peu, en démarrant la machine, Kaspersky a affiché des avertissements et la session ne se chargeait plus correctement (pas complètement).


Voici tout d'abord les infos de version du produit, pour savoir de quoi il est question :





Ensuite, le message d'erreur proprement dit (apparu donc soudainement) :




Il semblerait que KAV n'ait pas assez de droits pour se mettre à jour.... étrange !

Pourtant, même en lançant son interface avec un compte administrateur local, rien n'y fait.



Essayons alors en mode sans échec...!




Le fait d'être en mode sans échec est visiblement un "danger", mais qu'importe, la mise à jour ne se fait toujours pas : le message d'erreur de bases corrompues revient.


Il faut en fait faire un retour arrière sur une version antérieure des signatures, redémarrer toujours en mode sans échec, puis relancer la mise à jour ! 





Moralité, si vous avez une présentation à faire ou un travail en mobilité, prévoyez 5 min pour faire un arrêt plus redémarrage de la machine, afin d'être sûr qu'elle redémarrera une fois sur place ! 


Partager cet article
8 décembre 2011 4 08 /12 /décembre /2011 01:08

L'avertissement est, je pense, suffisamment explicite !




Mais où se cache le HTTPS ?

Solution possible : utiliser HTTPS EveryWhere dans Firefox... 

Partager cet article
6 décembre 2011 2 06 /12 /décembre /2011 21:55



First I thouht this was like regular spam, and something close to Viagra (and others...). But, in the end, no...

The contact told me his "mail account" had been stolen, whereas I do believe his computer has been compromised (and then, the bad guys used that to gain access to the email account...).



But when I clicked on it, surprise... The real URL is:

http://bessthoprapi2iad .vv.cc/2i3xuqg42.jsp.

But this will in fact redirect the user to:

http://87.255.77. 35/fw2.pl


Then new redirection: http://dsdss333 .coom.in/dng311011/a90c83a2e63449deddcf99e0660d9f73/spl.php (detected by KAV 2011, but apparently this is not efficient enough to block the infection).


Under IE9, here is what happens:




If I click on Yes, it goes:







Quite regular now, since even if I click "Cancel", a file will attempt to be downloaded, still in a regular way:





 IE 9 tries then to warn me the file "is not being downloaded so often, and could be harmfull"...:






 KAV 2011 does not detect the sample. Neither does MalwareByte.


VirusTotal's results are quite clear! only 2 engines out of 41...!


AhnLab-V3 2011.12.06.01 2011.12.06 -
AntiVir 2011.12.06 -
Antiy-AVL 2011.12.06 -
Avast 6.0.1289.0 2011.12.06 -
AVG 2011.12.06 -
BitDefender 7.2 2011.12.06 -
ByteHero 2011.11.29 -
CAT-QuickHeal 12.00 2011.12.06 -
ClamAV 2011.12.06 -
Commtouch 2011.12.06 -
Comodo 10859 2011.12.06 -
DrWeb 2011.12.06 -
Emsisoft 2011.12.06 -
eSafe 2011.12.06 -
eTrust-Vet 37.0.9607 2011.12.06 -
F-Prot 2011.11.29 -
F-Secure 9.0.16440.0 2011.12.06 -
Fortinet 4.3.388.0 2011.12.06  W32/Kryptik.TAF!tr
GData 22 2011.12.06 -
Ikarus T3. 2011.12.06 -
Jiangmin 13.0.900 2011.12.06 -
K7AntiVirus 9.119.5608 2011.12.06 -
Kaspersky 2011.12.06 -
McAfee 5.400.0.1158 2011.12.06 -
McAfee-GW-Edition 2010.1D 2011.12.06 -
Microsoft 1.7903 2011.12.06 -
NOD32 6681 2011.12.04 -
Norman 6.07.13 2011.12.06  W32/Kazy.NA
nProtect 2011-12-06.01 2011.12.06 -
Panda 2011.12.06 -
PCTools 2011.12.06 -
Prevx 3.0 2011.12.06 -
Rising 2011.12.06 -
Sophos 4.71.0 2011.12.06 -
SUPERAntiSpyware 2011.12.06 -
Symantec 20111.2.0.82 2011.12.06 -
TheHacker 2011.12.01 -
TrendMicro 9.500.0.1008 2011.12.06 -
TrendMicro-HouseCall 9.500.0.1008 2011.12.06 -
VBA32 2011.12.06 -
VIPRE 11212 2011.12.06 -
ViRobot 2011.12.6.4811 2011.12.06 -
VirusBuster 2011.12.06 -
MD5: c7fa7ebcb697b26ac684f8b18a0f30b4
SHA1: 98561e513580021bbd2f715e54a53e96558a8a1f
SHA256: bc9264cd51df7815a96c0753cbacbde9f2f491a191b78a06782854abb93171f4
File size: 129536 bytes
Scan date: 2011-12-06 21:48:09 (UTC)


 About the file:

 I also find interesting to mention that the exefile is in fact made of pure MS technology: Silverlight.





Update 1:

Being run on a fully-patched Win 7 x64, nothing really bad happens... it seems that an additional download fails.

This is also what ThreatExpert tels about the file execution history:


Buggy malware?


Partager cet article
1 décembre 2011 4 01 /12 /décembre /2011 13:46


If you access your Facebook profile, from your cellphone, without using the "facebook app", you'll most likely be redirected to: m.facebook.com.


The problem is that HTTP is being used when you send your email address and password over the network, and not HTTPS! Obvioulsy, this is a pretty bad mistake in security.


For instance, as I train my students to do it (within the lab), it is quite easy to steal a password that is being sent over HTTP, for example with an ARP spoofing attack (and Ettercap or other tools from BackTrack Linux). Let's say that you connect to Facebook using the mobile browser, while being connected to a WiFi... it is then quite simple to launch the spoofing attack!


Therefore I do recommend that people use the official Facebook App, and not the mobile browser, since AFAIK the app uses HTTPS to send credentials to Facebook!


Partager cet article
9 novembre 2011 3 09 /11 /novembre /2011 12:06

Yes, a bit surprising, but yeah, even Google...! I'm talking about the classical GMail interface, which is still regular (the new one has not yet been put as a standard...)


While trying to reply to an email, or even write a new one, here is the warning that is being displayed:



Meaning: "impossible to load the rich text editor".

It is then impossible to write at least within the data part of the email. If you were going to write a new one, you won't be able to write the recipients'addresses nor the subject.

Update 1, 01/15/12:

Bug fixed in version 9...




Partager cet article
9 novembre 2011 3 09 /11 /novembre /2011 01:32


This malware did succeed to install itself on the following configuration:

- Win7 64 bits, fully-patched

- KAV 2011

- user account not administrator (account switch using UAC)

- Opera 11.52 up-to-date

I was just surfing... Therefore I do believe it is a kindda drive-by-download.


Once installed, it will:

- kill all programs running (yes!), including a lot of services (sometimes KAV's service too)

- prevent you from launching new/other programs

- display a fake shield within the taskbar...


 Here is how it starts itself at the beginning of the user's session:  


 The Sysinternals tool "autoruns" does not show it, AFAIK.


According to VirusTotal, only 3 AV engines out of 43 (command line versions) do detect it !

(link: http://www.virustotal.com/file-scan/report.html?id=c6d83ab1348c548b7581153100b8b7eb7c1b89b3e753151594828c2ac78f2c12-1320798644# )


Kaspersky Antivirus 2011 does not detect anything. 

MalwareByte does detect something, but the problem is you can't start it once the malware is being run...





As you can see, the malware stores a file in %appdata%, so that's the Appdata\roaming for the current user.


One hour after my first scan, VT says 3 new engines detect it:

Antivirus Version Last Update Result
AhnLab-V3 2011.11.08.01 2011.11.08 -
AntiVir 2011.11.08 -
Antiy-AVL 2011.11.08 -
Avast 6.0.1289.0 2011.11.08 -
AVG 2011.11.08 -
BitDefender 7.2 2011.11.09 -
ByteHero 2011.11.04 -
CAT-QuickHeal 11.00 2011.11.08 -
ClamAV 2011.11.08 -
Commtouch 2011.11.08 -
Comodo 10714 2011.11.08 -
DrWeb 2011.11.09 -
Emsisoft 2011.11.09 Trojan.Win32.Agent.AMN!A2
eSafe 2011.11.08 -
eTrust-Vet 36.1.8663 2011.11.08 -
F-Prot 2011.11.08 -
F-Secure 9.0.16440.0 2011.11.09 -
Fortinet 4.3.370.0 2011.11.08 -
GData 22 2011.11.09 -
Ikarus T3. 2011.11.08 -
Jiangmin 13.0.900 2011.11.08 -
K7AntiVirus 9.117.5413 2011.11.08 -
Kaspersky 2011.11.09 -
McAfee 5.400.0.1158 2011.11.09 Artemis!61E2511F79EF
McAfee-GW-Edition 2010.1D 2011.11.08 Artemis!61E2511F79EF
Microsoft 1.7801 2011.11.08 -
NOD32 6612 2011.11.08 a variant of Win32/Kryptik.SES
Norman 6.07.13 2011.11.08 W32/Krypt.BD
nProtect 2011-11-08.01 2011.11.08 -
Panda 2011.11.08 -
PCTools 2011.11.09 -
Prevx 3.0 2011.11.09 -
Rising 2011.11.08 -
Sophos 4.71.0 2011.11.09 Mal/FakeAV-PG
SUPERAntiSpyware 2011.11.09 -
Symantec 20111.2.0.82 2011.11.09 -
TheHacker 2011.11.08 -
TrendMicro 9.500.0.1008 2011.11.08 -
TrendMicro-HouseCall 9.500.0.1008 2011.11.09 -
VBA32 2011.11.08 -
VIPRE 11001 2011.11.09 -
ViRobot 2011.11.8.4761 2011.11.08 -
VirusBuster 2011.11.08 -
Additional information
Show all
MD5 : 61e2511f79ef738d73d766c0ab8c8c1a


Most of these detections are heuristic/generic ones!

I've submitted a sample to ClamAV.


About the file:


There even is a Copyright for it...  


Partager cet article
6 novembre 2011 7 06 /11 /novembre /2011 22:40

Just to say that the Opensource world does manage to provide tools being able to filter spams according to a sender's reputation.


Below a few (daily) stats that I have on a messaging server, running:

- Debian fully-patched

- SpamAssassin and Exim4 (with Razor, Pyzor, DCC, *RBL,...)

 TOP SPAM RULES FIRED ---------------------------------------------------------------------- RANK RULE NAME COUNT %OFMAIL %OFSPAM %OFHAM ---------------------------------------------------------------------- 1 BAYES_99 958 51.45 89.20 0.00 2 RCVD_IN_BRBL 921 51.93 85.75 5.84 3 DCC_CHECK 886 53.54 82.50 14.09 4 RAZOR2_CHECK 867 50.00 80.73 8.12 5 RAZOR2_CF_RANGE_E8_51_100 864 49.36 80.45 6.98 6 RAZOR2_CF_RANGE_51_100 864 49.36 80.45 6.98 7 DIGEST_MULTIPLE 852 47.31 79.33 3.68 8 RCVD_IN_XBL 769 41.35 71.60 0.13 9 RDNS_NONE 736 40.87 68.53 3.17 10 RCVD_IN_PBL 689 37.06 64.15 0.13 11 PYZOR_CHECK 625 34.00 58.19 1.02 12 HTML_MESSAGE 512 54.56 47.67 63.96 13 RCVD_IN_SORBS_WEB 479 25.94 44.60 0.51 14 RCVD_IN_BL_SPAMCOP_NET 466 25.24 43.39 0.51 


As we can see, lots among the top 14 of the triggered spam rules are "sender's reputation" related...!


And yes, the filtering efficiency is good.

BTW, congrats to the guys who worked on the Pyzor issue, for it hadn't properly worked for years...

Partager cet article