Home anti virus

ExpensiveWall Affects Millions

Google has been battling malicious apps throughout the year, most recently malware was packed in an app called “Lovely Wallpaper”. This new strain of malware was titled “ExpensiveWall”, and hid in the wallpaper application while stealthily racking up premium SMS fees. It further propagates by sending out text messages on your behalf, inviting others to download the same compromised app.

The malware was compressed and encrypted within an SDK used by roughly 50 different apps without being detected by Google. It is still undetermined how much money was actually generated from this SMS scam.

How it Works

ExpensiveWall uses JavaScript along with the enhanced permissions on the infected device to orchestrate the attack. It creates an interactive interface between the app downloaded and a web interface called WebView. This action allows the malware to run in-app controls through this WebView interface including but not limited to sending SMS messages and registering the user devices to premium paid services without notice. The only way for this malware to work is if the user allows full SMS control and communication to its command and control server. This communication will send data about the infected device including IP address, MAC address and Geolocation data.

What can you do to Prevent it?

Simply put, be aware of what permissions you are granting applications when you install them. The fact that millions of other people have downloaded an app and given it good reviews does not mean that it is safe. This app is clear cut proof to that effect. Below are some things that should throw up red flags when installing an application.

• Make calls or texts on your behalf
• Receive SMS
• Read contacts or sensitive device logs
• Communicate with other applications
• Control/disable the keyboard
• Kill processes
• Write secure settings
• Have the ability to authenticate accounts
• Create system services
• Control in-app billing/services
• Accessing GPS data

Some of these may actually be needed in order for certain applications to function properly, but be cautious. If you don’t think that flashlight app needs to make calls on your behalf, don’t install it. Lastly, a solid antivirus with web-browsing and application scanning is a necessity for your mobile device.

PIFTS

Something is rotten in the state of security.

Users of Symantec’s Norton AV have been reporting instances of a file named PIFTS.exe trying to connect out to the Norton updates.

This wouldn’t be news in and of itself, but it seems that Symantec doesn’t want to discuss the issue. All questions regarding PIFTS are removed from the message board within minutes of being posted. Some users have been banned after attempting to repost.

Since they can’t turn to Symantec for answers, many users have turned to the communal knowledge of the web. Unfortunately, the bad guys have also noticed the influx of searches for PIFTS.exe and some of the top results in Google are actually malicious, attempting to infect any visitors with rogue anti-virus Malware. DO NOT DOWNLOAD ANYTHING from those sites.

ThreatExpert has a breakdown of PIFTS and its attempt to phone home here

VirusTotal shows no hits

Brian Krebs @ The Washington Post is trying to get some answers.

SANS Internet Storm Center writes that they’ve been contacted by a Symantec employee who claimed ownership of the file and tried to make clear that it isn’t intended to do any harm.

Nice of them to respond…

But won’t they let people talk about it on the msg boards?

Why the secrecy Symantec?

**Update** (courtesy of Brian Krebs @ The Washington Post)

“David Cole, senior director of product management at Symantec, said the PIFTS file was part of a ‘diagnostics patch’ shipped to Norton customers on Monday evening. The purpose of the update, Cole said, was to help determine how many customers would need to be migrated to newer versions of its software as more Windows users upgrade to Windows 7.”

As to why Symantec was deleting forums posts and banning users for mentioning PIFTS, Cole says, “hundreds of new users began registering on the forum, leaving inane and sometimes abusive comments.”

This is a lame excuse. Though the forums do seem to have been hit by the 4chan crowd, the first people to ask questions were very polite and straightforward. They asked simple questions, like ‘hey, how come part of your software wants to access the Internet?’

Not exactly ban-worthy behaviour.

A forum moderator could have simply (easily!) answered the question and closed the thread. Wouldn’t that have saved everyone a lot of trouble?

Coin Toss

http://tinyurl.com/akvagb

Go. Read the article.

Anti-virus software vendors like to proclaim that their products achieve success rates in the 90%+ range. This is false and misleading.

It is inconceivable that end users (and many corporate entities) still believe that AV software is the catch all for security.

A 50% success rate is unacceptable. It is a coin toss – 50/50 chance – that your network is secure.

“The average delay in detection and remediation was 54 days.”

54 days?! Two months?!

The bottom line here is that Malware created for non-commercial purposes simply does not exist anymore. It hasn’t in over two years.

Modern Malware is specifically designed to operate quietly and unobtrusively for as long as possible. The bad guys are after our social insurance numbers, credit card numbers, bank account details, credit equity, customer lists, a jump on the quarterly earnings, our emails, online payment accounts, access to our social network of friends, ANYTHING they can get their hands on.

Think about it: the average delay in detection is 54 days. For almost two months the bad guys have access to your system.

This isn’t like having your house robbed.

It’s like having your house broken into and the robbers moving in and hiding in your closet for two months.

From home users to large corporate networks, we must – MUST – move beyond our tired notions of network security. The bad guys are always evolving, adapting their Malware to evade detection and improve levels of compromise. Why haven’t the good guys evolved?

The numbers speak for themselves:

“About 3 to 5 percent of all systems in an enterprise are infected with bot-related malware — even within organizations running up-to-date antimalware tools.”

“Antivirus software immediately discovered only 53 percent of malware samples.”

“Another 32 percent were found later on, and 15 percent were not detected at all.”

Now you may be thinking that 15% doesn’t sound like a lot, that maybe that’s an acceptable level of risk. Consider this:

Security researchers around the world analyze anywhere from 20-30,000 pieces of Malware every day. Every day!

The Shadowserver Foundation has analyzed over 19 million Malware samples in the past 12 months alone.

15% of 19 million is a big number.

You really want to take that chance?

The Enemy Within

Two weeks ago, users of AVG’s virus scanner awoke to a nasty surprise: their supposed security software had been updated to identify the file named user32.dll as malicious. Those people most keen to protect their computer systems followed the instructions as directed and deleted the file – only to find that they were now stuck in an endless cycle of reboots.

User32.dll is a core Windows file; and not, as identified by AVG, a Trojan Horse named PSW.Banker4.APSA or Generic9TBN. This is not the first time AVG has struggled with misidentifying Malware, nor is it the first time an Anti Virus company has recommended users remove core Windows files.

In December of last year, Anti Virus company Kaspersky Labs decided that a Virus existed within Windows Explorer, the graphical user interface for Windows itself. Thankfully, Kaspersky managed to catch the error before the damage was too widespread; though, I imagine the employees at the UK enterprise that was affected would tell a different story.

Even Microsoft is guilty of such casual coding. In 2007, Microsoft’s OneCare, an Anti Virus product, when used with Internet Explorer 7, was flagging Google’s Gmail as a Virus. Even Microsoft’s own product weren’t safe, with OneCare regularly quarantining or deleting all of the email in a user’s inbox.

AV companies tout their wares as the silver bullet for personal protection. You know this isn’t true. I know this isn’t true. So, why doesn’t everybody else?

It was bad enough that the generic, non-technical computer user didn’t know that his Anti Virus software is only protecting him from a small percentage of modern threats. Now we also have to let them in on the secret that their “protection” might sometimes do more harm than good.