Archive for May, 2011

Android SMS Trojan

Posted in Malware on May 30, 2011 by keizer


A new threat method is out, and we cannot even trust Google’s Android Market for security anymore…
I am talking about an Android-based Trojan that secretly sends a text message to a certain phone number.


Its nickname is zsone, because the ID of the developer who registered this malicious app in the Android Market was zsone.
A total of 13 apps are currently registered in the name of zsone, and 10 of them contain malicious code.
Currently all 13 registered apps are banned from the market, so they cannot be downloaded any longer.


Currently the malicious behavior we observed only works in China, so if you are located in China, please check your system and see whether any of zsone’s apps appear on your device.


Below is the list of the malicious apps:



* iMatch
* 3D Cube horror terrible
* ShakeBanger
* Shake Break
* Sea Ball
* iMine
* iCalendar
* LoveBaby
* iCartoon
* iBook

Let’s take, for instance, iCalendar from the list above…
Looking at the ‘iCalendar’ source code, you can see that after the app is run, once showImg() has been called five times, sendSms() is called and a text message is sent.
showImg()


sendSms()


Then it sends a text message to ‘1066185829’, using sendTextMessage().
This is a premium-rate number in China, known to be used for billing a certain kind of service.


The save() function below is the flag mentioned above: it saves the ‘Y’ value.
save()


Also, this app separately installs smsReceiver, which hides text messages received from a certain phone number:
smsRecieve()
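As an added example (not code from the zsone apps or from this post), the following Python script triages an AndroidManifest.xml for the two capabilities these apps combine: the SEND_SMS permission and a high-priority receiver for incoming SMS, which is what lets an app intercept and hide a premium service’s replies. The manifest below is a constructed sample; the package name and class names are made up.

```python
"""Manifest triage for the SMS-Trojan pattern described above."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample manifest (not taken from any real app): it asks
# for SEND_SMS and registers a receiver ordered ahead of the SMS app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.icalendar.sample">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="iCalendar sample">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return permissions, SMS receivers (name, priority) and a verdict."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    sms_receivers = []
    for rcv in root.iter("receiver"):
        for flt in rcv.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions:
                prio = int(flt.get(ANDROID_NS + "priority", "0"))
                sms_receivers.append((rcv.get(ANDROID_NS + "name"), prio))
    can_send = "android.permission.SEND_SMS" in perms
    # Heuristic: a receiver ordered ahead of the default SMS app is what
    # lets an app call abortBroadcast() and hide a premium service's replies.
    hides_sms = any(prio >= 1000 for _, prio in sms_receivers)
    return {
        "package": root.get("package"),
        "can_send_sms": can_send,
        "sms_receivers": sms_receivers,
        "suspicious": can_send and hides_sms,
    }


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

On a real APK, extract the manifest first (for example with apktool) since the packaged file is binary XML, not the plain text this parser expects.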




More static analysis is available on the Internet, for example here: p4r4n0id.com

ARP Poisoning / Spoofing

Posted in Network Security, Vulnerability on May 26, 2011 by keizer

What is ARP?
The Address Resolution Protocol (ARP) is a networking protocol for determining a host’s MAC address when only its IP address is known.
This function is critical in local area networking, as well as for routing internetworking traffic across gateways (routers) based on IP addresses, when the next-hop router must be determined.

How does it work?
Let’s say a new computer has been connected to the local network… how does it know where to send its traffic?
The new computer asks everyone on the network (broadcast): “Oi! Can someone please tell me the MAC address for IP 10.0.0.1 (the gateway)…?”
The gateway gets this query and replies: “Hello mate, this is my MAC: 00-AA-11-BB-22-CC”.
So the new computer updates its ARP table, associating the IP 10.0.0.1 with the MAC 00-AA-11-BB-22-CC… “Cheers!”

Spoof ’em! (How to poison…)
ARP poisoning is also known as ARP spoofing, ARP flooding, or ARP poison routing.
Ok, so this is the network:
Network
Now comes the new computer with the question, asking what is the MAC of the gateway:
Query

this is where we enter!
We constantly send the victim computer ARP replies telling it that the MAC address belonging to the gateway’s (router’s) IP is our MAC address:
Response
in order to do so we use: # arpspoof -t victim gateway

We do the same thing with the gateway machine just the other way round, using: # arpspoof -t gateway victim

so after everyone updated their ARP Table, the network will look like this:

Table update

The result is that the victim’s computer (10.0.0.3) now sends its data through us instead of straight to the gateway…

You’ll have to enable IP forwarding on your host so that the traffic passes through it; otherwise the victim will lose connectivity.
# echo 1 > /proc/sys/net/ipv4/ip_forward

Now you can watch all the traffic between the victim host and the outside network going through your machine, using:
# tcpdump host victim and not arp
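From the defender’s side, the same ARP replies that carry out this attack are also what gives it away. As an added example (not the post’s own tooling), the Python script below reads ARP replies in the format `tcpdump -n arp` prints and alerts when an IP suddenly maps to a different MAC, or when a single MAC claims to be both the gateway and a host, which is exactly the two-sided arpspoof pattern described above. The capture lines are constructed; the attacker MAC de:ad:be:ef:00:01 is made up.

```python
"""Passive ARP-spoof detector for the two-sided arpspoof attack above."""
import re
from collections import defaultdict

# Matches the reply form printed by `tcpdump -n arp`.
ARP_REPLY = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")

# Constructed capture (not from a real network): the gateway 10.0.0.1
# answers normally, then a station with the made-up MAC de:ad:be:ef:00:01
# starts claiming both the gateway's and the victim's (10.0.0.3) address.
SAMPLE_CAPTURE = """\
10:00:01.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.3, length 28
10:00:01.000200 ARP, Reply 10.0.0.1 is-at 00:aa:11:bb:22:cc, length 28
10:00:02.000000 ARP, Reply 10.0.0.3 is-at 00:11:22:33:44:55, length 28
10:00:05.000000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:01, length 28
10:00:05.000100 ARP, Reply 10.0.0.3 is-at de:ad:be:ef:00:01, length 28
10:00:06.000000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:01, length 28
"""


def detect_arp_spoof(capture):
    """Return alert strings: an IP changing MAC, or one MAC claiming >1 IP."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for line in capture.splitlines():
        m = ARP_REPLY.search(line)
        if not m:
            continue  # requests and non-ARP lines carry no binding
        ip, mac = m.group(1), m.group(2).lower()
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(f"{ip} changed from {old} to {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(f"{mac} claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_CAPTURE):
        print("ALERT:", alert)
```

A gateway whose NIC was replaced, or a router failover, also changes a MAC, so treat a single change as something to verify against the switch’s port table rather than as proof of an attack.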


There are tools that do this easily… I can recommend Cain & Abel.
You can download it from here
MD5 – 76605141C11167F7EF0CDCAD3AFBA9FA
SHA1 – DC9C46955F4715859AEE41B9022503808362CEC1
This is how:

Select the Sniffer tab, click the + (plus sign), select All hosts in my subnet and click OK.
After the scanning process it will show all the hosts found on your subnet. Right-click and select Resolve host names to find the IP address of the router (192.168.1.1).

(another) Facebook Scam – “dislike” Button

Posted in Malware, Programming, Scams on May 24, 2011 by keizer

Have you seen this post around?

Messages claiming to offer the opposite of a Like button have been appearing on many Facebook users’ walls…

The fact that the “Enable Dislike Button” link does not appear in the main part of the message, but lower down alongside “Link” and “Comment”, is likely to fool some users into believing that it is genuine.

Researchers from Sophos have spotted a currently circulating “Enable Dislike Button” Facebook scam.

Next comes a “Follow the steps below to get the Dislike button” instructions page, similar to the one seen in the Osama Execution video scam published by ZDNet:

However, following it will not only forward the fake message about the so-called “Fakebook Dislike button” to all of your online friends by posting it to your profile, but also run obfuscated JavaScript in your browser.

Once users copy and paste the obfuscated JavaScript into their browsers, all of their friends are spammed with a wall post about the non-existent Dislike feature. The campaigners appear to be monetizing the campaign through a survey scam.


For the time being there is no “dislike” button provided by Facebook, and there isn’t ever likely to be one.

But it remains something that many Facebook users would like, and so scammers have often used the offer of a “Dislike button” as bait for the unwary.

And surprise… here’s the JavaScript source code: http://pastebin.com/uzCkfFQ4

Evil evil facebook…. 😉

Who viewed your profile on Facebook? (Profile Peekers)

Posted in Application, Scams on May 22, 2011 by keizer


You’ve probably noticed, or at least heard about, a Facebook app that pretends to be able to show you whoever viewed your profile.
This application is nothing more than a SCAM; it will NOT show you who has been viewing your profile…
This scam can appear under various names, such as:

  • creepy profile peekers,
  • catch them being creepy
  • creep exterminators
  • privacy bros,
  • we catch stalkers

If you launch this application by pressing Go to app, you will get the following screen:

You’ll have to grant the application access so it can show you who has been stalking your profile, but not before it asks you to complete a survey in order to see the results…
These, of course, are typical fake surveys.

  • For instance, there is a particular survey that asks you to download SmileyCentral:
    ff8d221113615909b07b1ba9ceb8466a (SmileyCentralPFSetup2.3.78.2.NoSA.NoHP.ZNfox000.exe)
  • A different one tempts you to download Webfetti:
    9ed197b533fdf53ab8cf9e83a1b5951d (Webfetti.exe)
  • Another one asks you to fill in your phone number, and then sends a costly SMS in order to unlock the application.

And it won’t settle for that… it will promote itself on (all of) your friends’ walls, as you can see below:


If you now remember that you already saw these screens on your own profile… it’s time to remove this application:

  • Look for the post on your wall that contains the stalker application.
  • Hover over it and you will see an X appear at its top right; click on it and choose Remove.
  • Go to Account, then choose Privacy Settings. At the bottom you’ll see Apps and Websites; click on Edit your settings.
  • Find where it says Apps you use, click on Edit Settings (to the right of it), find the scam application and remove it by clicking the X on its right.

So you’d know…
Facebook’s policy does not allow revealing who is wandering around your profile, so any application that claims to do so is necessarily a scam!
Please help the innocent users of Facebook by reporting such cases as abuse if you come across them…

Keep an eye (some graphs)

Posted in Graphs, Malware on May 19, 2011 by keizer

ESET Top Ten Threats at a Glance

PandaLabs Annual Report 2010

What??

Where?

What about the rest? (by Microsoft)


Where is it coming from? (by Microsoft)

So next time someone asks you “do you know how many malware threats there are in Brazil?” – you’ll know!

…and Go! (null pointer dereference)

Posted in Programming, Vulnerability on May 18, 2011 by keizer

Hello World…

Since this is my first on-air blog post, and the name of the blog is ‘Null Pointer’, I think it would be appropriate to actually write about it and explain what lies behind the name:

The name nu11p0inter was taken from the vulnerability – Null Pointer Dereference:

A null pointer dereference occurs when a program uses a pointer whose value is NULL as if it pointed to a valid memory area and attempts to read from or write to it, causing an immediate segmentation fault error.

Some call it a crash, some a security bug…

You ask why?

One could say that if a program attempts to dereference a NULL pointer, it will always terminate with a segmentation fault error and a crash of the process.
Another will say: unless exception handling is invoked…

But even then, little can be done to salvage the process, so I guess it is only a matter of the security policy of the place where it is found.

Of course, I will not leave you without a code sample of a null pointer dereference:

#include <string.h>

int main(int argc, char **argv) {
    char buf[255];
    char *ptr = NULL;          /* NULL is assigned */

    if (argc > 1) {
        ptr = argv[1];
    }
    /* pointer is dereferenced: with no argument ptr is still NULL here
       (strcpy is also unbounded, but the NULL read is what crashes first) */
    strcpy(buf, ptr);
    return 0;
}

How to avoid it? It is very simple:

1. Before using a pointer, ensure that it is not equal to NULL:

if ( ptr != NULL ) {
 /* use pointer... */
 /* ... */
}

2. When freeing pointers, ensure they are not already NULL, and be sure to set them to NULL once they are freed:

if ( ptr != NULL ) {
 free(ptr);
 ptr = NULL;
}

…and now you know what’s behind the name!