Sunday, September 29, 2013

Analysis: The Icefog APT: Frequently Asked Questions

Here are answers to the most frequently asked questions related to Icefog, an APT operation targeting entities in Japan and South Korea.


Icefog refers to a cyber-espionage campaign that has been active at least since 2011. It targets governmental institutions, military contractors, maritime and ship-building groups, telecom operators, satellite operators, industrial and high technology companies and mass media, mainly in South Korea and Japan. It is likely that the crew targets organizations in the Western world as well, like the U.S. and Europe.


At the moment, we are not disclosing the names of the victims. Kaspersky Lab is in contact with the targeted organizations as well as government entities in order to help them identify and eradicate the infections.


Our technical research indicates the attackers were interested in targeting a number of entities, mainly in South Korea, Taiwan and Japan. These include defense industry contractors such as LIG Nex1 and Selectron Industrial Company, shipbuilding companies such as DSME Tech and Hanjin Heavy Industries, telecom operators such as Korea Telecom, media companies such as Fuji TV, and the Japan-China Economic Association.


The fact that the organizations above were targeted does not imply the attacks were also successful. Kaspersky Lab is in contact with the targeted organizations as well as government entities in order to help them identify and eradicate the infections.


One of the most prominent incidents that involved this threat actor took place in 2011, when the Japanese House of Representatives and the House of Councillors were infected.


As usual, it's difficult to get an accurate estimate of the number of victims. We are only seeing part of the full picture, which shows several dozen Windows victims and more than 350 Mac OS X victims. It's important to point out that the vast majority of Mac OS X victims (95%) are in China.


The name "Icefog" comes from a string used in the command-and-control server (C&C) name of one of the malware samples we analyzed. We also confirmed that the C&C software is named "Dagger Three" ("????") when translated from the Chinese language.



For martial arts fans, "????" is similar to "???", which is an ancient Chinese weapon.


Note: Another name for the backdoor used in these attacks is "Fucobha".


At its core, Icefog is a backdoor that serves as an interactive espionage tool that is directly controlled by the attackers. It does not automatically exfiltrate data but is instead manually operated by the attackers to perform actions directly on the infected live systems. During Icefog attacks, several other malicious tools and backdoors are uploaded to the victims' machines for lateral movement and data exfiltration.


Icefog is distributed to targets via spear-phishing e-mails which can either have attachments or links to malicious websites. The attackers embed exploits for several known vulnerabilities (e.g. CVE-2012-1856 and CVE-2012-0158) into Microsoft Word and Excel documents. Once these files are opened by the target, a backdoor is dropped onto the system and a decoy document is then shown to the victim.


Lure document shown to the victim upon successful execution of the exploit.


In addition to Office documents, the attackers use malicious pages with Java exploits (CVE-2013-0422 and CVE-2012-1723) and malicious HWP and HLP files.


Note 1: Oracle released patches for both Java vulnerabilities, on Jan 20, 2013 and June 12, 2012 respectively.


Note 2: "HWP" are document files used by Hangul Word Processor. According to Wikipedia, Hangul (also known as Hangul Word Processor or HWP) is a proprietary word processing application published by the South Korean company Hancom Inc. It is used extensively in South Korea, especially by the government.


We have not encountered the use of any zero-day vulnerabilities. However, we cannot completely rule out that unpatched software vulnerabilities may be targeted.


On one of the victims, we observed what appeared to be the use of a kernel exploit through a Java application for what appeared to be an escalation of privileges, although we do not know if it was a zero-day or not, as the file had been deleted by the attackers after being used.


There are both Windows and OS X variants of Icefog. The Windows machines are infected through "hit and run" targeted attacks. The attackers come, steal what they want and leave. The Mac OS X machines were infected through a different method in what appeared to be a "beta testing" phase of the Mac OS X backdoor.


Although we suspect a possible Android variant, we haven't been able to find it yet.


Once the backdoor gets dropped onto the machine, it works as a remotely controlled Trojan with four basic cyber-espionage functions:

- Hijacks and uploads basic system information to C&C servers owned and controlled by the attackers.
- Allows the attackers to push and run commands on the infected system.
- Steals and uploads files from the victims to the command-and-control servers; downloads files (tools) from the C&C servers to the infected computers.
- Allows the attackers to directly execute SQL commands on any MSSQL servers in the network.

In general, each APT attack is different and unique in its own style. In the case of Icefog, there are certain characteristic traits that set it apart:

- Focus almost exclusively on South Korean and Japanese targets.
- Stealing files isn't automated; instead the attackers process victims one by one, locating and copying only the information relevant to them.
- Web-based command-and-control implementation using .NET.
- Command-and-control servers maintain full attack logs filled with each and every command run by the attackers on their victims.
- Use of HWP documents with exploits.
- Several hundred Mac OS X infections.

In June 2013, we obtained a targeted attack sample against Fuji TV. The spear-phishing e-mail contained a malicious attachment that dropped the Icefog malware. Upon further analysis, we identified other variants and multiple spear-phishing attacks.


While analyzing the new attack, it became obvious this was a new version of the malware that attacked the Japanese Parliament in 2011. Considering the importance of the attack, we decided to do a thorough investigation.


There are multiple variants which were created over the years. During our analysis we observed:

- The "old" 2011 Icefog, which sends stolen data by e-mail; this version was used against the Japanese Parliament in 2011.
- Type "1" "normal" Icefog, which interacts with C2s.
- Type "2" Icefog, which interacts with a proxy that redirects commands from the attackers.
- Type "3" Icefog: we don't have a sample of this, but we observed a certain kind of C2 which uses a different communication method; we suspect there are victims which have this malware.
- Type "4" Icefog: same situation as "type 3".
- Icefog-NG, which communicates by direct TCP connection to port 5600 of the C2.

Yes, there are multiple active Icefog C&Cs at the moment, with live victims connecting to them. We were also able to sinkhole several domains used by Icefog and collect statistics on the victims. In total, we observed more than 3600 unique infected IPs and several hundred victims. The full sinkhole statistics are available in our Icefog paper.


The attackers are stealing several types of information, including:

- Sensitive documents and company plans.
- E-mail account credentials.
- Passwords to access various resources inside and outside the victim's network.

There is no concrete evidence to confirm this was a nation-state sponsored operation. The only way to distinguish adversary groups is by identifying their motivations within the scope of the campaign.


APTs can target any organization or company with valuable data, whether it be a nation-state sponsored cyber-espionage/surveillance operation, or a financially-motivated cyber-criminal operation. Based on the analysis and the topology of victims, the attackers could be converting stolen data into money or using it for cyber-espionage purposes.


The "hit and run" nature of this operation is one of the things that make it unusual. While in other cases, victims remain infected for months or even years, and data is continuously exfiltrated, the Icefog attackers appear to know very well what they need from the victims. Once the information is obtained, the victim is abandoned.


During the past years, we observed a large increase in the number of APTs which are hitting pretty much all types of victims and sectors. In turn, this is coupled with an increased focus on sensitive information and corporate cyber-espionage.


In the future, we predict the number of small, focused APT-to-hire groups to grow, specializing in hit-and-run operations.


Attribution information on Icefog is available through our private report available for government and law enforcement partners.


Yes, we observed many victims in several other countries, including Taiwan, Hong Kong, China, USA, Australia, Canada, UK, Italy, Germany, Austria, Singapore, Belarus and Malaysia. However, we believe that this list of countries might not represent the real interest of the attackers. Some of the samples were distributed via publicly available websites and could hit random victims from any country in the world. We believe that was done to probe the malware in different environments and test its efficiency.


Icefog has been active since at least 2011, targeting mostly South Korea and Japan. Known targets include governmental institutions, military contractors, maritime / shipbuilding groups, telecom operators, industrial and high technology companies and mass media.


The command-and-control servers are unusual in their extensive use of AJAX technologies, making them graphically enticing and easy to use. To attack victims, the Icefog attackers commonly use HWP documents, which are an unusual and rare form of attack, partly because the HWP product is used almost exclusively in Korea.


On one of the victims, we observed what appeared to be the use of a kernel exploit through a Java application for an escalation of privileges, although we do not know if it was a zero-day or not, as the file was no longer available.


Yes, our products detect and eliminate all variants of the malware used in this campaign.


Yes, these have been released as part of our detailed report on Icefog.

Blog: The Icefog APT: A Tale of Cloak and Three Daggers

The world of advanced persistent threats (APTs) is well known: skilled adversaries compromising high-profile victims and stealthily exfiltrating precious data over many years. These teams are sometimes dozens or even hundreds of people, going through terabytes or even petabytes of exfiltrated data.

While there is an increasing focus on attribution and on identifying the sources of these attacks, not much is known about a new emerging trend: small hit-and-run gangs that go after the supply chain and compromise targets with surgical precision.

Since 2011, we have been tracking a series of attacks that we link to a threat actor called Icefog. We believe it is a relatively small group of attackers that goes after the supply chain, targeting government institutions, military contractors, maritime and shipbuilding groups, telecom operators, satellite operators, industrial and high-technology companies and mass media, mainly in South Korea and Japan. The Icefog campaigns rely on custom-made cyber-espionage tools for Microsoft Windows and Apple Mac OS X. The attackers directly control the machines infected during these attacks; in addition to Icefog, we noticed other malicious tools and backdoors used for lateral movement and data exfiltration.

Key findings on the Icefog attacks:

Kaspersky Lab would like to thank KISA (Korea Internet & Security Agency) and INTERPOL for their support of this investigation.


We are sharing indicators of compromise for Icefog based on the OpenIOC framework. This gives organizations another way to check their networks for the presence of (active) Icefog infections.

You can download the IOC file (.zip) here.
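To make the OpenIOC sharing concrete, here is an added example (not Kaspersky's code, and not the published Icefog IOC file): a small evaluator that walks an OpenIOC 1.0 document, honours nested AND/OR indicator logic, and checks it against evidence collected from a host. The indicator values are constructed placeholders; only TCP port 5600, the Icefog-NG C2 port named in the FAQ, comes from the page.

```python
"""Evaluate an OpenIOC 1.0 document against host evidence.

Added example, not Kaspersky's code and not the published Icefog IOC file.
Element names and namespace are the real OpenIOC 1.0 ones; the indicator
VALUES are constructed placeholders, except TCP port 5600, the Icefog-NG
C2 port named in the FAQ.
"""
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC document: OR over three branches, one of which is an
# AND of a file-name fragment and a direct TCP connection to port 5600.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="00000000-0000-0000-0000-000000000001">
  <short_description>PLACEHOLDER - Icefog-style host indicators</short_description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00000000000000000000000000000000</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">placeholder-dropper</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <Context document="PortItem" search="PortItem/remotePort" type="mir"/>
          <Content type="int">5600</Content>
        </IndicatorItem>
      </Indicator>
      <IndicatorItem condition="is">
        <Context document="DnsEntryItem" search="DnsEntryItem/Host" type="mir"/>
        <Content type="string">c2.placeholder.invalid</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""


def item_matches(item, evidence):
    """Test one IndicatorItem against the observed values for its search term."""
    search = item.find("ioc:Context", NS).get("search")
    needle = (item.find("ioc:Content", NS).text or "").strip().lower()
    condition = item.get("condition", "is")
    for observed in evidence.get(search, []):
        hay = str(observed).lower()
        if condition == "is" and hay == needle:
            return True
        if condition == "contains" and needle in hay:
            return True
    return False  # unknown conditions never match; OpenIOC 1.0 has only these two


def indicator_matches(node, evidence):
    """Recursively combine child results with the node's AND/OR operator."""
    results = []
    for child in node:
        kind = child.tag.rsplit("}", 1)[-1]  # drop the namespace
        if kind == "IndicatorItem":
            results.append(item_matches(child, evidence))
        elif kind == "Indicator":
            results.append(indicator_matches(child, evidence))
    if not results:
        return False  # an empty block can never match
    if node.get("operator", "OR").upper() == "AND":
        return all(results)
    return any(results)


def evaluate_ioc(xml_text, evidence):
    """Return the IOC id and description plus whether the evidence matches it."""
    root = ET.fromstring(xml_text)
    top = root.find("ioc:definition/ioc:Indicator", NS)
    return {
        "id": root.get("id"),
        "description": root.findtext("ioc:short_description", "", NS),
        "match": indicator_matches(top, evidence),
    }


# Constructed host evidence: OpenIOC search term -> values observed on the host.
CLEAN_HOST = {
    "FileItem/Md5sum": ["d41d8cd98f00b204e9800998ecf8427e"],
    "FileItem/FileName": ["WINWORD.EXE", "notepad.exe"],
    "PortItem/remotePort": [80, 443],
    "DnsEntryItem/Host": ["update.example.com"],
}
SUSPECT_HOST = dict(CLEAN_HOST)
SUSPECT_HOST["FileItem/FileName"] = ["WINWORD.EXE", "Placeholder-Dropper.exe"]
SUSPECT_HOST["PortItem/remotePort"] = [443, 5600]  # Icefog-NG style connection

if __name__ == "__main__":
    for label, host in (("clean", CLEAN_HOST), ("suspect", SUSPECT_HOST)):
        print(label, evaluate_ioc(SAMPLE_IOC, host))
```

The evidence dictionaries stand in for whatever a host agent or forensic triage collects; keying them by the OpenIOC `search` term keeps the evaluator independent of the collection tool.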


A detailed FAQ on Icefog is available.

Tuesday, September 24, 2013

The Death of an Adjunct, The School Revolution, and More

“On Sept. 1, Margaret Mary Vojtko, an adjunct professor who had taught French at Duquesne University for 25 years, passed away at the age of 83,” writes Daniel Kovalik. “She had just been let go from her job as a professor at Duquesne, that she was given no severance or retirement benefits, and that the reason she was having trouble taking care of herself was because she was living in extreme poverty.” Shame on Duquesne University. Shame on the whole university system that increasingly relies on adjunct labor. Shame on a country that does not believe in universal health insurance and a living wage for all.


EdX launched a new program, “the XSeries,” that will offer certificates for students who complete a sequence of classes offered on its MOOC platform. The program starts with two series: Foundations of Computer Science and Supply Chain and Logistics Management. These new certificates will require an ID verification program, newly launched from edX too. More details on the courses and the fees in Inside Higher Ed.


The UK MOOC consortium FutureLearn officially opened its doors this week, with 20 upcoming classes on the schedule. There was a bit of furor online about FutureLearn’s Terms of Service, which included an “English-only” provision that, thankfully, has been amended.


CalTech joins edX.


Nanyang Technological University joins Coursera.


All of the courses that make up the first year of Wharton’s MBA program are now available online via Coursera.


The Minerva Project, a for-profit education startup that promises it will offer an “elite” education, revealed its tuition prices this week: $10,000 per year. That figure does not include other expenses like textbooks and room-and-board. That’ll run you about $28,850 per year. Applications for the inaugural class, starting Fall 2014, are due at the end of the year.


Faculty at Penn State objected to a new health plan that requires “nonunion employees, like professors and clerical staff members, to visit their doctors for a checkup, undergo several biometric tests and submit to an extensive online health risk questionnaire that asks, among other questions, whether they have recently had problems with a co-worker, a supervisor or a divorce. If they don’t fill out the form, $100 a month will be deducted from their pay for noncompliance.” The story hit The New York Times; the administration backed down.


The University of Alabama student newspaper investigates sororities and segregation.


The broke-ass University of California system is considering spending between $3.5 million to $6 million to renovate Blake House, the 13K-square-foot mansion once home to UC presidents. Because higher learning.


The faculty union at the University of Oregon has signed its first contract; and among the “wins,” the administration has caved on its proposals to curb faculty speech. So much happiness in Eugene, particularly as the Ducks football team is 3–0, ranked number 2, and YAY FOOTBALL. THE REAL REASON FOR COLLEGE AMIRITE.


iOS7, the latest version of Apple’s mobile operating system, was released this week. Somewhere out there are the Top 10 Reasons Why This Changes Education Forever. Or something.


Google Creative Labs plus Raspberry Pi equals Coder, “an open source tool that turns Raspberry Pi into a simple, tiny, personal web server and web-based development environment – just what you need for crafting HTML, CSS, and JavaScript while you’re learning to code.”


Fluencia, a new language-learning site (for Spanish), has just launched. Comparing itself with Rosetta Stone, Fluencia says it costs “$” to the other’s “$$$$$.” How do you say “price transparency failure” in Spanish?


Pearson is partnering with The Community College Preparatory Academy, a charter school for adults that’s just opened in Washington DC. The school will use online classes and services from Pearson.


Pearson has named the participating companies in its newly launched India-based education accelerator program. The cohort of 15 is listed here.


Boston-based education accelerator program LearnLaunchX graduated its first cohort of startups. Edsurge covers the Demo Day, where the 7 startups made their pitch to investors.


The Cybersecurity Competition Federation has just been formed, reports The Chronicle of Higher Education, to put (secondary and postsecondary) student cybersecurity hacking competitions under one organization.


The Randolph County (North Carolina) school board has banned Ralph Ellison’s 1952 novel Invisible Man citing a lack of “literary value.”


The US Department of Education has issued guidelines on how to handle the “double-testing” that might arise from the requirements for NCLB testing along with the new CCSS assessments. According to Education Week, this will give states “the chance to suspend their current tests this spring, as long as they administer field tests being designed by the two common-assessment consortia in math and English/language arts.”


The US Senate’s education committee has started the super-fun-awesome-productive-efficient-no-worries-they’ll-fix-it process of updating the Higher Education Act. Stay tuned.


The Atlanta Journal-Constitution continues its coverage of testing in schools, this time with a (paywalled – boo) article on their many errors. “In a year-long national investigation, the newspaper examined thousands of pages of test-related documents from government agencies — including statistical analyses of questions, correspondence with contractors, internal reports and audits. The examination scrutinized more than 100 testing failures and reviewed statistics on each of nearly 93,000 test questions given to students nationwide. The reporting revealed vulnerabilities at every step of the testing process. It exposed significant cracks in a cornerstone of one of the most sweeping pieces of federal legislation to target American schools: The No Child Left Behind Act of 2001.”


PARCC has put out an RFP for a technology platform to be used to deliver its new Common Core State Standards assessments and build a data management and reporting system for them. Estimated price: between $16.5 million and $17.5 million.


The free school-to-home messaging app Remind101 has raised $3.5 million in a Series A round of investment. (Hey David and Brett: What’s your business model?)


Wikibrains has raised $750,000 in funding. More details on the startup in Edsurge.


The online training company Simplilearn has raised $10 million in a Series B round of investment.


Shmoop has taken its first venture capital investment, an undisclosed amount from Fortune 8. Fortune has a closer look.


Texas A&M raised a record-breaking $740 million in donations last year. ONCE AGAIN YAY FOOTBALL.


Marc Sternberg, the NYC Department of Education official in charge of school closures, is leaving the agency to work for the ed-reform bonanza at the Walton Family Foundation. Nothing to see here. Move along…


ISTE has named Jodie Pozo-Olano, formerly head of PR for Promethean, as its new Chief Communications Officer.


Jaime Aquino, the instructional chief for the Los Angeles Unified School District, resigned last week, saying that the “school board’s recent efforts to stall key reform initiatives have left him unable to do his job.” More via the Los Angeles Daily News.


Layoffs at Blackboard, reports The Washington Business Journal. The rumored figure of 140 employees let go is too high, insists CEO Jay Bhatt. No matter what the final number, this one doesn’t bode well for Blackboard: it now has just 45% of the market share, down 26 points over the past 6 years. Ouch.


Northeastern University history prof Ben Schmidt has built a wonderful interactive visualization on “How are college majors changing.”


The Chronicle of Higher Education writes up the results of a recent Public Agenda survey of employers and community college students which finds pretty tepid support for online education. Among the findings, “community-college students disputed the idea that online courses were more convenient and easier than traditional courses. According to the survey, students said not only were the online classes harder but they learned less.”


The Atlantic looks at research based on UNC pharmacy professor Russell Mumper’s use of the flipped classroom. “In one setting, in one class, over 3 years, student performance improved in a statistically significant way in a flipped classroom model. That’s the news.”


“Students Really Do Learn Stuff on Field Trips.” More details on the research, and a call to reverse the trend of cutting the budgets for field trips, also in The Atlantic.


Congratulations to the winners of the Reclaim Open Learning Innovation Contest: DigiLit Leicester, DS106, FemTechNet, Jaaga Study, and Photography BA Hons and Phonar-Ed. (Disclosure: I was a judge.)


Education historian and activist Diane Ravitch’s latest book, Reign of Error, was released this week. My review is here.


Libertarian and former Texas Congressman Ron Paul has a new book on education out this week too. The School Revolution tells women to quit their jobs and homeschool their kids. (He offers a curriculum online.) Kevin Carey's review is here.


Image credits: Pedro Szekely and The Noun Project

Monday, September 23, 2013

Blackhat USA 2013 Day 2 - Double Fetch 0day, ICS/SCADA, and Remembering Barnaby Jack

Blackhat 2013 day 2 brought 0day, a sad remembrance of young researcher Barnaby Jack, and ICS/SCADA security vulnerabilities and review.

Highlights of day 2 included a mind-blowing talk from Mateusz "j00ru" Jurczyk and Gynvael Coldwind, further exploring the kernel-level double fetch vulnerability research that has attracted interest since at least 2008. It is interesting stuff considering that buffer overflow code is particularly well audited, but race conditions simply are not. Race conditions like these enable EoP exploitation and other severe potential attacks. The two developed the Bochspwn framework to implement CPU-level OS instrumentation to locate double fetch vulnerabilities, and have been cranking out substantial findings in the Windows and Linux kernels since. They dropped Windows 8 0day (already reported to Microsoft) with yet more discoveries, releasing their Bochspwn project code during their talk "Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns". It's interesting that the FreeBSD code they examined had been audited before and thus doesn't contain these bugs, while Linux and Windows pour out related issues.

They are hoping that folks can port the code to assess interesting and exotic embedded platforms and contribute to the body of work. Unfortunately, a second part of their work, Hyperpwn, presented some unexpected technical challenges in the structure of the memory regions they are most interested in, and it was not ready for primetime. Research is like that, and the talk was fantastic without it. Their work also happened to win a well deserved "Most Innovative Research" Pwnie the night before.



"SCADA Device Exploitation" highlighted a large dependency in attacking ICS environments: "it's all about the pivot". Meaning, ICS environments are best infiltrated from the back office and down through the reporting and control environment, historian servers and other Windows resources, potentially to the PLCs themselves. A later talk, "Compromising Industrial Environments from 40 Miles Away", chipped away at that myth by exposing poor and insecure crypto implementations in various heavily used ICS products. In addition, the realities of present-day ICS implementations certainly do not follow the generic network maps positioning PLCs buried layers down in the network. Network resources are distributed, and operations and implementations are poor and messy. But they had other interesting points and demos. They pointed out OPC as a DCOM-based technology used "everywhere in the process control industry", resulting in tons of firewall ports allowing access across LANs, and that 93,793 insecure Modbus-based ICS services were listening on ports directly connected to the internet in 2012. They then demoed weaknesses in often-used PLC devices, forcing a pump to overflow a tank while the reporting HMI claimed devices were operating properly, in another throwback to the Stuxnet incident.


"Compromising Industrial Environments from 40 Miles Away" outlined impressive audits of several unnamed vendors' commonly used SCADA devices, showing that the authentication and crypto schemes on these devices frequently fail to deliver on the marketing messages these vendors pitch. Weak ICS radio encryption can enable remote access to insecure Modbus-based devices, and the speakers demoed an animated small tank explosion. They even identified remote memory corruption 0day in a remote gateway device, resulting in a system freeze, a significant problem in ICS environments.


Of course, Barnaby Jack's slot "Implantable Medical Devices: Hacking Humans" was not replaced. Instead, the room was used to celebrate Jack and his work as an inspiration, a colleague, a friend and authentic hacker. The night before he was awarded the only "Pwnie for Lifetime Achievement", "Awarded to those of us who have moved on to bigger and better things."


Cheers to looking forward to another gathering in 2014...

AntiHacking DNSSec day in Colombia

August 14, 2013

The event was "Day of Technology and DNS Security". This was the 3rd edition of a very technical conference where network experts discussed future trends in DNS security, IP management and IT security related issues.


This year Kaspersky Lab also participated and I had the opportunity to give a presentation about attacks on network devices and network attacks inside of the Colombian Internet space. We also showed how Russian cybercriminal operations work inside the .CO space. Speaking about .CO domains, these recently became very popular, which is why even cybercriminals have begun to use them.

The good thing is that the .CO provider takes security very seriously and takes down malicious domains very quickly.

The list of the participants included: Nic Chile, Renata, Internet Society, Lacnic, Ministry of Information Technologies and Communications of Colombia.


Raquel Gatto from Internet Society gave a presentation on the legal side of the regulation of the Internet and called for collaboration to make the Internet better. Official information is available at http://www.internetsociety.org/deploy360/experts/

Juan Alejo Peirano from Lacnic presented the current state of IPv4 in LatAm and the usage of IPv6 in the region. He also showed practical scenarios of advanced network security by using IPv6 and DNSSec as best practices.


Mauricio Vergara from Nic Chile gave a very nice presentation on the practical management of DNS servers, how to secure them and what not to do in order to avoid any problems. Also, he explained the way to obtain protection against DDoS attacks by using anycast.


The official paper in Spanish about the objective of the event, the audience and the complete list of speeches is available at http://www.slideshare.net/villamizarfmarco/co-internet-dia-tec-y-seg-dns-agosto-14-20131



Blog: GCM in malicious attachments

Android OS offers an interesting service known as Google Cloud Messaging, or GCM. This service allows small (up to 4 KB) messages in JSON format to be sent via the Google server to users' mobile devices. These messages may contain any structured data, such as links, advertising information, or commands.


In order to use this service, a developer must first obtain a unique ID for their application, which is used to register the application with GCM. After registration, the developer may send data to all devices on which the registered application is installed, or to just some of them.


The service is used to locate stolen phones, change phone settings remotely, send out messages about the release of new game levels or new products, and more.


It would be surprising, of course, if virus writers did not attempt to take advantage of the opportunities presented by this service. We have detected several malicious programs that use GCM as a C&C.


This is one of the most widespread threats targeting Android. Kaspersky Lab detected over 4,800,000 installers for this Trojan, and in the last year alone, Kaspersky Mobile Security (KMS) blocked over 160,000 attempted installations.


The Trojan can send text messages to premium numbers, delete incoming text messages, generate shortcuts to malicious sites, and display notifications advertising other malicious programs that are spread under the guise of useful applications or games.


The Trojan is registered in the GCM system:


The FakeInst.a Trojan was detected in over 130 countries. Its primary targets are Russia, Ukraine, Kazakhstan, and Uzbekistan.


This Trojan is disguised as a porn app, but in fact it consists of just two images. The main objective of this Trojan is to send premium text messages. Kaspersky Lab detected over 300 installers for this Trojan.


Furthermore, GCM is also used to issue commands to send text messages and create notifications with information or advertising content in the notification zone:



In total, KMS blocked over 6,000 attempts to install Trojan-SMS.AndroidOS.Agent.ao. This Trojan targets mainly mobile devices in the UK, where 90% of all attempted infections were detected. This threat has also been detected in Switzerland, Iran, Kenya, and South Africa.


This threat is a classic example of an SMS Trojan. It is distributed as an APK under the guise of a number of games, apps, etc. Kaspersky Lab has detected over 1,000,000 different installers for this Trojan.


GCM and the Trojan’s C&C have equal rank when it comes to sending commands.


The Trojan has a relatively wide range of functions:

- sending premium text messages to a specified number
- sending text messages (typically with a link to itself or a different threat) to a specific number, typically to numbers on the contact list
- performing self-updates
- stealing text messages
- deleting incoming text messages that meet the criteria set by the C&C
- theft of contacts
- replacing the C&C or GCM numbers
- stopping or restarting its operations
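As an added example (not Kaspersky's or Google's code), here is a triage script for a decoded AndroidManifest.xml that flags the combination described in this post: GCM registration, the plumbing any legitimate push-enabled app also declares, sitting alongside SMS and contacts permissions and a high-priority receiver for incoming SMS. The manifests and package names are constructed; the script assumes the APK has already been decoded to plain XML (for instance with apktool).

```python
"""Triage a decoded AndroidManifest.xml for the GCM-as-C&C + SMS-abuse profile.

Added example, not Kaspersky's or Google's code. Assumes the manifest has
already been decoded to plain XML (e.g. with apktool). The sample manifests
and package names below are constructed.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute prefix

# GCM plumbing: legitimate apps declare exactly the same, so alone it is noise.
GCM_PERMISSIONS = {"com.google.android.c2dm.permission.RECEIVE"}
GCM_ACTIONS = {
    "com.google.android.c2dm.intent.RECEIVE",
    "com.google.android.c2dm.intent.REGISTRATION",
}
# Capabilities the Trojans described in the post pair with GCM commands.
SMS_CAPABILITIES = {
    "android.permission.SEND_SMS": "send (premium-rate) text messages",
    "android.permission.RECEIVE_SMS": "see incoming text messages",
    "android.permission.READ_SMS": "read stored text messages",
    "android.permission.READ_CONTACTS": "harvest the contact list",
    "com.android.launcher.permission.INSTALL_SHORTCUT": "plant home-screen shortcuts",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def triage_manifest(xml_text):
    """Summarise GCM registration and SMS-related capabilities of one manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    actions = {e.get(A + "name") for e in root.iter("action")}
    gcm = bool(perms & GCM_PERMISSIONS or actions & GCM_ACTIONS)

    # A high-priority receiver on SMS_RECEIVED is how an app gets to see (and,
    # on older Android versions, abort) an incoming message before the default app.
    sms_priority = None
    for flt in root.iter("intent-filter"):
        if SMS_RECEIVED in {a.get(A + "name") for a in flt.iter("action")}:
            prio = int(flt.get(A + "priority", "0"))
            sms_priority = prio if sms_priority is None else max(sms_priority, prio)

    capabilities = [desc for perm, desc in SMS_CAPABILITIES.items() if perm in perms]
    if sms_priority is not None:
        capabilities.append(f"intercept incoming SMS (receiver priority {sms_priority})")

    # Profile from the post: GCM registered AND able to send SMS AND at least one
    # more SMS/contacts capability. Ordinary GCM apps lack the SMS side entirely.
    profile = gcm and "android.permission.SEND_SMS" in perms and len(capabilities) >= 2
    return {
        "gcm_registered": gcm,
        "capabilities": capabilities,
        "sms_receiver_priority": sms_priority,
        "verdict": "gcm-c2-sms-profile" if profile else "no-match",
    }


# Constructed manifest resembling the Trojans above (placeholder package name).
TROJAN_LIKE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <application>
    <receiver android:name=".SmsWatcher">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".CloudReceiver">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
        <category android:name="com.example.placeholder.game"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary GCM-using app: same push plumbing, no SMS.
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.news">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <application>
    <receiver android:name=".PushReceiver">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("trojan-like", TROJAN_LIKE), ("benign", BENIGN)):
        print(label, triage_manifest(manifest))
```

The verdict is a triage hint, not a detection: a legitimate SMS client with push notifications would also match, which is why the capability list, not the verdict, is what an analyst reads.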

Remarkably, during the installation of certain modifications of this Trojan, Android 4.2 warns the user that this is in fact a malicious application. Unfortunately, this does not happen for all modifications.



Kaspersky Lab has detected this Trojan in 97 countries. It is most often detected in Russia, Ukraine, Kazakhstan, Azerbaijan, Belarus, and Uzbekistan. KMS blocked over 60,000 attempts to install OpFake.a in these countries.


Over 1,000 attempted installations were blocked in Italy and Germany.


Kaspersky Lab first detected this backdoor back in late 2011, and new modifications have been appearing ever since. Currently there are over 40 variants of this threat. All of these modifications are very similar to one another; the app opens websites with games, while malicious operations are executed in the background.



The first thing the backdoor sets out to do is collect information about the phone and the SIM card, including the phone number and the mobile provider. All of this data is uploaded to the androidproject.imaxter.net C&C. This is the server that manages all of the Trojan’s primary functions.



Next, the threat is registered with GCM, which is then used as an additional command source:



The backdoor’s functions focus mainly on secretly manipulating text messaging features, such as sending, deleting, and redirecting incoming messages. Furthermore, the threat can also install shortcuts without the user knowing, and independently open web pages. It can also initiate phone calls, although that action requires user confirmation.
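To make the pattern described above concrete (the GCM registration used as a second command source, and the send/delete/redirect text-message capabilities that OpFake.a and this backdoor share), here is an added triage script. It is not Kaspersky's code and is not taken from any of the samples discussed; it parses an AndroidManifest.xml that has already been decoded from binary AXML (for example with apktool) and flags the combination of a GCM receiver, SMS permissions and a high-priority SMS_RECEIVED receiver. The sample manifest, the package name com.example.fakegame, the receiver class names and the priority threshold are all constructed assumptions for illustration.

```python
"""Triage a decoded AndroidManifest.xml for the GCM-command-channel + SMS-Trojan pattern.

Added example, not code from the article or from any analysed sample. Assumes the
manifest has already been decoded from binary AXML (e.g. by apktool).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{" + ANDROID_NS + "}"  # prefix for android:* attributes in ElementTree

# Indicators that the app wires itself into GCM (legitimate apps do this too).
GCM_PERMISSION = "com.google.android.c2dm.permission.RECEIVE"
GCM_RECEIVE_ACTION = "com.google.android.c2dm.intent.RECEIVE"

# Permissions behind the SMS capabilities listed in the text.
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.WRITE_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Arbitrary threshold (assumption): SMS Trojans of this era typically register
# their SMS_RECEIVED receiver with the maximum priority so that they see an
# incoming text before the stock messaging app and, on Android before 4.4,
# can abort the broadcast, which is how "deleting incoming text messages" works.
SUSPICIOUS_PRIORITY = 1000

# Constructed sample manifest; package and class names are placeholders.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakegame">
  <permission android:name="com.example.fakegame.permission.C2D_MESSAGE"
      android:protectionLevel="signature"/>
  <uses-permission android:name="com.example.fakegame.permission.C2D_MESSAGE"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Free Game">
    <receiver android:name=".GcmReceiver"
        android:permission="com.google.android.c2dm.permission.SEND">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
        <action android:name="com.google.android.c2dm.intent.REGISTRATION"/>
        <category android:name="com.example.fakegame"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return a dict of findings for one decoded manifest (str or bytes)."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")  # let expat honour the XML declaration
    root = ET.fromstring(xml_text)

    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    findings = {
        "gcm_permission": GCM_PERMISSION in perms,
        "gcm_receiver": False,
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "sms_receiver_priority": None,  # None = no SMS_RECEIVED receiver at all
    }

    # Walk every receiver's intent filters: GCM delivery and SMS interception
    # both arrive as broadcasts, so this is where both capabilities show up.
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {a.get(A + "name") for a in flt.iter("action")}
            if GCM_RECEIVE_ACTION in actions:
                findings["gcm_receiver"] = True
            if SMS_RECEIVED_ACTION in actions:
                prio = flt.get(A + "priority")
                findings["sms_receiver_priority"] = int(prio) if prio is not None else 0

    findings["gcm_command_channel"] = findings["gcm_permission"] and findings["gcm_receiver"]
    findings["sms_trojan_pattern"] = (
        findings["gcm_command_channel"]
        and "android.permission.SEND_SMS" in perms
        and findings["sms_receiver_priority"] is not None
        and findings["sms_receiver_priority"] >= SUSPICIOUS_PRIORITY
    )
    return findings


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(key, value)
```

A GCM receiver on its own is not evidence of anything, since that is exactly how legitimate push notifications are wired up; the script only raises the combined verdict when the GCM channel sits next to SEND_SMS and a top-priority SMS_RECEIVED receiver, which is the shape of the capability list given for these families. Run it over the decoded manifests of a corpus of installers and review the hits by hand.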


This threat is spread through the website http://www.momozaap.com/.


Over the past year, KMS blocked nearly 500 attempted installations of this backdoor. This malicious program is detected most often in Malaysia, and it has also been detected in Thailand, the Philippines, and Burma.


Incidentally, this threat’s code includes a Malaysian telephone number.



This number is not used anywhere yet, but the attackers likely plan to use it as an additional command source.


Kaspersky Lab has had Trojan-SMS.AndroidOS.Agent.az on its radar since May 2012. It is a shell app for a Vietnamese porn website which also sends text messages to a premium number. Presently, over 1,000 modifications of these apps have been detected, and in the past year alone KMS has blocked over 1,500 attempted installations.


Next, it sends text messages to a premium number.


The Trojan uses GCM to receive certain messages and add them to the cell phone’s notification section.


Since this Trojan clearly targets users in Vietnam (all of the text displayed to the user is in Vietnamese), our test phone with a Russian number apparently never received any of these messages. Nevertheless, experience has shown that sooner or later this kind of advertising will be pushed out by other malicious programs disguised as useful apps or games.


This Trojan has been detected primarily in Vietnam, although Kaspersky Lab has also detected it in Russia, Italy, Indonesia, and Malaysia.


Even though the current number of malicious programs using GCM is still relatively low, some of them are widespread. These programs are prevalent in some countries in Western Europe, the CIS, and Asia.


No doubt, GCM is a useful service for legitimate software developers. But virus writers are using Google Cloud Messaging as an additional C&C channel for their Trojans. Commands sent over GCM are delivered by Google's own push infrastructure, over the same connection that legitimate apps use, rather than by a server the malware owns, so they cannot be blocked on an infected device simply by filtering the Trojan's C&C traffic. The only way to cut this channel off from virus writers is to block the developer accounts whose IDs are linked to the registration of malicious programs.


Kaspersky Lab has already reported the GCM IDs found to be associated with malicious programs to Google.

iPhone 5s Fingerprint Sensor Bounty: Hacker Can Get $16K After Verification

Hackers are already hammering away at the iPhone 5s fingerprint sensor. The phone finally goes on sale on Friday, and a group is already preparing to break this new iPhone security feature.


The news is that the hacker community is ready to get its hands dirty cracking Apple's new Touch ID sensor, which is built into the home button of the iPhone 5s. Two security experts, Robert David Graham and Nick DePetrillo, have launched a website that tracks whether anyone has broken the sensor yet.


The two have begun collecting a bounty for the first person to get past Touch ID using a fingerprint lifted from something like a glass or a beer bottle.


"Gummy bears have already been used by some hackers to lift fingerprints," Graham told ABC News. He added: "We maintain that it is very difficult to do, and so we started collecting a bounty for the first lucky person who can..."


People from the hacking and security community have already begun contributing to the bounty; #istouchidhackedyet is the hashtag under which pledges are made. The total has already reached $16,000, with contributions in the form of bitcoins, bottles of alcohol, and cash. I/O Capital Partners has pledged $10,000.


Graham explained that a well-established principle in the security community is that you cannot trust anything until a bounty has been attached to it. The idea is return on investment: if there is no payoff for breaking a system, or for testing whether its security actually holds up, most hackers will not bother, and the few who would otherwise put in a dedicated effort have no reason to. Companies like Google, Facebook and other big players have announced rewards for anyone who reports a security flaw in their systems.


Graham noted, however, that if someone does manage to hack Touch ID, they will have to collect the bounty from each contributor individually. In the meantime, all news about the bounty is posted on the website.

Apple gave no immediate response to ABC News' request for comment. Last week, however, the company clarified that fingerprint data is stored encrypted on the iPhone's processor.
