
New Android trojan virus is nastiest ever discovered yet


June 8, 2013

Security researchers at Kaspersky Labs report that a recently discovered Android Trojan is the most sophisticated mobile malware identified to date, and that its creators clearly invested considerable effort in making it do as much damage as possible on a typical Android device.

In a recent post on Kaspersky Labs' Securelist website, Roman Unuchek describes the malware, named Backdoor.AndroidOS.Obad.a or "Obad" for short, as closer to Windows malware than to a typical mobile Trojan, owing to its complexity and sophistication.

To be sure, Obad uses multiple layers of encryption and code obfuscation to conceal what it's doing to the operating system, and it exploits previously unknown security vulnerabilities in the Android OS to gain near total control over an Android smartphone or tablet.

Obad has no visible user interface and runs silently in the background, communicating with command and control (C&C) servers over the device's internet connection; it can also accept commands via SMS text messages.

Worse, once Obad gains Device Administrator privileges, it takes advantage of an Android security vulnerability to hide itself from the list of applications that have such privileges, making it impossible for the user to remove it from the infected device.

Once installed, Obad can be commanded to perform a variety of functions. It can connect to preprogrammed IP addresses, ping servers, download files from servers and install them, and send text messages.

It can also send data about the compromised device to the C&C servers, including information about installed applications and the user's full contact information.

On the more sophisticated side, Obad can also allow cybercriminals to execute console commands via remote shell access, send infected files to all detected Bluetooth devices, and can act as a proxy server, sending data to a specified address and returning the response.

Additionally, Obad has the ability to block the device's screen for up to ten seconds, to help conceal its malicious activity from the user.

Kaspersky Labs has offered no theory as to who might be running the Obad malware, and no point of origin has been identified yet.

Unuchek added that Kaspersky Lab has already informed Google about the Android security vulnerabilities exploited by the Trojan, and Obad can now be detected by security software from Kaspersky and other security vendors.

If there is a bright spot in any of this, it's that however sophisticated it may be, Obad is still relatively rare. Over a three-day observation period, Kaspersky Lab found that Obad accounted for no more than 0.15 percent of all attempts to infect mobile devices with malware, at least for now.

In other internet security news

Of all the many forms of internet attack system administrators see these days, SQL injection remains one of the most common. Although the vector is old and well understood, it is still very difficult to defend against, despite the precautions already in place in most systems.

Kevin Kennedy, senior manager for Juniper Networks' security business division, is in Australia this week to demonstrate Juniper's latest shot at defeating SQL injection, not with block-by-signature, but by trapping attackers.

Spotlight Secure was launched in February of this year. The concept behind it is that signatures in Web application firewalls are no longer very effective against a patient attacker, input validation only goes so far, and the time has come for better defenses against this kind of attack.

Kennedy said it has been proven that input validation must fail at some point: there will inevitably be a collision between a genuine input that should be passed and a malicious input that should be blocked. Spotlight Secure is designed around that assumption.

It's also inevitable that even with a Web application firewall standing between the SQL server and the Internet, a patient attacker will find a combination of inputs that doesn't trigger a signature alert on the firewall – but does give an attacker an SQL injection vector, nevertheless.

It isn't perfect (nothing ever is), but the idea is to make SQL injection attacks a lot slower and a lot more expensive, while at the same time using super-cookies to fingerprint the attacker in an effort to identify him (or her).

To take a simple example of an attack on a SQL server, an attacker might first try changing some parameters in a URL with the aim of generating errors that reveal more information about the database behind the Website.

From that starting point, the attacker then begins passing increasingly sophisticated parameters to the SQL engine with the ultimate aim of retrieving valuable user IDs and passwords that will gain him access to the system.

Rather than trying to create a perfect validation list, Juniper instead builds fake parameters into the URL, for example offering database parameters such as columns that don't actually exist.

If someone tries to access a "trap" parameter, the system starts treating that user as a likely attacker. Rather than simply blocking the user's IP address (which isn't particularly useful in the long term), a number of actions remain available to the system administrator.

One of them is to slow down system responses to that user, a very simple but very effective way to make the attack more 'expensive' for the attacker.

Another is the super-cookie mentioned earlier. The principle of super-cookies is that they are harder to detect than a standard cookie, and they collect information to more accurately profile the machine they are installed on.

With enough data captured, the browser, the installed fonts, timezone, screen resolution, pointer device, camera type and so on, the system can capture a more exact fingerprint of the attacking machine that might not be unique, but is a pretty useful characterisation of the attacker in the case of a criminal investigation.

Rather than just watching for something easily changed, like the IP address, the system is now looking for the fingerprint of the super-cookie, and acting accordingly.

The aim, Kennedy said, is to track attackers rather than merely blocking them. “We want to change the economics of the attack,” he said. “Slow them down, waste their time, plant the cookie so we can recognise them and go after them.”

In most circumstances, Kennedy said, the characteristics that the super-cookie uses to build its fingerprint change incrementally but very slowly. It's far more common for someone to replace a keyboard or buy a new screen than to configure a whole new system.

At the same time, since an ordinary user of a typical website will never try to get the SQL database server to display the contents of the fake field in the first place, Juniper also hopes to address the false-positive problem that leads even owners of Web application firewalls to under-use the technology from the outset.

Of course, it isn't perfect: an experienced attacker will know how to protect themselves against super-cookies. But Kennedy said this doesn't invalidate the trap itself, since the attack will still be identified and logged.

Another example: you can't 'plant' a super-cookie on a Linux machine booted from a USB stick with no write privileges. But, Kennedy said, the failure of the cookie will flag that machine as a likely attacker, so the evasion is of little use to it anyway.

We asked Kennedy whether the fingerprints collected by super-cookies wouldn't be more useful if they could be shared between security vendors. His answer was yes, if the challenges involved could be overcome.
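The trap-parameter, slow-down and fingerprint mechanics described above, as an added illustrative example (this is not Juniper's code; the trap names, fingerprint attributes and delay schedule are assumptions for the demonstration):

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed trap parameters: no real page uses them, so any request that
# references one is treated as probing (the "columns that don't exist" idea).
TRAP_PARAMS = {"admin_id", "user_pwd_hash", "debug_sql"}
# Assumed attributes a fingerprinting cookie might report back.
FINGERPRINT_KEYS = ("user_agent", "fonts", "timezone", "screen", "pointer")


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)
    fingerprint: str = ""
    delay_seconds: float = 0.0  # tarpit delay to apply before responding


def fingerprint(attrs: dict) -> str:
    """Hash the slowly-changing client attributes into a short identifier."""
    canonical = "|".join(f"{k}={attrs.get(k, '')}" for k in FINGERPRINT_KEYS)
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def classify(query: dict, client_attrs: Optional[dict], strikes: dict) -> Verdict:
    """Decide how to treat one request.
    query: parsed URL query parameters; client_attrs: what the fingerprint
    cookie reported, or None if the cookie could not be set (e.g. a read-only
    live system); strikes: per-fingerprint count of earlier trap hits,
    updated in place so repeat probes get slower each time."""
    v = Verdict(suspicious=False)
    hit = TRAP_PARAMS & set(query)
    if hit:
        v.suspicious = True
        v.reasons.append(f"trap parameter accessed: {sorted(hit)}")
    if client_attrs is None:
        # Cookie failure is itself a signal, as the article notes.
        v.suspicious = True
        v.reasons.append("fingerprint cookie could not be set")
        v.fingerprint = "no-cookie"
    else:
        v.fingerprint = fingerprint(client_attrs)
    if v.suspicious:
        strikes[v.fingerprint] = strikes.get(v.fingerprint, 0) + 1
        # Tarpit: 2 s per prior strike, capped so the server is not tied up.
        v.delay_seconds = min(2.0 * strikes[v.fingerprint], 30.0)
    return v


if __name__ == "__main__":
    history = {}
    print(classify({"page": "2"}, {"user_agent": "ua"}, history))
    print(classify({"user_pwd_hash": "1"}, {"user_agent": "ua"}, history))
```

Keying the strike counter on the fingerprint rather than the IP address is what lets the slow-down follow an attacker who rotates addresses.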

“In and by itself, the concept of simply sharing fingerprints isn't useful in isolation,” he said. “But we believe that sharing the benefits of security technology is important. This industry does not share well together, and we'd like to improve on that.”

"To begin with, Juniper Networks has a partnership announced with RSA, but broader sharing is difficult, because it requires that you have an active proxy using the fingerprints. This is more complex than scoring the reputation of IP addresses," added Kennedy.

“What should be shared is granular and enforceable information-- that's the whole idea. But what we need is for other security solutions vendors to say 'yes, this is something we could do.' We're open to having that conversation,” said Kennedy.

In other internet security news

A new report this morning suggests that hackers are increasingly turning to DNS reflection techniques in an effort to increase the volume of DDoS (distributed denial of service) attacks on the internet infrastructure.

Overall, those techniques have been known about for a few years but they were seldom used in anger, until the debilitating DDoS attacks in March that peaked at 300 Gbps against anti-spam firm Spamhaus and cloud-based DDoS mitigation company Cloud Flare.

A DNS reflection attack typically involves sending a request for a large DNS record or zone file to a DNS server, with the source of the request forged so that the reply appears to have been requested by the intended victim's IP address. There are several variations on the technique.

Open, public-facing DNS servers then respond to the request with a large answer. The attackers' requests are only a fraction of the size of the responses, meaning an attacker can effectively multiply the bandwidth they control by a factor of 100.
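Because the reflector only ever sees the spoofed victim address as its "client", a resolver operator can spot this pattern in query logs. The detection below is an added example, not code from any company mentioned in the article; its log format, request size and thresholds are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed log format for this example (simplified, not BIND's real syntax):
#   "<epoch_seconds> <client_ip> <qname> <qtype> <response_bytes>"
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\w+) (\d+)$")
REQUEST_BYTES = 64  # assumed size of the attacker's small forged query


def amplification(response_bytes: int, request_bytes: int = REQUEST_BYTES) -> float:
    """Bandwidth multiplier the reflector hands the attacker for one query."""
    return response_bytes / request_bytes


def find_reflection_victims(lines, window=60, min_queries=50, min_amp=20.0):
    """Return {claimed_source_ip: (queries_in_burst, mean_amplification)} for
    sources that sent a burst of large-response queries within `window`
    seconds. In a reflection attack that 'source' is the spoofed victim, so
    this identifies who is being attacked and whose answers to rate-limit."""
    per_src = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, src, _qname, _qtype, rbytes = m.groups()
        per_src[src].append((int(ts), int(rbytes)))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over the timeline
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            mean_amp = sum(amplification(b) for _, b in burst) / len(burst)
            if len(burst) >= min_queries and mean_amp >= min_amp:
                flagged[src] = (len(burst), round(mean_amp, 1))
    return flagged


# Constructed sample: 60 ANY queries in 30 s claiming to come from the victim
# 198.51.100.9 (each answered with ~3 KB), plus ordinary lookups from 192.0.2.7.
SAMPLE_LOG = [f"{1370000000 + i // 2} 198.51.100.9 example.com ANY 3000" for i in range(60)]
SAMPLE_LOG += [f"{1370000000 + i * 10} 192.0.2.7 www.example.org A 80" for i in range(5)]

if __name__ == "__main__":
    print(find_reflection_victims(SAMPLE_LOG))
```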

And the same sort of technique has been used as well to run a series of other attacks since, according to Matthew Prince, Cloud Flare's CEO. Traffic of 50 to 60 Gbps in each attack is becoming typical, and that's something that was unheard of, until March.

The attacks on German-based Spamhaus illustrated the open DNS server problem. Mitigation work since then means there are fewer open resolvers to exploit, although not every security expert agrees with that assessment.

Nevertheless, exploiting open systems to run serious attacks of that nature remains relatively straightforward, according to Prince-- "All you need is just ten lines of code or so and a lot of patience,” he said.

As well as the recent high volume attacks, Cloud Flare is also seeing a certain growth in smaller but more sophisticated attacks, often targeting online multiplayer games and similar targets.

In one example, attackers are targeting login credential servers by blitzing them with fake usernames and passwords. The technique is designed to stop rival players from logging back in after they have been knocked offline by so-called booter servers.

With rivals unable to log back into the session, the attackers win by default.

Initial "caveman with a club" SYN flood attacks designed to swamp an internet connection are being followed up by more sophisticated app layer attacks against credential servers, Prince explained. He added that, in many ways, DDoS attacks are getting run for much the same reasons that IRC flamewars used to take place in the old days.

Prolexic, another DDoS mitigation security company, separately announced that it had successfully blocked a massive DNS reflection DDoS attack that peaked at 167 Gbps against an unnamed "real-time financial exchange platform" on May 27.

“This was a massive attack that made up in brute force what it lacked in sophistication,” said Scott Hammack, Prolexic's CEO. “Because of the proactive DDoS defense strategies Prolexic had put in place with this specific client, no malicious traffic reached its website and downtime was avoided for the most part. The company wasn’t really aware it was under attack.”

The DDoS mitigation for this attack was distributed across Prolexic’s four cloud-based scrubbing centres in Hong Kong, London, and two in the United States.

Prolexic’s London-based scrubbing center mitigated the majority of the malicious traffic, which peaked at 90 Gbps back in mid-March.

More background information on DNS reflection DDoS attacks can be found in a whitepaper by Prolexic. We will continue to monitor these developments as they happen, and we'll report them to you once available.

In other internet security news

Google has decided that it is acceptable to tell everybody about newly discovered security holes in software used on PCs, laptops, tablets and smartphones a full seven days after it learns about them, even if that is not enough time for the makers of the vulnerable software to provide a fix.

Google delivered the news on its Online Security Blog: "We recently discovered that attackers are actively targeting a previously unknown and unpatched security vulnerability in software belonging to another company."

Ed. note: Google didn't name that 'other company', but who else could it be than Yahoo... Read on: "We always report these cases to the affected vendor immediately, and we work closely with them to drive the issue to resolution."

But that follow-up apparently isn't happening fast enough, and Google thinks a shorter deadline is entirely appropriate; as the post goes on to say, "we believe that more urgent action -- within 7 days -- is appropriate for critical security vulnerabilities under active exploitation by hackers and attackers all over the globe."

Seven days is therefore the time Google will allow to elapse before it "will support researchers making details available so that users can take steps to rapidly protect themselves."

The logic behind Google's unilateral 'hurry-up guys' is that “each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised.” And Google is 100 percent right when you think of it.

But Google hasn't explained yet what it considers “critical security vulnerabilities”. The Online Security Blog directs readers to this document at the Chromium Projects that details different levels of security-related severity.

The guidelines on offer there pertain only to web browsers. Just what represents a “critical security vulnerability” in a word processor or Android app isn't explained, at least not yet.

So there are some that wonder if Google has just proclaimed itself judge, jury and executioner all at the same time when it comes to software security bugs, inasmuch as it will decide what is a critical issue, and has set the time line in which software makers and vendors must address these issues or face public shaming (by Google).

And let's face it-- there's massive potential for this to blow up in Google's face. Imagine if Google publicises a security flaw that has been imperfectly mitigated, but the outing of the issue sparks even wider attempts at exploitation.

So there are some that will be keeping a close eye on this. A more nuanced response seems sorely needed and seven days seems a reasonable time to wait for the update, in our view. The internet community will be a better place, thanks to initiatives made by Google and others in the quest for better online surfing.

In other internet security news

Eugene Kaspersky, CEO and founder of the Kaspersky internet security firm, suggests that Huawei's telecom equipment could contain some "doors", probably not back doors but something in between. Even so, he said, there is nothing really wrong with Huawei.

The Russian internet security company is nonetheless taking proactive steps to ensure that it doesn't experience the same 'cold shower' reception Huawei has recently found in U.S. and Indian markets.

Kaspersky comes to Australia almost every year and behaves a bit like a Richard Branson but Russian-style, putting on a stunt of some sort for the press, revealing extra-curricular adventures and offering some tidbits that hint at his history of association with Russia's various security programs.

For example, Kaspersky adopted the term "SCADA-Geddon" to describe a likely outcome of online warfare related to the Stuxnet virus, while never quite appearing entirely serious.

So the question is how much weight to place on Kaspersky's claims of grey areas in Huawei products. "We are not going to detect Huawei software as malicious," he said. "And it's not just Huawei that has this grey area in their products. There was a very famous story about Sony rootkits as well, and a similar one with China's ZTE," he pointed out, before adding that he feels Huawei's troubles in the U.S. and India can be attributed to the detection of some suspicious behavior in its equipment and to the politicisation of those issues.

Whatever it is, Kaspersky didn't want to talk politics, but did say that his company is aware of the fact it can be hurt from this, since Kaspersky sells security software in about fifty countries, including the U.S. and India.

“In the U.S., Australia and Western Europe, we are facing similar issues of trust,” he said, and he outlined plans to address those problems before they intensify or grow out of control.

“We are about to have a second backup and compiling systems in the U.S.,” he said. “Americans will have access to the source code and we will be very open to disclose the source code in case of specific requests.”


Source: Kaspersky Labs.
