Malware Calendar Wallpaper for January 2011

December 31st, 2010 David Posted in Industry News, Kaspersky

We’d like to wish all our readers a very happy New Year and offer you a small gift: a selection of wallpaper calendars marking the dates of the most significant events in the history of the IT security industry.

Right now you can install wallpaper dedicated to past events that occurred in the month of January. Throughout 2011 you will be able to download a different wallpaper for each month.

1280×800 | 1680×1050 | 1920×1200 | 2560×1600

As well as being a pleasant background for your desktop, we hope that our wallpaper will help you recall the key events and epidemics in the history of IT security. And hopefully such things won’t affect you in the future, even if they did in the past.


Gaming the Security

December 30th, 2010 Tim Posted in Industry News, Kaspersky

Modern game consoles are no longer dedicated only to gaming; they offer a great variety of entertainment and many ways to support the whole gaming experience: platforms to meet other gamers from around the globe, sharing thoughts via private messages and status updates, a fully fledged browser to surf the web, media server capabilities, and even online stores to buy games and additional game content via credit cards and gift coupons, which can be bought in shops if you don’t have a credit card.

Does that remind you of something? Indeed, it’s actually pretty similar to a social network, and it can also be connected to Facebook & Co. to keep your friends updated on what trophies or achievements you just won.

In terms of security the vendors of these consoles did a pretty good job: all internal systems were hardened, and signed installers made sure you can’t install anything you want, which may annoy some people but keeps the system secure. But now it seems the game has changed for the PS3. While it was possible to jailbreak the system with specially crafted USB sticks before, the first soft-mods are now available. The reason? Four years after the release of the PS3, the master key was found by a group of modders. Many gamers are now taking the chance to individualize their system by installing a homebrew environment that allows programs unapproved by Sony to be run.

So what are the consequences? First of all, many people will jailbreak the PS3 just for the sake of it, because it’s considered fashionable, as it is with the iPhone, as my colleague Costin points out in a recent issue of Lab Matters. Unfortunately most people are unaware that this might open the floodgates for malicious or unwanted software. Parallels to the Ikee worm on iPhones are inevitable. That worm spread only via jailbroken iPhones, making apparent how many devices are actually jailbroken and how dangerous this can be. And now homebrew software variants for the PlayStation 3 have been released and are spreading across the web from different sources. Who knows what’s behind those offers? The original intention of the programs might be benign, but who knows whether the installer package has been compromised and re-offered for download?

As pointed out before, buying games and related content from the online shop via credit card is popular, and potentially dangerous if homebrew software is installed, as the software could carry out a man-in-the-middle attack or redirect to phishing sites. Alternatively, installed games or the respective game scores could be blocked, so that the software would act as ransomware, or it could send out spam via the internal message system… There are many malicious possibilities that the bad guys can utilize for financial profit!

Are these scenarios realistic? Unfortunately, yes.

Is it going to happen? I hope not…


We Come in Peace, Too – Impressions from CCC’s 27C3 / Berlin

December 29th, 2010 Tim Posted in Industry News, Kaspersky

Since Monday, my colleagues and I have been attending the annual Chaos Communication Congress 27C3 in Berlin. For the past 27 years, the Chaos Computer Club has organised this four-day conference for hackers from all over the world.

The sold-out event at Berlin’s bcc covers a wide range of topics, separated into six different tracks: Community, Culture, Hacking, Making, Science and Society. Take a look at what’s known as the Fahrplan, or schedule.

All the talks are streamed and recorded. Check out the conference wiki.

Yesterday also marked the start of a new, CCC-independent side event called BerlinSides, which focuses on infosec and is organised by Aluc.TV and SecurityBsides.com. This free event takes place at one of the oldest hackerspaces in the world, Berlin’s famous c-base.


Malware in the cloud

December 23rd, 2010 Tim Posted in Industry News, Kaspersky

The use of all kinds of cloud-based services is becoming more and more popular, enhancing productivity and reducing the need to set up a complex infrastructure. The IT industry is progressively taking this approach. However, malware was faster in abusing this virtual infrastructure for its own profit.

We have seen many examples in the past: Twitter used as a communication channel for a botnet, Amazon EC2 used for hosting C&Cs, or advertising channels abused to distribute malware. Today we will see, through a sample, how malware maximizes its revenue using this kind of service with minimal impact on the victim’s computer.

Our sample belongs to the Trojan-Dropper.Win32.Drooptroop family, which has more than 7000 variants. The sample is detected by Kaspersky Internet Security as Trojan-Dropper.Win32.Drooptroop.jpa; its peak of activity was on 6 December, mostly in the US.

It is distributed through an email message containing a link to a Rapidshare file:

hxxp://rapidshare.com/files/4XXXXXXX0/gift.exe

Taking advantage of the Christmas season, the binary is named gift.exe. Suspicious as that is, most filters fail to detect it as malicious for two reasons: the binary is not in the message body, and the domain of the URL is legitimate. We have detected more than 1000 infections where this technique was used to distribute the sample.
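The distribution trick above, a clean executable-free message whose only payload is a link on a legitimate file-sharing domain, is something a mail filter can still catch by looking at where the links point. The following is an added example, not code from the original post or from Kaspersky: it parses a message, extracts the URLs from its text parts and flags links to a file-sharing host whose path ends in an executable extension. The host list, extension list and sample message are constructed for illustration; the file id in the sample is the redacted placeholder from the post, not a real link.

```python
"""
Added example (not from the original post): flag mail-body links that point
at an executable hosted on a legitimate file-sharing domain, the pattern the
post describes. Host list, extension list and sample message are constructed.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumed (constructed) file-sharing hosts: links to them are not malicious
# by themselves, but deserve a closer look when they point at an executable.
FILE_SHARING_HOSTS = {"rapidshare.com", "www.rapidshare.com"}

# Executable-style extensions that a genuine "gift" would not carry.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# Matches live http(s) links and defanged hxxp(s) links as written in reports.
URL_RE = re.compile(r"\b(?:hxxps?|https?)://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(body: str) -> list[str]:
    """Return every http(s)/hxxp(s) URL found in a message body."""
    return URL_RE.findall(body)


def classify_url(url: str) -> str:
    """Classify one URL: 'executable-on-filesharing', 'filesharing' or 'other'."""
    # Normalise a defanged scheme so urlparse sees a regular URL.
    normalised = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    parsed = urlparse(normalised)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    if host in FILE_SHARING_HOSTS:
        if path.endswith(EXECUTABLE_EXTENSIONS):
            return "executable-on-filesharing"
        return "filesharing"
    return "other"


def scan_message(raw_message: str) -> list[tuple[str, str]]:
    """Parse an RFC 822 message and return (url, classification) pairs for
    every link that warrants attention (anything other than 'other')."""
    msg = message_from_string(raw_message)
    findings = []
    # Walk every text part: the link lives in the body, not in an attachment,
    # which is exactly why an attachment-only filter misses it.
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        body = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        for url in extract_urls(body):
            verdict = classify_url(url)
            if verdict != "other":
                findings.append((url, verdict))
    return findings


# Constructed sample message modelled on the campaign described in the post
# (the file id is the redacted placeholder from the post, not a real link).
SAMPLE_MESSAGE = """\
From: friend@example.org
To: victim@example.net
Subject: Your Christmas gift!
Content-Type: text/plain; charset="utf-8"

Merry Christmas! Download your gift here:
hxxp://rapidshare.com/files/4XXXXXXX0/gift.exe
"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_MESSAGE):
        print(f"{verdict}: {url}")
```

In a real gateway the host list would come from a maintained category feed rather than a hard-coded set, and a hit would typically quarantine or tag the message rather than block it outright, since links to file-sharing sites are common in legitimate mail.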

This is not the only use the sample makes of external infrastructure. Once the computer is infected, Drooptroop.jpa injects code into spoolsv.exe and intercepts the browser’s network functions, hijacking the user’s requests.

By doing this, Drooptroop performs click fraud, redirecting legitimate requests:

GET /click.php?c=eNXXXXXSA HTTP/1.1
Host: 64.111.xxx.xxx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: hxxp://wwwxxx.com/go/beXXXX4

These remuneration programs are abused on a regular basis by malware. Apart from that, this malware redirects the user to rogue AV sites:
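The hijacked request above has a shape that stands out in proxy or web-gateway logs: an affiliate click URL, a Host header that is a bare IP address, a Referer from an unrelated site, and a normal browser User-Agent, since it is the victim’s own browser that is being made to send it. The following is an added example, not code from the original post or from Kaspersky, that parses raw HTTP request headers and scores them against those indicators. The redirector paths and parameter names, the scoring threshold and both sample requests are constructed assumptions; 192.0.2.10 is an RFC 5737 documentation address standing in for the redacted host on the page, and the other redacted identifiers are kept as they appear in the post.

```python
"""
Added example (not from the original post): heuristic detection of the
click-fraud request pattern shown above over raw HTTP request headers.
Redirector paths, parameter names, threshold and samples are constructed.
"""
import ipaddress
from urllib.parse import parse_qs, urlparse

# Assumed: path names and query parameters typical of pay-per-click redirectors.
CLICK_PATHS = ("/click.php", "/click", "/go")
CLICK_PARAMS = {"c", "id", "aff"}


def parse_request(raw: str) -> dict:
    """Parse the request line and headers of a raw HTTP request."""
    lines = [line for line in raw.splitlines() if line.strip()]
    method, target, version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def is_ip_literal(host: str) -> bool:
    """True when the Host header is a bare IPv4 address (optionally with :port)."""
    hostname = host.split(":", 1)[0].strip()
    try:
        ipaddress.IPv4Address(hostname)
        return True
    except ipaddress.AddressValueError:
        return False


def click_fraud_indicators(req: dict) -> list[str]:
    """Return the indicators matched by one parsed request, in a fixed order."""
    indicators = []
    headers = req["headers"]
    host = headers.get("host", "")
    target = urlparse(req["target"])
    # Browsing traffic to a bare IP rather than a hostname is unusual and
    # worth a closer look on its own.
    if is_ip_literal(host):
        indicators.append("host-is-ip-literal")
    if target.path in CLICK_PATHS and CLICK_PARAMS & set(parse_qs(target.query)):
        indicators.append("affiliate-click-path")
    referer = headers.get("referer", "")
    if referer:
        # Defanged hxxp:// links appear in reports; normalise before parsing.
        ref_host = urlparse(referer.replace("hxxp", "http", 1)).hostname or ""
        if ref_host and ref_host.lower() != host.split(":", 1)[0].lower():
            indicators.append("cross-site-referer")
    # A genuine browser User-Agent on a request that already matches the
    # redirector pattern is what the hijacked requests in the post look like.
    if "mozilla/" in headers.get("user-agent", "").lower() and len(indicators) >= 2:
        indicators.append("browser-ua-with-click-pattern")
    return indicators


def is_suspicious(raw: str, threshold: int = 3) -> bool:
    """Flag a raw request when it matches at least `threshold` indicators."""
    return len(click_fraud_indicators(parse_request(raw))) >= threshold


# Constructed samples: the hijacked request from the post (identifiers left
# redacted as on the page, host replaced by a documentation address) and an
# ordinary page fetch for comparison.
HIJACKED_REQUEST = """\
GET /click.php?c=eNXXXXXSA HTTP/1.1
Host: 192.0.2.10
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: keep-alive
Referer: hxxp://wwwxxx.com/go/beXXXX4
"""

BENIGN_REQUEST = """\
GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Referer: http://www.example.com/
"""

if __name__ == "__main__":
    for label, raw in (("hijacked", HIJACKED_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, is_suspicious(raw), click_fraud_indicators(parse_request(raw)))
```

No single indicator is conclusive, which is why the check scores them together: legitimate affiliate clicks do go through redirectors, and some are hosted by IP, but a run of such requests from one workstation with no matching page views before them is the kind of pattern that points at a hijacked browser rather than a user.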

It is interesting that everything is shown in the browser. It is all heavily obfuscated JavaScript simulating Explorer, so the scare phase needs no further binaries to be downloaded to the computer.

At this point, you probably want to run Kaspersky Internet Security to clean your system.

Summing up: the distribution used a remote file-sharing service, the malware used click fraud to monetize, and the rogue AV all happened in the browser. However, this malware still needed to infect your computer, so don’t forget to protect yourself.