Security Response

We have continued monitoring the massive campaign involving SMS Fraud on the mobile platform for a while now as new activities are constantly taking place. New domains are created practically every day and new variants are being released consistently. Most activities are not really noteworthy. However, we did discuss a recent development of interest regarding the APK malware using server-side polymorphism. And earlier this week, we came across a new type of site that is not technically interesting, but is worthy of a mention in order to warn people about the new activity.

A little while back, a fake Android Market was developed that hosted various Apps that were ultimately malware. As you can see below, the page looks slightly different from the official Android Market.

Contribution: Takayoshi Nakayama

I was going through some files we acquired related to targeted attacks the other day and an unusual set of files caught my eyes. We did some analysis on the files and it turns out a pair of files in the set exploits a vulnerability we have not seen in the wild before. Microsoft is aware of the issue and notes users who have applied MS11-073 are fully protected.

The files stand out from the common targeted attacks because a Microsoft Word document file is paired with a .dll file. Usually, targeted attacks involve one file which drops malware. The pair would most likely arrive to the target wrapped in an archive file attached to an email. It is common to see document files sent by email inside an archive, but typically, you would not see .dll files ever sent by email.

The exploit makes use of an ActiveX control embedded in a Word document file....

During the summer of 2011, one-click fraud targeting smartphones was discovered. One-click fraud has now become so common that doing a quick search for certain keywords on the Internet using a smartphone leads to a high possibility of coming across one of the scam sites. The typical attack simply attempts to trick users into registering for a paid service. Details of the users and their phones are displayed on the page in an attempt to convince them that the site owners may take legal actions if the user does not pay them a certain amount of money.  There were no malicious files involved. More details are available in this blog.

Now, in 2012, one-click fraud for smartphones has evolved  and begun to use applications.  File usage for the fraud is common on the Windows platform and has been used for years.  When users attempt to view a video on a computer, they...

Recently, we discovered malware in the wild in the form of document files, such as PDF and Word, using password protection. The malware are used as attachments in email in limited, targeted attacks.

Passwords for document files are commonly used to prevent unauthorized access to the files by encrypting them with passwords. However, attackers are misusing the password feature to encrypt files, most likely to make it difficult for security products to detect them as malware. It also makes reverse-engineering the files difficult because they need to be decrypted before analysis can be performed.

These malware themselves aren’t anything special. They are no different to the common attachments used in typical targeted attacks except for the fact that they require passwords to be opened. Various office suite software includes a password encryption feature, so document files are not the only...