Thursday, February 2, 2012

Counterclank

Counterclank: Info-stealing Trojan or advertising tool?

Posted on 31.01. A couple of days ago, Symantec warned about Counterclank, an Android Trojan that users have unknowingly installed on over five million devices.

This huge number was possible because the Trojan has been grafted onto a number of applications available for download on the official Android Market.

Having analyzed Counterclank and recognized it as a variant of the Tonclank Android Trojan, the researchers concluded that it was created by the same developer, a company that distributes a software development kit (Apperhand) to third parties to help them monetize their applications, primarily through search.

Counterclank records and sends information such as the device's IMEI, brand, manufacturer, model and Android OS version, metrics such as screen size and resolution, the user's language preference, the browser user agent, and the identity of the application using the software development kit.

Apart from that, it can also set the device's browser homepage and create bookmarks and shortcuts on the home screen. According to Symantec, the homepage, bookmarks and shortcuts can point to searchwebmobile.com, a domain belonging to Infospace, a firm that pays application developers to redirect search queries through its website.

Although Symantec considers these apps and Counterclank as malware, others disagree. Lookout says that it is "an aggressive form of ad network" that does not appear to be malicious, but that should, nonetheless, be taken seriously.

"Due to the combined behavior of the applications, negative feedback from users who installed the applications, and the fact that previous applications (Android.Tonclank) using this code were initially suspended from the Google Market, we chose to notify users of Counterclank," reiterated Symantec.

"We have also submitted a ticket to Google for the removal of Counterclank from the Android Market. Google replied quickly informing us the applications met their Terms of Service and they will not be removed. We expect in the future there may be many similar situations where we will inform users about an application, but the application will remain in the Google Android Market."

Thursday, May 26, 2011

Sony sites hacked again


Websites of the prominent electronics company Sony Corporation in three countries, including Greece, have been hacked. The company stated that hackers who broke into its music entertainment network in Greece leaked the account details of around 8,500 customers.

The second intrusion came while the company was taking steps to strengthen security following the recent attack on its PlayStation Network. At least ten million customer accounts were compromised in that previous attack.

The company said that in the new attack, private information including passwords and telephone numbers of about 8,500 people was leaked. Hackers also broke into the units in Thailand and Indonesia and made changes to their websites.

Tuesday, May 17, 2011

Facebook plugs third-party access to user accounts

Tokens are like "spare keys" that Facebook users grant to applications that allow them to perform actions on their behalf or access their profile.

Facebook has plugged a hole that was inadvertently providing advertisers and other third parties access to user accounts via tokens that serve as "spare keys," Symantec said today after disclosing the problem to the social-networking company.
"Facebook was notified of this issue and has confirmed this leakage," Nishant Doshi, a senior software engineer at Symantec, wrote in a blog post. "Facebook notified us of changes on their end to prevent these tokens from getting leaked."

"We estimate that as of April 2011 close to 100,000 applications were enabling this leakage," Doshi wrote. "We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties."

A Facebook spokesperson told CNET that the company could not find any evidence that private user information was being shared with unauthorized third parties and that contractual obligations prohibit advertisers and developers from obtaining or sharing user information in a way that violates the site's policies.
"We have no evidence of this information being used in a way that violated our policies, but nonetheless, we take any potential issue seriously and quickly took steps to prevent this from happening with apps on Facebook," a company statement said.

User access tokens, which are akin to "spare keys," allow applications to perform certain actions on behalf of the user or to access the user's profile, according to Doshi. Most tokens expire after a short time, but an application can request offline access tokens, which grant it access until the user changes the password, even when the user is not logged in, according to his post.

The leak happened when an application used a legacy Facebook application programming interface with older authentication schemes instead of the newer OAuth 2.0 data-sharing protocol, Doshi said. (Google began supporting OAuth in mid-2008.) If certain parameters were used in the application's code, the token was sent in a URL to the application host, and from there it could leak to advertisers and analytics platforms via iframe applications embedded in the page, he said.
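The mechanism Doshi describes, as an added example that is not Facebook's or Symantec's code: a page URL carrying the token in its query string is sent in the Referer header to every iframe, script or tracking pixel on that page, whereas a token in the URL fragment is not; the same scan can then be run over the third party's access log to find tokens that already arrived there. The parameter names in TOKEN_PARAMS, the hostnames and the log lines are assumptions constructed for the demo.

```python
# Added example, not Facebook's or Symantec's code. Models a token leaking from
# the page URL to third parties through the Referer header, the fragment-based
# form that does not leak, and a scan of a third party's access log for tokens.
# TOKEN_PARAMS, hostnames and the log lines below are constructed assumptions.
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-string parameters treated as bearer credentials (assumed names).
TOKEN_PARAMS = {"access_token", "session_key"}


def referer_for(page_url: str) -> str:
    """Referer a browser sends when the page at page_url loads a subresource
    (iframe, pixel, script). The query string is sent; the fragment never is."""
    p = urlsplit(page_url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def tokens_in_url(url: str) -> dict:
    """Credential-bearing parameters present in the query string of url."""
    return {k: v for k, v in parse_qsl(urlsplit(url).query) if k in TOKEN_PARAMS}


def leaks_token_via_referer(page_url: str) -> bool:
    return bool(tokens_in_url(referer_for(page_url)))


def move_tokens_to_fragment(url: str) -> str:
    """Rewrite a redirect URL so credentials ride in the fragment, the OAuth 2.0
    implicit-grant convention: the app's JavaScript can still read it, but it
    reaches neither the server log nor third-party Referer headers."""
    p = urlsplit(url)
    pairs = parse_qsl(p.query, keep_blank_values=True)
    keep = [(k, v) for k, v in pairs if k not in TOKEN_PARAMS]
    moved = [(k, v) for k, v in pairs if k in TOKEN_PARAMS]
    fragment = "&".join(x for x in (p.fragment, urlencode(moved)) if x)
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(keep), fragment))


# Apache "combined" log format; the Referer is the second quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def find_leaked_tokens(log_lines):
    """Scan an ad network's or analytics host's access log for tokens that
    arrived in the Referer. Returns (client_ip, param, token, referring_page)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ref = m.group("referer")
        if ref == "-":
            continue
        for name, value in tokens_in_url(ref).items():
            hits.append((m.group("ip"), name, value, ref.split("?", 1)[0]))
    return hits


# Constructed sample: pixel requests to a third-party tracker, one from a page
# whose URL still carries the legacy token, one from a page that does not.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Apr/2011:10:01:02 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"https://apps.example.com/canvas/?access_token=AAAB123token&page=home" "Mozilla/5.0"',
    '203.0.113.6 - - [12/Apr/2011:10:01:03 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"https://apps.example.com/canvas/?page=home" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Apr/2011:10:01:04 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    legacy = "https://apps.example.com/canvas/?access_token=AAAB123token&page=home"
    print("legacy URL leaks via Referer:", leaks_token_via_referer(legacy))
    fixed = move_tokens_to_fragment(legacy)
    print("fragment form:", fixed, "leaks:", leaks_token_via_referer(fixed))
    for hit in find_leaked_tokens(SAMPLE_LOG):
        print("leaked token found in third-party log:", hit)
```

The fragment rewrite is only the client-side half of the fix; the server-side code grant (token exchanged over HTTPS from the app's backend, never placed in a page URL) is what the October migration to OAuth 2.0 and SSL described below amounts to. The log scan is the check a third party or an incident responder would run to find out whether tokens are, as Doshi feared, still sitting in log files.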

It's unclear how many people are affected by this problem.

"There is no good way to estimate how many access tokens have already been leaked since the release Facebook applications back in 2007," Doshi wrote. "We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers."
Facebook users can change their passwords to invalidate any leaked access tokens, effectively changing the lock on their profile, he said.

The Symantec research prompted Facebook to make some changes in its developer road map, including requiring all sites and apps to migrate to OAuth 2.0 and obtain an SSL (secure sockets layer) certificate by October 1.

"We have been working with Symantec to identify issues in our authentication flow to ensure that they are more secure," the company said in a post on its developer blog. "This has led us to conclude that migrating to OAuth & HTTPS (Hypertext Transfer Protocol Secure) now is in the best interest of our users and developers."
Joey Tyson, a security engineer at Gemini Security Solutions who blogs about social networking at TheHarmonyGuy.com, said Facebook has been progressively improving the security of its platform and that many apps have limited permissions now. "This is a problem worth addressing, but it may not be as serious as some people are thinking it is, and it's certainly not as widely exploited as some people may fear," he said.

Facebook fixes bug, but 'Nicole Santos' hoax lives on


Facebook has fixed a bug that allowed malware to take over accounts and spread overnight, but the "Nicole Santos" hoax has turned into a viral sensation.

The hoax was evident on pages littered with wall posts that use profanity and urge people to "vote for Nicole Santos." The posts say that the only way to remove them is to click a "remove this app" link below the post. Doing so actually allows the malicious code to access your Facebook account and post the hoax to your friends' pages.

"This spam was spread by a vulnerability in our code and we worked quickly to resolve this matter," Facebook said in a statement today. "The bug caused a small number of spam comments to be posted to users' walls, and we are in the process of cleaning up any spam it may have caused."
Basically, the vulnerability allowed people to post malicious code in comments; the code was treated as a URL, so clicking it ran the code and let the hoax spread. The bug improperly allowed a specific category of URLs (javascript: URLs), according to Facebook. The company is removing the posts from users' pages, but the malware continues to spread as long as people click on the links.
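The class of bug Facebook describes, as an added example that is not Facebook's code: a link filter that merely refuses the literal prefix "javascript:" is bypassed by mixed case, leading whitespace, embedded tabs or newlines, an entity-encoded colon, or another executable scheme such as data:, because browsers normalize all of these before they look at the scheme. The hardened version normalizes the same way and then accepts only an allowlist of schemes. All probe inputs are constructed for the demo.

```python
# Added example, not Facebook's code. Contrasts a denylist scheme check of the
# kind that lets javascript: URLs through with an allowlist check that
# normalizes the way browsers do before inspecting the scheme, and renders a
# comment link only when the check passes. All inputs are constructed.
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def naive_is_safe_link(href: str) -> bool:
    """Denylist check: only an exact lowercase 'javascript:' prefix is refused,
    so mixed case, leading whitespace, entity-encoded colons and other
    executable schemes (data:, vbscript:) all pass."""
    return not href.startswith("javascript:")


def normalize_href(href: str) -> str:
    """Apply what a browser applies before parsing the scheme: HTML entities
    in an attribute value are decoded, leading and trailing C0 controls and
    spaces are stripped, and tabs and newlines are removed from anywhere."""
    s = html.unescape(href)
    s = s.strip("".join(chr(c) for c in range(0x21)))
    return "".join(ch for ch in s if ch not in "\t\n\r")


def safe_link(href: str):
    """Return the normalized href if its scheme is http or https, else None.
    Relative and scheme-less links are rejected too: a user-supplied link that
    is not an absolute http(s) URL is not something we want to emit."""
    s = normalize_href(href)
    scheme = urlsplit(s).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return None
    return s


def render_comment_link(text: str, href: str) -> str:
    """Render a user comment as an anchor, or as plain text if the link is refused."""
    safe = safe_link(href)
    if safe is None:
        return html.escape(text)
    return '<a href="%s">%s</a>' % (html.escape(safe, quote=True), html.escape(text))


if __name__ == "__main__":
    probes = [
        "https://example.com/vote",
        "javascript:alert(document.cookie)",
        "JaVaScRiPt:alert(1)",
        " \tjava\nscript:alert(1)",
        "javascript&#58;alert(1)",
        "data:text/html,<script>alert(1)</script>",
    ]
    for p in probes:
        print("%-45r naive=%-5s allowlist=%s" % (p, naive_is_safe_link(p), safe_link(p)))
    print(render_comment_link("vote for Nicole Santos", probes[1]))
```

The allowlist check is the right shape whether the scheme is being inspected at comment submission time or when the wall is rendered; filtering only at submission leaves everything already stored, which is why Facebook also had to clean existing posts.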
Users should not click on the links or on any circulating links that require people to "'Verify your account to prevent spam,' as this may be how the hack gains access to your Facebook wall in the first place," reports The Next Web. "Simply block the friend sending it to you as their account is now compromised. Once the problem has been fixed by Facebook you can re-enable them."
The Facebook hoax has already taken on a life all its own. "Nicole Santos" was a trending topic on Twitter and a bunch of anti-Nicole Santos Facebook pages were created. Someone began selling a "Vote for Nicole Santos" shirt on e-commerce site Etsy. And a comedian created a rap music video called "You Just Got Hacked: A Nicole Santos Musical Parody." Which all leads us to the question of who is Nicole Santos?

Friday, March 4, 2011

The Spam King is free again, claims his spamming days are over



Robert Soloway, one of the most prolific spammers, whose activities earned him the nickname Spam King, has been released from prison after a little less than four years inside.

He is allowed to go back online, but according to his plea deal, probation officers will monitor his e-mail correspondence and which websites he visits for the next three years.

“If I send out spam e-mails, that’s a violation of my probation. End of story,” he said to Wired. “I’m being very careful. If I send out an e-mail, I’m not even going probably to CC it. I’ll send a unique e-mail to each person.”

After an estimated 10 trillion spam e-mails sent during his "career", teaching other people to spam, selling spam packages and using botnets to spread the e-mails, and living the good life all that time, he now lives in a modest studio apartment in Seattle and works in a print shop.

He says he has learned his lesson and now wants to help businesses and consumers avoid spam. "I don't expect anyone to trust anything I say until they see me making good," he declared. "I would like to assist in some way by basically revealing what went on inside the cybercrime industry."

Tuesday, December 21, 2010

Virus yearbook 2010

PandaLabs is closing the year with a look at some of the unique and noteworthy viruses that have appeared over the last twelve months. The list of viruses is vast and varied, since in 2010, PandaLabs received more than 20 million new strains of malware.

This compilation does not contain the most prolific threats or those that caused the most infections, but is simply some of the more interesting viruses.



The viruses that are included in the 'Virus Yearbook 2010' are:

The Mischievous Mac Lover: This title was earned by a remote-control program with the unsettling name of HellRaiser.A. This virus only affects Mac systems and needs user consent to install on a computer. Once installed, it can take remote control of the system and perform a host of functions, including opening the DVD tray.

The good samaritan: Bredolab.Y came disguised as a message from Microsoft Support claiming that a new security patch for Outlook needed to be installed immediately. Upon download, users were exposed to the SecurityTool rogueware, which told users their systems were infected and then offered a fake solution that many fell for and purchased.

Linguist of the year: MSNWorm.IE emerged as a virus that was distributed via MSN Messenger with a link tempting the user into viewing a photo. This virus was created in 18 languages and always featured the emoticon ":D" at the end of each message.

The most audacious: The Stuxnet malicious code was designed to target SCADA systems, i.e. critical infrastructure. The worm exploits a Microsoft security hole via USB drives and has the sole intention of silently manipulating the core of industrial control systems.

The most annoying: Oscarbot.YQ was a virus that infected the computer and continually raised a pop-up window asking, "Are you sure you want to close the program? Yes - No?" No matter how many times the user closed the window, the same screen reappeared.

The most secure worm: Clippo.A, a name that might remind some users of "Clippy," the Microsoft Office assistant, is the most secure worm. Once installed on a computer, it password-protects all Office documents, so the user can't open any document without a password. There is no financial motivation behind this worm; it is simply another example of an annoying virus.

A victim of the crisis: Viruses often mirror the state of the global economy. Typically, ransomware (programs that block computers and demand a ransom to release them) demands a fee of $300 or more to unblock the machine. During the current financial crisis, however, PandaLabs discovered Ransom.AB, which blocks the computer and asks a mere $12 for the unlock code.

The Most Economical: SecurityEssentials2010 was a virus that posed as a fake counterpart to the official Microsoft antivirus product. Classified as adware, it acted like any other fake antivirus and alerted users to infections on their computers. Since the design and warnings looked so authentic, many users were duped into buying the fake solution, making it one of the top 10 infections of 2010.

Monday, December 20, 2010

Vendor creates malware to sell its anti-malware product

Chinese antivirus software companies seem to have an unusual strategy for keeping their services and products in demand: secretly developing threats themselves and unleashing them online, then turning around and making their products detect and remove them.

This is supposedly a well-known open secret in the industry, and it has come to light in the recent territory war between two Chinese antivirus companies, Rising Antivirus and Eastern Micropoint, which resulted in the 11-month imprisonment of Micropoint's VP Tian Yakui and a suspended death sentence for one Yu Bing, formerly the director of the Internet monitoring department of Beijing's Municipal Public Security Bureau.

According to The Register, Yu allegedly received bribes from Rising to push that company's agenda and hinder Micropoint's, which led him to mount a sham investigation against Micropoint and falsely accuse its executives of releasing malware they had developed into the wild in order to boost their sales; the investigation ended with Tian's incarceration.

Subsequently, Micropoint's software was seized on Yu's orders and sent to Rising, and he made sure that China's only antivirus testing facility would reject Micropoint's application for assessment, so that it could not receive the proper certifications.

Yu also misused his position by issuing a public warning about a specific computer virus and advising people to use Rising's software to clean their computers.

Whether or not he deserved a death sentence for his crime is debatable, but these revelations and the ensuing comments by industry insiders have revealed that developing malware just to kill it is considered a "sound moneymaking strategy and makes good business sense", reports The Epoch Times.

Supposedly, that was the main strategy used by most antivirus vendors in the 1990s, and it has been used less and less since 2000. It seems, though, that some still use it: the virus that Micropoint was accused of developing and releasing into the wild was allegedly created by Rising.