Bangkok--1 Nov--Oasis Media
How attackers administer malicious Web servers; an Android threat that claims to charge your device
Report highlights
- Spam — 75.0 percent (an increase of 2.7 percentage points since August)
- Phishing — One in 245.4 emails identified as phishing (an increase of 0.088 percentage points since August)
- Malware — One in 211.0 emails contained malware (an increase of 0.04 percentage points since August)
- Malicious websites — 780 websites blocked per day (a decrease of 29.1 percent since August)
- A look at how attackers administer malicious Web servers
- An innovative Android app that’s too good to be true
A Glimpse Inside the Spam and Malware Underworld
by Nicholas Johnston
Compromised Web servers are a common occurrence in the threat landscape. They are often at the heart of spam delivery and can host the exploit kits that spread malicious code. We often talk about how these compromised servers serve malicious code; we talk far less often about how the attackers administer the servers themselves.
As a brief reminder, compromised servers are popular with spammers and malware authors because they avoid the cost and complexity of hosting their own infrastructure, and they make abuse harder for security companies to handle: instead of a Web server's reputation being simply 'good' or 'bad', a mixed reputation (legitimate sites alongside malicious content on the same host) has to be handled carefully.
A Symantec.cloud system recently identified an interesting compromised Web server in Kazakhstan. The server is a shared hosting server that hosts many legitimate websites. However, spammers had uploaded a PHP-based shell application, giving them almost full control of the server through a convenient Web interface.
The application is quite full-featured. At the top of the screen it shows information about the system: free disk space, Linux kernel version, and so on. By default the application ("BOFF") opens in a file manager view that allows files to be created, viewed, downloaded, renamed and so on, but it offers plenty of other functionality. There is a console, effectively providing basic shell access to the server. If that level of access is not sufficient, there is an option to start a listener on an arbitrary port, with 31337 (the number that spells "elite" in so-called "leet-speak") as the default. Any doubt that this shell is a malicious tool is removed by its other features, which give an attacker the ability to:
- Run arbitrary PHP code, bypassing PHP's safe mode if it is enabled.
- Brute-force FTP, MySQL and PostgreSQL accounts.
- Use shortcuts to locate Web server configuration files.
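A practitioner who inherits a shared hosting box like the one described above wants a quick way to find files with this profile. The scanner below is an added example written for this page, not code from the report or from the shell's authors: it scores PHP files against the feature classes the article lists (command console, listener on an arbitrary port with 31337 as the default, safe-mode bypass, credential brute-forcing, config-file hunting). The indicator regexes, weights, threshold and both PHP samples are constructed assumptions; it is a triage heuristic, not a signature.

```python
"""Heuristic scan of PHP files for web-shell indicators.

Added example, not part of the Symantec report and not based on the "BOFF"
shell's actual source. It scores a file by the feature classes the article
lists for the shell: an OS command console, a listener on an arbitrary
port (31337 by default), PHP safe_mode bypass, database/FTP credential
attacks and config-file hunting. Weights and threshold are assumptions
tuned for the demo; the two PHP samples below are constructed.
"""
from __future__ import annotations
import re
from pathlib import Path

# (indicator name, regex, weight). Each indicator counts at most once per file.
INDICATORS = [
    ("os_command_exec",
     re.compile(r"\b(?:shell_exec|system|passthru|exec|popen|proc_open)\s*\(", re.I), 3),
    ("dynamic_eval",
     re.compile(r"\beval\s*\(|\bassert\s*\(\s*\$", re.I), 3),
    ("obfuscation",
     re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I), 2),
    ("bind_or_back_connect",
     re.compile(r"\b(?:fsockopen|socket_create|socket_bind|stream_socket_server)\s*\(", re.I), 3),
    ("leet_port", re.compile(r"\b31337\b"), 2),
    ("safe_mode_probe", re.compile(r"safe_mode|disable_functions", re.I), 2),
    ("db_or_ftp_login",
     re.compile(r"\b(?:mysql_connect|mysqli_connect|pg_connect|ftp_login)\s*\(", re.I), 1),
    ("config_hunting",
     re.compile(r"httpd\.conf|apache2?/|\.htaccess|wp-config\.php|config\.php", re.I), 1),
]
THRESHOLD = 6  # assumption: legitimate code rarely accumulates this many distinct indicators


def scan_source(src: str) -> dict:
    """Score one PHP source text; return score, matched indicators and a verdict."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(src)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return {"score": score, "hits": hits, "suspicious": score >= THRESHOLD}


def scan_tree(root: str) -> list[tuple[str, dict]]:
    """Scan every *.php under root; return suspicious files, highest score first."""
    results = []
    for path in Path(root).rglob("*.php"):
        verdict = scan_source(path.read_text(errors="ignore"))
        if verdict["suspicious"]:
            results.append((str(path), verdict))
    return sorted(results, key=lambda item: item[1]["score"], reverse=True)


# Constructed sample: ordinary site code that happens to open a database connection.
BENIGN_PHP = """<?php
$db = mysqli_connect('localhost', 'site', getenv('DB_PASS'), 'blog');
$rows = mysqli_query($db, 'SELECT title FROM posts');
echo json_encode(mysqli_fetch_all($rows));
"""

# Constructed sample exhibiting the feature classes the article describes.
# Deliberately skeletal (no request loop or UI); it exists only as scanner input.
SHELL_PHP = """<?php
if (ini_get('safe_mode')) { ini_restore('safe_mode'); }
if (isset($_POST['cmd'])) { echo shell_exec($_POST['cmd']); }
if (isset($_POST['php'])) { eval(base64_decode($_POST['php'])); }
$port = isset($_POST['port']) ? (int)$_POST['port'] : 31337;
$srv = stream_socket_server("tcp://0.0.0.0:$port");
foreach (glob('/etc/apache2/*.conf') as $f) echo $f;
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_PHP), ("shell", SHELL_PHP)):
        print(label, scan_source(src))
```

Run `scan_tree('/var/www')` on a suspect host and treat the output as a list to review by hand: legitimate admin tools and some CMS plugins also call the execution functions, and obfuscated shells can evade fixed regexes by splitting or encoding function names, so a low score is not a clean bill of health.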
Android Application Makes “Incredible” Technological Breakthrough
by Hon Lau
The world of Android applications is a buzzing hive of activity these days. As a result, more and more scammers are jumping on this productive bandwagon, and the attacks and scams get more creative; some are so incredible they defy belief.
As any smartphone user knows, battery life is a perennial problem. The high processing power of embedded CPUs and large, bright LCD screens, coupled with frequent usage, mean a lot of juice is required to keep the show going throughout the day. Users can be caught short for power, finding themselves with a dead device when they need it most.
This has spawned a whole genre of applications aimed at addressing the problem. Some offer status updates on battery life and notify you when the battery is getting low. Others help the battery last longer by turning off features that are not necessary.
The effectiveness of these applications varies from useful to negligible, so a little research is required before installing one. Unfortunately there are also malicious applications, such as "Battery Long" (Android.Ackposts), that appear to help with battery life but simply steal information from the compromised device.
Breaking through the boundaries of credibility are a bunch of applications that will supposedly turn your phone's screen into a solar charger. Even though this is completely false, a number of "legitimate" applications make this claim. Many use the camera to measure ambient light and move an onscreen dial indicating the supposed "charge rate". These are joke applications at best; some even include small print on the application description page denying that the app can actually charge the phone.
Beyond the fun that can be had playing practical jokes, there is good reason to avoid such applications altogether. Take the following iteration of Android.Sumzand, for example.
The application claims to be able to convert the screen on your device into a solar panel and use it to charge the battery when exposed to sunlight. However, there are unstated capabilities within this application that you need to watch out for: Android.Sumzand also steals contact data from your phone.
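The practical check for an app like this is whether the permissions it requests match what it claims to do: a "screen solar charger" has no need to read contacts. The audit below is an added example, not code from the report or from any of the apps it names. It parses the `uses-permission:` lines printed by `aapt dump permissions <apk>` (both the `name='...'` form and the bare form); the manifest dump, the per-purpose allow-list and the private-data and exfiltration lists are constructed assumptions for the demo.

```python
"""Audit an Android app's requested permissions against its advertised purpose.

Added example, not part of the Symantec report and not derived from any real
application's manifest. Input is the output of `aapt dump permissions`; the
sample dump below is constructed for a hypothetical "screen charger" app.
"""
from __future__ import annotations
import re

# Assumption for the demo: what a battery/"screen charger" utility might plausibly
# need. CAMERA is included because the joke apps in the article read ambient light
# through the camera; nothing here justifies access to personal data.
EXPECTED_BY_PURPOSE = {
    "battery_utility": {"INTERNET", "ACCESS_NETWORK_STATE", "WAKE_LOCK",
                        "CAMERA", "BATTERY_STATS"},
}

# Permissions that expose personal data, and the channels that could carry it
# off the device. Any private-data permission plus a channel is a potential
# exfiltration path worth a closer look.
PRIVATE_DATA = {"READ_CONTACTS", "READ_SMS", "READ_CALL_LOG", "READ_PHONE_STATE",
                "GET_ACCOUNTS", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"}
EXFIL_CHANNELS = {"INTERNET", "SEND_SMS"}

# Matches both "uses-permission: name='android.permission.X'" (newer aapt)
# and "uses-permission: android.permission.X" (older aapt).
_PERM_RE = re.compile(
    r"^uses-permission:\s*(?:name=')?android\.permission\.([A-Z_]+)'?", re.M)


def parse_permissions(aapt_dump: str) -> set[str]:
    """Return the short permission names (e.g. READ_CONTACTS) requested in a dump."""
    return set(_PERM_RE.findall(aapt_dump))


def audit(aapt_dump: str, purpose: str) -> dict:
    """Compare requested permissions with the allow-list for the claimed purpose."""
    requested = parse_permissions(aapt_dump)
    unexpected = requested - EXPECTED_BY_PURPOSE[purpose]
    private = requested & PRIVATE_DATA
    exfil = bool(private) and bool(requested & EXFIL_CHANNELS)
    return {"requested": requested, "unexpected": unexpected,
            "private_data": private, "exfiltration_possible": exfil}


# Constructed aapt output for a hypothetical app; not any real package's manifest.
SAMPLE_DUMP = """package: com.example.screencharger
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.WAKE_LOCK'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: android.permission.READ_PHONE_STATE
"""

if __name__ == "__main__":
    result = audit(SAMPLE_DUMP, "battery_utility")
    for key, value in result.items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

On a real device the same idea applies to the permission list shown at install time: a contacts request from a battery gadget is the tell, and INTERNET alongside it is what turns a mismatch into a possible leak.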
Spam Analysis
In September, the global ratio of spam in email traffic rose by 2.7 percentage points since August, to 75.0 percent (1 in 1.33 emails). This month's rise runs against the longer-term trend of global spam levels gradually diminishing since the latter part of 2011.
Global Spam Categories
The most common category of spam in September was Sex/Dating, at 47.93 percent.
Spam URL Distribution based on Top Level Domain Name
The proportion of spam exploiting URLs in the .com top-level domain decreased in September.
Average Spam Message Size
In September, the proportion of spam emails that were 5KB in size or less increased by 17.8 percentage points, while the proportion of spam messages greater than 10KB in size decreased by 9.2 percent.
Spam Attack Vectors
September saw an increase in spam emails resulting in NDRs (spam-related non-delivery reports), where the recipient addresses are invalid or the messages are bounced by the recipient's service provider. The proportion of spam that contained a malicious attachment or link decreased, with periodic spikes of spam activity during the period.
Phishing Analysis
In September, the global phishing rate increased by 0.088 percentage points, taking the global average rate to one in 245.4 emails (0.41 percent) comprising some form of phishing attack.
Analysis of Phishing Websites
Overall phishing increased by about 4.46 percent this month. Unique domains increased by about 13 percent compared with the previous month. Phishing websites that used automated toolkits decreased by 3 percent.
Phishing websites using IP addresses in place of domain names decreased by about 29 percent. Web hosting services accounted for 3 percent of all phishing, an increase of 9 percent from the previous month. The number of non-English phishing sites increased by 103 percent; among them, French, Italian, Portuguese and Spanish were the most common in August.
Email-borne Threats
The global ratio of email-borne viruses in email traffic was one in 211.0 emails (0.47 percent) in September, an increase of 0.04 percentage points since August.
In September, 22.2 percent of email-borne malware contained links to malicious websites, 2.6 percentage points higher than August.
Web Policy Risks from Inappropriate Use
Some of the most common triggers for the policy-based filtering that Symantec WebSecurity.cloud applies for its business clients are the social networking, advertisements and pop-ups, and streaming media categories. Many organizations allow access to social networking websites but enable access logging so that usage patterns can be tracked, and some implement policies that permit access only at certain times of the day and block it at all other times. Web-based advertisements pose a risk through "malvertisements", malicious advertisements served through otherwise legitimate ad networks.
Web-based Malware Threats
In September, Symantec Intelligence identified an average of 780 websites each day harboring malware and other potentially unwanted programs, including spyware and adware; a decrease of 29.1 percent since August. This reflects the rate at which websites are being compromised or created for the purpose of spreading malicious content. This number is often higher when Web-based malware stays in circulation for a longer period, widening its potential spread and increasing its longevity.
Frequently Blocked Email-borne Malware
The table below shows the most frequently blocked email-borne malware for September, many of which relate to generic variants of malicious attachments and malicious hyperlinks distributed in emails. Approximately 30.5 percent of all email-borne malware was identified and blocked using generic detection.
Endpoint Security Threats
The endpoint is often the last line of defense, but it can also be the first line of defense against attacks that spread via USB storage devices and insecure network connections. The threats found there shed light on the wider nature of threats confronting businesses, especially blended attacks and threats facing mobile workers. Attacks that reach the endpoint are likely to have already circumvented other layers of protection that may be deployed, such as gateway filtering.
Oasis Media
02-937-4658-9