
Security

July 22, 2009 9:42 AM PDT

Chinese firms behind 'Sexy Space' Trojan

by Vivian Yeo

F-Secure has identified three China-based companies as the creators of the "Sexy Space" Trojan, which was identified last week to have passed through Symbian Foundation's digital-signing process.

XiaMen Jinlonghuatian Technology, ShenZhen ChenGuangWuXian Technology, and XinZhongLi TianJin cloaked the malware, also known as Yxe, and submitted it to the Symbian Foundation under its Express Signing program, security company F-Secure said Wednesday in a statement.

Developers are required to submit mobile applications to the Symbian Foundation for evaluation, before the applications are accepted and enabled for handsets running the Symbian operating system. The apps are first automatically scanned for viruses. After that, random samples are submitted for human audit. Sexy Space had not been subjected to human scrutiny, Symbian's chief security technologist Craig Heath said last week.

F-Secure's senior security response manager, Chia Wing Fei, explained that the Trojan would have allowed attackers to simply send a link via text message to a malicious Web site and prompt the mobile recipient to download the worm. Once the malware was installed, it could send similar text messages to all contacts listed on the phone.

"These messages are sent in your name and from your phone," Chia said. "It means you will pay for each SMS sent by the worm. A typical cost for a single text message might be 5 cents. If you have 500 contacts in your phone, an infection would cost you ($25)."

According to F-Secure, this is the first identified text message worm.

The Symbian Foundation became aware that Sexy Space was a Trojan earlier this month, and the signature was revoked. But an error on Symbian's servers meant the application was still available for download until last week.

F-Secure said that although the problem is currently not widespread, there have been a few confirmed reports in China and the Middle East so far.

All Symbian Series 60 third-edition phones by Nokia, LG and Samsung are potential targets of the malware, including popular models such as Nokia N95 and Nokia E71, said F-Secure. The Symbian platform is used in just under 50 percent of all smartphones.

Vivian Yeo of ZDNet Asia reported from Singapore.

April 21, 2009 2:42 PM PDT

F-Secure says stop using Adobe Acrobat Reader

by Elinor Mills

With all the Internet attacks that exploit Adobe Acrobat Reader, people should switch to using an alternative PDF reader, a security expert said at the RSA security conference on Tuesday.

Of the targeted attacks so far this year, more than 47 percent of them exploit holes in Acrobat Reader while six vulnerabilities have been discovered that target the program, Mikko Hypponen, chief research officer of security firm F-Secure, said in a briefing with journalists.

Just last month, Adobe issued a fix for an Acrobat Reader hole that attackers had been exploiting for months, after issuing a patch for a critical vulnerability in Flash player the month before.

In 2008, the favored targeted attack vector was Microsoft Word, which had 15 known vulnerabilities (compared to Acrobat Reader's 19) and which represented 34.5 percent of the attacks (compared to 28.6 percent for Acrobat Reader), he said.

Top-level executives, defense contractors, and other people who have access to specific sensitive corporate or government information are subject to targeted attacks in which an attacker sends a file that has malicious code embedded in it. Once the file is opened, the computer is typically infected with a back door that then steals data.

PDF and Flash browser plug-ins are also used in attacks known as "drive-by downloads" in which malware is surreptitiously downloaded onto a computer while the user is surfing the Web. The number of PDF files used in attacks rose from 128 between January 1 and April 16 last year to more than 2,300 in that same time period during this year, said Hypponen.

Adobe should make security a priority, he said.

Adobe "has a lot to learn from, of all places, Microsoft," which offers regular security patches on a monthly basis as part of Patch Tuesday, Hypponen said.

Part of the problem is people don't expect that Acrobat Reader upgrades necessarily contain important security patches like they do with Microsoft software, he said.

Hypponen did not recommend a PDF reader, but said Acrobat Reader alternatives are listed on the PDFReaders.org Web site.

February 12, 2009 4:32 PM PST

F-Secure provides details on Web site breach

by Elinor Mills

(Credit: F-Secure)

Helsinki-based security firm F-Secure said on Thursday that a breach of its Web site earlier in the week by a Romanian hacker site was limited in scope and impact.

On Wednesday the HackersBlog site said it had used a SQL injection and cross-site scripting attack to get access to data on an F-Secure Web site. Earlier, the site had launched similar attacks on a site of security firm Kaspersky and one belonging to a partner of BitDefender.

F-Secure said the problem with its site was due to a bug in a Web application and not related to an unpatched system.

"One of our servers used in gathering malware statistics had a page that didn't properly sanitize input and was therefore vulnerable to attack," spokesman David Frazer said in an e-mail. "Fortunately we utilize defense-in-depth strategies so the attack was only partly successful. The Server was taken down immediately after the blog was discovered to ensure the SQL injection was contained and to also analyze the level of the threat."

Although the attackers could read the F-Secure database information, they were not able to write or manipulate the data and were unable to access any other data on that server because the SQL user only had access to its own database, he said. The data accessed was statistics information used for marketing purposes, he added.

"So while the attack is something we must learn from, it was very minimal with no impact to F-Secure, our partners or our customers," Frazer said.

February 11, 2009 1:55 PM PST

Hacker site claims breach of third security firm Web site in a week

by Elinor Mills

A Romanian hacker site said on Wednesday it was able to breach the Web site of Helsinki-based security firm F-Secure just as it had gained access to the sites of two other security companies earlier in the week.

F-Secure is "vulnerable to SQL Injection plus Cross Site Scripting," an entry on the HackersBlog site said. "Fortunately, F-Secure doesn't leak sensitive data, just some statistics regarding past virus activity."

An F-Secure spokesman said the company had taken the affected server down and that it was a low-level server that was not critical to the company and had no sensitive or customer data on it, just statistical data for marketing purposes.

"It is slightly embarrassing as a security company that we have had the breach," David Frazer, a spokesman in F-Secure's San Jose, California office, said in a phone interview. "We certainly, as a security company, want to ensure that all of our servers are patched to the levels that they should be."

HackersBlog publicized on its site that it had breached the U.S. Web site of Moscow-based firm Kaspersky on Saturday and the Portugal site of BitDefender on Monday using the same attack techniques.

Kaspersky said on Monday that no sensitive or customer data had been exposed in the breach and that it would ask a database expert to audit its systems. BitDefender said the site that had been breached belonged to an unnamed partner and no customer data was stolen.

SQL injection attacks, in which a small malicious script is inserted into a database that feeds information to the Web site, have become very popular exploit methods. Cross-site scripting vulnerabilities, which allow for injection of malicious code in Web pages, also are common.

Updated 3:25 p.m. PST with F-Secure comment.

November 5, 2008 12:24 PM PST

Obama-themed malware on the rise

by Robert Vamosi

One of the spam messages using Obama's election to entice people to download malware.

(Credit: Sophos)

Within hours of settling the U.S. presidential election on Tuesday, spam seen worldwide began incorporating the name and image of Barack Obama, according to various security vendors. The U.K.'s Sophos reported 60 percent of all spam seen by the lab on Wednesday was in some way Obama related.

One piece of spam alleges to contain a link to video of Obama's acceptance speech. If you follow the video link within the e-mail message you will be taken to a Web page where you'll be asked to update your Adobe Flash Player with a file, adobe_flash9.exe, first. This is not an official Adobe update file and downloading this file may in turn infect your computer with a Trojan.

Sophos named the Trojan Mal/Behav-027. F-Secure named it W32/Papras.CL. Sunbelt Software also has a blog about this particular piece of spam.

Meanwhile, Websense is reporting a separate threat. An e-mail appears to be an interview with the new president elect. The e-mail features embedded links to a video site that attempts to install a file, BarackObama.exe. Downloading this file may infect your computer with a Trojan.
