Tricking a Laptop's Fingerprint Authentication

The joys of fingerprint biometrics with a duplicate fingerprint of the original.

Commercializing Mobile Malware

Visionary enough, I predicted this over an year ago, and despite that for the time being there are only two publicly known pieces of mobile malware sending sms messages from the infected devices to premium numbers, it's an emerging trend for customers and mobile operators to keep an eye on :

"After installation, the Viver trojans immediately start sending SMS messages to premium-rate numbers. The messages are sent with proper international area codes, so they are able to reach the correct destination even when activated outside Russia. We've already seen for-profit malware in mobile devices: Wesber.A and Redbrowser are Java Midlet trojans that try to send messages to Russian premium-rate numbers. But these trojans require user acceptance per each message and are able to send messages correctly only inside Russia."

Some comments I made back then :

"The number and penetration of mobile devices greatly outpaces that of the PCs. Malware authors are actively experimenting and of course, progressing with their research on mobile malware. The growing monetization of mobile devices, that is generating revenues out of users and their veto power on certain occasions, would result in more development in this area by malicious authors. SPIM would also emerge with authors adapting their malware for gathering numbers. Mobile malware is also starting to carry malicious payload. Building awareness on the the issue, given the research already done by several vendors, would be a wise idea."

Something else to think about is related to Europe’s most recent mega-music event Eurovision and the sms voting power that, given enough infected mobile devices are in place the results could change pretty fast if you’re following my thoughts. Thankfully, compared to zombie networks making it possible to do intelligence and espionage tweaks given the large infected population, we still cannot talk about mobile botnets. The most juicy target for the time being however, remains the rise mobile banking.

Another comment I made a while ago :

"Malware authors indeed have financial incentives to futher continue recompling publicly available PoC mobile malware source code, and it's the purchasing/identification features phones, opening a car with an SMS, opening a door with an SMS, purchasing over an SMS or direct barcode scanning, mobile impersonation scams, harvesting phone numbers of infected victims, as well as unknowingly interacting with premium numbers are the things about to get directly abused -- efficiently and automatically."

Related posts:
Proof of Concept Symbian Malware Courtesy of the Academic World
Mobile Devices Hacking Through a Suitcase

Yet Another Malware Cryptor In the Wild

Just stumbled upon a newly released cryptor in the wild, and as I pointed out in a previous post related to yet another cryptor, they're signature-based malware scanning's worst enemy. By the time AV vendors obtain a sample and analyze the routines they use, unless an IPS solution is in place, and end user friendly perimeter defense detecting the bot-ization of the host are in place - an infection occurs.

What's the big picture? It's launching a denial of service attack on anti virus vendors' labs in the form of distributing couple of hundred malware samples - future family members of a malware group. Polymorphism encrypting routines are nothing new, but with DIY cryptors in the wild the result can be quite successful even for copy cats:

"Another example is the Stration family of malware, responsible for worms and other forms of malware in late 2006. “Stration was changing so quickly—the encryption packaging, the compiler, everything. We saw up to 300 variants in a single day,” says Ron O’Brien, senior security analyst at anti-malware vendor Sophos."

File size: 4608 bytes
MD5: 406e3a1443ec617f2c968a957a460f10
SHA1: 187abe8cec588b53126afbe8e600379a3bac2321

Corporate Espionage Through Botnets

Following my previous post on OSINT Through Botnets, here's a company that's categorizing Fortune 500 companies whose networks are heavily polluted with malware infected hosts :

"Support Intelligence (SI), a network security company in San Francisco, has been running what it called "30 Days of Bots," featuring corporate networks infected with spam-churning bots. It began analyzing data in February, monitoring 10,000 domains that plow data into a trap much like a fishnet, except the intelligence in the data is designed to determine what information to keep by looking for spam. In total, SI analyzed traffic from more than 100 sources, including the aforementioned spam traps."

Considering the possibility for gathering open source intelligence through military and government infected PCs only, it is logical to conclude that a specific company can be targeted on the basis of the already infected hosts on its network as well. Think about it. For the time being, a botnet's master doesn't really care if it's a military or Fortune 500 company that's infected as long as spam, phishing and malware goes out of these hosts. But passive corporate espionage in the form of intercepting the traffic going out of a specific company's network shouldn't be excluded as an opportunity.

Visual Script Obfuscation

We often talk and deobfuscate scripts aiming to hide their real and often malicious intentions. But what if malicious attackers have become so efficient in their obfuscation, that they decide to show some JAPH style in order to make them harder to analyze by visually obfuscating the scripts as you can see here?

The Jihadist Security Encyclopedia

A month ago, the Media Jihad Battalion started distributing a 118 pages long encyclopedia on anything starting from secure communications to keywords not to search for as they'll raise an early warning system alarm. The front cover is so Blade's style, but the PSYOPS motive is highly influential. Here's a translated table of contents and the original version attached.