Update (2014.10.15) - administrative notes for preparation... Friends on Twitter let me know their update cycle took close to 20 minutes on Windows 7. Yesterday, others on 8.1 told me their update download was around a gig, for some it was ~200 mb. Also, this cycle likely requires everyone a reboot to complete.
This morning was possibly one of the most information rich in the history of Microsoft's patch Tuesdays. Last month, we pointed out the Aurora Panda/DeputyDog actor was losing an IE 0day being patched, and that seemed unusual. This month, several vulnerabilities abused with 0day exploits by known APT actors are being patched and the actors are being publicly noted. So today Microsoft pushes out eight security bulletins MS14-056 through MS14-063, including three rated critical.
The most interesting of today's vulnerabilities are two that are enabled by Windows functionality, but are useful for spearphishing targets with Office-type data file attachments - an Excel file, PowerPoint Show, Word document, and so on. The first of the two remind us of the Duqu attacks. MS14-058 patches yet another kernel level font handling flaw CVE-2014-4148, the same kind of issue seen in the Duqu spearphish exploits. This one is rated critical by Microsoft. No one particular actor has been associated with this attack or exploit just yet.
The Windows OLE vulnerability patched with MS14-060 is surprisingly rated "Important" by Microsoft. The APT known as the "Sandworm team" deployed CVE-2014-4114 in incidents against targets alongside other known exploits. The group was known for deploying new variants of the BlackEnergy bot in cyber-espionage campaigns, hitting geopolitical and military targets. In one incident, the team sent spearphish as a PowerPoint slide deck containing the 0day OLE exploit to Ukrainian government and US academic organizations. When opened, the slides dropped newer variants of BlackEnergy to the victim systems. These newer variants of BlackEnergy maintain functionality dedicated to cyber espionage tasks.The most interesting characteristics of these BlackEnergy trojans are the custom plugins or modules, but that's for a different blog post. Our GReAT researchers Maria Garnaeva and Sergey Lozhkin spoke about interesting BlackEnergy functionality at the May 2014 PHDays conference.
Another group known as Hurricane Panda attempted to exploit CVE-2014-4113 in targeted environments. This escalation of privilege issue can present a real problem in situations where an attacker has gotten in to a network and is attempting to burrow in further. This bug also exists in Windows kernel code, and is patched by the same MS14-058 bulletin mentioned above.
The Internet Explorer update addresses fourteen vulnerabilities, rated critical for IE6 through IE11. They do not affect Server Core installations.
More can be read about October 2014 Microsoft Security Bulletins here.
UPDATE / OCT, 15.
Further to this blog post, describing malicious functions of a mobile Trojan camouflaged as the TicTacToe game app, Lacoon Mobile Security company stated that TicTacToe was developed by them as a proof-of-concept.
Kaspersky Lab would like to reiterate, that as a security company, we detect all forms of malicious program, regardless of their origin or purpose. We recieved the samples through malware exchange with other antivirus companies and it was not marked as a proof-of-concept at this time. We saw several potentially malicious functions in this app – and a thorough analysis of TicTacToe revealed that the game code accounted for less than 30% of the executable file's size. The rest is functionality appeared for monitoring user and obtaining personal data. It is for this reason that we began the investigation and reported the incident to the public.
We respect and support other security companies who aspire to the development of mobile technologies, but we also believe that proof-of-concept programs should be marked clearly and shouldn't demonstrate fully-operational functions, to avoid situations where malicious users replicate the techniques.
Attempts by cybercriminals to disguise malware as useful applications are common to the point of being commonplace. However, the developers of Gomal, a new mobile Trojan, not only achieved a new level of camouflage by adding Tic Tac Toe game to their malicious program, but also implemented interesting techniques which are new to this kind of malware.
It all started with a Tic Tac Toe game being sent to us for analysis. At first glance, the app looked quite harmless:
However, the list of permissions requested by the game made us wonder. Why would it need to access the Internet, the user's contacts and the SMS archive or to be able to process calls and record sound? We analyzed the 'game' and it turned out to be a piece of multi-purpose spyware. The malicious app is now detected by Kaspersky Lab products as Trojan-Spy.AndroidOS.Gomal.a.
A thorough analysis of the malicious program showed that the game code accounts for less than 30% of the executable file's size. The rest is functionality for spying on the user and stealing personal data.
Game code is marked in green, malicious functionality – in red
What does this functionality include? First and foremost, the malware has sound recording functions, which are now standard for mobile spyware:
It also has SMS-stealing functionality:
In addition, the Trojan collects information about the device and sends all the data collected to its masters' server. But Trojan-Spy.AndroidOS.Gomal.a has something really curious up its sleeve – a package of interesting libraries distributed with it.
The package includes an exploit used to obtain root privileges on the Android device. The extended privileges give the app access to various services provided by Linux (the operating system on which Android is based), including the ability to read process memory and /maps.
After obtaining root access, the Trojan gets down to work. For example, it steals emails from Good for Enterprise, if the app is installed on the smartphone. The application is positioned as a secure email client for corporate use, so the theft of data from it can mean serious problems for the company where the owner of the device works. In order to attack Good for Enterprise, the Trojan uses the console to get the ID of the relevant process (ps command) and reads virtual file /proc/ /maps. The file contains information about memory blocks allocated to the application.
After getting the list of memory blocks, the malware finds the block [heap] containing the application's string data and creates its dump using one more library from its package. Next, the dump file created is searched for signatures characteristic of emails and the messages found are sent to the cybercriminals' server.
Gomal also steals data from logcat – the logging service built into Android that is used for application debugging. Developers very often have their applications outputting critically important data to Logcat even after the apps have been released. This enables the Trojan to steal even more confidential data from other programs.
As a result, the seemingly harmless game of Tic Tac Toe gives cybercriminals access to an enormous amount of the user's personal data and corporate data belonging to his employer. The techniques used by Gomal were originally implemented in Windows Trojans, but now, as we can see, they have moved on to Android malware. And, most dangerously, the principles upon which this technique is based can be used to steal data from applications other than Good for Enterprise – it is likely that a range of mobile malware designed to attack popular email clients, messengers and other programs will appear in the near future.To reduce the risk of infection by mobile malware we recommend that users:
- Do not activate the "Install applications from third-party sources" option
- Only install applications from official channels (Google Play, Amazon Store, etc.)
- When installing new apps, carefully study which rights they request
- If the requested rights do not correspond with the app's intended functions, do not install the app
- Use protection software
Trojan-Spy.AndroidOS.Gomal.a uses an old version of the exploit, which is effective on Samsung devices running Android 4.0.4 or earlier. This particular version of the malware could not successfully attack a corporate email client on devices with newer firmware.
So far, we have not seen any attempts to infect our users with the Gomal Trojan. However, even though this sample is not currently active in-the-wild, we detect it so we will be able to block any future attacks by mobile malicious programs based on this proof-of-concept malware.