General14.03.2012

Kaspersky Lab Malware in February reports: Duqu dissected and Google Wallet plundered

Kaspersky Lab provides insight into Malware detected by the company in February 2012 and what the topics of the month were.

Duqu’s prime target
Following analysis of the targeted organisations and the type of data of interest to Duqu’s authors, Kaspersky Lab’s experts have concluded that the attackers were mostly seeking information about production management systems in different industrial sectors in Iran, as well as information about the trade relations of several Iranian organisations. It was also established that in addition to using a certain kind of standardised platform, Duqu’s authors most likely used their own framework developed in an unknown programming language.

Attacks against individual users
A month to forget for Google
February saw Google come under the scrutiny of IT security specialists for two reasons. At the beginning of the month Kaspersky Lab detected a wave of infections involving the seeding of malicious code disguised as Google Analytics code. Visitors to hacked sites will be taken through a number of redirects before ending up at a server hosting the BlackHole Exploit Kit. If the exploit launches successfully, the user’s computer will be infected with malware.

Also in the first few days of February two methods were detected for hacking Google Wallet, an e-payment system that allows users to pay for goods and services using Android phones with Near Field Communication (NFC — contactless transactions).

First of all it was discovered that armed with root access to a phone it wouldn’t take a malicious user long to crack the four-digit PIN code for the Google Wallet app. Just one day later a vulnerability was detected in the Google Wallet app itself that made it possible to access the Google Wallet account on a lost or stolen phone without even having to hack the system or obtain root access. This second vulnerability was later fixed, but there was no information regarding the first problem as of early March.

Mobile threats
Chinese virus writers were able to create the mobile botnet RootSmart, with anything from 10,000 to 30,000 active devices currently infected. The total number of devices infected since the botnet’s appearance is already in the hundreds of thousands. All of the devices infected with RootSmart are capable of remotely receiving and executing commands from a C&C server.

“The malicious users controlling the RootSmart botnet are able to set a frequency at which costly text messages are sent and the period over which the messages will be sent out, as well as the short numbers which text messages will be sent to,” explains Denis Maslennikov, Senior Malware Analyst at Kaspersky Lab. “Unlike SMS Trojans, this approach allows cybercriminals to generate a stable, substantial cash flow over a long period of time.”

Recent events involving mobile threats around the world have shown that in 2012, mobile botnets will become one of the main problems for smartphone users and antivirus companies alike.

Attacks targeting corporate networks
Hacktivist attacks continued throughout February, as members of Anonymous targeted financial and political web resources. Major incidents included attacks targeting the websites of the US-based companies Combined Systems Inc. (CSI) and Sur-Tec Inc. These companies were found to be responsible for supplying certain countries with surveillance devices used to monitor citisens, in addition to tear gas and other tools used to suppress protests. There were also DDoS attacks that forced the websites of NASDAQ, BATS, the Chicago Board Options Exchange (CBOE), and the Miami Stock Exchange offline for several hours. In Russia, ahead of the presidential elections, DDoS and hack attacks were employed as political campaigning tools. The websites of media outlets, opposition groups, and government agencies were all subjected to politically motivated attacks.

More detailed information around the threats detected by Kaspersky Lab is available at: www.securelist.com.

Sign up to the MyBroadband newsletter