Sunday, July 14, 2013

Hackers use Dropbox, WordPress to spread malware



The Chinese cyberspies behind the widely publicized espionage campaign against The New York Times have added Dropbox and WordPress to their bag of spear-phishing tricks.

The gang, known in security circles as the DNSCalc gang, has been using the Dropbox file-sharing service for roughly the last 12 months as a mechanism for spreading malware, said Rich Barger, chief intelligence officer for Cyber Squared. While the tactic is not unique, it remains under the radar of most companies.

"I wouldn't say it's new," Barger said on Thursday. "It's just something that folks aren't really looking at or paying attention to."

The gang is among 20 Chinese groups identified this year by security firm Mandiant that launch cyberattacks against specific targets to steal information. In this case, the DNSCalc gang was going after intelligence on individuals or governments connected to the Association of Southeast Asian Nations. ASEAN is a non-governmental group that represents the economic interests of ten Southeast Asian countries.

The attackers did not exploit any vulnerabilities in Dropbox or WordPress. Instead, they opened up accounts and used the services as their infrastructure.

The gang uploaded to Dropbox a .ZIP file disguised as belonging to the U.S.-ASEAN Business Council. Messages were then sent to people or agencies that would be interested in the draft of a Council policy paper. The paper, contained in the file, was legitimate, Barger said.

When a recipient unzipped the file, they saw another one that read, "2013 US-ASEAN Business Council Statement of Priorities in the US-ASEAN Commercial Relationship Policy Paper.scr." Clicking on the file would launch a PDF of the document, while the malware opened a backdoor to the host computer in the background.

Once the door was open, the malware would reach out to a WordPress blog created by the attackers. The blog contained the IP address and port number of a command and control server that the malware would contact to download additional software.
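As an added example (not from the article, Cyber Squared or the attackers' tooling), the following Python checker lists ZIP archive members whose names read like documents but carry an executable extension, the pattern behind the .scr decoy described above. The sample archive, its member contents and the word list are constructed here for illustration.

```python
import io
import os
import re
import zipfile

# Extensions Windows runs on double-click; .scr (screen saver) is the one used here.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".txt"}
# Words that make a file name read like a paper rather than a program (constructed list).
DOC_WORDS = re.compile(r"\b(paper|statement|report|policy|draft|priorities|agenda)\b", re.I)


def classify_entry(name):
    """Return the reasons an archive member name looks like a decoy ([] if none)."""
    base, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in EXECUTABLE_EXTS:
        return []
    reasons = ["executable extension " + ext]
    inner_ext = os.path.splitext(base)[1].lower()  # catches "report.pdf.exe"
    if inner_ext in DOCUMENT_EXTS:
        reasons.append("document extension " + inner_ext + " hidden before " + ext)
    if DOC_WORDS.search(base):
        reasons.append("document-like words in name")
    if len(name) > 60:
        reasons.append("very long name, extension easily cut off in file dialogs")
    return reasons

def scan_zip(data):
    """Map each suspicious member name to its reasons; clean members are omitted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                reasons = classify_entry(info.filename)
                if reasons:
                    findings[info.filename] = reasons
    return findings

def build_sample_zip():
    """Constructed archive mimicking the one in the article; member contents are dummy bytes."""
    decoy = ("2013 US-ASEAN Business Council Statement of Priorities in the "
             "US-ASEAN Commercial Relationship Policy Paper.scr")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(decoy, b"placeholder, not a real program")
        zf.writestr("cover letter.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()
```

Running `scan_zip(build_sample_zip())` flags only the .scr member; the same check can be applied to attachments pulled from a mail gateway or a file-sharing download before they reach a user.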

Dropbox is a desirable launchpad for attacks because employees of many companies use the service. "People trust Dropbox," Barger said.

For companies that have the service on their whitelist, malware moving from Dropbox won't be detected by the company's intrusion prevention systems. Likewise, communications to a WordPress blog would likely go undetected, since that is not unusual behavior for any employee with Internet access.

In general, no single technology can prevent such an attack. "There's no silver bullet here," Barger said.

The best prevention is for security pros to share information when their companies are targeted, so others can draw up their own defense, he said.

In The New York Times attack, the hackers penetrated the newspaper's systems in September 2012 and worked undercover for four months before they were detected.

The attack coincided with an investigative piece the newspaper published on business dealings that reaped several billion dollars for the relatives of Wen Jiabao, China's prime minister.

Source: http://www.pcworld.com/article/2044262/hackers-use-dropbox-wordpress-to-spread-malware.html

Monday, July 1, 2013

Malware-like program lets your Android phone spy on you



A security firm has figured out how to turn an Android smartphone into a surveillance device that would make Q, the fictional gadget master in the James Bond movies, proud.

The Security Labs of Kindsight, a part of Alcatel-Lucent, has built a proof-of-concept program capable of tracking the user's location, intercepting messages, recording conversations, and taking pictures.

"Effectively, it turns the Android device into a spy phone," Kevin McNamee, lab director for Kindsight, said Friday. McNamee plans to present the espionage tool at the Black Hat USA conference next month.
Runs inside any app

The technology, codenamed DroidWhisper, can be hidden as a component within any Android app and run covertly in the background, booting up automatically when the device is turned on.

Once installed, the spyware would receive instructions from a command-and-control (C&C) server, which could communicate either over the Internet or through the phone's Short Message Service used for text messaging.

From a control panel on the server, criminals or government spies would be able to control the phone's camera, both video and still, and make use of its microphone and recording capabilities. The panel also would be used to collect all the recorded content and images, as well as any personal information on the phone.

"The smartphone is an excellent platform, if you want to launch an insider attack against a corporate network or government network," McNamee said. "The device has all the capabilities that it needs. It has Internet access over the air, it can take pictures [and] it can record sound—a very powerful surveillance platform."

While not part of the proof-of-concept, the spyware platform could be used to download tools for scanning a corporate network for vulnerabilities when an employee logs into a Wi-Fi network, McNamee said.

"[The phone] has a completely fully functional network stack, so if it has access to the corporate Wi-Fi, yes, it can scan the network," he said.
Anti-malware programs may halt it

The most likely ways the spyware could be installed secretly are through an email-carried link to a malicious website, or through an app provided by an online store. For example, the component could be injected into a bogus version of a popular game.

While Google Play, the official Android store, scans for malware, most third-party stores do not. Roughly three in five such stores originate in China and Russia, notes the latest mobile threat report from Juniper Networks.

As of March 2013, more than 90 percent of the mobile malware detected by Juniper targeted the Android platform, nearly double the percentage in 2011.

To install and run Kindsight's component on a device, the criminal would have to find a way to bypass Android's built-in security features. By default, applications do not have the permission needed to perform operations impacting other apps or the device in general. Such permissions would have to be granted by the user.

Assuming the spyware got past those defenses, the next line of detection for businesses would be catching the network traffic between the component and the command-and-control servers.

Source: http://www.techhive.com/article/2043321/malware-like-program-lets-your-android-phone-spy-on-you.html
