Posts Tagged ‘mariposa’

Virus Bulletin 2010

October 5th, 2010

This year’s Virus Bulletin conference in Vancouver was a big success as it included some very interesting talks, especially on Stuxnet and social media security issues. There were also some presentations about ongoing efforts in the IEEE regarding telemetry on malware and a taggant system for runtime packers. Overall, some great talks by very knowledgeable folks.

I also gave a presentation on the ButterFly and Mariposa botnet shutdown with details of the arrests made earlier this year. Both Kaspersky and Avira mentioned the talk in their respective blogs here and here.

Tony Lee and Jimmy Kuo from Microsoft giving a presentation on telemetry sharing and an interesting idea of using telemetry to prioritize certain signatures over others, something we have been doing with Panda Cloud Antivirus for almost 2 years now ;)

During the conference Andreas Marx from AV-Test.org officially handed us the “Certified” plaque for Panda Internet Security, which achieved the top ranking in the Full Product Test of Q2 2010.

VB is a great chance for people from competing AV companies to get together and talk shop. If you’re lucky you might even catch the rare sight of competing testing labs talking together. Here we can see “the Andreases” from both AV-Test.org and AV-Comparatives.org:

Jeff Williams (Microsoft), myself and Mark Kennedy (Symantec) during the gala dinner:

Phillip (Avira), Jong (Webroot), Andreas (AV-Test.org) and Tjark (Avira) hanging out:

Andy from ICSALabs, always behind a camera:

The Ikarus and G-Data crews. Great guys!:

Finally, as is now a yearly tradition, G-Data held their table soccer tournament. Unfortunately Luis and I were only able to get 4th rank after Sophos brought in the guns from their local Vancouver office. But next year’s VB 2011 in Barcelona will be payback!!

Spain (Panda) kicking some UK (Sophos) butt during the initial rounds:

USA (Microsoft) losing to Germany (G-Data) in the final:

All pictures above were taken by Andreas Marx from AV-Test.org. I’m sure VB will soon be uploading more photos to their VB2010 conference webpage here, so be sure to keep an eye on that.

Vodafone distributes Mariposa – Part 2

March 17th, 2010

It seems that my original post Vodafone distributes Mariposa botnet caught a lot of attention. It was very interesting to see the reactions from the different actors. On the one hand Vodafone called it an isolated incident, deleted all posts on their forum from users asking about the incident, and then two days later announced the end of life of the HTC Magic. On the other hand reactions from users all over the blogosphere ranged from applause for uncovering this to accusing us of making it up, along with the inevitable and always amusing Android vs. iPhone fanboy quarrels.

However it also caught the attention of an employee of a different IT security company here in Spain, S21Sec, which specializes in researching banking trojans & vulnerabilities. This guy had also purchased an HTC Magic direct from Vodafone’s official website the same week as my co-worker. He hadn’t connected the phone to his PC yet, but as soon as he saw the news hurried back home, plugged it in via USB and scanned its memory card with both MalwareBytes and AVG Free. Lo and behold, Mariposa emerged again, exactly in the same way as in our original finding.

[Image: htc-magic-sd-autorun]

He immediately contacted us and was kind enough to send us the microSD card and allowed us to connect to his PC to analyze what had happened. According to the dates of the files, it seems his Vodafone HTC Magic was loaded with the Mariposa bot client on March 1st, 2010 at 19:07, a little over a week before the phone was delivered to him directly from Vodafone.

This Mariposa botnet client is also loaded in the same hidden NADFOLDER directory. It is also named AUTORUN.EXE and will run automatically when the card is connected to a Windows machine unless you have autorun disabled (download USB Vaccine to disable autorun if you haven’t done so yet).

The Mariposa botnet client itself is exactly the same as reported last week, with the same nickname and same Command & Control servers.

00129953  |.  81F2 736C6E74  |XOR EDX,746E6C73 ; "tnls"

mx5.nadnadzz2.info
mx5.channeltrb123trb.com
mx5.ka3ek2.com

If these are not enough coincidences, there was also more malware in the SD card in addition to Mariposa. I also found a Win32/AutoRun worm in the following location of the phone’s card:

I:\RECYCLER\S-1-5-21-1254416572-1263425100-317347820-0350\system.exe
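A defender-side triage script for the infection mechanism described above: an autorun.inf whose open= directive launches AUTORUN.EXE from the hidden NADFOLDER directory, plus a worm dropped in a SID-named RECYCLER folder. This is an added example, not Panda’s code or anything from the original post; the drive layout it scans is a constructed replica in a temporary directory with empty stand-in files, and the hidden-attribute check only fires on Windows, where os.stat() exposes file attributes.

```python
import configparser
import os
import re
import tempfile
# autorun.inf directives that launch a program when AutoRun is enabled; SID-named RECYCLER
# folders match the layout of the Win32/AutoRun worm path quoted in the post
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
RECYCLER_SID = re.compile(r"^RECYCLER[\\/]S-1-5-21(-\d+){3,4}[\\/]", re.IGNORECASE)

def parse_autorun(text):
    """Return the [autorun] section (any case) as a dict with lowercase keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    sec = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    return dict(cp.items(sec)) if sec else {}

def is_hidden(path):  # FILE_ATTRIBUTE_HIDDEN (0x2); only os.stat() on Windows reports it
    return bool(getattr(os.stat(path), "st_file_attributes", 0) & 0x2)

def triage_drive(root):
    """List what autorun.inf would launch, plus executables in worm-style locations."""
    findings = []
    inf = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf):
        with open(inf, encoding="utf-8", errors="replace") as fh:
            entries = parse_autorun(fh.read())
        for key in LAUNCH_KEYS:
            if key in entries:
                target = entries[key].split()[0].strip('"')  # drop any arguments
                exists = os.path.isfile(os.path.join(root, *target.split("\\")))
                findings.append(("autorun-launch", key, target, exists))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if RECYCLER_SID.match(rel):
                findings.append(("recycler-sid-file", rel))
            elif name.lower().endswith(".exe") and is_hidden(dirpath):
                findings.append(("hidden-dir-executable", rel))
    return findings

def build_sample():
    """Constructed copy of the card layout described above (temp dir, empty stand-in files)."""
    root = tempfile.mkdtemp()
    sid_dir = os.path.join(root, "RECYCLER", "S-1-5-21-1254416572-1263425100-317347820-0350")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=NADFOLDER\\AUTORUN.EXE\nicon=%SystemRoot%\\system32\\SHELL32.dll,4\n")
    for path in (os.path.join(root, "NADFOLDER", "AUTORUN.EXE"), os.path.join(sid_dir, "system.exe")):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root
```

Point triage_drive() at the root of a mounted card to see which file autorun.inf would execute and whether it is actually present; the icon= line in the sample shows that non-launch directives are ignored.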

And for those conspiracy theorists amongst you (bless you!), the AV that he has installed was not Panda but AVG.

[Image: htc-magic-avg]

So what conclusions can we draw from all this?

  • Vodafone stated it was an isolated incident, but that theory is losing ground as quickly as you can say “p0wn3d”
  • Originally I had thought it was an issue with a specific refurbished phone as well. But having the exact same botnet client with the exact same characteristics, with so little time between the malware being loaded and the phone being delivered to the client, and all happening during the same week, makes me think this might be a bigger problem, either with QA or with a specific batch of phones.
  • If you’re in Europe and you’ve purchased a HTC Magic from Vodafone a few weeks before or after March 1st 2010, I’d double-check my PC and my HTC’s microSD card if I were you.

The lesson to be learned here could be: either stop pre-loading malware into the phones or at least stop selling them to employees of IT security companies ;)


Vodafone distributes Mariposa botnet

March 8th, 2010

Here is yet another example of a company distributing malware to its userbase. Unfortunately it probably won’t be the last.

Today one of our colleagues received a brand new Vodafone HTC Magic with Google’s Android OS. “Neat” she said. Vodafone distributes this phone to its userbase in some European countries and it seems affordable as you can get it for 0€ or 1€ under certain conditions.
[Image: 0-pic-htc-magic-vodafone]

The interesting thing is that when she plugged the phone to her PC via USB her Panda Cloud Antivirus went off, detecting both an autorun.inf and autorun.exe as malicious. A quick look into the phone quickly revealed it was infected and spreading the infection to any and all PCs that the phone would be plugged into.
[Image: 1-pic-htc-drive]
[Image: 2-pic-autorun]

A quick analysis of the malware reveals that it is in fact a Mariposa bot client. This one, unlike the one announced last week which was run by the Spanish hacker group “DDP Team”, is run by some guy named “tnls”, as the botnet-control mechanism shows:

00129953  |.  81F2 736C6E74         |XOR EDX,746E6C73 ; "tnls"

The Command & Control servers which it connects to via UDP to receive instructions are:

mx5.nadnadzz2.info
mx5.channeltrb123trb.com
mx5.ka3ek2.com

Once infected you can see the malware “phoning home” to receive further instructions, probably to steal all of the user’s credentials and send them to the malware writer.

[Image: 6-pic-comm-candc]

Interestingly enough, the Mariposa bot is not the only malware I found on the Vodafone HTC Magic phone. There’s also a Conficker sample and a Lineage password-stealing malware. I wonder who’s doing QA at Vodafone and HTC these days :(