Security researcher Charlie Miller, widely known for his work on Mac OS X and Apple’s iOS, has discovered an interesting method that enables him to completely disable the batteries on Apple laptops, making them permanently unusable, and perform a number of other unintended actions. The method, which involves accessing and sending instructions to the chip housed on smart batteries could also be used for more malicious purposes down the road.
What he found is that the batteries are shipped from the factory in a state called “sealed mode” and that there’s a four-byte password that’s required to change that. By analyzing a couple of updates that Apple had sent to fix problems in the batteries in the past, Miller found that password and was able to put the battery into “unsealed mode.”
From there, he could make a few small changes to the firmware, but not what he really wanted. So he poked around a bit more and found that a second password was required to move the battery into full access mode, which gave him the ability to make any changes he wished. That password is a default set at the factory and it’s not changed on laptops before they’re shipped. Once he had that, Miller found he could do a lot of interesting things with the battery.
“That lets you access it at the same level as the factory can,” he said. “You can read all the firmware, make changes to the code, do whatever you want. And those code changes will survive a reinstall of the OS, so you could imagine writing malware that could hide on the chip on the battery. You’d need a vulnerability in the OS or something that the battery could then attack, though.”
As components get smarter, they also get more vulnerable.
Posted in Bruce Schneier, English-Italian Translations by admin with no comments yet.
ShareMeNot is a Firefox add-on for preventing tracking from third-party buttons (like the Facebook “Like” button or the Google “+1” button) until the user actually chooses to interact with them. That is, ShareMeNot doesn’t disable/remove these buttons completely. Rather, it allows them to render on the page, but prevents the cookies from being sent until the user actually clicks on them, at which point ShareMeNot releases the cookies and the user gets the desired behavior (i.e., they can Like or +1 the page).
Posted in Bruce Schneier, English-Italian Translations and tagged ShareMeNot by admin with no comments yet.
Android malware seems to be all the rage at the moment. Here’s a few comments on a couple interesting side issues we’ve been discussing as we’ve seen them crop up during analyses.
First up: there was a recent report on suspicious applications found the official Android Market. The apps in question have since been taken off the Market, but our threat hunting team still come across them in forums and other such locations, usually promoted as ‘free apps’.
The applications themselves appear to be straightforward games. At some point however, it looks like additional services were added to the apps. The earlier versions didn’t ask for anything other than Internet access:
However the later versions get a bit more personal than that:
With the changes, the app is able to access various bits of information from the device: the carrier and country, the device’s ID, e-mail address and phone number.
The information is sent out to a remote server.
An additional twist this app pulls is that it includes a little icon that when clicked, leads the user to other apps which presumably, they might like to try. The apps being promoted also appear to show the same suspicious behavior.
What was interesting is that both the earlier ‘unremarkable’ and later ‘suspect’ versions of the app appear to be from the same developers:
It appears to be a case of questionable new behaviors being added at a later date to an existing app, and not a repackaged app with foreign malicious routines added. We’re still looking into various aspects of this; for now, based on the observed behavior, we detect these applications as Spyware:Android/SndApps.A.
This case is interesting to us as we see it as an evolution in Android application development, specifically ‘greyware’. This kind of behavior seems to bear out one of our earlier predictions, where an ‘established’ developer would be able to push out an update containing suspicious/unwanted/unethical routines, which may invade the user’s privacy.
The newly added routines could include obtaining user information that can be used for other purposes, like sending marketing advertisements or spam. At worst, the details may be sold to a third party. We would have no way of knowing what is being done with the information.
In another case even more recently, we’ve been discussing the odd behavior of another reported Android app, this time a trojan.
It didn’t make sense that the trojan intercepted an SMS message and then reported it to a loopback address:
From our investigation, it seems like this app might be a test program. We detect this as Trojan:Android/SmsSpy.C.
However, one of our threat hunters did find a file (SHA1: 7d8004b107979e159b307a885638e46fdcd54586) that appears to be more useful:
That looks more like the real deal. We detect this as Trojan:Android/SmsSpy.D.
Analysis and post by: Zimry, Irene, Raulf and Leong
Posted in F-Secure, English-Italian Translations and tagged Android, Android/SndApps.A, Trojan:Android/SmsSpy.D by admin with no comments yet.
The Symbian, Windows Mobile and Blackberry modules of the notorious Zeus malware toolkit (also known as ZBot) have been known about for some months, and it has been clear that Zeus gang was interested in developing malware for mobile platforms.
However, until now we have not seen any evidence of Zeus targeting users who own Android or iOS (iPhone/iPad) devices.
This fact was quite surprising to us, considering the popularity of the Android and iOS platforms and the growing prevalence of malware being written for the Google Android operating system in particular.
In the last couple of days, however, there has been quite a lot of discussion on the mobile malware analysis mailing lists about a version of a an Android version of Zeus.
We eventually concluded that this was a malicious application that Sophos products have been detecting as Andr/SMSRep-B since 31st May 2011.
The malicious application pretends to be an Android version of Trusteer Rapport banking security tool, and was served to devices running the Google Android OS by a web server which was set up to deliver Zbot malware to multiple platforms.
After the fact, it was not difficult to connect the Android application with Zeus toolkit, although we could not conclude 100% that there was a connection.
The installed application uses a stolen Rapport icon and displays a simple screen when launched on affected device.
The fake Rapport application registers a Broadcast receiver which intercepts all received SMS messages and forwards the messages to a malicious web server using HTTP POST requests. The stolen SMS messages are encoded using a JSON encoding scheme, often used by various web services.
Although the application is clearly designed to steal the content of SMS messages, its not very sophisticated.
That’s why we cannot be 100% sure that this is indeed a part of the Zeus kit. The URL of the command and control server is hard-coded into the source code, for example, which makes the application quite inflexible for installation on an alternative server.
Nevertheless, this malicious Android application is interesting as it combines spyware functionality with the concept of fake security software. As we’ve seen recently in the Mac OS X world, fake anti-virus software is one of the most common themes adopted by malicious hackers in their attacks.
Eventually, the doubt whether this is really part of the Zeus family or not remains.
I suppose only the developers of Zeus kit know for certain. Unfortunately I have no means of contacting them, and even if I did I doubt they would be prepared to confirm or deny this theory.
Posted in Naked Security, English-Italian Translations and tagged Android, IOS, Trusteer Rapport, ZBot, ZeuS by admin with no comments yet.