These exploit kits provide an effective way for cybercriminals to distribute malware without the users consent. Among these kits, the Blackhole exploit kit is one of the most prevalent. Now another kit has gained the attention of the security research community. McAfee Labs has observed an increase in the use of the Red Kit exploit kit. The Red Kit targets vulnerabilities in applications such as Java and Adobe Reader.

Overview of an attack.

As shown in the preceding image, the infection starts when a user visits a compromised website, which contains the link to a Red Kit landing page. The link of the compromised web page may arrive via email as part of a spam campaign to lure the user into clicking the malicious link.

Redirector.

The landing page appears similar to that of Blackhole. It uses plug-in detection code (Version 0.7.7) to identify the version of the browser plug-ins installed in the system:

Plug-in detects Version 0.7.7.

We have observed that the Red Kit uses different URL patterns for its landing pages. Some of them follow:

• hxxp://[domain name]/ewci.htm
• hxxp:// [domain name]/hmod.html
• hxxp:// [domain name]/mhes.html
• hxxp:// [domain name]/hmpu.html
• hxxp:// [domain name]/asjs.html
• hxxp:// [domain name]/aces.htm
• hxxp:// [domain name]/aoef.htm

Also, the landing page has the code to download malicious .jar and .pdf files. These files target the vulnerabilities CVE 2012-1723 and CVE 2010-0188.

A Red Kit landing page.

This exploit kit uses a unique URL pattern for downloading the .jar and .pdf files:

• hxxp://[domain name]/332.jar
• hxxp://[domain name]/887.jar
• hxxp://[domain name]/987.pdf

The payloads of the .jar and .pdf files are also downloaded from unique URL patterns:

• “332.jar”  downloads payload from  “hxxp://[domain name]/33.html”
• “887.jar”  downloads payload from  “hxxp://[domain name]/41.html”
• “987.pdf” downloads payload from  “hxxp://[domain name]/62.html”

The final payloads are identified as a downloader that delivers additional payloads from the remote server.

How to prevent this attack:

• Blocking the URL patterns we have noted is one efficient way to prevent this attack. However, the landing page URL patterns are constantly changing. Nonetheless, the payload URL patterns have remained the same for all malicious domains we have seen.

• In spite of the availability of patches for known vulnerabilities such as CVE2012-1723 and CVE2010-0188, this exploit kit still targets these vulnerabilities. McAfee recommends that you update to the latest patches available for Java and Adobe Reader.

• We advise our customers to pay extra caution when opening unsolicited emails and unknown links.

McAfee products detect these exploits as “JS/Exploit.Rekit.”

These QR codes are safe. They point to McAfee mobile security downloads and our Virus Information Library. To verify, download one of the QR code apps mentioned and view the preview URL.

My friend’s little joke drove home the necessity of not blindly scanning every QR code I run across. Some of my colleagues aren’t as lucky. I was discussing a recent threat of malware distributed by QR codes with a couple of coworkers who are penetration testers. They test the security of their clients’ networks and systems nearly daily and are very skilled computer security professionals. Although both of them had QR code-scanning apps on their phone, neither had one that could provide a preview of the URL. I ended up suggesting a couple of free barcode-scanning apps that would keep them from being unpleasantly surprised.

Although distributing mobile malware through QR codes is becoming popular, it’s not a new idea. Security researcher Felix “FX” Lindner described similar attacks about three years ago at the 24th Chaos Communications Congress and DefCon 16. FX claimed that newspaper ads with QR codes are trusted implicitly by readers (“It’s in print; it must be true”) and would make a good vector for exploits and malware. The functionality that enabled the attacks was the automatic loading and following of URLs in QR codes. Point your phone at the QR code and you end up downloading mobile malware.

In 2007-2008 FX publicly painted a number of scenarios in which QR codes could be used maliciously. We have since seen malicious QR codes that link to mobile malware.

The risk from such downloaded malware is still relatively low, as these are not drive-by downloads. Users would still need to choose to install the JAR or APK files on their smartphones. The risk from exploits, though, is one to worry about. An attacker who places a link to a modified Apple iOS jailbreak exploit or an Android root exploit can take over a victim’s device or steal sensitive information (emails, social network credentials, credit card numbers, etc.).

As I told my two colleagues, there are a number of free QR code- and barcode-scanning apps with preview functions for both Android and Apple iOS. The following are my suggestions for safer QR code scanners:

Google Android

 
Apple iOS

Protecting yourself from malicious QR codes and avoiding shock sites, mobile malware, and exploits doesn’t have to be too difficult.

• Use a mobile QR code-/barcode-scanning app that previews URLs
• Avoid suspicious URLs (for example, domains that don’t match ads, shortened URLs)
• Do not play “QR Code Roulette”

Starting off the batch is a presentation on Android security by researchers Jon Oberheide and Zach Lanier. They’ve previously had success with social-engineering users into downloading malicious proof of concept (PoC) apps. Their last app pretended to be an update for the Android version of the Angry Birds game. The timing was fortunate as it was after the release of the game, but before the official game update. Instead of offering new levels of bird launching fun, the app exploited a security flaw that allowed it to download additional malicious programs without the user’s permission. The talk promises similar fun with the OS and an extension to third-party apps.

Anti-malware researchers Axelle Apvrille and Kyle Yang will do a detailed teardown of Symbos/Zitmo.A. Zitmo.A was the mobile phone spyware used by the criminals behind the Zeus botnet to steal mTANs/TACs (Mobile Transaction Authorization Numbers/Codes). Your bank will send an mTAN to your mobile phone by SMS. An attacker would need to steal both your banking login and password (using the Zeus Trojan) and the SMS containing the currently active mTAN (with SymbOS/Zitmo.A or other spyware). The researchers will show how it works and a bit of how it may have been designed by the malware authors.

Recent threats like Android/Geinimi.A have generated a lot of interest in Android reverse engineering. Security Researcher Scott Dunlop’s talk will cover methods using the Android SDK and emulator and other open-source tools for tearing apart, instrumenting, and modifying Android apps. The talk will include a practical example showcasing the reverse-engineering process on a mobile antivirus app. Dunlop will go over how it updates its signatures, how its SMS scanning functions, and the security of its network communication–essentially a case study on how not to write security software.

Mobile apps have access to a lot of personal information. We’ve already seen the type and quantity of personal information available from iOS to an attacker using PoC spyware. Using an app to access your favorite social network might seem safe, especially since our personal data and that of our friends and contacts is stored in the cloud. Computer forensics investigator Sarah Edwards will enlighten us, in detail, on how that might not be entirely accurate.

Mobile botnets are a growing area of research, with investigators looking into various smartphone platforms and methods for command and control (C&C). Security researcher Georgia Weidman will look into botnets evading detection on Android phones. The presentation will include a demo with a live Android botnet controlled via SMS messages. Weidman extends Collin Mulliner and Charlie Miller’s research on fuzzing SMS to help hide the C&C channel and messages from the user. The talk will also cover issues relating to securing the botnet from takeover by other attackers.

Mobile phones aren’t the only things under attack; the mobile networks are also at risk.  Although attacks against GSM networks are becoming common and easier to perform, attacks against new 3G and 4G networks are still rare or unknown. Researchers Enno Rey and Daniel Mende will attempt to change that with their presentation on the security architecture of new mobile networks. The researchers will provide tales from their experience in testing real-world networks, and not just discuss theoretical attacks.

This year there are nearly twice as many smartphone-related talks as at last year’s Shmoocon. It looks like the start of an interesting year in smartphone and mobile threat research.