Fortinet: Mobile grey software increases by 30% in 6 months

Source: Internet
Author: User
Fortinet's FortiGuard Threat Research and Response Labs (FortiGuard Labs) has released its latest threat report, covering security threat trends for the first half of 2013, and recommends timely patching to avoid attack. FortiGuard Labs has observed that the volume of grey software for mobile devices has grown by 30% over the past six months. It now sees more than 1,300 new samples per day and is currently tracking more than 300 Android grey software families and more than 250,000 Android malware samples. The image below shows the growth of mobile grey software between January and July 2013.

Bring your own device, bring your own trouble

"Bring your own device" (BYOD) brings real benefits to a company, above all improved employee efficiency and productivity. The downside of a loose BYOD policy is that mobile malware infects user devices and then threatens the entire corporate network.

"Three years ago, mobile malware attracted little attention from users or businesses. Most malware for smartphones and tablets at the time was simply annoyware (a general nuisance), such as the Cabir virus, or scam software that sent premium SMS messages or replaced user icons," said Axelle Apvrille, a senior mobile anti-virus researcher at FortiGuard Labs. "With the proliferation of mobile devices, cyber criminals want to take advantage of the growing user base," Apvrille said. "The proliferation of malware on mobile devices will not weaken any time soon. Back in 2009, in the Symbian era, the majority of existing mobile grey software targeted Symbian OS; iOS and Android were relatively new to the market." In addition, a large number of malware programmers were in Eastern Europe and China, where Symbian had a large user base.
Figure 2 shows the countries where mobile grey software was most active in 2009. The following figure shows the operating systems most frequently targeted by grey software in 2009.

The changing mobile threat landscape in 2013

In 2013 the mobile threat landscape changed dramatically. Mobile manufacturers around the world adopted Google's Android operating system, bringing smartphones to the mass market. Android devices are everywhere, priced from cheap to expensive, and a wide variety of applications has greatly expanded what mobile devices can do; cyber criminals and other illegal network operators are waiting to exploit this platform.

Ransomware appears on mobile devices

In 2012 FortiGuard Labs predicted that ransomware (extortion software) would move toward mobile devices. Now it has arrived. "Ransomware is so notorious in cyber crime that it is no surprise the criminals have turned their attention to mobile devices," said Richard Henderson, security strategist at FortiGuard Labs. "The software enters the Android system in the guise of protective software, much as fake anti-virus software spreads on PCs, but its real purpose is ransom." The malware locks the victim's phone and will not unlock the device until the demanded payment is made. Once the phone is locked, the victim can pay the ransom or, if the phone's photos and other data are fully backed up, ignore the demand and reflash the phone.

New attacks on old vulnerabilities

Although patches for Ruby on Rails, Adobe Acrobat and Apache have recently been released, FortiGuard Labs found that some attackers still exploit these old, patched flaws. An important vulnerability in the Ruby on Rails framework was disclosed this January; remote attackers can exploit it to execute code on the web server.
Ruby on Rails (RoR) is a web application framework written in the Ruby programming language. Simply put, it lets developers build Web 2.0 sites quickly and easily, and quite a lot of websites use the RoR framework. A Metasploit module for the vulnerability makes scanning for vulnerable web servers and compromising them a trivial matter. "The exploit abuses the way the XML processor deserializes parameters, which makes it possible to instantiate Ruby objects at run time. The RoR patch fixes this flaw, but four months after the patch was released attackers are still searching for unpatched web servers to infect with embedded code," Henderson said.

Java remote code execution

This January a zero-day attack was discovered that bypasses the Java sandbox and runs arbitrary Java code. Java is a ubiquitous web technology, and most computers have some form of Java installed and enabled. The vulnerability lets a malicious applet escape the Java sandbox and gain full access to the infected computer. Such attacks were discovered in the wild, and the exploit was quickly integrated into many popular crimeware exploit kits, such as Blackhole, Redkit and Nuclear, which criminals buy to install grey software on victims' computers. A Metasploit module was also released, making it easy to infect people through a single click. "This vulnerability involves a flaw in a JMX (Java Management Extensions) component that allows a malicious applet to elevate its privileges and run arbitrary Java code. Oracle quickly released a patch, but the exploit has been included in crimeware kits, and new victims are still being found because they are running unpatched Java," Henderson said.
Acrobat/Acrobat Reader zero-day attacks

In February, a PDF file disguised as a travel visa from Turkey was found circulating widely, exploiting a previously unknown flaw in Adobe Reader. The vulnerability exists in all recent versions of Adobe Reader (9.5.x, 10.1.x and 11.0.x) on most versions of Microsoft Windows, including 64-bit Windows 7, and on Mac OS X. Cyber criminals used this PDF vulnerability to install grey software on targeted systems. Adobe released patches on February 20, but criminals still target unpatched versions with spear-phishing attacks.

Cdorked attacks Apache

At the end of April, a new attack on the Apache web server was discovered. Dubbed Cdorked, it is grey software that compromises the web server and redirects visitors to other servers, which use the Blackhole exploit kit to install further grey software. The attack can also target the lighttpd and Nginx web server platforms. Cdorked shows many similarities to the Darkleech attacks on Apache servers in 2012, but it is more subtle and tricky than Darkleech: Cdorked does not load an additional malicious module into the infected server but maliciously modifies the existing httpd binary. What makes Cdorked interesting is that it writes nothing to the web server's hard drive: all of its state is kept in memory and is accessed through obfuscated GET requests that the attacker sends to the compromised server. These GET requests are not logged. Cdorked also shows some tricks in the way it operates. "It has a built-in quota system; in other words, Cdorked does not attempt to redirect every visitor to the Blackhole site," Henderson said. It also avoids redirecting users who are accessing the admin pages of an infected web server, so that administrators do not notice that visitors are being redirected to a malicious site. Cdorked's practices are not unique.
Other malicious grey software also embeds such tricks to keep grey software analysts and other white-hat researchers from observing how it operates.
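As an added defender-side example (not code from the Fortinet report or from the Cdorked samples), the following Python script takes the integrity baseline that the Cdorked description calls for: because the backdoor patches the existing httpd binary in place, keeps its state in memory and leaves no log of the GET requests that drive it, comparing the on-disk web server binary and module files against a hash manifest recorded on a known-clean host is the practical check, where log review is not. The file paths in DEFAULT_TARGETS are assumptions for a typical Apache layout.

```python
"""Hash-manifest integrity check for Apache httpd binaries and modules.
Added example, not code from the Fortinet report: Cdorked patches the existing
httpd binary and is driven by unlogged GET requests, so on-disk integrity, not
log review, is where it shows.  Usage: python this.py <baseline|check> manifest.json"""
import hashlib
import json
import os
import sys

# Assumed paths for a typical Apache layout; adjust for the host being checked.
DEFAULT_TARGETS = ["/usr/sbin/httpd", "/usr/lib64/httpd/modules"]

def fingerprint(data):
    """SHA-256 hex digest of a file's contents."""
    return hashlib.sha256(data).hexdigest()

def expand(targets):
    """Flatten files and module directories into a sorted list of existing files."""
    files = []
    for t in targets:
        if os.path.isfile(t):
            files.append(t)
        elif os.path.isdir(t):
            files.extend(os.path.join(r, n) for r, _, ns in os.walk(t) for n in ns)
    return sorted(files)

def build_manifest(targets):
    """Map each file to its digest; record this on a known-clean host."""
    manifest = {}
    for path in expand(targets):
        with open(path, "rb") as fh:
            manifest[path] = fingerprint(fh.read())
    return manifest

def compare(baseline, current):
    """Classify drift: a changed digest on httpd itself is the Cdorked-style signal."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
    }

if __name__ == "__main__":
    mode, manifest_file = sys.argv[1], sys.argv[2]
    if mode == "baseline":
        with open(manifest_file, "w") as fh:
            json.dump(build_manifest(DEFAULT_TARGETS), fh, indent=2)
    else:
        with open(manifest_file) as fh:
            report = compare(json.load(fh), build_manifest(DEFAULT_TARGETS))
        print(json.dumps(report, indent=2))
        sys.exit(1 if any(report.values()) else 0)
```

Run `baseline` once on a freshly installed host and `check` from cron; a non-zero exit with `/usr/sbin/httpd` under "modified" is the in-place patching the Cdorked description warns about, while new entries under "added" match the module-dropping Darkleech style instead.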