Round 1: SndApps.A
The malware in question, Android.Trojan.SndApps.A, was firstly discovered on the 4 July by Xuxian Jiang, then Assistant Professor at NCSU. It targets Android mobile devices and was available on the official Android Market. Once installed by the user, the malware adds certain services to be allowed to start some of the assumedly malicious services at boot. The user does not have any influence on those services.
The applications themselves are very simple. The airhorn application just displays a picture of an airhorn, which, when touched, plays the corresponding sound. The other applications like whoopee cushion, mosquito repellent etc. work the same way.

With a fair distance to the time the apps were installed ads are shown to lead the user to the other, very similar apps of the same developer. This often occurs hours later. Other suspicious behavior of the apps of this developer is the theft of personal data like the users’ contacts and further data, like the phone number and the IMEI of the smartphone. This data is transmitted, unencrypted, to the Typ3-Studios’ server, what adds to the impression mentioned: this is malware. After Jiang’s discovery and report, the Android Markets security team pulled the apps from the Market. 

Round 2: They try it again… and succeed
In late August 2011, Typ3-Studios published a new set of apps, confusingly similar to the ones described before. Only the background color of the icons was changed. They otherwise show the same possibly malicious behavior as the prior versions but are not yet removed from the Google Market, status today.

Why haven’t those apps been removed again?
In the Android.Riskware.SndApps.B version, the only indication of a change is the added End-User-License-Agreement (short: EULA). Its popping into existence is announced merely by a short notice in its Android Market “What’s new” section. There it reads: "Please read the new Privacy Policy and Terms of Use in the app menu." Also, the permission to let the apps advertisement service boot on start-up was now added. To interpret this behavior as malicious now seems to be hindered by the developers move to include those parts mentioned - especially when the user approves the permissions in the first place.

But, the EULA of all mentioned apps published in “round 2”, is only visible if a user presses the smartphone’s menu key. But, the apps’ only use is to play a sound after a touch and it is therefore very obvious that some users never get to see the license agreement – they implicitly agree on this EULA by using the app. 
The beginning of the EULA reads as follows: “By using this Mobile Application (the "Application"), you agree to be bound by this Mobile Application Privacy Policy and Terms of Use.” Sounds quite convenient for the developers when the user never stumbles upon it, right? And the EULA’s mere existence seems to be enough for Google, to let the app pass – at least that’s the way it looks to us.
Another point that the developers had to change to not to get kicked out again was to encrypt the transmitted user-data. How easy it is to decrypt the data afterwards is not specified at all. Typ3-Studios’ apps were not only re-published, but also stayed in the Market where, status today, e.g. the whoopee cushion app was downloaded 10,000+ times. 

Conclusion: Why isn’t such an app labeled as malware or at least as riskware more often? 
As the title of this article indicates, labeling software as malware becomes more and more difficult, especially when the user agrees on dubious permissions.
The sole existence of an EULA should not suffice to make an (already) suspicious behavior legit. Another questionable tendency: the EULA is not easily accessible for the user. An app that includes permissions and EULA’s that are beyond the use case of the app should therefore not stand above reproach. Such an incident should at least be called riskware to call attention to circumstances the user otherwise would not notice.

What you should keep in mind when you install an app: 

• Only use trustworthy sources to install software. Within the Android Market, read the reviews and comments, keep yourself informed.
• The Android Market also displays the permissions the app would like to obtain to function. Evaluate if you want to assign these permissions asked for. Security software like G Data MobileSecurity for Android can discloses these permissions even after the installation.Don’t ignore or carelessly click notifications you don’t know the origins of. Check those phases online or contact your providers support service.

After the regular upload, the file is scanned with the different products and their engines and the results will be available for everyone, together with links to various third party tools and websites. One very interesting feature is the link to the ThreatExpert sandbox analysis (if one already exists) as it shows what the file is actually doing.
Another great feature: all files uploaded are sent to every security software vendor participating, after the scan and analysis. Of course, this whole forwarding process takes some time and it does not imply that you cannot directly send your suspicious files to your personal AV software vendor any more. Actually, you are invited to send the files in, as this could reduce detection time! But using the free online scanner services can give you some pre-analysis results, at least.

What do the multi scanner analysis results mean?
A possible analysis result could be that you have sent in a sample which every single scanner used detects as malware. That’s the best result!
In case some products or engines are not detecting the sample as malware, the file was not rated malicious by using the signatures provided in that particular engine or product. This does not mean that the malware is not at all detected by the AV product!
These days, comprehensive AV products consist of many more anti-malware techniques than only a signature scanner. Obviously, behavior detection, heuristic methods, intrusion prevention, sandbox mechanisms, cloud technologies and other technologies, like e.g. our own G Data BankGuard technology against banking trojans, are not included in the overall result or av online multi scanners. 
Conclusion: If a malicious file is not detected as malicious in such a multi online scanner, you cannot automatically conclude, out of this analysis, that some new malware is actually not detected or stopped by your AV product. Online multi scanners do not consider all the other protection technologies!

The good: some don’t understand the system
The strange thing is, that some script kiddies or wannabee malware writers are still using the popular public online scanning services to test their newly created malware creations and to check whether they are detected or not. During a popular European hacking conference last year, even a professor from the UK showed the public that this method was very interesting to create new malware with.
But, as these tested files are actually sent to all security vendors and real computer protection is not only depending on signatures, it is almost unbelievable for us that this still occurs. 

The bad: underground websites and going offline
Underground members understood that uploading their malware files to such a public scanner is not the best idea for their means and they have therefore set up their own services and sites where they can upload their own new malware to. These sites are obviously not forwarding the files to the security software vendors. 
The problem: If a John Doe stumbles upon such an underground scanner website, he cannot rely upon the results presented, because the websites and services are controlled by the bad guys. It is often quite difficult to distinguish public, safe websites from the underground ones – therefore, one should be informed and, for example, stick to the sites mentioned above.

Sometimes, malware writers are using offline multi scanner software like “Kim Multiscanner” or “antivirusmulti” to try their new malware stuff as well. “Kim Multiscanner” has continuously been improved since its first appearance in 2006. The application is built around pirated versions of the included anti-virus products. While scanning, the tester can even choose whether to include the heuristic scan technologies in addition to the signature scanning. This way, the tester might find out if the malware tested can bypass the different scanning techniques at some level. 

The conclusion
Behavior detection, heuristic methods, intrusion prevention, sandbox mechanisms, cloud technologies and other technologies, like our own G Data BankGuard technology, will stop a lot of new malware proactively or just right after its appearance on the Internet. Comprehensive AV products do not rely on virus signatures only. But online multi scanners do – and this is a huge difference you should know about while using the public services. The online multi scanner analyses can give you an initial idea of the file checked, but not more. You need to know how to interpret and read the results properly.

The ad server used in this case is a different one (Sponsorads.de) and the registrar as well as server host country (Denmark) changed as well. The fraudsters ask the users to post a very similar phrase on their wall (“Die große Neueröffnung”, now even with a capital “N”) but this electronic retailer’s shop is online since October already. 

The retailer reacted and commented on a customer’s Facebook wall entry to explain that they have nothing to do with this campaign:

What users can do to be protected:

• Use an up-to-date, comprehensive security solution with a virus scanner, firewall, http scan and real-time protection. A spam filter, to get rid of unwanted spam, is a must-have, too.
• Do not click on links or download files if you received a message from a foreigner. The websites and files might harm your PC. Even if the message comes from a friend, but looks different from usual messages, you better ask him and reassure yourself that he willingly sent you this message. The domains used for this kind of scam try to lure users with a combination of key words related to the dominant topic, in this case the electronic goods retailer and free gift cards, to look more credible.
• Do not surf the Internet while you are logged in to services like social networks simultaneously in the same browser. Fraudsters can manipulate your browser session and use your social network account to spread unwanted messages, etc.
• Always log-out after your visit in social networks. Especially if the computer you are using is used by several other people or is a public machine, e.g. in universities, internet cafés, etc.

This particular domain was registered on Monday, 23 January 2012 by Ralph Berger and his company EnergizeYourWeb AG from Panama and is currently hosted in Turkey, like many other similar shady sites on this server. The company normally offers the provision of (competition) subscription services for cell phone owners. He seems to be a very generous person, to give away so many valuable gift cards for a German online shop. Well… later on we’ll explain how he actually earns the money. But let’s have a look at the website first:

As far as the site suggested in the Facebook comment form Wednesday afternoon, more than 8,500 people already participated in this fake gift card offer on mm-gutscheine.info alone. This counter actually should make the whole campaign look more credible.
BUT: We actually wonder about this high number, because even if this ad was for real, which it certainly is not, the website states that only “the first 5,000 Facebook users receive a gift card for free” and still, the website visitor’s follow the instructions on how to allegedly “win” the gift card.
RESULT: The fraudsters behind this campaign seem to have realized that this high number is inappropriate for their business and by the late afternoon, the counter was down to a number around 700 again. They simply create a new Facebook comment form with a brand new counter and the procedure starts all over again.

What’s behind it?
The websites we analyzed currently did not host malware, but each and every launch of the website generates money for the fraudsters, because they integrated ads into the website via IFrame, like the one you can see on the screenshot, offering electronic devices – which perfectly suits the electronic goods retailer environment. The ads are served by ad.yieldads.com and are not limited to electronic device offers.
Furthermore, the user is forwarded to another site, with the real URL hidden behind a bit.ly short link.
 

In our case, we were sent to a dating server with young ladies offering themselves as potential dating partners in our area. Use a proxy service to simulate your computer into another location and those exact same ladies will come from another area. Who would have guessed?!

So, this is where the money comes from, which Ralph Berger & co. are promising to give away to Facebook users *wink*

Is it for real?
No! This promotion is not an official promotion initialized by the electronic goods reseller. No participant will receive any money or gift card. The company itself already posted a message on their own Facebook wall to warn users not to participate:

There are several other website offering this particular 50€ gift card or even higher amounts in connection with shady competitions similar to the ones have seen before, e.g. in the Lady Gaga case we reported about.

Don’t forget: “Stinginess is cool” doesn’t work out all the time!


What users can do to be protected:

• Use an up-to-date, comprehensive security solution with a virus scanner, firewall, http scan and real-time protection. A spam filter, to get rid of unwanted spam, is a must-have, too.
• Do not click on links or download files if you received a message from a foreigner. The websites and files might harm your PC. Even if the message comes from a friend, but looks different from usual messages, you better ask him and reassure yourself that he willingly sent you this message. The domains used for this kind of scam try to lure users with a combination of key words related to the dominant topic, in this case the electronic goods retailer and free gift cards, to look more credible.
• Do not surf the Internet while you are logged in to services like social networks simultaneously in the same browser. Fraudsters can manipulate your browser session and use your social network account to spread unwanted messages, etc.
• Always log-out after your visit in social networks. Especially if the computer you are using is used by several other people or is a public machine, e.g. in universities, internet cafés, etc.

Character 1:
The malware modifies the DNS settings on an infected Windows PC. These settings include the “hosts” file and the DHCP settings.
If the DNS settings are changed, a user does not reach the website he/she intended to reach when using the web browser. The attacker redirects the user to a predefined target.

Character 2:
The malware modifies the name server settings within the router.
This means, that the changes are not directly made on a PC but on the router, which, e.g. connects the home network with the Internet. 
The Trojan is equipped with password lists which contain the standard log ins for the most common routers on the market. The Trojan can easily gain access to the router’s web interface in case the user never edited the standard factory-set password. This way, the bad guys can change telecommunication service provider’s name server settings for their individual purposes and control each and every user attempt to open a website.

What is going to happen on 8 March 2012?
The FBI will shut down the formerly rogue DNS servers they now have under their control. This means that all users with computers which 

• are infected with the “DNSChanger” malware spread by the bad guys and
• have not set their DNS settings to “normal” state

can expect to experience problems connecting to the WWW after the FBI took down the DNS servers.

How can I test my Internet settings?
At this point, we present measures computer users with Microsoft Windows operating systems (XP, Vista and 7) can perform themselves to check their PC for immediate damages caused by “DNSChanger” malware.
If the device to be tested is a computer in a company’s network, please contact your system administrator first. 

Before you manually start testing the settings described below, perform a complete antivirus scan on your entire PC. After that, visit the website dns-ok.de
If this website shows a red warning sign (see below), you inevitably have to go through the steps described below. 
If the website displays a green bar, the DNS settings of your system and router are ok and there has been no manipulation by the current “DNSChanger” malware. Please be aware that this online test can only be performed flawlessly without any proxy settings in the browser.

Attention: If the online test or the manual tests presented show your DNS settings are correct, this does not necessarily mean your computer is free from malware! In any case, please conduct regular computer scans with comprehensive and up-to-date antivirus software, e.g. G Data InternetSecurity 2012 with BootCD.

On the PC
Step 1: Check the “hosts” file
Open a text editor. When using Windows Vista or Windows 7, run the text editor as administrator. To do so, right-click the text editor executable file and then left-click “Run as administrator”.

Now, within this text editor, open the “hosts” file. You can find it under
C:\Windows\system32\drivers\etc
You might have to choose “All files (*.*)” at the bottom right corner of the file selector window to see and subsequently select the “hosts” file.

When using Windows XP, the “hosts” file contains only one entry: localhost is connected to 127.0.0.1
The default “hosts” file under Microsoft Windows Vista and Microsoft Windows 7 contains no entry at all. Note: All lines starting with a hash (#) character are comment lines and are therefore ignored by the system and can be ignored by you as well.

If you see additional entries in your “hosts“ file, without a preceding hash character and regardless of the operating system, this can be an indication of a modification made by malware.

You can add a hash character to the beginning of each line with an additional entry to verify the situation. Restart your browser if necessary and visit the website dns-ok.de


Step 2: Check the DHCP settings
Users with a Windows XP computer need to click Start > Control panel > Network and Internet Connections > Network Connections and choose the active connection they are using to access the Internet. Right-click the connection and choose “Properties”.
Windows Vista and Windows 7 users click Start > Control panel > Network and Sharing Center and choose the active connection you are using to access the Internet as well, click and choose “Properties”.

The option “Properties” will open up a new window (see screenshot 3).
Choose Internet Protocol (TCP/IP) under Windows XP and Internet Protocol Version 4 (TCP/IPv4) under Windows Vista and Windows 7. In any case, the options “Obtain an IP address automatically” and “Obtain DNS server address automatically” should be activated. If you can find any unknown DNS server address at this point, delete the IP and activate “Obtain DNS server address automatically”.

Following this, open the Windows command-line shell (Start > All Programs > Accessories > Command Prompt). Windows Vista users have to run this command prompt as administrator to make the following instruction work. In the command prompt, type ipconfig /flushdns and execute it by pressing the enter key. This short command empties the system’s DNS cache. Restart your browser if necessary and visit the website dns-ok.de


Step 3: Check the browser settings
Microsoft Internet Explorer (Version 9)
Click “Tools” > “Internet options”. Then choose “Connections”. Click “LAN settings” and check whether one of the three possible boxes is ticked. None of them should be ticked by default.

Mozilla Firefox (Version 9)
Click “Tools” > “Options” > and choose the “Advanced” tab. Then, choose the “Network” tab and “Settings” in the “Connection” section. Now check whether you see any entry in “Manual Proxy settings”. By default, “No Proxy” should be activated.

Google Chrome (Version 16)
Click “Customize and control Google Chrome” and choose “Options” and then “Under the Hood”. In the “Network” section, click “Change proxy settings”. As Google Chrome uses the computer system’s proxy settings, the Google Chrome settings are equivalent to the ones the Internet Explorer has.

In the newly opened window, click “LAN settings” and check whether one of the three possible boxes is ticked. None of them should be ticked by default.


After checking your browser settings, restart the browser if necessary and visit the website dns-ok.de

On the router
Step 4: Check the router’s network settings
If several computers in one local network are experiencing the potential “DNSChanger“ problems, access your router via web interface. Please refer to the manual of your specific device to see how this access works.

By default, the setting “Obtain an IP address automatically” should be activated. If you can see DNS server addresses at this point, delete those. Restart your router.
Subsequently, open the Windows command-line shell (Start > All Programs > Accessories > Command Prompt) on any PC of the local network. Windows Vista users have to run this command prompt as administrator to make the following instruction work. In the command prompt, type ipconfig /flushdns and execute it by pressing the enter key. This short command empties the system’s DNS cache. Restart your browser if necessary and visit the website dns-ok.de

For security reasons, you should furthermore change your router password immediately. This password change is especially important if you have never changed the factory-set password and also in case you now found settings on your router, which have been made by any unauthorized third party. 


Attention: If the online test or the manual tests presented show your DNS settings are correct, this does not necessarily mean your computer is free from malware! In any case, please conduct regular computer scans with comprehensive and up-to-date antivirus software, e.g. G Data InternetSecurity 2012 with BootCD.
 

You can download the information given in this blog post as a PDF:
G Data SecurityLabs "DNSChanger" Information (English)
G Data SecurityLabs "DNSChanger" Informtaion (German)

General advice

• Use an up-to-date, comprehensive security solution with a virus scanner, firewall, spam filter, http scan and real-time protection. A spam filter, to get rid of unwanted spam, is a must-have, too.
• Always keep your software, browser and operating system up-to-date and regularly install updates to close existing security vulnerabilities.
• Change the factory-set passwords on devices right after configuring those devices.
• If you realize your computer has been infected, change all passwords in use, e.g. for (online) email accounts, online-banking accounts, shopping websites, social networks, instant messengers and many more.

A brief overview about the main topics to come:
One of the emerging issues, which will definitely stay in the focus, is concerning mobile devices. The versatile high-tech devices are common in private and business environments and this makes them an attractive target for attackers. What we have seen so far are social engineering attacks, where users install the infected apps on their devices and this gets them into trouble – they can lose money, device data, personal data, … We expect to see automated attacks, such as drive-by-infections, quite soon, because the mobile devices have so many technical possibilities and some proof of concept exploits were already written.

We also await that attacks against companies and organizations, no matter what size or sector, will increase. The appearance of DuQu, in 2011, has shown that not only high profile industrial facilities are targeted as it was thought of when StuxNet appeared. DuQu can be used in manifold ways to compromise data and/or to infiltrate a network to prepare specialized targeted attacks as a follow up, etc. The possibilities to use the stolen data and critical information are vast – blackmailing, espionage, specialized targeted attacks, sophisticated phishing attacks, etc. 

Furthermore, there are major events taking place in 2012 and we consider them an interesting ground for cyber criminals to use for their means. The European Football Championship and the Olympic Games are among the occasions with the highest public interest and there are several ways how scamsters could arrange traps, e.g. fake online ticket shops, website defacements, attacks at the venue sites and much more.

Another promising attempt to steal money in the past has been the use of banking Trojans and there are no signs of this trend reversing, as the number of online banking users - similar to the number of mobile device users - is constantly on the rise. The banking Trojan malware can be bought quite easily and “composed” individually by the attackers, which makes it such a widespread threat.

Looking at virtual currencies, the G Data SecurityLabs experts see a new possibility of acquisition. We have seen various attacks, phishing and malware, which want to steal e.g. in-game money. But a new method could arise from the use of internet-capable consumer electronics, such as web-enabled TV sets or modern gaming consoles. They could, infected with malware, be used to “mine” virtual currencies in distributed computing projects and more. 


The G Data Report “Trends 2012”
To read the full G Data Report “Trends 2012” with more detailed information on and insights in all of the topics mentioned above, download the report:

The host IP, 91.[REMOVED], is currently not available and therefore we did not get hold of the current counter.php file, yet. According to posts in malware research related forums, a former counter.php-script related to the IP 91.[REMOVED] changed the src attribute, which initially referred to the IP 91.[REMOVED], to direct to the legitimate and popular jquery resource. Furthermore, the .php-script removes the manipulated script injected from the DOM (Document Object Model). This entails, that an analysis of this webpage, with the browser’s JavaScript functions enabled, shows no signs of malicious or suspicious code – all tracks are deleted locally, on the visiting machine. But, the HTML code on the web server remains infected and therefore still potentially dangerous for all visitors.

The attackers can adjust the counter.php file to their needs and can include commands to download and install malware or redirect visitors to malicious websites or anything else.

Regarding the given WHOIS information, the server hosting counter.php is/was located in Russia and the exact same IP has been involved in the so-called TimThumb attack, earlier this year. TimThumb is a plug-in for the content management system Wordpress and suffered from a zero day vulnerability which has subsequently been exploited.

The G Data security solutions detect the mentioned script as JS:Downloader-AZF [Trj].

What Wordpress users can do now
By now, we cannot verify whether the infections result from a vulnerability in any of the Wordpress plug-ins installed in the case seen, the Wordpress CMS itself or a password hack (e.g. an automatic attack). But we can definitely advise you to do the following in case you are using a Wordpress page: 

• Update your content management system to the latest version!
• Update all of the plug-ins you are using in this CMS and delete plug-ins you are not using!
• Change your CMS passwords!
  
  
• If you suffered from the above mentioned code injection, delete all of the malicious scripts and update the aforementioned components!

They want to lure the potential victims to a website they prepared themselves. The website’s domain is, again, very similar to the original. The chance to miss the small alteration is very high.

We can speculate what the attackers had in mind and can imagine two possible scenarios:

1. The attackers prepared a convincing replica of the tintencenter.com website to phish further data. Prime targets would be the login credentials to the site and the customers’ bank account details or credit card data. If the attackers can get hold of this information they can compose a whole identity and use it for further fraud.
2. The attackers prepared their own website and try to infect the visitors’ computers with any kind of malware by exploiting vulnerabilities on the machines.

What you, as a customer of tintencenter.com, can do now:
You might have received or maybe will receive order confirmations or invoices, allegedly sent by tintencenter.com, for goods you haven’t actually ordered – as described above. The attackers might also use your personal data to send you spam messages labeled with any other company’s name. Insurance spam messages and similar ones are a quite common consequence of this kind of data leak.

• If you receive an email from a shop/service you have never used, ignore the email, delete it, but under no circumstances open attachments or click on URLs.
• Never disclose any personal information and/or bank data - either via e-mail or on dubious websites.
• Never transfer money to an unknown person.
• As a preventive measure, change your login credentials on the original tintencenter.com website.
• Enter website addresses with user logins manually or use your browser's Favourites function.

If you want to read more about the scamsters’ tricks regarding emails, feel free to read our G Data Whitepaper about “dangerous emails”, currently available in German, French, Dutch and Italian - more translations coming soon.