Photo.zip – Stolen nude photos and police investigations

Cybercriminals are attempting to infect the computers of internet users via a spammed-out email that has a malware-infected file attached. Computer users are being warned to be wary of email messages which suggest they contain nude photographs of girlfriends, or claim that the recipient has been reported to the police, as the attached file (Photo.zip) really contains a Trojan horse.
There are many different subject lines being used in the malware campaign, including:

  • These pictures should be taken down immediately.
  • You can’t say I haven’t warned you now enjoy the consequences.
  • The police investigation is under way now. You’ll be really sorry about what you have done.
  • The criminal investigation against you has started. Grave privacy violation is a serious thing.

Here are some examples of what the emails look like, each with a file called Photo.zip attached.
Subject: Let’s put this behind us once and for all I know you broke into my email.
Message body: Hate to bother you I have a proof that you broke into my email and stole my private photos and financial information. It can be clearly seen in the files attached to this message. If you don’t respond within 48 hours I will have to report you.

Subject: How can you be so cruel to me? I’ll have to react and destroy you.
Message body: Hate to bother you This is quite crazy but someone sent me a nude picture of your girlfriend. Is seems to be her in attachent right? We’ll have to track down the bastard who do it I can help you!

Subject: Your private photos are there for anyone to see. why??
Message body: Sorry to disturb you Someone sent me thee pictures they seem to be from you and your boyfriend I’m really troubled by this why do you send your private naked photos around?? this is beyound my understanding. It’s in attachment

Subject: I can assure you you’re in deep sh*t now over those photos. You know what I mean.
Message body: Hello there I got to admint your GF has a nice butt:) I just don’t know how these photos leaked online. I don’t think your GF in in adult business isn’t she?? anyway I received this picture from three of mine FB buddies today. It’s in attachment

Subject: You’ll reap just what you sow! You’ll be really sorry about what you’ve done to me.
Message body: Hello I always considered you to be my buddy but after that I’ll have to try to destroy you. You ruined my life! Why did you have to put these photos online?? I reported you to the police check the attachment

Subject: This has the potential to ruin you completely.
Message body: Hate to bother you This is quite crazy but someone sent me a nude picture of your girlfriend. Is seems to be her in attachent right? We’ll have to track down the bastard who did it I can help you!

You can just imagine how some folks would react if they received one of these emails. Many would probably open the attachment – either out of curiosity or concern – and could end up having their Windows computer infected as a result.

Please remember to always be suspicious of unsolicited emails, and keep your security software updated.

Library file in certain Android apps connects to C&C servers

Trend Micro has uncovered certain Android apps (detected as ANDROIDOS_BOTPANDA.A) containing a malicious library file which, when executed, turns the infected device into a zombie that connects to specific command and control (C&C) servers. What is also noteworthy about this file is that it hides its routines in the dynamic library, making it difficult to analyze.

The malicious library libvadgo contained in ANDROIDOS_BOTPANDA.A was developed with the NDK and is loaded through the Java Native Interface. The NDK is a toolset used by would-be Android developers to create apps. ANDROIDOS_BOTPANDA.A contains the file com.airpuh.ad/UpdateCheck, which loads the libvadgo library and calls the Java_com_airpuh_ad_UpdateCheck_dataInit function using the following code:

Based on our analysis, one of the noteworthy routines of Java_com_airpuh_ad_UpdateCheck_DataInit is that it verifies whether an infected device is rooted by checking for the file /system/xbin/su. If found, it executes /system/xbin/su and then runs the commands below through /system/xbin/su:

Java_com_airpuh_ad_UpdateCheck_DataInit also executes the .e[int_a]d file, which is removed after several minutes. The first thing the .e[int_a] file does is check for the existence of /system/lib/libd1.so, replace files, and hook some important system commands (rm, move, mount, ifconfig, chown) under system/xbin/ by creating correspondingly named files under system/bin/, in order to hinder detection and cleanup. All of the created files are duplicates of system/lib/lib1.so. It also modifies system/bin/svc by adding a malicious line to it so that the malicious code is launched automatically.

The .e[int_a]d file also performs the malware's main routine, which is to communicate with the C&C servers ad.{BLOCKED}ew.com, ad.{BLOCKED}o8.com and ad.{BLOCKED}8.com through port 8511. These servers, however, were already down during our analysis, so we could not confirm the exact commands it performs on the infected device.

As mentioned previously, what makes this threat noteworthy is ANDROIDOS_BOTPANDA.A's use of the dynamic library libvadgo.so. This type of malware hides its malicious routines in that dynamic library, making it hard to analyze. It also kills certain processes, hooks important system commands, and replaces files to make detection and removal difficult. If more Android malware uses this technique in the future, delivering analysis and solutions will prove challenging for security experts.

This malware also runs only on rooted devices, so it is likely to spread through third-party app stores. ANDROIDOS_BOTPANDA.A is another reason why users are advised to be cautious when downloading apps, specifically those from third-party app stores.

To know more about how to better protect yourself from Android-OS specific threats, you may refer to our digital life e-guides below:

When Android Apps Want More Than They Need

5 Ways to Secure Your Android-Based Smartphones

Update as of June 12, 2012, 3:15 AM PST
Trend Micro protects users from this threat via Mobile Security Personal Edition, which detects the apps that contain this malicious library file.

To determine whether a device is infected, users should look at the application's files, in particular the folder /system/lib, and check for the file libd1.so. Users can also look at the svc file in /system/bin and check whether it contains the line /system/bin/ifconfig, which indicates that the device is infected.
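The two manual checks above, plus the hooked-command copies described earlier, can be scripted. The script below is an added example, not Trend Micro's own tooling; it takes the mount point of an Android filesystem as ROOT (for example "/" from an adb shell on a rooted device, or an extracted system image on a workstation) and assumes the hooked command files are byte-identical copies of the dropped library, which the write-up names libd1.so in the detection note (it is spelled lib1.so once in the analysis).

```shell
#!/bin/sh
# Scan an Android filesystem tree for the ANDROIDOS_BOTPANDA.A indicators
# given in the write-up. Prints one line per indicator found; returns 1 if
# anything was found and 0 if the tree looks clean.
botpanda_scan() {
    root="${1:-/}"
    found=0
    lib="$root/system/lib/libd1.so"

    # Indicator 1: the dropped library itself.
    if [ -f "$lib" ]; then
        echo "FOUND dropped library: $lib"
        found=1
    fi

    # Indicator 2: the persistence line added to /system/bin/svc.
    svc="$root/system/bin/svc"
    if [ -f "$svc" ] && grep -q '/system/bin/ifconfig' "$svc"; then
        echo "FOUND persistence line in $svc"
        found=1
    fi

    # Indicator 3: hooked commands. The malware drops copies of its library
    # under system/bin/ named after the commands it hooks. A legitimate
    # build's rm/mount/ifconfig/chown are toolbox or busybox links, so any
    # of these names whose content equals the dropped library is a hook
    # (assumption: byte-identical copies, as the analysis describes).
    for cmd in rm move mount ifconfig chown; do
        f="$root/system/bin/$cmd"
        if [ -f "$lib" ] && [ -f "$f" ] && cmp -s "$lib" "$f"; then
            echo "FOUND hooked command (copy of libd1.so): $f"
            found=1
        fi
    done
    return $found
}

# Usage: sh botpanda_scan.sh [ROOT]
if [ $# -gt 0 ]; then
    botpanda_scan "$1"
fi
```

Run it against an extracted image first; on a live device the ifconfig and mount hooks mean the system's own commands can no longer be trusted, so collect the image with adb pull rather than with tools on the device.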

As always, if you have any questions, we are here!