Malware whitelisted by Chinese antivirus after third-party bribes

Cyber criminals have managed to hide their malware under the cover of a popular Chinese antivirus product, after they allegedly bribed the staff of a third-party gaming company to include the malicious code within their legitimate apps.

According to Check Point Software, IT security company Qihoo 360 unintentionally whitelisted malware as part of the complex cyber attack.

Feixiang He, a security researcher with the Check Point research team, said the criminals bribed employees of a Chinese gaming company into including their malware among the legitimate apps it sent to Qihoo 360.

“These apps passed Qihoo's inspection and were whitelisted, allowing them and the contraband malware to run on machines protected by the widespread and free anti-virus solution offered by Qihoo for mobile and PC. Once this phase was complete, the attackers could initiate their true malicious activity,” Feixiang He said.

Criminals would then would disguise themselves as customers of the popular Chinese eBay clone Taobao.com. These criminals initiate the purchase by sending a picture of an item they want to buy back to the buyer using Aliwanwang, an instant messaging app. But the picture would be injected with a whitelisted trojan using steganography techniques.

The seller would open the picture on a PC and become infected because the trojan would not be detected by Qihoo anti-virus. The seller then validates the purchase and requests payment via Alipay, Aliwanwang's payment platform.

“The attacker would then request a refund from the seller, requiring the seller to log in to their Alipay account. The trojan would then keylog their credentials, allowing the attacker to steal money from the seller's account," He said.

The security researcher said many AVs use a whitelist approach to avoid false positive detection, “but the way these whitelists are generated [mean], like as we saw in the Qihoo 360 case, they can be compromised”.

“If malware can be installed on machines protected by Qihoo and can infiltrate into its own app store, this example illustrates how important it is to avoid third-party stores and to instead at least rely on stores with more reliable security,” he said.

Chris Boyd, malware intelligence analyst at Malwarebytes, said the focus should be on what checks and safety nets the gaming company has in place to ensure rogue code or files aren't shipped out to the general public.

“This could be difficult to stamp out if the company is made up of a handful of people and, when something like this can happen, it does raise the possibility that people will tolerate the occasional false positive if it means they don't get caught by something along these lines,” Boyd said.

“A layered approach to security means there's more chance of stopping something which gets past the initial point of entry, but the threat to businesses is likely to be low in this case, as there can't be too many running random Chinese gaming apps on the network.

"Having said that, any company may have people willing to take a short term gain from a criminal, which is why it is so essential to have a rigorous testing and vetting process in place.”

David Kennerley, senior manager for threat research at Webroot, said the attack on Qihoo 360 shows how creative cyber criminals are and how the industry needs to be fully aware of their techniques.

“Each application whitelist request should be evaluated on its own merits, independently of previously certified offerings, company relationships or politics,” Kennerley said.

“Application whitelisting doesn't always involve code analysis as we have seen previously in the PC world, with malware being whitelisted due to trusted code signing certificates becoming compromised.”

This article originally appeared at scmagazineuk.com