Hello, welcome to the Tuesday, April 25th, 2017 edition of the Sands and the Storms anders Stormcast. My name is Johannes Ulrich.

Android, I'm recording from Jacksonville, Florida. In a blog post, Trent Micro is reporting that it found a new

version of Android malware that it calls Milky Door. Now, Milky Door appears to be a more

modern version of what used to be known as Trescode, according to Trent Micro's nomenclature.

But what these two pieces of malware have in common is that they use the Android device as a proxy.

So this way, an Android device that's, for example, connected to a corporate Wi-Fi network

may be used to infiltrate that network from the outside.

In order to build the back doors that are being used by this malware

milky door does use the S.H protocol. S.H, of course, isn't so far attractive that it's

built into Android. It's also encrypted, so makes it a little bit more difficult to investigate what's

actually happening. And some firewalls do let Port 22 ZH traffic pass. Trend Micro did not post

any packet captures as far as I can tell, but I would expect that the malware is using the standard

Android ZH client. And so far, you wouldn't be able to tell apart a connection established

by the Trojan from a connection established by a normal user. Another thing to look for that doesn't just apply to this particular piece

of malware is always lookups for GOIP location services. A lot of malware is using that to get more

information about the victim and typically you don't have a lot of users that use these services in your network.

Well, and if you're using the popular open source webmail package, Squirrel Mail,

I would have told you that it is time to patch and urgently time to patch,

but sadly I can't because there is no patch available for a remote code

execution vulnerability that was disclosed last Wednesday actually with sufficient detail

to easily reproduce and create the exploit.

I was just looking at the Squirrel Mail website and the last announcement here was from

...