Posts Tagged ‘malware’

Dangerous Linux Trojan could be sign of things to come

Friday, August 16th, 2013

‘Hand of Thief’ Trojan specifically targets Linux but operates a lot like similar malware that targets Windows machines

Desktop Linux users accustomed to a relatively malware-free lifestyle should become more vigilant in the near future — a researcher at RSA has detailed the existence of the “Hand of Thief” Trojan, which specifically targets Linux.

According to cyber intelligence expert Limor Kessem, Hand of Thief operates a lot like similar malware that targets Windows machines — once installed, it steals information from web forms, even if they’re using HTTPS, creates a backdoor access point into the infected machine, and attempts to block off access to anti-virus update servers, VMs, and other potential methods of detection.

Hand of Thief is currently being sold in “closed cybercrime communities” for $2,000, which includes free updates, writes Kessem. However, she adds, the upcoming addition of new web injection attack technology will push the price to $3,000, and introduce a $550 fee for major version updates.

“These prices coincide with those quoted by developers who released similar malware for the Windows OS, which would make Hand of Thief relatively priced way above market value considering the relatively small user base of Linux,” she notes.

Getting Linux computers infected in the first place, however, could be more problematic for would-be thieves — Kessem says the lack of exploits targeting Linux means that social engineering and email are the most likely attack vectors, citing a conversation with Hand of Thief’s sales agent.

Kessem also says that growth in the number of desktop Linux users — prompted, in part, by the perceived insecurity of Windows — could potentially herald the arrival of more malware like Hand of Thief, as the number of possible targets grows.

Historically, desktop Linux users have been more or less isolated from the constant malware scares that plague Windows, which is at least partially a function of the fact that their numbers represent a tiny fraction of the Windows install base.

Users of Linux-based Android smartphones, however, have become increasingly tempting targets for computer crime — and with the aforementioned growth in desktop users, the number of threats may increase even further.

Source:  infoworld.com

FBI, Microsoft takedown program blunts most Citadel botnets

Friday, July 26th, 2013

Microsoft estimates that 88% of botnets running the Citadel financial malware were disrupted as a result of a takedown operation launched by the company in collaboration with the FBI and partners in technology and financial services. The operation was originally announced on June 5.

Since then, almost 40% of Citadel-infected computers that were part of the targeted botnets have been cleaned, Richard Domingues Boscovich, an assistant general counsel with Microsoft’s Digital Crimes Unit, said Thursday in a blog post.

Microsoft did not immediately respond to an inquiry seeking information about how those computers were cleaned and the number of computers that remain infected with the malware.

However, Boscovich said in a different blog post on June 21 that Microsoft observed almost 1.3 million unique IP addresses connecting to a “sinkhole” system put in place by the company to replace the Citadel command-and-control servers used by attackers.

After analyzing unique IP addresses and user-agent information sent by botnet clients when connecting to the sinkhole servers, the company estimated that more than 1.9 million computers were part of the targeted botnets, Boscovich said at the time, noting that multiple computers can connect through a single IP address.

He also said that Microsoft was working with other researchers and anti-malware organizations like the Shadowserver Foundation in order to support victim notification and remediation.

The Shadowserver Foundation is an organization that works with ISPs, as well as hosting and Domain Name System (DNS) providers to identify and mitigate botnet threats.

According to statistics released Thursday by Boscovich, the countries with the highest number of IP addresses corresponding to Citadel infections between June 2 and July 21 were: Germany with 15% of the total, Thailand with 13%, Italy with 10%, India with 9% and Australia and Poland with 6% each. Five percent of Citadel-infected IP addresses were located in the U.S.

Boscovich praised the collaboration between public and private sector organizations to disrupt the Citadel botnet.

“By combining our collective expertise and taking coordinated steps to dismantle the botnets, we have been able to significantly diminish Citadel’s operation, rescue victims from the threat, and make it more costly for the cybercriminals to continue doing business,” he said Thursday in the blog post.

However, not everyone in the security research community was happy with how the takedown effort was implemented.

Shortly after the takedown, a security researcher who runs the abuse.ch botnet tracking services estimated that around 1,000 of approximately 4,000 Citadel-related domain names seized by Microsoft during the operation were already under the control of security researchers who were using them to monitor and gather information about the botnets.

Furthermore, he criticized Microsoft for sending configuration files to Citadel-infected computers that were connecting to its sinkhole servers, saying that this action implicitly modifies settings on those computers without their owners’ consent. “In most countries, this is violating local law,” he said in a blog post on June 7.

“Citadel blocked its victims’ ability to access many legitimate anti-virus and anti-malware sites in order to prevent them from being able to remove the malware from their computer,” Boscovich said on June 11 in an emailed statement. “In order for victims to clean their computers, the court order from the U.S. District Court for the Western District of North Carolina allowed Microsoft to unblock these sites when computers from around the world checked into the command and control structure for Citadel which is hosted in the U.S.”

Source:  computerworld.com

Report: Markets at risk due to cyberattacks against exchanges

Thursday, July 18th, 2013

Survey finds more than half of the world’s financial exchanges fell victim to some kind of cyberattack in the last year

A new report from the Research Department of the International Organization of Securities Commissions (IOSCO) and the World Federation of Exchanges (WFE) Office says that cybercrime within the securities markets can be considered a potentially systemic risk.


A joint study, published by the IOSCO and the WFE, examines how cybercrime is evolving, and what kind of threat it poses to the world’s markets. In a survey of 46 financial exchanges, 53 percent of them reported experiencing some kind of cyberattack in the last year. As such, the study’s authors say that cybercrime within the securities markets can be considered a potentially systemic risk, a notion that a majority of the exchanges surveyed agreed with.

Based on the responses sent by the exchanges, most of the attacks that have been experienced are disruptive in nature, such as DDoS attacks that seek to prevent access to websites and networks. Otherwise they are malware-related. It should be noted that financial theft didn’t show up in any of the responses. These responses, the report notes, suggest a shift away from financial gain and towards more disruptive aims.

In addition, the report also says there is “a high level of awareness of the threat across exchanges surveyed.” Accordingly, 93 percent of the exchanges responded that cyber threats are discussed and understood by senior management, and the same proportion also confirmed that there are disaster recovery plans in place to deal with the aftermath of an attack. All of them reported that they’d be able to identify a cyberattack within 48 hours.

Overall, the report shows that while exchanges are highly aware of the risks they face, the full extent of the threat remains unknown.

“One way to overcome this uncertainty and still engage with cybercrime is to envision and list potential factors and scenarios where cybercrime could have the most devastating impacts and then mould responses to best engage with those factors, effectively minimizing opportunities for cyber attacks to manifest systemic consequences,” the report concludes.

One thing that a majority of the respondents confirmed was the fear that the potential impact of a major cyberattack could affect confidence and reputation, followed by integrity and efficiency, and financial stability. Thus, a broader and more robust system-wide response to the issue is needed.

Source:  csoonline.com

Espionage malware infects raft of governments, industries around the world

Friday, June 7th, 2013


“NetTraveler” stole data on space exploration, nanotechnology, energy, and more.

Security researchers have blown the whistle on a computer-espionage campaign that over the past eight years has successfully compromised more than 350 high-profile targets in 40 countries.

“NetTraveler,” named after a string included in an early version of the malware, has targeted a number of industries and organizations, according to a blog post published Tuesday by researchers from antivirus provider Kaspersky Lab. Targets include oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies, military contractors, and Tibetan/Uyghur activists. Most recently the group behind NetTraveler has focused most of its efforts on obtaining data concerning space exploration, nanotechnology, energy production, nuclear power, lasers, medicine, and communications.

“Based on collected intelligence, we estimate the group size to be about 50 individuals, most of which speak Chinese natively and have working knowledge of the English language,” the researchers wrote. “NetTraveler is designed to steal sensitive data as well as log keystrokes and retrieve file system listings and various Office and PDF documents.”

The highest number of infections were found in Mongolia, followed by India and Russia. Other countries with infections include Kazakhstan, Kyrgyzstan, Tajikistan, South Korea, Spain, Germany, the United States, Canada, the United Kingdom, Chile, Morocco, Greece, Belgium, Austria, Ukraine, Lithuania, Belarus, Australia, Hong Kong, Japan, China, Iran, Turkey, Pakistan, Thailand, Qatar, and Jordan. The earliest known samples of the malware are dated to 2005, but there are references that indicate it existed as early as 2004, Kaspersky said. The largest number of observed samples were created from 2010 to 2013.

Six of the NetTraveler victims were also compromised by Red October, the much larger espionage campaign that went undetected for five years. With more than 1,000 distinct modules, the operators were able to craft highly advanced infections that were tailored to the unique configurations of infected machines and the profiles of those who used them.

For a much deeper dive into NetTraveler, see the full Kaspersky report.

Source:  arstechnica.com

Malware that drains your bank account thriving on Facebook

Monday, June 3rd, 2013

In case you needed further evidence that the White Hats are losing the war on cybercrime, a six-year-old so-called Trojan horse program that drains bank accounts is alive and well on Facebook.

Zeus is a particularly nasty Trojan horse that has infected millions of computers, most of them in the United States. Once Zeus has compromised a computer, it stays dormant until a victim logs into a bank site, and then it steals the victim’s passwords and drains the victim’s accounts. In some cases, it can even replace a bank’s Web site with its own page in order to get even more information, such as a Social Security number, that can be sold on the black market.

The Trojan, which was first detected in 2007, is only getting more active. According to researchers at the security firm Trend Micro, incidents of Zeus have risen steadily this year and peaked in May. Eric Feinberg, founder of the advocacy group Fans Against Kounterfeit Enterprise (FAKE), has noticed an uptick in Zeus-serving malicious links on popular N.F.L. Facebook fan pages such as one created by a group called “Bring the N.F.L. To Los Angeles.”

Mr. Feinberg said he had noticed an increase in such pages and malicious links in recent weeks. He sent those links to Malloy Labs, a security lab, which confirmed that the links on these pages were serving up Zeus malware. The malware was being hosted from computers known to be controlled by a Russian criminal gang known as the Russian Business Network, which has been linked to various online criminal activities, ranging from malware and identity theft to child pornography.

Mr. Feinberg said he has tried to alert Facebook to the problem, with increased urgency, but wasn’t satisfied with their response. A Facebook spokesman directed this reporter to a previous Facebook statement reminding users that it actively scans for malware and offering users the opportunity to enroll in self-remediation procedures such as a “Scan-And-Repair malware scan” that can scan for and remove malware from their devices.

Mr. Feinberg said that after-the-fact approach was hardly sufficient. “If you really want to hack someone, the easiest place to start is a fake Facebook profile; it’s so simple, it’s stupid.”

“They’re not listening,” Mr. Feinberg added. “We need oversight on this.”

Source:  nytimes.com

Microsoft warns of new Trojan hijacking Facebook accounts

Tuesday, May 14th, 2013

Malware focusing on the social network’s users in Brazil masquerades as a legitimate Google Chrome extension and Firefox add-on.

Microsoft has issued a warning that a new piece of malware masquerading as a Google Chrome extension and Firefox add-on is making the rounds, threatening to hijack Facebook accounts.

First detected in Brazil, Trojan:JS/Febipos.A attempts to keep itself updated, just like normal, legitimate browser extensions, Microsoft noted in a security bulletin late Friday.

Once downloaded, the Trojan monitors whether the infected computer is logged into a Facebook account and attempts to download a config file that includes a list of commands for the browser extension. The malware can then perform a variety of Facebook actions, including liking a page, sharing, posting, joining a group, and chatting with the account holder’s friends.

Some variants of the malware include commands to post provocative messages written in Portuguese that contain links to other Facebook pages. The number of likes and shares on one such page grew while malware experts at Microsoft were analyzing the Trojan, suggesting that the infections are continuing to occur.

Microsoft did not indicate how the malware installs itself or how many infections might have occurred.

“There may be more to this threat because it can change its messages, URLs, Facebook pages and other activity at any time. In any case, we recommend you always keep your security products updated with the latest definitions to help avoid infection,” Microsoft wrote in the bulletin.

So while the malware appears to be designed to target users in Brazil — where Portuguese is the dominant language — Microsoft concluded that the Trojan could easily be modified to target users in other regions.

Source:  CNET

Attack hitting Apache websites is invisible to the naked eye

Monday, April 29th, 2013

Newly discovered Linux/Cdorked evades detection by running in shared memory.

Ongoing exploits infecting tens of thousands of reputable sites running the Apache Web server have only grown more powerful and stealthy since Ars first reported on them four weeks ago. Researchers have now documented highly sophisticated features that make these exploits invisible without the use of special forensic detection methods.

Linux/Cdorked.A, as the backdoor has been dubbed, turns Apache-run websites into platforms that surreptitiously expose visitors to powerful malware attacks. According to a blog post published Friday by researchers from antivirus provider Eset, virtually all traces of the backdoor are stored in the shared memory of an infected server, making it extremely hard for administrators to know their machine has been hacked. This gives attackers a new and stealthy launchpad for client-side attacks included in Blackhole, a popular toolkit in the underground that exploits security bugs in Oracle’s Java, Adobe’s Flash and Reader, and dozens of other programs used by end users. There may be no way for typical server admins to know they’re infected.

“Unless a person really has some deep-dive knowledge on the incident response team, the first thing they’re going to do is kill the evidence,” Cameron Camp, a security researcher at Eset North America, told Ars. “If you run a large hosting company you’re not going to send a guy in who’s going to do memory dumps, you’re going to go on there with your standard tool sets and destroy the evidence.”

Linux/Cdorked.A leaves no traces of compromised hosts on the hard drive other than its modified HTTP daemon binary. Its configuration is delivered by the attacker through obfuscated HTTP commands that aren’t logged by normal Apache systems. All attacker-controlled data is encrypted. Those measures make it all but impossible for administrators to know anything is amiss unless they employ special methods to peer deep inside an infected machine. The backdoor analyzed by Eset was programmed to receive 70 different encrypted commands, a number that could give attackers fairly granular control. Attackers can invoke the commands by manipulating the URLs sent to an infected website.

“The thing is receiving commands,” Camp said. “That means that suddenly you have a new vector that is difficult to detect but is receiving commands. Blackhole is a tricky piece of malware anyway. Now suddenly you have a slick delivery method.”

In addition to hiding evidence in memory, the backdoor is programmed to mask its malicious behavior in other ways. End users who request addresses that contain “adm,” “webmaster,” “support,” and similar words often used to denote special administrator webpages aren’t exposed to the client exploits. Also, to make detection harder, users who have previously been attacked are not exposed in the future.

It remains unclear what the precise relationship is between Linux/Cdorked.A and Darkleech, the Apache plug-in module conservatively estimated to have hijacked at least 20,000 sites. It’s possible they’re the same module, different versions of the same module, or different modules that both expose end users to Blackhole exploits. It also remains unclear exactly how legitimate websites are coming under the spell of the malicious plugins. While researchers from Sucuri speculate it takes hold after attackers brute-force the secure-shell access used by administrators, a researcher from Cisco Systems said he found evidence that vulnerable configurations of the Plesk control panel are being exploited to spread Darkleech. Other researchers who have investigated the ongoing attack in the past six months include AV provider Sophos and those from the Malware Must Die blog.

The malicious Apache modules are proving difficult to disinfect. Many of the modules take control of the secure shell mechanism that legitimate administrators use to make technical changes and update content to a site. That means attackers often regain control of machines that are only partially disinfected. The larger problem, of course, is that the highly sophisticated behavior of the infections makes them extremely hard to detect.

Eset researchers have released a tool that can be used by administrators who suspect their machine is infected with Linux/Cdorked.A. The free Python script examines the shared memory of a server running Apache and looks for commands issued by the stealthy backdoor. Eset’s cloud-based Livegrid system has already detected hundreds of servers that are infected. Because Livegrid works only with a small percentage of machines on the Internet, the number of compromised Apache servers is presumed to be much higher.

Source:  arstechnica.com

Malware found scattered by cyber espionage attacks

Monday, April 29th, 2013


Researchers following a cyberespionage campaign apparently bent on stealing drone-related technology secrets have found additional malware related to the targeted attacks. FireEye researchers have been tracking so-called “Operation Beebus” for months, but only last week reported the connection to unmanned aircraft often used in spying. Drones have also been used by the Obama administration to assassinate leaders of the Al-Qaeda terrorist group.

Malware linked to spying

FireEye researcher James Bennett, who was the first to make the drone connection, said last week that he has found two new malware samples associated with the attack, bringing the total to four.

The first two were versions of the same malware called Mutter. The new malware includes one that uses the same custom encryption scheme, but a different command-and-control protocol. The fourth malware is completely different from Mutter, but uses the same C&C infrastructure.

Bennett has yet to fully analyze the new malware, which he hopes will provide “more threads to follow.”

Operation Beebus is a cyberespionage campaign that FireEye has linked to the infamous Comment Crew, which security firm Mandiant has identified as a secret unit of China’s People’s Liberation Army. The hacker group attempts to steal information from international companies and foreign governments.

Bennett reported in a blog last week that he had uncovered evidence of cyberattacks against a dozen organizations in the U.S. and India. The attacks against academia, government agencies, and the aerospace, defense and telecommunication industries targeted individuals knowledgeable in drone technology.

The spear-phishing campaign included sending email that contained decoy documents meant to trick recipients into clicking on the file, which would download the malware. One such document was an article about Pakistan’s unmanned aerial vehicle industry written by Aditi Malhotra, an Indian writer and associate fellow at the Centre for Land Warfare Studies in New Delhi.

How it worked

Once downloaded, the Mutter malware opened a backdoor to the infected systems in order to receive instructions from C&C servers and to send stolen information. To avoid detection, Mutter is capable of remaining dormant for long periods of time, so that it will eventually be categorized as benign by malware analysis systems.

Despite the exposure, Operation Beebus is still active, although its infrastructure has changed. All but one of the domain names studied by Bennett are no longer in use, but several IP addresses are still active, probably being used with other domains.

“We are still seeing active communications going out with this Mutter malware, so we do know that it’s still going,” Bennett said.

One in five data breaches are the result of cyberespionage campaigns, according to the latest study by Verizon. More than 95 percent of cases originated from China, with targets showing an almost fifty-fifty split between large and small organizations.

Source:  pcworld.com


Ongoing malware attack targeting Apache hijacks 20,000 sites

Tuesday, April 2nd, 2013

Mysterious “Darkleech” exposes visitors to potent malware exploits.

Tens of thousands of websites, some operated by The Los Angeles Times, Seagate, and other reputable companies, have recently come under the spell of “Darkleech,” a mysterious exploitation toolkit that exposes visitors to potent malware attacks.

The ongoing attacks, estimated to have infected 20,000 websites in the past few weeks alone, are significant because of their success in targeting Apache, by far the Internet’s most popular Web server software. Once it takes hold, Darkleech injects invisible code into webpages, which in turn surreptitiously opens a connection that exposes visitors to malicious third-party websites, researchers said. Although the attacks have been active since at least August, no one has been able to positively identify the weakness attackers are using to commandeer the Apache-based machines. Vulnerabilities in Plesk, Cpanel, or other software used to administer websites are one possibility, but researchers aren’t ruling out the possibility of password cracking, social engineering, or attacks that exploit unknown bugs in frequently used applications and OSes.

Researchers also don’t know precisely how many sites have been infected by Darkleech. The server malware employs a sophisticated array of conditions to determine when to inject malicious links into the webpages shown to end users. Visitors using IP addresses belonging to security and hosting firms are passed over, as are people who have recently been attacked or who don’t access the pages from specific search queries. The ability of Darkleech to inject unique links on the fly is also hindering research into the elusive infection toolkit.

“Given that these are dynamically generated, there would be no viable means to do a search to ferret them out on Google, etc.,” Mary Landesman a senior security researcher for Cisco Systems’ TRAC team, told Ars. “Unfortunately, the nature of the compromise coupled with the sophisticated conditional criteria presents several challenges.”

The injected HTML iframe tag is usually constructed as IP address/hex/q.php. Sites that deliver such iframes that aren’t visible within the HTML source are likely compromised by Darkleech. Special “regular expression” searches such as this one helped Landesman ferret out reported iframes used in these attacks. Note that while the iframe reference is formed as IP/hex/q.php, the malware delivery is formed as IP/hex/hex/q.php.
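As an added example that is not from the article or from Cisco’s research, the following Python script applies the iframe pattern described above (IP/hex/q.php for the injected reference, IP/hex/hex/q.php for the delivery URL) to saved HTML and reports whether each matching frame is styled so a visitor would never see it. The HTML page, IP addresses and hex segments are constructed sample values.

```python
import re
from dataclasses import dataclass

# Darkleech iframe URLs as described in the article:
#   reference: http://<IPv4>/<hex>/q.php
#   delivery:  http://<IPv4>/<hex>/<hex>/q.php
_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
DARKLEECH_URL_RE = re.compile(
    rf"^https?://(?P<ip>{_IPV4})/(?P<path>[0-9a-f]+(?:/[0-9a-f]+)?)/q\.php$",
    re.IGNORECASE,
)
IFRAME_RE = re.compile(r"<iframe\b(?P<attrs>[^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))')


@dataclass
class Finding:
    src: str
    ip: str
    kind: str      # "reference" (IP/hex/q.php) or "delivery" (IP/hex/hex/q.php)
    hidden: bool   # styled or sized so the frame is invisible to the visitor


def classify_url(url):
    """Return 'reference', 'delivery' or None for a URL; usable on log entries too."""
    m = DARKLEECH_URL_RE.match(url.strip())
    if not m:
        return None
    return "delivery" if "/" in m.group("path") else "reference"


def _parse_attrs(attr_text):
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    # Zero-sized frames are the other common way an injected iframe is hidden.
    try:
        if int(attrs.get("width", "1")) == 0 or int(attrs.get("height", "1")) == 0:
            return True
    except ValueError:
        pass  # e.g. width="0px"; fall through to the off-screen check
    return "position:absolute" in style and ("left:-" in style or "top:-" in style)


def find_darkleech_iframes(html):
    """Scan HTML for iframes whose src matches the Darkleech URL shape."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = _parse_attrs(m.group("attrs"))
        src = attrs.get("src", "")
        u = DARKLEECH_URL_RE.match(src)
        if not u:
            continue
        findings.append(Finding(src=src, ip=u.group("ip"),
                                kind=classify_url(src), hidden=_is_hidden(attrs)))
    return findings


# Constructed sample page: one legitimate embed, one hidden injected reference,
# one zero-sized delivery frame, and one IP-hosted frame that does not match.
SAMPLE_HTML = """<html><body>
<p>Constructed sample page.</p>
<iframe src="https://www.example.com/embed/video" width="560" height="315"></iframe>
<iframe src="http://198.51.100.23/3a7f9c/q.php" style="visibility: hidden; position: absolute; left: -1000px" width="1" height="1"></iframe>
<iframe src="http://198.51.100.23/3a7f9c/b2e1d0/q.php" width="0" height="0"></iframe>
<iframe src="http://203.0.113.5/static/player.php" width="300" height="200"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_darkleech_iframes(SAMPLE_HTML):
        print(f"{f.kind:9s} hidden={f.hidden!s:5s} ip={f.ip} src={f.src}")
```

The script is a triage aid only: a matching hidden iframe is a strong indicator, but because Darkleech serves the injection conditionally, a clean page fetched from a researcher’s address does not prove a server is uninfected.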

In active development

With the help of Cisco Security Engineer Gregg Conklin, Landesman observed Darkleech infections on almost 2,000 Web host servers during the month of February and the first two weeks of March. The servers were located in 48 countries, with the highest concentrations in the US, UK, and Germany. Assuming the typical webserver involved hosted an average of 10 sites, that leaves the possibility that 20,000 sites were infected over that period. The attacks were documented as early as August on researcher Denis Sinegubko’s Unmask Parasites blog. They were observed infecting the LA Times website in February and the blog of hard drive manufacturer Seagate last month, an indication the attacks are ongoing. Landesman said the Seagate infection affected media.seagate.com, which was hosted by Media Temple, began no later than February 12, and was active through March 18. Representatives for both Seagate and the LA Times said the sites were disinfected once the compromises came to light.

“I regularly receive e-mails and comments to my blog posts about new cases,” Sinegubko told Ars last week. “Sometimes it’s a shared server with hundreds or thousands of sites on it. Sometimes it’s a dedicated server with some heavy-traffic site.”

Referring to the rogue Apache modules that are injected into infected sites, he added, “Since late 2012 people have sent me new versions of the malicious modules, so this malware is in active development, which means that it pays off well and the number of infected servers can be high (especially given the selectivity of the malware that prefers to stay under the radar rather than infecting every single visitor).”

Landesman picked a random sample of 1,239 compromised websites and found all were running Apache version 2.2.22 or higher, mostly on a variety of Linux distributions. According to recent blog posts published here and here by researchers from security firm Sucuri, Darkleech uses rogue Apache modules to inject malicious payloads into the webpages of the sites it infects and to maintain control of compromised systems. Disinfecting Web servers can prove extremely difficult since the malware takes control of the secure shell (SSH) mechanism that legitimate administrators use to make technical changes and update content to a site.

“We have noticed that they are modifying all SSH binaries and inserting a version that gives them full access back to the server,” Sucuri CTO Daniel Cid wrote in January. “The modifications not only allow them to remote into the server bypassing existing authentication controls, but also allow them to steal all SSH authentications and push it to their remote servers.”

Researchers from a variety of other organizations, including antivirus provider Sophos and the Malware Must Die blog, have also stumbled on servers infected by Darkleech. They note the third-party attack sites host malicious code from the Blackhole exploit kit, a suite of tools that targets vulnerabilities in Oracle’s Java, Adobe’s Flash and Reader, and a variety of other popular client software.

“It looks like the attackers were beforehand well-prepared with some penetration method to gain web exploitation which were used to gain shell access and did the privilege escalation unto root,” the writer of the latter blog post wrote last week, adding that he wasn’t at liberty to discuss the precise method. “Since the root [was] gained in all infected servers, there is no way we can trust the host or its credentials anymore.”

The writer went on to recommend that admins take infected servers offline and use backup data to reinstall the software. He also suggested that users take care to change all server credentials, since there’s a strong chance all previous administrator logins have been compromised.

Déjà vu

The Apache server compromise in many ways resembles a mass infection from 2008 that also used tens of thousands of sites to silently expose visitors to malware attacks. The challenge white hats often face in fighting these hacks is that each researcher sees only a small part of the overall damage. Because the server malware is designed to conceal itself and because so many individual systems are affected, it can be next to impossible for any one person to gain a true appreciation for the scope of attack.

Since there’s not yet consensus among researchers about exactly how Darkleech takes hold of infected systems, it’s still unclear exactly how to protect them. And as already noted, disinfecting systems can also prove challenging since backdoor and possibly even rootkit functionality may allow attackers to maintain control of servers even after the malicious modules are uninstalled. Landesman has published her own blog post about the infection here.

“This is a latent infection,” Sinegubko wrote. “It hides from server and site admins using blacklists and IPs and low-level server APIs (something that normal site scripts don’t have access to). It hides from returning visitors. It constantly changes domains so you can’t reduce it to the facts where some particular domain was involved. I’m still waiting for someone to share any reliable information about the attack vector.”

Source:  arstechnica.com

Recent reports of DHS-themed ransomware

Monday, March 25th, 2013

US-CERT has received reports of apparently DHS-themed ransomware occurring in the wild. Users who are being targeted by the ransomware receive an email message claiming that use of their computer has been suspended and that the user must pay a fine to unblock it. The ransomware falsely claims to be from the U.S. Department of Homeland Security and the National Cyber Security Division.

Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware, or perform a clean reinstallation of their OS after formatting their computer’s hard drive.

US-CERT and DHS encourage users and administrators to use caution when encountering these types of email messages and take the following preventive measures to protect themselves from phishing scams and malware campaigns that attempt to frighten and deceive a recipient for the purpose of illegal gain.

  • Do not click on or submit any information to webpages.
  • Do not follow unsolicited web links in email messages.
  • Use caution when opening email attachments. Refer to the Security Tip Using Caution with Email Attachments for more information on safely handling email attachments.
  • Maintain up-to-date antivirus software.
  • Users who are infected should change all passwords AFTER removing the malware from their system.
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
  • Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

Source:  US-CERT

Malware strikes with valid digital certificate

Tuesday, February 5th, 2013

One of the foundational elements of ecommerce is the web of trust enabled by digital certificates. When you go to a web site, you can feel confident that it’s legitimate because it has a certificate from a recognized certificate authority that validates it. But the certificates themselves can be vulnerable. Case in point: Security firm Malwarebytes recently discovered some malware in the wild with a valid, signed digital certificate.

“One of our security researchers identified this piece of malware,” says Jerome Segura, senior security researcher at Malwarebytes. “It’s a typical Trojan with one peculiarity: It was signed, and unlike a lot of malware that uses signatures, this one was valid.”

The malware is a banking/password stealer that Segura says uses email to spread. It appears to be a PDF invoice with a valid certificate issued to a real Brazilian software company called “Buster Paper Comercial Ltda,” Segura says. The certificate was issued by SSL certificate authority DigiCert. Segura notes that although DigiCert has been notified about the malware, the certificate has not yet been revoked.

“I don’t think it’s stolen, per se,” Segura says. “It looks like what [the criminals] did is they looked at this company in Brazil, which is a software company, and essentially made a request in their name to DigiCert. From the point of view of the certificate authority, it looks normal. [The criminals] probably spoofed the email address to buy the certificate. It looks to me as if it’s too easy for anybody who does a bit of research to either impersonate a company or set up a fake web site as if it were a company and then buy a certificate.”

When someone clicks on this particular piece of malware, Segura says, it opens what appears to be a PDF invoice. But it also creates a number of processes that connect to an enterprise cloud storage company.

“This is a sub-domain for a cloud storage company focusing on file sharing for the enterprise,” Segura says. “Well, in our case, it’s file storage for the criminals.”

The fake PDF downloads two very large files, WIDEAWAKE1.zip and WIDEAWAKE1.ecl. Segura notes that Malwarebytes has also reached out to the cloud storage company about the issue but has yet to receive a response.

Segura notes that ThreatExpert, provider of an automated threat analysis system, found a similar Trojan with a valid digital certificate last November. That Trojan’s certificate has since been revoked.

“What we have here is a total abuse of hosting services, digital certificates and repeat offenses from the same people,” Segura says. “Clearly if digital certificates can be abused so easily, we have a big problem on our hands.”

Digital certificates used for spear-phishing attacks

“Digital certificate theft can be used in targeted attacks as [for] spear phishing, for example,” Segura says. “As we know, one of the weakest links in the security chain is the end-user (and this is especially true in the enterprise world). An attacker can easily find out or guess what antivirus a company is running and craft a piece of malware that will not be detected by it. Because such attacks are very narrow, the sample will not be disseminated around the world, making its discovery less likely.”

Segura recommends that end-users still check for valid digital certificates before opening an attachment received via email (even if they know the sender). But he also recommends following two basic but “powerful” rules:

  • Check the file extension and beware the multiple file extension trick (i.e., document.pdf.xls.exe)
  • Never trust file icons; just because it looks like a Word document or PDF, that doesn’t mean it is
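The two rules above can be checked mechanically on the mail gateway or on a user's download folder. The following is an added example, not code from Malwarebytes or the article: it flags stacked extensions such as `document.pdf.xls.exe` and compares the claimed extension against the file's leading bytes (a real PDF starts with `%PDF-`, a Windows executable with `MZ`), so a PE file wearing a PDF icon is caught regardless of its name. File names and byte strings in the block are constructed.

```python
"""Attachment sanity checks: stacked extensions and magic-byte mismatch.

Added example; the signature table covers only common document and
executable types, and all sample inputs are constructed.
"""
import re
from typing import NamedTuple, Tuple

# Leading bytes for types an e-mailed "invoice" commonly claims to be.
MAGIC = {
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",   # .docx/.xlsx/.pptx are zip containers
    "docx": b"PK\x03\x04",
    "xlsx": b"PK\x03\x04",
    "pptx": b"PK\x03\x04",
    "exe": b"MZ",
    "dll": b"MZ",
    "scr": b"MZ",
}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "dll", "msi"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}


class Verdict(NamedTuple):
    safe: bool
    reasons: Tuple[str, ...]


def split_extensions(name: str):
    """'document.pdf.xls.exe' -> ['pdf', 'xls', 'exe'] (lower-cased)."""
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def check_attachment(name: str, head: bytes) -> Verdict:
    """Apply both rules to a file name and the first bytes of its content."""
    reasons = []
    exts = split_extensions(name)
    final = exts[-1] if exts else ""

    # Rule 1: beware the multiple-extension trick. A document-looking
    # extension followed by anything else is the classic disguise.
    if len(exts) > 1 and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        reasons.append("stacked extensions: " + ".".join(exts))
    if final in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + final)

    # Rule 2: never trust the icon or name; look at the bytes.
    expected = MAGIC.get(final)
    if expected is not None and not head.startswith(expected):
        reasons.append(f"content does not match .{final} signature")
    if head.startswith(b"MZ") and final not in EXECUTABLE_EXTS:
        reasons.append("PE executable disguised as ." + (final or "(none)"))

    return Verdict(safe=not reasons, reasons=tuple(reasons))


if __name__ == "__main__":
    # Constructed samples: a genuine PDF, the stacked-extension trick,
    # and an executable renamed to look like a PDF.
    for fname, head in [
        ("invoice.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3"),
        ("document.pdf.xls.exe", b"MZ\x90\x00\x03\x00"),
        ("invoice.pdf", b"MZ\x90\x00\x03\x00"),
    ]:
        print(fname, check_attachment(fname, head))
```

The magic-byte table is deliberately short; a production gateway would use a full file-type library, but the logic is the same: the name is a claim, the bytes are the evidence.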

Source:  pcadvisor.co.uk

New ransomware trojan encrypts files to make you pay up

Friday, February 1st, 2013

A new type of ransomware has appeared, and it’s got the potential to be a lot more nasty than other trojans in the category. This as-yet unnamed trojan follows through on the threats made by other malware authors. It actually encrypts files on a PC in an attempt to force users to pay up.

Ransomware started popping up a few years ago with a now-familiar MO. An infected user is confronted by a message claiming that their PC has been somehow used in a criminal act or is at risk in some way. In order to rectify the imaginary problem, a fee has to be paid. This extortion scheme is sometimes accompanied by the locking down of parts of the system, but never before has ransomware gone to the extremes of actually encrypting files and holding them hostage. There’s no way to reclaim access to the files by simply removing the trojan.

When a PC picks up the new trojan, it goes to work by creating two encryption keys based on the PC’s ID. It also spawns a new instance of ctfmon.exe or svchost.exe and injects its own code there. This allows it to run in the background more stealthily. The first of the encryption keys is used to encrypt communications with the command and control server. The second key is the one causing all the heartache.

The second key is encrypted by the first, and sent to the command and control server for safekeeping. The server then determines which files should be locked up. It goes after images, documents, and some executables, using the second key to encrypt them. In this case, the scary warning that pops up is not making idle threats — those files aren’t coming back without the key.

The goal here is not to cripple a computer, so the Windows files are left intact. However, the malware does block regedit, task manager, and msconfig. Since the malware controller has the encryption keys, he or she could technically remove the file encryption if the fee is paid. That’s far from a guarantee, though.

Source:  geek.com

Cyberwarfare now menacing the enterprise, Kaspersky Lab says

Friday, February 1st, 2013

Stuxnet, Flame, Gauss and other state-sponsored cyberwarfare malware is increasingly disrupting operations in organizations

Enterprise security managers have yet another worry to add to their list: cyberwarfare attacks.

Now, in addition to guarding against targeted attacks from cybercriminals and activists, enterprise security managers must increasingly guard against potential damage from nation-state cyberwarfare as well, according to the head of research from Kaspersky Labs.

“There are actually a lot of cyber weapons [out there now], but they are very hard to discover,” said Costin Raiu, Kaspersky Lab’s director of global research, who spoke at the Kaspersky Cyber-Security Summit of 2013 Wednesday.

Raiu pointed to how Red October, software that Kaspersky discovered last year, was surreptitiously monitoring computers for at least five years before it was discovered. “This is really shocking for us. We never expected to live in such a stealthy world where we simply don’t know how many other similar attacks are out there,” Raiu said.

Malicious software from profit-minded cybercriminals still accounts for the majority of malware in circulation today, but malware developed by the military, military contractors or other government agencies is becoming increasingly prevalent as well. Cyberwarfare takes place when one nation deploys malware to disrupt the activities of another nation. Also related is cyberespionage, where malware is planted on computers to spy on governments, corporations and important people.

While an antivirus vendor’s warnings about emerging threats can appear to be self-serving, Kaspersky Lab has had a lot of success in the past few years discovering and helping to understand malware supposedly created by governments for purposes of spying and attacking network infrastructure. And Raiu’s remarks have already proved to be timely. On Thursday, the New York Times reported that malicious Chinese hackers, using techniques developed by the Chinese military, had infiltrated its computers.

Raiu pointed to recently discovered malware such as Flame, Gauss, Red October and Stuxnet as examples of cyberwarfare malware.

Such cyberwarfare malware can be better-funded, better written and much more difficult to detect and decode than typical malware. “We are now discovering malware that has been active for [as long as] 10 years,” Raiu said. “The malware that comes from the nation-state is completely different from what is produced by cybercriminals,” he added.

When Kaspersky first unearthed Flame, which it classified as cyberespionage malware, Raiu estimated that, despite the fact it was only 20MB in size, that it would take up to 10 years to truly understand how it works. “No anti-virus company has figured out how Flame works,” Raiu said. “There is so much code, so many subroutines, so much obfuscation and encryption that you need a lot of super highly talented people … to understand what it does.”

Gauss is another allegedly state-sponsored piece of sophisticated malicious software. Again, this software has been difficult for researchers to decipher. “The true purpose of the Gauss malware remains unknown,” Raiu said. Buried in Gauss is a “warhead,” or a block of code that has been encrypted multiple times, Raiu said. “Nobody has been able to decrypt it to know what it actually does,” Raiu said.

Kaspersky’s most recent find was Red October. “Red October was extremely targeted,” Raiu said. Raiu said that the software targeted government diplomatic institutions, which is not the normal target for profit-minded malware writers. It also specifically targeted governments, energy companies, military contractors and aerospace companies.

Red October is also more sophisticated than the average profit-driven malware. It is a modular system. It “looks at what you have on your computer and depending on what you have, and what you do with your computer, [it] will send you dedicated modules for different purposes,” Raiu said. One module, for instance, steals data from mobile phones. Another module can retrieve deleted data from USB memory sticks.

The rise of nation state malware is bad news for enterprises in a number of ways, Raiu said.

Cyberwarfare “has a lot of hidden dangers,” Raiu said. Weaponized exploits developed by governments can be reused by cyber criminals for profit. Another danger is unintended proliferation. “Cyberweapons, which have the ability to multiply by themselves, can simply get out of control,” Raiu said.

In either case, organizations and individuals can suffer from damage from this software, either intentionally or accidentally.

For instance, in January 2010, Google — rather than a U.S. government agency — alerted the world about the Aurora malware attack that took place against Google and other large IT companies, charging that the Chinese government was behind the attacks.

Aurora brought about “the first general acceptance of the fact that nation-states were actively developing cyberweapons and fighting against each other,” Raiu said. “And the targets weren’t necessarily other nation-states, but rather companies from the states.”

Even when companies are not the targets, they can still suffer collateral damage, Raiu warned.

For instance, U.S. oil company Chevron reported that its systems were hampered by the Stuxnet virus. It’s widely believed in the security community that U.S. and Israeli intelligence agencies created Stuxnet to spy on and disrupt Iran’s nuclear operations, though official sources have never confirmed the allegations.

Duqu, widely considered the successor to Stuxnet, has also been inflicting damage on bystanders. This malware is currently spreading across PCs at an alarming rate. In a single day last month, Kaspersky saw a jump of 23 percent in the number of new copies of Duqu that infected PCs Kaspersky monitored, from 31,159 to 38,375.

Source:  computerworld.com

Your antivirus software probably won’t prevent a cyberattack

Friday, February 1st, 2013

During a four-month long cyberattack by Chinese hackers on the New York Times, the company’s antivirus software missed 44 of the 45 pieces of malware installed by attackers on the network.

That’s a stunning wake-up call to people and businesses who think they are fully protected by their antivirus software.

“Even the most modern version of antivirus software doesn’t give consumers or enterprises what they need to compete in the hacker world,” said Dave Aitel, CEO of security consultancy Immunity. “It’s just not as effective as it needs to be.”

The New York Times said it had an antivirus system from Symantec (SYMC, Fortune 500) installed on devices connected to its network. The Chinese hackers built custom malware to, among other things, retrieve the usernames and passwords of Times’ reporters. Since that brand-new malware wasn’t on Symantec’s list of forbidden software, most of it was allowed to pass through undetected.

Symantec responded that it offers more advanced solutions than the one the New York Times (NYT) deployed.

“Advanced attacks like the ones the New York Times described underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions,” the company said in a written statement. “Antivirus software alone is not enough.

“The cold fact is that no single solution can prevent all cyberthreats. Sophisticated attacks on networks routinely bypass network security systems, no matter how rock-solid they are — or claim to be.

“Commercially available solutions are available to everyone,” said Rohit Sethi, head of product development for SD Elements, a security firm. “It’s not hard for attackers to learn how to evade detection, and they’re coming up with ingenious ways of doing just that.”

The solution, security experts say, is to deploy technology that keeps a very, very close eye on what’s happening inside your network. You can’t always prevent attackers from getting in, but you can at least set tripwires to alert you when they do.

In the New York Times’ case, the company suspected that it would be attacked because of its investigation into Chinese Prime Minister Wen Jiabao’s family finances. It asked AT&T (T, Fortune 500) to monitor its network. AT&T quickly picked up suspicious signs. Two weeks later, when the extent of the infiltration became clear, the Times hired security consultancy Mandiant to track the attackers’ movements through its systems.

“Attackers no longer go after our firewall,” Michael Higgins, the Times’ chief security officer, told Times reporter Nicole Perlroth. “They go after individuals. They send a malicious piece of code to your e-mail account and you’re opening it and letting them in.”

From there, the best thing companies can do is track what attackers are doing.

“The question we always ask our customers is, ‘Do you know every program running on your network?’” said Immunity’s Aitel. “When you know the answer to that question, you don’t need antivirus software. When you don’t, you’re screwed.”

Experts say that antivirus software is still a good, basic thing to have. Owning an antivirus solution is like putting the Club in your car — it’s not going to stop a determined thief, but it’s going to make stealing your stuff more difficult.

Antivirus software maker Avast, whose free antivirus software is among the most widely used, says there’s a major distinction between the kinds of threats encountered by everyday Web surfers and the carefully targeted attack the Times faced.

“Seatbelts and airbags are wonderful protection and improve the safety of millions, but they will not stop a bullet fired — say by a hired killer,” said Jindrich Kubec, Avast’s threat intelligence director. “Does it mean you will stop using airbags and seatbelts?”

Some antivirus solutions are better than others. In a recent analysis, Immunity simulated attacks against networks protected by the top-of-the-line software built by Symantec, Kaspersky Labs and Intel’s (INTC, Fortune 500) McAfee security division.

Immunity was able to break into the systems protected by Kaspersky and McAfee in two days. Symantec was the best of the breed, with Immunity unable to penetrate it in the several days it gave itself to achieve the task.

“New reputational-based software works to an extent,” Aitel said, referring to systems that aim to contextualize the threats they detect. “But deep down, nothing is as good as having a proper awareness about what’s going on in your network.”

Source:  CNN

Android malware mimics Play, performs DDoS attacks, sends text spam

Monday, December 31st, 2012

Those of you with an Android device should be on the lookout — the security firm Dr. Web is warning users of a new trojan that disguises itself using the Google Play icon. Dubbed Android.DDoS.1.origin, the malware creates an application icon that looks just like the Google Play icon. When opened, the malware actually opens Google Play, helping disguise the malicious activity taking place in the background.

Once Android.DDoS.1.origin is running, it attempts to connect to a remote server and sends the device’s phone number down the pipeline. If successfully connected, the device is now compromised, and remains in a state awaiting commands from whoever is on the receiving end of the phone number. The cyber hooligans can then make the compromised device send SMS messages, or perform DDoS attacks on a specified target.

Aside from having your device compromised and responsible for a DDoS attack, the criminals controlling the device could also run up SMS and data charges depending on how frequently they send messages and perform DDoS attacks. Of course, the frequency and intensity of this malicious activity could affect the performance of a compromised device, based on simple processor and memory allocations and usage.

At the moment, Dr. Web reports that how the trojan spreads is unclear, but it is most likely spread through social media tactics, getting users to download the code themselves in some manner.

As one might expect of a security company, Dr. Web notes that users running Dr. Web products for Android will be protected from the trojan. If you aren’t cool with that, just pay attention to what you download, or don’t enable the feature that allows you to download apps that didn’t come from the Google Play store.

Symantec finds a new trojan that steals data from US banks, customers

Thursday, December 27th, 2012

Nearly half of detected infections are on financial institutions’ servers.

Symantec has discovered a new piece of malware that appears to be targeting financial institutions and their customers in the US. Dubbed Trojan.Stabuniq by Symantec, the malware has been collecting information from infected systems—potentially for the preparation of a more damaging attack.

According to a post on Symantec’s blog contributed by Symantec employee Alan Neville, Trojan.Stabuniq appears to be aimed at a very specific set of victims. While the number of reported systems compromised by the Trojan is relatively low, nearly 40 percent of the systems are financial institutions’ mail servers, firewalls, proxies, and gateways. Half of the systems infected are consumer PCs, and the remainder of the detected infections are on systems belonging to network security companies—likely because they are evaluating the threat posed by the Trojan.

The malware appears to be spread by a “phishing” attack through spam e-mail containing a link to the address of a server hosting a Web exploit toolkit. Once installed, it changes the Windows registry to disguise itself—usually as a Microsoft Office or Java component, or in the guise of an Internet Explorer “helper” module, InstallShield update scheduler, or sound driver agent—and makes sure it is activated at reboot. Then it collects information about the computer it has infected (including its computer name, IP address, the operating system version and which service packs are installed, and the names of running processes on the computer), and dumps that data to a command and control server at one of eight domain names.

On the surface, this theft seems relatively benign, and Stabuniq is fairly easily removed and blocked once it is discovered. But it could be just a proof-of-concept for another attack in preparation for deployment of a much more malignant set of code.

Source:  arstechnica.com

Apache plugin turns legit sites into bank-attack platforms

Wednesday, December 19th, 2012


Module found operating in the wild causes sites to push malware on visitors.

A malicious Apache module found operating in the wild turns sites running the Internet’s most popular Web server into platforms that surreptitiously install malware on visitors’ computers.

The plugin, which was discovered by researchers from antivirus provider Eset, is an x64 Linux binary that streamlines the process of injecting malicious content into compromised websites. It was found running on an undisclosed website that exposed end users to a variety of exploits that installed the ZeuS banking trojan, also known as Win32/Zbot. It also pushed malware from Sweet Orange, a newer exploit kit hosted by servers in Lithuania that competes with ZeuS. When Eset discovered the plugin last month, it was connecting to command and control servers in Germany and was being used to target banking customers in Russia and elsewhere in Europe.

“This complicated case spreads across three different countries, targeting users from a fourth one, making it very hard for law enforcement agencies to investigate and mitigate,” Pierre-Marc Bureau, Eset’s security intelligence program manager, wrote in a blog post. “It is not clear at this point in time if the same group of people are behind the whole operation, or if multiple gangs collaborated, perhaps with one to drive traffic to the exploit pack and sell the infected computers to another gang operating a botnet based on Win32/Zbot.”

The Apache plugin, which Eset software flags as Linux/Chapro.A, contains several features designed to make infections stealthy. To prevent being widely detected, it doesn’t serve malicious content when a visitor’s browser user agent indicates it’s coming from Google or another automated search-engine agent. It also holds its fire against IP addresses that connect to the Web server over SSH-protected channels, preventing site administrators from being exposed. It also uses browser cookies and IP logging to prevent visitors from being exposed to exploits more than once. By hiding the attacks from search engines and admins—and making it hard to determine how end-user machines are infected—the features make it harder to identify the site as compromised.

The compromised site found by Bureau was injecting invisible iframe tags into otherwise legitimate webpages. The iframes he observed attempted to exploit at least four previously patched security bugs in Microsoft Internet Explorer, Adobe Reader, and Oracle’s Java software framework. The plugin has the capability to inject malicious JavaScript into Web content, giving it another powerful avenue for attack.
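Both behaviours described above, the invisible iframe injection and the cloaking that keeps crawlers and administrators from seeing it, can be checked from outside the server by fetching the same page as different clients and diffing the result. The following added example is not Eset's code or anything from the article: it parses HTML for iframes that are zero-sized, one-pixel, display:none or pushed off-screen, and reports iframe sources that appear only in the "ordinary browser" view. The HTML snippets and the `injected.example` host are constructed; in practice you would feed in two live fetches, one with a search-engine user agent and one with a browser user agent, from an IP address that has not logged into the server.

```python
"""Hidden-iframe and cloaking check for compromised web pages.

Added example. Works on HTML strings, so it runs offline on the
constructed samples below; swap in real fetches to use it on a site.
"""
from html.parser import HTMLParser
import re


class IframeCollector(HTMLParser):
    """Collects every <iframe> start tag with its attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value: str) -> bool:
    """True for '0', '0px', '1', '1px', '0%': a frame nobody can see."""
    m = re.fullmatch(r"(\d+)(px|%)?", (value or "").strip().lower())
    return m is not None and int(m.group(1)) <= 1


def is_hidden(attrs: dict) -> bool:
    """Decide whether an iframe is sized or styled to be invisible."""
    style = attrs.get("style", "").lower().replace(" ", "")
    if _tiny(attrs.get("width", "")) or _tiny(attrs.get("height", "")):
        return True
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if re.search(r"(width|height):[01](px)?(;|$)", style):
        return True
    if re.search(r"(left|top):-\d{3,}", style):  # parked far off-screen
        return True
    return False


def hidden_iframes(html: str):
    """Return the src of every hidden iframe in the page, in document order."""
    parser = IframeCollector()
    parser.feed(html)
    return [f.get("src", "") for f in parser.iframes if is_hidden(f)]


def cloaking_diff(crawler_view: str, browser_view: str):
    """Hidden iframe sources served to a browser but not to a crawler.

    A non-empty result means the server varies injected content by
    client, the behaviour the module above is described as having.
    """
    return sorted(set(hidden_iframes(browser_view)) - set(hidden_iframes(crawler_view)))


# Constructed samples: what a crawler (or the admin over SSH) would get,
# and what a first-time visitor with a normal browser would get.
CRAWLER_VIEW = (
    "<html><body><h1>Welcome</h1><p>Legit content</p>"
    '<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>'
    "</body></html>"
)
BROWSER_VIEW = (
    "<html><body><h1>Welcome</h1><p>Legit content</p>"
    '<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>'
    '<iframe src="http://injected.example/landing" width="0" height="0" '
    'style="visibility: hidden"></iframe>'
    "</body></html>"
)

if __name__ == "__main__":
    print("hidden in browser view:", hidden_iframes(BROWSER_VIEW))
    print("served only to browsers:", cloaking_diff(CRAWLER_VIEW, BROWSER_VIEW))
```

The diff is only meaningful if the two fetches come from an address and cookie jar the server has not seen before, since the module also suppresses the payload for returning visitors; run it from a fresh client each time.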

Bureau didn’t say how the site running the plugin was hacked. Many legitimate websites used in malware attacks are commandeered after administrator credentials are compromised. He said the malicious Apache plugin is separate from a Linux rootkit discovered last month that also injects malicious content into otherwise legitimate webpages.

Engineers who develop and maintain Apache offer programming interfaces that allow anyone to write modules that give the Web server additional capabilities. The module discovered by Eset is almost certainly written by a third party that has no affiliation with the Apache Foundation.

Source:  arstechnica.com

Another data-wiping malware program found in Iran

Tuesday, December 18th, 2012

New Batchwiper malware is unsophisticated but can cause a lot of damage, security researchers say

A new piece of malware that deletes entire partitions and user files from infected computers has been found in Iran, according to an alert issued by Maher, Iran’s Computer Emergency Response Team Coordination Center (CERTCC).

Maher Center described the new threat as a targeted attack, but said that it has a simple design and is not similar to other sophisticated targeted attacks previously seen in the region. “Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software,” the center said in its advisory.

Several security companies have confirmed Maher’s findings and said the threat is unsophisticated.

The malware is designed to delete all data from disk partitions identified with letters D to I, as well as files located on the desktop of the currently logged in user, security researchers from antivirus vendor Symantec said Monday in a blog post.

The malware initiates its data wiping routine on certain dates, the next one being Jan. 21, 2013. However, the dates of Oct. 12, Nov. 12 and Dec. 12, 2012, were also found in the malware’s configuration, suggesting that it may have been in distribution for at least two months.

The Maher Center said the malware’s installer, also known as the dropper, is called GrooveMonitor.exe. That filename was likely chosen as a disguise because it is normally associated with a legitimate Microsoft Office 2007 document collaboration feature called Microsoft Office Groove.

According to an analysis of the new threat by researchers from security firm AlienVault, when the installer is executed, it adds a registry entry that ensures the malware’s persistence across system reboots and creates a Windows batch file containing the data wiping routine.

Because of its use of batch files — script files to be executed by the Windows shell program — the malware has been dubbed “Batchwiper.”

It’s not clear how the malware is being distributed. The dropper could be deployed using several vectors, ranging from spearphishing emails and infected USB drives to other malware already running on computers or an internal actor uploading it to network shares, AlienVault Labs manager Jaime Blasco said via email.

Despite the fact that this malware is not sophisticated, if its wiping routines are executed, it can do a lot of damage, Blasco said.

Batchwiper is not the first data wiping malware found in the Middle East. Earlier this year, an investigation into a mysterious piece of malware that reportedly destroyed data from Iranian energy sector servers led to the discovery of the Flame cyberespionage threat.

In August, security researchers identified another unrelated piece of malware with data wiping capabilities called Shamoon. The malware is believed to have been used in an attack against Saudi Aramco, Saudi Arabia’s national oil company, and affected thousands of computer systems.

“Kaspersky Lab is currently researching the latest form of data wiping malware that was reported on December 16, 2012 by the Iranian Maher CERT,” a representative of Kaspersky Lab said Monday via email. “Preliminary analysis suggests the malware is unsophisticated and does not appear to be related to the Wiper or Shamoon/DistTrack malware from earlier this year.”

The malware nonetheless points to a trend of destructive code being used in the Middle East region.

“I do agree that this is not common in other parts of the world, and it can suggest that in the Middle East it might be easier for attackers to decide to take such actions to cover their tracks,” Aviv Raff, chief technology officer of Israel-based IT security firm Seculert, said via email. Seculert researchers have analyzed Batchwiper and confirm that it doesn’t appear to have any direct connection to Shamoon, he said.

Source:  infoworld.com

The Russian underground economy has democratised cybercrime

Friday, November 2nd, 2012

If you want to buy a botnet, it’ll cost you somewhere in the region of $700 (£433). If you just want to hire someone else’s for an hour, though, it can cost as little as $2 (£1.20) — that’s long enough to take down, say, a call centre, if that’s what you were in the mood for. Maybe you’d like to spy on an ex — for $350 (£217) you can purchase a trojan that lets you see all their incoming and outgoing texts. Or maybe you’re just in the market for some good, old-fashioned spamming — it’ll only cost you $10 (£6.19) for a million emails. That’s the hourly minimum wage in the UK.

This is the current state of Russia’s underground market in cybercrime — a vibrant community of ne’er-do-wells offering every conceivable kind of method for compromising computer security. It’s been profiled in security firm Trend Micro’s report, Russian Underground 101, and its findings are as fascinating as they are alarming. It’s an insight into the workings of an entirely hidden economy, but also one that’s pretty scary. Some of these things are really, really cheap.

Rik Ferguson, Trend Micro’s director of security research and communications, explains to Wired.co.uk that Russia’s cybercrime market is “very much a well-established market”. He says: “It’s very mature. It’s been in place for quite some time. There are people offering niche services, and every niche is catered for.” Russia is one of the major centres of cybercrime, alongside other nations like China and Brazil (“the spiritual home of banking malware”).

Russian Underground 101 details the range of products on offer in this established market — Ferguson says that they can be for targeting anyone “from consumers to small businesses”. He points to ZeuS, a hugely popular trojan that’s been around for at least six years. It creates botnets that remotely store personal information gleaned from users’ machines, and has been discovered within the networks of large organisations like Bank of America, Nasa and Amazon. In 2011, the source code for ZeuS was released into the wild — now, Ferguson says, “it’s become a criminal open source project”. Versions of ZeuS go for between $200 (£124) to $500 (£309).

Cybercriminal techniques go in and out of fashion like everything else — in that sense, ZeuS is a bit unusual in its longevity. That’s in large part because viruses and trojans can be adapted to take advantage of things in the news to make their fake error messages or spam emails seem more legitimate. For example, fake sites, and fake ads for antivirus software, aren’t as popular as they once were because people are just more computer literate these days. Exploits which take advantage of gaps in browser security to install code hidden in the background of a webpage have also become less common as those holes are patched up — but programs which embed within web browsers still pose a threat, as the recent hullabaloo over a weakness in Java demonstrates.

Ferguson points to so-called “ransomware” as an example of a more recent trend, where the computer is locked down and the hard drive encrypted. All the user sees on the screen is a message telling them that their local law enforcement authority (so, in the UK, often the Metropolitan Police) has detected something like child pornography or pirated software on their PC, and if they want to unlock it they’ll have to send money to a certain bank account. No payment, no getting your hard drive back.

Amazingly, if you pay that “fine”, then you will actually get your information back, says Ferguson. “But you’ve labelled yourself as an easy mark, and there’s no telling if they haven’t left behind a backdoor which will let them come back and try again,” he says. Child pornography and pirated software have been in the news a lot over the past few years, for obvious reasons, and that kind of thing directly influences the thinking of hackers and programmers.

Taking the time to adapt these tools to recent trends can be very lucrative. DNSChanger, a popular trojan from 2007 to 2011, would infect a machine and change its DNS settings. When the user went to a webpage with ads on it, that traffic would give affiliate revenue to the scammers. One prominent DNSChanger ring (Rove Digital) was busted in Estonia in 2011 — the FBI had been tracking them for six years, and during that time it was estimated that they’d earned around $14 million (£8.7 million) from this little trick. It also meant that the FBI was left with some critical web infrastructure on its hands — those infected machines (which included machines at major organisations) could only access the web through those Rove Digital servers. Months were spent trying to get people to check their computers for infection and ensuring that when those Estonian servers were shut off, it didn’t take down, say, a bank.

The most recent trends in cybercrime, though, are very much focused on mobile — particularly Android, Ferguson explains: “We’ve seen so far 175,000 malicious threats for Android, and we expect that to be a quarter of a million by next year. Those threats come from malicious apps — if you want to stay safe, stick to official channels like Google Play, don’t just download from any site. Similarly, there aren’t any malicious iOS apps in the wild, on the App Store, but that only applies to iPhones that aren’t jailbroken — downloading from other places puts your phone at risk.”

These threats aren’t going away, either. In fact, according to Ferguson, “prices are going down” across the Russian underground: “Let’s not pretend that these people aren’t taking advantage of technology just like normal businesses — improvements in technology are getting faster, and there are things like cloud services which they also use. The bad guys are using technologies to drive down costs in the same way businesses are.”

Ferguson cites the recent case of someone claiming to have bought the personal information of 1.1 million Facebook users for only $5 (£3.19) as further evidence of the growing problem of online information leaking into the hands of these cybercrime communities. Hackers and other cybercriminals make it their job to analyse security measures and find ways around them, because that information is where the value lies.

While hackers and other cyber criminals can save by buying in bulk, the cost to the individual (or the business) that falls victim to one of these techniques is potentially much higher. So, be vigilant, OK?

Here’s some of what you can buy on the Russian underground…

Basic crypter (for inserting rogue code into a benign file): $10-$30 (£6.19-£19)
SOCKS bot (to get around firewalls): $100 (£62)
Hiring a DDoS attack: $30-$70 (£19-£43) for a day, $1,200 (£742) for a month
Email spam: $10 (£6.19) per one million emails
Expensive email spam (using a customer database): $50-$500 (£31-£310) per one million emails
SMS spam: $3-$150 (£1.86-£93) per 100-100,000 messages
Bots for a botnet: $200 (£124) for 2,000 bots
DDoS botnet: $700 (£433)
ZeuS source code: $200-$500 (£124-£310)
Windows rootkit (for installing malicious drivers): $292 (£180)
Hacking a Facebook or Twitter account: $130 (£80)
Hacking a Gmail account: $162 (£100)
Hacking a corporate mailbox: $500 (£310)
Scans of legitimate passports: $5 (£3.10) each
Winlocker ransomware: $10-$20 (£6.19-£12.37)
Unintelligent exploit bundle: $25 (£15)
Intelligent exploit bundle: $10-$3,000 (£6.19-£1,857)
Traffic: $7-$15 (£4.33-£9.29) per 1,000 visitors for the most valuable traffic (from the US and EU)

Source: Wired

Cybercriminals plot massive banking Trojan attack

Friday, October 5th, 2012

Gang plans to use sophisticated malware to initiate illegal wire transfers, RSA says

An international gang of cyber crooks is plotting a major campaign to steal money from the online accounts of thousands of consumers at 30 or more major U.S. banks, security firm RSA warned.

In an advisory Thursday, RSA said it has information suggesting the gang plans to unleash a little-known Trojan program to infiltrate computers belonging to U.S. banking customers and to use the hijacked machines to initiate fraudulent wire transfers from their accounts.

If successful, the effort could turn out to be one of the largest organized banking-Trojan operations to date, Mor Ahuvia, cybercrime communications specialist with RSA’s FraudAction team, said today. The gang is now recruiting about 100 botmasters, each of whom would be responsible for carrying out Trojan attacks against U.S. banking customers in return for a share of the loot, she said.

Each botmaster will be backed by an “investor” who will provide money to buy the hardware and software needed for the attacks, Ahuvia said.

“This is the first time we are seeing a financially motivated cyber crime operation being orchestrated at this scale,” Ahuvia said. “We have seen DDoS attacks and hacking before. But we have never seen it being organized at this scale.”

RSA’s warning comes at a time when U.S. banks are already on high alert. Over the past two weeks, the online operations of several major banks, including JP Morgan Chase, Bank of America, Citigroup and Wells Fargo were disrupted by what appeared to be coordinated denial-of-service attacks.

A little-known group called “Cyber fighters of Izz ad-din Al qassam” claimed credit for the attacks, but some security experts think a nation may have been behind the campaign because of the scale and organized nature of the attacks.

In mid-September, the Financial Services Information Sharing and Analysis Center (FS-ISAC) warned banks to be on guard against cyberattackers seeking to steal employee network login credentials to conduct extensive wire transfer fraud. Specifically, the alert warned banks to watch out for hackers using spam, phishing emails, Remote Access Trojans and keystroke loggers to try and pry loose bank employee usernames and passwords.

FS-ISAC also noted that the FBI had seen a new trend where cyber criminals use stolen bank employee credentials to transfer hundreds of thousands of dollars from customer accounts to overseas locations.

Over the past few years, cyber crooks have siphoned off millions of dollars from small businesses, school districts and local governments by stealing online usernames and passwords and using those credentials to make the transfers.

The latest discussion suggests that they now have individual consumer accounts in their crosshairs, Ahuvia said, warning that the gang plans to attempt to infiltrate computers in the U.S. with a little-known Trojan malware program called Gozi Prinimalka.

The malware is an updated version of a much older banking Trojan, Gozi, which was used by cyber criminals to steal millions of dollars from U.S. banks. The group’s plan apparently is to plant the Trojan program on numerous websites and to infect computers when users visit those sites.

The Trojan is triggered when the user of an infected computer types out certain words — such as the name of a specific bank — into a URL string.

Unlike the original Gozi, the new version is capable not only of communicating with a central command-and-control server but also of duplicating the victim’s PC settings. The Trojan essentially supports a virtual machine cloning feature that can duplicate the infected PC’s screen resolution, cookies, time zone, browser type and version and other settings. That allows the attacker to access a victim’s bank website using a computer that appears to have the infected PC’s real IP address and other settings, Ahuvia said.

“Impersonated victims’ accounts will thus be accessed via a SOCKS proxy connection installed on their infected PCs, enabling the cloned virtual system to take on the genuine IP address when accessing the bank’s website,” she said in her alert.

Victims of fraudulent wire transfers will not immediately know of the theft because the gang plans on using VoIP flooding software to prevent victims from getting bank notifications on their mobile devices, she added.

Consumers need to ensure that their browsers are properly updated to protect against drive-by downloads, she said. They also need to watch for any suspicious behavior or transactions on their accounts.

RSA has also notified U.S. law enforcement and its own FraudAction Global Blocking Network about the threat, she said. Banks, meanwhile, should consider implementing stronger authentication procedures and anomaly detection tools for spotting unusual wire transfers.
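To make the last recommendation concrete, here is an added example (not RSA’s or Computerworld’s code, and not a description of any real bank’s controls) of the kind of wire-transfer anomaly check a bank could run. It replays a constructed transfer history for one account and scores each transfer against the ones before it. It also shows why a device-fingerprint/IP check on its own is not enough against the cloning and SOCKS-proxy behaviour described above: the suspicious session in the sample carries exactly the victim’s fingerprint and IP, so only the behavioural checks (new beneficiary, new destination country, unusual amount, transfer velocity) fire. Account names, beneficiary labels, the “ZZ” country code and the fingerprint strings are all placeholders.

```python
# Added example: a minimal wire-transfer anomaly check of the kind the
# advisory suggests banks deploy. All records are constructed; account,
# beneficiary, country code "ZZ" and fingerprint strings are placeholders.
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    account: str
    when: datetime
    amount: float
    beneficiary: str   # destination account label (constructed)
    country: str       # destination country code
    device: str        # browser / time zone / resolution fingerprint of the session
    ip: str            # source IP of the session


def device_and_ip_match(history, tx):
    """Fingerprint/IP check on its own. A Trojan that clones the victim's
    settings and proxies through the victim's PC passes this test."""
    return any(h.device == tx.device and h.ip == tx.ip for h in history)


def transfer_anomalies(history, tx, sigmas=3.0, velocity_hours=24, max_recent=1):
    """Behavioural checks that do not depend on the session looking like the
    victim. Returns a list of reasons; an empty list means nothing unusual."""
    reasons = []
    if not history:
        return ["no transfer history for account"]
    amounts = [h.amount for h in history]
    mu, sd = mean(amounts), pstdev(amounts)
    # A near-constant history would make any change look extreme, so the
    # threshold never drops below mean + sigmas * 25% of the mean.
    threshold = mu + sigmas * max(sd, 0.25 * mu)
    if tx.amount > threshold:
        reasons.append(f"amount {tx.amount:.2f} exceeds threshold {threshold:.2f}")
    if tx.beneficiary not in {h.beneficiary for h in history}:
        reasons.append(f"first transfer to beneficiary {tx.beneficiary}")
    if tx.country not in {h.country for h in history}:
        reasons.append(f"first transfer to country {tx.country}")
    window = timedelta(hours=velocity_hours)
    recent = [h for h in history if timedelta(0) <= tx.when - h.when <= window]
    if len(recent) > max_recent:
        reasons.append(f"{len(recent) + 1} transfers within {velocity_hours}h")
    return reasons


def review_account(transfers):
    """Replay an account's transfers in time order, scoring each against the
    ones before it. Returns {index in time order: reasons} for flagged ones."""
    flagged = {}
    history = []
    for i, tx in enumerate(sorted(transfers, key=lambda t: t.when)):
        reasons = transfer_anomalies(history, tx)
        if reasons and history:   # the very first transfer has nothing to compare to
            flagged[i] = reasons
        history.append(tx)
    return flagged


# Constructed sample: six monthly rent-sized transfers to one domestic payee,
# then a large transfer to a new overseas beneficiary from a session whose
# device fingerprint and IP are identical to the genuine ones (the cloning
# behaviour described in the article).
SAMPLE = [
    Transfer("acct-001", datetime(2012, m, 1, 9, 30), amt, "landlord-llc", "US",
             "Firefox/15 tz=-5 1280x800", "203.0.113.10")
    for m, amt in zip(range(4, 10), [1200.0, 1200.0, 1250.0, 1200.0, 1200.0, 1200.0])
] + [
    Transfer("acct-001", datetime(2012, 10, 4, 23, 55), 9800.0, "mule-placeholder", "ZZ",
             "Firefox/15 tz=-5 1280x800", "203.0.113.10"),
]

if __name__ == "__main__":
    hist, suspect = SAMPLE[:-1], SAMPLE[-1]
    print("device/IP check passes:", device_and_ip_match(hist, suspect))
    for idx, why in review_account(SAMPLE).items():
        print(f"transfer #{idx} flagged:", "; ".join(why))
```

Run as a script, the cloned session passes the device/IP check, while the replay flags the seventh transfer for three reasons: the amount is far above the account’s usual range, the beneficiary has never been paid before, and the destination country is new. In a real deployment the thresholds and window would be tuned per customer segment and the flag would route to a hold or an out-of-band confirmation, which matters here because the advisory also warns that victims’ phone notifications may be flooded.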

Source: computerworld.com