Advertisement
  • About the Author
  • About this Blog

    • Other

    Other10 Comments
    28
    Jul 10

    Alleged Mariposa Botnet Author Nabbed

    Police in Slovenia have arrested a 23-year-old man in Maribor believed to be responsible for creating the Mariposa botnet, a collection of hacked PCs that spanned an estimated 12 million computers across the globe, according to reports.

    The Associated Press cites FBI officials in Washington, D.C. stating that authorities had arrested “Iserdo,” the nickname used by the hacker alleged to have created Mariposa, a botnet that first surfaced in December 2008 and grew to infect more than half of the Fortune 1,000 companies, as well as at least 40 major banks.

    Earlier this year, police in Spain arrested three of Iserdo’s associates, who allegedly used the Mariposa botnet to steal credit card accounts and online banking credentials.

    The AP story doesn’t identify Iserdo, saying officials declined to release his name and the exact charges filed against him, but says that the arrest took place about 10 days ago, and that the man has been released on bond.

    According to information obtained by KrebsOnSecurity.com, Iserdo’s real name is Dejan Janžekovic. Local Slovenian press reports at the time of his arrest said Iserdo was a former student at the Maribor Faculty of Computer and Information Science, but that information could not be independently confirmed.

    Individuals close to the case say Janžekovic charged a few hundred dollars for each copy of the bot kit, and that sales frequently were handled by a former classmate who accepted Western Union transfers on his behalf. According to two sources, one of those who helped with the transactions was a 24-year-old woman named Nuša Čoh, pictured here in her high school photo.

    Neither Janžekovic nor Čoh could be immediately reached for comment.

    Update, July 29, 4:45 p.m: Janzekovic appears only to have been a person of interest in this investigation, according to a law enforcement official I spoke with today. Also, I heard back from Janzekovic himself, who acknowledged having been investigated by the FBI and Slovenian police in connection with Mariposa, and taken in to the police station for questioning. But he said he is not Iserdo, and that the authorities somehow had him mixed up with someone else. From his e-mail to me:

    “I am 23 years old (the picture you found is very outdated). I am single, I work as a senior systems administrator for a telco in Slovenia. Fact is that I love technology, I love life (even though the past two weeks it was hell on earth for me), but most of all – I am innocent. Yes, you read right, innocent. I am smarter than this and such things do interest me only from the technological point, as in how to protect against them.

    Oh, not to forget, my net nick was and will never be Iserdo.

    It is true, that I had the FBI and Slovenian police investigating me but it is also true, that I had nothing to hide. During the investigation I was very cooperative with authorities – I even gave them password for my encrypted partitions. What was the lead to me? It had to be some kind of mix-up and/or identity theft – the only person known to me in this whole story is the girl who I went to school with (as you have already found out).

    Neither of authorities did explain to me how they came to conclusion that I was iserdo. I strongly believe the case was identity theft (obviously someone who knew enough about me, to know that I would easily fit in the case) and/or connection through Nusa. And believe me, it was also to my great surprise, when they woke me up at 6 a.m. to search my home on basis of me selling some ‘nasty code’.

    But know this – I do not know any technical details about the botnet, program or anything about the criminal backgrounds as I have never seen it or worked with it.”

    Continue reading →

    Other18 Comments
    28
    Jul 10

    Hacked Companies Hit by the Obvious in 2009

    As a rule, I tend to avoid writing about reports and studies unless they offer truly valuable and actionable insights: Too often, reports have preconceived findings that merely serve to increase hype and drum up business for the companies that commission them. But I always make an exception for the annual data breach report issued by the Verizon Business RISK team, which is consistently so chock full of hype-slaying useful data and conclusions that it is often hard to know what not to write about from its contents.

    Once again, some of the best stuff is buried deep in this year’s report and is likely to be missed in the mainstream coverage. But let’s get the headline-grabbing findings out of the way first:

    -Verizon’s report on 2009 breaches for the first time includes data from the U.S. Secret Service. Yet, the report tracks a sharp decline in the total number of compromised records (143 million compromised records vs.  285 million in 2008).

    -85 percent of records last year were compromised by organized criminal groups (this is virtually unchanged from the previous report).

    -94 percent of compromised records were the result of breaches at companies in the financial services industry.

    -45 percent of breaches were from external sources only, while 27 percent were solely perpetrated from the inside by trusted employees.

    Among the most counter-intuitive findings in the report?

    There wasn’t a single confirmed intrusion that exploited a patchable vulnerability. Rather, 85 percent of the breaches involved common configuration errors or weaknesses that led to things like SQL database injection attacks, and did not require the exploitation of a flaw that could be fixed with a software patch. In most cases, the breaches were caused by weaknesses that could be picked up by a free Web vulnerability scanner:

    “Organizations exert a great deal of effort around the testing and deployment of patches — and well they should. Vulnerability management is a critical aspect of any security program. However, based on evidence collected over the last six years, we have to wonder if we’re going about it in the most efficient and effective manner. Many organizations treat patching as if it were all they had to do to be secure. We’ve observed multiple companies that were hell-bent on getting patch X deployed by week’s end but hadn’t even glanced at their log files in months.”

    Speaking of log files, one of the most interesting sections of the 66-page report comes in a sidebar titled “Of Needles and Haystacks,” which states that 86 percent of all breaches last year could have been prevented if victim companies had simply looked for unusual patterns in the log files created by their Web servers.

    Continue reading →

    Other45 Comments
    27
    Jul 10

    Rogue Antivirus Victims Seldom Fight Back

    Recently I came into possession of a series of documents showing the financial books of an organization that orchestrates the distribution of rogue anti-virus attacks or “scareware,” programs that hijack victim PCs with misleading security alerts in an effort to frighten the user into purchasing worthless security software. I found many interesting details in this data cache, but one pattern in the data explains why scareware continues to be a major scourge: Relatively few people victimized by it dispute the transaction with their bank.

    The documents list the amounts charged to more than 2,000 people around the world (the screen shots show the distribution of victims globally and in the United States). Victims paid anywhere from $50 to $100 for the fake anti-virus software. The file lists the amounts charged, partially obscured credit card numbers, and the names, addresses and e-mails of all victims.

    More importantly, they show that only 367 victims — fewer than 20 percent — bothered to contact their bank or the scammers to reverse the fraudulent charges after the fact.

    A second wave of attacks apparently conducted by the same malware gang in early April shows that only 163 out of 1,678 victims – fewer than 10 percent — initiated chargebacks or disputed the sales (the geographic distribution of victims of this second wave is not included in the Google Maps graphics shown here).

    I interviewed more than a dozen victims of the first scareware attack, which occurred between April 12 and April 15. All said their computers became unusable and that the only way they could figure out how to regain control of the machine was to surrender and purchase the software. In each case, immediately after the victims submitted their payment information, the hijacking program disappeared, leaving no trace of itself, and no hint of any fake security program on the victim’s machine.

    Some victims reported receiving a follow-up e-mail thanking them for their purchase, and directing support inquiries to support@browsing-solutions.com. Others never got an e-mail, but only saw a charge on their credit card statement from Browsing Solutions, Moscow. Other victims saw charges from an EBD-Software.com.

    None of the victims I was able to track down had successfully reversed the charges with their credit card provider, although a few did have the charges canceled after contacting the phone number listed in the customer support e-mail. Some said they had tried to contact their credit card provider or the scam company but got the runaround and simply gave up; others said they were confused because they were in the process of trying to purchase legitimate anti-virus software when their computers were hijacked.

    Continue reading →

    Other9 Comments
    26
    Jul 10

    Services Let Malware Purveyors Check Their Web Reputation

    Virus writers and botmasters increasingly are turning to new subscription services that test when and whether malicious links have been flagged by Web reputation programs like Google Safe Browsing and McAfee SiteAdvisor.

    Nothing puts a crimp in the traffic to booby-trapped Web sites like being listed on multiple Internet reputation services that collect and publish information on the location of nasty Web sites. People who maintain the bad sites can stay ahead of such services by moving their malware to new domains once the present hosts start showing up on too many blacklists. But constantly checking these lists can be a time-consuming pain.

    Enter sites like check-crypt.com. For a mere 20 cents, subscribers can check to see whether their malicious sites are flagged by any of 18 different blacklists, including Spamhaus, ZeuSTracker, SpamCop, SmartScreen (anti-malware and anti-phishing technology built into IE7/IE8), Norton Safe Web, Phishtank, Malwaredomainlist and MalwareURL.

    As we can see from the screen shot here, this service acts as a kind of Virustotal for bad domains, listing the percentage of blacklists that detect any submitted malware sites.

    The name and address of the person who registered check-crypt.com is protected by a domain privacy service, but if we dig far enough back in the WHOIS history we see it was registered to someone named Oleg Lojko in Rogatin, Ukraine. A search for the e-mail address attached to that record turns up a domain (vinni-trinni3.net) that a couple of the malware blacklists have flagged for distributing the infamous Zeus Trojan, a powerful password-stealing strain of malicious software.

    I wanted to test this service, and so I thought I’d pick on vinni-trinni, because that site was first flagged by Malwaredomainlist and MalwareURL back in March of this year. The results were underwhelming: As we can see from the above screen shot, this service detects that three out of 18 blacklists have flagged it as malicious, but the author’s own service fails to show listings by either Malwaredomainlist or MalwareURL.

    Other / Time to Patch14 Comments
    20
    Jul 10

    Adobe: ‘Sandbox’ Will Stave Off Reader Attacks

    Adobe Systems Inc. said today the next release of its free PDF Reader application will include new “sandbox” technology aimed at blocking the exploitation of previously unidentified security holes in its software.

    Sandboxing is an established security mechanism that runs the targeted application in a confined environment that blocks specific actions by that app, such as installing or deleting files, or modifying system information. Adobe said that in developing the sandbox technology, it relied on experts from Microsoft and Google (the latter already has incorporated sandboxing into its Chrome Web browser).

    “The idea is to run Reader in a lower-privilege mode so that even if an attacker finds an exploit or vulnerability in Reader, it runs in lower rights mode, which should block the installation of [malware], deleting things on the system, or tampering with the [Windows] registry,” said Brad Arkin, director of product security and privacy at Adobe.

    Even if only somewhat effective, the new protections would be a major advancement for one of the computing world’s most ubiquitous and oft-targeted software applications. The company is constantly shipping updates to block new attacks: Less than a month ago, Adobe rushed out a patch to plug vulnerabilities that hackers were using to break into vulnerable machines. Security vendor McAfee found that roughly 28 percent of all known software exploits in the first quarter of 2010 targeted Adobe Reader vulnerabilities. According to anti-virus maker F-Secure, Reader is now the most-exploited application for Windows.

    Continue reading →

    Other12 Comments
    20
    May 10

    Apple Ships Java Security Update

    Apple has pushed out an update that fixes at least 30 security vulnerabilities in its version of Java for Mac OS X systems.

    The patch appears to fix a flaw in Java that Oracle shipped more than a month ago that attackers were using to install malicious software on Microsoft Windows systems.

    Updates are available for Mac OS X v10.5.8 and Mac OS X v10.6.3 or later, via Apple Downloads or Software Update. The new release brings Java on the Mac to the current version, Java 6 Update 20.

    A Little Sunshine / Other15 Comments
    7
    May 10

    Fun with ATM Skimmers, Part III

    ATM skimmers, or devices that thieves secretly attach to cash machines in order to capture and ultimately clone ATM cards, have captured the imagination of many readers. Past posts on this blog about ATM skimmers have focused on their prevalence and stealth in attacking cash machines in the United States, but these devices also are a major problem in Europe as well.

    According to the European ATM Security Team (EAST), a not-for-profit payment security organization, ATM crimes in Europe jumped 149 percent form 2007 to 2008, and most of that increase has been linked to a dramatic increase in ATM skimming attacks. During 2008, a total of 10,302 skimming incidents were reported in Europe. Below is a short video authorities in Germany released recently showing two men caught on camera there installing a skimmer and a pinhole camera panel above to record PINs.

    EAST estimates that European ATM fraud losses in 2008 were nearly 500 million Euros, although roughly 80 percent of those losses resulted from fraud committed outside Europe by criminals using stolen card details. EAST believes this is because some 90 percent of European ATMs now are compliant with the so-called “chip and pin” or EMV (an initialism for Europay, Mastercard and VISA) standard.

    ATM cards store account data on magnetic strips on the backs of the cards, and thieves have focused their attention on lifting the data from customer cards — either through handheld skimmers — or via magnetic strip readers on ATM skimmers. The data can then be re-encoded onto blank ATM cards, and used at ATM along with the victim’s PIN to withdraw cash. The EMV approach uses a secret algorithm embedded in the chip planted into each ATM card. The chip encodes the card data, making it harder (but certainly not impossible) for fraudsters to read information from them or clone them. RSA‘s Idan Aharoni wrote an informative post about this technology earlier this year.

    Needless to say, U.S. based financial institutions do not require chip-and-PIN, and that may be a contributor to the high fraud rates in the United States. The U.S. Secret Service estimates that annual losses from ATM fraud totaled about $1 billion in 2008, or about $350,000 each day.

    While many of the images below are not new, they showcase some of the actual ATM skimmers deployed against European cash machines (click any of the images to view a slideshow).

    Other13 Comments
    6
    May 10

    New Software Turns iPad into iSpy

    A new commercial software program marketed to employers, parents and suspicious spouses lets customers surreptitiously monitor their Apple iPads remotely and view a record of all e-mail and Web use on the devices.

    The software-as-a-service is the latest offering from Jacksonville, Fla. based Retina-X Studios, a company whose  Mobile Spy products have long allowed people to remotely spy on iPhones, Blackberries and other smartphones. For $99.97 a year, customers get access to a Web interface that allows them to view a list of every Web site visited, every e-mail sent and received, as well as any contacts added to the iPad.

    Mobile Spy pitches the product thusly:

    Are your kids viewing pornography while you are alseep? [sic] Are your employees sending company secrets through their personal email? You will have the answers to all these questions answered. Logs are instantly uploaded and viewable inside your control panel.

    The company said in a press release that it plans to roll out even more capabilities for its iPadspy product, such as the ability to record the target’s location (by tapping the built-in GPS), and rifle through photos and notes stored on the device.

    I haven’t used the service (I don’t even own an iPad, sadly). But these kinds of services are a good reminder about the importance of physical security for your computers and gadgets: In most cases, once an attacker has physical access to a device, it’s game over.

    The software only works on jailbroken iPads, as the iPad is not able to run more than one program at a time unless it’s jailbroken.

    Other29 Comments
    21
    Apr 10

    Krebsonsecurity.com Partners with Federated Media

    Readers may notice over the next day or so advertisements in one or two prominent spots on this blog. This is the result of a new partnership between Krebs on Security and Federated Media Publishing, a company that connects independent Web site authors with advertisers.

    Federated Media currently represents more than 100 of the most respected social media properties on the Web, including The New York Times, BoingBoing, Breitbart, Mashable, and ReadWriteWeb, to name a few.

    The reporting and investigations I have been conducting through krebsonsecurity.com take up a substantial amount of my time, and this partnership should help ensure that I can continue to dedicate my attention to this vital and highly relevant beat. Thank you for your continued support and readership.

    A Little Sunshine / Other33 Comments
    14
    Apr 10

    Immunet: A Second Opinion Worth a Second Look

    Security experts have long maintained that running two different anti-virus products on the same Windows machine is asking for trouble, because the programs inevitably will compete for resources and slow down or even crash the host PC.

    But an upstart anti-virus company called Immunet Protect is hoping Windows users shrug off this conventional wisdom and embrace the dual anti-virus approach. Indeed, the company’s free product works largely by sharing data about virus detections from other anti-virus products already resident on the PCs of the Immunet user community.

    Users can run Immunet alone, and many do: The program scans files using two types of threat profiles: specific definitions or fingerprints of known threats, and generic signatures that are more akin to looking for a specific malware modus operandi.

    But what makes Immunet different from other anti-virus products is that it also incorporates detections for malware from other anti-virus products that may be resident on users’ machines. For example, each time someone’s PC in the Immunet user base encounters a virus, that threat is logged and flagged on a centralized server so that all Immunet users can be protected from that newly identified malware.

    I’ve been running Immunet in tandem with Kaspersky Internet Security 2010 for the past three months, and have haven’t noticed any impact on system resources or stability issues. Immunet’s creators are especially proud of that last aspect of the program, and say it’s due to the fact that the program does most of its scanning and operations “in-the-cloud,” – that is, not on the user’s system. Immunet currently has about 133,000 active users, and that number changes constantly: Each time you reboot a system with it installed, chances are you will see a different – usually higher – number of users in the community.

    I spoke recently with Immunet’s vice president of engineering, Alfred Huger, a former VP at Symantec Corp., and Adam O’Donnell, director of cloud engineering for the startup. That conversation — excerpts of which are included below — provides interesting insights into how the anti-virus industry operates, how consumers interact with these products, and how Immunet hopes to differentiate itself in already crowded field.

    Continue reading →

    ← Older Entries