Web Fraud 2.0


19
Nov 13

Don’t Like Spam? Complain About It.

Cynical security experts often dismiss anti-spam activists as grumpy idealists with a singular, Sisyphean obsession.  The cynics question if it’s really worth all that time and effort to complain to ISPs and hosting providers about customers that are sending junk email? Well, according to at least one underground service designed for spammers seeking to avoid anti-spam activists, the answer is a resounding “yes!”

atball

Until recently, this reporter was injected into one of the most active and private underground spam forums (the forum no longer exists; for better or worse, the administrator shuttered it in response to this story). Members of this spam forum sold and traded many types of services catering to the junk email industry, including comment spam tools, spam bots, malware, and “installs” — the practice of paying for the privilege of uploading your malware to machines that someone else has already infected.

But among the most consistently popular services on spammer forums are those that help junk emailers manage gigantic email address lists. More specifically, these services specialize keeping huge distribution lists “scrubbed” of inactive addresses as well as those belonging to known security firms and anti-spam activists.

Just as credit card companies have an ironic and derisive nickname for customers who pay off their balances in full each month — these undesirables are called “deadbeats” — spammers often label anti-spam activists as “abusers,” even though the spammers themselves are the true abusers. The screen shot below shows one such email list management service, which includes several large lists of email addresses for people who have explicitly opted out of receiving junk messages (people who once purchased from spam but later asked to be removed or reported the messages as spam). Note the copyright symbol next to the “Dark Side 2012″ notation, which  is a nice touch:

This service made for spammers helps them scrub email distribution lists of addresses for anti-spam activists and security firms.

This service made for spammers helps them scrub email distribution lists of addresses for anti-spam activists and security firms.

The bottom line shows that this service also includes a list of more than 580,000 email addresses thought to be associated with anti-spam activists, security firms and other “abusers.” This list included a number of “spamtrap” addresses created specifically for collecting and reporting spam. The note in the above entry — “abusers_from_severa” — indicates that this particular list was provided by an infamous Russian spammer known as Peter Severa. This blog has featured several stories about Severa, including one that examines his possible identity and role in the development and dissemination of the Waledac and Storm worms.

Continue reading →


6
Nov 13

CryptoLocker Crew Ratchets Up the Ransom

Last week’s article about how to prevent CryptoLocker ransomware attacks generated quite a bit of feedback and lots of questions from readers. For some answers — and since the malware itself has morphed significantly in just a few day’s time — I turned to Lawrence Abrams and his online help forum BleepingComputer.com, which have been following and warning about this scourge for several months.

This message is left by CryptoLocker for victims whose antivirus software removed the file needed to pay the ransom.

This message is left by CryptoLocker for victims whose antivirus software removes the file needed to pay the ransom.

To recap, CryptoLocker is a diabolical new twist on an old scam. The malware encrypts all of the most important files on a victim PC — pictures, movie and music files, documents, etc. — as well as any files on attached or networked storage media. CryptoLocker then demands payment via Bitcoin or MoneyPak and installs a countdown clock on the victim’s desktop that ticks backwards from 72 hours. Victims who pay the ransom receive a key that unlocks their encrypted files; those who let the timer expire before paying risk losing access to their files forever.

Or, at least, that’s how it worked up until a few days ago, when the crooks behind this scam began easing their own rules a bit to accommodate victims who were apparently willing to pay up but simply couldn’t jump through all the hoops necessary in the time allotted.

“They realized they’ve been leaving money on the table,” Abrams said. “They decided there’s little sense in not accepting the ransom money a week later if the victim is still willing to pay to get their files back.”

Part of the problem, according to Abrams, is that few victims even know about Bitcoins or MoneyPak, let alone how to obtain or use these payment mechanisms.

“We put up survey and asked how many [victims] had paid the ransom with Bitcoins, and almost no one said they did, Abrams said. “Most paid with MoneyPak. The people who did pay with Bitcoins said they found the process for getting them was so cumbersome that it took them a week to figure it out.”

Another major stumbling block that prevents many otherwise willing victims from paying the ransom is, ironically, antivirus software that detects CryptoLocker — but only after the malware has locked the victim’s most prized files with virtually uncrackable encryption.

“Originally, when antivirus software would clean a computer, it would remove the CryptoLocker infection, which made it so the user could not pay the ransom,” Abrams said. “Newer versions change the desktop background to include a URL where the user can download the infection again and pay the ransom.”

The idea of purposefully re-infecting a machine by downloading and executing highly destructive malware may be antithetical and even heresy to some security pros. But victims who are facing the annihilation of their most precious files probably have a different view of the situation. Abrams that said his testing has shown that as long as the registry key “HKCU\Software\Cryptolocker_0388″ remains in the Windows registry, re-downloading the malware would not try to re-encrypt the already encrypted data — although it would encrypt any new files added since the initial infection.

“Some antivirus companies have been telling victims not to pay the ransom,” Abrams said. “On the one hand, I get it, because you don’t want to encourage these malware writers. But on the other hand, there are some companies that are facing going out of business if they don’t, and can’t afford to take the holier-that-thou route.”

CRYPTOLOCKER DECRYPTION SERVICE

On Friday, Nov. 1, the crooks behind this malware campaign launched a “customer service” feature that they have been promising to debut for weeks: a CryptoLocker Decryption Service. “This service allow [sic] you to purchase private key and decrypter for files encrypted by CryptoLocker,” the site reads. “Customers” of the service can search for their “order number” simply by uploading any of the encrypted files.

“They’re calling it an ‘order,’ as if victims posted an order at Amazon.com,” Abrams said.

The "Cryptolocker Decryption Service."

The “Cryptolocker Decryption Service.”

“If you already purchased private key using CryptoLocker, then you can download private key and decrypter for free,” explains the service, which is currently hosted at one of several addresses on the Tor anonymity network. The decryption service site is not reachable from the regular Internet; rather, victims must first download and install special software to access the site – yet another potential hurdle for victims to jump through.

According to Abrams, victims who are still within the initial 72-hour countdown clock can pay the ransom by coughing up two Bitcoins — or roughly $200 using a MoneyPak order. Victims who cannot pay within 72 hours can still get their files back, but for that unfortunate lot the ransom rises fivefold to 10 bitcoins — or roughly USD $2,232 at current exchange rates. And those victims will no longer have the option to pay the ransom via MoneyPak.

Abrams said the service exposes two lies that the attackers have been perpetuating about their scheme. For starters, the bad guys have tried to dissuade victims from rolling back their system clocks to buy themselves more time to get the money together and pay the ransom. According to Abrams, this actually works in many cases to delay the countdown timer. Secondly, the launch of the Cryptolocker Decryption Service belies the claim that private keys needed to unlock files encrypted by CryptoLocker are deleted forever from the attacker’s servers after 72 hours.

Continue reading →


25
Sep 13

Data Broker Giants Hacked by ID Theft Service

An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of Americans has infiltrated computers at some of America’s largest consumer and business data aggregators, according to a seven-month investigation by KrebsOnSecurity.

ssndobhomeThe Web site ssndob[dot]ms (hereafter referred to simply as SSNDOB) has for the past two years marketed itself on underground cybercrime forums as a reliable and affordable service that customers can use to look up SSNs, birthdays and other personal data on any U.S. resident. Prices range from 50 cents to $2.50 per record, and from $5 to $15 for credit and background checks. Customers pay for their subscriptions using largely unregulated and anonymous virtual currencies, such as Bitcoin and WebMoney.

Until very recently, the source of the data sold by SSNDOB has remained a mystery. That mystery began to unravel in March 2013, when teenage hackers allegedly associated with the hacktivist group UGNazi showed just how deeply the service’s access went. The young hackers used SSNDOB to collect data for exposed.su, a Web site that listed the SSNs, birthdays, phone numbers, current and previous addresses for dozens of top celebrities — such as performers Beyonce, Kanye West and Jay Z — as well as prominent public figures, including First Lady Michelle Obama, CIA Director John Brennan, and then-FBI Director Robert Mueller.

Earlier this summer, SSNDOB was compromised by multiple attackers, its own database plundered. A copy of the SSNDOB database was exhaustively reviewed by KrebsOnSecurity.com. The database shows that the site’s 1,300 customers have spent hundreds of thousands of dollars looking up SSNs, birthdays, drivers license records, and obtaining unauthorized credit and background reports on more than four million Americans.

Frustratingly, the SSNDOB database did not list the sources of that stolen information; it merely indicated that the data was being drawn from a number of different places designated only as “DB1,” “DB2,” and so on.

But late last month, an analysis of the networks, network activity and credentials used by SSNDOB administrators indicate that these individuals also were responsible for operating a small but very potent botnet — a collection of hacked computers that are controlled remotely by attackers. This botnet appears to have been in direct communications with internal systems at several large data brokers in the United States.  The botnet’s Web-based interface (portions of which are shown below) indicated that the miscreants behind this ID theft service controlled at least five infected systems at different U.S.-based consumer and business data aggregators.

The botnet interface used by  the miscreants who own and operate ssndob[dot]ms

The botnet interface used by the miscreants who own and operate ssndob[dot]ms

DATA-BROKER BOTNET

Two of the hacked servers were inside the networks of Atlanta, Ga.-based LexisNexis Inc., a company that according to Wikipedia maintains the world’s largest electronic database for legal and public-records related information. Contacted about the findings, LexisNexis confirmed that the two systems listed in the botnet interface were public-facing LexisNexis Web servers that had been compromised.

One of two bots connected to SSNDOB that was inside of LexisNexis.

One of two bots connected to SSNDOB that was inside of LexisNexis.

The botnet’s online dashboard for the LexisNexis systems shows that a tiny unauthorized program called “nbc.exe” was placed on the servers as far back as April 10, 2013, suggesting the intruders have had access to the company’s internal networks for at least the past five months. The program was designed to open an encrypted channel of communications from within LexisNexis’s internal systems to the botnet controller on the public Internet.

Two other compromised systems were located inside the networks of Dun & Bradstreet, a Short Hills, New Jersey data aggregator that licenses information on businesses and corporations for use in credit decisions, business-to-business marketing and supply chain management. According to the date on the files listed in the botnet administration panel, those machines were compromised at least as far back as March 27, 2013.

The fifth server compromised as part of this botnet was located at Internet addresses assigned to Kroll Background America, Inc., a company that provides employment background, drug and health screening. Kroll Background America is now part of HireRight, a background-checking firm managed by the Falls Church, Va.-based holding company Altegrity, which owns both the Kroll and HireRight properties. Files left behind by intruders into the company’s internal network suggest the HireRight breach extends back to at least June 2013.

An initial analysis of the malicious bot program installed on the hacked servers reveals that it was carefully engineered to avoid detection by antivirus tools. A review of the bot malware in early September using Virustotal.com – which scrutinizes submitted files for signs of malicious behavior by scanning them with antivirus software from nearly four dozen security firms simultaneously — gave it a clean bill of health: none of the 46 top anti-malware tools on the market today detected it as malicious (as of publication, the malware is currently detected by 6 out of 46 anti-malware tools at Virustotal).

Continue reading →


18
Sep 13

Crooks Hijack Retirement Funds Via SSA Portal

If you receive direct deposits from the Social Security Administration but haven’t yet registered at the agency’s new online account management portal, now would be a good time take care of that: The SSA and financial institutions say they are tracking a rise in cases wherein identity thieves register an account at the SSA’s portal using a retiree’s personal information and have that retiree’s benefits diverted to prepaid debit cards that the crooks control.

The SSA's "my Social Security" portal.

The SSA’s “my Social Security” portal.

Traditional SSA fraud involves identity thieves tricking the beneficiary’s bank into diverting the payments to another account, either through Social Security’s 800 number or through a financial institution, or through Treasury’s Direct Express program. The newer version of this fraud involves the abuse of the SSA’s my Social Security Web portal, which opened last year and allows individuals to create online accounts with the SSA to check their earnings and otherwise interact with the agency relative to their accounts.

Jonathan Lasher, assistant inspector general for external relations at the SSA’s Office of Inspector General, said that for several years the agency was receiving about 50 such allegations a day, though those numbers have begun to decline. But thieves didn’t go away: They just changed tactics. The trouble really began earlier this year, when the Treasury started requiring that almost all beneficiaries receive payments through direct deposit (though the SSA says paper checks are still available to some beneficiaries under limited circumstances).

At the same time, the SSA added the ability to change direct deposit information via their my Social Security Web portal. Shortly thereafter, the agency began receiving complaints that identity thieves were using the portal to hijack the benefits of individuals who had not yet created an account at the site. According to Lasher, as of August 23, 2013, the SSA has received 18,417 allegations of possibly fraudulent mySocialSecurity account activity. Lasher said while some of the complaints are the result of unsuccessful attempts to open an account fraudulently, some are indeed fraud.

“Social Security has already improved security over this online feature, and we continue to work with them to make additional improvements, while also investigating allegations we receive,” Lasher said. “While it’s an issue we’re taking very seriously, it’s important to keep in mind that about 62 million people receive some type of payment from SSA every month, so the likelihood of becoming a victim is very small, particularly if you’re careful about protecting your personal information.”

Because it’s possible to create just one my Social Security account per Social Security number, registering an account on the portal is one basic way that consumers can avoid becoming victims of this scam. Lasher said in the SSA’s systems, every record is tied to the SSN rather than a person’s name, since there are so many duplicate names.

“Of course, the one way to ensure that no one opens an account in your name is to open one yourself,” Lasher said. “Given the nature of other articles on your site, I think it’s important that I point out that there is no suggestion that SSA’s systems have been compromised; this is an identity theft scheme aimed at redirecting existing benefits, often to prepaid debit cards.”

Continue reading →


19
Aug 13

A Closer Look: Perkele Android Malware Kit

In March 2013 I wrote about Perkele, a crimeware kit designed to create malware for Android phones that can help defeat multi-factor authentication used by many banks. In this post, we’ll take a closer look at this threat, examining the malware as it is presented to the would-be victim as well as several back-end networks set up by cybercrooks who have been using mobile bots to fleece banks and their customers.

Perkele disguises itself as an various Android security applications and certiifcates.

Perkele disguises itself as various Android security applications and certificates.

Perkele is sold for $1,000, and it’s made to interact with a wide variety of malware already resident on a victim’s PC. When a victim visits his bank’s Web site, the Trojan (be it Zeus or Citadel or whatever) injects malicious code into the victim’s browser, prompting the user to enter his mobile information, including phone number and OS type.

That information is relayed back to the attacker’s control server, which injects more code into the victim’s browser prompting him to scan a QR code with his mobile device to install an additional security mechanism.

Once the victim scans the QR code, the Perkele malware is downloaded and installed, allowing the attackers to intercept incoming SMS messages sent to that phone. At that point, the malware on the victim’s PC automatically initiates a financial transaction from the victim’s account.

When the bank sends an SMS with a one-time code, Perkele intercepts that code and sends it to the attacker’s control server. Then the malicious script on the victim’s PC receives the code and completes the unauthorized transaction.

Web site security firm Versafe located a server that was being used to host malicious scripts tied to at least one Perkele operation. The company produced this report (PDF), which delves a bit deeper into the behavior and network activity generated by the crimeware kit.

Versafe’s report includes several screenshots of the Perkele application as offered to would-be victims. The malware is presented as a security certificate; it’s named “zertificate” because the victim in this case banked at a German financial institution.

Perkele disguised as a security certificate for a German bank. Source: Versafe.

Perkele disguised as a security certificate for a German bank. Source: Versafe.

A few weeks ago, I encountered the back end system for what appears to be a Perkele distribution, or perhaps some other mobile malware bot; I should note that disguising an Android banking Trojan as a security certificate is not a ruse that’s limited to Perkele: The Pincert SMS malware also employs this trick, according to F-Secure.

Anyhow, I scarcely had time to examine this particular mobile bot control panel before it was either taken down by German authorities or was moved elsewhere by the fraudsters. But it, too, was intercepting one-time codes from German banking victims using an Android malware component similarly disguised as a “zertificate.”

This Android SMS bot control panel targeted German bank customers.

This Android SMS bot control panel targeted German bank customers.

Apparently, it was fairly successful, stealing one-time codes from online banking customers of several German financial institutions, including Postbank and Comdirect.

Dozens of German banking customers were victimized by this Android bot control panel.

Dozens of German banking customers were victimized by this Android bot control panel.

In the screen grab below, we can see the main administrative page of this panel, which controls which banks should be targeted and from where the fraudulent text messages should be sent.

Continue reading →


14
Aug 13

Buying Battles in the War on Twitter Spam

The success of social networking community Twitter has given rise to an entire shadow economy that peddles dummy Twitter accounts by the thousands, primarily to spammers, scammers and malware purveyors. But new research on identifying bogus accounts has helped Twitter to drastically deplete the stockpile of existing accounts for sale, and holds the promise of driving up costs for both vendors of these shady services and their customers.

Image: Twitterbot.info

Image: Twitterbot.info

Twitter prohibits the sale and auto-creation of accounts, and the company routinely suspends accounts created in violation of that policy. But according to researchers from George Mason University, the International Computer Science Institute and the University of California, Berkeley, Twitter traditionally has done so only after these fraudulent accounts have been used to spam and attack legitimate Twitter users.

Seeking more reliable methods of detecting auto-created accounts before they can be used for abuse, the researchers approached Twitter last year for the company’s blessing to purchase credentials from a variety of Twitter account merchants. Permission granted, the researchers spent more than $5,000 over ten months buying accounts from at least 27 different underground sellers.

In a report to be presented at the USENIX security conference in Washington, D.C. today, the research team details its experience in purchasing more than 121,000 fraudulent Twitter accounts of varying age and quality, at prices ranging from $10 to $200 per one thousand accounts.

The research team quickly discovered that nearly all fraudulent Twitter account merchants employ a range of countermeasures to evade the technical hurdles that Twitter erects to stymie the automated creation of new accounts.

“Our findings show that merchants thoroughly understand Twitter’s existing defenses against automated registration, and as a result can generate thousands of accounts with little disruption in availability or instability in pricing,” the paper reads. “We determine that merchants can provide thousands of accounts within 24 hours at a price of $0.02 – $0.10 per account.”

SPENDING MONEY TO MAKE MONEY

For example, to fulfill orders for fraudulent Twitter accounts, merchants typically pay third-party services to help solve those squiggly-letter CAPTCHA challenges. I’ve written here and here about these virtual sweatshops, which rely on low-paid workers in China, India and Eastern Europe who earn pennies per hour deciphering the puzzles.

topemailThe Twitter account sellers also must verify new accounts with unique email addresses, and they tend to rely on services that sell cheap, auto-created inboxes at HotmailYahoo and Mail.ru, the researchers found. “The failure of email confirmation as a barrier directly stems from pervasive account abuse tied to web mail providers,” the team wrote. “60 percent of the accounts were created with Hotmail, followed by yahoo.com and mail.ru.”

Bulk-created accounts at these Webmail providers are among the cheapest of the free email providers, probably because they lack additional account creation verification mechanisms required by competitors like Google, which relies on phone verification. Compare the prices at this bulk email merchant: 1,000 Yahoo accounts can be had for $10 (1 cent per account), and the same number Hotmail accounts go for $12. In contrast, it costs $200 to buy 1,000 Gmail accounts.

topcountriesFinally, the researchers discovered that Twitter account merchants very often spread their new account registrations across thousands of Internet addresses to avoid Twitter’s IP address blacklisting and throttling. They concluded that some of the larger account sellers have access to large botnets of hacked PCs that can be used as proxies during the registration process.

“Our analysis leads us to believe that account merchants either own or rent access to thousands of compromised hosts to evade IP defenses,” the researchers wrote.

Damon McCoy, an assistant professor of computer science at GMU and one of the authors of the study, said the top sources of the proxy IP addresses were computers in developing countries like India, Ukraine, Thailand, Mexico and Vietnam.  “These are countries where the price to buy installs [installations of malware that turns PCs into bots] is relatively low,” McCoy said.

Continue reading →


30
Jul 13

Mail from the (Velvet) Cybercrime Underground

Over the past six months, “fans” of this Web site and its author have shown their affection in some curious ways. One called in a phony hostage situation that resulted in a dozen heavily armed police surrounding my home. Another opened a $20,000 new line of credit in my name. Others sent more than $1,000 in bogus PayPal donations from hacked accounts. Still more admirers paid my cable bill for the next three years using stolen credit cards. Malware authors have even used my name and likeness to peddle their wares.

“Flycracker,” the administrator of thecc.bz crime forum, hatches plan to send drugs to my home.

“Flycracker,” the administrator of thecc.bz crime forum, hatches plan to send drugs to my home.

But the most recent attempt to embarrass and fluster this author easily takes the cake as the most elaborate: Earlier this month, the administrator of an exclusive cybercrime forum hatched and executed a plan to purchase heroin, have it mailed to my home, and then spoof a phone call from one of my neighbors alerting the local police. Thankfully, I had already established a presence on his forum and was able to monitor the scam in real time and alert my local police well in advance of the delivery.

This would-be smear campaign was the brainchild of a fraudster known variously online as “Fly,” “Flycracker,” and MUXACC1 (muxa is transliterated Russian for “муха” which means “fly”). Fly is the administrator of the fraud forum “thecc[dot]bz,” an exclusive and closely guarded Russian language board dedicated to financial fraud and identity theft.

On July 14, Flycracker posted a new  forum discussion thread titled, “Krebs Fund,” in which he laid out his plan: He’d created a bitcoin wallet for the exclusive purpose of accepting donations from other members. The goal: purchase heroin in my name and address from a seller on the Silk Road, an online black market that is only reachable via the Tor network.  In the screenshot pictured above, Flycracker says to fellow members:

“Guys, it became known recently that Brian Krebs is a heroin addict and he desperately needs the smack, so we have started the “Helping Brian Fund”, and shortly we will create a bitcoin wallet called “Drugs for Krebs” which we will use to buy him the purest heroin on the Silk Road.  My friends, his withdrawal is very bad, let’s join forces to help the guy! We will save Brian from the acute heroin withdrawal and the world will get slightly better!”

Together, forum members raised more than 2 bitcoins – currently equivalent to about USD $200. At first, Fly tried to purchase a gram of heroin from a Silk Road vendor named 10toes, an anonymous seller who had excellent and plentiful feedback from previous buyers as a purveyor of reliably good heroin appropriate for snorting or burning and inhaling (see screnshot below).

Flycracker discussing the purchase of a gram of heroin from Silk Road seller "10toes."

Flycracker discussing the purchase of a gram of heroin from Silk Road seller “10toes.”

For some reason, that transaction with 10toes fell through, and Flycracker turned to another Silk Road vendor — Maestro — from whom he purchased a dozen baggies of heroin of “HIGH and consistent quality,” to be delivered to my home in Northern Virginia earlier today. The purchase was made using a new Silk Road account named “briankrebs7,” and cost 1.6532 bitcoins (~USD $165).

Flycracker ultimately bought 10 small bags of smack from Silk Road seller "Maestro."

Flycracker ultimately bought 10 small bags of smack from Silk Road seller “Maestro.” The seller threw in two extra bags for free (turns out he actually threw in three extra bags).

In the screen shot below, Fly details the rest of his plan:

“12 sacks of heroin [the seller gives 2 free sacks for a 10-sacks order] are on the road, can anyone make a call [to the police] from neighbors, with a record? Seller said the package will be delivered after 3 days, on Tuesday. If anyone calls then please say that drugs are hidden well.”

h3

Last week, I alerted the FBI about this scheme, and contacted a Fairfax County Police officer who came out and took an official report about it. The cop who took the report just shook his head incredulously, and kept saying he was trying to unplug himself from various accounts online with the ultimate goal of being “off the Internet and Google” by the time he retired. Before he left, the officer said he would make a notation on my report so that any officer dispatched to respond to complaints about drugs being delivered via mail to my home would prompted to review my report.

FOLLOWING THE MONEY

I never doubted Flycracker”s resolve for a minute, but I still wanted to verify his claims about having made the purchase. On that front I received assistance from Sara Meiklejohn, a graduate student at the University of California, San Diego who’s been analyzing the role of bitcoin and anonymity on the Silk Road. Meiklejohn confirmed that the bitcoin wallet linked to in Fly’s forum thread was indeed used to deposit two bitcoins into a purse controlled by anonymous individuals who help manage commerce on the Silk Road.

Meiklejohn and fellow researcher Damon McCoy, an assistant professor of computer science at George Mason University, have been mapping out a network of bitcoin wallets that are used exclusively by the curators of the Silk Road. If you wish to transact with merchants on the Silk Road, you need to fund your account with bitcoins. The act of adding credits appears to be handled by a small number of bitcoin purses.

“All Silk Road purchases are handled internally by Silk Road, which means money trades hands from the Silk Road account of the buyer to the Silk Road account of the seller,”  explained Meiklejohn, author of the paper, A Fistful of Bitcoins: Characterizing Payments Among Men with No Names, to be released in October 2013 at the ACM Internet Measurement Conference in Barcelona, Spain.

Continue reading →


25
Jul 13

Haunted by the Ghosts of ZeuS & DNSChanger

One of the challenges in malware research is separating the truly novel innovations in malcoding from new nasties that merely include nominal or superficial tweaks. This dynamic holds true for both malware researchers and purveyors, albeit for different reasons. Researchers wish to avoid being labeled alarmist in calling special attention to what appears to be an emerging threat that turns out to be old news; the bad guys just want to avoid getting scammed into paying for an old malware kit dressed up as the new next big thing.

Source: RSA

Source: RSA

On Tuesday, RSA Security somewhat breathlessly announced that it had spotted KINS, a ZeuS Trojan variant that looked like “a new professional-grade banking Trojan” that was likely to emerge as the “next Trojan epiphany” in the cybercrime underground. RSA said the emergence of KINS was notable because the reigning ZeuS Trojan derivative – the Citadel Trojan — had long ago been taken off the market, and that crooks were anxiously awaiting the development and sale of a new botnet creation kit based on the leaked ZeuS source code.

Since December 2012, when the spokesperson of the Citadel team took the Trojan off the semi-open underground market, cyber criminals have been scrambling to find a replacement,” RSA’s Limor Kessem wrote. “In early February 2013, RSA fraud intelligence researchers began tracing hints about a new crimeware tool called ‘KINS’. At the time, the information about the Trojan just a rumor, but in sporadic comments, fraudsters were associating a Trojan named KINS with the Citadel source code, looking for its developer in order to reach out to him and purchase KINS. The rumors were soon hushed and ties to Citadel were denied, mostly in what appeared as a case of fearful fraudsters who did not want to be denied the possibility to buy the next Trojan.”

But according to Fox-IT, a security research and consulting group based in The Netherlands, KINS has been used in private since at least December 2011 to attack financial institutions in Europe, specifically Germany and The Netherlands. Fox-IT says KINS is short for “Kasper Internet Non-Security,” which is likely the malware author’s not-so-subtle dig at the security suite offered by Russian antivirus maker Kaspersky.

Source: Fox-IT

Source: Fox-IT

In its own analysis of the banking Trojan malware, Fox-IT said KINS is fully based on the leaked ZeuS source code, and includes only minor additions. What’s more, Fox-IT notes, many of the users of KINS have already migrated to yet another ZeuS variant, suggesting that perhaps they were unsatisfied with the product and that it didn’t deliver as advertised.

“While the technical additions are interesting, they are far from ground breaking,” wrote Michael Sandee, principal security expert at Fox-IT. “With an array of fairly standard features, and relatively simple additions to the standard ZeuS, such as reporting of installed security product information, the malware platform does not bring anything really new. There are however some features of this malware, not aimed at the functionality for the person using it, but aimed at complicating malware analysis.”

OLD MALWARE, NEW PAINTJOB?

From the bad-guy perspective, this infighting over malware innovation is on display in a new malware offering that surfaced today on a semi-private forum: The seller is pitching a resurrected and modified version of the DNSChanger Trojan, a global contagion that once infected millions of PCs. The DNSChanger botnet, which hooked into infected systems quite deeply and spread to both Windows and Mac computers, was eradicated only by a worldwide, concerted digital quarantine and vaccination effort — combined with the arrest of its creators.

Continue reading →


23
Jul 13

One-Stop Bot Chop-Shops

New fraudster-friendly content management systems are making it more likely than ever that crooks who manage botnets and other large groupings of hacked PCs will extract and sell all credentials of value that can be harvested from the compromised machines.

Templates like this are helping to spread one-stop-fraud shops.

Templates like this are helping to spread one-stop-fraud shops.

I’ve often observed that botmasters routinely fail to fully eat what they kill. That is, they tend to chronically undervalue the computers at their disposal, and instead focus on extracting specific resources from hacked PCs, such as using them as spam relays or harvesting online banking credentials. Meanwhile, other assets on the hacked PC that have street value go unused and “wasted” from the fraudster’s perspective.

More often, when miscreants do seek to extract and monetize all of the account credentials from their hacked PCs, they do so by selling access to their raw botnet “logs” — huge text files that document the notable daily activities of the botted systems. To borrow from another food metaphor, this is the digital equivalent of small farms selling their fruits and vegetables as “pick-your-own;” such commerce produces some added revenue without requiring much more work on the seller’s part.

Recently, I’ve been spotting more online fraud shops set up using what appear to be pre-set templates that can be used to sell all manner of credentials from hacked PCs. These shops all sell credit and debit card information, of course, but also lists of emails culled from victim computers, hacked VPN and RDP credentials, Cpanel installations, PHP mailers, FTP access, SSH logins, and online gambling accounts. Some of the panels are even reselling hacked credentials at popular porn sites. Goods can be purchased via virtual currencies such as Perfect Money and bitcoin.

The shop shown below — blackhatstore[dot]ru — borrows the trademarked image of the Black Hat security conference franchise. It’s sometimes said that there’s no such thing as bad press, but I’m pretty sure the folks at Black Hat don’t want their brand advertised or associated in this way (by the way, I’ll be speaking at this year’s Black Hat in Las Vegas next week). I alerted the Black Hat organizers to this fraudulent site, so I wouldn’t expect it to remain live much longer.

This bot chop shop trades on the good name and trademarks of the Black Hat security conference franchise owned by UBM Tech.

This bot chop shop trades on the good name and trademarks of the Black Hat security conference franchise owned by UBM Tech.

Continue reading →


18
Jul 13

Botcoin: Bitcoin Mining by Botnet

An increasing number of malware samples in the wild are using host systems to secretly mine bitcoins. In this post, I’ll look at an affiliate program that pays people for the mass installation of programs that turns host machines into bitcoin mining bots.

The FeodalCash bitcoin mining affiliate program.

The FeodalCash bitcoin mining affiliate program.

Bitcoin is a decentralized, virtual currency, and bitcoins are created by large numbers of CPU-intensive cryptographic calculations. As Wikipedia explains, the processing of Bitcoin transactions is secured by servers called bitcoin miners. These servers communicate over an internet-based network and confirm transactions by adding them to a ledger which is updated and archived periodically using peer-to-peerfilesharing technology. In addition to archiving transactions, each new ledger update creates some newly minted bitcoins.

Earlier this week, I learned of a Russian-language affiliate program called FeodalCash which pays its members to distribute a bitcoin mining bot that forces host PCs to process bitcoin transactions (hat tip to security researcher Xylitol). FeodalCash opened its doors in May 2013, and has been recruiting new members who can demonstrate that they have control over enough Internet traffic to guarantee at least several hundred installs of the bitcoin mining malware each day.

The FeodalCash administrator claims his mining program isn’t malware, although he cautions all affiliates against submitting the installer program to multi-antivirus scanners such as Virustotal; sending the program that installs bitcoin mining bot to Virustotal “greatly complicates the work with antivirus” on host PCs. Translation: Because services like Virustotal share information about new malware samples with all participating antivirus vendors, scanning the installer will make it more likely that antivirus products on host PCs will flag the program as malicious. Rather, the administrator urged users who want to check the files for antivirus detection to use a criminal friendly service like scan4u[dot]net or chk4me[dot]com, which likewise scan submitted files with dozens of different antivirus tools but block those tools from reporting home about new and unidentified malware variants.

This Google-translated version of the site shows the builder for the installer.

This Google-translated version of the site shows the builder for the installer.

I gained access to an affiliate account and was able to grab a copy of the mining program. I promptly submitted the file to Virustotal and found it was flagged as a trojan horse program by at least two antivirus products. This analysis at automated malware scanning site malwr.com shows that the mining program installer ads a Windows registry key so that the miner starts each time Windows boots up. It also indicates that the program beacons out to pastebin.com (perhaps to deposit a note about each new installation).

The FeodalCash administrator also claims that his affiliates are not permitted to distribute the installer file in any way that violates the law, but of course it’s unclear which national laws he might be talking about. At the same time, the affiliate program’s Web site includes a graphical tool that helps affiliates create a custom installer program that can install silently and be disguised with a variety of program icons that are similar to familiar Windows icons.

Also, the administrator demands that new users demonstrate the ability to garner hundreds to thousands of installs per day. This is a rather high install rate, and it appears many if not all affiliates are installing the mining program by bundling it with other executable programs distributed by so-called pay-per-install (PPI) programs. This was apparent because a source managed to gain administrative-level access to the back-end database for the FeodalCash program, which includes hundreds of messages between affiliates and the administrator; most of those messages are from new registrants sending the administrator screenshots  of their traffic and installs statistics at various PPI affiliate programs.

Continue reading →