Posts Tagged: Kaspersky

A Little Sunshine / Web Fraud 2.036 Comments
6
Mar 13

Mobile Malcoders Pay to (Google) Play

An explosion in malware targeting Android users is being fueled in part by a budding market for mobile malcode creation kits, as well as a brisk market for hijacked or fraudulent developer accounts at Google Play that can be used to disguise malware as legitimate apps for sale.

An Underweb ad for Perkele

An Underweb ad for Perkele

I recently encountered an Android malware developer on a semi-private Underweb forum who was actively buying up verified developer accounts at Google Play for $100 apiece. Google charges just $25 for Android developers who wish to sell their applications through the Google Play marketplace, but it also requires the accounts to be approved and tied to a specific domain. The buyer in this case is offering $100 for sellers willing to part with an active, verified Play account that  is tied to a dedicated server.

Unsurprisingly, this particular entrepreneur also sells an Android SMS malware package that targets customers of Citibank, HSBC and ING, as well as 66 other financial institutions in Australia, France, India, Italy, Germany, New Zealand, Singapore, Spain, Switzerland and Turkey (the complete list is here). The targeted banks offer text messages as a form of multi-factor authentication, and this bot is designed to intercept all incoming SMS messages on infected Android phones.

This bot kit — dubbed “Perkele” by a malcoder who goes by the same nickname (‘perkele’ is a Finnish curse word for “devil” or “damn”) — does not appear to be terribly diabolical or sophisticated as modern mobile malware goes. Still, judging from the number and reputation of forum buyers who endorsed Perkele’s malware, it appears quite popular and to perform as advertised.

Continue reading →

A Little Sunshine / The Coming Storm12 Comments
18
Jan 13

Polish Takedown Targets ‘Virut’ Botnet

Security experts in Poland on Thursday quietly seized domains used to control the Virut botnet, a huge army of hacked PCs that is custom-built to be rented out to cybercriminals.

Source: Symantec

Source: Symantec

NASK, the domain registrar that operates the “.pl” Polish top-level domain registry, said that on Thursday it began assuming control over 23 .pl domains that were being used to operate the Virut network. The company has redirected traffic from those domains to sinkhole.cert.pl, a domain controlled by CERT Polska — an incident response team run by NASK. The company says it will be working with Internet service providers and security firms to help alert and clean up affected users.

“Since 2006, Virut has been one of the most disturbing threats active on the Internet,” CERT Polska wrote. “The scale of the phenomenon was massive: in 2012 for Poland alone, over 890 thousand unique IP addresses were reported to be infected by Virut.”

Some of the domains identified in the takedown effort — including ircgalaxy.pl and zief.pl — have been used as controllers for nearly half a decade. During that time, Virut has emerged as one of the most common and pestilent threats. Security giant Symantec recently estimated Virut’s size at 300,000 machines; Russian security firm Kaspersky said Virut was responsible for 5.5 percent of malware infections in the third quarter of 2012.

The action against Virut comes just days after Symantec warned that Virut had been used to redeploy Waledac, a spam botnet that was targeted in a high-profile botnet takedown by Microsoft in 2010.

SELF-PERPETUATING CRIME MACHINE

A file-infecting virus that has long been used to steal information from infected PCs, Virut is often transmitted via removable drives and file-sharing networks. But in recent years, it has become one of the most reliable engines behind massive  malware deployment systems known as pay-per-install (PPI) networks. One such example was “exerevenue.com,” a popular PPI network that once shared Internet resources with the aforementioned .pl domains.

exerevenuessPPI networks attract entrepreneurial malware distributors, hackers who are given custom “installer” programs that bundle malware and adware. In return, the distributors are paid a set amount for each 1,000 times their installer programs are run on new PCs. Access to the PPI networks is sold to miscreants in the underground, particularly spammers who are looking to increase the size of their spam botnets.  Those clients submit their malware—a spambot, fake antivirus software, or password-stealing Trojan—to the PPI service, which in turn charges varying rates per thousand successful installations, depending on the requested geographic location of the desired victims.

The Exerevenue.com PPI program died off in 2010, but cached copies of the site offer a fascinating glimpse into the Virut business model. The following snippet of text was taken from Exerevenue’s software end-user license agreement  (EULA, and yes, this malware had a EULA). It aptly described how Virut worked: As a file-infecting virus that injected copies of itself into all .EXE and .HTML files found on victim PCs. According to the Exerevenue administrators, the program’s installer relied on a trademarked “QuickBundle™” technology that bundled adware with other programs.

“3) The software will especially target .EXE and .HTML files in the process of bundling. Other types of files may also be affected. HTML files are bundled with adware indirectly, through Internet links, and it relies upon certain features of Web browsers that are often considered undesired. Therefore, you agree you will not deliver your bundled files to anyone who can be offended by the QuickBundle technology described earlier. In order to prevent a file from being bundled with adware, you can change its name to begin with PSTO or WINC (in case of .EXE and .SCR files) or change its extension (in case of .HTM(heart), .ASP, and .PHP files), for example to .TXT. Apart from enriching your files with ad-supported content, your Windows HOSTS file will be modified to block certain domains used for adware loading automatization.”

Continue reading →

A Little Sunshine / The Coming Storm / Web Fraud 2.011 Comments
28
Mar 12

Researchers Clobber Khelios Spam Botnet

Experts from across the security industry collaborated this week to quarantine more than 110,000 Microsoft Windows PCs that were infected with the Khelios worm, a contagion that forces infected PCs to blast out junk email advertising rogue Internet pharmacies.

Most botnets are relatively fragile: If security experts or law enforcement agencies seize the Internet servers used to control the zombie network, the crime machine eventually implodes. But Khelios (a.k.a. “Kelihos”) was built to withstand such attacks, employing a peer-to-peer structure not unlike that used by popular music and file-sharing sites to avoid takedown by the entertainment industry.

Update, 11:07 a.m. ET: Multiple sources are now reporting that within hours of the Khelios.B takedown, Khelios.C was compiled and launched. It appears to be spreading via Facebook.

Original post: The distributed nature of a P2P botnet allows the botmaster to orchestrate its activities by seeding a few machines in the network with encrypted instructions. Those systems then act as a catalyst, relaying the commands from one infected machine to another in rapid succession.

P2P botnets can be extremely resilient, but they typically posses a central weakness: They are only as strong as the encryption that scrambles the directives that the botmaster sends to infected machines. In other words,  anyone who manages to decipher the computer language needed to talk to the compromised systems can send them new instructions, such as commands to connect to a control server that is beyond the reach of the miscreant(s) who constructed the botnet.

That’s precisely the approach that security researchers used to seize control of Khelios. The caper was pulled off by a motley band of security experts from the Honeynet Project, Kaspersky, SecureWorks, and startup security firm CrowdStrike. The group figured out how to crack the encryption used to control systems infected with Khelios, and then sent a handful of machines new instructions to connect to a Web server that the researchers controlled.

That feat allowed the research team to wrest the botnet from the miscreants who created it, said Adam Meyers, director of intelligence for CrowdStrike. The hijacking of the botnet took only a few minutes, and when it was complete, the team had more than 110,000 PCs reporting to its surrogate control server.

“Once we injected that information in the P2P node, it was essentially propagating everything else for us,” Meyers said. “By taking advantage of the intricacies of the protocol, we were providing the most up-to-date information that all of hosts were spreading.”

The group is now working to notify ISPs where the infected hosts reside, in hopes of cleaning up the bot infestations. Meyers said that, for some unknown reason, the largest single geographic grouping of Khelios-infected systems – 25 percent — were located in Poland. U.S.-based ISPs were home to the second largest contingent of Khelios bots. Meyers said about 80 percent of the Khelios-infected systems they sinkholed were running Windows XP, an increasingly insecure operating system that Microsoft released more than a decade ago. Continue reading →

Latest Warnings / Web Fraud 2.017 Comments
5
Aug 11

Is That a Virus in Your Shopping Cart?

Six million Web pages have been booby-trapped with malware, using security vulnerabilities in software that hundreds of thousands of e-commerce Web sites use to process credit and debit card transactions.

Web security firm Armorize said it has detected more than six million Web pages that were seeded with attack kits designed to exploit Web browser vulnerabilities and plant malicious software. The company said the hacked sites appear to be running outdated and insecure versions of osCommerce, an e-commerce shopping cart program that is popular with online stores.

Armorize said the compromised pages hammer a visitor’s browser with exploits that target at least five Web browser plug-in vulnerabilities, including two flaws in Java, a pair of Windows bugs, and a security weakness in Adobe‘s PDF Reader. Patches are available for all of the targeted browser vulnerabilities.

Continue reading →