Advertisement
<a href="http://krebsonsecurity.com/monster-spam-campaigns-lead-to-cyberheists/?administer_redirect_13=http://abaca.com/free_trial.html"><img src="/a-ab/missing.gif" /></a>
  • About the Author
  • About this Blog

    • Posts Tagged: zeus

    Target: Small Businesses27 Comments
    3
    Oct 11

    Monster Spam Campaigns Lead to Cyberheists

    Phishers and cyber thieves have been casting an unusually wide net lately, blasting out huge volumes of fraudulent email designed to spread password-stealing banking Trojans. Judging from the number of victims who reported costly cyber heists in the past two weeks, many small to medium sized organizations took the bait.

    These fake NACHA lures were mailed the week of Sept. 19, even though the sent date on the message says Aug. 3. Source: Commtouch.

    Security firm Symantec says it detected an unprecedented jump in spam blasts containing “polymorphic malware,” — malicious software that constantly changes its appearance to evade security software. One of the most tried-and-true lures used in these attacks is an email crafted to look like it was sent by NACHA, a not-for-profit group that develops operating rules for organizations that handle electronic payments, from payroll direct deposits to online bill pay services.

    Using NACHA’s name as bait is doubly insulting because victims soon find new employees — money mules — added to their payroll. After adding the mules, the thieves use the victim’s online banking credentials to push through an unauthorized batch of payroll payments to the mules, who are instructed to pull the money out in cash and wire the funds (minus a commission) overseas.

    On Sept. 13, computer crooks stole approximately $120,000 from Oncology Services of North Alabama, a component of the Center for Cancer Care, a large medical health organization in Alabama. John Ziak, director of information technology at the center, said he suspects the organization’s accounting firm was the apparent source of the compromise. That means other clients may also have been victimized. He declined to name the accounting firm.

    Continue reading →

    A Little Sunshine / Latest Warnings / Web Fraud 2.018 Comments
    26
    Sep 11

    ‘Right-to-Left Override’ Aids Email Attacks

    Computer crooks and spammers are abusing a little-known encoding method that makes it easy to disguise malicious executable files (.exe) as relatively harmless documents, such as text or Microsoft Word files.

    The “right to left override” (RLO) character is a special character within unicode, an encoding system that allows computers to exchange information regardless of the language used. Unicode covers all the characters for all writing systems of the world, modern and ancient. It also includes technical symbols, punctuations, and many other characters used in writing text. For example, a blank space between two letters, numbers or symbols is expressed in unicode as “U+0020″.

    The RLO character (U+202e in unicode) is designed to support languages that are written right to left, such as Arabic and Hebrew. The problem is that this override character also can be used to make a malicious file look innocuous.

    This threat is not new, and has been known for some time. But an increasing number of email based attacks are taking advantage of the RLO character to trick users who have been trained to be wary of clicking on random .exe files, according to Internet security firm Commtouch.

    Take the following file, for example, which is encoded with the RLO character:

    “CORP_INVOICE_08.14.2011_Pr.phylexe.doc”

    Looks like a Microsoft Word document, right? This was the lure used in a recent attack that downloaded Bredolab malware. The malicious file, CORP_INVOICE_08.14.2011_Pr.phyldoc.exe, was made to display as CORP_INVOICE_08.14.2011_Pr.phylexe.doc by placing the unicode command for right to left override just before the “d” in “doc”.

    Continue reading →

    Latest Warnings / The Coming Storm8 Comments
    24
    Aug 11

    Hybrid Hydras and Green Stealing Machines

    Hybrids seem to be all the rage in the automobile industry, so it’s unsurprising that hybrid threats are the new thing in another industry that reliably ships updated product lines: The computer crime world. The public release of the source code for the infamous ZeuS Trojan earlier this year is spawning novel attack tools. And just as hybrid cars hold the promise of greater fuel efficiency, these nascent threats show the potential of the ZeuS source code leak for morphing ordinary, run-of-the-mill malware into far more efficient data-stealing machines.

    Researchers at Trusteer have unearthed evidence that portions of the leaked ZeuS source code have been fused with recent versions of Ramnit, a computer worm first spotted in January 2010. Amid thousands of other password-stealing, file-infecting worms  capable of spreading via networked drives, Ramnit is unremarkable except in one respect: It is hugely prolific. According to a report (PDF) from Symantec, Ramnit accounted for 17.3 percent of all malicious software that the company detected in July 2011.

    Continue reading →

    A Little Sunshine / Latest Warnings / Target: Small Businesses / Web Fraud 2.060 Comments
    28
    Jul 11

    Trojan Tricks Victims Into Transferring Funds

    It’s horrifying enough when a computer crook breaks into your PC, steals your passwords and empties your bank account. Now, a new malware variant uses a devilish scheme to trick people into voluntarily transferring money from their accounts to a cyber thief’s account.

    The German Federal Criminal Police (the “Bundeskriminalamt” or BKA for short) recently warned consumers about a new Windows malware strain that waits until the victim logs in to his bank account. The malware then presents the customer with a message stating that a credit has been made to his account by mistake, and that the account has been frozen until the errant payment is transferred back.

    When the unwitting user views his account balance, the malware modifies the amounts displayed in his browser; it appears that he has recently received a large transfer into his account. The victim is told to immediately make a transfer to return the funds and unlock his account. The malicious software presents an already filled-in online transfer form — with the account and routing numbers for a bank account the attacker controls.

    Continue reading →

    A Little Sunshine / The Coming Storm28 Comments
    6
    Jun 11

    Criminal Classifieds: Malware Writers Wanted

    The global economy may be struggling to create new jobs, but the employment outlook for criminally-inclined computer programmers has never been brighter. I’ve spent some time lurking on shadowy, online underground forums, and lately I’ve seen a proliferation of banner ads apparently placed by criminal gangs looking for talented programmers to help make existing malware stealthier and more feature-rich.

    Many of the ads highlight job openings for coders who are skilled in devising custom “crypters,” programs designed to change the appearance of known malware so that it goes undetected by anti-virus software. Anti-virus signatures are based on snippets of code found within known malware samples, and crypters can try to help hide or obfuscate the code. When anti-virus firms update their products with the ability to detect and flag files that are shrouded by this layer of obfuscation, malware writers tweak their creations in a bid to further evade the new detection mechanisms.

    The composite banner ad pictured above is a solicitation from a crime gang that offers a base salary of $2,000 per month in exchange for a “long-term partnership” creating crypters that include customer support. The ads lead to a sign-up page (below) where interested coders can leave their résumé and contact information, and state why they think they are qualified for the position.

    The Russian text in the above ad translates to:

    “We invite you to join our team of crypto-programmers, including programmers with no experience in this field.

    We offer:

    * Base salary from $2,000 per month, with an increase in salary, depending on the quality and timeliness of your work.
    * Payments are made ​​weekly.
    * Long-term cooperation (with many programmers, we have been in business for more than two years).

    Please fill in your application only if you understand what is at stake. Thank you.”

    Other ads, like the one below, seek qualified candidates for similar jobs with a promise of as much as $5,000 per month for creating custom crypters and providing customer support.

    There also appears to be a high demand for programmers who can code so-called “Web injects,” plug-ins for malware kits like the ZeuS and SpyEye trojans, and they’re designed to inject custom content into a Web browser when the victim browses to certain sites, such as a specific bank’s login page.

    Continue reading →

    A Little Sunshine / Web Fraud 2.08 Comments
    16
    May 11

    Something Old is New Again: Mac RATs, CrimePacks, Sunspots & ZeuS Leaks

    New and novel malware appears with enough regularity to keep security researchers and reporters on their toes. But, often enough, there are seemingly new perils that  really are just old threats that have been repackaged or stubbornly lingering reports that are suddenly discovered by a broader audience. One of the biggest challenges faced by  the information security community is trying to decide which threats are worth investigating and addressing.  To illustrate this dilemma, I’ve analyzed several security news headlines that readers forwarded  to me this week, and added a bit more information from my own investigations.

    I received more than two dozen emails and tweets from readers calling my attention to news that the source code for the 2.0.8.9 version of the ZeuS crimekit has been leaked online for anyone to download. At one point last year, a new copy of the ZeuS Trojan with all the bells and whistles was fetching at least $10,000. In February, I reported that the source code for the same version was being sold on underground forums. Reasonably enough, news of the source leak was alarming to some because it suggests that even the most indigent hackers can now afford to build their own botnets.

    A hacker offering to host and install a control server for a ZeuS botnet.

    We may see an explosion of sites pushing ZeuS as a consequence of this leak, but it hasn’t happened yet. Roman Hüssy, curator of ZeusTracker, said in an online chat, “I didn’t see any significant increase of new ZeuS command and control networks, and I don’t think this will change things.” I tend to agree. It was already ridiculously easy to start your own ZeuS botnet before the source code was leaked. There are a number of established and relatively inexpensive services in the criminal underground that will sell individual ZeuS binaries to help novice hackers set up and establish ZeuS botnets (some will even sell you the bulletproof hosting and related amenities as part of a package), for a fraction of the price of the full ZeuS kit.

    My sense is that the only potential danger from the release of the ZeuS source code  is that more advanced coders could use it to improve their current malware offerings. At the very least, it should encourage malware developers to write more clear and concise user guides. Also, there may be key information about the ZeuS author hidden in the code for people who know enough about programming to extract meaning and patterns from it.

    Are RATs Running Rampant?

    Last week, the McAfee blog included an interesting post about a cross-platform “remote administration tool” (RAT) called IncognitoRAT that is based on Java and can run on Linux, Mac and Windows systems. The blog post featured some good details on the functionality of this commercial crimeware tool, but I wanted to learn more about how well it worked, what it looks like, and some background on the author.

    Those additional details, and much more, were surprisingly easy to find. For starters, this RAT has been around in one form or another since last year. The screen shot below shows an earlier version of IncognitoRAT being used to remotely control a Mac system.

    IncognitoRAT used to control a Mac from a Windows machine.

    The kit also includes an app that allows customers to control botted systems via jailbroken iPhones.

    Incognito ships with an app that lets customers control infected computers from an iPhone

    The following video shows this malware in action on a Windows system. This video was re-recorded from IncognitoRAT’s YouTube channel (consequently it’s a little blurry), but if you view it full-screen and watch carefully you’ll see a sequence in the video that shows how the RAT can be used to send e-mail alerts to the attacker. The person making this video is using Gmail; we can see a list of his Gchat contacts on the left; and his IP address at the bottom of the screen.  That IP traces back to a Sympatico broadband customer in Toronto, Canada, which matches the hometown displayed in the YouTube profile where this video was hosted. A Gmail user named “Carlo Saquilayan” is included in the Gchat contacts visible in the video.

    Continue reading →

    Latest Warnings / The Coming Storm / Web Fraud 2.051 Comments
    2
    May 11

    ‘Weyland-Yutani’ Crime Kit Targets Macs for Bots

    A new crimeware kit for sale on the criminal underground makes it a simple point-and-click exercise to develop malicious software designed to turn Mac OSX computers into remotely controllable zombie bots. According to the vendor of this kit, it is somewhat interchangeable with existing crimeware kits made to attack Windows-based PCs.

    The Mac malware builder in action.

    KrebsOnSecurity has spilled a great deal of digital ink covering the damage wrought by ZeuS and SpyEye, probably the most popular crimeware kits built for Windows. A crimeware kit is a do-it-yourself package of tools that allow users to create custom versions of a malicious software strain capable of turning machines into bots that can be remotely controlled and harvested of financial and personal data. The bot code, generated by the crimeware kit’s “builder” component, typically is distributed via social engineering attacks in email and social networking sites, or is foisted by an exploit pack like Eleonore or Blackhole, which use hacked Web sites and browser flaws to quietly install the malware. Crimeware kits also come with a Web-based administration panel that allows the customer to manage and harvest data from infected PCs.

    Crimekit makers have focused almost exclusively on the Windows platform, but today Danish IT security firm CSIS Security Group blogged about a new kit named the Weyland-Yutani BOT that is being marketed as the first of its kind to attack the Mac OS X platform.

    The seller of this crimeware kit claims his product supports form-grabbing in Firefox and Chrome, and says he plans to develop a Linux version and one for the iPad in the months ahead. The price? $1,000, with payment accepted only through virtual currencies Liberty Reserve or WebMoney.

    The CSIS blog post contains a single screen shot of this kit’s bot builder, and references a demo video but doesn’t show it. I wanted to learn more about this kit, and so contacted the seller via a Russian language forum where he was advertising his wares.

    The author said he is holding off on including Safari form-grabbing capability for now, complaining that there are “too many problems in that browser.” Still, he was kind enough to share a copy of a video that shows the kit’s builder and admin panel in action. Click the video link below to check that out.

    ZeuS and SpyEye are popular in part because they support a variety of so-called “Web injects,” third-party plug-ins that let botmasters manipulate the content that victims see in their Web browsers. The most popular Web injects are designed to slightly alter the composition of various online banking Web sites in a bid to trick the victim customer into supplying additional identifying information that can be used later on to more fully compromise or hijack the account. According to the author, Web injects developed for ZeuS and SpyEye also are interchangeable with this Mac crimekit. “They need to be formatted and tagged, but yes, you can use Zeus injects with this bot,” he told me in an instant message conversation.

    Continue reading →

    A Little Sunshine / Latest Warnings / Web Fraud 2.073 Comments
    26
    Apr 11

    SpyEye Targets Opera, Google Chrome Users

    The latest version of the SpyEye trojan includes new capability specifically designed to steal sensitive data from Windows users surfing the Internet with the Google Chrome and Opera Web browsers.

    The author of the SpyEye trojan formerly sold the crimeware-building kit on a number of online cybercrime forums, but has recently limited his showroom displays to a handful of highly vetted underground communities. KrebsOnSecurity.com recently chatted with a member of one of these communities who has purchased a new version of SpyEye. Screenshots from the package show that the latest rendition comes with the option for new “form grabbing” capabilities targeting Chrome and Opera users.

    SpyEye component in version 1.3.34 shows form grabbing options for Chrome and Opera

    Trojans like ZeuS and SpyEye have the built-in ability to keep logs of every keystroke a victim types on his or her keyboard, but this kind of tracking usually creates too much extraneous data for the attackers, who mainly are interested in financial information such as credit card numbers and online banking credentials. Form grabbers accomplish this by stripping out any data that victims enter in specific Web site form fields, snarfing and recording that data before it can be encrypted and sent to the Web site requesting the information.

    Both SpyEye and ZeuS have had the capability to do form grabbing against Internet Explorer and Firefox for some time, but this is the first time I’ve seen any major banking trojans claim the ability to target Chrome and Opera users with this feature.

    Continue reading →

    A Little Sunshine / Web Fraud 2.015 Comments
    23
    Mar 11

    Big Scores and Hi-Scores

    Business gurus have long maintained that time = $$, but that doesn’t mean that playtime necessarily decreases the bottom line. Many corporations have discovered that their employees tend to be more productive when they have time to give their brains a break, and gameplay is the perfect escape. So it’s not surprising that some cyber criminals have taken this lesson to heart, and are crafting crime machines to include games that allow their evildoing customers to steal money and set their hi-scores at the same time.

    I had a laugh when I stumbled upon the administrative panel shown in the video below. It’s a back-end Web database designed to interact with a collection of Windows PCs infected by the ZeuS Trojan. This panel receives financial data stolen from victim machines, including PayPal and Bank of America account credentials. This video shows the Bank of America tab of the tool, which also allows the criminal to inject specific “challenge/response” questions into BofA’s Web page as displayed in the victim’s browser, as a way to steal the answers to these questions should the criminal later be asked for them when later logging in to victim accounts.

    Directly to the right of an option to export all stolen credentials to an easy-to-read .csv file is a button labeled “Pacman”. Clicking launches a playable, exact replica of the 1980s arcade game (enlarge the video by clicking the icon in the bottom right corner of the video panel):

    I can’t help but wonder whether we will witness some perverse kind of Moore’s law with future criminal Web administration panels. I can just see it now: In 18 months, crooks writing these panels will be bundling Halo 3 and Counter-Strike with their creations!

    Continue reading →

    A Little Sunshine / Web Fraud 2.041 Comments
    16
    Mar 11

    ZeuS Innovations: ‘No-$H!+ Reports’

    Security experts often warn computer users about “keystroke-logging” malware, digital intruders capable of recording your every keystroke. But the truth is, real bad guys don’t care about your everyday chit-chat: They’re after the financial information. I was reminded of this reality by a feature built into a recent version of the infamous ZeuS trojan that makes it even easier for the crooks to ignore everything except for the goods they’re seeking.

    Pictured here is part of an administration panel for a botnet of PCs infected with the ZeuS trojan (version 2.0.8.9). ZeuS’ data-stealing components are legion, but one of its most useful features is what’s known as a “form grabber,” which will automatically steal any data the victim submits to a Web site inside of a form, such as an address, credit card number or password. It doesn’t matter if the Web site the victim is on uses encryption (https://), ZeuS extracts and stores user-submitted data before it can be encrypted and sent by the browser.

    But even when a botmaster has configured his bots to only record data when the victim browses to https:// sites, the amount of data harvested from the entire botnet can easily exceed hundreds of megabytes per day, because many botnets are lifting this data from thousands of infected systems simultaneously.

    So what if you only want only the cream of the crop? The ZeuS control panel I encountered has a handy feature, called “Enable No-Shit reports,” which when checked only stores very specific information sought by the criminals, such as 16-digit credit card numbers, and data that victims are submitting to pre-selected online banking sites.

    ← Older Entries