Advertisement
  • About the Author
  • About this Blog

    • Posts Tagged: zeus

    Latest Warnings / The Coming Storm / Web Fraud 2.051 Comments
    2
    May 11

    ‘Weyland-Yutani’ Crime Kit Targets Macs for Bots

    A new crimeware kit for sale on the criminal underground makes it a simple point-and-click exercise to develop malicious software designed to turn Mac OSX computers into remotely controllable zombie bots. According to the vendor of this kit, it is somewhat interchangeable with existing crimeware kits made to attack Windows-based PCs.

    The Mac malware builder in action.

    KrebsOnSecurity has spilled a great deal of digital ink covering the damage wrought by ZeuS and SpyEye, probably the most popular crimeware kits built for Windows. A crimeware kit is a do-it-yourself package of tools that allow users to create custom versions of a malicious software strain capable of turning machines into bots that can be remotely controlled and harvested of financial and personal data. The bot code, generated by the crimeware kit’s “builder” component, typically is distributed via social engineering attacks in email and social networking sites, or is foisted by an exploit pack like Eleonore or Blackhole, which use hacked Web sites and browser flaws to quietly install the malware. Crimeware kits also come with a Web-based administration panel that allows the customer to manage and harvest data from infected PCs.

    Crimekit makers have focused almost exclusively on the Windows platform, but today Danish IT security firm CSIS Security Group blogged about a new kit named the Weyland-Yutani BOT that is being marketed as the first of its kind to attack the Mac OS X platform.

    The seller of this crimeware kit claims his product supports form-grabbing in Firefox and Chrome, and says he plans to develop a Linux version and one for the iPad in the months ahead. The price? $1,000, with payment accepted only through virtual currencies Liberty Reserve or WebMoney.

    The CSIS blog post contains a single screen shot of this kit’s bot builder, and references a demo video but doesn’t show it. I wanted to learn more about this kit, and so contacted the seller via a Russian language forum where he was advertising his wares.

    The author said he is holding off on including Safari form-grabbing capability for now, complaining that there are “too many problems in that browser.” Still, he was kind enough to share a copy of a video that shows the kit’s builder and admin panel in action. Click the video link below to check that out.

    ZeuS and SpyEye are popular in part because they support a variety of so-called “Web injects,” third-party plug-ins that let botmasters manipulate the content that victims see in their Web browsers. The most popular Web injects are designed to slightly alter the composition of various online banking Web sites in a bid to trick the victim customer into supplying additional identifying information that can be used later on to more fully compromise or hijack the account. According to the author, Web injects developed for ZeuS and SpyEye also are interchangeable with this Mac crimekit. “They need to be formatted and tagged, but yes, you can use Zeus injects with this bot,” he told me in an instant message conversation.

    Continue reading →

    Other51 Comments
    27
    Apr 11

    FBI: $20M in Fraudulent Wire Transfers to China

    The Federal Bureau of Investigation warned this week that cyber thieves have stolen approximately $20 million  over the past year from small to mid-sized U.S. businesses through a series of fraudulent wire transfers sent to Chinese economic and trade companies located near the country’s border with Russia.

    The FBI said that between March 2010 and April 2011, it identified twenty incidents in which small to mid-sized organizations had fraudulent wire transfers to China after their online banking credentials were stolen by malicious software. The alert was sent out Tuesday in cooperation with the Internet Crime Complaint Center and the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry consortium. The alert notes that actual victim losses are $11 million, suggesting that victim banks were able to claw back some of the fraudulent transfers.

    The FBI says it doesn’t know who is behind these fraudulent transfers, but that the intended recipients are companies based in the Heilongjiang province of the People’s Republic of China, and that these firms are registered in port cities that are located near the Russia-China border. The agency says the companies all use the name of a Chinese port city in their names, such as Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Donging, and that the official name of the companies also include the words “economic and trade,” “trade,” and “LTD”. The recipient entities usually hold accounts with a the Agricultural Bank of China, the Industrial and Commercial Bank of China, and the Bank of China.

    From the advisory (PDF):

    “In a typical scenario, the computer of a person within a company who can initiate funds transfers on behalf of the U.S. business is compromised by either a phishing email or by visiting a malicious Web site. The malware harvests the user’s corporate online banking credentials. When the authorized user attempts to log in to the user’s bank Web site, the user is typically redirected to another Web page stating that the bank Web site is under maintenance or is unable to access the accounts. While the user is experiencing logon issues, malicious actors initiate the unauthorized transfers to commercial accounts held at intermediary banks typically located in New York. Account funds are then transferred to the Chinese economic and trade company bank account.”

    Continue reading →

    A Little Sunshine / Latest Warnings / Web Fraud 2.073 Comments
    26
    Apr 11

    SpyEye Targets Opera, Google Chrome Users

    The latest version of the SpyEye trojan includes new capability specifically designed to steal sensitive data from Windows users surfing the Internet with the Google Chrome and Opera Web browsers.

    The author of the SpyEye trojan formerly sold the crimeware-building kit on a number of online cybercrime forums, but has recently limited his showroom displays to a handful of highly vetted underground communities. KrebsOnSecurity.com recently chatted with a member of one of these communities who has purchased a new version of SpyEye. Screenshots from the package show that the latest rendition comes with the option for new “form grabbing” capabilities targeting Chrome and Opera users.

    SpyEye component in version 1.3.34 shows form grabbing options for Chrome and Opera

    Trojans like ZeuS and SpyEye have the built-in ability to keep logs of every keystroke a victim types on his or her keyboard, but this kind of tracking usually creates too much extraneous data for the attackers, who mainly are interested in financial information such as credit card numbers and online banking credentials. Form grabbers accomplish this by stripping out any data that victims enter in specific Web site form fields, snarfing and recording that data before it can be encrypted and sent to the Web site requesting the information.

    Both SpyEye and ZeuS have had the capability to do form grabbing against Internet Explorer and Firefox for some time, but this is the first time I’ve seen any major banking trojans claim the ability to target Chrome and Opera users with this feature.

    Continue reading →

    A Little Sunshine / Web Fraud 2.015 Comments
    23
    Mar 11

    Big Scores and Hi-Scores

    Business gurus have long maintained that time = $$, but that doesn’t mean that playtime necessarily decreases the bottom line. Many corporations have discovered that their employees tend to be more productive when they have time to give their brains a break, and gameplay is the perfect escape. So it’s not surprising that some cyber criminals have taken this lesson to heart, and are crafting crime machines to include games that allow their evildoing customers to steal money and set their hi-scores at the same time.

    I had a laugh when I stumbled upon the administrative panel shown in the video below. It’s a back-end Web database designed to interact with a collection of Windows PCs infected by the ZeuS Trojan. This panel receives financial data stolen from victim machines, including PayPal and Bank of America account credentials. This video shows the Bank of America tab of the tool, which also allows the criminal to inject specific “challenge/response” questions into BofA’s Web page as displayed in the victim’s browser, as a way to steal the answers to these questions should the criminal later be asked for them when later logging in to victim accounts.

    Directly to the right of an option to export all stolen credentials to an easy-to-read .csv file is a button labeled “Pacman”. Clicking launches a playable, exact replica of the 1980s arcade game (enlarge the video by clicking the icon in the bottom right corner of the video panel):

    I can’t help but wonder whether we will witness some perverse kind of Moore’s law with future criminal Web administration panels. I can just see it now: In 18 months, crooks writing these panels will be bundling Halo 3 and Counter-Strike with their creations!

    Continue reading →

    A Little Sunshine / Web Fraud 2.041 Comments
    16
    Mar 11

    ZeuS Innovations: ‘No-$H!+ Reports’

    Security experts often warn computer users about “keystroke-logging” malware, digital intruders capable of recording your every keystroke. But the truth is, real bad guys don’t care about your everyday chit-chat: They’re after the financial information. I was reminded of this reality by a feature built into a recent version of the infamous ZeuS trojan that makes it even easier for the crooks to ignore everything except for the goods they’re seeking.

    Pictured here is part of an administration panel for a botnet of PCs infected with the ZeuS trojan (version 2.0.8.9). ZeuS’ data-stealing components are legion, but one of its most useful features is what’s known as a “form grabber,” which will automatically steal any data the victim submits to a Web site inside of a form, such as an address, credit card number or password. It doesn’t matter if the Web site the victim is on uses encryption (https://), ZeuS extracts and stores user-submitted data before it can be encrypted and sent by the browser.

    But even when a botmaster has configured his bots to only record data when the victim browses to https:// sites, the amount of data harvested from the entire botnet can easily exceed hundreds of megabytes per day, because many botnets are lifting this data from thousands of infected systems simultaneously.

    So what if you only want only the cream of the crop? The ZeuS control panel I encountered has a handy feature, called “Enable No-Shit reports,” which when checked only stores very specific information sought by the criminals, such as 16-digit credit card numbers, and data that victims are submitting to pre-selected online banking sites.

    A Little Sunshine / The Coming Storm / Web Fraud 2.051 Comments
    9
    Mar 11

    SpyEye, ZeuS Users Target Tracker Sites

    Crooks who create botnets with the help of crimeware kits SpyEye and ZeuS are actively venting their frustration with two Web services that help ISPs and companies block infected machines from communicating with control networks run by these botmasters. The lengths to which established cyber criminals are willing to go to disable and discredit these anti-fraud services provide convincing proof that the services are working as designed, and that the bad guys are suffering financially as a result.

    The creations of Swiss security expert Roman Hüssy, ZeusTracker and its sister service SpyEye Tracker have endured countless distributed denial-of-service (DDoS) attacks from botmasters apparently retaliating for having their network infrastructure listed by these services. At one point, someone wrote a fake suicide in Hüssy’s name and distributed it to his family and friends, prompting local police to rouse him from slumber to investigate his well-being. But, those attacks haven’t deterred Hüssy or sidelined his services.

    Now, the attackers are beginning to consider stealthier and more diabolical ways to strike back. A  series of discussions on an uber-exclusive Russian language forum that caters to identity and credit card thieves reveal that botmasters are becoming impatient in their search for a solution that puts Hüssy and/or his tracking services out of commission once and for all (click the images in this post twice to read along).

    “DDoSing doesn’t bring satisfactory results. We’re now working on mapping his entire infrastructure, flag his scripts,” writes a user named Sal, who claims to specialize in providing bulletproof servers. “Now we will engage in a pinpointed assault. This should be cheaper + should bring results at least temporarily….Let’s brainstorm here.”

    Other members join the discussion. One suggests pooling funds to hire a hitman. “It’s easier and more productive to just use a joint fund to hire a killer, and story’s over,” writes user “Femar.” Another forum member named “Deviant” recommends dosing Hüssy with organic mercury. “Dimethylmercury – the fluid has no color. One drop on your hand will penetrate thick latex gloves. Lethal result is guaranteed within one month.”

    But forum members seemed to coalesce around an idea for seeding the ZeuS and SpyEye configuration files (those that list the location of key parts of the botnet, such as the place to deposit stolen data) with legitimate Web sites. Their stated goal? To cause SpyEye Tracker and ZeuS Tracker to flag legitimate sites as hostile, and thereby to lose credibility with ISPs that rely on the trackers.

    I caught up with Hüssy via instant message yesterday, and asked whether he’d seen any SpyEye or ZeuS configuration files seeded with legitimate sites. He just laughed.

    “ZeusTracker checks if a command and control server is really up before adding it to the blocklist,” Hüssy said. “These guys have no clue how ZeusTracker works.”

    Continue reading →

    Target: Small Businesses157 Comments
    23
    Feb 11

    Sold a Lemon in Internet Banking

    An online bank robbery in which computer crooks stole $63,000 from a Kansas car dealership illustrates the deftness with which cyber thieves are flouting the meager security measures protecting commercial accounts at many banks.

    At 7:45 a..m. Monday, Nov. 1, 2010, the controller for Abilene, Kansas based Green Ford Sales, Inc. logged into his account at First Bank Kansas to check the company’s accounts. Seven hours later, he logged back in and submitted a payroll batch for company employees totaling $51,970. The bank’s authentication system sent him an e-mail to confirm the batch details, and the controller approved it.

    The controller didn’t know it at the time, but thieves had already compromised his Microsoft Windows PC with a copy of the ZeuS trojan, which allowed them to monitor his computer and log in to the company’s bank account using his machine. Less than an hour after the bookkeeper approved the payroll batch, bank records show, the thieves logged in to Green Ford’s account from the same Internet address normally used by the dealership, using the controller’s correct user name and password.

    The attackers cased the joint a bit — checking the transaction history, account summary and balance — and then logged out. They waited until 1:04 p.m. the next day to begin creating their own $63,000 payroll batch, by adding nine new “employees” to the company’s books. The employees added were in fact money mules, willing or unwitting individuals recruited through work-at-home job scams to help crooks launder stolen funds.

    Green Ford’s controller never received the confirmation email sent by the bank to verify the second payroll batch initiated by the fraudsters, because the crooks also had control over the controller’s e-mail account.

    “They went through and deleted it,” said Green Ford owner Lease Duckwall. “If they had control over his machine, they’d have certainly had control over his email and the password for that, too.”

    To me, this attack gets to the heart of why these e-banking thefts continue unabated at banks all over the country every week: An attacker who has compromised an account holder’s PC can control every aspect of what the victim sees or does not see, because that bad guy can then intercept, delete, modify or re-route all communications to and from the infected PC. If a bank’s system of authenticating a transaction depends solely on the customer’s PC being infection-free, then that system is trivially vulnerable to compromise in the face of today’s more stealthy banking trojans.

    It is difficult to believe that there are still banks that are using nothing more than passwords for online authentication on commercial accounts. Then again, some of the techniques being folded into today’s banking trojans can defeat many of the most advanced client-side authentication mechanisms in use today.

    Banks often complain that commercial account takeover victims might have spotted thefts had the customer merely reconciled its accounts at day’s end. But several new malware strains allow attackers to manipulate the balance displayed when the victim logs in to his or her account.

    Perhaps the most elegant fraud techniques being built into trojans involve an approach known as “session riding,” where the fraudster in control of a victim PC simply waits until the user logs in, and then silently hijacks that session to move money out of the account.

    Amit Klein, chief technology officer at Trusteer, blogged this week about a relatively new strain of malware dubbed OddJob, which hijacks customers’ online banking sessions in real time using their session ID tokens. According to Klein, OddJob keeps online banking sessions open after customers think they have “logged off,” enabling criminals to extract money and commit fraud unnoticed.

    All of these developments illustrate the need for some kind of mechanism on the bank’s end for detecting fraudulent transactions, such as building profiles of what constitutes normal customer activity and looking for activity that appears to deviate from that profile. For example, in almost every case I’ve written about, the victim was robbed after thieves logged in and added multiple new names to the payroll. There are most certainly other such markers that are common to victims of commercial account fraud, and banks should be looking out for them. Unfortunately, far too many small to mid-sized banks outsource much of their visibility at the transaction level to third-party service providers, most of whom have been extremely slow to develop and implement solutions that would enable partner banks to flag many warning signs of account takeovers.

    Continue reading →

    Other46 Comments
    4
    Feb 11

    ZeuS Source Code for Sale. Got $100,000?

    Late last year, online crime forums were abuzz with talk that development of the world’s most notorious banking Trojan — ZeuS — was being retired, after its maker handed the malware’s secret blueprints to a rival developer. The recipient of those plans — the author of the SpyEye Trojan– has been hard at work on a malware strain that blends the two malware families. But new evidence suggests that the source code for the latest ZeuS version may have also been given or sold to a third party who is now reselling it to the highest bidder in the criminal underground, a development that could soon guarantee the production of a whole new ZeuS lineage.

    Sources say the ZeuS author — known variously as “Slavik” and “Monstr” on criminal forums — gave the SpyEye author Gribodemon stewardship over the ZeuS code base, on the condition that Gribodemon agreed to provide ongoing support for existing ZeuS clients, a sizable user base that demands considerable care and attention. Sources also believe Slavik may have separately sold the code itself, ostensibly to the same individual shown in the screen shot below.

    Established crime forums are built upon reputation, which is earned over a period of time by points awarded from other members for positive or negative transactions — much like eBay’s buyer and seller feedback system. The solicitation in the above screen shot is unlikely to be a fake: It indicates that the seller has been a member of this particular vetted crime forum since June 13, 2009, and has 18 positive reputation points and zero negative.

    Continue reading →

    A Little Sunshine / Web Fraud 2.028 Comments
    3
    Feb 11

    Revisiting the SpyEye/ZeuS Merger

    In October 2010, I discovered that the authors of the SpyEye and ZeuS banking Trojans — once competitors in the market for botnet creation and management kits — were planning to kill further development of ZeuS and fuse the two malware families into one supertrojan. Initially, I heard some skepticism from folks in the security community about this. But three months later, security experts are starting to catch glimpses of this new hybrid Trojan in the wild, with the author(s) shipping a series of beta releases that include updated features on a nearly-daily basis.

    It probably didn’t help that the first report of a blended version of SpyEye/ZeuS (referred to as SpyZeuS for the remainder of this post) — detailed in a McAfee blog post — turned out to be a scam. But a little more a week ago, Trend Micro spotted snapshots and details of SpyZeuS components, noting that the author appears to have received help from other criminals in polishing this latest release; in particular, an add-on that grabs credit card numbers from hacked PCs, and a plugin designed to attack the anti-Trojan tool Rapport from Trusteer. (Trusteer’s Amit Klein addresses this component in a blog post here).

    Seculert, a new threat alert service started by former RSA fraud expert Aviv Raff, includes some screen shots of the administrative panel of SpyZeuS that show the author trying to appeal to users of both Trojans, by allowing customers to control and update their botnets using either the traditional ZeuS or SpyEye Web interface.

    The hybrid SpyZeuS Trojan lets users interact with bots via the ZeuS control panel (left) or the SpyEye interface.

    Continue reading →

    A Little Sunshine / The Coming Storm / Web Fraud 2.078 Comments
    3
    Jan 11

    ‘White House’ eCard Dupes Dot-Gov Geeks

    A malware-laced e-mail that spoofed seasons greetings from The White House siphoned gigabytes of sensitive documents from dozens of victims over the holidays, including a number of government employees and contractors who work on cybersecurity matters.

    The attack appears to be the latest salvo from ZeuS malware gangs whose activities over the past year have blurred the boundaries between online financial crime and espionage, by stealing both financial data and documents from victim machines. This activity is unusual because most criminals using ZeuS are interested in money-making activities – such as swiping passwords and creating botnets – whereas the hoovering up of sensitive government documents is activity typically associated with so-called advanced persistent threat attacks, or those deployed to gather industrial and military intelligence.

    On Dec. 23, the following message was sent to an unknown number of recipients;

    “As you and your families gather to celebrate the holidays, we wanted to take
    a moment to send you our greetings. Be sure that we’re profoundly grateful
    for your dedication to duty and wish you inspiration and success in
    fulfillment of our core mission.

    Greeting card:

    hxxp://xtremedefenceforce.com/[omitted]
    hxxp://elvis.com.au/[omitted]

    Merry Christmas!
    ___________________________________________
    Executive Office of the President of the United States
    The White House
    1600 Pennsylvania Avenue NW
    Washington, DC 20500

    Recipients who clicked either of the above links and opened the file offered were infected with a ZeuS Trojan variant that steals passwords and documents and uploads them to a server in Belarus.  I was able to analyze the documents taken in that attack, which hoovered up more than 2 gigabytes of PDFs, Microsoft Word and Excel documents from dozens of victims.  I feel reasonably confident I have identified several victims,  all of whom appear to be employees of some government or another. Among those who fell for the scam e-mail were:

    -An employee at the National Science Foundation’s Office of Cyber Infrastructure. The documents collected from this victim include hundreds of NSF grant applications for new technologies and scientific approaches.

    -An intelligence analyst in Massachusetts State Police gave up dozens of documents that appear to be records of court-ordered cell phone intercepts. Several documents included in the cache indicate the victim may have recently received top-secret clearance. Among this person’s cache of documents is a Department of Homeland Security tip sheet called “Safeguarding National Security Information.”

    -An unidentified employee at the Financial Action Task Force, an intergovernmental body dedicated to the development and promotion of national and international policies to combat money laundering and terrorist financing.

    -An official with the Moroccan government’s Ministry of Industry, Commerce and New Technologies.

    -An employee at the Millennium Challenge Corporation, a federal agency set up to provide foreign aid for development projects in 15 countries in Africa, Central America and other regions.

    The most interesting component of this attack was not the ZeuS variant, which by most accounts was an older, well-understood version of the banking Trojan. Rather, researchers are focusing on the component responsible for stealing documents, which suggests the handiwork of a novice who was quite active in 2010.

    Continue reading →

    ← Older Entries
    Newer Entries →