Posts Tagged: zeus


12
Jul 12

EU to Banks: Assume All PCs Are Infected

An agency of the European Union created to improve network and data security is offering some blunt, timely and refreshing advice for financial institutions as they try to secure the online banking channel: “Assume all PCs are infected.”

Source: zeustracker.abuse.ch

The unusually frank perspective comes from the European Network and Information Security Agency, in response to a recent “High Roller” report (PDF) by McAfee and Guardian Analytics on sophisticated, automated malicious software strains that are increasingly targeting high-balance bank accounts. The report detailed how thieves using custom versions of the ZeuS and SpyEye Trojans have built automated, cloud-based systems capable of defeating multiple layers of security, including hardware tokens, one-time transaction codes, even smartcard readers. These malware variants can be set up to automatically initiate transfers to vetted money mule or prepaid accounts, just as soon as the victim logs in to his account.

“Many online banking systems….work based on the assumption that the customer’s PC is not infected,” ENISA wrote in an advisory issued on Thursday. “Given the current state of PC security, this assumption is dangerous. Banks should instead assume that PCs are infected, and still take steps to protect customers from fraudulent transactions.”

Continue reading →


16
Apr 12

Microsoft Responds to Critics Over Botnet Bruhaha

Microsoft’s most recent anti-botnet campaign — a legal sneak attack against dozens of ZeuS botnets — seems to have ruffled the feathers of many in security community. The chief criticism is that the Microsoft operation exposed sensitive information that a handful of researchers had shared in confidence, and that countless law enforcement investigations may have been delayed or derailed as a result. In this post, I interview a key Microsoft attorney about these allegations.

Since Microsoft announced Operation B71, I’ve heard from several researchers who said they were furious at the company for publishing data on a group of hackers thought to be behind a majority of the ZeuS botnet activity — specifically those targeting small to mid-sized organizations that are getting robbed via cyber heists. The researchers told me privately that they believed Microsoft had overstepped its bounds with this action, using privileged information without permission from the source(s) of that data (many exclusive industry discussion lists dedicated to tracking cybercriminal activity have strict rules about sourcing and using information shared by other members).

At the time, nobody I’d heard from with complaints about the action wanted to speak on the record. Then, late last week, Fox IT, a Dutch security firm, published a lengthy blog post blasting Microsoft’s actions as “irresponsible,” and accusing the company of putting its desire for a public relations campaign ahead of its relationship with the security industry.

“This irresponsible action by Microsoft has led to hampering and even compromising a number of large international investigations in the US, Europe and Asia that we knew of and also helped with,” wrote Michael Sandee, Principal Security Expert at Fox IT. “It has also damaged and will continue to damage international relationships between public parties and also private parties. It also sets back cooperation between public and private parties, so called public private partnerships, as sharing will stop or will be definitely less valuable than it used to be for all parties involved.”

Sandee said that a large part of the information that Microsoft published about the miscreants involved was sourced from individuals and organizations without their consent, breaking various non-disclosure agreements (NDAs) and unspoken rules.

“In light of the whole Responsible Disclosure debate  [link added] from the end of Microsoft this unauthorized and uncoordinated use and publication of information protected under an NDA is obviously troublesome and shows how Microsoft only cares about protecting their own interests,” Sandee wrote.

Given the strong feelings that Microsoft’s actions have engendered in the Fox IT folks and among the larger security community, I reached out to Richard Boscovich, a former U.S. Justice Department lawyer who was one of the key architects of Microsoft’s legal initiative against ZeuS. One complaint I heard from several researchers who believed that Microsoft used and published data they uncovered was that the company kept the operation from nearly everyone. I asked Boscovich how this operation was different from previous actions against botnets such as Rustock and Waledac.

Boscovich: It’s essentially the same approach we’ve done in all the other operations. The problem that I think some people have is that due to the type of operation, we can’t have the entire community involved. That’s for several reasons. One is operational security. The bigger the number of people involved, the more likely is that is someone will make a mistake and say something that could jeopardize all of the work that everyone has done. Also, we’re making representations to a federal court that this is an ex-parte motion and very limited people know about it. If you have multiple people knowing, and the entire security community knows, let’s say we submit declarations from 30-40 people. A court may say, ‘Well there’s a lot of people here who know about this, so isn’t this information that’s already publicly available? Don’t these people know you’re looking at them already?’ We’re really asking for an extraordinary remedy: an ex-parte TRO [temporary restraining order] is a very high standard. We have to show an immediate threat and harm, ongoing, so much so that we can’t even give the other side notice that we’re going to sue them and take away their property.

The other concern is more operational. When I was in the Justice Department — I was there for just shy of 18 years — we even compartmentalized operations there. Information was shared on a need-to-know basis, to make sure the operation would be a success and that there wouldn’t be any inadvertent leaks. It wasn’t because we didn’t trust people, but because people sometimes make mistakes. So in this operation, just like the others, we engaged with industry partners, academic partners, and some of those who wished to be open, and others who preferred to do things behind the scenes.

Continue reading →


26
Mar 12

Microsoft Takes Down Dozens of Zeus, SpyEye Botnets

Microsoft today announced the execution of a carefully planned takedown of dozens of botnets powered by ZeuS and SpyEye — powerful banking Trojans that have helped thieves steal more than $100 million from small to mid-sized businesses in the United States and abroad.

Microsoft, U.S. Marshals pay a surprise visit to a Scranton, Pa. hosting facility.

In a consolidated legal filing, Microsoft received court approval to seize several servers in Scranton, Penn. and Lombard, Ill. used to control dozens of ZeuS and SpyEye botnets. The company also was granted permission to take control of 800 domains that were used by the crime machines.The company published a video showing a portion of the seizures, conducted late last week with the help of U.S. Marshals.

This is the latest in a string of botnet takedowns executed by Microsoft’s legal team, but it appears to be the first one in which the company invoked the Racketeer Influenced and Corrupt Organizations (RICO) Act.

“The RICO Act is often associated with cases against organized crime; the same is true in applying the civil section of the law to this case against what we believe is an organization of people behind the Zeus family of botnets,” wrote Richard Boscovich, senior attorney for Microsoft’s Digital Crimes Unit. “By incorporating the use of the RICO Act, we were able to pursue a consolidated civil case against everyone associated with the Zeus criminal operation, even if those involved in the “organization” were not necessarily part of the core enterprise.”

It’s too soon to say how much of an impact this effort will have, or whether it will last long. Previous takedowns by Microsoft — such as its targeting of the Kelihos botnet last fall — have produced mixed results. There also are indications that this takedown may have impacted legitimate — albeit hacked — sites that crooks were using in their botnet operations. According to data recorded by Abuse.ch, a Swiss security site that tracks ZeuS and SpyEye control servers, some of the domains Microsoft seized appear to belong to legitimate businesses whose sites were compromised and used to host components of the malware infrastructure. Among them is a site in Italy that sells iPhone cases, a Thai social networking forum, and a site in San Diego that teaches dance lessons.

The effort also shines a spotlight on an elusive group of cyber thieves operating out of Ukraine who have been tagged as the brains behind a great deal of the ebanking losses over the past five years, including the authors of ZeuS (Slavik/Monstr) and SpyEye (Harderman/Gribodemon), both identities that were outed on this blog more than 18 months ago. Over the past few years, KrebsOnSecurity has amassed a virtual treasure trove of data about these and other individuals named in the complaint. Look for a follow-up piece with more details on these actors.

A breakdown of the court documents related to this case is available at zeuslegalnotice.com.


17
Feb 12

Zeus Trojan Author Ran With Spam Kingpins

The cybercrime underground is expanding each day, yet the longer I study it the more convinced I am that much of it is run by a fairly small and loose-knit group of hackers. That suspicion was reinforced this week when I discovered that the author of the infamous ZeuS Trojan was a core member of Spamdot, until recently the most exclusive online forum for spammers and the shady businessmen who support the big spam botnets.

Thanks to a deep-seated enmity between the owners of two of the largest spam affiliate programs, the database for Spamdot was leaked to a handful of investigators and researchers, including KrebsOnSecurity. The forum includes all members’ public posts and private messages — even those that members thought had been deleted. I’ve been poring over those private messages in an effort to map alliances and to learn more about the individuals behind the top spam botnets.

The Zeus author’s identity on Spamdot, selling an overstock of “installs.”

As I was reviewing the private messages of a Spamdot member nicknamed “Umbro,” I noticed that he gave a few key members his private instant message address, the jabber account bashorg@talking.cc. In 2010, I learned from multiple reliable sources that for several months, this account was used exclusively by the ZeuS author to communicate with new and existing customers. When I dug deeper into Umbro’s private messages, I found several from other Spamdot members who were seeking updates to their ZeuS botnets. In messages from 2009 to a Spamdot member named “Russso,” Umbro declares flatly, “hi, I’m the author of Zeus.”

Umbro’s public and private Spamdot postings offer a fascinating vantage point for peering into an intensely competitive and jealously guarded environment in which members feed off of each others’ successes and failures. The messages also provide a virtual black book of customers who purchased the ZeuS bot code.

In the screen shot above, the ZeuS author can be seen selling surplus “installs,” offering to rent hacked machines that fellow forum members can seed with their own spam bots (I have added a translation beneath each line). His price is $60 per 1,000 compromised systems. This is a very reasonable fee and is in line with rates charged by more organized pay-per-install businesses that also tend to stuff host PCs with so much other malware that customers who have paid to load their bots on those machines soon find them unstable or unusable. Other members apparently recognized it as a bargain as well, and he quickly received messages from a number of interested takers.

The image below shows the Zeus author parceling out a small but potentially valuable spam resource that was no doubt harvested from systems compromised by his Trojan. In this solicitation, dated Jan. 2008, Umbro is selling a mailing list that would be especially useful for targeted email malware campaigns.

Continue reading →


21
Nov 11

DDoS Attack on KrebsOnSecurity.com

Last week, not long after I published the latest installment in my Pharma Wars series, KrebsOnSecurity.com was the target of a sustained distributed denial-of-service (DDoS) attack that caused the site to be unavailable for some readers between Nov. 17 and 18. What follows are some details about that attack, and how it compares to previous intimidation attempts.

The DDoS was caused by incessant, garbage requests from more than 20,000+ PCs around the globe infected with malware  that allows criminals to control them remotely for nefarious purposes. If you’ve noticed that a few of the features on this site haven’t worked as usual these past few days, now you know why. Thanks for your patience.

I shared the log files of the attack with Joe Stewart, director of malware research at Dell SecureWorks. Stewart discovered that the botnet responsible for hitting my site appears to have been created with Russkill, a commercial crimeware kit that is sold for a few hundred bucks on the hacker underground. Russkill, sometimes called Dirt Jumper, does its dirty work by forcing infected systems to rapidly request the targeted site’s homepage.

Stewart said he suspects — but can’t prove – that the control center for this botnet is noteye.biz, based on traffic analysis of Internet addresses in the logs I shared with him.

“I did not already have [noteye.biz] under monitoring so it is impossible to say for sure what targets were hit in the past,” Stewart wrote in an email. He noted that the same attacker also apparently runs a Dirt Jumper botnet at xzrw1q.com, which also is currently attacking Ukrainian news site genshtab.censor.net.ua, and kidala.info (“kidala” is Russian slang for “criminal,” and kidala.info is a well-known Russian crime forum).

“According to my logs this botnet did attack your site back in April, so this is some additional circumstantial evidence that suggests the noteye.biz [control network] may have been involved in the recent attack on your site,” Stewart wrote.

As Stewart notes, this is not the first time my site has been pilloried, although it was arguably the most disruptive. In October 2010, a botnet typically used to spread spam for rogue Internet pharmacies attacked krebsonsecurity.com, using a hacked Linux server at a research lab at Microsoft, of all places.

I’ve spoken at more than a dozen events this year, and the same question nearly always comes up: Do you ever get threatened or attacked? For the most part, the majority of the threats or intimidation attempts have been light-hearted.

Yes, occasionally crooks in the underground will get a bit carried away – as in these related threads from an exclusive crime forum, where I am declared the “enemy of carding;” or in the love I received from the guys at Crutop.nu, a major Russian adult Webmaster forum (the site now lives at Crutop.eu).

Continue reading →


3
Oct 11

Monster Spam Campaigns Lead to Cyberheists

Phishers and cyber thieves have been casting an unusually wide net lately, blasting out huge volumes of fraudulent email designed to spread password-stealing banking Trojans. Judging from the number of victims who reported costly cyber heists in the past two weeks, many small to medium sized organizations took the bait.

These fake NACHA lures were mailed the week of Sept. 19, even though the sent date on the message says Aug. 3. Source: Commtouch.

Security firm Symantec says it detected an unprecedented jump in spam blasts containing “polymorphic malware,” — malicious software that constantly changes its appearance to evade security software. One of the most tried-and-true lures used in these attacks is an email crafted to look like it was sent by NACHA, a not-for-profit group that develops operating rules for organizations that handle electronic payments, from payroll direct deposits to online bill pay services.

Using NACHA’s name as bait is doubly insulting because victims soon find new employees — money mules — added to their payroll. After adding the mules, the thieves use the victim’s online banking credentials to push through an unauthorized batch of payroll payments to the mules, who are instructed to pull the money out in cash and wire the funds (minus a commission) overseas.

On Sept. 13, computer crooks stole approximately $120,000 from Oncology Services of North Alabama, a component of the Center for Cancer Care, a large medical health organization in Alabama. John Ziak, director of information technology at the center, said he suspects the organization’s accounting firm was the apparent source of the compromise. That means other clients may also have been victimized. He declined to name the accounting firm.

Continue reading →


26
Sep 11

‘Right-to-Left Override’ Aids Email Attacks

Computer crooks and spammers are abusing a little-known encoding method that makes it easy to disguise malicious executable files (.exe) as relatively harmless documents, such as text or Microsoft Word files.

The “right to left override” (RLO) character is a special character within unicode, an encoding system that allows computers to exchange information regardless of the language used. Unicode covers all the characters for all writing systems of the world, modern and ancient. It also includes technical symbols, punctuations, and many other characters used in writing text. For example, a blank space between two letters, numbers or symbols is expressed in unicode as “U+0020″.

The RLO character (U+202e in unicode) is designed to support languages that are written right to left, such as Arabic and Hebrew. The problem is that this override character also can be used to make a malicious file look innocuous.

This threat is not new, and has been known for some time. But an increasing number of email based attacks are taking advantage of the RLO character to trick users who have been trained to be wary of clicking on random .exe files, according to Internet security firm Commtouch.

Take the following file, for example, which is encoded with the RLO character:

“CORP_INVOICE_08.14.2011_Pr.phylexe.doc”

Looks like a Microsoft Word document, right? This was the lure used in a recent attack that downloaded Bredolab malware. The malicious file, CORP_INVOICE_08.14.2011_Pr.phyldoc.exe, was made to display as CORP_INVOICE_08.14.2011_Pr.phylexe.doc by placing the unicode command for right to left override just before the “d” in “doc”.

Continue reading →


24
Aug 11

Hybrid Hydras and Green Stealing Machines

Hybrids seem to be all the rage in the automobile industry, so it’s unsurprising that hybrid threats are the new thing in another industry that reliably ships updated product lines: The computer crime world. The public release of the source code for the infamous ZeuS Trojan earlier this year is spawning novel attack tools. And just as hybrid cars hold the promise of greater fuel efficiency, these nascent threats show the potential of the ZeuS source code leak for morphing ordinary, run-of-the-mill malware into far more efficient data-stealing machines.

Researchers at Trusteer have unearthed evidence that portions of the leaked ZeuS source code have been fused with recent versions of Ramnit, a computer worm first spotted in January 2010. Amid thousands of other password-stealing, file-infecting worms  capable of spreading via networked drives, Ramnit is unremarkable except in one respect: It is hugely prolific. According to a report (PDF) from Symantec, Ramnit accounted for 17.3 percent of all malicious software that the company detected in July 2011.

Continue reading →


28
Jul 11

Trojan Tricks Victims Into Transferring Funds

It’s horrifying enough when a computer crook breaks into your PC, steals your passwords and empties your bank account. Now, a new malware variant uses a devilish scheme to trick people into voluntarily transferring money from their accounts to a cyber thief’s account.

The German Federal Criminal Police (the “Bundeskriminalamt” or BKA for short) recently warned consumers about a new Windows malware strain that waits until the victim logs in to his bank account. The malware then presents the customer with a message stating that a credit has been made to his account by mistake, and that the account has been frozen until the errant payment is transferred back.

When the unwitting user views his account balance, the malware modifies the amounts displayed in his browser; it appears that he has recently received a large transfer into his account. The victim is told to immediately make a transfer to return the funds and unlock his account. The malicious software presents an already filled-in online transfer form — with the account and routing numbers for a bank account the attacker controls.

Continue reading →


6
Jun 11

Criminal Classifieds: Malware Writers Wanted

The global economy may be struggling to create new jobs, but the employment outlook for criminally-inclined computer programmers has never been brighter. I’ve spent some time lurking on shadowy, online underground forums, and lately I’ve seen a proliferation of banner ads apparently placed by criminal gangs looking for talented programmers to help make existing malware stealthier and more feature-rich.

Many of the ads highlight job openings for coders who are skilled in devising custom “crypters,” programs designed to change the appearance of known malware so that it goes undetected by anti-virus software. Anti-virus signatures are based on snippets of code found within known malware samples, and crypters can try to help hide or obfuscate the code. When anti-virus firms update their products with the ability to detect and flag files that are shrouded by this layer of obfuscation, malware writers tweak their creations in a bid to further evade the new detection mechanisms.

The composite banner ad pictured above is a solicitation from a crime gang that offers a base salary of $2,000 per month in exchange for a “long-term partnership” creating crypters that include customer support. The ads lead to a sign-up page (below) where interested coders can leave their résumé and contact information, and state why they think they are qualified for the position.

The Russian text in the above ad translates to:

“We invite you to join our team of crypto-programmers, including programmers with no experience in this field.

We offer:

* Base salary from $2,000 per month, with an increase in salary, depending on the quality and timeliness of your work.
* Payments are made ​​weekly.
* Long-term cooperation (with many programmers, we have been in business for more than two years).

Please fill in your application only if you understand what is at stake. Thank you.”

Other ads, like the one below, seek qualified candidates for similar jobs with a promise of as much as $5,000 per month for creating custom crypters and providing customer support.

There also appears to be a high demand for programmers who can code so-called “Web injects,” plug-ins for malware kits like the ZeuS and SpyEye trojans, and they’re designed to inject custom content into a Web browser when the victim browses to certain sites, such as a specific bank’s login page.

Continue reading →