Underground Web sites can be a useful barometer for the daily volume of criminal trade in goods like stolen credit card numbers and hijacked PayPal or eBay accounts. And if the current low prices at one of Underweb’s newer and… Read More »
Millions of computers infected with the stealthy and tenacious DNSChanger Trojan may be spared a planned disconnection from the Internet next month if a court approves a new request by the U.S. government. Meanwhile, six men accused of infecting and managing the huge collection of hacked PCs are expected to be extradited from their native Estonia to face charges in the United States.
Late last month I wrote about Citadel, an “open source” version of the ZeuS Trojan whose defining feature is a social networking component where users can report and fix programming bugs, suggest and vote on new features in upcoming versions, and generally guide development of the botnet malware. Since then, I’ve been given a peek inside that social networking space, and it suggests that Citadel’s collaborative approach is fueling rapid growth of this new malware strain.
A customer who bought a license to the Citadel Trojan extended an invitation to drop in on that community of hackers. Those who have purchased the software can interact with the developers and other buyers via comments submitted to the Citadel Store, a front-end interface that is made available after users are validated through a two-step authentication process.
Anyone who’s run a Web site is probably familiar with the term “malvertising,” which occurs when crooks hide exploits and malware inside of legitimate-looking ads that are submitted to major online advertising networks. But there’s a relatively new form of malware-based advertising that’s gaining ground — I’m calling it “crimevertising” for lack of a better term — that involves running otherwise harmless ads for illicit services inside of commercial crimeware kits.
At its most basic, crimevertising has been around for many years, in the form of banner ads on underground forums that hawk everything from hacking services to banking Trojans and crooked cashout services. More recently, malware authors have started offering the ability to place paid ads in the administrative panesl that customers use to control their botnets. Such placements allow miscreants an unprecedented opportunity to keep their brand name in front of the eyeballs of their target audience, and for hours on end.
More than two months after authorities shut down a massive Internet traffic hijacking scheme, the malicious software that powered the criminal network is still running on computers at half of the Fortune 500 companies, and on PCs at nearly 50 percent of all federal government agencies, new research shows.
The malware, known as the “DNSChanger Trojan,” quietly alters the host computer’s Internet settings to hijack search results and to block victims from visiting security sites that might help scrub the infections. DNSChanger frequently was bundled with other types of malware, meaning that systems infected with the Trojan often also host other, more nefarious digital parasites.
Underground hacker forums are full of complaints from users angry that a developer of some popular banking Trojan or bot program has stopped supporting his product, stranding buyers with buggy botnets. Now, the proprietors of a new ZeuS Trojan variant are marketing their malware as the first offering that lets customers file bug reports, suggest and vote on new features in upcoming versions, and track trouble tickets that can be worked on by the developers and fellow users alike.
Amnesty International’s homepage in the United Kingdom is hacked and is currently serving malware that exploits a recently-patched vulnerability in Java. Security experts say the attack may be opportunistic, or it may be part of a more nefarious scheme to target human rights workers.
Thousands of Twitter accounts apparently created in advance to blast automated messages are being used to drown out Tweets sent by bloggers and activists this week who are protesting the disputed parliamentary elections in Russia, security experts said.
It wasn’t long ago that I felt comfortable recommending CNET’s download.com as a reputable and trustworthy place to download software. I’m going to have to take back that advice: Unfortunately, CNET now is bundling invasive and annoying toolbars with much of the software on its site, even some open-source software whose distribution license prohibits such activity.
I first became aware of this after reading mailing list posting by Gordon “Fyodor” Lyon, the software developer behind the ever useful Nmap network security scanner. Lyon is upset because download.com, which has long hosted his free software for download, recently began distributing Nmap and many other titles with a “download installer,” that bundles titles with browser toolbars like the Babylon toolbar.
The Wall Street Journal this week ran an excellent series on government surveillance tools in the digital age. One story looked at FinFisher, a remote spying Trojan that was marketed to the governments of Egypt, Germany and other nations to permit surreptitious surveillance for law enforcement officials. The piece noted that FinFisher’s creators advertised the ability to deploy the Trojan disguised as an update for Apple’s iTunes media player, and that Apple last month fixed the vulnerability that the Trojan leveraged.
But the WSJ series and other media coverage of the story have overlooked one small but crucial detail: A prominent security researcher warned Apple about this dangerous vulnerability in mid-2008, yet the company waited more than 1,200 days to fix the flaw.
