Inside a ‘Reveton’ Ransomware Operation

August 13, 2012

The U.S Federal Bureau of Investigation is warning about an uptick in online extortion scams that impersonate the FBI and frighten people into paying fines to avoid prosecution for supposedly downloading child pornography and pirated content. This post offers an inside look at one malware gang responsible for orchestrating such scams.

Reveton ransomware scam impersonating FBI

Reveton ransomware scam page impersonating the FBI

In an alert published last week, the FBI said that The Internet Crime Complaint Center — a partnership between the FBI and the National White Collar Crime Center — was “getting inundated with complaints” from consumers targeted or victimized by the scam, which uses drive-by downloads to hijack host machines. The downloaded malware displays a threatening message (see image to the right) and blocks the user from doing anything else unless he pays the fine or finds a way to remove the program.

The FBI alert said the attacks have surged with the help of a “new drive-by virus” called Reveton; in fact, Reveton and its ilk are hardly new. These types of attacks have been around for years, but traditionally have targeted European users. The scam pages used in the attacks mimic official notices from various national police or investigatory agencies, corresponding to the country in which the victim resides. For a breakdown of these Reveton-related ransomware scam pages by country, see this comprehensive gallery set up at botnets.fr.

Reveton.A is blamed in these most recent attacks, and the FBI said it appears Reveton is being distributed in conjunction with Citadel, an offshoot of the ZeuS Trojan that I have written about on several occasions. It is certainly possible that crooks are using Citadel to deploy Reveton, but as I’ll illustrate below, it seems more likely that the attackers in these cases are using exploit kits like BlackHole to plant both threats on victim PCs.

INSIDE A REVETON MALWARE GANG

Operations of one Reveton crime group. Source: ‘Kafeine,’ from botnets.fr.

At least that’s the behavior that’s been observed by a ragtag group of researchers that has been tracking Reveton activity for many months. Some of the researchers are associated with botnets.fr, but they’ve asked to remain nameless because of the sensitivity of their work. One of them, who goes by the screen name “Kafeine,” said much of the Reveton activity traces back to a group that is controlling the operation using reverse proxies at dozens of servers scattered across data centers globally (see this PDF for a more detailed look at the image above).

Kafeine said the groups involved in spreading Reveton are constantly fine-tuning all aspects of their operations, from the scam pages to solidifying their back-end hosting infrastructure. The latest versions of Reveton, for example, serve the scam pages from an encrypted (https://) connection, and only cough up the pages when an infected machine visits and sends a special request. Continue reading

‘Booter Shells’ Turn Web Sites into Weapons

August 10, 2012

Hacked Web sites aren’t just used for hosting malware anymore. Increasingly, they are being retrofitted with tools that let miscreants harness the compromised site’s raw server power for attacks aimed at knocking other sites offline.

It has long been standard practice for Web site hackers to leave behind a Web-based “shell,” a tiny “backdoor” program that lets them add, delete and run files on compromised server. But in a growing number of Web site break-ins, the trespassers also are leaving behind simple tools called “booter shells,” which allow the miscreants to launch future denial-of-service attacks without the need for vast networks of infected zombie computers.

absoboot.com’s configuration page

According to Prolexic, an anti-DDoS company I’ve been working with for the past few weeks to ward off attacks on my site, with booter shells DDoS attacks can be launched more readily and can cause more damage, with far fewer machines. “Web servers typically have 1,000+ times the capacity of a workstation, providing hackers with a much higher yield of malicious traffic with the addition of each infected web server,” the company said in a recent advisory.

The proliferation of booter shells has inevitably led to online services that let paying customers leverage these booter shell-backdoored sites. One such service is absoboot.com, also reachable at twbooter.com. Anyone can sign up, fund the account with Paypal or one of several other virtual currencies, and start attacking. The minimum purchase via PayPal is $15, which buys you about 5 hours worth of keeping a site down or at least under attack.

If you’d prefer to knock an individual internet user offline as opposed to a Web site, absoBoot includes a handy free tool that lets users discover someone’s IP address. Just select an image of your choice (or use the pre-selected image) and send the target a customized link that is specific to your absoBoot account. The link to the picture is mapped to a domain crafted to look like it takes you to imageshack.us; closer inspection of the link shows that it fact ends in “img501.ws,” and records the recipients IP address if he or she views the image. Continue reading

Advertisement

Triple DDoS vs. KrebsOnSecurity

August 8, 2012

“When nobody hates you, nobody knows you’re alive.” – Diplomacy, by Chris Smither

During the last week of July, a series of steadily escalating cyber attacks directed at my Web site and hosting provider prevented many readers from being able to reach the site or read the content via RSS. Sorry about that. What follows is a post-mortem on those digital sieges, which featured a mix of new and old-but-effective attack methods.

Junk traffic sent by a DNS amplification attack.

I still don’t know who was attacking my site or why. It’s not as if the perpetrator(s) sent a love letter along with the traffic flood. There was one indication that a story I published just hours before the attacks began — about a service for mass-registering domain names used for malware, spam and other dodgy business — may have struck a nerve: In one of the attacks, all of the assailing systems were instructed to load that particular story many times per second.

Oddly enough, the activity began just one day after I’d signed up with Prolexic. The Hollywood, Fla. based company helps businesses fend off distributed denial of service (DDoS) attacks, assaults in which miscreants knock targeted sites offline by flooding them with garbage traffic. Prolexic was among several anti-DDoS companies that offered to help earlier this year, when KrebsOnSecurity.com came under a separate spate of debilitating attacks.

The first DDoS campaigns consisted of several hundred systems repeatedly requesting image-heavy pages on my site. Prolexic’s analysts say the traffic signatures of these attacks matched that of a family of kits sold in the underground that allow anyone to quickly create their own botnet specifically for launching DDoS attacks. Both are believed to have been created by the same individual(s) behind the Dirt Jumper DDoS toolkit. The traffic signatures from the attack strongly suggest the involvement of two Dirt Jumper progeny: Di-BoTNet and Pandora.

Image courtesy Prolexic

Pandora is the latest in the Dirt Jumper family, and features four different attack methods. According to Prolexic, the one used against KrebsOnSecurity.com was Attack Type 4, a.k.a “Max Flood”; this method carries a fairly unique signature of issuing POST requests against a server that are over a million bytes in length.

Pandora’s creators boast that it only takes 10 PCs infected with the DDoS bot to bring down small sites, and about 30 bots to put down a mid-sized site that lacks protection against DDoS attacks. They claim 1,000 Pandora bots are enough to bring Russian search engine giant yandex.ru to a crawl, but that strikes me as a bit of salesmanship and exaggeration. Prolexic said more than 1,500 Pandora-infected bots were used in the assault on my site.

Continue reading

How to Break Into Security, Miller Edition

August 7, 2012

For this fifth edition in a series of advice columns for folks interested in learning more about security as a craft or profession, I interviewed Charlie Miller, a software bug-finder extraordinaire and principal research consultant with Accuvant LABS.

Probably best known for his skills at hacking Apple‘s products, Miller spent five years at the National Security Agency as a “global network exploitation analyst.” After leaving the NSA, Miller carved out a niche for himself as an independent security consultant before joining Accuvant in May 2011.

BK: How did your work for the NSA prepare you for a job in the private sector? Did it offer any special skill sets or perspectives that you might otherwise not have gotten in the private sector?

Miller: Basically, it provided on the job training.  I got paid a decent salary to learn information security and practice it at a reasonable pace.  It’s hard to imagine other jobs that would do that, but if you have a lot of free time, you could simulate such an experience.

BK: The U.S. Government, among others, is starting to dedicate some serious coin to cybersecurity. Should would-be cyber warriors be looking to the government as a way to get their foot in the door of this industry? Or does that option tend to make mainly sense for young people?

Miller: For me, it made sense at the beginning, but there are some drawbacks.  The most obvious drawback is government pay isn’t as competitive as the private industry.  This isn’t such a big deal when you’re starting out, but I don’t think I could work for the government anymore for this reason.  Because of this, many people use government jobs as a launching point to higher paying jobs (like government contracting).  For me, I found it very difficult to leave government and enter a (non govt contracting) industry.  I had 5 years of experience that showed up as a couple of bullet points on my resume.  I couldn’t talk about what I knew, how I knew it, experience I had, etc. I had a lot of trouble getting a good job after leaving NSA.

BK: You’ve been a fairly vocal advocate of the idea that companies should not expect security researchers to report bugs for free. But it seems like there are now a number of companies paying (admittedly sometimes nominal sums) for bugs, and there are several organizations that pay quite well for decent vulnerabilities. And certainly you’ve made a nice chunk of change winning various hacking competitions. Is this a viable way for would-be researchers to make a living? If so, is it a realistic rung to strive for, or is bug-hunting for money a sort of Olympic sport in which only the elite can excel?

Miller: In some parts of the world, it is possible to live off bug hunting with ZDI-level payments.  However, given the cost of living in the US, I don’t think it makes sense.  Even if you mix in occasional government sales, it would be a tough life living off of bug sales.  If I thought it was lucrative, I’d being doing it!  For me, it is hard to imagine making more than I do now as a consultant by selling bugs, and the level of risk I’d have to assume would be much higher.

Continue reading

Harvesting Data on the Xarvester Botmaster

August 6, 2012

In January of this year, I published the results of an investigation into the identity of the man behind the once-infamous Srizbi spam botnet. Today’s post looks at an individual likely involved in running the now-defunct Xarvester botnet, a spam machine that experts say appeared shortly after Srizbi went offline and shared remarkably similar traits.

In this screenshot from Spamdot.biz, Ronnie chats with “Tarelka” the Spamdot nickname used by the Rustock botmaster. The two are discussing an M86 report on the world’s top botnets.

Srizbi was also known in the underground as “Reactor Mailer,” and customers could register to spam from the crime machine by logging into accounts at reactormailer.com. That domain was registered to a mserver@mail.ru, an address that my reporting indicates was used by a Philipp Pogosov. More commonly known by his nickname SPM, Pogosov was a top moneymaker for SpamIt, a rogue online pharmacy affiliate program that was responsible for a huge percentage of junk email over the past half-decade.

When reactormailer.com was shuttered, Srizbi customers were instructed to log in at a new domain, reactor2.com. Historic WHOIS records show reactor2.com was registered by someone using the email address ronnich@gmail.com. As I wrote in January, leaked SpamIt affiliate records show that the ronnich@gmail.com address was used by a SpamIt affiliate named Ronnie who was referred to the program by SPM.

The Srizbi botnet would emerge as perhaps the most important casualty of the McColo takedown at the end of 2008. At the time, all of the servers used to control the giant botnet were hosted at McColo, a crime-friendly hosting facility in Northern California. When McColo’s upstream providers pulled the plug on it, that was the beginning of the end for Srizbi. SPM called it quits on spamming, and went off to focus on his online gaming company.

But according a report released in January 2009 by Trustwave’s M86 Security called Xarvester: The New Srizbi, Xarvester (pronounced “harvester”) was a pharmacy spam machine tied to SpamIt that emerged at about the same time that Srizbi disappeared, and was very similar in design and operation. It appears that SPM may have handed control over his botnet to Ronnie before leaving the spamming scene.

Continue reading

Uptick in Cyber Attacks on Small Businesses

August 3, 2012

New data suggests that cyber attacks aimed at small businesses have doubled over the past six months, a finding that dovetails with my own reporting on companies that are suffering six-figure losses from sophisticated cyber heists.

According to Symantec, attacks against small businesses rose markedly in the first six months of 2012 compared to the latter half of 2011. In its June intelligence report, the security firm found that 36 percent of all targeted attacks (58 per day) during the last six months were directed at businesses with 250 or fewer employees. That figure was 18 percent at the  end of Dec. 2011.

“There appears to be a direct correlation between the rise in attacks against smaller businesses and a drop in attacks against larger ones,” said Paul Wood, a security intelligence manager at Symantec. “It almost seems attackers are diverting their resources directly from the one group to the other.”

I’m seeing the same uptick, and have been hearing from more small business victims than at any time before — often several times per week.

In the second week of July, for example, I spoke with three different small companies that had just been hit by cyberheists (one of the victims asked not to be named, and the other didn’t want their case publicized). On July 10, crooks who’d broken into the computers of a fuel supplier in southern Georgia attempted to transfer $1.67 million out of the company’s accounts. When that failed, they put through a fraudulent payroll batch totaling $317,000, which the victim’s bank allowed.

The bank, First National Bank of Coffee County, managed to claw back an unusually large amount — approximately $260,000. The fuel company hired an outside forensics firm to investigate, and found that the trouble started on July 9, when the firm’s controller clicked a link embedded in an image in an email designed to look as though it was sent by the U.S. Postal Service and alerting the recipient about a wayward parcel. The link in the image loaded content from a site hosting the BlackHole exploit kit, which downloaded the ZeuS Trojan to the controller’s PC.

Interestingly, the fuel company and its bank said one of the money mules that the attackers recruited to help launder the stolen funds turned out to be an employee of Wells Fargo from Alabama. Many money mules are simply not the brightest bulbs, and it is usually difficult to prove that they weren’t scammed as well (because more often than not, the mules end up losing money).  But one would think people who work for banks should be at least be aware of these schemes, and held to a higher standard. What’s more, if this mule wasn’t complicit then he probably suspected something wasn’t right, because he had the funds sent to an account he controlled at a local credit union in Birmingham — rather than an account at Wells Fargo.

By the way, this is the second time I’ve encountered a money mule working at a major bank. Last year, I tracked down a woman at PNC Bank in Maryland who was hired by a mule recruitment gang and later helped move nearly $4,500 from a victim business in North Carolina to cybercriminals in Ukraine. She claimed she did not understand what she had done until I contacted her.

Continue reading

Tech Support Phone Scams Surge

August 2, 2012

The bogus tech support boiler rooms must be working overtime lately. I’ve recently been inundated with horror stories from readers who reported being harassed by unsolicited phone calls from people with Indian accents posing as Microsoft employees and pushing dodgy PC security services.

These telemarketing scams are nothing new, of course, but they seem to come and go in waves, and right now it’s definitely high tide.  One reader’s story in particular really creeped me out. “Ron” wrote in to say his friend’s young daughter was the latest target.

“A friend called me to tell me that someone called his house, and using some ruse, convinced his 11 year-old daughter to ‘type in some numbers’ into the Run window,” Ron wrote. “When he got home, he turned the computer off, and we assume that it’s compromised and will need to be reformatted.”

Ron said that not long after that incident, he received a similar call. The woman on the phone told him that she was “the authorized security monitoring service for Microsoft Windows,” and that they had detected that his computer was infected with malware, which naturally he needed to have removed.

“The phone number was a Georgia area code, but I’m pretty sure she was from somewhere in India or Pakistan, based on the delay,  her accent and use of English — she said her name was Nancy,” Ron said. “She was also calling me at 7:30 am.”

IF AT FIRST YOU DON’T SUCCEED…

Wednesday evening, I heard from “J.C.,” an information security officer from a community bank in Maine. J.C. said he’d just been contacted by two customers who called after being snookered by these scams.

“The scammers said they were from Microsoft and had been shadowing the customers’ computer, and saw they had a virus on their PCs, and would they please open a command prompt and download something,” said J.C., who spoke on the condition that I not print his full name or that of his employer.

J.C. said both customers had been bamboozled by a company in India called NIAS E Business Solutions, to the tune of $199. J.C. said the bank blocked the transactions and canceled the customers’ debit cards. But that didn’t stop NIAS from trying to put through the charges two more times. The first time for a lesser amount of $99. When that failed, the NIAS tried to put through a $120 charge via Western Union!

Continue reading

Dropbox: Password Breach Led to Spam

July 31, 2012

Two weeks ago, many Dropbox users began suspecting a data breach at the online file-sharing service after they started receiving spam at email addresses they’d created specifically for use at Dropbox. Today, the company confirmed that suspicion, blaming the incident on a Dropbox employee who had re-used his or her Dropbox password at another site that got hacked.

In a statement released on its blog this evening, DropBox’s Aditya Agarwal wrote:

Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.

A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.

A Dropbox spokeswoman said the company is not ready to disclose just how many user account credentials may have been compromised by this password oops, noting that the investigation is still ongoing.

Continue reading

Email-Based Malware Attacks, July 2012

July 31, 2012

Last month’s post examining the top email-based malware attacks received so much attention and provocative feedback that I thought it was worth revisiting. I assembled it because victims of cyberheists rarely discover or disclose how they got infected with the Trojan that helped thieves siphon their money, and I wanted to test conventional wisdom about the source of these attacks.

Top malware attacks and their antivirus detection rates, past 30 days. Source: UAB

While the data from the past month again shows why that wisdom remains conventional, I believe the subject is worth periodically revisiting because it serves as a reminder that these attacks can be stealthier than they appear at first glance.

The threat data draws from daily reports compiled by the computer forensics and security management students at the University of Alabama at Birmingham. The UAB reports track the top email-based threats from each day, and include information about the spoofed brand or lure, the method of delivering the malware, and links to Virustotal.com, which show the number of antivirus products that detected the malware as hostile (virustotal.com scans any submitted file or link using about 40 different antivirus and security tools, and then provides a report showing each tool’s opinion).

As the chart I compiled above indicates, attackers are switching the lure or spoofed brand quite often, but popular choices include such household names as American Airlines, Ameritrade, Craigslist, Facebook, FedEx, Hewlett-Packard (HP), Kraft, UPS and Xerox. In most of the emails, the senders spoofed the brand name in the “from:” field, and used embedded images stolen from the brands being spoofed.

The one detail most readers will probably focus on most this report is the atrociously low detection rate for these spammed malware samples. On average, antivirus software detected these threats about 22 percent of the time on the first day they were sent and scanned at virustotal.com. If we take the median score, the detection rate falls to just 17 percent. That’s actually down from last month’s average and median detection rates, 24.47 percent and 19 percent, respectively.

Continue reading

Tagging and Tracking Espionage Botnets

July 30, 2012

A security researcher who’s spent 18 months cataloging and tracking malicious software that was developed and deployed specifically for spying on governments, activists and industry executives says the complexity and scope of these cyberspy networks now rivals many large conventional cybercrime operations.

Joe Stewart, senior director of malware research at Atlanta-based Dell SecureWorks, said he’s tracked more than 200 unique families of custom malware used in cyber-espionage campaigns. He also uncovered some 1,100 Web site names registered by cyberspies for hosting networks used to control the malware, or for “spear phishing,” highly targeted emails that spread the malware.

Although those numbers may seem low in the grand scheme of things (antivirus companies now deal with many tens of thousands of new malware samples each day), almost everything about the way these cyberspying networks are put together seems designed to mask the true scope of the operations, he found. For instance, Stewart discovered that the attackers set up almost 20,000 subdomains on those 1,100 domain names; but these subdomains were used for controlling or handing out new malware for botnets that each only controlled a few hundred computers at a time.

“Unlike the largest cybercrime networks that can contain millions of infected computers in a single botnet, cyber-espionage encompasses tens of thousands of infected computers spread across hundreds of botnets,” Stewart wrote in a paper released at last week’s Black Hat security convention in Las Vegas. “So each botnet…tends to look like a fairly small-scale operation. But this belies the fact that for every [cyber-espionage] botnet that is discovered and publicized, hundreds more continue to lie undetected on thousands of networks.”

Once you get past all the technical misdirection built into the malware networks by its architects, Stewart said, the infrastructure that frames these spy machines generally points in one of two directions: one group’s infrastructure points back to Shanghai, the other to Beijing.

“There have to be hundreds of people involved, just to maintain this amount of infrastructure and this much activity and this many spear phishes, collecting so many documents, and writing this much malware,” Stewart said. “But when it comes time to grouping them, that’s when it gets harder. What I can tell from the clustering I’m doing here is that there are two major groups in operation. Some have dozens of different malware families that they use, but many will share a common botnet command and control infrastructure.”

Domains connected to different cyber-espionage botnets typically trace back to one of two destinations in China, according to Dell SecureWorks.

Continue reading