Bredolab Botmaster ‘Birdie’ Still at Large

March 21, 2012

Employee and financial records leaked from some of the world’s largest sponsors of spam provide new clues about the identity of a previously unknown Russian man believed to have been closely tied to the development and maintenance of “Bredolab,” a massive collection of hacked machines that was disassembled in an international law enforcement sweep in late 2010.

Bredolab grew swiftly after Birdie introduced his load system.

In October 2010, Armenian authorities arrested and imprisoned 27-year-old Georg Avanesov on suspicion of running Bredolab, a botnet that infected an estimated 3 million PCs per month through virus-laden e-mails and booby-trapped Web sites. The arrest resulted from a joint investigation between Armenian police and cyber sleuths in the Netherlands, whose ISPs were home to at least 143 servers that were used to direct the botnet’s activities.

Dutch and Armenian investigators have long suspected that Avanesov worked closely with an infamous Russian botmaster who used the nickname “Birdie,” but so far they have been unable to learn the Russian’s real identity or whereabouts.

“He was a close associate of Gregory A.,” Pim Takkenberg, team leader of the National High Tech Crime Unit in the Netherlands, said of the hacker known as Birdie. “Actually, we were never able to fully identify him.”

According to records leaked from SpamIt — a pharmacy affiliate program that was the victim of a data breach in 2010 — Birdie was an affiliate with SpamIt along with Avanesov. Neither affiliate earned much from SpamIt directly; both made far more money selling other spammers access to Bredolab.

Birdie was also the nickname of a top member of Spamdot.biz, a now-defunct forum that once counted among its members nearly all of the big names in SpamIt, as well as a dozen competing spam affiliate programs. Birdie’s core offering on Spamdot was the “Birdie Load System,” which allowed other members to buy “installs” of their own malware by loading it onto machines already infected with Bredolab.

So successful and popular was the Birdie Load System among Spamdot members that Birdie eventually had to create a customer queuing system, scheduling new loads days or weeks in advance for high volume customers. According to his own postings on Spamdot, Birdie routinely processed at least 50,000 new loads or installs for customers each day.

“Due to the fact that many of my clients very much hate waiting in line, we’ve begun selling access to weekly slots,” Birdie wrote. “If a ‘slot’ is purchased, independently from other customers, the person who purchased the slot is guaranteed service.”

Using Birdie’s Bredolab load system, spammers could easily re-seed their own spam botnets, and could rely upon load systems like this one to rebuild botnets that had been badly damaged from targeted takedowns by anti-spam activists and/or law enforcement. Bredolab also was commonly used to deploy new installations of the ZeuS Trojan, which has been used in countless online banking heists against consumers and businesses.

Below is a translated version of Birdie’s Dec. 2008 post to Spamdot describing the rules, prices and capabilities of his malware loading machine.

Twitter Bots Target Tibetan Protests

March 20, 2012

Twitter bots — zombie accounts that auto-follow and send junk tweets hawking questionable wares and services — can be an annoyance to anyone who has even a modest number of followers. But increasingly, Twitter bots are being used as a tool to suppress political dissent, as evidenced by an ongoing flood of meaningless tweets directed at hashtags popular for tracking Tibetan protesters who are taking a stand against Chinese rule.

It’s not clear how long ago the bogus tweet campaigns began, but Tibetan sympathizers say they recently noticed that several Twitter hashtags related to the conflict — including #tibet and #freetibet — are now so constantly inundated with junk tweets from apparently automated Twitter accounts that the hashtags have ceased to be a useful way to track the conflict.

The discovery comes amid growing international concern over the practice of self-immolation as a means of protest in Tibet. According to the Associated Press, about 30 Tibetans have set themselves on fire since last year to protest suppression of their Buddhist culture and to call for the return of the Dalai Lama — their spiritual leader who fled during a failed 1959 uprising against Chinese rule.

I first heard about this trend from reader Erika Rand, who is co-producing a feature-length documentary about Tibet called State of Control. Rand said she noticed the tweet flood and Googled the phenomenon, only to find a story I wrote about a similar technique deployed in Russia to dilute Twitter hashtags being used by citizens protesting last year’s disputed parliamentary elections there.

“We first discovered these tweets looking at Twitter via the web, then looked at TweetDeck to see how quickly they were coming,” Rand said in an email to KrebsOnSecurity.com late last week. “They no longer appear when searching for Tibet on Twitter via the web, but are still flooding in fast via TweetDeck. This looks like an attempt to suppress news about recent activism surrounding Tibet. We’re not sure how long it’s been going on for. We noticed it last night, and it’s still happening now.”


Avast Antivirus Drops iYogi Support

March 15, 2012

iYogi Refers to Incident as ‘Tylenol Moment’

Avast, an antivirus maker that claims more than 150 million customers, is suspending its relationship with iYogi, a company that it has relied upon for the past two years to provide live customer support for its products. The move comes just one day after an investigation into iYogi by KrebsOnSecurity.com indicated that the company was using the relationship to push expensive and unnecessary support contracts onto Avast users.

In a blog post published today, Avast said it came to the decision after reports on this blog that “iYogi’s representatives appear to have attempted to increase sales of iYogi’s premium support packages by representing that user computers had issues that they did not have.”

“Avast is a very non-traditional company in that positive referrals and recommendations from our user base drive our product usage,” Avast CEO Vince Steckler wrote. “We do not distribute our products in retail, via computer manufacturers, or other similar channels. This model has served us well and has made us the most popular antivirus product in the world. Last year we added over 30M new users on top of almost 30M new users in the previous year. As such, any behavior that erodes the confidence our users have with Avast is unacceptable. In particular, we find the behavior that Mr. Krebs describes as unacceptable.”

Steckler said Avast had initial reports of the unnecessary upselling a few weeks ago and met with iYogi’s senior executives to ensure the behavior was being corrected.

“Thus, we were shocked to find out about Mr. Krebs’ experience. As a consequence, we have removed the iYogi support service from our website and shortly it will be removed from our products,” Steckler said. “We believe that this type of service, when performed in a correct manner, provides immense value to users. As such, over the next weeks, we will work with iYogi to determine whether the service can be re-launched.”

Steckler added that Avast will also work to ensure that any users who feel they have been misled into purchasing a premium support package receive a full refund. The company asked that users send any complaints or concerns to support@avast.com or even to the CEO himself, at vince.steckler@avast.com.

iYogi executives posted several comments to this blog yesterday and today in response to my reporting. After Avast announced its decision to drop iYogi, Larry Gordon, iYogi’s president of global channel sales, sent me a formal letter that was unapologetic, but which promised that the company would endeavor to do better. Gordon called the incident a “Tylenol moment for iYogi and the leadership team.” His letter is reprinted in its entirety below.


Hackers Offer Bounty for Windows RDP Exploit

March 15, 2012

A Web site that bills itself as a place where independent and open source software developers can hire each other has secured promises to award at least $1,435 to the first person who can develop a working exploit that takes advantage of a newly disclosed and dangerous security hole in all supported versions of Microsoft Windows.

That reward, which is sure to only increase with each passing day, is offered to any developer who can devise an exploit for one of two critical vulnerabilities that Microsoft patched on Tuesday in its Remote Desktop Protocol (RDP is designed as a way to let administrators control and configure machines remotely over a network).

Update, 8:47 a.m.: The RDP exploit may already be available. There are unconfirmed reports that a working exploit for the RDP bug has been posted to Chinese-language forums.

Original post:

The bounty comes courtesy of contributors to gun.io (pronounced gun-yo), a site that advances free and open software. The current bounty offered for the exploit is almost certainly far less than the price such a weapon could command on the underground market, or even what a legitimate vulnerability research company like TippingPoint might pay for such research. But the site shows promise for organizing a grassroots effort at crafting exploits that can be used by attackers and defenders alike to test the security of desktops and the networks in which they run.

“We’re trying to advance the culture of independent software development – so we’ve made a place where indie developers can find other devs to help work on their projects and find gigs to work on when they need cash,” gun.io explains on the About section of the site.

Gun.io is the brainchild of Rich Jones, a 23-year-old Bostonite who just moved to Berkeley, Calif. Most recently, Jones ran a research P2P project called Anomos, which is an anonymous variant of the BitTorrent protocol. He also runs the OpenWatch Project, which uses mobile technology as a way of surveilling the police and other people in positions of power.

“I started Gun.io after working for a few years as a freelance developer and open source programmer,” Jones said in an email interview. “I wanted a way to get high quality, short term freelance jobs while also continuing to contribute back to the open source community. I’m particularly interested in the things that happen when people pool their money together, so we provide a free group fundraising platform for open source projects.”

Gun.io quietly launched about six months ago, and has already gained thousands of contributors. Until this week it had never offered a bounty for a software exploit, Jones said.

Aghast at Avast’s iYogi Support

March 14, 2012

The makers of Avast antivirus software are warning users about a new scam involving phone calls from people posing as customer service reps for the company and requesting remote access to user systems. Avast is still investigating the incidents, but a number of users are reporting that the incidents followed experiences with iYogi, the company in India that is handling Avast’s customer support.

A follow-up investigation by KrebsOnSecurity indicates that Avast (among other security companies) is outsourcing its customer support to a third-party firm that appears engineered to do little else but sell expensive and unnecessary support contracts.

Adam Riley, Avast’s third party support manager, wrote in a post on the company’s blog that “during the past week or so, we have received some complaints and it appears that some of our customers are being targeted by a new scam. Luckily only a handful of customers have contacted us regarding this so far, but they report receiving phone calls from ‘Avast customer service’ reps who need to take control of their computer to resolve some issue and who, for a fee, wish to charge them for this privilege.”

I’d first heard about the issue when a reader wrote in to say he’d received complaints from his clients about calls from someone claiming to represent Microsoft and requesting remote access to user computers to help troubleshoot computer problems.

I decided to investigate iYogi myself, and created a fresh installation of Windows XP on my Mac, using the free virtual machine from VirtualBox. I wanted to see whether I, too, would receive follow-up sales pitches. I also wanted to see for myself if there was anything to the claims on Avast’s user forum that iYogi was using support requests to push expensive “maintenance and support” packages.

A call to the support number listed on Avast’s site put me through to a technician named Kishore Chinni; I told Mr. Chinni that I had just installed a copy of Avast, but that I couldn’t be certain it was updating correctly. He asked for a phone number and an email address, and then said the first thing he needed to do was take remote control over my system. He directed me to use Internet Explorer to visit a Web site that requested permission to install two ActiveX add-ons. Those add-ons installed a remote control client called Bomgar Support.

Chinni asked if I had previously installed any antivirus software, and I said I wasn’t sure (I hadn’t). He then fired up the Windows Registry Editor (regedit), poked around some entries, and then opened up the Windows System Configuration Utility (msconfig) and the Windows Event Viewer. Chinni somberly read aloud a few of the entries in the event viewer marked with yellow exclamation points, saying they were signs that my computer could have a problem. He then switched over to the “services” panel of the system configuration tool and noted that the “manufacturer” listing next to avast! antivirus read “unknown.”

“When it says unknown like that, these are warnings that there could be an infection running on the computer,” Chinni explained. He proceeded to install an iYogi “tune up” tool called PCDiagnostics, which took about 60 seconds to complete a scan of my system. The results showed that my brand new installation of Windows had earned a 73% score, and that it had detected 17 registry errors and a problem with Windows Update (this was unlikely, as I had already enabled Windows Update and Automatic Updates before I made the support call, and had installed all available security patches). Chinni explained that the “antispyware” warning generated by the PCDiagnostics scan was an indication that a previously installed security software program had not been cleanly removed and was probably causing problems with my computer.

He said another technician could help me with these problems if I wanted. When I inquired whether it would be free, Chinni told me that the company sells support packages for one- to three-year durations, and that the starting price for a support package was $169.99.

RDP Flaws Lead Microsoft’s March Patch Batch

March 13, 2012

Microsoft today released updates to sew up at least seven vulnerabilities in Windows and other software. The sole “critical” update in the bunch patches a particularly dangerous flaw in all supported versions of Windows that allows attackers to seize control over vulnerable systems remotely without authentication.

The critical update plugs two security holes in Microsoft’s Remote Desktop Protocol (RDP), a service that is designed to let administrators access Windows systems remotely over a network. The saving grace for these vulnerabilities — which are present in Windows XP, Vista and 7, and Windows Server 2003 and 2008 — is that RDP is not enabled by default on standard Windows installations. That means it is far more likely to be a threat to businesses than to consumer systems.

“It needs to be configured and started by the system’s owner, which then makes the vulnerability accessible; consequently we expect that only a relatively small percentage of machines will have RDP up and running,” said Wolfgang Kandek, chief technology officer for vulnerability management firm Qualys.

Hacked Inboxes Lead to Bank Fraud

March 13, 2012

Hacked and phished email accounts increasingly are serving as the staging grounds for bank fraud schemes targeting small businesses. The scams are decidedly low-tech and often result in losses of just a few thousand dollars, but the attacks frequently succeed because they exploit existing trust relationships between banks and their customers.

Last month, scam artists hijacked private email accounts belonging to three different customers of Western National Bank, a small financial institution with seven branches throughout Central and West Texas. In each case, the thieves could see that the victim had previously communicated with bank personnel via email.

The attackers then crafted the following email, sending it to personnel at each victim’s respective local WNB bank branch.

Good Morning,

Can you please update me with the available balance in my account and also the information needed to complete an outgoing wire transfer for me today,i am on my way to my nephew funeral service but i will check my mail often for your response.

Thanks.

Wade Kuehler, an executive vice president at WNB, said bank personnel followed up on two of the requests, ignoring the request not to contact the customer via phone. In both cases, the customers were grateful for the contact, saying they had not sent such a request.

But the thieves struck paydirt with the third attempt, when a sympathetic associate at the bank responded to the message with the requested balance information. The follow-up email from the thieves included instructions to wire money to an account at another bank, and the assistant helpfully processed the transfer.


Half of All ‘Rogue’ Pharmacies at Two Registrars

March 12, 2012

Half of all “rogue” online pharmacies — sites that sell prescription drugs without requiring a prescription — got their Web site names from just two domain name registrars, a study released today found. The findings illustrate the challenges facing Internet policymakers in an industry that is largely self-regulated and rewards companies who market their services as safe havens for shadowy businesses.

Source: LegitScript

There are about 450 accredited domain name registrars worldwide, but at least one-third of all active rogue pharmacy sites are registered at Internet.bs, a relatively small registrar that purports to operate out of the Bahamas and aggressively markets itself as an “offshore” registrar. That’s according to LegitScript, a verification and monitoring service for online pharmacies.

LegitScript President John Horton said the company began to suspect that Internet.bs was courting the rogue pharmacy business when it became clear that the registrar has only two-tenths of one percent of the market share for new Web site name registrations. In a report (PDF) being released today, LegitScript said that a separate analysis of more than 9,000 “not recommended” pharmacies compiled by the National Association of Boards of Pharmacy suggested that Internet.bs is sponsoring nearly 44 percent of the Internet’s dodgy pill shops.

Asked whether he was concerned about allegations that his firm was targeting an industry that seeks out registrars who turn a blind eye to questionable businesses, Internet.bs President Marco Rinaudo replied that, on the contrary, LegitScript’s report was bound to be “excellent advertising for our company.”

Reached via phone at his home in Panama, Rinaudo said he was under no obligation to police whether his customers’ business may be in violation of some other nation’s laws, absent clear and convincing evidence that his registrants were operating illegally from their own country.

“Even though I understand they could bother some pharmacy lobby, if an industry likes us, what’s the problem with an online pharmacy, as long as they are operating legally from their own country?” Rinaudo asked. “We cannot accept pressure to shut down a legitimate business just because it is not pleasing to some political lobbying group. We and I personally make sure that all the domains that are in breach of an applicable law and for which we receive a complete report, will be acted on the same day.”


Banking on Badb in the Underweb

March 8, 2012

Underground Web sites can be a useful barometer for the daily volume of criminal trade in goods like stolen credit card numbers and hijacked PayPal or eBay accounts. And if the current low prices at one of the Underweb’s newer and more brazen card shops are indicative of a trend, the market for these commodities has never been more cutthroat.

Visa, Amex cards for sale at Badb.su

Badb.su is distinguishable from dozens of underground carding shops chiefly by its slick interface and tiny domain name, which borrows on the pseudonym and notoriety of the Underweb’s most recognizable carder. It’s difficult to say whether “Badb” himself would have endorsed the use of his brand for this particular venture, but it seems unlikely: The man alleged by U.S. authorities to be Badb — 29-year-old Vladislav Anatolievich Horohorin — has been in a French prison since his arrest there in 2010. Authorities believe Horohorin is one of the founding members of CarderPlanet, a site that helped move millions of stolen accounts. He remains jailed in France, fighting extradition to the United States (more about his case in an upcoming story).

Badb.su’s price list shows that purloined American Express and Discover accounts issued to Americans cost between $2.50 and $3 apiece, with MasterCard and Visa accounts commanding slightly lower prices ($2-$3). Cards of any type issued by banks in the United Kingdom or European Union fetch between $4-$7 each, while accounts from Canadian financial institutions cost between $3 and $5 a pop.

The site also sells verified PayPal and eBay accounts. Verified PayPal accounts with credit cards and bank accounts attached to them go for between $2 and $3, while the same combination plus access to the account holder’s email inbox increases the price by $2. PayPal accounts that are associated with bank and/or credit accounts and include a balance are sold for between 2 and 10 percent of the available balance. That rate is considerably lower than the last PayPal underground shop I reviewed, which charged 8 to 12 percent of the total compromised account balance.

Verified PayPal accounts with positive balances sell for between 2 and 10 percent of the available balance.

eBay auction accounts are priced according to the number of positive “feedback” points that each victim account possesses (feedback is the core of eBay’s reputation system, whereby members evaluate their buying and selling experiences with other members). eBay accounts with fewer than 75 feedback points sell for $2 each, while those with higher levels of feedback command prices of $5 and higher apiece, because these accounts are more likely to be perceived as trustworthy by other eBay members.

But don’t count on paying for any of these goods with a credit card; Badb.su accepts payment only through virtual currencies such as Liberty Reserve and WebMoney.

Badb.su, like many other card shops, offers an a-la-carte card-checking service that allows buyers to gauge the validity of stolen cards before or after purchasing them. Typically, these services will test stolen card numbers using a hijacked merchant account that initiates tiny charges or so-called pre-authorization checks against the card; if the charge or pre-auth clears, the card-checking service issues a “valid” response for the checked card number.
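Seen from the payment processor's side, a card checker running on a hijacked merchant account leaves a recognizable trace: one merchant suddenly submits many sub-dollar authorizations against many distinct cards, most of which decline. The following is an added example, not code from the post or from any shop or processor it describes; the log format, the thresholds and the sample rows are all assumptions.

```python
"""
Flag merchants whose authorization traffic looks like card testing:
many low-value auths against many distinct cards inside a short window,
with a high decline rate.  Everything here (CSV layout, field names,
thresholds, sample data) is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Auth:
    ts: int           # seconds since epoch (constructed)
    merchant: str
    card_hash: str    # tokenised card reference; raw PANs are never logged
    amount: float
    approved: bool


def parse_log(lines):
    """Parse constructed 'ts,merchant,card_hash,amount,result' rows."""
    auths = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, merchant, card, amount, result = line.split(",")
        auths.append(Auth(int(ts), merchant, card, float(amount), result == "approved"))
    return auths


def flag_card_testing(auths, window_s=600, max_amount=1.00,
                      min_cards=10, min_decline_rate=0.5):
    """
    Return {merchant: details} for every merchant that, within any
    window_s-second sliding window of low-value auths, hits at least
    min_cards distinct cards with a decline rate >= min_decline_rate.
    Only the widest qualifying window per merchant is kept.
    """
    by_merchant = defaultdict(list)
    for a in auths:
        if a.amount <= max_amount:          # tiny charges / pre-auths only
            by_merchant[a.merchant].append(a)

    flagged = {}
    for merchant, rows in by_merchant.items():
        rows.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(rows)):
            while rows[end].ts - rows[start].ts > window_s:
                start += 1                  # slide the window forward
            window = rows[start:end + 1]
            cards = {a.card_hash for a in window}
            rate = sum(1 for a in window if not a.approved) / len(window)
            if len(cards) >= min_cards and rate >= min_decline_rate:
                prev = flagged.get(merchant)
                if prev is None or len(cards) > prev["distinct_cards"]:
                    flagged[merchant] = {"distinct_cards": len(cards),
                                         "decline_rate": round(rate, 2),
                                         "window_start": rows[start].ts}
    return flagged


# Constructed sample: 'coffee-shop' has ordinary traffic; 'mrch-hijacked'
# probes 12 different cards with $0.50 pre-auths in under three minutes,
# two thirds of which decline.
SAMPLE_LOG = [
    "# ts,merchant,card_hash,amount,result",
    "1000,coffee-shop,c01,3.75,approved",
    "1030,coffee-shop,c02,0.99,approved",
    "1100,coffee-shop,c03,0.50,declined",
] + [
    f"{2000 + i * 15},mrch-hijacked,tok{i:02d},0.50,"
    f"{'approved' if i % 3 == 0 else 'declined'}"
    for i in range(12)
]

if __name__ == "__main__":
    for merchant, info in flag_card_testing(parse_log(SAMPLE_LOG)).items():
        print(f"{merchant}: {info}")
```

On the constructed log only `mrch-hijacked` is flagged (12 distinct cards, decline rate 0.67); the coffee shop's handful of small charges never reaches the distinct-card threshold.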


Court: 4 More Months for DNSChanger-Infected PCs

March 6, 2012

Millions of PCs sickened by a global computer contagion known as DNSChanger were slated to have their life support yanked on March 8. But an order handed down Monday by a federal judge will delay that disconnection by 120 days to give companies, businesses and governments more time to respond to the epidemic.

The reprieve came late Monday, when the judge overseeing the U.S. government’s landmark case against an international cyber fraud network agreed that extending the deadline was necessary “to continue to provide remediation details to industry channels approved by the FBI.”
