Microsoft Takes Down Dozens of Zeus, SpyEye Botnets

March 26, 2012

Microsoft today announced the execution of a carefully planned takedown of dozens of botnets powered by ZeuS and SpyEye — powerful banking Trojans that have helped thieves steal more than $100 million from small to mid-sized businesses in the United States and abroad.

Microsoft, U.S. Marshals pay a surprise visit to a Scranton, Pa. hosting facility.

In a consolidated legal filing, Microsoft received court approval to seize several servers in Scranton, Penn. and Lombard, Ill. used to control dozens of ZeuS and SpyEye botnets. The company also was granted permission to take control of 800 domains that were used by the crime machines.The company published a video showing a portion of the seizures, conducted late last week with the help of U.S. Marshals.

This is the latest in a string of botnet takedowns executed by Microsoft’s legal team, but it appears to be the first one in which the company invoked the Racketeer Influenced and Corrupt Organizations (RICO) Act.

“The RICO Act is often associated with cases against organized crime; the same is true in applying the civil section of the law to this case against what we believe is an organization of people behind the Zeus family of botnets,” wrote Richard Boscovich, senior attorney for Microsoft’s Digital Crimes Unit. “By incorporating the use of the RICO Act, we were able to pursue a consolidated civil case against everyone associated with the Zeus criminal operation, even if those involved in the “organization” were not necessarily part of the core enterprise.”

It’s too soon to say how much of an impact this effort will have, or whether it will last long. Previous takedowns by Microsoft — such as its targeting of the Kelihos botnet last fall — have produced mixed results. There also are indications that this takedown may have impacted legitimate — albeit hacked — sites that crooks were using in their botnet operations. According to data recorded by Abuse.ch, a Swiss security site that tracks ZeuS and SpyEye control servers, some of the domains Microsoft seized appear to belong to legitimate businesses whose sites were compromised and used to host components of the malware infrastructure. Among them is a site in Italy that sells iPhone cases, a Thai social networking forum, and a site in San Diego that teaches dance lessons.

The effort also shines a spotlight on an elusive group of cyber thieves operating out of Ukraine who have been tagged as the brains behind a great deal of the ebanking losses over the past five years, including the authors of ZeuS (Slavik/Monstr) and SpyEye (Harderman/Gribodemon), both identities that were outed on this blog more than 18 months ago. Over the past few years, KrebsOnSecurity has amassed a virtual treasure trove of data about these and other individuals named in the complaint. Look for a follow-up piece with more details on these actors.

A breakdown of the court documents related to this case is available at zeuslegalnotice.com.

A Busy Week for Cybercrime Justice

March 26, 2012

Last week was a bad one to be a cybercrook. Authorities in Russia arrested several men thought to be behind the Carberp banking Trojan, and obtained a guilty verdict against the infamous spammer Leo Kuvayev. In the United States, a jury returned a 33-month jail sentence against a Belarusian who ran a call service for cyber thieves. At the same time, U.S. prosecutors secured a guilty plea against a Russian man who was part of a gang that stole more than $3 million from U.S. businesses fleeced with the help of the ZeuS Trojan.

Kuvayev in Thailand, 2001

In August 2010, KrebsOnSecurity broke the news that spam king Leonid “Leo” Aleksandorovich Kuvayev, was being held in a Russian prison awaiting multiple child molestation charges.  Late Friday, a Moscow City court judge rendered a guilty verdict against Kuvayev for crimes against the sexual integrity of minors, according to Russian news agency Lenta.ru.

In 2005, the attorney general of Massachusetts successfully sued Kuvayev for violations of the CAN-SPAM Act, a law that prohibits the sending of e-mail that includes false or misleading information about the origins of the message, among other restrictions. Armed with a massive trove of spam evidence gathered largely by lawyers and security experts at Microsoft Corp., the state showed that Kuvayev’s operation, an affiliate program known as BadCow, was responsible for blasting tens of millions of junk e-mails peddling everything from pirated software to counterfeit pharmaceuticals and porn.

In an apparent bid to sidestep those charges, Kuvayev fled the United States for Russia. A Massachusetts judge later convicted Kuvayev of CAN-SPAM violations, and ordered him to pay $37 million in civil penalties. FBI officials say that at the time, BadCow was raking in more than $30 million each year.

Russian prosecutors said Kuvayev sexually abused at least 11 girls aged 13 to 18 years, many of them suffering from mental and psychological problems and pupils of orphanages and boarding schools nearby Kuvayev’s business and residence in Moscow.

According to information obtained by KrebsOnSecurity, Russian prosecutors had help from Kuvayev’s old nemesis Microsoft, which had hired a local forensics company in 2010 to keep tabs on his activities. Microsoft’s Samantha Doerr confirmed that Microsoft Russia consulted with Moscow-based cyber forensics firm Group-IB, but said the nature of the investigation was related to Kuvayev’s spamming activities. Lenta.ru reports that it’s not clear when Kuvayev may be sentenced, but that the most serious offense he faces carries a penalty of 20 years in prison.

Group-IB also assisted in another investigation that bore fruit last week: The arrest of eight men — including two ringleaders from Moscow — alleged to have been responsible for seeding computers worldwide Carberp and RDPdor, powerful banking Trojans. Russian authorities say the crime gang used the malware to raid at least 130 million rubles (~$4.43 million USD) from more than 100 banks around the world, and from businesses in Russia, Germany and the Netherlands. Russian police released a video showing one of the suspects loudly weeping in the moments following a morning raid on his home.

The arrests help explain why the makers of Carberp abruptly stopped selling the Trojan late last year. Until recently, Carberp was sold on shadowy underground forums for more than $9,000 per license. In the screen shot below, a lead coder for the Carberp Trojan can be seen announcing on Nov. 1, 2011 that he will be immediately suspending new sales of the malware, and will not be reachable going forward. Continue reading

Advertisement

Bredolab Botmaster ‘Birdie’ Still at Large

March 21, 2012

Employee and financial records leaked from some of the world’s largest sponsors of spam provide new clues about the identity of a previously unknown Russian man believed to have been closely tied to the development and maintenance of “Bredolab,” a massive collection of hacked machines that was disassembled in an international law enforcement sweep in late 2010.

Bredolab grew swiftly after Birdie introduced his load system.

In October 2010, Armenian authorities arrested and imprisoned 27-year-old Georg Avanesov on suspicion of running Bredolab, a botnet that infected an estimated 3 million PCs per month through virus-laden e-mails and booby-trapped Web sites. The arrest resulted from a joint investigation between Armenian police and cyber sleuths in the Netherlands, whose ISPs were home to at least 143 servers that were used to direct the botnet’s activities.

Dutch and Armenian investigators have long suspected that Avanesov worked closely with an infamous Russian botmaster who used the nickname “Birdie,” but so far they have been unable to learn the Russian’s real identity or whereabouts.

“He was a close associate of Gregory A.,” Pim Takkenberg, team leader of the National High Tech Crime Unit in the Netherlands, said of the hacker known as Birdie. “Actually, we were never able to fully identify him.”

According to records leaked from SpamIt — a pharmacy affiliate program that was the victim of a data breach in 2010 — Birdie was an affiliate with SpamIt along with Avanesov. Neither affiliates earned much from SpamIt directly; they both made far more money selling other spammers access to Bredolab.

Birdie was also the nickname of a top member of Spamdot.biz, a now-defunct forum that once counted among its members nearly all of the big names in Spamit, as well as a dozen competing spam affiliate programs. Birdie’s core offering on Spamdot was the “Birdie Load System,” which allowed other members to buy “installs” of their own malware by loading it onto machines already infected with Bredolab.

So successful and popular was the Birdie Load System among Spamdot members that Birdie eventually had to create a customer queuing system, scheduling new loads days or weeks in advance for high volume customers. According to his own postings on Spamdot, Birdie routinely processed at least 50,000 new loads or installs for customers each day.

“Due to the fact that many of my clients very much hate waiting in line, we’ve begun selling access to weekly slots,” Birdie wrote. “If a ‘slot’ is purchased, independently from other customers, the person who purchased the slot is guaranteed service.”

Using Birdie’s Bredolab load system, spammers could easily re-seed their own spam botnets, and could rely upon load systems like this one to rebuild botnets that had been badly damaged from targeted takedowns by anti-spam activists and/or law enforcement. Bredolab also was commonly used to deploy new installations of the ZeuS Trojan, which has been used in countless online banking heists against consumers and businesses.

Below is a translated version of Birdie’s Dec. 2008 post to Spamdot describing the rules, prices and capabilities of his malware loading machine (click the image below twice for an enlarged version of the Spamdot discussion thread from which this translation was taken). Continue reading

Twitter Bots Target Tibetan Protests

March 20, 2012

Twitter bots — zombie accounts that auto-follow and send junk tweets hawking questionable wares and services — can be an annoyance to anyone who has even a modest number of followers. But increasingly, Twitter bots are being used as a tool to suppress political dissent, as evidenced by an ongoing flood of meaningless tweets directed at hashtags popular for tracking Tibetan protesters who are taking a stand against Chinese rule.

It’s not clear how long ago the bogus tweet campaigns began, but Tibetan sympathizers say they recently noticed that several Twitter hashtags related to the conflict — including #tibet and #freetibet — are now so constantly inundated with junk tweets from apparently automated Twitter accounts that the hashtags have ceased to become a useful way to track the conflict.

The discovery comes amid growing international concern over the practice of self-immolation as a means of protest in Tibet. According to the Associated Press, about 30 Tibetans have set themselves on fire since last year to protest suppression of their Buddhist culture and to call for the return of the Dalai Lama — their spiritual leader who fled during a failed 1959 uprising against Chinese rule.

I first heard about this trend from reader Erika Rand, who is co-producing a feature-length documentary about Tibet called State of Control. Rand said she noticed the tweet flood and Googled the phenomenon, only to find a story I wrote about a similar technique deployed in Russia to dilute Twitter hashtags being used by citizens protesting last year’s disputed parliamentary elections there.

“We first discovered these tweets looking at Twitter via the web, then looked at TweetDeck to see how quickly they were coming,” Rand said in an email to KrebsOnSecurity.com late last week. “They no longer appear when searching for Tibet on Twitter via the web, but are still flooding in fast via TweetDeck. This looks like an attempt to suppress news about recent activism surrounding Tibet. We’re not sure how long it’s been going on for. We noticed it last night, and it’s still happening now.” Continue reading

Avast Antivirus Drops iYogi Support

March 15, 2012

iYogi Refers to Incident as ‘Tylenol Moment’

Avast, an antivirus maker that claims more than 150 million customers, is suspending its relationship with iYogi, a company that it has relied upon for the past two years to provide live customer support for its products. The move comes just one day after an investigation into iYogi by KrebsOnSecurity.com indicating that the company was using the relationship to push expensive and unnecessary support contracts onto Avast users.

In a blog post published today, Avast said it came to the decision after reports on this blog that “iYogi’s representatives appear to have attempted to increase sales of iYogi’s premium support packages by representing that user computers had issues that they did not have.”

“Avast is a very non-traditional company in that positive referrals and recommendations from our user base drive our product usage,” Avast CEO Vince Steckler wrote. “We do not distribute our products in retail, via computer manufacturers, or other similar channels. This model has served us well and has made us the most popular antivirus product in the world. Last year we added over 30M new users on top of almost 30M new users in the previous year. As such, any behavior that erodes the confidence our users have with Avast is unacceptable. In particular, we find the behavior that Mr. Krebs describes as unacceptable.”

Steckler said Avast had initial reports of the unnecessary upselling a few weeks ago and met with iYogi’s senior executives to ensure the behavior was being corrected.

“Thus, we were shocked to find out about Mr. Krebs’ experience. As a consequence, we have removed the iYogi support service from our website and shortly it will be removed from our products,” Steckler said. “We believe that this type of service, when performed in a correct manner, provides immense value to users. As such, over the next weeks, we will work with iYogi to determine whether the service can be re-launched.”

Steckler added that Avast will also work to ensure that any users who feel they have been misled into purchasing a premium support receive a full refund. The company asked that users send any complaints or concerns to support@avast.com or even to the CEO himself, at vince.steckler@avast.com.

iYogi executives posted several comments to this blog yesterday and today in response to my reporting. After Avast announced its decision to drop iYogi, Larry Gordon, iYogi’s president of global channel sales, sent me a formal letter that was unapologetic, but which promised that the company would endeavor to do better. Gordon called the incident, a “Tylenol moment for iYogi and the leadership team.” His letter is reprinted in its entirety below.

Continue reading

Hackers Offer Bounty for Windows RDP Exploit

March 15, 2012

A Web site that bills itself as a place where independent and open source software developers can hire each other has secured promises to award at least $1,435 to the first person who can develop a working exploit that takes advantage of newly disclosed and dangerous security hole in all supported versions of Microsoft Windows.

That reward, which is sure to only increase with each passing day, is offered to any developer who can devise an exploit for one of two critical vulnerabilities that Microsoft patched on Tuesday in its Remote Desktop Protocol (RDP is designed as a way to let administrators control and configure machines remotely over a network).

Update, 8:47 a.m.: The RDP exploit may already be available. There are unconfirmed reports that a working exploit for the RDP bug has been posted to Chinese-language forums.

Original post:

The bounty comes courtesy of contributors to gun.io (pronounced gun-yo), a site that advances free and open software. The current bounty offered for the exploit is almost certainly far less than the price such a weapon could command the underground market, or even what a legitimate vulnerability research company like TippingPoint might pay for such research. But the site shows promise for organizing a grassroots effort at crafting exploits that can be used by attackers and defenders alike to test the security of desktops and the networks in which they run.

“We’re trying to advance the culture of independent software development – so we’ve made a place where indie developers can find other devs to help work on their projects and find gigs to work on when they need cash,” gun.io explains on the About section of the site.

Gun.io is the brainchild of Rich Jones, a 23-year-old Bostonite who just moved to Berkeley, Calif. Most recently, Jones ran a research P2P project called Anomos, which is an anonymous variant of the BitTorrent protocol. He also runs the OpenWatch Project, which uses mobile technology as a way of surveilling the police and other people in positions of power.

“I started Gun.io after working for a few years as a freelance developer and open source programmer,” Jones said in an email interview. “I wanted a way to get high quality, short term freelance jobs while also continuing to contribute back to the open source community. I’m particularly interested in the things that happen when people pool their money together, so we provide a free group fundraising platform for open source projects.”

Gun.io quietly launched about six months ago, and has already gained thousands of contributors. Until this week it had never offered a bounty for a software exploit, Jones said. Continue reading

Aghast at Avast’s iYogi Support

March 14, 2012

The makers of Avast antivirus software are warning users about a new scam involving phone calls from people posing as customer service reps for the company and requesting remote access to user systems. Avast is still investigating the incidents, but a number of users are reporting that the incidents followed experiences with iYogi, the company in India that is handling Avast’s customer support.

A follow-up investigation by KrebsOnSecurity indicates that Avast (among other security companies) is outsourcing its customer support to a third-party firm that appears engineered to do little else but sell expensive and unnecessary support contracts.

Adam Riley, Avast’s third party support manager, wrote in a post on the company’s blog that “during the past week or so, we have received some complaints and it appears that some of our customers are being targeted by a new scam.  Luckily only a handful of customers have contacted us regarding this so far, but they report receiving phone calls from ‘Avast customer service’ reps who need to take control of their computer to resolve some issue and who, for a fee, wish to charge them for this privilege.”

I’d first heard about the issue when a reader wrote in to say he’d received complaints from his clients about calls from someone claiming to represent Microsoft and requesting remote access to user computers to help troubleshoot computer problems.

I decided to investigate iYogi myself, and created a fresh installation of Windows XP on my Mac, using the free virtual machine from Virtualbox. I wanted to see whether I, too, would receive follow-up sales pitches. I also wanted to see for myself if there was anything to the claims on Avast’s user forum that iYogi was using support requests to push expensive “maintenance and support” packages.

A call to the support number listed on Avast’s site put me through to a technician named Kishore Chinni; I told Mr. Chinni that I had just installed a copy of Avast, but that I couldn’t be certain it was updating correctly. He asked for a phone number and an email address, and then said the first thing he needed to do was take remote control over my system. He directed me to use Internet Explorer to visit a Web site that requested permission to install two ActiveX add-ons. Those add-ons installed a remote control client called Bomgar Support.

Chinni asked if I had previously installed any antivirus software, and I said I wasn’t sure (I hadn’t). He then fired up the Windows Registry Editor (regedit), poked around some entries, and then opened up the Windows System Configuration Utility (msconfig) and the Windows Event Viewer. Chinni somberly read aloud a few of the entries in the event viewer marked with yellow exclamation points, saying they were signs that my computer could have a problem. He then switched over to the “services” panel of the system configuration tool and noted that the “manufacturer” listing next to avast! antivirus read “unknown.”

“When it says unknown like that, these are warnings that there could be an infection running on the computer,” Chinni explained. He proceeded to install an iYogi “tune up” tool called PCDiagnostics, which took about 60 seconds to complete a scan of my system. The results showed that my brand new installation of Windows had earned a 73% score, and that it had to detected 17 registry errors and a problem with Windows Update (this was unlikely, as I had already enabled Windows Update and Automatic Updates before I made the support call, and had installed all available security patches). Chinni explained that the “antispyware” warning generated by the PCDiagnostics scan was an indication that a previously installed security software program had not been cleanly removed and was probably causing problems with my computer.

He said another technician could help me with these problems if I wanted. When I inquired whether it would be free, Chinni told me that the company sells support packages for one- to three-year durations, and that the starting price for a support package was $169.99. Continue reading

RDP Flaws Lead Microsoft’s March Patch Batch

March 13, 2012

Microsoft today released updates to sew up at least seven vulnerabilities in Windows and other software. The sole “critical” update in the bunch patches a particularly dangerous flaw in all supported versions of Windows that allows attackers to seize control over vulnerable systems remotely without authentication.

The critical update plugs two security holes in Microsoft’s Remote Desktop Protocol (RDP), a service that is designed to let administrators access Windows systems remotely over a network. The saving grace for these vulnerabilities — which are present in Windows XP, Vista and 7, and Windows Server 2003, and 2008 — is that RDP not enabled by default on standard Windows installations. That means it is far more likely to be a threat to businesses than to consumer systems.

“It needs to be configured and started by the system’s owner, which then makes the vulnerability accessible; consequently we expect that only a relatively small percentage of machines will have RDP up and running,” said Wolfgang Kandek, chief technology officer for vulnerability management firm Qualys. Continue reading

Hacked Inboxes Lead to Bank Fraud

March 13, 2012

Hacked and phished email accounts increasingly are serving as the staging grounds for bank fraud schemes targeting small businesses. The scams are decidedly low-tech and often result in losses of just a few thousand dollars, but the attacks frequently succeed because they exploit existing trust relationships between banks and their customers.

Last month, scam artists hijacked private email accounts belonging to three different customers of Western National Bank, a small financial institution with seven branches throughout Central and West Texas. In each case, the thieves could see that the victim had previously communicated with bank personnel via email.

The attackers then crafted the following email, sending it to personnel at each victim’s respective local WNB bank branch.

Good Morning,

Can you please update me with the the available balance in my account and also the information needed to  complete an outgoing wire transfer for me today,i am on my way to my nephew funeral service but i will check my mail often for your response.

Thanks.

Wade Kuehler, an executive vice president at WNB, said bank personnel followed up on two of the requests, ignoring the request not to contact the customer via phone. In both cases, the customers were grateful for the contact, saying they had not sent such a request.

But the thieves struck paydirt with the third attempt, when a sympathetic associate at the bank responded to the message with the requested balance information. The follow-up email from the thieves included instructions to wire money to an account at another bank, and the assistant helpfully processed the transfer.

Continue reading

Half of All ‘Rogue’ Pharmacies at Two Registrars

March 12, 2012

Half of all “rogue” online pharmacies — sites that sell prescription drugs without requiring a prescription — got their Web site names from just two domain name registrars, a study released today found. The findings illustrate the challenges facing Internet policymakers in an industry that is largely self-regulated and rewards companies who market their services as safe havens for shadowy businesses.

Source: LegitScript

There are about 450 accredited domain name registrars worldwide, but at least one-third of all active rogue pharmacy sites are registered at Internet.bs, a relatively small registrar that purports to operate out of the Bahamas and aggressively markets itself as an “offshore” registrar. That’s according to LegitScript, a verification and monitoring service for online pharmacies.

LegitScript President John Horton said the company began to suspect that Internet.bs was courting the rogue pharmacy business when it became clear that the registrar has only two-tenths of one percent of the market share for new Web site name registrations. In a report (PDF) being released today, LegitScript said that a separate analysis of more than 9,000 “not recommended” pharmacies compiled by the National Association of Boards of Pharmacy suggested that Internet.bs is sponsoring nearly 44 percent of the Internet’s dodgy pill shops.

Asked whether he was concerned about allegations that his firm was targeting an industry that seeks out registrars who turn a blind eye to questionable businesses, Internet.bs President Marco Rinaudo replied that, on the contrary, LegitScript’s report was bound to be “excellent advertising for our company.”

Reached via phone at his home in Panama, Rinaudo said he was under no obligation to police whether his customers’ business may be in violation of some other nation’s laws, absent clear and convincing evidence that his registrants were operating illegally from their own country.

“Even though I understand they could bother some pharmacy lobby, if an industry likes us, what’s the problem with an online pharmacy, as long as they are operating legally from their own country?” Rinaudo asked. “We cannot accept pressure to shut down a legitimate business just because it is not pleasing to some political lobbying group. We and I personally make sure that all the domains that are in breach of an applicable law and for which we receive a complete report, will be acted on the same day.”

Continue reading