Criminal Classifieds: Malware Writers Wanted

June 6, 2011
28 Comments

The global economy may be struggling to create new jobs, but the employment outlook for criminally-inclined computer programmers has never been brighter. I’ve spent some time lurking on shadowy, online underground forums, and lately I’ve seen a proliferation of banner ads apparently placed by criminal gangs looking for talented programmers to help make existing malware stealthier and more feature-rich.

Many of the ads highlight job openings for coders who are skilled in devising custom “crypters,” programs designed to change the appearance of known malware so that it goes undetected by anti-virus software. Anti-virus signatures are based on snippets of code found within known malware samples, and crypters can try to help hide or obfuscate the code. When anti-virus firms update their products with the ability to detect and flag files that are shrouded by this layer of obfuscation, malware writers tweak their creations in a bid to further evade the new detection mechanisms.

The composite banner ad pictured above is a solicitation from a crime gang that offers a base salary of $2,000 per month in exchange for a “long-term partnership” creating crypters that include customer support. The ads lead to a sign-up page (below) where interested coders can leave their résumé and contact information, and state why they think they are qualified for the position.

The Russian text in the above ad translates to:

“We invite you to join our team of crypto-programmers, including programmers with no experience in this field.

We offer:

* Base salary from $2,000 per month, with an increase in salary, depending on the quality and timeliness of your work.
* Payments are made ​​weekly.
* Long-term cooperation (with many programmers, we have been in business for more than two years).

Please fill in your application only if you understand what is at stake. Thank you.”

Other ads, like the one below, seek qualified candidates for similar jobs with a promise of as much as $5,000 per month for creating custom crypters and providing customer support.

There also appears to be a high demand for programmers who can code so-called “Web injects,” plug-ins for malware kits like the ZeuS and SpyEye trojans, and they’re designed to inject custom content into a Web browser when the victim browses to certain sites, such as a specific bank’s login page.

Continue reading

Flash Player Patch Fixes Zero-Day Flaw

June 5, 2011
16 Comments

Adobe released an emergency security update today to fix a vulnerability that the company warned is being actively exploited in targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message.

The vulnerability — a cross-site scripting bug that could be used to take actions on a user’s behalf on any Web site or Webmail provider, exists in Flash Player version 10.3.181.16 and earlier for Windows, Macintosh, Linux and Solaris. Adobe recommends users update to version 10.3.181.22 (on Internet Explorer, the latest, patched version is 10.3.181.23).  To find out what version of Flash you have, go here.

Google appears to have already pushed out an update that fixes this flaw in Chrome. Adobe says it will ship an update to fix this flaw on Android sometime this week.

Adobe said it is still investigating whether this is exploitable in Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions of Adobe Reader and Acrobat for Windows and Macintosh operating systems, and that it is not aware of any attacks targeting Adobe Reader or Acrobat in the wild.

Remember that if you use Internet Explorer in addition to other browsers, you will need to apply this update twice: Once to install the Flash Active X plugin for IE, and again to update other browsers, such as Firefox and Opera. Updates are available by browsing with the appropriate browser to the Flash Player Download Center. Bear in mind that updating via the Download Center involves installing Adobe’s Download Manager, which may try to foist additional software. If you’d prefer to update manually, the direct installers for Windows are available at this link. If you run into problems installing this update, you’ll want to uninstall previous versions of Flash Player and then try again.

Advertisement

Spotting Web-Based Email Attacks

June 2, 2011
41 Comments

Google warned on Wednesday that hackers were launching targeted phishing attacks against hundreds of Gmail account users, including senior U.S. government officials, Chinese political activists, military personnel and journalists. That story, as related in a post on the Official Google Blog, was retold in hundreds of media outlets today as the latest example of Chinese cyber espionage: The lead story in the print edition of The Wall Street Journal today was, “Google: China Hacked Email.”

The fact that hackers are launching extremely sophisticated email attacks that appear to trace back to China makes for great headlines, but it isn’t exactly news. I’m surprised by how few media outlets took the time to explain the mechanics behind these targeted attacks, because they offer valuable insight into why people who really ought to know better keep falling for them. A more complete accounting of the attacks may give regular Internet users a better sense of the caliber of scams that are likely to target them somewhere down the road.

Google said “the goal of this effort seems to have been to monitor the contents of targeted users’ emails, with the perpetrators apparently using stolen passwords to change peoples’ forwarding and delegation settings. (Gmail enables you to forward your emails automatically, as well as grant others access to your account.)”

This statement freaked me out a little bit. When was the last time you checked whether your email forwarding settings had been modified? If you’re like me, probably never. This might be the most useful aspect of the Google disclosure, and it contains a few helpful pointers about how to check those settings in Gmail. Google also took this opportunity to remind users about the value of enabling 2-step verification, a security precaution I highlighted in a February blog post.

To my mind, the most valuable content in the Google Blog entry is a footnote that points to the Contagio Malware Dump blog, an incredibly detailed and insightful (if slightly dangerous) resource for information on targeted attacks. It’s worth noting that Google relied on Contagio to reconstruct how the attacks took place, and the author –blogger Mila Parkour — first wrote about these attacks almost four months ago.

Most of targeted email attacks chronicled on Parkour’s blog involve poisoned file attachments that exploit zero-day software flaws in programs like Adobe Flash or Microsoft Word.  This campaign also encouraged people to click a link to download a file, but the file was instead an HTML page that mimicked Gmail’s login page. The scam page also was custom-coded to fill in the target’s Gmail username. Contagiodump has a proof-of-concept page available at this link that shows the exact attack, except populated with “JDoe” in the username field.

Parkour also published an informative graphic highlighting the differences between the fake Google login page and the legitimate page at https://mail.google.com.

Continue reading

Rustock Botnet Suspect Sought Job at Google

June 1, 2011
34 Comments

Microsoft has fingered  a possible author of the late Rustock spam botnet – a self-described software engineer and mathematician who aspired to one day be hired by Google. Microsoft has apparently allocated significant resources to finding the author, but has not been able to locate him.

Rustock remains dead, but Microsoft is still on the hunt for the Rustock author. In its Second Status Report (PDF) filed last week with a district court in Seattle, Microsoft said it inquired with virtual currency provider Webmoney about the owner of an account used to rent Rustock control servers,  and confirmed that the account was affiliated with a man named Vladimir Alexandrovich Shergin. Microsoft also mentioned another suspect, “Cosma2k,” possibly named Dmitri A. Sergeev, Artem Sergeev, or Sergey Vladomirovich Sergeev. Microsoft said it is continuing its investigation of these names, to determine whether additional contact information can be identified and to which notice and service can be effected.

To help in the hunt, I hereby offer some details about him.

Microsoft helped to dismantle Rustock in March after a coordinated and well-timed “stun” targeting the spam botnet’s infrastructure, which was mainly comprised of servers based in U.S. hosting facilities. Two weeks after that takedown, I tracked down a Web hosting reseller in Eastern Europe who acknowledged renting some of those servers to the apparent Rustock author. That reseller shared the Webmoney account number used to purchase access to the servers, and Russian investigators I spoke with confirmed that the account had been registered by a Russian named Vladimir Shergin. By consulting a leaked database I obtained last year of the top earners for Spamit.com — at the time the world’s largest rogue online pharmacy network — I discovered that the same Webmoney account was shared by three of the top ten Spamit affiliates.

The information from the reseller and from the Spamit database traced back to a Spamit affiliate who used the pseudonym “Cosma2k.” The email address tied to that Cosma2K account was “ger-mes@ger-mes.ru”. When I came into possession of the Spamit.com data back in August 2010, the site ger-mes.ru was still responding to requests, and the homepage presented some very interesting information. It included a job résumé, underneath a picture of a young man holding a mug. Above the image was the name “Sergeev, Dmitri A.” At the very top of the page was a simple message: “I want to work in Google.” Beneath the résumé is the author’s email address, followed by the message, “Waiting for your job”!

Here is the complete page and résumé, in case anyone wants a closer look at this Belorussian-educated job seeker. I shared the information with Google in August 2010, to find out if they’d received a job application from this person, or if they’d considered flying him to Mountain View, Calif. for an interview. I still don’t have an answer to either question. I shared this same information with Microsoft in March.

Microsoft seems determined to bring the Rustock malefactors to court. Maybe the mug shot in this résumé will help to identify at least one of them.

Apple Update Targets Mac Malware

May 31, 2011
20 Comments

Apple released a security update today designed to address the recent scourge of scareware targeting Mac users. The update comes as security experts spotted new versions of the rogue application family MacDefender making the rounds via poisoned links on Facebook.

Security Update 2011-003, available for Mac OS X v. 10.6.7 and Mac OS X Server v. 10.6.7, includes a component that checks for the MacDefender malware and its known variants. In its most recent advisory, Apple states: “If MacDefender scareware is found, the system will quit this malware, delete any persistent files, and correct any modifications made to configuration or login files. After MacDefender is identified and removed, the message below will be displayed the next time an administrator account logs in.”

The update also adds malware definitions to warn users away from downloading MacDefender, and sets the computer to check daily for updates to the malware definition list. Mac users who apply this update and later try to download a version of this malware via Safari, iChat or Mail should see a warning similar to the following dialog box: I’m glad that Apple has released this update, although I think they probably waited too long to do so. Some Windows users are no doubt experiencing a twinge of schadenfreude at this development, considering how Apple and many hardcore fans of the Mac platform have held out OS X as an unbreachable fortress. What the defenders of the Myth of Apple Invulnerability have long ignored is that a growing share of their user base is made up of people who are not technically sophisticated, and are just as prone to falling for clever social engineering attacks as their Windows counterparts.

A reader captured this thought nicely in a comment on my post last week about an apparent source of MacDefender scams: “Yes, many Mac users are technically sophisticated. But many others are not. Many bought Macs in hopes of staying safe despite having no computer training, or they may even have been advised to get a Mac by friends and relatives who feared the worse if they were let loose on the internet with a Windows machine. Many users are elementary school children and their teachers, since Mac is strong in educational software. It isn’t necessary for the perpetrators to be able to infect every Mac for this scheme to be profitable.”

As Apple’s share of the marketplace continues to grow, let me remind readers again that the staying-safe advice often posted on KrebsonSecurity applies with equal urgency to the Mac community as it does to users of other OS platforms.

DNS Filtering Bill Riles Tech Experts, Hacktivists

May 31, 2011
33 Comments

A bill moving through the U.S. Senate that would grant the government greater power to shutter Web sites that host copyright-infringing content is under fire from security researchers, who say the legislation raises “serious technical and security concerns.” Meanwhile, hacktivists protested by attacking the Web site of the industry group that most actively supports the proposal.

Earlier this month, the Senate Judiciary Committee passed the Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act (PDF), a bill offered by committee chairman, Sen. Patrick Leahy (D-Vt.), that would let the Justice Department obtain court orders requiring U.S. Internet service providers to filter customer access to domains found by courts to point to sites that are hosting infringing content. The bill envisions that ISPs would do this by filtering DNS requests for targeted domains. DNS, short for “domain name system,” transforms computer-friendly IP addresses (such as 94.228.133.163) into words that are easier for humans to remember. For example, typing “krebsonsecurity.com” into a browser brings you to 94.228.133.163, and vice versa.

But the idea of blocking piracy by asking ISPs to filter DNS requests has touched a nerve with several prominent security experts, who say it would be “minimally effective and would present technical challenges that could frustrate important security initiatives.” The comments came in a whitepaper sent to Senate leaders this month by DNS experts Steve Crocker, David Dagon, Dan Kaminsky, Danny McPherson and Paul Vixie. For a brief explanation of why these individuals are worth hearing from on this subject, see the “About the Authors” section at the end of their paper.

The Protect IP Act “would promote the development of techniques and software that circumvent use of the DNS,” the experts wrote. “These actions would threaten the DNS’s ability to provide universal naming, a primary source of the Internet’s value as a single, unified, global communications network.”

Continue reading

ChronoPay Fueling Mac Scareware Scams

May 27, 2011
47 Comments

Some of the recent scams that used bogus security alerts in a bid to frighten Mac users into purchasing worthless security software appear to have been the brainchild of ChronoPay, Russia’s largest online payment processor and something of a pioneer in the rogue anti-virus business.

Since the beginning of May, security firms have been warning Apple users to be aware of new scareware threats like MacDefender and Mac Security. The attacks began on May 2, spreading through poisoned Google Image Search results. Initially, these attacks required users to provide their passwords to install the rogue programs, but recent variants do not, according to Mac security vendor Intego.

A few days after the first attacks surfaced, experienced Mac users on Apple support forums began reporting that new strains of the Mac malware were directing users to pay for the software via a domain called mac-defence.com. Others spotted fake Mac security software coming from macbookprotection.com. When I first took a look at the registration records for those domains, I was unsurprised to find the distinct fingerprint of ChronoPay, a Russian payment processor that I have written about time and again as the source of bogus security software.

The WHOIS information for both domains includes the contact address of fc@mail-eye.com. Last year, ChronoPay suffered a security breach in which tens of thousands of internal documents and emails were leaked. Those documents show that ChronoPay owns the mail-eye.com domain and pays for the virtual servers in Germany that run it. The records also indicate that the fc@mail-eye.com address belongs to ChronoPay’s financial controller Alexandra Volkova.

Continue reading

Blocking JavaScript in the Browser

May 25, 2011
38 Comments

Most Web sites use JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. To protect yourself, it is critically important to have an easy method of selecting which sites should be allowed to run JavaScript in the browser.

It is true that selectively allowing JavaScript on known, “safe” sites won’t block all malicious scripting attacks: Even legitimate sites sometimes end up running malicious code when scammers figure out ways to sneak tainted, bogus ads into the major online ad networks. But disallowing JavaScript by default and selectively enabling it for specific sites remains a much safer option than letting all sites run JavaScript unrestricted all the time.

Firefox has many extensions and add-ons that make surfing the Web a safer experience. One extension that I have found indispensable is NoScript. This extension lets the user decide which sites should be allowed to run JavaScript, including Flash Player content. Users can choose to allow specific exceptions either permanently or for a single browsing session.

The NoScript extension makes it easy to place or remove these restrictions on a site-by-site basis, but a novice user may need some practice to get the hang of doing this smoothly. For instance, it’s not uncommon when you’re shopping online to come across a site that won’t let you submit data without fully allowing JavaScript. Then, when you enable scripting so that you can submit your address and payment information, the page often will reload and clear all of the form data you’ve already supplied, forcing you to start over. Also, many sites host content from multiple third-party sites, and users who prefer to selectively enable scripts may find it challenging to discover which scripts need to be enabled for the site to work properly.

Chrome also includes similar script- and Flash blocking functionality that seems designed to minimize some of these challenges by providing fewer options. If you tell Chrome to block JavaScript on all sites by default, when you browse to a site that uses JavaScript, the upper right corner of the browser displays a box with a red “X” through it. If you click that and select “Always allow JavaScript on [site name]” it will permanently enable JavaScript for that site, but it doesn’t give you the option to block third-party JavaScript content on the site as Noscript does. In my testing, I had to manually refresh the page before Chrome allowed scripting on a site that I’d just whitelisted.

Continue reading