Bredolab Mastermind Was Key Spamit.com Affiliate

October 30, 2010

The man arrested in Armenia last week for allegedly operating the massive “Bredolab” botnet — a network of some 30 million hacked Microsoft Windows PCs that were rented out to cyber crooks — appears to have generated much of his clientele as an affiliate of Spamit.com, the global spamming operation whose members are blamed for sending a majority of the world’s pharmaceutical spam.

Armenian authorities arrested 27-year-old Georg Avanesov on suspicion of being the curator of Bredolab, a botnet that infected an estimated 3 million PCs per month through virus-laden e-mails and booby-trapped Web sites. The arrest resulted from a joint investigation between Armenian police and cyber sleuths in the Netherlands, whose ISPs were home to at least 143 servers used to direct the botnet’s activities. In tandem with the arrest and the unplugging of those servers, Dutch service providers began redirecting local Internet users to a disinfection and cleanup page if their PCs showed signs of Bredolab infections.

Investigators allege that Avanesov made up to US$139,000 each month renting the botnet to criminals who used it for sending spam and for installing password-stealing malicious software. Avanesov, who is thought to have made millions over a career spanning more than a decade, was arrested after hopping a flight from Moscow to his home in Yerevan, Armenia’s capital.

Pim Takkenberg, team leader for the Netherlands Police Agency’s High Tech Crime Unit, said Avanesov frequently used the hacker aliases “padonaque” and “Atata,” and for many years used the e-mail address “i.am@padonaque.info.” The domain padonaque.info has long been associated with a variety of malicious software families, and the malware that once called home to it reflects the varied clientele that investigators say Avanesov attracted over the years.

Atata’s ICQ Avatar

According to information obtained by KrebsOnSecurity, that e-mail address and Atata nickname were used to register at least two affiliate accounts at spamit.com. With online pharmacy sales generating him less than $2,000 each month over the last several years, Atata wasn’t pulling in anywhere near as much as the top earners in the program, some of whom earned six figures monthly promoting counterfeit pills via spam. But Takkenberg and others say it is likely that Atata used Spamit as a place to sign up new customers who were interesting in renting his Bredolab botnet to promote their pharmacy sites.

“The main thing he did was build this botnet — mainly using a lot of hacked Web sites,” Takkenberg said. “Then he sold parts of that botnet to other clients of his, who could upload their own malware loaders, FTP [password] grabbers, whatever they wanted.”

Continue reading

Critical Fixes for Shockwave, Firefox

October 28, 2010

Adobe Systems pushed out a critical security update for its Shockwave Player that fixes nearly a dozen security vulnerabilities.  The software maker also is warning that attackers are targeting a previously unidentified security hole in its Acrobat and PDF Reader products.

The Shockwave patch plugs 11 security holes in program, most of which attackers could use remotely to take control over an affected system.  Updates are available for Mac and Windows computers, from this link. The latest version is 11.5.9.615.  Before you blithely click through the process, keep a lookout for pre-checked “free” software that will install alongside this Shockwave update if you simply accept all the default options. When I tested the Shockwave installer, it included a “free PC performance scan from PC Tools’s Registry Mechanic. I opted to untick the check mark next to that option before proceeding with the rest of the install, which was otherwise uneventful.

Due to Adobe’s huge market share and apparent abundance of as-yet-undiscovered security holes, life with Adobe’s products can feel a bit like playing Whac-a-Mole: Just when you’ve patched one Adobe product it seems like there’s another one under assault by attackers. True to form, Adobe released a separate advisory today warning that hackers were targeting a critical flaw in the latest version of its Acrobat and PDF Reader products.

Continue reading

Advertisement

Demystifying KB976902, a.k.a. Microsoft’s “Blackhole” Update

October 28, 2010

I’ve received several e-mails from readers concerned about a mysterious, undocumented software patch that Microsoft began offering to Windows 7 users through Windows Update this week. Some Microsoft users have been spinning conspiracy theories about this patch because it lacks any real description of its function, and what little documentation there is about it says that it cannot be removed once installed and that it may be required as a prerequisite for installing future updates.

Normally, when Microsoft offers a patch through Windows Update, it also will publish a corresponding “knowledgebase” article that describes in great detail what the patch does and why users should install it — and how applying the update may impact current and future operations on the system.

This fix went out via Windows Update on Oct. 26 as a “recommended” and “important” patch, but it lacked any additional details, prompting conspiracy theories and speculation on message boards from users wondering whether they should ignore or install this update — which for many users was sandwiched between the dozens of security patches Microsoft began offering earlier this month as part of its regular Patch Tuesday security update cycle.

To make matters worse, many Windows 7 users said the patch was no longer offered after they declined installing it the first time, leading some curious researchers to dub it the “Blackhole” update.

I have verified with Microsoft that this update is designed to smooth the way for the deployment of future updates on Windows 7 systems (read on to the very end if you’d like the official response from Microsoft). The confusion appears to stem from a timing mistake by the folks at Microsoft, but this incident illustrates the hysteria that can ensue when the world’s largest software company fails — for whatever reason — to be fully transparent with a user base that has come to expect detailed advisories with every patch.

When I was researching this patch, I found an amusing thread on the Microsoft Answers forum — where several Microsoft most valuable professional experts urged other forum members to hold off installing the patch until more information was available. Others offered more speculative answers, suggesting that the patch was instead:

-A new service pack for Windows 7

-A “heuristic scanner to the machine that turned on whenever the machine went idle, and searched all attached storage devices for ‘terrorism-related’ information, then alerting ‘somebody’ over the Internet”

-The result of Microsoft having been hacked, with the patch being some kind of malicious third-party code being sent out to infect all Windows machines

-A new anti-piracy check from Microsoft.

Continue reading

Koobface Worm Targets Java on Mac OS X

October 27, 2010

A new version of the infamous Koobface worm designed to attack Mac OS X computers is spreading through Facebook and other social networking sites, security experts warn.

Security software maker Intego says this Mac OS X version of the Koobface worm is being served as part of a multi-platform attack that uses a malicious Java applet to attack users. According to Intego, the applet includes a prompt to install the malicious software:

Intego notes that if the download is allowed, “it runs a local web server and an IRC server, acts as part of a botnet, acts as a DNS changer, and can activate a number of other functions, either through files initially installed or other files downloaded subsequently. It spreads by posting messages on Facebook, MySpace and Twitter, usually trying to get people to click a link to view some sort of video.”

SecureMac also has a writeup on what appears to be the same threat, which it calls OSX.Boonana.a. SecureMac says that “there have been reports of similar behavior in recent trojan horses targeting Microsoft Windows, but they have not included cross-platform capabilities until now.”

It is not surprising that attackers would begin leveraging Java to attack Mac users with threats that have traditionally only menaced Windows users. My research shows that Java is now the leading vector of attacks against Windows systems, findings that recently were buttressed by oodles of attack data released by Microsoft. Also, Java was designed to be a cross-platform technology that would allow applications to run seamlessly regardless of the operating system relied upon by the user. It makes sense for attackers to consider Java as a platform-agnostic vehicle for delivering platform-specific malicious software.

Continue reading

Firesheep: Baaaaad News for the Unwary

October 27, 2010

“Firesheep,” a new add-on for Firefox that makes it easier to hijack e-mail and social networking accounts of others who are on the same wired or wireless network, has been getting some rather breathless coverage by the news media, some of whom have characterized this a new threat. In reality, this tool is more of a welcome reminder of some basic but effective steps that Internet users should take to protect their personal information while using public networks.

Most online services use secure sockets layer (SSL) encryption to scramble the initial login — as indicated by the presence of “https://” instead of “http://” in the address field when the user submits his or her user name and password. But with many sites like Twitter and Facebook, subsequent data exchanges between the user and the site are sent unencrypted and in plain text, potentially exposing that information to anyone else on the network who is running a simple Web traffic snooping program.

Why should we care if post-login data is sent in unencrypted plain text? Most Web-based services use “cookies,” usually small, text-based files placed on the user’s computer, to signify that the user has logged in successfully and that he or she will not be asked to log in again for a specified period of time, usually a few days to a few weeks (although some cookies can be valid indefinitely).

The trouble is that the contents of these cookies frequently are sent unencrypted to and from the user’s computer after the user has logged in. That means that an attacker sniffing Web traffic on the local network can intercept those cookies and re-use them in his own Web browser to post unauthorized Tweets or Facebook entries in that user’s name, for example. This attack could also be used to gain access to someone’s e-mail inbox.

Enter Firesheep, a Firefox add-on released this past weekend at the Toorcon hacker conference in San Diego. Eric Butler, the security researcher who co-authored the tool, explains some of the backstory and why he and a fellow researcher decided to release it:

“This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new ‘privacy’ features in an endless attempt to quell the screams of unhappy users, but what’s the point when someone can just take over an account entirely?”

In his blog post about Firesheep, I believe Butler somewhat overstates the threat posed by this add-on when he says: “After installing the extension you’ll see a new sidebar. Connect to any busy open wifi network and click the big ‘Start Capturing’ button. Then wait.”

Continue reading

Nobel Peace Prize Site Serves Firefox 0day

October 26, 2010

The Web site for the Nobel Peace Prize has been serving up malicious software that takes advantage of a newly-discovered security hole in Mozilla Firefox, computer security experts warned today.

Oslo-based Norman ASA warned that visitors who browsed the Nobel Prize site with Firefox while the attack was active early Tuesday may have had malicious software silently installed on their computers without warning.

Mozilla just posted a blog entry saying it is aware of a critical vulnerability in Firefox 3.5 and 3.6, and that it has received reports from several security research firms that exploit code leveraging this vulnerability has been detected in the wild. The software firm isn’t saying much more about the flaw for now.

Mozilla says it is developing a fix, which it plans to deploy as soon as it has been tested. In the meantime, Firefox users can mitigate the threat from this flaw by using a script-blocking add-on like NoScript.

Update, 6:40 p.m. ET: I just heard back from Norman ASA malware analyst Snorre Fagerland via e-mail, and he has provided a bit more technical analysis of what’s going on with this Firefox flaw and with the exploit they discovered. Fagerland says the vulnerability is related to a “use-after-free condition” in certain objects, exploited through Javascript.

“Shellcode and a large heapspray is involved,” Fagerland wrote. “The script that does this checks for the following versions:

firefox/3.6.8
firefox/3.6.9
firefox/3.6.10
firefox/3.6.11

…and it checks that it is NOT running Vista or Win7 (Windows versions 6.0 and 6.1), pretty much limiting the attack to XP-family OS’s. The underlying vulnerability is confirmed to also affect Firefox 3.5x series, but we have not seen exploit code that attacks this.”

Update, Oct. 27, 11:50 p.m. ET: Mozilla has opened up the bug report on this flaw.

SpyEye v. ZeuS Rivalry Ends in Quiet Merger

October 24, 2010

Leading malware developers within the cyber crime community have conspired to terminate development of the infamous ZeuS banking Trojan and to merge its code base with that of the up-and-coming SpyEye Trojan, new evidence suggests. The move appears to be aimed at building a superior e-banking threat whose sale is restricted to a more exclusive and well-heeled breed of cyber crook.

Underground forums are abuzz with rumors that the ZeuS author — a Russian hacker variously known by the monikers “Slavik” and “Monstr” — is no longer planning to maintain the original commercial crimeware kit.

According to numerous hacker forums, the source code for ZeuS recently was transferred to the developer of the SpyEye Trojan, a rival malware maker who drew attention to himself by dubbing his creation the “ZeuS Killer.” The upstart banking Trojan author constantly claimed that his bot creation kit bested ZeuS in functionality and form (SpyEye made headlines this year when investigators discovered it automatically searched for and removed ZeuS from infected PCs before installing itself).

In an era when it has become a truism to say that malicious hackers seek riches over renown, the SpyEye author — a coder known as either “Harderman” and “Gribodemon” on different forums — appears to have sought both, boasting on numerous forums about the greatness of his malware, using flashy logos to promote it (see below), and granting an interview with security researchers about the riches it will bring him. Although the ZeuS author chose to license his botnet creation kit to private groups through multiple intermediaries, the SpyEye creator has peddled his kit directly to buyers via online forums and instant messages.

But — very recently — the public rivalry died down, and forum members on different sites where Harderman maintained a presence began complaining that they could no longer reach him for support issues. In an Oct. 11 message to one of the UnderWeb’s most exclusive hacker forums, Harderman can be seen breaking the news to fellow forum members. A screen shot of that message is below, followed by a translated version of it:

Good day!

I will service the Zeus product beginning today and from here on. I have been given the source codes free of charge so that clients who bought the software are not left without tech support. Slavik doesn’t support the product anymore, he removed the source code from his [computer], he doesn’t sell [it], and has no relationship to it. He also doesn’t conduct any business on the Internet and in a few days his contact [information] will not be active.

He asked me to pass on that he was happy to work with everyone. If you have any unresolved issues remaining [there is a] request to get in touch with him as soon as possible.

All clients who bought the software from Slavik will be serviced from me on the same conditions as previously. [I] request that [you] come directly to me regarding all issues.

Thanks to everyone for [your] attention!

Continue reading

Pill Gangs Besmirch LegitScript Founder

October 21, 2010

Individuals who normally promote unlicensed, fly-by-night Internet pharmacies recently registered hundreds of hardcore porn and bestiality Web sites using contact information for the founder of a company that has helped to shutter more than 10,000 of these Internet pill mills over the past year, KrebsOnSecurity.com has learned.

The reputation attack is the latest sortie in an increasingly high-profile and high-stakes battle among spammers, online pill purveyors and those trying to shed light on their activities. Around the same time that these fake domains were registered, KrebsOnSecurity.com came under a sustained denial of service attack that traced back to Russian pill gangs.

In the third week of September, hundreds of domains were registered using the name, phone number and former business address of John Horton, founder of LegitScript, an Internet pharmacy verification service. The domains, many containing the word “adult,” all redirect to a handful of porn and bestiality sites (a partial list is available here, but please tread lightly with these sites because they are definitely not safe for work and may not be safe for your PC).

The sites were registered just days after LegitScript finalized a deal with eNom Inc., the world’s 5th-largest domain name registrar. At the time of that agreement, roughly 40 percent of the unlicensed online pharmacies selling drugs without requiring a prescription were registered through eNom, according to Horton.

Since then, many affiliates who promote pill sites via online pharmacy affiliate programs have been scrambling to move their domains to other registrars, with varying degrees of success.

Continue reading

Critical RealPlayer Update

October 20, 2010

Real Networks Inc. has released a new version of RealPlayer that fixes at least seven critical vulnerabilities that could be used to compromise host systems remotely if left unpatched.

I’ve never hidden my distaste for this program, mainly due to its history of unnecessarily tracking users, installing oodles of third party software, and serving obnoxious pop-ups. But I realize that many people keep this software installed because a handful of sites still only offer streaming in the RealPlayer format. If you or someone you look after has this program installed, please update it.

The new versions listed in the chart below are not vulnerable to these flaws. Real Networks says it has no evidence that attackers are exploiting any of these flaws yet. The latest versions for all operating systems are available here.

Microsoft: ‘Unprecedented Wave of Java Exploitation’

October 18, 2010

Microsoft Corp. today warned that it is seeing a huge uptick in attacks against security holes in Java, a software package that is installed on the majority of the world’s desktop computers.

In a posting to the Microsoft Malware Protection Center blog, senior program manager Holly Stewart warned of an “unprecedented wave of Java exploitation,” and confirmed findings that KrebsOnSecurity.com published one week ago:  Java exploits have usurped Adobe-related exploits as attackers’ preferred method for breaking into Windows PCs.

Image courtesy Microsoft

Stewart said the spike in the third quarter of 2010 is primarily driven by attacks on three Java vulnerabilities that have already been patched for some time now. Even so, attacks against these flaws have “gone from hundreds of thousands per quarter to millions,” she added. Indeed, according to Microsoft’s one-year anniversary post for its Security Essentials anti-malware tool, exploits for a Java vulnerability pushed the Renos Trojan to the top of the list for all malware families (malware and exploits) detected in the United States.

My research shows the reason for the spike, and it precedes the 3rd quarter of 2010: Java exploits have been folded into a number of the top “exploit packs,” commercial crimeware kits sold in the hacker underground that make it simple to seed hacked or malicious sites with code that exploits a variety of browser flaws in a bid to install malware.

Stewart asks, “Why has no one been talking about Java-based exploits?” Then she answers her own question:

Continue reading