Krebs on Security

Nobel Peace Prize Site Serves Firefox 0day

October 26, 2010

The Web site for the Nobel Peace Prize has been serving up malicious software that takes advantage of a newly-discovered security hole in Mozilla Firefox, computer security experts warned today.

Oslo-based Norman ASA warned that visitors who browsed the Nobel Prize site with Firefox while the attack was active early Tuesday may have had malicious software silently installed on their computers without warning.

Mozilla just posted a blog entry saying it is aware of a critical vulnerability in Firefox 3.5 and 3.6, and that it has received reports from several security research firms that exploit code leveraging this vulnerability has been detected in the wild. The software firm isn’t saying much more about the flaw for now.

Mozilla says it is developing a fix, which it plans to deploy as soon as it has been tested. In the meantime, Firefox users can mitigate the threat from this flaw by using a script-blocking add-on like NoScript.

Update, 6:40 p.m. ET: I just heard back from Norman ASA malware analyst Snorre Fagerland via e-mail, and he has provided a bit more technical analysis of what’s going on with this Firefox flaw and with the exploit they discovered. Fagerland says the vulnerability is related to a “use-after-free condition” in certain objects, exploited through Javascript.

“Shellcode and a large heapspray is involved,” Fagerland wrote. “The script that does this checks for the following versions:

firefox/3.6.8
firefox/3.6.9
firefox/3.6.10
firefox/3.6.11

…and it checks that it is NOT running Vista or Win7 (Windows versions 6.0 and 6.1), pretty much limiting the attack to XP-family OS’s. The underlying vulnerability is confirmed to also affect Firefox 3.5x series, but we have not seen exploit code that attacks this.”

Update, Oct. 27, 11:50 p.m. ET: Mozilla has opened up the bug report on this flaw.

SpyEye v. ZeuS Rivalry Ends in Quiet Merger

October 24, 2010

39 Comments

Leading malware developers within the cyber crime community have conspired to terminate development of the infamous ZeuS banking Trojan and to merge its code base with that of the up-and-coming SpyEye Trojan, new evidence suggests. The move appears to be aimed at building a superior e-banking threat whose sale is restricted to a more exclusive and well-heeled breed of cyber crook.

Underground forums are abuzz with rumors that the ZeuS author — a Russian hacker variously known by the monikers “Slavik” and “Monstr” — is no longer planning to maintain the original commercial crimeware kit.

According to numerous hacker forums, the source code for ZeuS recently was transferred to the developer of the SpyEye Trojan, a rival malware maker who drew attention to himself by dubbing his creation the “ZeuS Killer.” The upstart banking Trojan author constantly claimed that his bot creation kit bested ZeuS in functionality and form (SpyEye made headlines this year when investigators discovered it automatically searched for and removed ZeuS from infected PCs before installing itself).

In an era when it has become a truism to say that malicious hackers seek riches over renown, the SpyEye author — a coder known as either “Harderman” and “Gribodemon” on different forums — appears to have sought both, boasting on numerous forums about the greatness of his malware, using flashy logos to promote it (see below), and granting an interview with security researchers about the riches it will bring him. Although the ZeuS author chose to license his botnet creation kit to private groups through multiple intermediaries, the SpyEye creator has peddled his kit directly to buyers via online forums and instant messages.

But — very recently — the public rivalry died down, and forum members on different sites where Harderman maintained a presence began complaining that they could no longer reach him for support issues. In an Oct. 11 message to one of the UnderWeb’s most exclusive hacker forums, Harderman can be seen breaking the news to fellow forum members. A screen shot of that message is below, followed by a translated version of it:

Good day!

I will service the Zeus product beginning today and from here on. I have been given the source codes free of charge so that clients who bought the software are not left without tech support. Slavik doesn’t support the product anymore, he removed the source code from his [computer], he doesn’t sell [it], and has no relationship to it. He also doesn’t conduct any business on the Internet and in a few days his contact [information] will not be active.

He asked me to pass on that he was happy to work with everyone. If you have any unresolved issues remaining [there is a] request to get in touch with him as soon as possible.

All clients who bought the software from Slavik will be serviced from me on the same conditions as previously. [I] request that [you] come directly to me regarding all issues.

Thanks to everyone for [your] attention!

Continue reading →

Pill Gangs Besmirch LegitScript Founder

October 21, 2010

54 Comments

Individuals who normally promote unlicensed, fly-by-night Internet pharmacies recently registered hundreds of hardcore porn and bestiality Web sites using contact information for the founder of a company that has helped to shutter more than 10,000 of these Internet pill mills over the past year, KrebsOnSecurity.com has learned.

The reputation attack is the latest sortie in an increasingly high-profile and high-stakes battle among spammers, online pill purveyors and those trying to shed light on their activities. Around the same time that these fake domains were registered, KrebsOnSecurity.com came under a sustained denial of service attack that traced back to Russian pill gangs.

In the third week of September, hundreds of domains were registered using the name, phone number and former business address of John Horton, founder of LegitScript, an Internet pharmacy verification service. The domains, many containing the word “adult,” all redirect to a handful of porn and bestiality sites (a partial list is available here, but please tread lightly with these sites because they are definitely not safe for work and may not be safe for your PC).

The sites were registered just days after LegitScript finalized a deal with eNom Inc., the world’s 5th-largest domain name registrar. At the time of that agreement, roughly 40 percent of the unlicensed online pharmacies selling drugs without requiring a prescription were registered through eNom, according to Horton.

Since then, many affiliates who promote pill sites via online pharmacy affiliate programs have been scrambling to move their domains to other registrars, with varying degrees of success.

Continue reading →

Critical RealPlayer Update

October 20, 2010

12 Comments

Real Networks Inc. has released a new version of RealPlayer that fixes at least seven critical vulnerabilities that could be used to compromise host systems remotely if left unpatched.

I’ve never hidden my distaste for this program, mainly due to its history of unnecessarily tracking users, installing oodles of third party software, and serving obnoxious pop-ups. But I realize that many people keep this software installed because a handful of sites still only offer streaming in the RealPlayer format. If you or someone you look after has this program installed, please update it.

The new versions listed in the chart below are not vulnerable to these flaws. Real Networks says it has no evidence that attackers are exploiting any of these flaws yet. The latest versions for all operating systems are available here.

Microsoft: ‘Unprecedented Wave of Java Exploitation’

October 18, 2010

34 Comments

Microsoft Corp. today warned that it is seeing a huge uptick in attacks against security holes in Java, a software package that is installed on the majority of the world’s desktop computers.

In a posting to the Microsoft Malware Protection Center blog, senior program manager Holly Stewart warned of an “unprecedented wave of Java exploitation,” and confirmed findings that KrebsOnSecurity.com published one week ago: Java exploits have usurped Adobe-related exploits as attackers’ preferred method for breaking into Windows PCs.

Image courtesy Microsoft

Stewart said the spike in the third quarter of 2010 is primarily driven by attacks on three Java vulnerabilities that have already been patched for some time now. Even so, attacks against these flaws have “gone from hundreds of thousands per quarter to millions,” she added. Indeed, according to Microsoft’s one-year anniversary post for its Security Essentials anti-malware tool, exploits for a Java vulnerability pushed the Renos Trojan to the top of the list for all malware families (malware and exploits) detected in the United States.

My research shows the reason for the spike, and it precedes the 3rd quarter of 2010: Java exploits have been folded into a number of the top “exploit packs,” commercial crimeware kits sold in the hacker underground that make it simple to seed hacked or malicious sites with code that exploits a variety of browser flaws in a bid to install malware.

Stewart asks, “Why has no one been talking about Java-based exploits?” Then she answers her own question:

Continue reading →

Earn a Diploma from Scam U

October 17, 2010

15 Comments

Since the dawn of the Internet, tutorials showing would-be scammers how to fleece others have been available online. But for novices who can’t be bothered to scour the Net for these far flung but free resources, the tricks of the trade now can be learned through the equivalent of community college classes in e-thievery, or or via intensive, one-on-one online apprenticeships.

Take the program currently being marketed on several fraud forums — it’s called Cash Paradise University (see screen shot below). For $50, a newbie scammer can learn the basics of online fraud, such as hiding one’s identity and location online, and how to obtain reliable stolen credit card numbers. For a $75 fee and an investment of about 2 to 3 hours, one can become fluent in the ways of “Skype carding,” or selling hacked and newly-created Skype accounts that have been loaded with funds from stolen credit cards.

The prices go up as the fledgling fraudster progresses from the Scam 101 courses to the more crafty classes, which naturally depend on the earlier courses as prerequisites (“for those who passed the basic,” admonishes the Scam U. professor). Learning the basics of “carding” merchandise — such as intercepting the shipments and selling the loot online — requires an investment of four to six hours and at least $250, with course materials adding as much as $150 to the cost of the class.

Tackling the tenets of cashing out stolen credit card numbers using Internet gambling sites could take up to seven hours of study time and require a $300 admittance fee. The master class — learning how to bootstrap and build out a botnet of computers infected with the ZeuS Trojan — can take upwards of 18 hours of classroom instruction, and cost at least $500 (although a copy of ZeuS bot builder is not included in the price of tuition!).

According to this fraud instructor’s profile on a top scammer forum, more than a dozen novice hackers have already paid for and progressed through the course work, and most appear to be giving their teacher high marks.

“Please note: due to change in the place of stay, I’ll be offline on 12-13 September,” the headmaster of CPU says to potential new students. “Classes take place from September 14, do not waste! Good luck in business.” For those ADHD students who need more individual attention, there is private tutoring available starting at $20 extra per class.

But don’t count paying for the classes with a (stolen?) credit card: This institution only accepts irreversible forms of payment, such as Western Union or virtual currencies like WebMoney and Liberty Reserve.

[EPSB]

Have you seen:

I’ll Take Two MasterCards and a Visa, Please…When you’re shopping for stolen credit and debit cards online, there are so many choices these days. A glut of stolen data — combined with innovation and cutthroat competition among vendors — is conspiring to keep prices for stolen account numbers exceptionally low. Even so, many readers probably have no idea that their credit card information is worth only about $1.50 on the black market.

[/EPSB]

Cyber Deterrence Group Urges Greater Disclosure, Transparency

October 14, 2010

11 Comments

A group tasked with devising strategies to deter cyber attacks is calling for mandatory public disclosure of fraud and hacking incidents by governments and organizations of all sizes, including banks.

The recommendations were a major thrust of a report issued earlier this month by the National Research Council, which was asked to examine the issue by the Office of the Director of National Intelligence. The 400-page document is actually well worth the time to read, or at least skim. The bulk of the paper addresses how solving the problems associated with cyber crime requires aligning incentives and liabilities so that those in the best position to fix the problems have an incentive to do so.

But to me, the most interesting and useful components of the report come at the end, where the group makes several broad policy recommendations, including:

Mitigating malware infections via ISPs by subsidized cleanup
Mandatory disclosure of fraud losses and security incidents
Mandatory disclosure of industrial control system incidents and intrusions
Aggregating reports of cyber espionage and reporting to the World Trade Organization

I don’t know how effective or realistic the last two recommendations would be, but as a reporter I’m naturally inclined toward disclosing data whenever possible. Loyal readers no doubt know where I stand on the first two points. I have long called for some kind of system in which ISPs are encouraged or given incentives to regularly scrub their networks for bot-infested customers and compromised Web sites.

And hardly a month goes by when I don’t hear from someone asking me where to find aggregated statistics on the costs of cybercrime and Internet banking fraud in the United States. The banks don’t have to publish reports of their losses, and although they are supposed to publish indicators of fraud (through suspicious activity reports) financial institutions seem to be spotty and begrudging about this level of reporting as well. Writing for SC Magazine earlier this summer, Charles Jeter of security software maker ESET penned a useful three part series on the lack of reporting by banks about the costs of online banking Trojans.

The free report is available at this link.

Speaking of global trends in cybercrime, Microsoft published its biannual Security Intelligence Report covering cybercrime activity it has observed in the first half of 2010. Anyone looking for granular data on which threats are most prevalent (at least from Microsoft’s perspective in scrubbing millions of PCs) should have a look at this informative report. Unsurprisingly, the United States (or more accurately — US-based ISPs) continues to lead the world in botnet infections.

While we’re on the subject of data breach and attack disclosure, now seems like a perfect time to mention that Arbor Networks is seeking additional perspective for its annual Worldwide Infrastructure Security Threat Report. Arbor is looking for a few clueful network administrators to anonymously share experiences and perspectives about operational risks and challenges involved in building, operating and defending large networks. If this describes you, check out their survey.

ZeuS Busts Bring Botnet Beatdown?

October 14, 2010

16 Comments

Authorities in the United States, United Kingdom and Ukraine launched a series of law enforcement sweeps beginning late last month against some of the world’s most notorious gangs running botnets powered by ZeuS, a powerful password-stealing Trojan horse program. ZeuS botnet activity worldwide took a major hit almost immediately thereafter, but it appears to be already on the rebound, according to one prominent ZeuS-watching site.

Statistics collected by the Web site Zeus Tracker indicate that while ZeuS botnet activity was already on the wane in the weeks leading up to the end of last month, that activity positively tanked following the recent busts, dipping to its lowest level since the Troyak takedowns earlier this year. For instance, prior to the arrests that began on Sept 29, Zeus Tracker was tracking more than 90 active Zeus control domains. By Oct. 3, that number had fallen to just 20.

I contacted Roman Hüssy, the Swiss information technology expert who maintains the tracking site, to see if there could be some technical or glitchy explanation for the dramatic drop. Hüssy said while there are criminal technologies being built into malware that try to prevent ZeuS Tracker from being able to follow ZeuS botnet infrastructure, he’s fairly sure he has managed to bypass it.

“Another thing which I’ve seen is that some [ZeuS botnet command servers] are using geo-IP location, [so that] if a ZeuS group just targets U.K. banks, they will do a geo-location restriction on the [control] server, and allow just bots from the U.K.” to ping the servers, he wrote in an instant message.

Some folks who probably know more about what’s really going on here (targeted takedowns, maybe?) aren’t responding at the moment, which tells me we may hear more about other factors that contributed to this drop in the days or weeks ahead. Stay tuned.

Pill Gang Used Microsoft’s Network in Attack on KrebsOnSecurity.com

October 13, 2010

56 Comments

An organized cyber crime gang known for aggressively pushing male enhancement drugs and other knockoff pharmaceuticals used Internet addresses belonging to Microsoft as part of a massive denial-of-service attack against KrebsOnSecurity.com late last month.

The attack on my Web site happened on Sept. 23, roughly 24 hours after I published a story about a criminal online service that brazenly sold stolen credit card numbers for less than $2 each (see: I’ll Take Two MasterCards and a Visa, Please). That story got picked up by BoingBoing, Gizmodo, NPR and a variety of other sites, public attention that no doubt played a part in the near-immediate suspension of that criminal Web site.

At first, it wasn’t clear what was behind the attack, which at one point caused a flood of traffic averaging 2.3 gigabits of junk data per second (see graph above). Not long after the attack ended, I heard from Raymond Dijkxhoorn and Jeff Chan, co-founders of SURBL, which maintains a list of Web sites that have appeared in spam. Chan sent me a message saying he had tracked the attack back to several Internet addresses, including at least one that appeared to be located on Microsoft’s network — 131.107.202.197.

According to SURBL, the culprits were botnets under the thumb of “the usual Russian pill gangs”: Dozens of domains that resolve(d) to online pharmacy sites — including bridgetthefidget.com, crazygraze.com, firstgang.com, triplefixes.com and philsgangdirect.com — were using a compromised machine at that Microsoft address as a domain name server.

The attackers then told machines they controlled to access a number of non-existent pages at sites that were pointing to the Internet address my hosting provider has assigned to KrebsOnSecurity.com (94.228.133.16). This forced several hundred or thousand machines to direct their traffic at my site, all in an attempt to prevent legitimate visitors from visiting it.

For example, the attack packets included DNS for false requests such as:

mzkzalczdznzjzfbszvzazd.jumpgirlsaloud.nl A 94.228.133.163

sdfsdfsdfsdfsdffbszvzazd.youralveolarbone.nl A 94.228.133.163

zzncmzkzalczdznzjzfbszvzazd.cheapxenonbulbs.com A 94.228.133.163

zzncmzkzalczdznzjzfbszvzazd.expletivedirect.com A 94.228.133.163

I found the unusual method of attack interesting because it called attention to a significant amount of infrastructure used by the bad guys. For all I know, this may have been intentional, either to let me know who was responsible, or to make me think I knew who was responsible.

Continue reading →

Java Update Clobbers 29 Security Flaws

October 12, 2010

20 Comments

Oracle today released a critical update to its widely-installed Java software, fixing at least 29 security vulnerabilities in the program.

Most consumers on Microsoft Windows PCs will have some version of Java installed (if you’re not sure whether you have Java or what version might be installed, click this link). Existing users can grab the latest version — Java 6 Update 22 — by visiting the Windows Control Panel, clicking on the Java icon, and then selecting the “Update Now” button on the “Update” tab. If you don’t already have this software, I recommend that you keep it that way.

Per Oracle’s advisory, updates are available for Windows, Solaris and Linux versions of Java. Apple maintains its own version of Java for OS X systems, and typically issues fixes for its version several months after the official Java release.

Be aware that Java’s updater may by default also include free “extras” that you may not want, such as the Yahoo! Toolbar or whatever other moneymaker they decide to bundle with their software this time around, so be sure to de-select that check box during installation if you don’t want the add-ons.

Last »