SpyEye vs. ZeuS Rivalry

April 1, 2010

It’s common for malware writers to taunt one another with petty insults nested within their respective creations. Competing crime groups also often seek to wrest infected machines from one another. A very public turf war between those responsible for maintaining the Netsky and Bagle worms back in 2005, for example, caused a substantial increase in the volume of threats generated by both gangs.

The latest rivalry appears to be budding between the authors of the Zeus Trojan — a crime kit used by a large number of cyber thieves — and “SpyEye,” a relatively new kit on the block that is taking every opportunity to jeer at, undercut and otherwise siphon market share from the mighty Zeus.

Symantec alluded to this in a February blog post that highlighted a key selling point of the SpyEye crimeware kit:  If the malware created with SpyEye lands on a computer that is already infected with Zeus, it will hijack and/or remove the Zeus infection.

Now, just a few months later, the SpyEye author is releasing a new update (v. 1.1) that he claims includes the ability to inject content into Firefox and Internet Explorer browsers, just as Zeus does (this screen shot shows the result of a demo configuration file on the left, which instructs the malware to inject SpyEye and “Zeuskiller”  banner ads into a live Bank of America Web site). It is precisely this injection ability that allows thieves using Zeus to defeat the security tokens that many banks require commercial customers to use for online banking.

The new version comes as the Zeus author is pushing out his own updates (v. 1.4), along with a hefty price tag hike. The old Zeus kit started at around $4,000, while the base price of the newer version is double that. According to research from Atlanta-based security firm SecureWorks, Zeus plug-ins that offer additional functionality raise the price even more. For example:

Continue reading

Advertisement

Spam Site Registrations Flee China for Russia

March 31, 2010

A crackdown by the Chinese government on anonymous domain name registrations has chased spammers from Chinese registrars (.cn) to those that handle the registration of Russian (.ru) Web site names, new spam figures suggest. Yet, those spammy domains may soon migrate to yet another country, as Russia is set to enforce a policy similar to China’s beginning April 1.

In mid-December 2009, the China Internet Network Information Center (CNNIC) announced that it was instituting steps to make it much harder to register a Web site anonymously in China, by barring individuals from registering domains ending in .cn. Under the new policy, those who want to register a new .cn domain name need to hand in written application forms, complete with a business license and an identity card.

Chinese authorities called the move a crackdown on phishing and pornographic Web sites, but human rights and privacy groups marked it as yet another effort by Chinese leaders to maintain tight control over their corner of the Internet. Nevertheless, the policy clearly caught the attention of the world’s most profligate spammers, who spam experts say could always count on Chinese registrars as a cheap and reliable place to buy domains for Web sites that would later be advertised in junk e-mail.

According to data obtained from two anti-spam experts, new registrations for sites advertised in spam began migrating from .cn to .ru just a few weeks after the Chinese domain policy took effect.

Continue reading

Monster Mac OS X Update

March 30, 2010

Apple released a software update on Monday that includes fixes for a massive number of security vulnerabilities in Mac OS X and associated software.

The update corrects more than 90 security flaws and weaknesses in a variety of Apple and third-party products included in versions of OS X, such as ClamAV, Firewall, iChat, Mail, PHP and QuickTime.

Updates are available for Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2, through Software Update or via Apple Downloads. You might want to schedule the download when you have some time to be away from the computer: Depending on which version you’re downloading, the size of the update may weigh in at more than 750 megabytes.

Online Thieves Take $205,000 Bite Out of Missouri Dental Practice

March 30, 2010

Organized computer criminals yanked more than $200,000 out of the online bank accounts of a Missouri dental practice this month, in yet another attack that exposes the financial risks that small- to mid-sized organizations face when banking online.

Dentists working at the Smile Zone, a Springfield, Mo. based dental practice that caters specifically to the needs of children, weren’t exactly all smiles on March 22. That was the day unidentified crooks sent at least $205,000 of the practice’s money to nearly a dozen individuals around the country.

Eric Hudkins, the office manager and husband of one of the dentists at Smile Zone, said the money was taken in 11 different transfers, including three large wires. Once again, it seems the attack was carried out with the help of money mules, willing or unwitting individuals hired through work-at-home job schemes over the Internet and lured into helping the attackers launder the stolen money.

“I’ve got the names, account numbers, and phone numbers for most of them, and have even looked some of them up on Facebook,” Hudkins said of the co-conspirators. “The bank talked to two of the [mule] account holders and asked them why they opened the account, who it was for, that kind of thing. Both of them said they’d had their resumes out on careerbuilder.com or monster.com and that someone they’d never met contacted them and offered to help them make some money.”

Hudkins said he contacted the FBI, and that the agent he spoke with told him the FBI wouldn’t open a case on the theft unless it was over $500,000 in losses. As it stands, he was told, his case would be lumped into a group of similar investigations that is being run out of an FBI task force in Omaha, Nebraska. It also appears there is little appetite for prosecuting the money mules, he said.

“The FBI said prosecuting these [mules] for doing anything wrong is near impossible,” Hudkins said.

Continue reading

Microsoft to Issue Emergency IE Fix

March 29, 2010

Microsoft Corp. said today it plans to break from its regularly scheduled monthly software update cycle to issue a patch on Tuesday for a security hole in its Internet Explorer Web browser that hackers have been exploiting lately.

Microsoft normally releases security updates on “Patch Tuesday,” the second Tuesday of each month. But this Tuesday, Mar. 30, Microsoft will release a cumulative update for Internet Explorer that fixes a critical software flaw in IE 6 and IE 7. The browser flaw lets hackers break into vulnerable systems remotely, with little help from users.

Redmond initially said it was aware of only “targeted” attacks that leveraged this vulnerability. But Microsoft’s statement that accompanied this announcement suggests that these attacks may have become more widespread.

“We have been monitoring this issue and have determined an out-of-band release is needed to protect customers,” Microsoft said in a statement on its Security Response Center blog today.

Tomorrow’s update will correct that flaw, as well as at least nine other security holes in IE that Microsoft had planned to patch on the next official Patch Tuesday (April 13).

Removing Viruses from a PC That Won’t Boot

March 29, 2010

One of the more common questions I hear from readers with computer virus infections is, “How do I get rid of a virus if I can’t even boot up into Windows to run an anti-virus scan?” Fortunately, there are a number of free, relatively easy-to-use tools that can help on this front.

The tools in this review are known as a “rescue CDs.” These are all free, Linux-based operating systems that one can download and burn to a CD-Rom. Once you’ve configured your PC to boot from the CD you’ve just burned, you can use the CD to scan your hard drive, and — depending on the type of rescue CD you choose — even copy files to a removable drive.

Continue reading

Would You Have Spotted this ATM Fraud?

March 25, 2010

ATM skimmer found on a Wachovia ATM in Alexandria Feb. 28.

The stories I’ve written on ATM skimmers — devices criminals can attach to bank money machines to steal customer data — remain the most popular at Krebs on Security so far. I think part of the public’s fascination with these fraud devices is rooted in the idea that almost everyone uses ATMs, and that it’s entirely possible to encounter this type of sneaky, relatively sophisticated form of crime right in our own neighborhoods.

Indeed, police in Alexandria, Va. — just a couple of miles to the East of where I reside — recently were alerted to a skimmer found on an ATM at a Wachovia Bank there. The device reportedly was discovered On Sunday, Feb. 28, at around 1:30 p.m., by an ATM technician (no one I’ve asked has been able to explain why the technician was there on a Sunday in the first place, but I digress). According to the Alexandria Police, the technician spotted the skimming device attached to the card reader on the ATM, snapped some pictures of it, and then went inside the bank to notify the bank’s security office. When he returned a few minutes later, the skimmer had been removed.

ATM skimmer found on a Wachovia ATM in Alexandria Feb. 28.

Skimmers are typically placed at the mouth of the card acceptance slot, and designed to record the data off of the magnetic strip on the back of a customer’s ATM card when he or she inserts the card into the machine. Usually, thieves will plant another device used to record the customer’s PIN, such as a hidden camera or a PIN pad overlay. With the data from the magnetic strip and the customer’s PIN, the thieves can later clone that ATM card and use it to withdraw cash. The police in this case couldn’t say whether there was also a PIN stealing apparatus attached to the ATM, although it seems likely that the technician simply overlooked it.

Cmdr. Jody D. Donaldson, head of the Alexandria Police Department’s Media Services Unit, said crooks sell skimmers in different adaptations and colors depending on the make and model of the ATM that their thieving customers want to target. The skimmer attached to the front of the Wachovia ATM for example, was manufactured for a specific model of Diebold ATMs, Donaldson said.

Donaldson said several customers have come forward to report fraudulent charges on their bank cards, with current losses from the incident estimated at more than $60,000.

Read on after the jump about how the skimmer used in this attack matches a model sold online by criminals in rent-to-own kits, complete with instructional videos and software that divvies up the stolen data.

Continue reading

Cybersecurity Policy Roundup

March 24, 2010

There are several cybersecurity policy issues on Capitol Hill that are worth keeping an eye on. Lawmakers in the Senate have introduced a measure that would call for trade restrictions against countries identified as hacker havens. Another proposal is meeting resistance from academics who worry about the effect of the bill’s mandatory certification programs for cyber security professionals.

As reported by The Hill newspaper, Senators Orrin Hatch (R-Utah) and Kirsten Gillibrand (D-NY) have introduced The International Cybercrime Reporting and Cooperation Act, a bill that would penalize foreign countries that fail to crack down on cyber criminals operating within their borders.

Continue reading

AVprofit: Rogue AV + Zeus = $

March 24, 2010

The presence of rogue anti-virus products, also known as scareware, on a Microsoft Windows computer is often just the most visible symptom of a more serious and insidious system-wide infection. To understand why, it helps to take a peek inside some of the more popular rogue anti-virus distribution networks that are paying people to peddle scareware alongside far more invasive threats.

Distributors or “affiliates” who sign up with avprofit.com, for example, are given access to an installer program that downloads not only rogue anti-virus but also ZeuS, a stealthy piece of malware that specializes in mining online banking credentials from infected PCs. ZeuS is the very piece of malware directly responsible for helping thieves steal tens of millions of dollars from small to mid-sized businesses over the past year.

Avprofit says it will pay affiliates roughly $1,000 for every 1,000 times they distribute this installer program, or about $1 per install. Typically, affiliates will embed these installers at porn sites or bundle them with programs seeded on peer-to-peer file-sharing services. The nightmare for the victim starts when he or she responds to the fake anti-virus pop-up warning of supposed threats resident on the victim’s PC, by agreeing to download and run a scanning tool.

What’s remarkable about this entire ecosystem is that in many cases, victims who have this installer run on their systems often end up paying for the rogue anti-virus, in addition to unknowingly giving up their passwords and handing complete control of their computer to the bad guys running this distribution network.

Continue reading