Krebs on Security

Bad BitDefender Antivirus Update Hobbles Windows PCs

March 20, 2010

A faulty update is being blamed for incapacitating an untold number of Microsoft Windows systems running anti-virus software from BitDefender.

BitDefender says the problem occurred Saturday morning with a faulty update for 64-bit Windows systems that caused multiple Windows and BitDefender files to be quarantined. The bad update causes the anti-virus program to flag thousands of legitimate Windows and BitDefender program files as a threat called “”FakeAlert.5”.

The Romanian software firm said the glitchy update has been removed and that the company is working on a fix for the problem. BitDefender’s user forum has lit up with complaints from customers, and the company appears to be fielding quite a number of inquiries on the problem via its Twitter page.

“We are creating a patch that will restore all quarantined files,” the company said in a statement on its site. “The patch will be available shortly. We apologize for this error and we will work to prevent this from occurring again in the future.”

BitDefender has posted partial recovery instructions for users who are having trouble booting up Windows after this bad update, although several apparent users commenting on the company’s Twitter feed indicated they were still unable to boot after following the instructions.

Meanwhile, Bitdefender representatives on Twitter are warning users that malware writers already are taking advantage of the situation, and urging users to download the fix — whenever it is made available — only from BitDefender’s Web site.

Naming and Shaming ‘Bad’ ISPs

March 19, 2010

64 Comments

Roughly two years ago, I began an investigation that sought to chart the baddest places on the Internet, the red light districts of the Web, if you will. What I found in the process was that many security experts, companies and private researchers also were gathering this intelligence, but that few were publishing it. Working with several other researchers, I collected and correlated mounds of data, and published what I could verify in The Washington Post. The subsequent unplugging of malware and spammer-friendly ISPs Atrivo and then McColo in late 2008 showed what can happen when the Internet community collectively highlights centers of badness online.

Fast-forward to today, and we can see that there are a large number of organizations publishing data on the Internet’s top trouble spots. I polled some of the most vigilant sources of this information for their recent data, and put together a rough chart indicating the Top Ten most prevalent ISPs from each of their vantage points. [A few notes about the graphic below: The ISPs or hosts that show up more frequently than others on these lists are color-coded to illustrate consistency of findings. The ISPs at the top of each list are the “worst,” or have the most number of outstanding abuse issues. “AS” stands for “autonomous system” and is mainly a numerical way of keeping track of ISPs and hosting providers. Click the image to enlarge it.]

What you find when you start digging through these various community watch efforts is not that the networks named are entirely or even mostly bad, but that they do tend to have more than their share of neighborhoods that have been overrun by the online equivalent of street gangs. The trouble is, all of these individual efforts tend to map ISP reputation from just one or a handful of perspectives, each of which may be limited in some way by particular biases, such as the type of threats that they monitor. For example, some measure only phishing attacks, while others concentrate on charting networks that play host to malicious software and botnet controllers. Some only take snapshots of badness, as opposed to measuring badness that persists at a given host for a sizable period of time.

Also, some organizations that measure badness are limited by their relative level of visibility or by simple geography. That is to say, while the Internet is truly a global network, any one watcher’s view of things may be colored by where they are situated in the world geographically, or where they most often encounter threats, as well as their level of visibility beyond their immediate horizon.

In February 2009, I gave the keynote address at a Messaging Anti-Abuse Working Group (MAAWG) conference in San Francisco, where I was invited to talk about research that preceded the Atrivo and McColo takedowns. The biggest point I tried to hammer home in my talk was that there was a clear need for an entity whose organizing principle was to collate and publish near real-time information on the Web’s most hazardous networks. Instead of having 15 or 20 different organizations independently mapping ISP reputation, I said, why not create one entity that does this full-time?

Unfortunately, some of the most clear-cut nests of badness online — the Troyaks of the world and other networks that appear to designed from the ground up for cyber criminals — are obscured for the most part from surface data collation efforts such as my simplistic attempt above. For a variety of reasons, unearthing and confirming that level of badness requires a far deeper dive. But even at its most basic, an ongoing, public project that cross-correlates ISP reputation data from a multiplicity of vantage points could persuade legitimate ISPs — particularly major carriers here in the United States — to do a better job of cleaning up their networks.

What follows is the first in what I hope will be a series of stories on different, ongoing efforts to measure ISP reputation, and to hold Internet providers and Web hosts more accountable for the badness on their networks.

Continue reading →

Researchers Map Multi-Network Cybercrime Infrastructure

March 17, 2010

32 Comments

Last week, security experts launched a sneak attack to disconnect Troyak, an Internet service provider in Eastern Europe that served as a global gateway to a nest of cyber crime activity. For the past seven days, unnamed members of the security community reportedly have been playing Whac-a-Mole with Troyak, which has bounced from one legitimate ISP to the next in a bid to reconnect to the wider Internet.

But experts say Troyak’s apparent hopscotching is expected behavior from what is in fact a carefully architected, round-robin network of backup and redundant carriers, all designed to keep a massive organized criminal operation online should a disaster like the Troyak disconnection strike.

Security firm RSA believes Troyak is but one of five upstream providers that encircle a nest of eight so-called “bulletproof networks” – Web hosting providers considered impervious to takedown by local law enforcement (pictured in red in the graphic below). RSA said this group of eight hosts some of the Internet’s largest concentrations of malicious software, including password stealing banking Trojans like ZeuS and Gozi, as well as huge repositories of personal and financial data stolen by these Trojans and a notorious Russian phishing operation known as RockPhish.

Continue reading →

MSE Users: Check for Updates, Piracy

March 16, 2010

18 Comments

One of the systems that just sits here idling all the time in what the wife lovingly calls the Krebs on Security “command center” runs Microsoft’s free Security Essentials anti-virus and security tool. Late last week, I just happened to notice that for who-knows-how-long, a pending upgrade to the program has left that system “potentially unprotected,” according to Microsoft.

I’m not terribly concerned, as I don’t use that system to browse the Web. But if you depend on MSE, check to see if you’ve applied this upgrade, which brings MSE from version 1.0.1959 to version 1.0.1961. You can check the version number by clicking the “Help” tab on the right edge of the MSE main screen, and the selecting “About Microsoft Security Essentials.”

It took a little digging, but here’s Microsoft’s account of what’s new in this updated version of MSE:

The latest version of Microsoft Security Essentials includes improved messaging on the Update tab, improved scan reports on the Home tab, performance improvements, and enforcement of runtime Windows Activation Technology (WAT) in Microsoft Security Essentials.

More here. Unfortunately, this update comes with another attempt by Microsoft to check whether their customers are in fact software pirates. I would assume that people who are running a pirated version of Windows probably wouldn’t install MSE, but then again, we have seen time and again how Microsoft’s various anti-piracy checks often flag users who have purchased legitimate copies of Windows. I don’t fault Microsoft for trying to tackle the piracy problem, which is undoubtedly enormous in the Windows space, but at least now I understand why information about what was in this update or why it was being offered wasn’t so easy to find.

It seems that around the time Microsoft shipped this update, crooks peddling rogue anti-virus products began marketing a rogue app that mimics Microsoft’s Security Essentials offering. True to form, scammers never miss an opportunity to cash in on user confusion over updates like these.

eBanking Victim? Take a Number.

March 16, 2010

57 Comments

Over the past nine months, I have spent a substantial amount of time investigating and detailing the plight of dozens of small businesses that have had their bank accounts cleaned out by organized criminals. One of the most frequent questions I get from readers and from my journalist peers is, “How many of these stories are you going to tell?”

The answer is simple: As many as I can verify. The reason is just as plain: I’m finding that most small business owners have no clue about the threats they face or the liability they assume when banking online, even as the frequency and sophistication of attacks appears to be increasing.

I am now hearing from multiple companies each week that have suffered tens of thousands or hundreds of thousands of dollar losses from a single virus infection (last week I spoke with people from four different companies that had been victimized over the past two months alone). In each of these dramas, the plot line is roughly the same: Attackers planted malicious software on the victim’s PC to steal the company’s online banking credentials, and then used those credentials to siphon massive amounts of money from the targeted accounts. The twists to the stories come in how the crooks evade security technologies, how the banks react, and whether the customers are left holding the (empty) bag.

In most cases I’ve followed, the banks will do what they can to reverse the fraudulent transactions. But beyond that, the bank’s liability generally ends, because — unlike consumers — businesses do not have the same protection against fraud that consumers enjoy. Indeed, most companies that get hit with this type of fraud quickly figure out that their banks are under no legal obligation to reimburse them.

Earlier this month, I spoke with the CEO of Eskola LLC, a Treadway, Tenn. roofing firm that had $130,000 stolen from its online bank accounts in a series of five unauthorized wire transfers in late January. The bank was able to reverse most of those transfers, but Eskola was unable to recover more than $30,000 of the stolen money.

“It really took our bank by surprise and triggered a whole series of internal reviews, because they told me they’ve been hit several other times since then,” Jon Eskola said. “They said so far this year, it’s been the number one thing that’s come across their plate, and that this type of crime had increased 500 to 600 percent over a year ago.”

Continue reading →

Stopgap IE Fix, Safari Update Available

March 15, 2010

11 Comments

Microsoft has issued a stopgap fix to shore up a critical security hole in older versions of its Internet Explorer browser. Meanwhile, exploit code showing would-be attackers how to use the flaw to break into vulnerable systems is being circulated online.

Microsoft warned last week that it was aware of public reports that criminal hackers were using the vulnerability — present in IE 6 and IE 7 — in limited attacks. A few days later, a security researcher put together a working exploit for the flaw, based on a snippet of code he said he found referenced on a McAfee blog post (McAfee says it will be closely reviewing future blog posts to make sure they don’t inadvertently help the bad guys).

Continue reading →

FBI: Online Fraud Costs Skyrocketed in 2009

March 13, 2010

19 Comments

Source: ic3.gov

Reported losses from online fraud more than doubled last year, from $265 million in 2008 to nearly $560 million in 2009, according to figures released Friday by the FBI.

The figures come from complaints referred to the Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center. Last year, the IC3 received some 336,655 complaints, a 22.3 percent increase from the year prior.

Ironically, among the largest sources of complaints (16.6 percent) were e-mail scams that fraudulently used the FBI’s name to gain information from the recipient. Of the top five categories reported to law enforcement during 2009, non-delivered merchandise and/or payment fraud ranked nearly 20 percent; identity theft 14 percent; credit card and auction fraud, just over 10 percent each. The median dollar loss was $575, while the highest median losses were associated with investment fraud ($3,200), overpayment fraud ($2,500) and advanced-fee fraud ($1,500).

The full report is available from this link at ic3.gov (.pdf).

Crooks Crank Up Volume of E-Banking Attacks

March 11, 2010

46 Comments

Computer crooks stole more than $200,000 from an auto body shop in Ohio last month in a brazen online robbery. The attack is yet another example of how thieves are using malicious software to bypass bank security technologies that are often touted as strong deterrents to this type of fraud.

The latest victim is Clarke Collision Center, an auto body shop in Hudson, Ohio. According to Craig Kintz, owner of Kintz Tech, a local security consulting company that responded to the incident, on Feb. 23 an employee of the victim firm noticed something strange when she went to log in to the company’s online bank accounts: The site said the bank’s system was down for maintenance.

Clark Collision’s bank, Cincinnati-based Fifth Third Bank, requires business customers to enter their user name and password, and a one-time passcode generated by a battery-operated key fob that is synched up to the bank’s back end servers. This approach — what banking regulators call “multi-factor authentication” — involves asking the user to provide something they know (a user name and password) in addition to something they have (a code generated by a security token).

But Kintz said that when the body shop employee visited the bank’s site and entered her user name, password and the output from the security token, she was directed to a page that said the bank’s site was temporarily unavailable. The page she was sent to even included a 1-800 number supposedly for the bank’s customer service line.

Kintz said the woman called that number, but quickly found that it was not in service. When the employee looked up the real customer service number for the bank and called to complain about the suspicious activity, she learned that there had just been a large number of wires and money transfers out of the company’s accounts to individuals in the United States and overseas, Kintz said.

“She reported it to the bank at 9 o’clock that morning,” Kintz told Krebs on Security. “By 11:30 a.m. the bank had frozen all of the company’s accounts, but by that time those accounts had all been emptied.”

Continue reading →

Secret Obsession: Odd Windows Crash Alerts

March 11, 2010

26 Comments

Microsoft Windows isn’t restricted to just laptops and tower PCs: It is also common for Windows to serve as the dominant operating system these days inside of ATMs, cars, vending machines, kiosks, taxi meters, medical imaging devices, advertising display boards and so many of the computerized screens that we gaze upon and take for granted every day.

That is, until they stop working. Indeed, often the first indication that these things are run by Windows is when something causes them to crash, at which point the all-too-familiar Windows error messages or dreaded Blue Screen of Death (BSoD) splashes up on the device’s display. True, malicious software can cause BSoDs, which is the operating system’s way of shutting down to prevent irreparable damage to the underlying system. Just as often, however, a BSoD or critical stop error is the result of some kind of hardware malfunction, such as faulty memory, a failing power supply, or overheating.

It seems I’ve been seeing these BSoDs and “fatal error” type messages in the oddest places lately. Below is a gallery of just a few that I’ve shot recently with my trusty iPhone (aside from that last three, which came from friends and readers). Click one of the images to cycle through a slideshow.

: Funny BSoD that was powering an iPhone display booth at a security conference I attended in Washington, D.C.

: I hate seeing this stuff at airports, like this one on the way into my American flight from Chicago recently

: A BSoD at a payphone in the Madrid airport.

: No Fare: This Redtop cabbie was cranky, as you can see the meter isn’t running because the program kept crashing.

: This error kept causing the local Redbox DVD rental machine to crash. Supermarket mgr. didn’t want me to take this.

: I don’t even like to think the word “crash” while at airports.

: No Soda for You! This was supplied by a reader, who took the photo at a mall in Edison, NJ

: Another airport BSoD submitted by a reader.

: Reader-submitted fatal error image from a taxi in New York City

: Reader-submitted embedded OS fail at a N. Va. gas pump

: Reader submitted BSoD at St. Pancras International railway station in London, UK.

Continue reading →

Dozens of ZeuS Botnets Knocked Offline

March 10, 2010

25 Comments

NB: This story has been updated several times. Please read through to the end

Security experts are tracking a massive drop in the global number of control servers for various ZeuS botnets that are online, suggesting that a coordinated takedown effort may have been executed by law enforcement and/or volunteers from the security research community acting in tandem.

Image courtesy ZeusTracker

Sold for anywhere from $300-$2,000 in shadowy underground forums, ZeuS is a software kit that allows criminals to set up distributed networks of hacked PCs, usually for the purposes of siphoning user names, passwords and financial data from victim computers. A criminal operating a ZeuS botnet can control the systems from afar using a central “command and control” (C&C) server, and it is not uncommon for a single ZeuS C&C server to control tens of thousands of infected hosts. In most cases, the infected PCs continuously upload the victim’s personal data to so-called “drop servers,” or data repositories online that are specified by the criminal controlling the ZeuS botnet.

According to Roman Hüssy, the Swiss information technology expert who runs ZeusTracker – probably the most comprehensive site that tracks ZeuS activity — on the evening of Mar. 9, the number of active ZeuS C&C servers he was tracking fell instantly from 249 to 181.

In an online chat conversation with Krebs on Security, Hüssy said the average ZeuS C&C he tracks has anywhere from 20,000 to 50,000 unique infected computers under its thumb. That means this takedown may have had a massive impact on a large number of criminal operations. For starters, even if we take a conservative estimate, and assume that each of the C&Cs knocked offline controlled just 25,000 PCs, that would mean more than 1.7 million infected systems were released from ZeuS captivity by this apparently coordinated takedown.

Continue reading →

Last »