Dozens of ZeuS Botnets Knocked Offline

March 10, 2010
25 Comments

NB: This story has been updated several times. Please read through to the end

Security experts are tracking a massive drop in the global number of control servers for various ZeuS botnets that are online, suggesting that a coordinated takedown effort may have been executed by law enforcement and/or volunteers from the security research community acting in tandem.

Image courtesy ZeusTracker

Sold for anywhere from $300-$2,000 in shadowy underground forums, ZeuS is a software kit that allows criminals to set up distributed networks of hacked PCs, usually for the purposes of siphoning user names, passwords and financial data from victim computers. A criminal operating a ZeuS botnet can control the systems from afar using a central “command and control” (C&C) server, and it is not uncommon for a single ZeuS C&C server to control tens of thousands of infected hosts. In most cases, the infected PCs continuously upload the victim’s personal data to so-called “drop servers,” or data repositories online that are specified by the criminal controlling the ZeuS botnet.

According to Roman Hüssy, the Swiss information technology expert who runs ZeusTracker – probably the most comprehensive site that tracks ZeuS activity — on the evening of Mar. 9, the number of active ZeuS C&C servers he was tracking fell instantly from 249 to 181.

In an online chat conversation with Krebs on Security, Hüssy said the average ZeuS C&C he tracks has anywhere from 20,000 to 50,000 unique infected computers under its thumb. That means this takedown may have had a massive impact on a large number of criminal operations. For starters, even if we take a conservative estimate, and assume that each of the C&Cs knocked offline controlled just 25,000 PCs, that would mean more than 1.7 million infected systems were released from ZeuS captivity by this apparently coordinated takedown.

Continue reading

Microsoft Warns of Internet Explorer 0day

March 9, 2010
8 Comments

Microsoft issued two security patches today to plug important security holes in its Windows operating system and Office software. The software giant also warned that it is aware of hackers exploiting yet another unpatched security flaw in older versions of its Internet Explorer Web browser.

Microsoft said it is investigating public reports that hackers have worked out how to exploit a previously unknown security hole in IE versions 6 and 7 as a vehicle for installing malicious software. Redmond says it is only seeing this flaw being used in “targeted” attacks at this point, but of course these types of pinprick attacks on unpatched vulnerabilities in IE often precede their much wider exploitation by the criminal hacking community.

If you depend on IE for browsing the Web, upgrade to IE8 if possible. Otherwise, consider switching to an alternative browser, particularly something like Firefox with an add-on that blocks scripts by default, such as Noscript or Request Policy. Yes, these add-ons take a bit getting used to, but from where I sit, allowing Javascipt and Flash to load unrestricted as you browse the web is simply unsafe on today’s Internet.

One of the updates Microsoft released today fixes a problem with the Windows Movie Maker application as shipped on Windows XP and Vista. The second patch fixes at least seven vulnerabilities in Microsoft Excel that Microsoft said are present in all supported versions of Microsoft Office, included Mac Office 2004 and 2008.

Updates (including IE8) are available through the Microsoft Update Web site, or via Automatic Update.

Advertisement

Monoprice.com Shuttered After Fraud Complaints

March 9, 2010
36 Comments

Audio visual cabling giant monoprice.com shut down its Web site – possibly for the next couple of weeks – while it investigates the possible compromise of its customer credit and debit card information.

Vincent Lim, monoprice.com’s operations manager, said the company took the site offline around midnight on Friday, Mar. 5, after it received e-mails and phone calls from several customers complaining about fraudulent charges on their cards that they had used on monoprice.com.

“A few of our customers recently reported to us that information from credit cards they used on the Monoprice website had been misused,” Lim said. “We promptly began an investigation with the help of expert computer forensic investigators to determine if any card data had been stolen from our computers.”

To date, he said, investigators have found no evidence that card information has been stolen from Monoprice’s computer network. The site is now allowing customers to browse products, but Monoprice won’t be taking any new orders until the investigation is completed, Lim said.

“We want to ensure that there is no security vulnerability in any part of our computer network system. We notified local and federal law enforcement agencies, our credit card processing business partners, and all credit card companies that some of our customers reported concerns regarding their card information to us,” the company said in a statement that now frames the top of its Web site. “We also advised these entities that we are working with outside security specialists to determine if there was breach of our computer system. We will post additional information when it is available.”

Monoprice’s corporate page on Facebook.com features a number of interesting comments from customers, some of whom attributed recent fraudulent charges to the incident, while others are praising the company for being so forthcoming and providing continuous updates via Facebook.

Cyber Crooks Leave Traditional Bank Robbers in the Dust

March 9, 2010
30 Comments

Organized cyber criminals stole more than $25 million from small to mid-sized businesses in brazen e-banking heists in the 3rd quarter of 2009 alone, federal regulators said last week. In contrast, traditional stick-up artists hauled less than $9.5 million out of U.S. banks over that same time period last year.

Speaking at the RSA Security Conference in San Francisco last week, David Nelson, an examination specialist with the Federal Deposit Insurance Corporation (FDIC), said online banking attacks against small businesses of the sort I have chronicled countless times over the past year netted thieves $25 million between July and September of 2009.

I wondered how that stacked up against real-life bank robbers here in the U.S., so I had a look at the FBI‘s published bank crime statistics for that same time period last year. Turns out, traditional bank robbers committed a total of 1,184 bank robberies during those three months, netting slightly more than $9.4 million (including $3,071 in travelers checks).

In fact, real-life bank robbers stole a total of just over $30 million in the first three quarters of 2009, just $5 million more than cyber crooks did in the third quarter of last year alone.

Small wonder that the haul from cyber bank robberies has overtaken that of physical heists:  Cyber thieves take far fewer risks to life, liberty and limb than do real-life bank robbers. In that same three month period last year, the FBI says bank robberies at bricks-and-mortar institutions caused five deaths — all them perpetrators of the crime.

What’s more, the perpetrators of these incessant attacks against small businesses banking online for the most part reside in countries that are traditionally beyond the reach and influence of U.S. law enforcement. Sure, bank robbers occasionally kill people (more often themselves) while they’re stealing your money, instead of silently lifting it out of your bank account from afar like cyber thieves. That alone makes them a more emotional high-value target for the feds. But let’s face it: Traditional stick up artists are a lot easier to collar. For one thing, by necessity they are all here in the United States.

In addition, while traditional bank robbers are limited to the amount of money they can physically carry from the scene of the crime, cyber thieves have a seemingly limitless supply of accomplices to help them haul the loot, by hiring so-called money mules to carry the cash for them.

Continue reading

Energizer Battery Charger Software Included Backdoor

March 9, 2010
16 Comments

Security experts at Symantec have discovered a software application made for a USB-based battery charger sold by Energizer actually included a hidden backdoor that allowed unauthorized remote access to the user’s system. The backdoor Trojan is easily removed, but Symantec believes the tainted software may have been in circulation since May 2007.

The product is the Energizer Duo USB battery charger, a device that charges batteries by drawing power from a USB port. The downloadable software that goes with the product — designed to monitor the charger’s performance and status — was available for both Mac and Windows, but according to the U.S. Computer Emergency Response Team (US-CERT) only the Windows version was affected.

Symantec said it found the backdoor after analyzing a component of the USB charger software sent to it by US-CERT. The backdoor is designed to run every time the computer starts, and then listen for commands from anyone who connects. Among the actions an attacker can take after connecting include downloading a file; running a file; sending a list of files on the system; and offloading the files to the remote attacker.

U.S. CERT has published an advisory that explains in greater detail how to remove this backdoor, should you have been unlucky enough to have installed the software. But the incident is the latest reminder that USB-based devices should always be considered hostile. At the very least, users should disable the autorun capability in Windows (which many malware families use to piggyback on removable media), and thoroughly scan any removable media for malicious files.

In another incident of malware hitchhiking on USB devices, Panda Security published a blog post Monday saying it had found a brand new Vodaphone HTC Magic mobile with Google’s Android operating system that came factory-packed with malicious software. According to Panda, the malware, which took advantage of the autorun functionality in Windows, was set up to enslave the host computer in the Mariposa botnet.

Victim Asks Capital One, ‘Who’s in Your Wallet?’

March 8, 2010
7 Comments

In December, I wrote about how a Louisiana electronics testing firm was suing its bank, Capital One, to recover the losses after cyber thieves broke in and stole nearly $100,000. It looks like another small firm in that state that was similarly victimized by organized crooks also is suing Capital One to recover their losses.

Joseph Mier

Joseph Mier and Associates Inc., a real estate appraisal company based in Hammond, L.a., lost more than $27,000 last year when five four unauthorized automated clearing house (ACH) withdrawals were made from its accounts and sent to individuals around the United States.

“I immediately contacted the bank, and for about a week dealt with them to correct the error,” Owner Joseph Mier said. “Finally, they said, ‘From what we can see, whoever did this used your credentials, but nobody breached our system and we’re not responsible.’ I told them maybe they should change their slogan to, “Who’s in your wallet?'”

A spokesperson for Capital One said the company does not comment on pending litigation.

Continue reading

Fiserv to Banks: Stay on Outdated Adobe Reader

March 8, 2010
19 Comments

One of the nation’s largest providers of money-transfer and online banking services to credit unions and other financial institutions is urging customers not to apply the latest security updates for Adobe Reader, the very application most targeted by criminal hackers and malicious software.

At issue is a non-public advisory issued by Fiserv, a Fortune 500 company that provides bank transaction processing services and software to more than 16,000 clients worldwide.

A reader who works in security for a mid-sized credit union shared with me a notice posted prominently to the “collaborative care” portion of Fiserv’s site, a section dedicated to security and IT managers at partner financial institutions.

In the notice, dated Feb. 16, 2010, Fiserv instructed its customers to avoid the latest Adobe Reader updates, apparently in favor of one that was released two years ago:

“NOTICE: Please do not upgrade Adobe Acrobat Reader past Version 8.1.”

Continue reading

Yep, There’s a Patch for That

March 5, 2010
55 Comments

The average Microsoft Windows user has software from 22 vendors on her PC, and needs to install a new security update roughly every five days in order to use these programs safely, according to an insightful new study released this week.

The figures come from security research firm Secunia, which looked at data gathered from more than two million users of its free Personal Software Inspector tool. The PSI is designed to alert users about outdated and insecure software that may be running on their machines, and it is an excellent application that I have recommended on several occasions.

Stefan Frei, Secunia’s research analyst director, said the company found that about 50 percent of PSI users have more than 66 programs of installed.

“Those programs come from more than 22 vendors, so as a first order estimate the number of different vendors you have on your box is the number of different update mechanisms you have to master,” Frei said. “This is doomed to fail.”

Continue reading

‘Mariposa’ Botnet Authors May Avoid Jail Time

March 4, 2010
18 Comments

Three Spanish men were arrested last month for allegedly building an international network of more than 12 million hacked PCs that were used for everything from identity theft to spamming. But according to Spanish authorities and security experts who helped unravel the crime ring, the accused may very well never see the inside of a jail cell even if they are ultimately found guilty, due to insufficient cyber crime legislation in Spain.

According to Spanish security firm Panda Security, the massive botnet, dubbed “Marioposa” (Spanish for “butterfly”), was rented out to criminals as a delivery platform for installing malicious software such as the data-stealing ZeuS Trojan and pay-per-install toolbars. Panda said the gang also stole directly from victim bank accounts, using money mules in the United States and Canada, and laundered stolen money through online gambling Web sites (pictured above is a screen shot of the Web site the men created where would-be Mariposa customers could visit for information on purchasing access to the botnet and other criminal services.)

Panda said Mariposa helped crooks steal sensitive data from more than 800,000 victims, including home users, companies, government agencies and universities in at least 190 countries. Spanish police estimate that at least 600,000 of the victimized PCs belong to Spanish citizens, and yet they concede it may be extremely challenging to put the men in jail if they are convicted at trial.

“It is almost impossible to be sent to prison for these kinds of crimes in Spain, where prison is mainly for serious crime cases,” said Captain Cesar Lorenzana, deputy head technology crime division of the Spanish Civil Guard. “In Spain, it is not a crime to own and operate a botnet or distribute malware. So even if we manage to prove they are using a botnet, we will need to prove they also were stealing identities and other things, and that is where our lines of investigation are focusing right now.”

Continue reading

Krebsonsecurity Author Twice Honored

March 4, 2010
27 Comments

There is perhaps no greater compliment than to have your most esteemed peers recommend your work.  I am now blogging from the RSA Conference in San Francisco, and over the past two days krebsonsecurity.com has received two peer recognition awards, one from the SANS Institute – among the nation’s top security research and training groups – and another from the Security Bloggers Network, an organization that has sought to recognize blogs that provide valuable content on computer security issues.

The SANS Institute polled 75 cybersecurity journalists and asked them to rank the top peers in their field. True to form, I showed up late to the awards ceremony on Tuesday, and Alan Paller, director of research for SANS, called me up on stage and said I’d received twice as many votes as the next guy in the contest, Robert McMillan, a reporter whose work is almost certainly the most widely syndicated and quoted of virtually anyone in this industry. Likewise, I am proud to have shared this honor with reporters whose work I recommend and admire, including USA Today’s Byron Acohido, Wired.com’s Kim Zetter, as well as Dan Goodin from The Register.

In related news, the delegates who were party to the Security Bloggers Awards at RSA this year picked krebsonsecurity.com as the top “non-technical security blog.” Somehow, I managed to show up late for this as well. Again, it was wonderful to have been nominated alongside security bloggers such as Taosecurity’s Richard Bejtlich, and security curmudgeon-in-chief Bruce Schneier.