Posts Tagged: crimeware


2
Feb 16

Good Riddance to Oracle’s Java Plugin

Good news: Oracle says the next major version of its Java software will no longer plug directly into the user’s Web browser. This long overdue step should cut down dramatically on the number of computers infected with malicious software via opportunistic, so-called “drive-by” download attacks that exploit outdated Java plugins across countless browsers and multiple operating systems.

javamessAccording to Oracle, some 97 percent of enterprise computers and a whopping 89 percent of desktop systems in the U.S. run some form of Java. This has made Java JRE (the form of Java that runs most commonly on end-user systems) a prime target of malware authors.

“Exploit kits,” crimeware made to be stitched into the fabric of hacked and malicious sites, lie in wait for visitors who browse the booby-trapped sites. The kits can silently install malicious software on computers of anyone visiting or forcibly redirected to booby-trapped sites without the latest version of the Java plugin installed. In addition, crooks are constantly trying to inject scripts that invoke exploit kits via tainted advertisements submitted to the major ad networks.

These exploit kits — using names like “Angler,” “Blackhole,” “Nuclear” and “Rig” — are equipped to try a kitchen sink full of exploits for various browser plugins, but historically most of those exploits have been attacks on outdated Java and Adobe Flash plugins. As a result, KrebsOnSecurity has long warned users to remove Java altogether, or at least unplug it from the browser unless and until it is needed.

On Jan. 27, 2016, Oracle took a major step toward reducing the effectiveness of exploit kits and other crimeware when the company announced it was pulling the browser plugin from the next desktop version of Java – Java JRE 9. Continue reading →


2
May 11

‘Weyland-Yutani’ Crime Kit Targets Macs for Bots

A new crimeware kit for sale on the criminal underground makes it a simple point-and-click exercise to develop malicious software designed to turn Mac OSX computers into remotely controllable zombie bots. According to the vendor of this kit, it is somewhat interchangeable with existing crimeware kits made to attack Windows-based PCs.

The Mac malware builder in action.

KrebsOnSecurity has spilled a great deal of digital ink covering the damage wrought by ZeuS and SpyEye, probably the most popular crimeware kits built for Windows. A crimeware kit is a do-it-yourself package of tools that allow users to create custom versions of a malicious software strain capable of turning machines into bots that can be remotely controlled and harvested of financial and personal data. The bot code, generated by the crimeware kit’s “builder” component, typically is distributed via social engineering attacks in email and social networking sites, or is foisted by an exploit pack like Eleonore or Blackhole, which use hacked Web sites and browser flaws to quietly install the malware. Crimeware kits also come with a Web-based administration panel that allows the customer to manage and harvest data from infected PCs.

Crimekit makers have focused almost exclusively on the Windows platform, but today Danish IT security firm CSIS Security Group blogged about a new kit named the Weyland-Yutani BOT that is being marketed as the first of its kind to attack the Mac OS X platform.

The seller of this crimeware kit claims his product supports form-grabbing in Firefox and Chrome, and says he plans to develop a Linux version and one for the iPad in the months ahead. The price? $1,000, with payment accepted only through virtual currencies Liberty Reserve or WebMoney.

The CSIS blog post contains a single screen shot of this kit’s bot builder, and references a demo video but doesn’t show it. I wanted to learn more about this kit, and so contacted the seller via a Russian language forum where he was advertising his wares.

The author said he is holding off on including Safari form-grabbing capability for now, complaining that there are “too many problems in that browser.” Still, he was kind enough to share a copy of a video that shows the kit’s builder and admin panel in action. Click the video link below to check that out.

ZeuS and SpyEye are popular in part because they support a variety of so-called “Web injects,” third-party plug-ins that let botmasters manipulate the content that victims see in their Web browsers. The most popular Web injects are designed to slightly alter the composition of various online banking Web sites in a bid to trick the victim customer into supplying additional identifying information that can be used later on to more fully compromise or hijack the account. According to the author, Web injects developed for ZeuS and SpyEye also are interchangeable with this Mac crimekit. “They need to be formatted and tagged, but yes, you can use Zeus injects with this bot,” he told me in an instant message conversation.

Continue reading →


16
Apr 10

iPack Exploit Kit Bites Windows Users

Not long ago, there were only a handful of serious so-called “exploit packs,” crimeware packages that make it easy for hackers to booby-trap Web sites with code that installs malicious software.

These days, however, it seems like we’re hearing about a new custom exploit kit every week. Part of the reason for this may be that more enterprising hackers are seeing the moneymaking potential of these offerings, which range from a few hundred dollars per kit to upwards of $10,000 per installation — depending on the features and plugins requested.

Take, for example, the iPack crimeware kit, an exploit pack that starts at around $500.

Continue reading →