Posts Tagged: Roman Hüssy


9
Mar 11

SpyEye, ZeuS Users Target Tracker Sites

Crooks who create botnets with the help of crimeware kits SpyEye and ZeuS are actively venting their frustration with two Web services that help ISPs and companies block infected machines from communicating with control networks run by these botmasters. The lengths to which established cyber criminals are willing to go to disable and discredit these anti-fraud services provide convincing proof that the services are working as designed, and that the bad guys are suffering financially as a result.

The creations of Swiss security expert Roman Hüssy, ZeusTracker and its sister service SpyEye Tracker have endured countless distributed denial-of-service (DDoS) attacks from botmasters apparently retaliating for having their network infrastructure listed by these services. At one point, someone wrote a fake suicide in Hüssy’s name and distributed it to his family and friends, prompting local police to rouse him from slumber to investigate his well-being. But, those attacks haven’t deterred Hüssy or sidelined his services.

Now, the attackers are beginning to consider stealthier and more diabolical ways to strike back. A  series of discussions on an uber-exclusive Russian language forum that caters to identity and credit card thieves reveal that botmasters are becoming impatient in their search for a solution that puts Hüssy and/or his tracking services out of commission once and for all (click the images in this post twice to read along).

“DDoSing doesn’t bring satisfactory results. We’re now working on mapping his entire infrastructure, flag his scripts,” writes a user named Sal, who claims to specialize in providing bulletproof servers. “Now we will engage in a pinpointed assault. This should be cheaper + should bring results at least temporarily….Let’s brainstorm here.”

Other members join the discussion. One suggests pooling funds to hire a hitman. “It’s easier and more productive to just use a joint fund to hire a killer, and story’s over,” writes user “Femar.” Another forum member named “Deviant” recommends dosing Hüssy with organic mercury. “Dimethylmercury – the fluid has no color. One drop on your hand will penetrate thick latex gloves. Lethal result is guaranteed within one month.”

But forum members seemed to coalesce around an idea for seeding the ZeuS and SpyEye configuration files (those that list the location of key parts of the botnet, such as the place to deposit stolen data) with legitimate Web sites. Their stated goal? To cause SpyEye Tracker and ZeuS Tracker to flag legitimate sites as hostile, and thereby to lose credibility with ISPs that rely on the trackers.

I caught up with Hüssy via instant message yesterday, and asked whether he’d seen any SpyEye or ZeuS configuration files seeded with legitimate sites. He just laughed.

“ZeusTracker checks if a command and control server is really up before adding it to the blocklist,” Hüssy said. “These guys have no clue how ZeusTracker works.”

Continue reading →


3
Mar 11

ChronoPay’s Scareware Diaries

If your Windows PC has been hijacked by fake anti-virus software or “scareware” anytime in the past few years, chances are good that the attack was made possible by ChronoPay, Russia’s largest processor of online payments.

Tens of thousands of documents stolen and leaked last year from ChronoPay offer a fascinating look into a company that has artfully cultivated and handsomely profited from the market for scareware, programs that infiltrate victim PCs to display fake security alerts in a bid to frighten users into paying for worthless security software.

Click image for PDF version of timeline. Each entry is clickable and links to supporting documents.

ChronoPay handles Internet bill payments for a variety of major Russian companies, including domestic airlines and utilities. But ChronoPay also specializes in processing the transactions of so-called “high-risk” industries, including online pharmacies, tobacco sales, porn and software sales. A business is generally classified as high-risk when there is a great potential for credit card chargebacks and a fair chance that it will shut down or vanish without warning.

In June 2009, The Washington Post published the results of a six-month investigation into ChronoPay’s high-risk business. At the time, ChronoPay was one of a handful of processors for Pandora Software, the most prevalent brand of rogue software that was besieging consumers at the time. That story drew links between ChronoPay and an entity called Innovagest2000, which was listed as the technical support contact in the end-user license agreements that shipped with nearly all Pandora rogue anti-virus products.

When I confronted ChronoPay’s CEO Pavel Vrublevsky in 2009 about the apparent ties between Innovagest and his company, he insisted that there was no connection, and that his company’s processing services were merely being abused by scammers. But the recently leaked ChronoPay documents paint a very different picture, showing that Innovagest2000 was but one example of a cookie-cutter operation that ChronoPay has  refined and repeated over the last 24 months.

The documents show that Innovagest was a company founded by ChronoPay’s Spanish division, and that ChronoPay paid for everything, from the cost of Innovagest’s incorporation documents to the domain registration, virtual hosting and 1-800 technical and customer support lines for the company.

The same dynamic would play out with other ChronoPay “customers” that specialized in selling rogue anti-virus software. For example, leaked internal documents indicate that ChronoPay employees created two companies in Cyprus that would later be used in processing rogue anti-virus payments: Yioliant Holdings; and the strangely named Flytech Classic Distribution Ltd. ChronoPay emails show that employees also paid for domains software-retail.com and creativity-soft.com, rogue anti-virus peddling domains that were registered in the names and addresses of Yioliant Holdings and Flytech, respectively. Finally, emails also show that ChronoPay paid for the virtual hosting and telephone support for these operations. This accounting document, taken from one of the documents apparently stolen from ChronoPay, lists more than 75 pages of credit card transactions that the company processed from Americans who paid anywhere from $50 to $150 to rid their computers of imaginary threats found by scareware from creativity-soft.com (the amounts in the document are in Russian Rubles, not dollars, and the document has been edited to remove full credit card numbers and victim names).

Further, the purloined documents show these domains were aggressively promoted by external rogue anti-virus affiliate programs, such as Gelezyaka.biz, as well as a rogue anti-virus affiliate program apparently managed in-house by ChronoPay, called “Crusader.”

MEETING IN MOSCOW

Last month, I traveled to Moscow and had a chance to sit down with Vrublevsky at his offices. When I asked him about Innovagest, his tone was much different from the last time we discussed the subject in 2009. This may have had something to do with my already having told him that someone had leaked me his company’s internal documents and emails, which showed how integral ChronoPay was to the rogue anti-virus industry.

“By the time which correlates with your story, we didn’t know too much about spyware, and that Innovagest company that you tracked wasn’t used just for spyware only,” Vrublevsky said. “It was used for a bunch of shit.”

Vrublevsky further said that some of ChronoPay’s customers have in the past secretly sub-let the company’s processing services to other entities, who in turn used it to push through their own shady transactions. He offered, as an example, an entity that I wasn’t previously aware had been a customer of ChronoPay’s: A rogue anti-virus promotion program called TrafficConverter.biz.

Continue reading →


8
Nov 10

Keeping an Eye on the SpyEye Trojan

Last month, I published evidence suggesting that future development of the ZeuS banking Trojan was being merged with that of the up-and-coming SpyEye Trojan. Since then, a flood of new research has been published about SpyEye, including a new Web site that helps track the location of SpyEye control networks worldwide.

Roman Hüssy, the curator of Zeustracker — a site that has spotlighted ZeuS activity around the globe since early 2009 — late last week launched SpyEye Tracker, a sister service designed to help Internet service providers keep tabs on miscreants using SpyEye (take care with the IP address links listed at this service, because they can lead to live, malicious files).

Hüssy said he’s not convinced that the SpyEye crimeware kit will usurp the mighty ZeuS. “Why should they give up something which works and pay for a new tool?” he said in an online chat with KrebsOnSecurity.com. Instead, Hüssy said he’s launching the new tracking service to help prevent that shift.

Continue reading →


14
Oct 10

ZeuS Busts Bring Botnet Beatdown?

Authorities in the United States, United Kingdom and Ukraine launched a series of law enforcement sweeps beginning late last month against some of the world’s most notorious gangs running botnets powered by ZeuS, a powerful password-stealing Trojan horse program. ZeuS botnet activity worldwide took a major hit almost immediately thereafter, but it appears to be already on the rebound, according to one prominent ZeuS-watching site.

Statistics collected by the Web site Zeus Tracker indicate that while ZeuS botnet activity was already on the wane in the weeks leading up to the end of last month, that activity positively tanked following the recent busts, dipping to its lowest level since the Troyak takedowns earlier this year. For instance, prior to the arrests that began on Sept 29, Zeus Tracker was tracking more than 90 active Zeus control domains. By Oct. 3, that number had fallen to just 20.

I contacted Roman Hüssy, the Swiss information technology expert who maintains the tracking site, to see if there could be some technical or glitchy explanation for the dramatic drop. Hüssy said while there are criminal technologies being built into malware that try to prevent ZeuS Tracker from being able to follow ZeuS botnet infrastructure, he’s fairly sure he has managed to bypass it.

“Another thing which I’ve seen is that some [ZeuS botnet command servers] are using geo-IP location, [so that] if a ZeuS group just targets U.K. banks, they will do a geo-location restriction on the [control] server, and allow just bots from the U.K.” to ping the servers, he wrote in an instant message.

Some folks who probably know more about what’s really going on here (targeted takedowns, maybe?) aren’t responding at the moment, which tells me we may hear more about other factors that contributed to this drop in the days or weeks ahead. Stay tuned.