Tag Archive for Zeus

| December 1, 2011
2 comments

Blackhole Malware

Blackhole Malware Dark Reading reports that attackers are increasingly using the Blackhole exploit kit in phishing campaigns. The latest phishing scam poses as an email notification from an HP (HPQ) OfficeJet Printer that has sent around 36,000 per minute resulting in nearly 8 million emails thus far and uses 2,000 domains to serve up the malware.

BotnetResearchers at AppRiver told Dark Reading the trend demonstrates how Blackhole is following the pattern of popular malware kits Zeus and SpyEye. Blackhole traditionally has been used to infect legitimate websites for drive-by infection purposes. “This attack is unique because Blackhole added an email vector to its format and is flooding the Internet with similar methods used by Zeus, SpyEye, and others, essentially moving it into prime time,” says Fred Touchette, senior security analyst for AppRiver.

Blackhole, which was previously marketed as a high-end crimeware tool, costing $1,500 for a one-year license, in May was unleashed for free in some underground forums. That has propelled more use of the toolkit according to the AppRiver blog.

Appriver logoMr. Touchette said that attackers using Blackhole have changed tactics, “This is the first that I have personally noticed that leads email recipients to Blackhole websites. Before that, people using the Blackhole Kit relied on techniques such as SEO poisoning to lead victims to their sites,” he says.

The OfficeJet email campaign, like other Blackhole attacks, is trolling for victims’ online banking credentials according to Dark Reading. It works a lot like Zeus and others, using browser vulnerabilities on victims’ machines and creating a backdoor for downloading and installing the Trojans. AppRiver’s Touchette says Blackhole appears to favor Sun Oracle (ORCL) Java (I wrote about Java holes here) and Adobe (ADBE) bugs (I wrote about Adobe bugs here).

HPThis most recent campaign is still trickling in, but will soon stall as most of its domains have been picked up and blacklisted by security professionals … we were seeing malicious emails related to this campaign coming in at a rate of around 36,000 per minute,” Mr. Touchette says.

Recent botnet takedowns have spurred an increase in malware attacks recently as botnet operators try to rebuild, AppRiver’s Touchette told Dark Reading.

rb-

Yeap- We are still seeing these trickling in and still have users reporting they can’t access their OfficeJet.

Related articles
  • Positive Trend in Malware: Rootkit Developers Killing Each Other’s Code (pcworld.com)
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.
Category: Uncategorized | Tags: , , , , , , , , , , , ,
| November 15, 2011
Comments Off on Which Mobile OS is Most Hit by Malware?

Which Mobile OS is Most Hit by Malware?

Which Mobile OS is Most Hit by Malware? Help Net Security reminds us that most mobile phone users still don’t have a mobile AV solution installed on their devices making. This makes it hard to gauge just how many of them have been hit by mobile malware. To overcome this fact, Microsoft (MSFT) researchers observed that mobile phones often get synched with the users’ computers. Also, users often use their computers to search for mobile apps on third-party application markets and file-sharing sites. These habits allow mobile malware to occasionally end up on their desktop/laptop computers and gets detected by desktop anti-virus software.

MicrosoftResearchers at the Microsoft Malware Protection Center (MMPC) were able to use thes detection to get an idea of what malware attacks the various mobile operating systems. The MMPC found was that Symbian users’ devices are getting hit with a disproportionately bigger number of threats than those targeting other operating systems. In August 2011, Microsoft detected around 42,000 of them.

Malware attacks

Microsoft’s Marianne Mallen says that Symbian-specific malware seems to be evolving and Zeus-in-the-mobile (“ZItmo“) and SpyEye-in-the-mobile (“Spitmo“) are the most recently detected malware and arguably the most dangerous for the user.

JavaThe Sun Oracle (ORCL) Java ME platform takes second place in the MSFT research, with nearly 24,000 threats detected in August 2011, mostly apps sending text messages to premium-rate numbers.

The MMPC found that Google‘s (GOOG) Android malware numbers were rather low when compared to Symbian and Java ME platforms. There were around 2,800 hits in August, but have been steadily rising since February. Much of the Android malware uses privilege-escalation exploits to install itself or other components on the device without having to ask the user for permission.

At the end of the MSFT list are Apple (AAPL) iOS and Research In Motion (RIMM). No new threats for Apple’s mobile OS have been discovered this year, and the total number of threats detected in August was around 590. RIM brings up the rear with only 5 malicious apps detected during that month and can boast of only one completely new threat springing up for it this year:.

Apple ComputersMs. Mallen’s advice to mobile users is to scan applications downloaded when possible, even when it’s already on a mobile device. Ms. Mallen says that even apps from the official app stores, may have been repackaged with malware that can run stealthily without the user being made aware of the underlying payload,” she points out. “The payload can include data-theft, silent SMS-sending in the background, and downloading and installing of other malware components, among other things. This malware (or links to it) could also be spammed or sent through email, using social engineering to entice the user to download a copy of the malware onto the desktop.”

rb-

UMMM no critique of mobile malware issues on WinPhones?

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , ,
| January 19, 2010
Comments Off on Zeus Raids School

Zeus Raids School

Zeus Raids SchoolA New York school district was a victim of an apparent Zeus trojan attack which appears to have netted nearly $500,000. InformationWeek is reporting that the FBI and New York State Police Cyber Crime and Critical Infrastructure Unit are investigating an attempt last month to steal about $3.8 million from the Duanesburg Central School District near Schenectady, New York.

According to the January 6 article, online thieves made a series of unauthorized funds transfers from the school district’s NBT Bank account to an overseas bank between December 18 and 22, 2009. The third transfer during this period was flagged as abnormal activity by the bank, which began blocking pending transactions after the school district confirmed the transfers had not been authorized. Working with foreign banks, NBT Bank recovered about $2.5 million out of $3 million stolen during the four-day period, but two previous unauthorized transactions were discovered.

Thanks to NBT Bank’s aggressive pursuit of the stolen funds, we are fortunate that the vast majority of the money has been recovered,” wrote Superintendent Christine Crowley in a letter on Monday to district parents and community members. “However, $497,200 of Duanesburg taxpayers’ money is still missing, and we are committed to doing everything in our power to recover the remaining funds.

The district website says, “At this time, we do not have any more information on how this happened and do not expect to have any more information to share until the investigation concludes.

Security researchers at Trusteer point out in a recent DarkReading article that Zeus is detected only 23 percent of the time by up-to-date anti-virus applications. The massive Zbot botnet is made up of 3.6 million PCs in the U.S., according to Damballa data  The malware steals users’ online financial credentials and moves them to a remote server, where it can inject HTML onto pages rendered by the victim’s browser to display its own content mimicking, for instance, a bank’s Web page.

Zeus’ infection rate is higher than that of any other financial Trojan. We are seeing actual fraud linked to Zeus — accounts being compromised, [and] money transferred from accounts of customers infected with Zeus,Mickey Boodaei, founder and CEO of Trusteer told DarkReading. “When we investigate some of our banking customers’ [machines infected by it], we find evidence of abuse on the computer, so we know this crime ring is very active and dangerous.

The security blog says that organizations can’t control the transmission vectors, which are increasingly social networking and/or webmail applications. Given the high degree of user trust and huge user populations, malware developers have been targeting social networks aggressively (webmail is a well-established transmission vector). Some of the threats come in the form of social network-specific threats (e.g., koobface, fbaction), but many times they’re re-using existing or older threats delivered in a new, hybrid way – exploiting the trust associated with social networks – which has given threats like Zeus a huge boost. If you can’t control the transmission vector, it’s much harder to manage the threat…especially when users click first, and think later.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , ,
| May 9, 2009
Comments Off on Lessons From Botnet Demise

Lessons From Botnet Demise

Lessons From Botnet DemiseBrian Krebs on the Washington Post blog Security Fix profiled a case where a bot-herder killed 100,000 zombie clients in his botnet. The bot-herder implemented a “kill operating system” or kos command resident in the Zeus bot-net crimeware. The kos command caused the infected PCs to Blue Screen of Death (BSOD). The Madrid-based security services firm S21sec reports that invoking the kos command only results in a blue screen and subsequent difficulty booting the OS. There appears to be no significant data loss and neither the Trojan binaries nor the start-up registries are removed, In this post, they look at what happens to an infected computer when it receives a Zeus kos.

Russian botnet

The Zeus crimeware was designed by the Russian A-Z to harvest financial and personal data from PCs with a Trojan. UK Computer security firm Prevx found the Zeus crimeware available for just $4,000. The fee includes a DIY “exe builder” which incorporates a kernel-level rootkit. According to the Prevx this means it can hide from even the most advanced home or corporate security software. RSA detailed the capabilities of Zeus crimeware in 2008. Zeus also includes advanced “form injection capabilities” that allows it to change web pages displayed by websites as they are served on the user’s PC. For example, criminals can add an extra field or fields to a banking website asking for credit card numbers, social security numbers, etc. The bogus field makes it look like the bank is asking you for this data after you have logged on and you believe you are securely connected to your bank.

rb-

The reason for BSODing 100,000 machines isn’t quite clear. Several security experts have offered up their opinions including S21sec and Zeustracker (currently down due to an apparent DDOS). What is clear are the implications of this action.

Botnets and their related crimeware are dangerous for more and more reasons. They can steal massive amounts of personal data. They can launch denial-of-service attacks and they can execute code. I agree with Krebs that the scarier reality about malicious software is that these programs leave ultimate control over victim machines in the hands of the attacker.

Politically motivated attackers

For the time being, it is still in the best interests of the attackers to leave the compromised systems in place. They can plunder more information. However, imagine the social chaos created if 9 million PCs infected with Conflicker including hospitals from Utah to the UK were under the control of Al-Queda or other similarly minded groups. These politically motivated attackers could order all the infected machines to BSOD, creating computer-enhanced chaos. One of the forgotten lessons of 9-11 is that our technology can be hi-jacked and turned against us.  This could be the opening into a new type of cyber warfare.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , ,