02. February 2011 · Comments Off on Seculert Research Lab: The New Trend in “Malware Evolution” · Categories: blog · Tags: , , ,

Seculert Research Lab: The New Trend in “Malware Evolution”.

This post by Seculert Research Labs provides an overview of the evolution of Carberp. Carberp is a relatively new botnet which is rapidly evolving into the one of the most sophisticated pieces of malware ever seen.

Some say it will be the successor to Zeus. Whether that happens remains to be seen, but its developers are surely competing for the cybercriminals’ software budget.

24. January 2011 · Comments Off on Zeus evolves to target online payment providers · Categories: blog · Tags: , ,

Zeus Latest Evolution in Malware Trends – Targets Online Payment Providers.

Trusteer is reporting on the evolution of the Zeus malware. Originally it targeted users performing online bank transactions. It’s now targeting online payment providers like Money Bookers, Web Money, netSpend, and e-gold. These types of companies have millions of users. If one of these users has his or her account looted, what recourse does the person have? After all, these are not banks and are most probably not legally bound to make good to their abused clients.

14. November 2010 · Comments Off on Pursuing Koobface and ‘Partnerka’ — Krebs on Security · Categories: blog · Tags: , , , , ,

Pursuing Koobface and ‘Partnerka’ — Krebs on Security.

Brian Krebs highlights Nart Villeneuve’s detailed analysis of Koobface. This is the most detailed analysis I’ve read about how one type of botnet thrives.

The entrée point for Koobface is almost irresistible: a link sent from a fake “friend” prompting a visit to a video site that purportedly reveals the recipient captured naked from a hidden web cam. Who wouldn’t follow that link? But for the hapless recipient, that one click leads down a Kafka-esque rabbit hole of viruses and Trojan horses, and straight into the tentacles of the Koobface network.

In a sense, Koobface, while malware, is the opposite of Zeus because the value per illicit transaction is very low, while Zeus’s transaction value is very high.

The operators of Koobface have been able to successfully monetize their operations. Through the use of payper-click and pay-per-install affiliate programs, Koobface was able to earn over US$2 million between June 2009 and June 2010 by forcing compromised computers to install malicious software and engage in click fraud.

Without a victim, particularly a complainant, it is almost impossible for a police force to justify the resources to investigate a case like Koobface. Police officers ask: what’s the crime? Prosecutors ask: what or whom am I supposed to prosecute? In the case of Koobface, it is almost as if the system were purposefully designed to fall between the cracks of both questions.

New preventive and detective controls are needed to combat this new generation of malware. Think about this:

A recent study by Bell Canada suggested that CA$100 billion out of $174 billion of revenue transiting Canada’s telecommunications infrastructure is “at risk.” The same operator measured over 80,000 “zero day” attacks per day targeting computers on its network — meaning, attacks that are so new the security companies have yet to
register them.

Next-generation defense-in-depth includes both preventive and detective controls.

Preventive network security controls must include (1) next generation firewalls which combine application-level traffic classification and policy management with intrusion prevention, and (2) 0-day malware prevention which is highly accurate and has a low false positive rate.

Detective controls must include (1) a Log/SIEM solution which uses extensive contextual information to generate actionable intelligence , and (2) a cloud-based botnet detection service which can alert you to compromised devices on your network.

25. October 2010 · Comments Off on SpyEye v. ZeuS Rivalry Ends in Quiet Merger — Krebs on Security · Categories: Fraud, Malware · Tags: , , , ,

SpyEye v. ZeuS Rivalry Ends in Quiet Merger — Krebs on Security.

Brian Krebs today is providing an update on banking Trojan activity. While ZeuS has been in the public eye, another banking Trojan SpyEye seems to be ascending.

In the last several years, it is estimated that the ZeuS Trojan enabled the theft of more than $70 million from nearly 400 organizations.

15. March 2010 · Comments Off on Defending Against the Zeus E-Banking Attacks · Categories: blog · Tags: , , , ,

Brian Krebs wrote another article about the rising number of E-Banking funds transfer fraud incidents where the Zeus trojan/botnet is used to compromise end point systems. The man-in-the-browser (MITB) exploit is a version of the classic man-in-the-middle (MITM) attack where the user’s bank credentials are stolen without the user realizing it. In fact, the Zeus trojan goes on “to control what the user sees on his or her browser.”

One is left to ask, is there is no “inline” defense against the Zeus trojan? In other words, is there no end point anti-malware product that can successfully defend against morphing trojans/botnets like Zeus?

It appears that the best choices at present are:

  • Use a dedicated PC, preferably one that boots from a CD, to do your online banking
  • Depend on your bank to:
    • Use behavior anomaly detection systems to catch/stop fraudulent transactions
    • Refund fraudulent transactions after the fact

Alternatively from a bank process perspective, why not require a 48 hour waiting period between the time a new payee is created and the time a payment can be made to that new payee?

In addition, the bank could add another step to the “add a payee process” where the bank sends an email or even hard copy notification of the new payee to the user (payer) and the user has to call from a known home phone number to verify the new payee.

Clearly these steps would add a level of inconvenience to online banking, but that has to be weighed against the costs of reimbursing consumer and corporate customer losses. If the lawsuits in progress are adjudicated in favor of the corporations suing their banks, we may very well see these or other changes.

13. March 2010 · Comments Off on Latest Zeus Trojan software release added hardware-based anti-piracy control · Categories: Botnets, Innovation, Malware · Tags: , ,

The Register reports:

The latest version of the Zeus do-it-yourself crimeware kit goes to
great lengths to thwart would-be pirates by introducing a
hardware-based product activation scheme similar to what's found in
Microsoft Windows.

The newest version with bare-bones capabilities starts at $4,000 and
additional features can fetch as much as $10,000. The new feature is
designed to prevent what Microsoft refers to as "casual copying"
by ensuring that only one computer can run a licensed version of the
program. After it is installed, users must obtain a key that's good for
just that one machine.

To state the obvious, if anyone needed a reminder, the crimeware software industry is big business and maturing. 

In addition The Register reported:

The latest version of Zeus is 1.3.3.7, SecureWorks researcher Kevin Stevens told El Reg.
But the authors are already busy working on version 1.4, which is being
beta tested. It offers polymorphic encryption that allows the trojan to
re-encrypt itself each time it infects a victim, giving each one a
unique digital fingerprint. As a result, anti-virus programs, which
already struggle mightily to recognize Zeus infections, have an even harder time detecting the menace.

No information was provided as to where you could submit your feature requests.

31. July 2009 · Comments Off on Clampi malware plus exploit raises risk to extremely high · Categories: Uncategorized · Tags: , , , , , , , , , ,

The risk associated with a known three year old Trojan-type virus called Clampi has gone from low to extremely high due the sophisticated exploit created and being executed by an Eastern European cyber-crime group.

Just as businesses can differentiate themselves by applying creative processes to commodity technology, so now are cyber-criminals. Clampi has been around since 2007. Symantec as of July 23, 2009 considered the risk posed by Clampi as Risk Level 1: Very Low. I don’t mean to pick on Symantec. McAfee, which calls the virus LLomo, has the Risk Level set to Low as of July 16, 2009. TrendMicro’s ThreatInfo site was so slow, I gave up trying to find the Risk Level they chose.

The exploit process used was first reported (to my knowledge) by Brian Krebs of the Washington Post on July 20, 2009.

On July 29, 2009, Joe Stewart, Director of Malware Research for the Counter Threat Unit (CTU) of SecureWorks released a summary of his research about Clampi and how it’s being used, just prior to this week’s Black Hat Security Conference in Las Vegas.

Clampi is a Trojan-type virus which, when installed on your desktop or
laptop, can be used by this cyber-crime group to steal financial data,
apparently including User Identification and Password credentials used
for online banking and other types of online commerce. Apparently, this
Eastern European cyber-crime group controls a large number of PC’s
infected with Clampi and is stealing money from both consumers and
businesses.

Brian Krebs of the Washington Post ran a story on July 2, 2009 about a similar exploit using a different PC-based Trojan called Zeus. $415,000 was stolen from Bullitt County, KY.

Trojans like Clampi and Zeus have been around for years. What makes these exploits so high risk is the methods by which these Trojans infect us and the sophistication of the exploits’ processes for extracting money from bank accounts.

Security has always been a “cat-and-mouse” game where the bad guys develop new exploits and the good guys respond. So now I am sure we are going to see the creativity of the security vendor industry applied to reducing the risk associated with this type of exploit. At the most basic level, firewalls need to be much more application and user aware. Intrusion detection systems may already be able to detect some aspect of this type of exploit. We also need better anomaly detection capabilities.