Archive

Archive for September, 2009

A trojan which steals your money “intelligently”

September 30th, 2009

A relatively sophisticated trojan is making the rounds, stealing money from bank accounts in an intelligent manner. Unlike a lot of “hammer and tongs” malware, this one actually tries to decide how much money it can steal from your bank account without raising alerts.

This is especially interesting because more and more banks now offer customized alerts to warn users about potential unauthorized access and suspicious transactions; malware that keeps each theft under the alert threshold defeats that control.

The so-called URLZone Trojan doesn’t just dupe users into giving up their online banking credentials like most banking Trojans do: instead, it calls back to its command and control server for specific instructions on exactly how much to steal from the victim’s bank account without raising any suspicion and which money mule account to send the money to, and it forges the victim’s on-screen bank statements so that neither the victim nor the bank sees the unauthorized transaction.

Researchers from Finjan found the sophisticated attack, where the cybercriminals stole around 200,000 Euro per day over a period of 22 days in August from several online European bank customers, many of whom were based in Germany. Finjan estimates that the group would make about $7.3 million per year at that rate.

“The Trojan was smart enough to be able to look at the [victim's] bank balance,” says Yuval Ben-Itzhak, CTO of Finjan. “This is more advanced than other banking Trojans like Zeus, whose main goal is to get the user to provide his online credentials, credit card numbers, or PINs, by inserting different text boxes into the online banking application. Then they use those credentials to log into the bank account.”

“But in this attack, everything happens from the victim’s computer. This is more sophisticated than anything we’ve seen in the past,” Ben-Itzhak says.

The attack begins like most Web-based infections: an unsuspecting user visits an infected Website, either a malicious one or a rigged legitimate one. The attack is based on the LuckySploit malware toolkit, which exploits things like unpatched Adobe PDF and Flash vulnerabilities in browsers. Its exploits are obfuscated so they’re difficult to detect.

Finjan found that the attackers had lured about 90,000 potential victims to their sites, and successfully infected about 6,400 of them. “They weren’t targeting specific users, but many of the domains were Websites in Germany – they were targeting [certain] German banks,” Ben-Itzhak says. “We also found domains in Russia, China, and Europe, but we didn’t find any U.S. banks on the list.”

News, Security

43 cents for a compromised Mac!!

September 27th, 2009

Even though users of Apple products are somewhat safer than Windows users, this news article is just another example of the fact that “ignorance is no panacea”.

The bad news is that the bad guys are looking at infected Macs as a potential money-maker. Sophos researcher Dmitry Samosseiko at the Virus Bulletin conference in Geneva this week gave an inside view of the Russian “partnerka,” a network of cybercrime affiliates who spew spam and malware (think “Canadian Pharmacy” Website) — including information on one black market Website that a few months ago offered 43 cents per infected Mac OS X machine, which was at least 10 cents less than what infected Windows machines were going for in the cyber underground at the time.

The Website offering the deal, MacCodec.com, also provided malware-laced phony video players to help the affiliates infect the Macs. The site has since disappeared from the Web, according to Sophos.

News, Security

Significant numbers of machines in enterprise networks are bot-infected

September 25th, 2009

A detailed three-month study by Damballa reports that enterprise networks are deeply infiltrated by bot-nets.

Bot infections are on the rise, and most come from small bot-nets which do not get much publicity in the popular press.

“In a three-month study of more than 600 different bot-nets found having infiltrated enterprise networks, researchers from Damballa discovered nearly 60 percent are bot-nets that contain only a handful to a few hundred bots built to target a particular organization. Only 5 percent of the bot infections were from big-name bot-nets, such as Zeus/Zbot and Koobface.

And Damballa has seen bot infections grow in enterprises as well, from 5 to 7 percent of an enterprise’s IP address space and hosts last year, to 7 to 9 percent of them bot-infected this year. “Of all the enterprises where we’ve gone into who are customers or as proof-of-concept, 100 percent have had botnet infections,” says Gunter Ollmann, vice president of research for Damballa. “It’s more the smaller, customized and targeted types of bot-nets [that infect the enterprise].

“Corporations have become very good at dealing with the larger threats that get publicized — they tend not to get affected widely by Conficker, for instance.”

Ollmann’s colleague, Erik Wu from Damballa, today revealed this latest research during a presentation at the Virus Bulletin Conference in Geneva.

Joe Stewart, a researcher with SecureWorks’ Counter Threat Unit, says bot-net operators who execute targeted attacks do so with fewer bots. “Entities that launch targeted attacks will have a smaller number of bots in their bot-net than non-targeted ones, for sure,” Stewart says.

The bad guys are also finding that deploying a small bot-net inside a targeted organization is a more efficient way of stealing information than deploying a traditional exploit on a specific machine. And Ollmann says many of the smaller bot-nets appear to have more knowledge of the targeted organization as well. “They are very strongly associated with a lot of insider knowledge … and we see a lot of hands-on command and control with these small bot-nets,” he says.

If they remotely control four or five hosts, for instance, then they issue commands to the bots to navigate network shares, retrieve files, or access databases, he says.

“I suspect that a sizable percentage of small bot-nets are those developed by people who understand or are operating inside a business as employees who want to gain remote access to corporate systems, or by criminal entities that have dug deep and gotten insider information on the environment,” Ollmann says. “The reason why we know this is the way the malware is constructed — how it’s specific to the host being targeted — and the types of command and control being used. Bot agents are often hard-coded with the command and control channel” so they can bypass network controls with a user’s credentials.

These bot-nets tend to rely on popular DIY malware kits, like Ivy and Zeus, to infect their victim machines, he says. And they are typically more automated than bots in the big bot-nets: “Some designed for the enterprise worm their way around the network and look for common protocols that are open in the enterprise” and infect files, and exploit other hosts in the network, Ollmann says.

But like most other cybercriminals, these mini bot-net operators then try to sell the data they’ve stolen to other criminals. “They try to sell information based on the bot they have, or individual bots based on the performance of a machine, or its physical location and IP address space,” he says.”

News, Security

Russian Security Group exposes source-code for 3000+ sites

September 23rd, 2009

A Russian security group has once again exposed how widespread misconfigured web servers are. The “exploit” itself is not new: it relies on the fact that sites deployed with a Subversion or CVS checkout carry their .svn (or CVS) metadata directories into the web root, so it simply requests those metadata files over HTTP and reconstructs the source from them. For Subversion, .svn/entries lists every file and subdirectory, and .svn/text-base/ holds a pristine copy of each file (the .svn-base files), so a single unprotected checkout hands over the complete source tree, configuration files and database credentials included.

At the very least one would expect web admins to deny access to any path component that starts with a dot.

In any case, to remedy this issue, deploy with svn export (or rsync from an exported tree) rather than svn checkout, so the metadata never reaches the web root in the first place. If checkouts are unavoidable, deny access to the metadata directories with something like the configuration below.

# Deny every request whose filesystem path contains a .svn directory (Apache 2.2 syntax;
# "Order allow,deny" takes a single comma-separated argument, no space after the comma)
<DirectoryMatch "/\.svn">
    Order allow,deny
    Deny from all
</DirectoryMatch>

If you can only edit .htaccess, and mod_rewrite is enabled, a rewrite rule that returns 403 for any request path containing /.svn/ does the same job. Whichever you choose, verify the fix by requesting /.svn/entries on the live site: it must return 403 or 404, not the Subversion format number.
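To make the exposure concrete, here is an added example (not the Russian group's tool, and not code from the original post) that parses the Subversion 1.4 to 1.6 .svn/entries format served by such misconfigured sites, lists the next URLs an attacker would request (pristine copies for files, nested entries files for directories), and checks a retrieved pristine copy against the MD5 checksum recorded in the entries file. The sample entries file and the sample config.php contents are constructed here; the hostname svn.example.com is a placeholder. The same parser is what you would run against your own site's output to confirm what is exposed before fixing the configuration.

```python
"""Parse an exposed Subversion 1.4-1.6 ".svn/entries" file and list what it leaks.

Added example for this post; the sample data below is constructed, not captured
from any real site.
"""
import hashlib
from dataclasses import dataclass
from typing import List

ENTRY_SEP = "\x0c\n"  # each entry in the file is terminated by form feed + newline


@dataclass
class Entry:
    name: str
    kind: str       # "file" or "dir"
    checksum: str   # MD5 hex of the pristine copy; empty for directories


@dataclass
class ExposedTree:
    repo_url: str   # repository URL of this directory (leaks the SCM server too)
    repo_root: str
    revision: str
    entries: List[Entry]


def parse_entries(text: str) -> ExposedTree:
    """Split the entries file into records; field positions follow libsvn_wc."""
    chunks = text.split(ENTRY_SEP)
    header = chunks[0].split("\n")
    fmt = int(header[0])                 # first line is the format number (8, 9 or 10)
    if not 8 <= fmt <= 10:
        raise ValueError(f"unsupported entries format {fmt}")
    this_dir = header[1:]                # record for the directory itself: name is empty
    if len(this_dir) < 5 or this_dir[1] != "dir":
        raise ValueError("first record must describe the directory itself")
    tree = ExposedTree(repo_url=this_dir[3], repo_root=this_dir[4],
                       revision=this_dir[2], entries=[])
    for chunk in chunks[1:]:
        if not chunk.strip():
            continue
        f = chunk.split("\n")            # 0 name, 1 kind, 2 revision, 3 url, 4 repos,
        kind = f[1] if len(f) > 1 else ""  # 5 schedule, 6 text-time, 7 checksum, ...
        checksum = f[7] if len(f) > 7 else ""
        tree.entries.append(Entry(f[0], kind, checksum))
    return tree


def fetch_targets(tree: ExposedTree, base: str = "/") -> List[str]:
    """URL paths an attacker requests next to walk the whole source tree."""
    targets = []
    for e in tree.entries:
        if e.kind == "file":
            targets.append(f"{base}.svn/text-base/{e.name}.svn-base")
        elif e.kind == "dir":
            targets.append(f"{base}{e.name}/.svn/entries")
    return targets


def verify_pristine(data: bytes, entry: Entry) -> bool:
    """True when a downloaded .svn-base matches the checksum the entries file recorded."""
    return bool(entry.checksum) and hashlib.md5(data).hexdigest() == entry.checksum


# --- constructed sample: a checkout of trunk/public_html at revision 42 ---
SAMPLE_PRISTINE = b"<?php\n$db_user = 'app';\n$db_pass = 'hunter2';\n"
SAMPLE_ENTRIES = (
    "10\n"
    + "\n".join(["", "dir", "42",
                 "http://svn.example.com/repo/trunk/public_html",
                 "http://svn.example.com/repo"]) + "\n" * 30
    + ENTRY_SEP
    + "\n".join(["config.php", "file", "", "", "", "",
                 "2009-09-20T10:00:00.000000Z",
                 hashlib.md5(SAMPLE_PRISTINE).hexdigest()]) + "\n"
    + ENTRY_SEP
    + "\n".join(["includes", "dir"]) + "\n"
    + ENTRY_SEP
)

if __name__ == "__main__":
    tree = parse_entries(SAMPLE_ENTRIES)
    print(f"repository: {tree.repo_url} @ r{tree.revision}")
    for t in fetch_targets(tree):
        print("next request:", t)
    print("pristine copy verified:", verify_pristine(SAMPLE_PRISTINE, tree.entries[0]))
```

Note that the entries file also discloses the repository URL and last committer names, so even a site with nothing secret in its source has leaked where its SCM server is.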

News, Security

Microsoft takes on the cudgels to fight Fake Anti Virus malware distributors

September 22nd, 2009

Microsoft has taken a hard line on malicious online advertisers — also known as “malvertisers” — by filing five lawsuits against the suspected fraudsters in what the software giant claims are the first-ever legal moves against malvertising. The software giant’s suits came on the heels of a rogue anti-virus attack on the high-profile New York Times website where what was purported to be a Vonage ad on the Grey Lady turned out to be malware that served readers fake warnings that their computers were infected, along with a link to “anti-virus software” they must purchase to clean them up.

“Although we don’t yet know the names of the specific individuals behind these acts, we are filing these cases to help uncover the people responsible and prevent them from continuing their exploits,” according to Microsoft’s associate general counsel Tim Cranton late last week. “The lawsuits allege that individuals using the business names ‘Soft Solutions,’ ‘Direct Ad,’ ‘qiweroqw.com,’ ‘ITmeter INC.,’ and ‘ote2008.info’ used malvertisements to distribute malicious software or present deceptive websites that peddled scareware to unsuspecting Internet users.”

The software vendor filed its lawsuits in King County Superior Court in Seattle, and is seeking damages and injunctions due to “unjust enrichment and for intentional interference with contractual relationships and business expectancies,” Microsoft wrote in its legal filings.

Microsoft says its own investigators have uncovered “a number of leads” that could be used to subpoena service providers, companies, or people with knowledge of the real identities of the fraudsters.

Some rogue AV programs even “clean” a victim’s machine so they appear legitimate, at least until the victim’s credit-card transaction goes through, according to PandaLabs. And the bad guys are automatically generating new, unique samples of this code that AV engines won’t recognize. The distributors of these applications are typically in Eastern Europe, and can make commissions of 50 to 90 percent, according to researchers.

News

Hack a Facebook account: only $100!

September 19th, 2009

PandaLabs announced the discovery of an online service that promises to hack into any Facebook account for $100.

The service’s creators claim, “Any Facebook account can be hacked,” promising to provide clients with the login and password credentials to access any account on the popular social networking site.

“The service’s real purpose may be hacking Facebook accounts as they say, or profiting from those that want to try the service,” says Luis Corrons, technical director of PandaLabs. “In any case, the Web page is very well-designed. It is easy to contract the service and become either the victim of an online fraud, or a cybercriminal and accomplice in identity theft.”

It is likely that the cybercriminals behind this operation are members of an Eastern European Internet mafia because payments are conducted online through Western Union wire transfers to a payee in Ukraine, PandaLabs says. “The domain that hosts the service is registered in Moscow, providing further evidence of this theory,” the research lab says.

The hackers claim to have been offering this service for four years and that only 1 percent of accounts proved to be hack-proof. In these cases, they offer clients a money-back guarantee.

News

ISPs sued for hosting fake sites

September 15th, 2009

This is something that’s waiting to happen to a ton of other ISPs. In this case a large, well-known fashion company went to court because a couple of ISPs were hosting sites selling fake products branded with its logo and name.

I am pretty sure that the day is not far off when ISPs will get heat from individuals and organizations for doing nothing when websites they host get compromised and in turn infect innocent visitors. Already one can hear the rumblings of disgruntled customers on various security groups and help forums where ISPs give a canned “it’s your problem” response to infected website owners.

Once the visitors who get compromised take up the “legal-cudgels” to bash the big boys on the head, things will change, for the good, pretty fast.

News

A linux webserver botnet exposed

September 14th, 2009

A lot of people who use Linux-based systems often say that “Linux is just so free of problems.” Well, here’s a piece of news that should grab their attention. I do agree that *nix-based systems are somewhat more secure than Windows-based systems, but that’s no reason to be stupid :-) .

This should be of interest to hosting companies and to people who run their own VPSs.

“Each of the infected machines examined so far is a dedicated or virtual dedicated server running a legitimate website, Denis Sinegubko, an independent researcher based in Magnitogorsk, Russia, told The Register. But in addition to running an Apache web server to dish up benign content, they’ve also been hacked to run a second web server known as nginx, which serves malware.”

“What we see here is a long awaited bot-net of zombie web servers! A group of interconnected infected web servers with [a] common control center involved in malware distribution.”

The finding highlights the continuing evolution of bot herders as they look for new ways to issue commands to the hundreds of thousands of infected zombies under their control.

News, Security

Google Groups used as malware command channel

September 14th, 2009

Gavin O’Gorman of Symantec has written up how Google Groups was being used as a back channel to control a bot-net:

“The Web-based newsgroup can store both static ‘pages’ and postings. When successfully logged in, the Trojan requests a page from a private newsgroup, escape2sun. The page contains commands for the Trojan to carry out. The command consists of an index number, a command line to execute, and optionally, a file to download. Responses are uploaded as posts to the newsgroup using the index number as a subject. The post and page contents are encrypted using the RC4 stream cipher and then base64 encoded. The attacker can thus issue confidential commands and read responses. If no command is received from the static page, the infected host uploads the current time.”

News, Security