Wednesday 28 October 2009

Facebook Password Reset Confirmation Spam — Bredolab, Zbot, Adware

Another cybercriminal group is abusing the face of Facebook in another malware spam blast, fooling users into installing banking password-stealing malware and adware on their systems.
The message of the email claims to arrive from “The Facebook Team”, but in fact, the spam is spoofed and not from the team at all:
“Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
Thanks,
The Facebook Team”
The real Facebook Team maintains threat-related information, “what-to-do-if” information, and security related stuff here.
The emails carry an attachment that may have various names. Here are some of the attachment names that, when unzipped and run, ThreatFire has protected its community against in the past day:
Facebook_Password_e9081.zip
FACEBOOK_PASSWORD_52132.ZIP
Facebook_Password_6dd19.zip
Facebook_Password_4cf91.zip
FACEBOOK_PASSWORD_50573-1.ZIP
Facebook_Password_c92dd.zip
FACEBOOK_PASSWORD_7A343.zip

So what is being sent out? Unfortunately, the AV vendors that are starting to detect this variant do not always identify what they are detecting accurately (lucky that they are detecting it at all!). But in the end, the zipped attachment contains an armored downloader. Some of the spammed downloader executables drop multiple variants of multiple families. Adware, spyware, spambots, why not all of them? They are all money makers for this malware distribution group.
The malware package, in some cases, includes the highly active and highly malicious Zbot family. It seems that the Bredolab protector and dropper/downloader, which is in active development, has proven effective enough against AV scanner detections that crimeware groups are re-wrapping their Zbot malware with it. Also interesting is that these two families of malware have recently been distributed by groups that implement methods to remove the other bot from victim systems. It’s been described as another “War of the Bots”, Bredolab v. Zbot. Clearly, this active cybercrime group is a separate one with different aims and no internal wars.
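A mail-gateway style check for this campaign, written here as an added example rather than code from ThreatFire or the original post: it flags attachments whose names follow the observed Facebook_Password_&lt;hex&gt;.zip pattern and zip archives that contain an executable, and builds a constructed sample message (spoofed sender, placeholder payload) to run against.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Naming pattern seen in the listed attachments: Facebook_Password_<5 hex chars>[-n].zip, any case
ATTACHMENT_RE = re.compile(r"^facebook_password_[0-9a-f]{5}(-\d+)?\.zip$", re.IGNORECASE)
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat")


def suspicious_attachments(raw_message: bytes) -> list:
    """Return a list of reasons each attachment looks like the password-reset lure."""
    msg = message_from_bytes(raw_message, policy=policy.default)  # EmailMessage API
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACHMENT_RE.match(name):
            reasons.append(f"{name}: matches campaign attachment naming pattern")
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"PK":  # zip local-file-header magic
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    exes = [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]
            except zipfile.BadZipFile:
                exes = []
            if exes:
                reasons.append(f"{name}: archive contains executable(s) {exes}")
    return reasons


def build_sample() -> bytes:
    """Constructed sample mimicking the lure; the 'executable' is a harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Facebook_Password_e9081.exe", b"placeholder bytes, not a real binary")
    msg = EmailMessage()
    msg["From"] = "The Facebook Team <noreply@example.invalid>"  # spoofed display name
    msg["Subject"] = "Facebook Password Reset Confirmation"
    msg.set_content("Because of the measures taken ... your password has been changed.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Facebook_Password_e9081.zip")
    return bytes(msg)


if __name__ == "__main__":
    for reason in suspicious_attachments(build_sample()):
        print(reason)
```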

Koobface, Bredolab, and Zbot-distributing cybercrime groups all spoof Facebook and other highly popular social networking sites to deliver their malware to victim systems. Avoid the confusion and install a behavioral based layer of protection like ThreatFire that reliably and effectively prevents Bredolab, Zbot, and other highly dangerous malware families. Surf where you want, PC Tools Facebook group here.

For Scareware, Every Day is Halloween


Halloween is all about tricks, treats and pretending to be something you're not. Scareware must think every day is Halloween.

Computer experts are reporting that scareware is on the rise. Scareware - a sneaky hacker technique used to steal personal information and spread viruses - is being found in more and more places online and even on trusted sites, like the New York Times.
"The recent scareware attacks are cropping up everywhere and can be found on even the most trusted Web sites online," said Alison Southwick, BBB spokesperson. "The threat of scareware undermines consumer trust in compromised Web sites, and on the Internet in general, but there are steps computer users can take to protect themselves."

How Scareware Tricks and Treats

Scareware usually presents itself as a pop-up window that looks like it comes from your own computer. It gives some message that your computer has been infected with a virus that needs to be removed. Often the message tells you to go to the link provided to purchase and download anti-virus software. Once the software is purchased the download begins. Unfortunately, it is not anti-virus software that is being downloaded, but more viruses and malware.
If that weren't bad enough, now the hackers have your credit card information too.
This scenario is playing out all over the internet. It was in mid-September that visitors to the New York Times web site started getting the infected pop-up window. The New York Times traced the infected window back to an unauthorized ad. They later found out that the ad space was sold to hackers posing as Vonage.
But The New York Times is not the only site being affected, and pop-up windows are only half the story with scareware. According to Computer World Magazine, hackers are also "poisoning Google search results." Hackers monitor popular search topics and then create infected web pages with related content. They work to get those pages to the top of Google search results, and when someone clicks a link in the search results, the infamous pop-up window appears.

How to Protect Your Computer

Fortunately there are steps that you can take to protect your computer from scareware:
  • Never let your guard down. It is a fact that scareware can show up on even the most trusted sites, Google, Twitter, The New York Times, etc.
  • Protect your computer. Keep your operating system updated and install a good quality anti-virus program. We recommend the following packages: Norton 360 (includes backup and other features), Norton Internet Security 2010 (good all around option), or avast! (free and good), and keep it up to date. Also make sure that all security patches and updates are installed for your web browser and programs like Adobe Flash Player.
  • Take immediate action during an attack. If a scareware window opens up, force close it using the task manager and then run your trusted anti-virus software.
If you clicked on the link and have downloaded the software, all is not lost, but things aren't good. The Washington Post offers advice on their Security Fix blog on how to rid your computer of the viruses and malware. But if you aren't computer savvy, you may think about calling a professional to clean up the mess.

UPDATE: An article from Wired magazine's Threat Level blog sheds more light on how web sites are being targeted for malware distribution:
Web ads have become much more advanced over the years and many now include scripts that provide data tracking and other functions. Because of this, crooks are working to have their "ads" run on popular websites. Their ads also contain scripts, but the code displays scareware instead of tracking clicks or views.
In the article, Gawker Media - a major blog network of sites like Gizmodo, LifeHacker, Jalopnik and others - was targeted for ad placement, but fortunately Gawker has a team of geeks that digs into the code of any ad and confirms that it contains no malicious code. I'm guessing the NY Times now is enforcing a similar policy (yep, it is now).
Heaven help us when we visit sites that have no such team of geeks to protect us from malicious ads...

Clampi Trojan Virus Attacks the World of Online Banking

July 2009 not only brought the hopes of fun summer activities, but it also brought the new vicious Trojan virus called Clampi.

Clampi is a new, sophisticated Trojan designed to attack online banking systems. And unlike most Trojan viruses, this virus can be picked up from trusted sites like blogs, online magazines, search engines and mainstream news websites, not just gambling and pornography sites. It is also designed only to attack computers running the Microsoft Windows operating system. So Mac users are safe from Clampi, for now.

Currently, Clampi is tracking over 4,500 financial websites. Most Trojan viruses usually track 30-40 sites at a time. Clampi is designed to watch: banks, credit card companies, e-mails, retail sites, utilities, online casinos, wire transfer services, share brokerages, government sites and mortgage lenders. Clampi is also not limited to the United States. It has been found attacking in the United States, Britain and other English speaking countries.

How Clampi Operates

Once Clampi has been picked up it settles into your computer and waits. What does it wait for? It waits for the user to log on to a bank account, credit card or some other financial website. Once the login information is entered, Clampi grabs it and shoots it to the cyber criminal's computer. From there the criminal uses the information to fulfill their desires, whether it is taking money from a bank account, using a credit card to make purchases or wreaking whatever havoc they may.

What Clampi Can Do

Maybe you're thinking that this can't happen to you, and maybe it won't. But it has been reported that through the use of Clampi criminals have stolen $75k from a car parts company in Georgia, $30k from a non-profit childcare organization in Seattle, $480k from an online city bank account, $150k from a public school district in Oklahoma, $350k from a Chicago-area school district and $700k from the Western Beaver School District in Pennsylvania. There have also been reports of companies losing anywhere from $10k to $500k because of this one virus. There is really no telling how many people have been victims of the Clampi virus.

What You Can Do

The most important thing you can do is to be proactive about protecting yourself from getting Clampi. Here are some ways to be proactive:
  • Protect your computer with security software. It should be a natural part of being online. Make sure that you have the most current version of your antivirus software and download any necessary patches to keep it current.
  • Avoid clicking on suspicious links on blogs, e-mails and social networking sites. If you are not sure that it can be trusted, then don't go there.
  • Don't use e-commerce sites that you are not familiar with and use a credit card instead of a debit card when making online purchases.
  • Use caution when using a wi-fi network - especially one outside your home, like at an airport or coffee shop. Don't access financial web sites when using wi-fi in these kinds of locations. Make sure that your connection is password protected so that others cannot hack into your connection. Use WPA2 (or stronger) encryption and strong passwords when setting up your wireless network at home.

URLZone, A Newly Discovered Banking Trojan Rewrites History!!!



Well, it's official...Clampi, Zeus and Conficker are NOT alone. I said in earlier posts that it would only be a matter of time before another threat to online banking reared its ugly head. Now I had to update my War of the World Wide Web graphic to include this one...(below)

I must admit, I didn't think it would happen this quickly. Again...it avoids detection (see what I mean about prevention being better?) and it takes advantage of the inherent weaknesses in the browser...and the fact that we stupidly (sorry...naivete is no longer an excuse) continue to "type" versus "swipe" when we authenticate ourselves online.

Introducing URLZone, a NEW Banking Trojan. You know what IT does? It steals the user's online bank account log-in information, accesses your account, begins draining it and rewrites the code to cover it up. You think I'm kidding right?

Oh...but I'm not...

New Malware Re-Writes Online Bank Statements to Cover Fraud

According to Wired, the malware, called URLZone, infects a computer when the user visits a compromised site, or a site set up by hackers.

Then, the program steals the user's bank account log-in information (because it is TYPED) and begins draining funds that it then sends to other designated accounts. However, the victim doesn't realize the money is missing because the program rewrites the text in the HTML code. So, when the browser displays the page, it looks like either no money has been stolen or just a small amount has been transferred.

Think it's time to start accessing our online bank accounts without typing yet?  No?  Read on:

The new Trojan, called URLZone, features a number of innovations not widely seen in Internet crime. For example, the Trojan can estimate precisely how much money to steal based on how much dough you have in your account, and can even siphon money in small increments to evade detection.

"It's a next generation bank Trojan," Yuval Ben-Itzhak, chief technology officer at Finjan, a cyber-security firm, told CNET News.com. "This is part of a new trend of more sophisticated Trojans designed to evade anti-fraud detection systems."

The infected machines ended up with a bank Trojan – in this case, the URLzone bank Trojan. This nasty piece of crimeware has the following features:

  • It logs credentials and activities of bank accounts
  • It takes screenshots of webpages served by the websites mentioned before
  • Installed on the victims’ machines, it steals money from the compromised accounts
  • It hides its fraudulent transaction(s) in the report screen of the compromised account
  • Its C&C server sends instructions over HTTP about the amount to be stolen and where the stolen money should be deposited
  • It also logs and reports on other web accounts (e.g., Facebook, PayPal, Gmail) and banks from other countries
A Trojan horse is a type of malware -- or malevolent software -- that allows criminals unauthorized access to the user's computer system. Details of URLZone appear in a new report by Finjan's Malicious Code Research Center.

URLZone takes advantage of vulnerabilities in web browsers, including Firefox and Internet Explorer, then executes a program on Windows systems -- which means if you're running a Mac, you're safe. For now!
