Crooks Seek Revival of ‘Gameover Zeus’ Botnet


Cybercrooks today began taking steps to resurrect the Gameover ZeuS botnet, a complex crime machine that has been blamed for the theft of more than $100 million from banks, businesses and consumers worldwide. The revival attempt comes roughly five weeks after the FBI joined several nations, researchers and security firms in a global and thus far successful effort to eradicate it.

The researchers who helped dismantle Gameover Zeus said they were surprised that the botmasters didn’t fight back. Indeed, for the past month the crooks responsible seem to have kept a low profile.

But that changed earlier this morning when researchers at Malcovery [full disclosure: Malcovery is an advertiser on this blog] began noticing spam being blasted out with phishing lures that included zip files booby-trapped with malware.

Looking closer, the company found that the malware shares roughly 90 percent of its code base with Gameover Zeus. Part of what made the original Gameover ZeuS so difficult to shut down was that it relied in part on an advanced peer-to-peer (P2P) mechanism to control and update the bot-infected systems.

But according to Gary Warner, Malcovery’s co-founder and chief technologist, this new Gameover variant is stripped of the P2P code, and relies instead on an approach known as fast-flux hosting. Fast-flux is a kind of round-robin technique that lets botnets hide phishing and malware delivery sites behind an ever-changing network of compromised systems acting as proxies, in a bid to make the botnet more resilient to takedowns.

Like the original Gameover, however, this variant also includes a “domain name generation algorithm” or DGA, which is a failsafe mechanism that can be invoked if the botnet’s normal communications system fails. The DGA creates a constantly-changing list of domain names each week (gibberish domains that are essentially long jumbles of letters).

In the event that systems infected with the malware can’t reach the fast-flux servers for new updates, the code instructs the botted systems to seek out active domains from the list produced by the DGA. All the botmasters need to do in this case to regain control over their crime machine is register just one of those domains and place the update instructions there.
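The fallback behaviour described above has a visible footprint on a defender's own DNS logs: a bot that cannot reach its fast-flux servers walks its weekly DGA list, so one client resolves a burst of long, gibberish, mostly-unregistered names in a short window. The following is an added example (not code from the original article or from Malcovery) that scores query names with simple lexical heuristics (label length, Shannon entropy, vowel ratio, longest consonant run) and then counts how many DGA-like lookups each client made. The DNS log format, the sample log lines and the thresholds are all constructed for illustration; the domain names in the log are random letter strings, not real Gameover domains, and the code takes the label left of the last dot as the registrable name, which ignores multi-part public suffixes such as co.uk.

```python
import math
from collections import Counter

# Constructed sample DNS log (hypothetical format: "<timestamp> <client> <qname> <rcode>").
# The gibberish names are made-up letter strings, not real botnet domains.
SAMPLE_DNS_LOG = """
2014-07-10T09:12:01Z 10.0.0.5 www.google.com NOERROR
2014-07-10T09:12:02Z 10.0.0.5 login.facebook.com NOERROR
2014-07-10T09:12:03Z 10.0.0.7 mail.example.org NOERROR
2014-07-10T09:12:04Z 10.0.0.7 stackoverflow.com NOERROR
2014-07-10T09:12:05Z 10.0.0.5 cdn.krebsonsecurity.com NOERROR
2014-07-10T09:13:10Z 10.0.0.9 xkqzvbtrhpwlmdfgjnsc.com NXDOMAIN
2014-07-10T09:13:11Z 10.0.0.9 uiwoqzkxvbnrtyplmsgdh.net NXDOMAIN
2014-07-10T09:13:12Z 10.0.0.9 vbzqkhwtxmrplsgdnfjc.org NXDOMAIN
2014-07-10T09:13:13Z 10.0.0.9 qhzkxwmbtvrlpnsgdfjy.com NOERROR
"""

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character; a random letter string scores near log2(#distinct)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def core_label(qname):
    """Label immediately left of the TLD (assumption: no public-suffix handling)."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def domain_features(qname):
    """Lexical features of the registrable label used by the heuristic."""
    label = core_label(qname)
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = (sum(ch in VOWELS for ch in letters) / len(letters)) if letters else 0.0
    longest = run = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return {
        "label": label,
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowel_ratio,
        "consonant_run": longest,
    }


def looks_like_dga(qname, min_len=12, min_entropy=3.0):
    """Heuristic: long, high-entropy label that is vowel-poor or has a long consonant run.
    Thresholds are constructed for this example and would need tuning against real traffic."""
    f = domain_features(qname)
    return (
        f["length"] >= min_len
        and f["entropy"] >= min_entropy
        and (f["vowel_ratio"] <= 0.25 or f["consonant_run"] >= 5)
    )


def dga_like_queries(log_text):
    """Return (client, qname, rcode) for every DGA-like query in the log; skips malformed lines."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _ts, client, qname, rcode = fields
        if looks_like_dga(qname):
            hits.append((client, qname, rcode))
    return hits


def suspect_clients(log_text, threshold=3):
    """Clients that issued at least `threshold` DGA-like lookups: the burst pattern of a bot
    walking its DGA list after losing its primary (fast-flux) channel."""
    counts = Counter(client for client, _q, _r in dga_like_queries(log_text))
    return {client: n for client, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for client, qname, rcode in dga_like_queries(SAMPLE_DNS_LOG):
        print(f"{client} {qname} {rcode}")
    print("suspect clients:", suspect_clients(SAMPLE_DNS_LOG))
```

The per-client count matters more than any single flagged name: legitimate CDN and tracking hostnames can look random too, but a host that produces several such lookups in a row, most of them answered NXDOMAIN, is the behaviour the article describes, and the one NOERROR answer in that burst is the domain worth blocking or sinkholing.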

Warner said the original Gameover botnet that was clobbered last month is still locked down, and that it appears whoever released this variant is essentially attempting to rebuild the botnet from scratch. “This discovery indicates that the criminals responsible for Gameover’s distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers and takedowns in history,” Warner said.

Gameover is based on code from the ZeuS Trojan, an infamous family of malware that has been used in countless online banking heists. Unlike ZeuS — which was sold as a botnet creation kit to anyone who had a few thousand dollars in virtual currency to spend — Gameover ZeuS has since October 2011 been controlled and maintained by a core group of hackers from Russia and Ukraine. Those individuals are believed to have used the botnet in high-dollar corporate account takeovers that frequently were punctuated by massive distributed-denial-of-service (DDoS) attacks intended to distract victims from immediately noticing the thefts.

According to the U.S. Justice Department, Gameover has been implicated in the theft of more than $100 million in account takeovers. The department also alleges that the author of the ZeuS Trojan (and by extension the Gameover Zeus malware) is a Russian citizen named Evgeniy Mikhailovich Bogachev.

For more details, check out Malcovery’s blog post about this development.


Source: Krebs on Security

Android malware tool iBanking commands $5000 price for attackers


Evolving malicious tool adopts service model, grows increasingly complex

The market for malware tools is expanding, including the purchase of pre-made tools for a hefty fee from underground developers. One such tool aimed at Android, iBanking, promises to conduct a number of malicious actions including intercepting text messages, stealing phone information, pulling geolocation data and constructing botnets with infected devices. All it would cost to obtain the program is $5000, even after its source code leaked earlier in the year.

The iBanking malware has evolved from a tool that could only steal SMS information into a much larger Trojan for would-be data thieves. Applications injected with the iBanking code have reached the marketplace disguised as legitimate banking and social media apps, to convince users to install them.

The apps often appear to users who have already been infected on desktop machines, prompting them to fill in personal information which then leads to an SMS message with a download link. Once the app is downloaded and installed, it begins feeding information to the attacker.

According to Symantec, the tool is “one of the most expensive pieces of malware” the company has seen, especially for one that sets up a service business. Other malware applications have paved the way for things like customer support and HTML control panels, but not at such a high price.

Part of the larger problem with iBanking is that it resists most attempts to reverse engineer the software, which also makes it harder for rivals to craft similar tools, according to an article from Ars Technica. iBanking uses encryption and code obfuscation to hide the commands and actions it carries out. This hinders researchers trying to break down how the malware operates, and keeps others from using the code to clone more software.

Source: Electronista

Logins stolen from Facebook, Google, ADP payroll processor


Two million logins and passwords from services such as Facebook, Google and Twitter have been found on a Netherlands-based server, part of a large botnet using controller software nicknamed “Pony.”

Another company whose users’ login credentials showed up on the server was ADP, which specializes in payroll and human resources software, wrote Daniel Chechik, a security researcher with Trustwave’s SpiderLabs.

It’s expected that cybercriminals will go after main online services, but “payroll services accounts could actually have direct financial repercussions,” he wrote.

ADP moved US$1.4 trillion in fiscal 2013 within the U.S., paying one in six workers in the country, according to its website.

Facebook had the most stolen credentials, at 318,121, followed by Yahoo at 59,549 and Google at 54,437. Other companies whose login credentials showed up on the command-and-control server included LinkedIn and two Russian social networking services, VKontakte and Odnoklassniki. The botnet also stole thousands of FTP, remote desktop and secure shell account details.

It wasn’t clear what kind of malware infected victims’ computers and sent the information to the command-and-control server.

Trustwave found the credentials after gaining access to an administrator control panel for the botnet. The source code for the control panel software, called “Pony,” was leaked at some point, Chechik wrote.

The server storing the credentials received the information from a single IP address in the Netherlands, which suggests the attackers are using a gateway or reverse proxy in between infected computers and the command-and-control server, he wrote.

“This technique of using a reverse proxy is commonly used by attackers in order to prevent the command-and-control server from being discovered and shut down — outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down,” Chechik wrote.

Information on the server indicated the captured login credentials may have come from as many as 102 countries, “indicating that the attack is fairly global,” he wrote.

Source: Network World

This botnet stole over a million Social Security numbers


The exposed.su website started drawing attention in March when it offered social security numbers and other information for everyone from Beyonce to Michelle Obama and the director of the CIA. Shocked by the breadth of data, both the FBI and Secret Service launched investigations — but today the security blogger Brian Krebs has beaten them to the punch, offering a comprehensive look at how all that personal data made it to the web.

Krebs traces the exposed.su data back to another site, SSNDOB.ms, which pulled the information through compromised servers at LexisNexis and two other companies that specialize in data for background checks. With this relatively small network, hackers were able to steal nearly 3.1 million date-of-birth records and over a million social security numbers, widely considered a weak point in online security.

Krebs also reports that the malware used had no trouble evading anti-virus software. As of early September, none of the top 46 antivirus services detected the software as malicious. There’s no word yet on who was operating the network, but the FBI says their investigation is ongoing and Krebs has promised more revelations in the coming weeks.

Source: The Verge

The Botnet That Stole 16,000 Facebook Logins

Malware managed to pilfer over 16,000 Facebook credentials in 2012, as well as credit card information linked to user accounts, it was revealed today.

The PokerAgent botnet was in control of 800 systems, as it sought to harvest information on Facebook users running the Zynga Poker app. The botnet was most active in Israel, security company ESET said, revealing the findings today, having worked with police in the country and with Facebook to kill the threat.

Infected users did not have their own Facebook accounts hacked. Their systems were instead used to carry out nefarious activities on other user accounts for which the attackers had acquired details, as the hackers sought to cover their tracks. Those systems carrying the malware were also used to propagate and grow the botnet.

“Facebook was notified and has responded promptly by forcing password resets for all known victims,” Robert Lipovský, ESET malware researcher, told TechWeekEurope.

“We only know that the attacker had at least 16,194 unique entries in his database of stolen logins. On the one hand, there may have been more, on the other, not all of these were valid – so that number is just a rough estimate.”

ESET had no information on how much money was stolen.

The Trojan was programmed to log into Facebook accounts and collect information on Zynga Poker stats for the given Facebook ID and the number of payment methods saved in the Facebook account.

PokerAgent was only interested in gathering gender information, points and rank from poker players. It is unclear what the attackers were doing with the harvested data, but ESET suggested they were amassing databases for future attempts to steal user identities and funds.

“The code suggests that the attacker seeks out Facebook users who have something of value, worth stealing – determined by the Poker stats and credit card details saved in their Facebook account,” Lipovský wrote in a blog post. “Later, the attacker can simply abuse the credit card information themselves or they may sell the database to other criminals.”

The malware was also ordered to publish links on the infected Facebook user’s wall. Those links would lead visitors to a fake Facebook login site, where their details would also be phished.

But Facebook users should not have to worry about this threat today. ESET said the malware author seemed to have ceased actively spreading the Trojan mid-February 2012. Efforts from ESET, Israel’s Computer Emergency Response Team (CERT) and law enforcement could well have been the catalyst for the demise of PokerAgent.

ESET noted that two-factor authentication would have prevented the malware from logging into Facebook accounts.

Source: TechWeekEurope

Spam Levels Plummet As Industry Takes Aim At Botnets

Global spam levels continued to fall in 2012 and even the number of malicious attachments was on the wane, new figures from Kaspersky Labs have suggested.

The fall is relative, of course; even with an eight-point drop, spam still accounted for a staggering 72 percent of all email during the year, equivalent to tens of trillions of messages moving uselessly and malevolently across the Internet every year.

The drop was consistent throughout the year, falling month-on-month, eventually dipping below the 70 percent threshold in the final three months of the year, Kaspersky said.

What is clear is that the exact percentage of spam sent to a user or network varies by country and region, with Asia now accounting for a disproportionate level of activity.

In terms of distribution, China heads the table with one in five of all spam messages sent, ahead of the US with 15.6 percent; Latin America and Europe both dropped. Asia as a whole now accounts for half of all junk email.

Malicious attachments were down slightly to 3.4 percent, although this does not include those with embedded links.

According to Kaspersky, the unprecedented fall can be explained by the gradual improvement in filtering.

Arguably, the disruption of botnets – the platform used to send most spam – has probably had a larger effect, with the downing of several large distribution networks coinciding with the start of spam’s decline in 2010.

Only this week, the Virut Botnet – a major sender of spam across Eastern Europe and the US – found itself on the ropes after the Polish national registrar disrupted its domains and command and control servers. This is only the latest in a line of botnet ‘takedowns’ in the last two years.

It could also be that there are better ways to make money from cybercrime, not least by infiltrating social media.

“This drop is the result of a gradual departure of advertisers from spam to other, more convenient and legal means of promoting goods and services,” said Kaspersky Lab’s Darya Gudkova.

“However, that doesn’t mean spam is headed the way of the dodo anytime soon. Malicious spam, fraud, and advertising of illegal goods cannot simply or easily migrate to legal platforms, due to their own inherently criminal nature. We expect that the decline in spam volumes in 2013 will be negligible at best,” Gudkova said.

Doubtless, some will disagree with Kaspersky’s numbers, which only reflect what its customers see. But they do chime with what other security companies have been saying for two years.

The spam percentages being experienced during 2012 by the Russian firm are about the same as those reported by Symantec in late 2011, for instance.

Via: Network World