Friday, November 25, 2011

Zeus: King of Crimeware toolkits


This YouTube video from Symantec Security Response explains how botnets use the 'Zeus' crimeware toolkit to infect computers and control them.

http://www.youtube.com/watch?v=CzdBCDPETxk&feature=player_embedded#!


The Zeus Trojan family variants are:
-Trojan.Wsnpoem
-Infostealer.Banker.C
-Packed.Generic.232

The toolkits are used to create the trojans.

Various attack methods are explained:
-drive-by download and browser-based iframe attack
-malicious URLs in phishing emails
-malicious attachments
-web injection for stealing credentials or credit card details

Obfuscation techniques are also indicated.

The botnet command & control server's control panel is also demonstrated.

Further details from:
http://www.symantec.com/connect/blogs/zeus-king-underground-crimeware-toolkits
(Peter Coogan's blog)

Monday, November 14, 2011

Malware Intelligence: TDL4 evolution to resilient rootkit and crimeware toolkit


http://news.techworld.com/security/3312839/sophisticated-rootkits-becoming-more-resilient/

TechWorld reported on Oct 24, 2011 on the evolution of TDL4 (also known as TDSS), whose variants are being developed to be resilient to antivirus detection. ESET researchers have been tracking the TDL4 botnet. The kernel-mode drivers and user-mode payloads are being rewritten while the rootkit components remain the same. It appears that it is being developed as a crimeware toolkit to be licensed to cybercriminals.

TDL or TDSS is a family of rootkits incorporating detection evasion techniques. Kaspersky Lab estimated that 4.5 million computers have been infected by TDL, including its version 4.

New innovations include creating a hidden partition on the hard disk with a custom file system that stores the rootkit's components, instead of storing them within the MBR. The malicious code and its special boot loader are executed before the actual operating system loads.

ComputerWorld had also reported on TDL:
http://www.computerworld.com/s/article/9218034/Massive_botnet_indestructible_say_researchers?CID=

Detailed analysis of the bot trojan is available at:
http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot

-Joseph Ponnoly

DNSChanger Botnet Takedown


Estonian and Russian hackers hijacked over 4 million computers and raked in $14 million over a period of four years from 2007.
They used the DNSChanger botnet trojan to divert web traffic to advertisers who paid for traffic delivery.

The DNS requests were redirected by the trojan to the botnet server, taking control of all the outbound Internet traffic from the infected system.

The botnet and DNS servers were controlled by Rove Digital, an Estonian company, with its hosting subsidiary Esthost.

The trojan is an installer disguised as a codec required for watching website video content and was spread widely through pornographic websites. Victims' computers were infected on visiting these websites or by downloading the video viewing software.

In a collaborative effort between the FBI and the Estonian police, police arrested Tsastsin and five others from Rove Digital. The FBI had the command and control server disabled, including the rogue DNS servers in New York and Chicago.

F-Secure provides further information on the Trojan:W32/DNSChanger:
http://www.f-secure.com/v-descs/dnschang.shtml
The trojan is a small file (about 1.5 KB), designed to change the 'NameServer' registry key value to a custom IP address. The IP address is usually stored encrypted in the body of the trojan. This change redirects the system's DNS lookups to the new DNS server.
The trojan had names such as 'PayPal-2.5.200-MSWin32-x86-2005.exe'.
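As a defender's check for the registry change described above, here is an added example (not from the F-Secure description or the original post) that parses a `reg export` of the per-interface Tcpip\Parameters\Interfaces keys, where Windows keeps static 'NameServer' values, and flags any resolver that is not on the organisation's allow-list. The sample export, the interface GUIDs and the allow-list are constructed for this example.

```python
import re

# Constructed sample of a `reg export` of the Tcpip Interfaces key. The
# interface GUIDs and the 10.x allow-list are made up for this example;
# 192.0.2.x is the RFC 5737 documentation range, standing in for a rogue resolver.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"EnableDHCP"=dword:00000001
"NameServer"="10.0.0.53,10.0.1.53"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{66666666-7777-8888-9999-000000000000}]
"EnableDHCP"=dword:00000000
"NameServer"="192.0.2.10 192.0.2.11"
"""

# Resolvers the organisation actually operates (assumed allow-list).
ALLOWED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
NAMESERVER_RE = re.compile(r'^"NameServer"="(?P<value>[^"]*)"$')


def parse_nameservers(reg_text):
    """Map each registry key path to the resolvers in its NameServer value.
    Windows separates static resolvers with commas or spaces; empty values
    (DHCP-assigned resolvers) are skipped."""
    result = {}
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("path")
            continue
        ns_match = NAMESERVER_RE.match(line)
        if ns_match and current_key:
            servers = [s for s in re.split(r"[ ,]+", ns_match.group("value")) if s]
            if servers:
                result[current_key] = servers
    return result


def find_rogue_resolvers(reg_text, allowed=ALLOWED_RESOLVERS):
    """Return sorted (key_path, ip) pairs whose resolver is outside the allow-list."""
    return sorted(
        (key_path, ip)
        for key_path, servers in parse_nameservers(reg_text).items()
        for ip in servers
        if ip not in allowed
    )
```

On a live host the same check can be run against the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`; a hit means the resolver was set by something other than the expected DHCP or group policy configuration and warrants a closer look.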
-Joseph Ponnoly

Saturday, November 12, 2011

Brazilian Banking Trojans

Dmitry Bestuzhev, in his post on the 'SecureList' blog, has provided an overview of banking trojans originating from Brazil.

http://www.securelist.com/en/analysis/204792084/Brazil_a_country_rich_in_banking_Trojans

Many online banking customers in Brazil fall victim to bank fraud facilitated by banking trojans.

The trojans are propagated via infected websites and the customers are lured to these sites through spam mails, phishing mails and social engineering tactics.

Social networking sites are used to collect data on users: names, dates of birth, addresses, social status, etc. Orkut is popular in Brazil.

The downloaded trojan, in turn, downloads and installs other malicious programs: to steal account data from social networking sites, for anti-virus evasion, and for monitoring user activity and connections to banking sites, session hijacking, data harvesting and data transmission.

Anti-rootkit programs such as Avenger are used to combat anti-virus solutions. Partizan, another anti-rootkit, is also used.

Stolen data is forwarded to a remote database server. IP addresses and MAC addresses are also stolen and used to spoof source addresses. Stolen email addresses and passwords are sent to remote web servers.

Cyber criminals use money mules to transfer the money and to recover proceeds of the crime.

Banking trojan samples are mostly written in Delphi. Some samples are themselves infected with viruses such as Virut. Legitimate web pages are compromised and used to distribute the malicious programs.

The trojan binaries are very large and contain Portuguese strings.

Stolen data is sent via secure channels.
An anti-rootkit called Partizan is used to remove the bank's security plug-in. This anti-rootkit is part of the Russian edition of the UnHackMe program.

Though the malware writers may be Brazilian, Russian cybercriminals appear to be stealing money from Brazilian banks.
Further details at:

http://www.securelist.com/en/analysis/204792084/Brazil_a_country_rich_in_banking_Trojans


-Joseph Ponnoly

Friday, November 11, 2011

Duqu trojan analysis

The Kaspersky Labs Analysis report on Duqu can be seen at:
http://www.securelist.com/en/blog/208193243/The_Duqu_Saga_Continues_Enter_Mr_B_Jason_and_TVs_Dexter

The dropper file contains an exploit for the vulnerability in win32k.sys (CVE-2011-3402). The attacks were launched as spear-phishing emails with .doc attachments.

What is interesting is that the infection persisted for almost 3 months, gathering information on the network.

-Joseph Ponnoly

Wednesday, November 9, 2011

Blackhole Crimeware Toolkit


Recent phishing campaigns using HP OfficeJet printer-themed emails are delivering the Blackhole crimeware exploit kit, as reported in a Dark Reading article of Oct 13, 2011.
http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/231900780/blackhole-crimeware-goes-prime-time.html?itc=edit_stub

The HP OfficeJet-themed phishing campaign sent 8 million emails using 2000 domains for malware download. This follows an earlier email campaign using a Steve Jobs theme. The Blackhole kit targets online banking credentials and works like Zeus and SpyEye. Email recipients are led to the malicious Blackhole websites.

Blackhole uses drive-by-download infection, and the kit costs $1500 for a one-year license.

The AppRiver blog by Fred Touchette (dated Oct 12, 2011) gives further details of the Blackhole Toolkit:
http://blogs.appriver.com/blog/digital-degenerate

-Joseph Ponnoly

Saturday, October 29, 2011

Malware Forensics: Analysis of a browser-based trojan attack

From the MNIN Security Blog, an April 2009 forensic analysis of a trojan attack that came from a malicious website serving malicious SWF and PDF files. The source of infection is traced to a malicious ad displayed in the Firefox browser.

http://mnin.blogspot.com/2009/04/malware-forensics-how-ironic-can-it-get.html