U.S. Arrests Zeus-Operating Cybercriminals

September 30, 2010

It looks like some of the recent success in taking down Zeus-using cybercriminals is coming to the United States. The FBI has recently announced that it has charged as many as 60 people and has arrested 10 as part of a global cyberfraud scam. Summaries of the incident can be found here, here, and here.

Zeus is one of the nastiest and most persistent pieces of malware we deal with. It steals banking logons, can act as a bot, and recently started targeting mobile devices, as well. Recently one of our McAfee Labs researchers, Chintan Shah, posted an excellent blog on the inner mechanisms of the Zeus Crimeware Toolkit; his article is definitely worth a read. You can also listen to a great AudioParasitics podcast episode in which my podcast-partner-in-crime Jim Walter and I discuss Zeus (also called Spy-Agent.bw).

If you are running any of our DAT-based security technologies and they are up to date, you are already enjoying excellent coverage against Zeus.

UPDATE (October 1)

It now seems that Ukrainian authorities have taken action against individuals with suspected involvement in the Zeus cybercrime and money laundering network. The Ukrainian contingent seems to be associated with the more technical aspects of the infrastructure. Read detailed accounts here and here.

Let’s keep those arrests and takedowns coming and take back our Internet!


Application-Based Control: the Future of Botnets?

September 29, 2010

During the last six years, botnets have become one of the biggest threats to security professionals, businesses, and consumers. We at McAfee Labs have just released more information about how cybercriminals can use common social networks and common web applications, such as Twitter and XMPP-enabled applications like Google Talk, to take over a user’s computer.

As Web 2.0 services evolve, so do the efforts of botnet writers. They are rapidly adopting new technologies to increase the sophistication of their attacks. We have identified the following trends in botnets and social media:

  • Twitter-controlled bots are the most prevalent example of using social media to receive and execute bot commands
  • KreiosC2, though a proof-of-concept research tool, effectively demonstrates how LinkedIn and other social networks and applications can be used to control a botnet
  • Protocol standards such as XMPP, used for authentication, presence, and messaging, can also be used by cybercriminals to communicate with botnets and execute malicious attacks

The dangers of controlling a bot or botnet through an application such as Twitter cannot be overstated. Using widely adopted and deployed applications like Twitter to control a botnet effectively allows the attacker to hide in plain sight by using an application or website that is allowed on most desktops worldwide. There’s nothing to it: Log into a Twitter account from any of a variety of Twitter applications (I’ll use TwitScoop) and send an update:

Get Ready For DDoS Attack!!!

Then we send our command:

Attack Command Sent Through Twitter Baby!!

It really is as simple as that: decentralized, application-based control of one or many bots. Don’t try this at home: I ran this exercise from a private Twitter account with only one follower (my other Twitter account) in a research environment, so there was no danger!
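Because twitter.com is allowed almost everywhere, the "hide in plain sight" point above means a URL block list does nothing; what a defender can look at instead is behaviour. The following Python is an added example, not code from the original post or from any McAfee product: it scans constructed web-proxy log lines (the one-line-per-request format is assumed) and flags clients that fetch the same Twitter endpoint on a fixed timer with a non-browser user agent, which is how a bot polling a timeline for commands looks next to a person reading Twitter.

```python
"""Beacon detection for social-media polling in web-proxy logs (added example).

A bot reading commands from a Twitter timeline has to poll it; it does so on a
timer, from a scripted client, against one URL. A person browsing the same site
produces irregular gaps, a browser user agent and varied URLs. This scores each
(client, host) pair on gap regularity and client type.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed sample log, assumed format: "<ISO time> <client ip> <method> <url> <user agent>".
# A real proxy (Squid, BlueCoat, ...) needs its own parser in parse_line().
SAMPLE_LOG = """\
2010-09-29T10:00:00 10.0.0.5 GET http://twitter.com/statuses/user_timeline/botctl.rss python-urllib/2.6
2010-09-29T10:01:00 10.0.0.5 GET http://twitter.com/statuses/user_timeline/botctl.rss python-urllib/2.6
2010-09-29T10:02:00 10.0.0.5 GET http://twitter.com/statuses/user_timeline/botctl.rss python-urllib/2.6
2010-09-29T10:03:01 10.0.0.5 GET http://twitter.com/statuses/user_timeline/botctl.rss python-urllib/2.6
2010-09-29T10:04:00 10.0.0.5 GET http://twitter.com/statuses/user_timeline/botctl.rss python-urllib/2.6
2010-09-29T10:05:00 10.0.0.5 GET http://twitter.com/statuses/user_timeline/botctl.rss python-urllib/2.6
2010-09-29T10:00:12 10.0.0.7 GET http://twitter.com/ Mozilla/5.0 (Windows NT 6.1) Firefox/3.6
2010-09-29T10:00:47 10.0.0.7 GET http://twitter.com/home Mozilla/5.0 (Windows NT 6.1) Firefox/3.6
2010-09-29T10:09:30 10.0.0.7 GET http://twitter.com/search?q=worldcup Mozilla/5.0 (Windows NT 6.1) Firefox/3.6
2010-09-29T10:31:05 10.0.0.7 GET http://twitter.com/home Mozilla/5.0 (Windows NT 6.1) Firefox/3.6
2010-09-29T10:45:20 10.0.0.7 GET http://twitter.com/home Mozilla/5.0 (Windows NT 6.1) Firefox/3.6
"""

# Hosts worth watching for command polling; extend with whatever the report names.
WATCHED_HOSTS = {"twitter.com", "api.twitter.com", "www.linkedin.com"}
MIN_REQUESTS = 5    # need enough samples before judging regularity
MAX_JITTER = 0.10   # pstdev/mean of the gaps; a timer-driven poller stays well below this


def parse_line(line):
    """Split one constructed log line into a record; the user agent may contain spaces."""
    ts, ip, method, url, ua = line.split(" ", 4)
    return {"time": datetime.fromisoformat(ts), "ip": ip, "method": method,
            "host": urlparse(url).hostname, "url": url, "ua": ua}


def find_beacons(log_text, min_requests=MIN_REQUESTS, max_jitter=MAX_JITTER):
    """Return one finding per (client, host) pair whose requests look timer-driven."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["host"] in WATCHED_HOSTS:
            by_pair[(rec["ip"], rec["host"])].append(rec)

    findings = []
    for (ip, host), recs in by_pair.items():
        if len(recs) < min_requests:
            continue
        recs.sort(key=lambda r: r["time"])
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(recs, recs[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg              # 0.0 means a perfectly regular timer
        non_browser = not any(r["ua"].startswith("Mozilla/") for r in recs)
        same_url = len({r["url"] for r in recs}) == 1
        if jitter <= max_jitter and (non_browser or same_url):
            findings.append({"ip": ip, "host": host, "requests": len(recs),
                             "interval_s": round(avg, 1), "jitter": round(jitter, 3),
                             "non_browser_ua": non_browser, "single_url": same_url})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f)
```

In the constructed log, 10.0.0.5 polls the same timeline every 60 seconds from python-urllib and is reported; 10.0.0.7 also makes five requests to twitter.com but with gaps of 35 seconds to 21 minutes from a browser, and is not. Tuning MAX_JITTER is the real work: a bot that randomizes its sleep will push the jitter up, so in practice this goes alongside user-agent and destination-URL review rather than replacing it.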

The McAfee Labs research team has released a report that examines TwitterBots, KreiosC2, and XMPP as examples of how cybercriminals can use social networks as the new platform for botnet command, control, and attack.


World of Warcraft Spearphishing and Botting

September 13, 2010

Over the weekend I had the chance to put some work into my lowbie dwarf paladin named Boulderbrain. I was at the Stormwind bank minding my own business when I suddenly got this whisper:

Targeted WoW Phishing Attack

Now normally I ignore most whispers I get in-game (other times I simply don’t notice them), but this one caught my attention. Zooming in, I think you will see why:

WoW Phishing Closeup

This message is telling me that Blizzard suspects my account of using third-party tools to cheat, and asks me to go to their website, log in, and check my account settings. In actuality this is an “attacker” pretending to be a Blizzard GameMaster, and the website itself is a phishing site:

Fake WoW Login Page

This particular fake was hosted on an IP address that had a pretty questionable report. (HINT, HINT: use our SiteAdvisor browser plug-in!) World of Warcraft has millions of users worldwide, making attacks and techniques like this very common. Many players (myself included) have taken the additional step of using two-factor authentication (commonly called 2FA or simply tokens), which adds another layer of protection to your logon credentials:

WoW With 2FA

The addition of the 2FA pin makes it extremely difficult to break into or pop the account itself. (It’s like adding a secondary token to your bank logon.) OK, now granted I got the free Core Hound pup with it, but it also has a sweet iPhone app that generates the 2FA code!
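To show concretely why the token defeats the phishing page above, here is an added example (not code from the original post, and not Blizzard’s authenticator, which is a vendor-specific variant) of a generic RFC 4226/6238 one-time-password check in Python. Every name in it is constructed for illustration; the secret is the RFC test vector, and the PBKDF2 salt and iteration count are assumed values.

```python
"""Password + time-based one-time code (RFC 6238 TOTP) login check, added example.

The phishing site captures the password, and possibly one code. The code is
only valid for one 30-second window and each accepted code is burned, so the
attacker cannot replay it or derive the next one without the shared secret.
"""
import hashlib
import hmac
import struct

CONSTRUCTED_SALT = b"example-salt-not-for-production"   # assumed; real systems use a random per-user salt


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, decimal."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(unix_time) // step, digits)


def hash_password(password: str, salt: bytes = CONSTRUCTED_SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Toy account record: password hash, token secret, and the last counter accepted."""

    def __init__(self, password: str, totp_secret: bytes):
        self.pw_hash = hash_password(password)
        self.secret = totp_secret
        self.last_counter = -1   # codes at or before this counter are refused (anti-replay)

    def login(self, password: str, code: str, unix_time: int, window: int = 1, step: int = 30) -> bool:
        # First factor: constant-time compare of the password hash.
        if not hmac.compare_digest(hash_password(password), self.pw_hash):
            return False
        # Second factor: accept the current window plus `window` steps either side for clock skew,
        # but never a counter that has already been used.
        counter = int(unix_time) // step
        for delta in range(-window, window + 1):
            c = counter + delta
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def phishing_scenario():
    """Walk through the post's situation: the password (and one code) are captured on a fake page."""
    secret = b"12345678901234567890"           # RFC 4226/6238 test-vector secret, constructed account
    acct = Account("hunter2", secret)
    captured_code = totp(secret, 59)           # what the victim typed into the phishing page at t=59
    return {
        "victim_logs_in":      acct.login("hunter2", captured_code, 59),
        "immediate_replay":    acct.login("hunter2", captured_code, 59),
        "attacker_2_min_late": acct.login("hunter2", captured_code, 59 + 120),
        "password_only_guess": acct.login("hunter2", "000000", 59 + 120),
    }


if __name__ == "__main__":
    print(phishing_scenario())
```

The RFC vectors make the arithmetic checkable by hand: with that secret, time 59 falls in counter window 1 and yields 287082 (94287082 at eight digits). The replay and the late attempt both fail, which is the whole value of the token: the stolen password is necessary but no longer sufficient.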

Now what were those third-party apps the original phish may have alluded to? Bots most likely. As anyone who follows this blog is aware, bots refer to robots, usually malicious in nature, but they simply automate tasks. Some of the more popular bots for World of Warcraft are farming and leveling bots. They are designed for pretty much what you would guess: They automate the “farming” of a variety of materials (later sold for in-game gold) or even honor (honor points can be used to purchase in-game items). These bots can also automate the process of leveling your character. Some examples:

WoW Honorbot - Used for Honor and PvP Farming

and also:

GatheringBot - Used to Farm Materials Mainly

Should your account be found to be using any of these, it will get banned, as it violates Blizzard’s terms of service. Credential and logon theft is one of the biggest areas of malware we at McAfee Labs deal with on a daily basis. Make sure you stay updated and properly configured, and be cautious of in-game messages!

And level up old school: the account you save may be your own!


Labs Releases Whitepaper on Cooperative Anti-Malware on Endpoint and Gateway

August 31, 2010

The Anti-Malware engine is a critical and core piece of the McAfee anti-malware solutions. As with any core technology, the engine must be rock-solid stable, fast, and functionally rich.

A new McAfee Labs whitepaper outlines these engine technologies and values, covering both endpoint and gateway uses. Beyond introductions to malware detection methodologies (ranging from exact detection to heuristics) and technologies (from exploit detection to cloud-based detection), the new paper especially outlines McAfee’s approach to Cooperative Anti-Malware on Endpoint and Gateway. “Cooperative” in this case refers to the added value of combining anti-malware on the endpoint and on the gateway: a true defense-in-depth strategy in action.

In this defense-in-depth implementation we have engine technologies that are optimized for the endpoint and the gateway, respectively, and both are connected through our Global Threat Intelligence back-end, or “cloud.” This combination allows strict enforcement and the highest proactive catch rates at the network perimeter, keeping the majority of threats outside of your network, and effectively and accurately protecting the desktops in an enterprise as well.

Download and read it now!


Waka Waka FIFA 2010: Targeted PDF Attack Uses World Cup as Bait

June 22, 2010

Malware authors have long taken advantage of high-profile incidents and trends to infect naive Internet users with malware. Historically, we have come across innumerable incidents in which events such as Michael Jackson’s demise or the Benazir Bhutto assassination were used as an avenue to spread malware.

Recently we have seen instances in which FIFA World Cup themes have been used extensively as bait to lure unsuspecting users into opening malicious attachments. With many recently discovered vulnerabilities and widespread distribution, PDF files are a perfect vector for these kinds of attacks. These threats can be delivered as emails or as poisoned search-engine results leading to malicious PDFs.

This particular PDF file is directed at certain high-profile targets. Upon executing the malicious PDF file on a vulnerable version of Adobe Reader or Acrobat, it drops an innocent PDF file as shown in the figure below to spoof the unsuspecting user.

This PDF exploits a vulnerability in the way Adobe Acrobat and Reader handle TIFF files and affects versions 9.3 and earlier.

This malicious PDF drops and executes a malicious payload detected as BackDoor-ERZ, while the malicious PDF is detected as Exploit-pdf.b with McAfee’s 6022 DATs.
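The behaviour described above (a PDF that carries an exploit for an image parser, auto-runs, and drops a decoy document) leaves static traces that a first-pass triage can pick up before any detonation. The following Python is an added example, not code from the original post or from McAfee: it inflates FlateDecode streams and scores a PDF on a small set of assumed heuristic weights. The two sample files are constructed inline; the "suspicious" one is a harmless stand-in that only contains the markers, not an exploit.

```python
"""Static PDF triage heuristics, added example.

Scores a PDF on markers that the post's sample combines: an action that runs on
open, script, and an image-parser input (TIFF magic) plus a second PDF carried
inside it (the decoy shown to the victim). Streams are inflated so markers hidden
under /FlateDecode are seen too. Weights and threshold are assumed, not a standard.
"""
import re
import zlib

INDICATORS = [                       # (name, pattern, weight) -- weights are an assumed triage heuristic
    ("javascript",    re.compile(rb"/JavaScript|/JS\b"),  3),
    ("auto_action",   re.compile(rb"/OpenAction|/AA\b"),  2),
    ("launch",        re.compile(rb"/Launch\b"),          3),
    ("embedded_file", re.compile(rb"/EmbeddedFile\b"),    2),
    ("tiff",          re.compile(rb"II\*\x00|MM\x00\*"),  2),   # TIFF magic: the parser this post's sample abuses
]
NESTED_PDF_WEIGHT = 2                # a second %PDF- header: dropper carrying its decoy
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
SUSPICIOUS_THRESHOLD = 4


def extract_streams(pdf: bytes):
    """Return stream bodies, inflated when they are zlib/FlateDecode data, raw otherwise."""
    out = []
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        try:
            out.append(zlib.decompress(raw))
        except zlib.error:
            out.append(raw)
    return out


def triage_pdf(pdf: bytes):
    """Score one PDF; returns the indicators found, the score, and a verdict."""
    streams = extract_streams(pdf)
    views = [pdf] + streams                         # raw file plus every inflated stream
    found, score = set(), 0
    for name, pat, weight in INDICATORS:
        if any(pat.search(v) for v in views):
            found.add(name)
            score += weight
    if pdf.count(b"%PDF-") > 1 or any(b"%PDF-" in s for s in streams):
        found.add("nested_pdf")
        score += NESTED_PDF_WEIGHT
    return {"indicators": sorted(found), "score": score, "suspicious": score >= SUSPICIOUS_THRESHOLD}


# Constructed sample 1: a plain one-page document.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Length 44 >>\nstream\nBT /F1 12 Tf 72 720 Td (Hello, World Cup) Tj ET\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample 2: same skeleton, plus an open action, compressed script, and a
# compressed stream holding TIFF magic followed by a decoy PDF header. No exploit code.
_script = zlib.compress(b"<< /S /JavaScript /JS (app.alert('decoy')) >>")
_payload = zlib.compress(b"II*\x00" + b"\x00" * 16 + b"%PDF-1.3\n% decoy document shown to the victim\n")
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 5 0 R /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"5 0 obj << /Length " + str(len(_script)).encode() + b" /Filter /FlateDecode >>\nstream\n"
    + _script + b"\nendstream\nendobj\n"
    b"6 0 obj << /Length " + str(len(_payload)).encode() + b" /Filter /FlateDecode >>\nstream\n"
    + _payload + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    print("benign:", triage_pdf(BENIGN_PDF))
    print("suspicious:", triage_pdf(SUSPICIOUS_PDF))
```

This is a triage aid, not detection: a clean file with a legitimate form script will score, and an attacker can spread markers across object streams or other filters this code does not decode. Its value is in ordering which attachments get opened in a sandbox first, and in surfacing the "decoy inside the dropper" pattern the post describes.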


Message to Google: Aurora NOT a Technology or OS Issue

June 1, 2010

The news that Google is supposedly dropping Microsoft Windows is spreading like wildfire all over the Internet today. Without getting into any “which OS is better or more secure” holy war, let’s review some facts to see if this “decision” has any basis in reality. (I caution readers to remember this is not confirmed, even if it is true.)

The supposed cause of this change is Operation Aurora, the attack that affected Google and many other companies. From the McAfee Labs Threat Center:

“Operation Aurora was a coordinated attack which included a piece of computer code that exploits the Microsoft Internet Explorer vulnerability to gain access to computer systems. This exploit is then extended to download and activate malware within the systems. The attack, which was initiated surreptitiously when targeted users accessed a malicious web page (likely because they believed it to be reputable), ultimately connected those computer systems to a remote server. That connection was used to steal company intellectual property and, according to Google, additionally gain access to user accounts.”

What many people fail to realize is that Operation Aurora was not really about any technical issues.

But you may ask “Marcus, how can you possibly say that? Have you gone mad? Aurora 0wned multiple computers on multiple networks! They were all running that evil Microsoft Windows. Surely removing Windows will solve all the problems!”

These objections are not even close to the real issue. Sure, the attackers used a very effective zero-day vulnerability. And, certainly, they used lots of evasion techniques in delivering the payload. But the real vulnerability has not been discussed.

People were the weak link.

The attackers who launched Operation Aurora knew their targets well from both corporate and personal viewpoints. They knew what their victims were running and what their roles were. The attackers even knew what application versions they used. (Ever wonder why the zero-day was limited in effectiveness to Internet Explorer Version 6 when the attack commenced? The attackers knew that was all they needed.)

The intel that the attackers gathered to make Operation Aurora work is what made it a success–not the operating system involved. The targets were the people.

Would it make any difference if the victims were running Linux or any other operating system if an attacker builds such a sophisticated profile? Not remotely. Linux, Windows, Mac, whatever–everything has weaknesses. Especially the users of those systems.

When an attacker knows the details of a company’s technical deployment and personnel to the level we saw in Operation Aurora, the difference between one operating system and another is irrelevant. Any system or network can be technically compromised. Likewise, malware can be written for any operating system.

If determined attackers and gatherers of intelligence invest the time to get to know their targets–their behaviors, likes, dislikes, technical backgrounds, job roles, etc.–the actual exploit is trivial. All they have to do is get their victims to click a link. The more they know about their targets, the more likely users will click it.

Social engineering and intelligence gathering trump technology every time. They always have and always will.


Ending XP Service Pack 2 and Windows 2000 security support and its implications

May 13, 2010

I was just reading Byron Acohido’s writeup on Microsoft ending security patch support for Windows XP Service Pack 2 and Windows 2000. Now, as I work for a vendor myself, I completely understand why Microsoft is going EOL (or is it EOS for end-of-support? I forget…) for these operating systems: better, more robust OS choices exist, and no company has unlimited resources to support applications and technologies that have seen better days.

I get that, I really do. I do, however, think some larger issues certainly loom:

1. Legacy applications that will not run on higher patch builds
2. Point-of-sale and embedded devices (think ATMs and such), ESPECIALLY if you have a global deployment
3. Patching and upgrading is never easy anyway
4. The agility of cybercriminals

Now I will also concede that it’s relatively straightforward to compromise a fully patched system. The tools and techniques are readily and easily available if you have a browser and even limited Google search skills. But let’s also be honest: it’s WAY easier to own an older, unpatched build, especially when all the vulnerabilities that XP Service Pack 2 and Windows 2000 have are so well documented and available. Malware also tends to be fairly backwards compatible in many cases.

I am not so certain this will cause a great shift in the toolkits or focus of your average malware writer or cybercriminal. I DO think it is an excellent opportunity for scammers, though. Just think of the spam campaigns or link spam possibilities: it’s a great lure.

“MS has stopped support for XP Service Pack 2. Click here for low-cost upgrades!!!”
“Your machine seems to be running Windows 2000. Click here to upgrade to Windows 7 for a low price!”

I can see the spam runs, phishing sites, and associated fake-AV installs now… Be forewarned, my friends. And is it just me, or are whitelisting and application control looking better and better?


Cooperation Grows in Fight Against Cybercrime

March 29, 2010

Last week in Strasbourg, France, the Council of Europe organized the Octopus Interface Conference 2010. More than 300 experts from all over the world, representing governments, law enforcement authorities, international organizations, and the Internet industry gathered to discuss the “Cooperation Against Cybercrime.”

On Tuesday, in the opening session, Maud de Boer Buquicchio, Deputy Secretary General of the Council, reminded the attendees that the international principles of human rights and the rule of law must apply online as well as offline. In this way, the Internet itself is now increasingly considered a basic right. But in this new environment cybercrime is a greater concern than ever; it threatens those rights. Security and the protection of rights are the responsibility of both public authorities and private-sector organizations. After a panel discussion run by countries engaged in the fight against cybercrime, Alexander Seger discussed the Budapest Convention on Cybercrime. Currently used by more than 100 countries around the world, it is the first international treaty on crimes committed via the Internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography, and violations of network security.

Seger recommended the implementation of the convention worldwide to boost legislative reforms already underway in a large number of countries. Nations should consider adopting the policies to make use of the international cooperation provisions of this treaty. Increasing consensus on this treaty as a common framework of reference helps mobilize resources and create partnerships among public- and private-sector organizations. As a result, the ratification of the Budapest Convention by Azerbaijan, Montenegro, and Portugal prior to and during the conference, and the expressions of interest from Argentina and other countries, serve as examples to other countries.

In the afternoon, I joined a workshop on law enforcement responsibilities. Here, police units from various countries presented their services and discussed their local laws against cybercrime. I was particularly interested, as many of them discussed trends on this matter. In 2009, the Romanian National Police indexed 102 cases (indictments) with 766 offenses, 482 people charged, and 289 people arrested. In that country, 80 percent of IT fraud and phishing attacks are aimed at United States citizens, whereas 80 percent of credit card fraud (skimming) targets West European citizens. In Turkey, the Organized Crime Department (KOM) made 2,871 arrests in 2009.

However, these figures represent only a small part of the fraud that is committed. In many cases, nobody files a complaint. After fraud is committed and reported, the bank refunds its conned client via their insurance company. The bank is well insured and the victim is compensated. As for the insurance company, its profit is barely affected. There is no need to alert the authorities.

In the second part of this workshop, people from the FBI and SOCA presented three objectives for law enforcement as well as recommendations for ICANN:

  1. Due Diligence: ICANN needs to vet potential registrars and registries, through checks of international databases to ascertain an organization’s good standing. Registrars need to validate data received at the time of domain name registration and periodically thereafter.
  2. WHOIS: Accurate and public WHOIS is essential. The proxy/privacy registrations have to be limited for private individuals for noncommercial purposes. Companies providing services should be accredited by ICANN.
  3. Transparency and accountability: Domain name resellers and all third-party beneficiaries must be held to the same terms and conditions as registrars. ICANN should require all registrars, registries, proxy services, resellers, and all third-party beneficiaries of any contracts or policies of ICANN to publicly display ownership, parent companies, subsidiaries, and business associations.

On Wednesday, I participated in the mapping networks and initiatives workshop. Here, various organizations dealing with cybercrime presented their objectives and initiatives. Among them, Inhope presented its fight against illegal content (child sexual abuse images, extreme violence, racism and xenophobia, bestiality, online hate and xenophobia websites, adult pornography). Looking at their map representing countries saying “no” to illegal content, the audience realized that there is a long way to go.

In the next workshop, dedicated to technical assistance against cybercrime, two talks grabbed my attention. The first one exposed the situation in India. In this country, only about 10 percent of all cybercrimes committed are actually reported, and fewer than 2 percent result in a conviction. Nevertheless, 30 million judicial actions are pending. The Indian people purchase seven million mobile phones monthly. A large number do not have any traceability mechanism. This is a golden opportunity for terrorists, who can use these phones without fear.

The second talk was given by my colleague Greg Day, Director of Security Strategy for Europe, the Middle East, and Africa at McAfee. He presented various initiatives that industry can use to share intelligence and drive knowledge transfer. Besides training sessions and the direct line to McAfee Labs offered to various police crime units around the world, Day focused on the Industry Connections Security Group. This outfit gathers computer security entities to work on common goals and industry issues. Day sees that cybercriminals have leveraged the underground economy to gain economies of scale and access to specialist tools and services, whereas the security industry has generally responded to threats as individual entities. To tackle this problem, security professionals established the ICSG, under the umbrella of the IEEE Standards Association, to pool their experiences and resources in response to the systematic and rapid rise in new malware being introduced to the market.

The last workshop I attended was on Thursday morning. We discussed cloud computing and the law enforcement challenges introduced by this new environment. Christian Aghroum, chief of the French National Unit for Countering Cybercrime, explained the threats facing data and services that are stored somewhere in the “Internet cloud.” His talk was a fitting conclusion for these three days in Strasbourg. Although there are no borders on the Net, the concept of national sovereignty keeps on confronting us. Human rights are acknowledged around the world, international maritime or air rights are usually respected, yet there is no universal right for the extra dimension that is the Internet. Unfortunately the Budapest Convention is far from accepted by all countries worldwide. In everyday police work, this produces a huge gap that greatly favors criminals. If a French neo-Nazi website is hosted in the United States, France really has little possibility of shutting it down. If a company leaves a foreign country after some diplomatic issues, there is no guarantee to ensure the security of its data stored in the cloud. Today, in some cases, we cannot maintain security in our country because of the start of cloud-based services. In one or two years, this will be worse in the “absolute cloud,” which will have no borders. If international laws are not rapidly created, based on the Budapest Convention, the problems will certainly become worse.  

Before ending this post, I have to mention the Nigerian delegation, which offered us a song made by famous Nigerian singers. “Maga No Need Pay!” denounces fraud. (Maga is the Nigerian word for victims of fraud.) To the Nigerian people, the song explains that fraud is not the right way toward a better life. To the rest of the world, it explains that Nigeria is a great country that should not be considered solely corrupt.

Cybercrime must be fought with laws and technology, but it can be also fought with music.

The clip is viewable here.


Cybercrime and Hacktivism in the Headlines

March 29, 2010

All over the world, individuals and many organized crime and mafia groups have found that the Internet can help them make a lot of money. Others are motivated by ideology: Manipulated by or acting in accordance with an ethos, they conduct illegal activities against institutions or individuals they consider the “enemy.” Far removed from the isolated individuals acting simply irresponsibly or for amusement, these two groups constitute the double threat we know today as cybercrime and hacktivism.

Last week we published a new report that looks, in great depth, at this phenomenon. The main goal is to explain how these organized groups have become established and what the extent of their activities are. In the first part of this report, after offering some definitions, we present some of the major participants who simply cannot be ignored. The second part deals with various topics including cybercrime and hacktivism, economics, politics, culture, and others. Each topic is illustrated with examples found in the news. Through other examples, the third part of the document deals with prices and the return on investment criminals can expect.

Chinese, Japanese, and Brazilian Portuguese versions are also available from the McAfee Labs Technical White Papers web page.

