Trojan Archives | Page 5 of 12 | Gregory D. Evans | Worlds No. 1 Security Consultant

Posts Tagged ‘Trojan’

Microsoft disrupts servers used by feared Zeus bank Trojan

In the most significant cybercrime bust of the year so far, Microsoft and US banking organisations say they have disrupted a number of the most active botnets that have been attacking online banking customers across the world with impunity using the Zeus crimeware.

On 19 March, the company filed a court action under the US Racketeer Influenced and Corrupt Organizations (RICO) Act alleging that 39 individuals (“John Does 1-39”) were responsible for Zeus-based botnets that had stolen an alleged $100 million (£63 million) over the past five years after infecting 13 million PCs.

By 23 March, the company’s Digital Crimes Unit, the Information Sharing and Analysis Center (FS-ISAC) and the Electronic Payments Association NACHA had launched ‘Operation b71’, physically seizing hosted servers allegedly used as command and control for the bots and gathering further evidence against the accused.

“We don’t expect this action to have wiped out every Zeus botnet operating in the world. However, together, we have proactively disrupted some of the most harmful botnets, and we expect this effort will significantly impact the cybercriminal underground for quite some time,” said Microsoft in an official statement.

In addition to Zeus, botnets built using the related SpyEye and Ice-IX variants were also disrupted, Microsoft said.

The action is only the latest in a long line stretching back years that has seen Microsoft and its Digital Crimes Unit become perhaps the most successful anti-cybercrime organisation on the planet, harnessing local laws, trade bodies and the security industry itself to counter a digital crimewave.

The most significant action in recent times was against the infrastructure behind the Rustock botnet in March 2011, which immediately cut global spam levels. Together with similar campaigns against Waledec and last summer’s anti-Kelihos operation, this has helped reduce the volume of spam circulating on the Internet almost back to levels last seen some years ago.

What of Zeus, and why has it become so significant? The simplest answer is probably that it is the first banking malware to be turned into what is termed ‘crimeware’, that is, a fully featured crime platform sold to criminals across the world. That has fuelled its popularity and success.

Any action that removes some of the infrastructure will have a short-term impact on its activity, but the biggest blow is simply that someone, anyone, has done something. Cybercriminals profiting from effective but common malware such as Zeus have acted in the knowledge that they will probably get away with their crimes. As of today, that assumption might not be as secure.

Microsoft started offering access for third parties to its anti-botnet system in January this year.


There’s a New Version of the Stuxnet-esque Duqu Trojan Floating Around and Nobody Knows What It Does [Hacking]

A newly surfaced version of the Duqu trojan indicates that the authors of one of the most sophisticated computer worms in recent memory are aggressively trying to figure out how to attack their next target.

Researchers at Symantec have analyzed the mysterious new file, W32.Duqu, which is one of the components of the Duqu trojan. Duqu is a snooping bug with code very similar to the Stuxnet worm, which attacked a nuclear facility in Iran. The trojan crawls the world looking for security weaknesses in target systems.

The new file was compiled on February 23rd and contains several code-level changes—a very scary reminder that whoever was behind the Stuxnet worm is still at it.

Checking the code we can see the authors have changed just enough of the threat to evade some security product detections, although this appears to have only been partially successful. One of the more significant changes to the code is the encryption algorithm they use to encrypt the other components on disk.

…Another difference is the old driver file was signed with a stolen certificate, and this one is not. Also the version information is different in this new version compared to the previous version we have seen. In this case, the Duqu file is pretending to be a Microsoft Class driver.

Without access to more components of Duqu, the researchers can’t be sure what exactly the changes mean, but they’re understandably very concerned with every piece of evidence that they find. [Symantec via ABCNews]


Russian police arrest notorious ‘Carberp’ Trojan gang

Russian police are reported to have arrested the gang behind the notorious Carberp Trojan used to steal hundreds of millions of roubles from online bank customers during one of the most notorious cybercrime campaigns ever to hit the country.

In a major police operation, The Federal Security Service (FSB) and Ministry of the Interior (MVD) are said to have swooped on the gang’s ringleaders, two Moscow-based brothers in their late 20s, one of whom was wanted for real estate fraud.

Six accomplices of the pair were also detained.

“Our experts did an enormous amount of work, which resulted in identifying the head of this criminal group, the owner and operator of a specialised banking botnet, identifying the control servers, and identifying the directing of traffic from popular websites in order to spread malware infection,” said Ilya Sachkov, CEO of Group-IB, a security firm that helped investigate the gang’s attacks.

“The investigations conducted by our Forensics Lab confirmed the use of the Win32/Carberp and Win32/Rdpdor malware by the criminals in order to carry out theft of funds.”

The gang also conducted DDoS attacks, Sachkov said. Police seem confident that they have netted the entire gang.

Often associated with Blackhole Exploit Kit, Carberp achieved notoriety across the online banking world as a follow-up attack in the aftermath of the infamous Zeus Trojan of 2010.

In its signature Russian attacks, the Trojan would steal online logins, which allowed the criminals to transfer sums to mule accounts, from where the money was withdrawn using ATM transactions.

What marked the Carberp gang out from the start was the apparent impunity with which it attacked ordinary Russians, something that made it public enemy number one in the country. Up to 130 banks around the world were affected, with at least 130 million roubles (£2.8 million) stolen in a recent three-month period in Russia alone.

Worldwide, in the 18 months of its operation Carberp was probably making the gang millions of dollars per month, some of which was cycled back into other cybercrime campaigns.

The full extent of the gang’s activities has still to be established but could take in other high-profile Russian malware activities.


Unknown Computer Language Found in Trojan

Some of you may recall from the past two years news about some malware which had apparently targeted Iranian nuclear enrichment centers. The Stuxnet worm destroyed 400 centrifuges, which are critical to enriching uranium, and later the Duqu trojan was found. Duqu’s purpose is not yet known as it has not been activated yet, but it could potentially steal, corrupt, or run certain files. While …


Bigger bank-hitting Trojan malware seen


Duqu Trojan written in mystery programming language, analysis finds

The mystery of the Stuxnet-like ‘Duqu’ Trojan has deepened with the news that elements of its payload appear to have been written in an unidentifiable programming language.

An ongoing analysis effort by Kaspersky Lab researchers has now uncovered much of the inner programming structure of the software, overwhelmingly written quite conventionally in C++.

However, delving inside the Payload.dll, the team discovered a section of the code dedicated to stealthy communication with the Trojan’s command and control servers that defied their analysis.

Dubbing it the ‘Duqu Framework’, the team has not been able to go much further than identifying it as an object-oriented language of considerable sophistication.

“The mysterious programming language is definitively NOT C++, Objective C, Java, Python, Ada, Lua and many other languages we have checked,” said Kaspersky Lab engineer, Igor Soumenkov.

Payload.dll looks to be a critical element of the program. According to Kaspersky, it is used to receive instructions from remote servers but also to relay stolen data, and can operate completely independently of the rest of the program. It was also important for spreading the Trojan to other Windows machines.

“Given the size of the Duqu project, it’s possible that an entirely different team was responsible for creating the Duqu Framework as opposed to the team that created the drivers and wrote the system infection exploits,” said Kaspersky’s chief security expert, Alexander Gostev.
“With the extremely high level of customisation and exclusivity that the programming language was created with, it is also possible that it was made not only to prevent external parties from understanding the cyber-espionage operation and the interactions with the C&Cs, but also to keep it separate from other internal Duqu teams who were responsible for writing the additional parts of the malicious program.”

Discovered by Budapest University security researchers last September, Duqu’s provenance, intention and design matters because it has been plausibly connected to the infamous Stuxnet malware that many believe was created to disrupt vulnerable SCADA systems connected to Iran’s nuclear enrichment program.

The connections between the two programs are contentious but eerie, based on the two programs’ use of common elements. What is clear is that Duqu is sophisticated enough to be the work of a well-resourced and skilled team trying to cover its tracks.

In that they have failed as they were always doomed to do. The more sophisticated a piece of software, the more unusual its programming design and structure is likely to be and the more this very expert-level complexity draws attention to itself, raising suspicions.

Despite turning itself into the expert hub on the Trojan, Kaspersky has now appealed to programmers for help in identifying the programming language used to create the Duqu Framework.


Intego Warns of New Mac Trojan Variant

The company’s researchers say Flashback.G has already infected many OS X users.


Apple Mac user logins hunted by Flashback.G Trojan

Apple Mac users have been warned to be on the lookout for a new variant of the Flashback Java Trojan that has already hit an unknown number of victims running OS X 10.6 Snow Leopard.

The new Flashback.G documented by Mac security company Intego shows an interesting development in the sophistication of its social engineering.

It first targets Macs running versions of Java open to one of two common vulnerabilities. If these have been patched or Java is not installed (as would be the case by default when running OS X Lion), the malware throws up a dialog asking users to accept a bogus digital certificate claiming to be from Apple.

Anyone fooled by the ruse will be triggering the install procedure for a browser login stealer that puts password-protected websites such as banking sites, PayPal and webmail at severe risk.

According to Intego, a clue that a Mac has become infected is that the malware’s code injection renders applications such as Safari and Skype prone to frequent crashes. Users will also find a Java applet in ~/Library/Caches.

Despite the very low level of malware that targets the platform compared to Windows, there are signs that Apple now sees the appearance of more sophisticated Java malware as posing a real threat.

Last week the company showed a preview version of its future Mountain Lion OS X release featuring the ‘Gatekeeper’ security feature, a way of locking down which application providers can install apps of any kind on the OS.

Flashback first appeared in mid-2011 as a bogus app masquerading as an Adobe Flash player.

Twitter: @JohnEDunn


Modified ZeuS botnet Trojan no longer needs C&C servers

The ZeuS Trojan has been modified by cybercriminals in a way that means it no longer relies on command and control (C&C) servers for receiving instructions, according to Symantec security researchers.

ZeuS is very popular in the cybercriminal world because it’s capable of stealing a wide variety of information, documents and login credentials from infected systems. For many years it was the weapon of choice for most fraudsters targeting online banking systems.

The Trojan’s source code was published on internet underground forums last year, paving the way for many third-party modifications and improvements.

In November 2011, security researchers identified a heavily modified ZeuS variant capable of relaying attacker commands from one compromised host to another, in a peer-to-peer-like (P2P) fashion.

P2P fallback mechanism

That version of the Trojan still connected to a C&C server for dropping stolen data and receiving instructions, but used the P2P system as a fallback mechanism in case the server went down.

However, a new variant recently detected by antivirus vendor Symantec has completely removed the need for C&C servers. “Every peer in the botnet can act as a C&C server, while none of them really are one,” Symantec researcher Andrea Lelli said yesterday.

“Bots are now capable of downloading commands, configuration files, and executables from other bots — every compromised computer is capable of providing data to the other bots,” she said.

In order to implement this functionality, the creators of this ZeuS variant have incorporated the nginx web server into the Trojan, allowing every infected computer to receive and send data over the HTTP protocol.

This makes their botnet more resilient to takedowns, because there’s no longer a single point of failure for security researchers to target, and it also prevents botnet tracking systems like ZeusTracker from doing their job.

“Zeustracker is a site which has had considerable success in tracking and publishing IP block lists for Zeus C&C servers around the world,” Lelli said, adding that Zeus’ switch to P2P for these functions means that the site would no longer be able to produce exact Zeus C&C IP block lists.

Organisations rely on such lists to block ZeuS traffic at the network level in order to prevent this malware from exfiltrating sensitive data. Monitoring connection attempts for the C&C IP addresses also helps companies identify compromised computers within their networks.

Symantec researchers have seen this new ZeuS variant distributing malware like fake antivirus programs. However, they have yet to figure out how it sends the captured information back to the attackers in the absence of C&C servers.

“Analysis is still ongoing, so we are working on uncovering this part of the mystery to figure out the full picture,” Lelli said.


Trojan Exploits Known Hole in Microsoft Office (February 9, 2012)

Wow! It’s an incident handler’s Christmas morning, tools, tools, tools. Very Applicable!
-Todd Davis, Symantec
