Trojan Archives - Page 5 of 12 - Gregory D. Evans

Posts Tagged ‘Trojan’

Russian police arrest notorious ‘Carberp’ Trojan gang

Russian police are reported to have arrested the gang behind the notorious Carberp Trojan used to steal hundreds of millions of roubles from online bank customers during one of the most notorious cybercrime campaigns ever to hit the country.

In a major police operation, the Federal Security Service (FSB) and Ministry of the Interior (MVD) are said to have swooped on the gang’s ringleaders, two Moscow-based brothers in their late 20s, one of whom was wanted for real estate fraud.

Six accomplices of the pair were also detained.

“Our experts did an enormous amount of work, which resulted in identifying the head of this criminal group, the owner and operator of a specialised banking botnet, identifying the control servers, and identifying the directing of traffic from popular websites in order to spread malware infection,” said Ilya Sachkov, CEO of Group-IB, a security firm that helped investigate the gang’s attacks.

“The investigations conducted by our Forensics Lab confirmed the use of the Win32/Carberp and Win32/Rdpdor malware by the criminals in order to carry out theft of funds.”

The gang also conducted DDoS attacks, Sachkov said. Police seem confident that they have netted the entire gang.

Often associated with Blackhole Exploit Kit, Carberp achieved notoriety across the online banking world as a follow-up attack in the aftermath of the infamous Zeus Trojan of 2010.

In its signature Russian attacks, the Trojan would steal online banking logins, which allowed the criminals to transfer sums to mule accounts, from which the money was then withdrawn through ATM transactions.

What marked the Carberp gang out from the start was the apparent impunity with which it attacked ordinary Russians, something that made it public enemy number one in the country. Up to 130 banks around the world were affected, with at least 130 million roubles (£2.8 million) stolen in a recent three-month period in Russia alone.

Worldwide, in the 18 months of its operation Carberp was probably making the gang millions of dollars per month, some of which was cycled back into other cybercrime campaigns.

The full extent of the gang’s activities has still to be established but could take in other high-profile Russian malware activities.


View full post on National Cyber Security » Computer Hacking

Unknown Computer Language Found in Trojan

Some of you may recall from the past two years news about some malware which had apparently targeted Iranian nuclear enrichment centers. The Stuxnet worm destroyed 400 centrifuges, which are critical to enriching uranium, and later the Duqu Trojan was found. Duqu’s purpose is not yet known as it has not been activated yet, but it could potentially steal, corrupt, or run certain files. While …

View full post on computer worm — Yahoo! News Search Results

View full post on National Cyber Security » Virus/Malware/Worms

Bigger bank-hitting Trojan malware seen

PARIS (Reuters)- Christians far outnumber Muslims as migrants around the world, including in the European Union where debates about immigration usually focus on new Muslim arrivals, according to a new study issued on Thursday. Of the world’s 214 million people who have moved from their home country to live in another, about 106 million (49 percent) are Christians while around 60 million (27 percent) are Muslims, the study by the Pew Forum on Religion and Public Life said. Only 3. …


View full post on National Cyber Security » Virus/Malware/Worms

Duqu Trojan written in mystery programming language, analysis finds

The mystery of the Stuxnet-like ‘Duqu’ Trojan has deepened with the news that elements of its payload appear to have been written in an unidentifiable programming language.

An ongoing analysis effort by Kaspersky Lab researchers has now uncovered much of the inner programming structure of the software, overwhelmingly written quite conventionally in C++.

However, delving inside the Payload.dll, the team discovered a section of the code dedicated to stealthy communication with the Trojan’s command and control servers that defied their analysis.

Dubbing it the ‘Duqu Framework’, the team has not been able to go much further than identifying it as an object-oriented language of considerable sophistication.

“The mysterious programming language is definitively NOT C++, Objective C, Java, Python, Ada, Lua and many other languages we have checked,” said Kaspersky Lab engineer, Igor Soumenkov.

Payload.dll looks to be a critical element of the program. According to Kaspersky, it is used to receive instructions from remote servers but also to relay stolen data, and can operate completely independently of the rest of the program. It was also important for spreading the Trojan to other Windows machines.

“Given the size of the Duqu project, it’s possible that an entirely different team was responsible for creating the Duqu Framework as opposed to the team that created the drivers and wrote the system infection exploits,” said Kaspersky’s chief security expert, Alexander Gostev.

“With the extremely high level of customisation and exclusivity that the programming language was created with, it is also possible that it was made not only to prevent external parties from understanding the cyber-espionage operation and the interactions with the C&Cs, but also to keep it separate from other internal Duqu teams who were responsible for writing the additional parts of the malicious program.”

Discovered by Budapest University security researchers last September, Duqu’s provenance, intention and design matters because it has been plausibly connected to the infamous Stuxnet malware that many believe was created to disrupt vulnerable SCADA systems connected to Iran’s nuclear enrichment program.

The connections between the two programs are contentious but eerie, based on the two programs’ use of common elements. What is clear is that Duqu is sophisticated enough to be the work of a well-resourced and skilled team trying to cover its tracks.

In that they have failed, as they were always doomed to do. The more sophisticated a piece of software, the more unusual its programming design and structure is likely to be, and the more this very expert-level complexity draws attention to itself and raises suspicions.

Despite turning itself into the expert hub on the Trojan, Kaspersky has now appealed to programmers for help in identifying the programming language used to create the Duqu Framework.


View full post on National Cyber Security » Computer Hacking

Intego Warns of New Mac Trojan Variant

The company’s researchers say Flashback.G has already infected many OS X users.

View full post on eSecurityPlanet RSS Feed

View full post on National Cyber Security

Apple Mac user logins hunted by Flashback.G Trojan

Apple Mac users have been warned to be on the lookout for a new variant of the Flashback Java Trojan that has already hit an unknown number of victims running OS X 10.6 Snow Leopard.

The new Flashback.G documented by Mac security company Intego shows an interesting development in the sophistication of its social engineering.

The Trojan first targets Macs running versions of Java open to one of two common vulnerabilities. If these have been patched or Java is not installed (as would be the case by default when running OS X Lion), the malware throws up a dialog asking users to accept a bogus digital certificate claiming to be from Apple.

Anyone fooled by the ruse will be triggering the install procedure for a browser login stealer that puts password-protected websites such as banking sites, PayPal and webmail at severe risk.

According to Intego, a clue that a Mac has become infected is that the malware’s code injection renders applications such as Safari and Skype prone to frequent crashes. Users will also find a Java applet in ~/Library/Caches.

Despite the very low level of malware that targets the platform compared to Windows, there are signs that Apple now sees the appearance of more sophisticated Java malware as posing a real threat.

Last week the company showed a preview version of its future Mountain Lion OS X release featuring the ‘Gatekeeper’ security feature, a way of locking down which application providers can install apps of any kind on the OS.

Flashback first appeared in mid-2011 as a bogus app masquerading as an Adobe Flash player.

Twitter: @JohnEDunn


View full post on National Cyber Security » Computer Hacking

Modified ZeuS botnet Trojan no longer needs C&C servers

The ZeuS Trojan has been modified by cybercriminals in a way that means it no longer relies on command and control (C&C) servers for receiving instructions, according to Symantec security researchers.

ZeuS is very popular in the cybercriminal world because it’s capable of stealing a wide variety of information, documents and login credentials from infected systems. For many years it was the weapon of choice for most fraudsters targeting online banking systems.

The Trojan’s source code was published on internet underground forums last year, paving the way for many third-party modifications and improvements.

In November 2011, security researchers identified a heavily modified ZeuS variant capable of relaying attacker commands from one compromised host to another, in a peer-to-peer-like (P2P) fashion.

P2P fallback mechanism

That version of the Trojan still connected to a C&C server for dropping stolen data and receiving instructions, but used the P2P system as a fallback mechanism in case the server went down.

However, a new variant recently detected by antivirus vendor Symantec has completely removed the need for C&C servers. “Every peer in the botnet can act as a C&C server, while none of them really are one,” Symantec researcher Andrea Lelli said yesterday.

“Bots are now capable of downloading commands, configuration files, and executables from other bots — every compromised computer is capable of providing data to the other bots,” she said.

In order to implement this functionality, the creators of this ZeuS variant have incorporated the nginx web server into the Trojan, allowing every infected computer to receive and send data over the HTTP protocol.

This makes their botnet more resilient to takedowns, because there’s no longer a single point of failure for security researchers to target, and it also prevents botnet tracking systems like ZeusTracker from doing their job.

“Zeustracker is a site which has had considerable success in tracking and publishing IP block lists for Zeus C&C servers around the world,” Lelli said, adding that Zeus’ switch to P2P for these functions means that the site would no longer be able to produce exact Zeus C&C IP block lists.

Organisations rely on such lists to block ZeuS traffic at the network level in order to prevent this malware from exfiltrating sensitive data. Monitoring connection attempts to the C&C IP addresses also helps companies identify compromised computers within their networks.
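The defensive use of a C&C block list described above, as an added example that is not part of the article or of ZeusTracker's own tooling: a small Python script that loads a block list in the usual one-entry-per-line style (single IPs or CIDR ranges, `#` comments), then runs it over outbound firewall or proxy log lines to flag which internal hosts attempted to contact a listed address. The feed contents, the log format (timestamp, source host, destination IP, port, action) and all addresses are constructed for the example, using documentation ranges only.

```python
import ipaddress
from collections import defaultdict

# Constructed sample block list in the style of a C&C IP feed.
# All entries are documentation/private ranges, not real indicators.
BLOCKLIST_FEED = """\
# zeus c&c blocklist (constructed sample)
198.51.100.23
203.0.113.0/28   # a small hosting range
192.0.2.77
"""

# Constructed sample outbound firewall/proxy log lines (assumed format):
# <timestamp> <source host> <destination ip> <destination port> <action>
SAMPLE_LOGS = """\
2012-02-10T09:14:02Z ws-1042 198.51.100.23 80 ALLOW
2012-02-10T09:14:05Z ws-1042 93.184.216.34 443 ALLOW
2012-02-10T09:15:11Z ws-2210 203.0.113.9 80 ALLOW
2012-02-10T09:16:40Z ws-0007 192.0.2.77 8080 DENY
2012-02-10T09:17:03Z ws-1042 203.0.113.9 80 ALLOW
malformed line that should be skipped
"""


def parse_blocklist(text):
    """Turn a block list feed into a list of ip_network objects.

    Single addresses become /32 (or /128) networks so one membership
    test covers both plain IPs and CIDR ranges.
    """
    networks = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not entry:
            continue
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def parse_log_line(line):
    """Split one log line into its fields; return None if it does not parse."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, host, dst, port, action = parts
    try:
        dst_ip = ipaddress.ip_address(dst)
        port = int(port)
    except ValueError:
        return None
    return ts, host, dst_ip, port, action


def find_cc_contacts(log_text, networks):
    """Map each internal host to the listed destinations it tried to reach.

    A DENY is still reported: the block worked, but the host that tried
    to reach a C&C address is the one that needs investigating.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        ts, host, dst_ip, port, action = rec
        if any(dst_ip in net for net in networks):
            hits[host].append((ts, str(dst_ip), port, action))
    return dict(hits)


def rank_suspect_hosts(hits):
    """Hosts ordered by number of contacts, most active first."""
    return sorted(hits, key=lambda h: (-len(hits[h]), h))


if __name__ == "__main__":
    nets = parse_blocklist(BLOCKLIST_FEED)
    contacts = find_cc_contacts(SAMPLE_LOGS, nets)
    for host in rank_suspect_hosts(contacts):
        print(host, contacts[host])
```

The point of the `DENY` handling is the one the article makes: the block list stops the exfiltration, but the log of blocked attempts is what tells the incident responder which workstation is infected. The `any(...)` membership scan is fine for a feed of a few thousand entries; for a large feed a prefix tree or a set of exact /32 entries plus a short list of ranges would be the usual optimisation.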

Symantec researchers have seen this new ZeuS variant distributing malware like fake antivirus programs. However, they have yet to figure out how it sends the captured information back to the attackers in the absence of C&C servers.

“Analysis is still ongoing, so we are working on uncovering this part of the mystery to figure out the full picture,” Lelli said.


View full post on National Cyber Security » Computer Hacking

Trojan Exploits Known Hole in Microsoft Office (February 9, 2012)

Wow! It’s an incident handler’s Christmas morning, tools, tools, tools. Very Applicable!
-Todd Davis, Symantec


View full post on National Cyber Security

DNSChanger Trojan Still Needs to be Cleaned from Fortune 500 and US Government Systems (February 3 & 6, 2012)

Half of Fortune 500 companies and nearly half of all US federal government agencies still have the DNSChanger Trojan on their networks, according to researchers …

View full post on SANS NewsBites

View full post on National Cyber Security

New Ice IX banking Trojan enables fraudsters to hijack phone calls

New variants of the Ice IX online banking Trojan program are tricking victims into exposing their telephone account numbers so that fraudsters can divert post-transaction verification phone calls made by banks to phone numbers under their control, researchers from security vendor Trusteer warned.

Ice IX is a modified version of ZeuS, one of the most successful and sophisticated online banking Trojans to date. Like its parent, Ice IX has the ability to manipulate the content displayed in browsers used by its victims and inject rogue Web forms into online banking websites.

Telephone account numbers exposed

The rogue forms are usually used to extract online banking credentials along with other security information like secret questions/answer pairs and date of birth. However, new Ice IX configurations analysed by Trusteer researchers also display forms that ask victims for their telephone account numbers, a piece of information used by telephone companies to verify the identity of their subscribers.

“The victim is asked to update their phone numbers on record (home, mobile and work) and select the name of their service provider from a drop-down list,” Trusteer’s CTO Amit Klein said in a blog post. “In this particular attack, the three most popular phone service providers in the UK are presented: British Telecommunications, TalkTalk and Sky.”

The Trojan then asks victims to input their telephone account number under the pretext of a malfunction of the bank’s anti-fraud system with its landline phone service provider. US online banking customers are also targeted, Klein said.

Post-transaction attacks are easier to hide

Trusteer suspects that this information is used by fraudsters to access the telecom operator’s self-service centre and enable call forwarding for the victims’ phone numbers without their knowledge. However, the security company doesn’t have access to any data proving that such an attack has occurred, Klein said in an email.

The existence of dedicated caller services contracted by cybercriminals to impersonate bank customers and confirm fraudulent transactions can serve as indication that fraudsters need to have post-transaction verification phone calls forwarded to numbers of their choosing.

“Fraudsters are increasingly turning to these post-transaction attack methods to hide fraudulent activity from the victim and block email and phone communication from the bank,” Klein said. “This allows attackers to circumvent security mechanisms that look for anomalies once transactions have already been executed by the user.”


View full post on National Cyber Security » Computer Hacking
