Sunday, November 27, 2011

Hungarian hacker's phishing, data theft, blackmail and arrest

The US Department of Justice has announced the arrest of a Hungarian national who used phishing emails to break into the computers of Marriott Hotels Corporation. He stole sensitive company data and tried to blackmail Marriott into giving him a job under threat of exposing the stolen data.
He sent malicious code in phishing emails to a few hotel employees; this gave him a backdoor into the Marriott network and computers, from which he stole the company's sensitive data, including financial information.
He was arrested by the US Secret Service, which laid a trap by inviting him to a job interview and flying him from Hungary to Washington, DC.
http://www.justice.gov/opa/pr/2011/November/11-crm-1534.html

Saturday, November 26, 2011

Credit Cards of Xbox Live Users Stolen in Phishing Attacks


The Guardian, UK, reports fraudulent credit card transactions in the accounts of users of Xbox Live, Microsoft's online gaming service. Users buy Microsoft Points with their credit cards to download games from EA Sports.

Hackers con people into giving away their account details through phishing attacks. They set up official-looking websites purporting to give away free Microsoft Points, but require users to enter their information, including credit card details. It appears the hackers obtained Xbox Live user account details from EA Sports online gaming services; it is suspected that EA Sports FIFA 12 servers were compromised earlier. The users detected the fraud only when they scrutinized their credit card statements.

This is a case of hackers targeting online gaming.
http://www.guardian.co.uk/technology/2011/nov/22/xbox-live-users-phishing-attacks?intcmp=239

McAfee Threats Report - 3Q 2011

Some highlights from the McAfee Threats Report - 3Q 2011:
  • '2011 continues to be a year of change, challenge and chaos in information security'.
  • Increase in stealth malware: rootkits from the TDSS family, mobile malware targeting Android OS, spam and messaging threats.
  • Targeted spam (spear phishing) is getting more sophisticated. 'Spearphishing is in many ways the stealth malware or rootkit of spam-- designed to bypass our mental filter using evasion and well-crafted lures'.
  • Malicious iFrame infection was the no. 1 global threat.
  • Botnets are expanding globally.
  • Significant activity in cybercrime, cyberwarfare and hacktivism, with some law enforcement wins.
  • 75 million unique malware samples expected by the end of 2011.
Further details at:
http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2011.pdf
The previous quarterly reports for 2011 can also be seen at:
http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q2-2011.pdf
http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2011.pdf

-Joseph Ponnoly

Monday, November 21, 2011

Microsoft settles lawsuit against Czech hoster of Kelihos botnet

(CNET, October 26, 2011)

Microsoft had filed a lawsuit in a federal court in Virginia against Dominique Alexander Piatti, his company Dotfree Group SRO of the Czech Republic and 22 others for hosting the Kelihos botnet. The botnet was responsible for sending pharmaceutical and other spam, for harvesting e-mail addresses and passwords, for fraudulent stock scams and for promoting sites dealing in the sexual exploitation of children. Its subdomains were also used to spread the MacDefender scareware. The botnet had about 41,000 infected computers worldwide and was capable of sending 3.8 billion spam mails per day.

The controllers of the Kelihos botnet leveraged the subdomain services of Dotfree Group.

Under Microsoft's settlement with the domain owner, Piatti will delete, or transfer to Microsoft, all the subdomains used to operate the botnet. He also agreed to prevent further misuse of subdomains and to establish a secure top level domain (TLD).

Microsoft's Digital Crimes Unit has now been responsible for shutting down three botnets: Waledac, Rustock and Kelihos.

Tuesday, November 15, 2011

Blocking Port 25- Will it help to control spam emails?

According to Cisco IronPort's SenderBase Security Network, around 85% of all email is spam. However, spam volume declined during 2011 as a result of the takedown of the Rustock botnet.
http://www.usenix.org/event/hotbots07/tech/full_papers/chiang/chiang_html/

South Korea's Internet and Security Agency has asked all ISPs to block SMTP port 25 and to accept outbound email only from 'official' email servers, with the aim of blocking spam. AT&T, Comcast and Verizon already do this.
http://www.zdnet.com/blog/networking/south-korea-proposes-restricting-all-e-mail-sending-to-official-e-mail-servers/1647
Under this scheme ISPs block outbound connections on the default SMTP port, port 25, so users are forced to send email through the ISP's own mail servers.

Just blocking port 25 may not prevent spam. Botnet-infected Windows PCs are still the source of most spam, and even with port 25 blocked, the infected PCs can still send spam through SOCKS proxy servers or over the SMTPS port, port 465. The current trend is that spammers are moving from Windows PC botnets to compromised webmail accounts.
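The point above is that a port 25 block only changes which ports an infected PC spams on, so the useful detection is a host that opens many direct mail connections to many different destinations instead of going through the ISP's relay. The following is an added example, not part of the original post or of any product named here; the flow records, the relay address (203.0.113.25) and the threshold are constructed assumptions. It checks ports 465 and 587 as well as 25, so the SMTPS caveat is covered:

```python
"""Flag hosts that send mail directly (direct-to-MX) instead of via the ISP relay.

Added example; the flow records and relay address below are constructed.
"""
from collections import defaultdict

# Assumed ISP/company submission relay that legitimate mail clients should use.
ALLOWED_RELAYS = {"203.0.113.25"}
# Mail ports to watch. Checking 465/587 as well as 25 is the point: a plain
# port-25 block does not stop a bot that switches to SMTPS.
MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission"}

# Constructed flow records: (source host, destination IP, destination port).
FLOWS = [
    ("10.0.0.5", "203.0.113.25", 587),   # normal client, submits via the relay
    ("10.0.0.5", "203.0.113.25", 587),
    ("10.0.0.7", "198.51.100.10", 25),   # infected PC: direct to many MX hosts
    ("10.0.0.7", "198.51.100.11", 25),
    ("10.0.0.7", "198.51.100.12", 25),
    ("10.0.0.7", "198.51.100.13", 25),
    ("10.0.0.9", "198.51.100.20", 465),  # sidesteps a port-25 block with SMTPS
    ("10.0.0.9", "198.51.100.21", 465),
    ("10.0.0.9", "198.51.100.22", 465),
    ("10.0.0.11", "198.51.100.30", 25),  # one MX connection, below threshold
]


def summarize(flows):
    """Per source host: the set of distinct non-relay destinations per mail port."""
    per_src = defaultdict(lambda: defaultdict(set))
    for src, dst, dport in flows:
        if dport in MAIL_PORTS and dst not in ALLOWED_RELAYS:
            per_src[src][dport].add(dst)
    return per_src


def suspicious_senders(flows, min_destinations=3):
    """Return {src: {port: distinct_destination_count}} for hosts that reached
    at least min_destinations distinct non-relay hosts on any mail port."""
    findings = {}
    for src, ports in summarize(flows).items():
        hits = {p: len(d) for p, d in ports.items() if len(d) >= min_destinations}
        if hits:
            findings[src] = hits
    return findings


if __name__ == "__main__":
    for src, hits in sorted(suspicious_senders(FLOWS).items()):
        desc = ", ".join(f"{n} hosts on {p}/{MAIL_PORTS[p]}" for p, n in sorted(hits.items()))
        print(f"{src}: direct mail to {desc}")
```

Run against real flow or firewall logs, the same logic points at the infected PCs behind the spam whether or not the ISP has blocked port 25; the relay exemption keeps legitimate clients out of the report.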

-Joseph Ponnoly

Friday, November 11, 2011

The Botnet War


Tom Brewster's article of November 11, 2011 in ITPRO, titled 'The War on Botnets', gives an interesting account of the fight against botnets and the cyber underworld, detailing recent successes following collaboration between law enforcement and the security industry, along with international cooperation.
http://www.itpro.co.uk/637312/the-war-on-botnets/

The recent success in bringing down the 'DNS Changer' botnet follows a series of botnet discoveries and takedowns over eight years, since 2003. Botnet terminations have been followed by significant drops in spam, PC infections and cybercrime.

Some of the major botnets that were discovered and dismantled since 2008 are:
McColo - 2008
Mariposa (infected 13 million PCs) - 2009
Mega-D - 2009
Waledac - 2010
Bredolab - 2010
Coreflood - 2011
Rustock - March 2011
Kelihos - October 2011
DNS Changer - November 2011

Only since 2008 has there been noteworthy international cooperation to fight botnets and cybercrime.
The security industry has also collaborated in the effort. Microsoft was responsible for smashing the Waledac, Rustock and Kelihos botnets as part of Project MARS (Microsoft Active Response for Security), with the objective to 'annihilate botnets and help make the internet a safe place'.
The MARS team worked with security companies such as Kaspersky and FireEye. For Kelihos, Microsoft used Kaspersky's live botnet tracking system, and Kaspersky Lab helped to reverse-engineer the bot malware and to deal with the P2P infrastructure used by the botnet.

Legal problems and the sub domain issue are the battles still to be fought.  The sub domain issue concerns top level domains hosting thousands of subdomains that are used for malicious hosting by botnets.

-Joseph Ponnoly


Duqu Malware Detection Tool Released

Information Week of November 11, 2011 reports that a Duqu Detector Toolkit has been developed by the CrySyS Lab of the Budapest University of Technology and Economics.

The toolkit is designed to detect even dormant infections. The malware, used in highly targeted attacks, is related to Stuxnet and uses a dropper file (installer) to infect computers. The installer is a malicious Word document (.doc file).

Duqu was designed for industrial espionage and is similar to Stuxnet.

Detection techniques include signature-based and heuristic scanning to find 'traces of infections' and flag suspicious files.

Duqu exploits a zero-day vulnerability, a font parsing flaw in the TrueType engine of 32-bit Windows versions. Microsoft has issued a security advisory but has not yet released a patch.
http://support.microsoft.com/kb/2639658

Further details of the toolkit at:
http://www.crysys.hu/duqudetector.html
http://www.crysys.hu/duqudetector-files/files/manual-v1_02.txt
http://www.informationweek.com/news/security/management/231902866

-Joseph Ponnoly

eCrime Trends Report - IID

The 3Q-2011 eCrime Trends Report from IID indicates that DNS threats are emerging as a cause for concern. Though phishing attacks were down during the quarter, malware distribution and DNS exploits picked up. Zeus malware infection is an ongoing threat. During the preceding quarters of 2011, phishing attacks had been on the rise.
Microsoft took down the Kelihos botnet, with around 41,000 infected computers. Facebook and Google fought back against the originating domains of massive phishing attacks.

Further details at:
http://www.eweekeurope.co.uk/news/malware-soars-as-traditional-phishing-falters-44559
http://www.internetidentity.com/resources/trend-reports
http://www.internetidentity.com/images/stories/docs/ecrime_trends_report-q3-2011_by_iid.pdf

-Joseph Ponnoly

Wednesday, November 9, 2011

Spear Phishing / PoisonIvy backdoor trojan targeting Chemical and Defense Companies



http://www.fiercegovernmentit.com/story/nitro-hackers-target-chemical-and-defense-companies-says-symantec/2011-11-02

Symantec's report of October 31, 2011 describes a wave of spear phishing attacks targeting the chemical and defense industry segments in the US and Europe, where 20 companies have already been victimized.

The attacks are engineered through spear phishing emails with attachments containing the self-extracting PoisonIvy trojan executable.

PoisonIvy is a backdoor trojan developed by a Chinese hacker. It sets up an HTTP communication channel over port 80 to the command and control (C&C) server. The bot harvests IP addresses and cached passwords and targets intellectual property and other sensitive data.
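Because the backdoor talks to its C&C server over port 80, it blends in with ordinary web traffic, and the property that still gives it away in proxy logs is regularity: a compromised host checks in with one destination at a near-constant interval. The following is an added example written for this post, not Symantec's or anyone else's tooling; the proxy log lines, host names and thresholds are constructed. It groups connections by (client, destination, port) and flags pairs whose inter-connection interval has a low coefficient of variation:

```python
"""Find beacon-like HTTP connections in proxy logs by interval regularity.

Added example; the log lines below are constructed, not real traffic.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO time> <client ip> <destination host> <port> <bytes>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")


def constructed_log():
    """Build sample log lines: one beaconing host, one browsing host, one too-short series."""
    lines = []
    t0 = datetime(2011, 11, 2, 9, 0, 0)
    # Host A: check-ins every ~60 s (small jitter) to one destination on port 80.
    t = t0
    for gap in (0, 60, 61, 59, 60, 62, 58, 60):
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 10.1.1.20 cdn-updates.example.net 80 512")
    # Host B: irregular, human-looking browsing of one site on port 80.
    t = t0
    for gap in (0, 5, 120, 3, 900, 40, 15, 300):
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 10.1.1.21 news.example.org 80 20480")
    # Host C: regular interval, but too few connections to draw a conclusion.
    t = t0
    for gap in (0, 60, 60, 60):
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 10.1.1.22 time.example.net 80 128")
    return lines


def parse(lines):
    """Yield (timestamp, client, destination, port, bytes); skip malformed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, nbytes = m.groups()
        yield datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)


def find_beacons(lines, min_conns=6, max_cv=0.2):
    """Return {(client, destination, port): (count, mean_interval_s, cv)} for
    pairs with at least min_conns connections whose interval coefficient of
    variation (population stdev / mean) is at most max_cv."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in parse(lines):
        by_pair[(src, dst, port)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            beacons[pair] = (len(stamps), round(mean, 1), round(cv, 3))
    return beacons


if __name__ == "__main__":
    for (src, dst, port), (n, mean, cv) in find_beacons(constructed_log()).items():
        print(f"{src} -> {dst}:{port}  {n} connections, every {mean}s (cv={cv})")
```

The two knobs matter: min_conns keeps a handful of coincidentally even requests from being reported, and max_cv sets how much jitter is tolerated. Real implants add jitter on purpose, so a looser max_cv combined with a longer observation window is the usual trade-off.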

Read more on the 'Nitro Attacks' report by Symantec:
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf

Tuesday, November 8, 2011

Crimeware threats

Phil Mellinger's article in ComputerWorld (Nov 4, 2011), titled 'A Short History of Crimeware', points to the widespread proliferation of crimeware today. Crimeware is defined as 'the class of malware specifically designed to automate large-scale financial crime'. Crimeware undermines today's technologies and sets at naught the concepts of privacy, anonymity and security, surpassing an 'Orwellian world'.

Crimeware, which includes financial malware, stealth malware and banking trojans, traces its origins to 2003 and defeats the traditional internet defenses of SSL encryption, anti-virus and two-factor authentication. Attack tools such as Zeus and SpyEye collect highly sensitive authentication and financial data; online banking accounts are especially targeted. Variants of the crimeware are easily created and propagated to infect PCs.

Crimeware Technologies:
Crimeware relies on botnet controllers, sophisticated trojans and data collection technologies.
Some of the major advances since 2003 are:
1. Form grabbing within IE browsers, leading to the harvesting of banking credentials. This led the FFIEC in 2005 to recommend two-factor authentication for online bank accounts. Form grabbing is an advance over keystroke logging as a way to steal credentials.
2. Stealth, anti-detection and anti-forensics technologies, preventing detection by signature-based anti-virus or behavior-based (IDS/IPS) techniques.
3. Web injects (man-in-the-browser) for PCs running IE/Windows, defeating two-factor authentication: they let criminals take over authenticated connections within compromised PCs, subverting key-entry based authentication and giving the crimeware control of the user's connection to the bank.
4. Crimeware expanding to other browsers and operating systems (Chrome, Firefox, Opera, Safari and Apple OS X).
5. Source code availability for Zeus and SpyEye.
6. Disabling or circumventing anti-crimeware, i.e. disabling anti-malware products.
7. Mobile device support (man-in-the-mobile), subverting the mobile devices banks use to validate online banking transactions with customers. Man-in-the-mobile attacks covertly validate the transaction without the user's awareness.
8. Anti-removal, or persistence.

It is all a question of trust in cyberspace.
As Phil Mellinger says, 'crimeware is devastating our security, our privacy and our anonymity. It has jumped across browsers, operating systems, and even devices, to endanger current technologies.' He says that we are entering a new phase of security.


Further details at:
http://www.computerworld.com/s/article/9221499/A_short_history_of_crimeware

-Joseph Ponnoly


Wednesday, November 2, 2011

Zero day malware cleaning with Sysinternals Tools


Mark Russinovich's presentation at BlackHat 2011:
Zeroday Malware Cleaning with Sysinternals Tools
http://download.sysinternals.com/Files/SysinternalsMalwareCleaning.pdf
Some of the highlights/points:

1. Identifying malware processes
Process Explorer v15 is used for identifying malware processes, viewing network and disk activity, sorting the process tree, showing Svchost and service thread information, and for malware cleaning.

Malware processes usually have no version information.
Malware commonly uses packing and encryption to defeat anti-virus signature matching.
Malware often hides behind Svchost, Rundll32 (hosted DLL) and Dllhost (hosted COM server).
The Services tab and Process tabs give detailed information on services and processes.
Sigcheck can be used to scan the system for suspicious executable images.
ListDlls will scan running processes for unsigned DLLs.
The Strings tab shows the strings in a process image, which can provide clues about unknown processes.
The Strings utility can be used to dump strings.

Malware hides as a DLL inside a legitimate process (Rundll32, Svchost), loading via an autostart or through 'DLL injection'.
The DLL view shows more than just loaded DLLs: it also includes the .exe and 'memory mapped files'.


2. Terminating Malicious Processes:
Don't kill the malicious process; suspend it instead.
Record the full path to each malicious exe and dll.

3. Cleaning Autostarts
Start - Run - Msconfig
Autoruns:
Identify malware autostarts.

The presentation also works through a case study, the case of his son's adware infection.
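The heuristics listed above (no version information, unsigned image, a Svchost that was not started by services.exe, a host process carrying an unsigned DLL, telling strings in the image) are what a triage pass applies to the output of Process Explorer, Sigcheck, ListDlls and Strings. The following is an added example, not code from the presentation or from Sysinternals; the process inventory is constructed by hand to stand in for what those tools would report, and the expected-parent table and directory list are assumptions:

```python
"""Triage a process inventory with the Sysinternals-style heuristics from the talk.

Added example; the INVENTORY below is constructed, not output of any real tool.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    """One running process, as Process Explorer / Sigcheck / ListDlls would describe it."""
    pid: int
    name: str
    path: str
    parent: str
    signed: bool              # Sigcheck result for the image
    has_version_info: bool    # Process Explorer's Description/Company columns populated
    dlls: list = field(default_factory=list)     # (dll path, signed?) from ListDlls
    strings: list = field(default_factory=list)  # strings dumped from the image


# Processes that commonly host other code, with the parent they are expected to
# have (None where the parent varies too much to be a useful check). Assumption.
HOST_PROCESSES = {"svchost.exe": "services.exe", "rundll32.exe": None, "dllhost.exe": None}
# Directories a real system binary should not be running from. Assumption.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
URL_OR_IP = re.compile(r"https?://|\b\d{1,3}(?:\.\d{1,3}){3}\b", re.IGNORECASE)


def triage(procs):
    """Return {pid: [reasons]} for every process that trips at least one heuristic."""
    findings = {}
    for p in procs:
        reasons = []
        name, path = p.name.lower(), p.path.lower()
        if not p.signed:
            reasons.append("image is not signed")
        if not p.has_version_info:
            reasons.append("image has no version information")
        if any(d in path for d in USER_WRITABLE):
            reasons.append("image runs from a user-writable directory")
        expected = HOST_PROCESSES.get(name)
        if expected and p.parent.lower() != expected:
            reasons.append(f"{p.name} started by {p.parent} instead of {expected}")
        bad_dlls = [d for d, ok in p.dlls if not ok]
        if name in HOST_PROCESSES and bad_dlls:
            reasons.append("hosts unsigned DLL(s): " + ", ".join(bad_dlls))
        # Strings are supporting evidence only: browsers legitimately contain URLs,
        # so network indicators are reported only when another heuristic fired.
        clues = [s for s in p.strings if URL_OR_IP.search(s)]
        if reasons and clues:
            reasons.append("strings contain network indicators: " + ", ".join(clues))
        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed inventory: one real svchost, one fake svchost in a temp directory,
# one rundll32 hosting an unsigned DLL, and an ordinary signed program.
INVENTORY = [
    Proc(1, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe", True, True,
         [(r"C:\Windows\System32\ntdll.dll", True)]),
    Proc(2, "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "explorer.exe",
         False, False, [], ["http://gate.c2-placeholder.test/in.php", "GetAsyncKeyState"]),
    Proc(3, "rundll32.exe", r"C:\Windows\System32\rundll32.exe", "explorer.exe", True, True,
         [(r"C:\Windows\System32\shell32.dll", True), (r"C:\ProgramData\tmp\upd.dll", False)]),
    Proc(4, "notepad.exe", r"C:\Windows\System32\notepad.exe", "explorer.exe", True, True,
         [(r"C:\Windows\System32\ntdll.dll", True)]),
]

if __name__ == "__main__":
    for pid, reasons in triage(INVENTORY).items():
        print(f"PID {pid}:")
        for r in reasons:
            print(f"  - {r}")
```

The rundll32 case is the one the talk warns about: the host process itself is a signed Microsoft binary with proper version information, so only the ListDlls check on what it has loaded exposes it. Following the talk's advice, a hit here means suspend the process and record the full paths before touching anything.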

Monday, October 31, 2011

760 large companies hacked!


Source: CNN Money, 28 October 2011
A command and control server of a botnet that was breached was found to be controlling the computers of 760 companies (including 20 of the Fortune 100 companies)!
For further details:
http://money.cnn.com/2011/10/27/technology/rsa_hack_widespread/

Saturday, October 29, 2011

Phishing Activity Trends Report 2H 2010 - APWG




http://www.antiphishing.org/reports/apwg_report_h2_2010.pdf
Major highlights of APWG's Phishing Activity Trends Report for the 2nd half of 2010 are listed below:

Financial Services is the most targeted industry sector, followed by Payment Services.

Crimeware, or data-stealing malicious code, is designed to collect information on the end user in order to steal credentials. Phishing-based keyloggers have tracking components that monitor specific actions and specific organizations to target specific information.

Data-stealing and generic trojans contain code designed to send information from the infected machine, control it and open backdoors on it. According to Websense, downloaders are used to fetch the trojans from phishing websites.

During 2H 2010, Panda Labs registered 10.4 million new malware samples, making a total collection of 60 million. 55% of the new samples registered are trojans, the favorite weapon used by cybercriminals to infect computers. The most infected countries are Thailand (67%), China (63%), Taiwan (60%), Latvia (56%), Saudi Arabia (55%), Russian Federation (54%) and Israel (53%).

The report mentions that 'cybercriminals constantly obfuscate and re-use the same samples over and over, employing polymorphism-- server-side or binary side-- subsequently increasing numbers of variants recorded'.

Rogue anti-malware programs (from a few crimeware families such as SystemGuard2009, Malware Doctor, MS AntiSpyware2009, Antimalware Doctor, Security Essentials 2010, Privacy Center etc.) have also caused computer infections.

The USA hosts 84% of the phishing websites that host malicious code (phishing-based keyloggers or trojan downloaders). In the 3rd quarter of 2010, Sweden had topped the list of countries hosting phishing websites.

The report does not discuss the role of botnets in phishing.


Safe Browsing API for applications and browsers from Google


The Safe Browsing API is a service provided by Google that lets applications check URLs against the lists of suspected phishing and malware pages maintained by Google.

The Safe Browsing API is a client-side URL lookup for applications.

The protocol is used by the Google Chrome and Mozilla Firefox browsers.
http://code.google.com/apis/safebrowsing/

Friday, October 28, 2011

MBR Rootkits

Malware (rootkits) that takes control of the Master Boot Record (MBR) to gain kernel-level privileges and control of the system is on the increase:
http://forensicmethods.com/mbr-malware

Protection Against Phishing and Pharming- WhitePaper

Here is a white paper on 'protection against phishing and pharming' (2009) published by EasySolutions.
http://www.apwg.org/sponsors_technical_papers/easysol_wp_phishing_pharming.pdf

It is aimed at the end user (the weakest link) to create better awareness of the attackers' modus operandi. The scenarios described pertain to 2008.

The DetectSafe Browsing solution is proposed for secure browsing.

Thursday, October 20, 2011

Runtime Malware Forensics and Malware Clustering


Defcon 18 presentation by Jeremy Chiu, Benson Wu and Wayne Huang on
Runtime Malware Forensics and Automated Malware Clustering for detection of known and unknown Zeus variants:
http://www.youtube.com/watch?NR=1&v=Y2IJFonuSaE

Drive-by Cache Attack using Adobe Flash 0 day exploit

The drive-by cache attack is a variation of the drive-by download attack.
Here is a detailed account of the attack using an Adobe Flash zero-day exploit:
http://blog.armorize.com/2011/04/newest-adobe-flash-0-day-used-in-new.html

-Joseph Ponnoly

Wednesday, September 14, 2011

Phishing Infrastructure & Modus Operandi

A study of phishing domains and phishing infrastructure. Phishing websites are short-lived, lasting from 55 minutes to 3 days.
http://www.usenix.org/events/leet08/tech/full_papers/mcgrath/mcgrath_html/

Pharming Attack on Brazilian Banks

RSA Report June 2011:
"A typical local pharming Trojan consists of standard malware strains that modify a victim's hosts file or intercept a machine's IP-resolution process. By changing the hosts file of a computer, specifically the IP address associated with a website, the victim is redirected to a phishing website set up to capture specific information, such as online banking credentials, which are then sent to the criminal."

Read more:
http://www.rsa.com/solutions/consumer_authentication/intelreport/11439_Online_Fraud_report_0611.pdf
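Since the local pharming trojan described in the RSA quote works by rewriting the hosts file, the corresponding check on a suspect machine is to parse that file and look for bank names pinned to an address, which a legitimate hosts file never needs. The following is an added example, not from the RSA report; the watchlist, the sample hosts file and the choice of which address ranges count as internal are constructed assumptions. It handles comments, tabs, IPv6 and several hostnames on one line:

```python
"""Check a hosts file for pharming-style entries.

Added example; WATCHLIST and SAMPLE_HOSTS are constructed for illustration.
"""
import ipaddress

# Assumed watchlist: domains (and their subdomains) that should never be pinned
# in a hosts file because the bank's own DNS must be authoritative for them.
WATCHLIST = {"bank.example", "pay.example"}

# Address ranges that are normal in a hosts file: RFC 1918 and IPv6 ULA, plus
# loopback, link-local and unspecified, which are tested by attribute below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_internal(ip):
    return (ip.is_loopback or ip.is_link_local or ip.is_unspecified
            or any(ip in net for net in INTERNAL_NETS))


def parse_hosts(text):
    """Yield (ip, hostname, line_number) for every mapping in a hosts file.
    Handles '#' comments, tabs, and several hostnames on one line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address, skip the malformed line
        for host in parts[1:]:
            yield ip, host.lower().rstrip("."), n


def on_watchlist(host):
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def check_hosts(text):
    """Return [(line_number, severity, hostname, ip)] findings.
    'high': a watchlisted domain is pinned (to any address).
    'medium': some other name is pinned to a non-internal address."""
    findings = []
    for ip, host, n in parse_hosts(text):
        if on_watchlist(host):
            findings.append((n, "high", host, str(ip)))
        elif not is_internal(ip):
            findings.append((n, "medium", host, str(ip)))
    return findings


# Constructed sample. The 198.51.100/24 and 203.0.113/24 addresses are
# documentation ranges standing in for attacker-controlled public servers.
SAMPLE_HOSTS = """\
# constructed hosts file for the example
127.0.0.1       localhost
::1             localhost ip6-localhost
10.0.0.4        intranet.corp.example      # private address, normal
198.51.100.77   www.bank.example login.bank.example
203.0.113.9     update.example.org
"""

if __name__ == "__main__":
    for n, severity, host, ip in check_hosts(SAMPLE_HOSTS):
        print(f"line {n}: [{severity}] {host} -> {ip}")
```

On Windows the file to feed in is %SystemRoot%\System32\drivers\etc\hosts, on Unix-like systems /etc/hosts. The 'medium' class deliberately catches names that are not on the watchlist, since an entry pointing a software update host at an outside address is the other thing such trojans do.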

RSA Online Fraud Report, Feb 2010


"Online crime is constantly evolving and fraudsters do not discriminate against any organization or person. Online attacks involving phishing, pharming and Trojans represent one of the most organized and sophisticated technological crime waves worldwide. Online criminals work day and night to steal identities, online credentials, credit card information, or any other information that they can efficiently monetize. They target organizations in all sectors, as well as any person who uses the Internet at work or at home.

These online criminals also have new tools at their disposal and are able to adapt more quickly than ever with advanced crimeware; rapidly deployed using stealth mechanisms. Their supply chains have evolved to match that of the legitimate business world, including the ability to provide what RSA coined "Fraud-as-a-Service"."
- RSA Online Fraud Report, Feb 2010
http://www.rsa.com/solutions/consumer_authentication/intelreport/10763_Online_Fraud_report_0210.pdf

Thursday, September 8, 2011

Phishing Techniques

The Honeynet Project has captured data on three different types of phishing techniques:
1. Compromising web servers
2. Port redirection
3. Using botnets
Details at:
http://www.honeynet.org/node/89

Monday, September 5, 2011

Simple Shellcode Obfuscation

http://funoverip.net/2011/09/simple-shellcode-obfuscation/

Gives practical information on how shellcode can be obfuscated using Perl scripts to evade anti-virus and IDS detection.
The deobfuscation technique is also explained.
Obfuscated code has to be deobfuscated at run time, and this happens automatically when the code runs. The deobfuscation stub, in assembly language, is given.

Thus realtime analysis of run-time code will indicate the real behavior of the shellcode.

-Joseph Ponnoly



Saturday, September 3, 2011

Phishing Activity Trends - 2 H 2010

The Anti-Phishing Working Group's report on phishing activity trends for the 2nd half of 2010 is linked below:
http://www.antiphishing.org/reports/apwg_report_h2_2010.pdf

-Joseph Ponnoly

Banking Scam Revealed- Symantec


The link below gives a detailed account of Symantec's analysis of a phishing email scam involving Citibank:
http://www.symantec.com/connect/articles/banking-scam-revealed

-Joseph Ponnoly

Phishing Threats

Computer users receive emails, apparently from their banks or friends, asking them to update their personal information by clicking on links provided in the mail. They take it for granted that these are genuine mails and in good faith click on the links. The phishers, who are organized criminals, redirect the users to malicious websites and harvest their personal information. The users ultimately fall victim to identity theft, financial fraud and even more serious crimes leading to blackmail, murder, and so on.

Phishing attacks engineered by criminals through the medium of phishing emails ultimately lead to a loss of consumer confidence in online transactions, including financial transactions and social interactions through Facebook and other social networking sites.

This is an attempt to survey the phishing threat landscape, to identify the criminal groups and their modus operandi and to understand the impact of phishing on online users.

-Joseph Ponnoly