Sunday, November 27, 2011

Hungarian hacker's phishing, data theft, blackmail and arrest

The US Department of Justice announced the arrest of a Hungarian national who used phishing e-mails to break into the computers of Marriott Hotels Corporation. He stole sensitive company data and blackmailed Marriott into giving him a job under threat of exposing the data.
He sent malicious code in phishing e-mails to a few hotel employees, which gave him backdoor access to the Marriott network and computers, from which he stole the company's sensitive data, including financial information.
He was arrested by the US Secret Service, which laid a trap by inviting him to a job interview and flying him from Hungary to Washington, DC.
http://www.justice.gov/opa/pr/2011/November/11-crm-1534.html

Saturday, November 26, 2011

Credit Cards of Xbox Live Users Stolen in Phishing Attacks


The Guardian, UK, reports on fraudulent credit card transactions in the accounts of users of Xbox Live, Microsoft's online gaming service. Users buy Microsoft Points with their credit cards to download games from EA Sports.

Hackers con people into giving away their account details through phishing attacks. They set up official-looking websites purporting to give away free Microsoft Points, but insist that users provide their details, including credit card information. It appears the hackers obtained Xbox Live user account details from EA Sports online gaming services; it is suspected that EA Sports FIFA 12 servers were compromised earlier. The users detected the fraud when they scrutinized their credit card statements.

This is a case of hackers targeting online gaming.
http://www.guardian.co.uk/technology/2011/nov/22/xbox-live-users-phishing-attacks?intcmp=239

McAfee Threats Report - 3Q 2011

Some highlights from the McAfee Threats Report - 3Q 2011:
  • '2011 continues to be a year of change, challenge and chaos in information security'.
  • Increase in stealth malware: rootkits from the TDSS family, mobile malware targeting Android OS, and spam and messaging threats.
  • Targeted spam (spear phishing) is getting sophisticated. 'Spearphishing is in many ways the stealth malware or rootkit of spam -- designed to bypass our mental filter using evasion and well-crafted lures'.
  • Malicious iFrame infection was the no. 1 global threat.
  • Botnets are expanding globally.
  • Significant activity in cybercrime, cyberwarfare and hacktivism, with some law enforcement wins.
  • 75 million unique malware samples expected by the end of 2011.
Further details at:
http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2011.pdf
The previous quarterly reports for 2011 can also be seen at:
http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q2-2011.pdf
http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2011.pdf

-Joseph Ponnoly

Monday, November 21, 2011

Microsoft settles lawsuit against Czech hoster of Kelihos botnet

(CNET, October 26, 2011)

Microsoft had filed a lawsuit in a federal court in Virginia against Dominique Alexander Piatti, his company Dotfree Group SRO of the Czech Republic and 22 others for hosting the Kelihos botnet. The botnet was responsible for sending pharmaceutical and other spam mails, for harvesting e-mail addresses and passwords, for fraudulent stock scams and for promoting sites dealing with the sexual exploitation of children. Subdomains were also used to spread the MacDefender scareware. The botnet had about 41,000 infected computers worldwide and was capable of sending 3.8 billion spam mails per day.

The controllers of the Kelihos botnet leveraged the subdomain services of Dotfree Group.

In Microsoft's settlement with the domain owner, Piatti will delete or transfer to Microsoft all the subdomains used to operate the botnet. The parties agreed to prevent misuse of subdomains and to establish a secure top-level domain (TLD).

Microsoft's Digital Crimes Unit has been responsible for shutting down three botnets: Waledac, Rustock and Kelihos.

Tuesday, November 15, 2011

Blocking Port 25- Will it help to control spam emails?

According to the Cisco IronPort SenderBase Security Network, around 85% of all e-mail is spam. However, spam volumes declined during 2011 as a result of the takedown of the Rustock botnet.
http://www.usenix.org/event/hotbots07/tech/full_papers/chiang/chiang_html/

South Korea's Internet and Security Agency has asked all ISPs to block SMTP port 25 and to allow e-mail only from 'official' e-mail servers, with the aim of blocking spam. AT&T, Comcast and Verizon already do this.
http://www.zdnet.com/blog/networking/south-korea-proposes-restricting-all-e-mail-sending-to-official-e-mail-servers/1647
ISPs would block outbound traffic on port 25, the default SMTP port. Users would then be forced to send e-mail through the ISP's mail servers.

Just blocking port 25 may not prevent spam. Botnet-infected Windows PCs are still the source of most spam. Even if SMTP port 25 is blocked, the infected PCs could still send spam through SOCKS proxy servers or over the secure SMTP port, port 465. The current trend is that spammers are moving from Windows PC botnets to compromised webmail accounts.

-Joseph Ponnoly

Friday, November 11, 2011

The Botnet War


Tom Brewster's article of November 11, 2011 in ITPRO titled 'The War on Botnets' gives an interesting account of the fight against botnets and  the cyber underworld,  detailing recent successes following collaboration between law enforcement and the security industry, along with international cooperation.
http://www.itpro.co.uk/637312/the-war-on-botnets/

The recent success in bringing down the 'DNS Changer' botnet follows a series of botnet discoveries and dismantlings over eight years, since 2003. Botnet takedowns have been followed by significant drops in spam, PC infections and cybercrime.

Some of the major botnets that were discovered and dismantled since 2008 are:
McColo - 2008
Mariposa (infected 13 million PCs) - 2009
Mega-D - 2009
Waledac - 2010
Bredolab - 2010
Coreflood - 2011
Rustock - March 2011
Kelihos - October 2011
DNS Changer - November 2011

Only since 2008 has there been noteworthy international cooperation to fight botnets and cybercrime.
The security industry has also collaborated in these efforts. Microsoft was responsible for smashing the Waledac, Rustock and Kelihos botnets as part of Project MARS (Microsoft Active Response for Security), with the objective to 'annihilate botnets and help make the internet a safe place'.
The MARS team worked with security companies such as Kaspersky and FireEye. For Kelihos, Microsoft used Kaspersky's live botnet tracking system, and Kaspersky Labs helped to reverse-engineer the bot malware and to deal with the P2P infrastructure used by the botnet.

Legal problems and the subdomain issue are the battles still to be fought. The subdomain issue concerns top-level domains hosting thousands of subdomains that botnets use for malicious hosting.

-Joseph Ponnoly


Duqu Malware Detection Tool Released

Information Week of November 11, 2011 reports that a Duqu Detector Toolkit has been developed by the CrySyS Lab of the Budapest University of Technology and Economics.

The toolkit is designed to detect even dormant infections. The malware, used in highly targeted attacks, is related to Stuxnet and has a dropper file (installer) to infect computers. The installer is a malicious Word document (.doc file).

Duqu malware was designed for industrial espionage, and is similar to Stuxnet.

Detection techniques include signature-based and heuristics-based scanning to find 'traces of infections' and to flag suspicious files.

Duqu exploits a zero-day vulnerability in the TrueType font parsing engine of 32-bit Windows versions. Microsoft has issued a security alert but has yet to issue a patch.
http://support.microsoft.com/kb/2639658

Further details of the toolkit at:
http://www.crysys.hu/duqudetector.html
http://www.crysys.hu/duqudetector-files/files/manual-v1_02.txt
http://www.informationweek.com/news/security/management/231902866

-Joseph Ponnoly

eCrime Trends Report - IID

The 3Q 2011 eCrime Trends Report from IID indicates that DNS threats are emerging as a cause for concern. Though phishing attacks were down during the quarter, malware distribution and DNS exploits picked up. Zeus malware infection is an ongoing threat. During the preceding quarters of 2011, phishing attacks had been on the rise.
Microsoft took down the Kelihos botnet, with around 41,000 infected computers. Facebook and Google fought back against the domains originating massive phishing attacks.

Further details at:
http://www.eweekeurope.co.uk/news/malware-soars-as-traditional-phishing-falters-44559
http://www.internetidentity.com/resources/trend-reports
http://www.internetidentity.com/images/stories/docs/ecrime_trends_report-q3-2011_by_iid.pdf

-Joseph Ponnoly

Wednesday, November 9, 2011

Spear Phishing / PoisonIvy backdoor trojan targeting Chemical and Defense Companies

http://www.fiercegovernmentit.com/story/nitro-hackers-target-chemical-and-defense-companies-says-symantec/2011-11-02

A Symantec report of October 31, 2011 describes a wave of spear phishing attacks targeting the chemical and defense industry segments in the US and Europe, where 20 companies have already been victimized.

The attacks are engineered through spear phishing e-mails with attachments containing a self-extracting PoisonIvy trojan executable.

PoisonIvy is a backdoor trojan developed by a Chinese hacker. It sets up an HTTP communication channel over port 80 with the command-and-control (C&C) server. The bot harvests IP addresses and cached passwords and targets intellectual property and other sensitive data.

Read more on the 'Nitro Attacks' report by Symantec:
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf

Tuesday, November 8, 2011

Crimeware threats

Phil Mellinger's article in ComputerWorld (Nov 4, 2011) titled 'A Short History of Crimeware' points to the widespread proliferation of crimeware today. Crimeware is defined as 'the class of malware specifically designed to automate large-scale financial crime'. Crimeware undermines today's technologies and sets at naught the concepts of privacy, anonymity and security, surpassing an 'Orwellian world'.

Crimeware, which includes financial malware, stealth malware and banking trojans, traces its origins to 2003 and defeats traditional internet defenses such as SSL encryption, anti-virus and two-factor authentication. Attack tools such as Zeus and SpyEye collect highly sensitive authentication and financial data. Online banking accounts are especially targeted. Variants of the crimeware are easily created and propagated to infect PCs.

Crimeware technologies:
Crimeware relies on botnet controllers, sophisticated trojans and data collection technologies.
Some of the major advances since 2003 are listed:
1. Form grabbing within IE browsers, leading to the harvesting of banking credentials. This led the FFIEC in 2005 to recommend two-factor authentication for online bank accounts. Form grabbing is an advance over keystroke logging techniques for stealing credentials.
2. Stealth, anti-detection and anti-forensics technologies, preventing detection by signature-based anti-virus or behavior-based (IDS/IPS) techniques.
3. Web injects (man-in-the-browser) for PCs running IE/Windows, defeating two-factor authentication, enabling criminals to take over authenticated connections within compromised PCs, subverting key-entry based authentication techniques and enabling crimeware to control the user's connection to the bank.
4. Crimeware expanding to other browsers and operating systems (Chrome, Firefox, Opera, Safari and Apple OS X).
5. Source code availability for Zeus and SpyEye.
6. Disabling or circumventing anti-crimeware, including disabling anti-malware products.
7. Mobile device support (man-in-the-mobile), subverting the mobile devices banks use to validate online banking transactions with customers. Man-in-the-mobile attacks covertly validate the transaction without the user's awareness.
8. Anti-removal or persistence.

It is all a question of trust in cyberspace.
As Phil Mellinger says, 'crimeware is devastating our security, our privacy and our anonymity. It has jumped across browsers, operating systems, and even devices, to endanger current technologies.' He says that we are entering a new phase of security.


Further details at:
http://www.computerworld.com/s/article/9221499/A_short_history_of_crimeware

-Joseph Ponnoly


Wednesday, November 2, 2011

Zero-day malware cleaning with Sysinternals Tools


Mark Russinovich's presentation at BlackHat 2011:
Zeroday Malware Cleaning with Sysinternals Tools
http://download.sysinternals.com/Files/SysinternalsMalwareCleaning.pdf
Some of the highlights/points:

1. Identifying malware processes
Process Explorer v15 is used to identify malware processes, to view network and disk activity, to sort the process tree, to show Svchost and service thread information, and for malware cleaning.

Malware processes have no version information.
Malware commonly uses packing and encryption to defeat antivirus signature matching.
Malware often hides behind Svchost, Rundll32 (hosted DLL) and Dllhost (hosted COM server).
The Services and Process tabs give detailed information on services and processes.
Sigcheck can be used to scan the system for suspicious executable images.
ListDlls will scan running processes for unsigned DLLs.
The Strings tab shows the process's strings, which can provide clues about unknown processes.
The Strings utility can be used to dump strings.

Malware hides as a DLL inside a legitimate process (Rundll32, Svchost), loading via an autostart or through 'DLL injection'.
The DLL view shows more than just loaded DLLs; it includes .exe files and memory-mapped files.
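The checks above (no version resource, unsigned image, unsigned loaded DLLs, code hosted in Svchost/Rundll32/Dllhost) can be scripted as a first triage pass. The following PowerShell is an added example, not code from Russinovich's presentation or from Sysinternals; it assumes Windows with PowerShell 5.1 or later and an elevated prompt so that most process images are readable.

```powershell
# Added example: a triage pass over running processes that applies three of the
# checks listed above and ranks processes by how many of them fire.
# Assumes Windows, PowerShell 5.1+, elevated prompt (access to most image paths).

function Get-ProcessTriageReport {
    $report = foreach ($p in Get-Process) {
        $path = $p.Path
        if (-not $path) { continue }   # System/protected processes expose no image path

        try {
            # Check 1: legitimate software almost always carries a version resource.
            $vi = $p.MainModule.FileVersionInfo
            $noVersion = [string]::IsNullOrWhiteSpace($vi.FileVersion) -and
                         [string]::IsNullOrWhiteSpace($vi.CompanyName)

            # Check 2: Authenticode signature of the image (what Sigcheck reports).
            $unsignedImage = (Get-AuthenticodeSignature -FilePath $path).Status -ne 'Valid'

            # Check 3: unsigned DLLs loaded into the process (what ListDlls -u reports).
            $unsignedDlls = @($p.Modules |
                Where-Object { $_.FileName -like '*.dll' } |
                Where-Object { (Get-AuthenticodeSignature -FilePath $_.FileName).Status -ne 'Valid' } |
                Select-Object -ExpandProperty FileName)
        } catch {
            continue   # access denied or 32/64-bit mismatch: skip rather than misreport
        }

        # Hosts of foreign code are flagged so their DLL view is checked even when the host image is clean.
        $isHost = $p.ProcessName -in @('svchost', 'rundll32', 'dllhost')

        [pscustomobject]@{
            Pid           = $p.Id
            Name          = $p.ProcessName
            Path          = $path
            NoVersionInfo = $noVersion
            UnsignedImage = $unsignedImage
            UnsignedDlls  = $unsignedDlls.Count
            HostedCode    = $isHost
            Score         = [int]$noVersion + [int]$unsignedImage + [int]($unsignedDlls.Count -gt 0)
        }
    }
    $report | Sort-Object Score -Descending
}

# Show only processes with at least one finding or a hosting role; the Path column is what step 2 says to record.
Get-ProcessTriageReport | Where-Object { $_.Score -gt 0 -or $_.HostedCode } | Format-Table -AutoSize
```

Unsigned third-party DLLs are common on ordinary systems, so the score is a prioritisation for manual review in Process Explorer, not a verdict.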


2. Terminating malicious processes
Don't kill the malicious process; suspend it instead.
Record the full path to each malicious .exe and .dll.

3. Cleaning autostarts
Start - Run - msconfig
Autoruns:
Identify malware autostarts.

The presentation also walks through a case study, the case of the son's adware.