CyberInsecure.com

Archive for the ‘Targeted Attacks’ Category

Security researchers from antivirus vendor Trend Micro have identified a variant of the infamous ZeuS computer trojan, which targets large banks located in Italy, Germany, France and the United Kingdom. The command and control server has been tracked down to a server in Serbia previously used in other cyber-criminal activities.

According to Trend Micro, amongst the targeted financial institutions are Banca di Roma (Bank of Rome), a subsidiary of UniCredit Group, which dominates the Central and Eastern European markets; Abbey National, the UK bank recently rebranded to Santander after its parent, Grupo Santander, one of the largest banking groups in the world; HSBC, the world’s leading banking group with a very strong presence in Europe; Crédit Mutuel, a major French retail bank; and the FIDUCIA Group, Germany’s top provider of IT services for credit unions and other financial organizations.

“At this point, we do have the data that show that these banks are indeed being currently targeted. We are including some names of the banks here to make people aware,” commented Ivan Macalintal, advanced threat researcher with the antivirus vendor.

Computers infected with this ZeuS variant, detected as TROJ_ZBOT.BYP by Trend Micro, contact two domain names hosted on a Serbian server. According to the security company, this server is known to have hosted domain names used in scareware distribution or spam campaigns in the past.

ZeuS, also known as Zbot, is one of the biggest malware threats currently circulating on the Internet. There are hundreds of ZeuS variants in the wild at any given time, because the trojan client is highly customizable and is being generated with a crimeware toolkit sold to cybercrooks on the underground market.

Zbot is capable of stealing login credentials for a wide array of account types, from social networking to webmail and FTP. However, by far the most targeted information is credit card details inputted into Web forms and online banking passwords.

The latest iteration of the crimeware platform can cost as much as $4,000, but it can also be extended through a series of independently developed and sold modules. Such add-ons are available for prices between $500 and $10,000, depending on their functionality.

Credit: Softpedia.com News

The prolific Pushdo spam botnet has found a new way to penetrate Microsoft’s Live.com by exploiting weaknesses in the audio captchas designed to prevent automated scripts from accessing the popular email service.

A new version of the bot causes infected PCs to pull down Live.com audio captchas and return the correct response within 10 seconds, according to a researcher at anti-virus firm Webroot. The attack allows the zombi machines to send email through accounts with a Live.com address, which are whitelisted by many spam filters. The technique offers spammers an alternative to sending spam through open mail relays, which are often blacklisted.

“In one seven minute test period where I permitted the bot to operate freely, the bot demonstrated [a] remarkable capability to bypass the audio captchas,” Webroot researcher Andrew Brandt wrote Monday Morning. “In most cases, it was able to submit the correct answer within two tries, though in one instance, the bot tried six times before it could proceed, and once it gave the correct answer the first time.”

The attack is the latest to target captchas, the puzzles that websites use to ensure that email and forms are completed by humans rather than automated scripts. Captchas require a person to recognize a series of distorted characters that are hard for computers to read using optical character recognition programs. Audio captchas, which are available in event the user is visually impaired, work in much the same way except that characters are verbally recited amid background static and other noise.

Over the past few years, cybercrooks have used devised attacks on captchas protecting Google, Live.com, sites selling concert tickets and various other web properties. Web masters usually respond by tweaking the puzzles, forcing attackers to find new bypass techniques.

Webroot’s Brandt said it’s the first time he’s heard of an audio captcha being targeted. It remains unclear if the attackers are sending the WAV files to sweat shops where humans then decode the audio puzzles, or if the technique works with the help of speech recognition software.

Once the captcha is solved, the botnet uses a Live.com email address to send spam with a variety of come-ons written with poor English grammar and usage. Our favorite one was “Mamma mia! your grandmother is doing so strange things here! Look at these delineations!”

The spam includes a link to a Yahoo Groups page that uses offers for free porn to coax people into giving up financial information.

A botnet primarily used to spend spam, Pushdo goes by several other names, including Cutwail, Diehard, and Rabbit. Some of the IP addresses used by the audio-captcha buster have been used in the past by the Russian Business Network.

Credit: The Register

Ubisoft has confirmed its rights management servers were hit by a fierce DDoS attack over the weekend that left some customers unable to play its games for much of Sunday.

The attack is an apparent protest at controversial new DRM controls by the video game publisher which mean customers have to be online in order to play its latest PC games such as Assassin’s Creed II and Silent Hunter 5.

The introduction of so-called Online Services Platform technology last month means it’s impossible to play a game without an internet connection or save progress while playing a game if an internet connection is lost. The controls, designed to combat piracy, have sparked much negative comment in the gamer community and apparently inspired action by hacktivists over the weekend that curtailed gameplay for some.

“Apologies to anyone who couldn’t play ACII or SH5 yesterday,” Ubisoft said in a post. to its official Twitter account on Monday. “Servers were attacked which limited service from 2:30pm to 9pm Paris time.”

“95 per cent of players were not affected, but a small group of players attempting to open a game session did receive denial of service errors,” it added in a later update.

Meanwhile Ubisoft’s much criticised controls have been broken by software hackers. A hacker group called Skid-Row managed to bypass DRM restrictions on Silent Hunter 5 less than 24 hours after the game was published.

Credit: The Register

The perpetrators of a ticket fraud operation that made use of a botnet to subvert protection mechanisms enforced by ticket vendors were indicted earlier this week. The dedicated network of computers spread across the U.S. ran software that impersonated legit buyers and solved CAPTCHA tests.

It’s a well known fact that in order to ensure a fair distribution of tickets to the public, online ticket vendors enforced restrictions such as limiting the number of seats a single individual could obtain. In addition, to make sure that only real humans are able to acquire tickets, the order forms are usually accompanied by CAPTCHA challenges.

The indictment filed in Newark, New Jersey, names Kenneth Lowson, Kristofer Kirsch, Joel Stevenson and Faisal Nahdi as defendants. They operated through several companies and are collectively referred to as the “Wiseguys,” after Wiseguys Tickets, Inc., the first and primary firm they controlled.

The operation, which lasted from late 2002 until January 2009, involved fraudulently purchasing thousands of tickets for various events across the United States, and selling them to ticket brokers at higher prices. Investigators estimate that the Wiseguys racked up profits of almost $29 million by re-selling 1.5 million tickets.

In order to pull off the scheme, the gang employed programmers in the United States and Bulgaria, who coded and constantly adapted the software used to acquire the tickets. The program was so good that it solved CAPTCHAs far quicker than humans and was able to snatch up the best seats at high-profile events as soon as tickets went on sale.

But according to prosecutors, the defendants did not only stop at damaging online ticket vendors’ ability to ensure a fair distribution of tickets. Instead, they went as far as setting up a competing company to distribute tickets on behalf of artists or venues and giving assurances that it was capable of doing what the other vendors were failing to do.

“This affair is a perfect example of a targeted attack (here against the online ticket vendors) using malware that is not widespread. The affair demonstrates how important it is for administrators to keep watch over their networks and watch for even the slightest anomalies,” notes Francois Paget, threat researcher at McAfee.

Credit: Softpedia.com News

World of Warcraft users won’t be happy to hear that hackers have managed to pull a man-in-the-middle attack on several servers hosted in Europe. This happened even with the extra security barriers added by the use of an external authenticator. The attack is suspected to have came from China or/and Malaysia.

The attack basically happened like this: while a regular user accessed a WoW-themed infected site on the web, they installed a trojan, named Malware.NSPack, thinking that they were installing a game add-on. That trojan would then go to install suspicious files on the user’s computer (emcor.dll copied to ../users/username/appdata/Temp) and log all key strokes, sending back data related to WoW authentication credentials.

The data acquired was then employed by attackers to circumvent WoW’s login system and empty the user’s account of all of their in-game (“fake”) money. Subsequently, those sums can be transferred to other accounts, which then can be put up for sale and turn real profit for the hackers.

The keylogger trojans that infected the users were hosted on Chinese-based websites, were graphically cloned after the WoWMatrix website and advertised using Google AdWords service. The spoofed data was relayed using a server hosted in Malaysia. Websites reported by users as being attack sources are cursea.com, deadlybossmodss.com, gamesacca.com and wowmatrixf.com. The sites were taken down, along with the Google AdWords banner.

WoW tech admins were quick to reply and investigate, offering this answer within 24 hours of the first report, “After looking into this, it has been escalated, but it is a Man in the Middle attack. This is still perpetrated by key loggers, and no method is always 100% secure,“ trying to excuse the authenticator’s failure in supplying full protection.

The attacks themselves don’t differ very much from other man-in-the-middle hacks on banking sites, the only difference being that this latest target wasn’t harboring real money like banks do, but fake in-game gold.

Credit: Softpedia.com News

Security researchers warn that a significant number of WordPress websites have been compromised recently as part of what looks to be a money-generating affiliate scheme. The header.php template files are being injected with obfuscated JavaScript code.

“Late last week, I noticed something of a surge in reports of a particular threat: hoards of legitimate pages were being injected with a malicious JavaScript, pro-actively blocked as Mal/ObfJS-H. Thus far, the common link between the affected sites appears to be Wordpress. One user report suggests that the malicious script is being added to the header.php template script used by Wordpress,” Fraser Howard, principal virus researcher at Sophos, writes on the company’s blog.

The obfuscated script is inserted right after the tag and its purpose is to load additional content via an IFrame and to pass visitors through a series of silent redirects. One of these 302 redirects pass the affiliate account of the attacker to a remote script, probably for remuneration purposes.

According to Mr. Howard’s analysis, a cookie for a domain name rich-traffic.com is set in the visitors’ browsers, this site being a Russian affiliate network allowing users to sell or to buy IFrame traffic. “We sell only high quality iframe traffic for your various needs!” is written on the main page. Apparently, this offer refers to huge amounts of unique visitors spread across a wide variety of countries.

The issue of header.php files being modified without authorization has also been discussed in the support forums over at wordpress.org, with users suggesting that compromised FTP accounts might be the cause. This is consistent with the Sophos researcher’s conclusion, who writes that, “In this particular attack however, an out of date Wordpress installation does not appear to be the root cause – many of the sites I checked, appear to be running the latest available version (2.9.1 at time of writing).”

It is worth noting that TechCrunch, one of the most popular technology blogs on the Internet, has recently faced several attacks, which resulted in its home page being altered. At least in one particular attack, the header.php file was modified to include a rogue message.

Credit: Softpedia.com News

The Central Intelligence Agency, PayPal, and hundreds of other organizations are under an unexplained assault that’s bombarding their websites with millions of compute-intensive requests.

The “massive” flood of requests is made over the websites’ SSL, or secure-sockets layer, port, causing them to consume more resources than normal connections, according to researchers at Shadowserver Foundation, a volunteer security collective. The torrent started about a week ago and appears to be caused by recent changes made to a botnet known as Pushdo.

“What do I mean by massive? I mean you are likely seeing an unexpected increase in traffic by several million hits spread out across several hundred thousand IP addresses,” Shadowserver’ Steven Adair wrote. “This might be a big deal if you’re used to only getting a few hundred or thousands of hits a day or you don’t have unlimited bandwidth.”

It’s not clear why Pushdo has unleashed the torrent. Infected PCs appear to initiate the SSL connections, along with a bit of junk, disconnect and then repeat the cycle. They don’t request any resources from the website or do anything else.

“We find it hard to believe this much activity would be used to make the bots blend in with normal traffic, but at the same time it doesn’t quite look like a DDoS either,” Adair wrote.

Security mavens aren’t sure what targeted sites can do to thwart the attacks. Changing IP addresses may provide a temporary reprieve.

Shadowserver has identified 315 websites that are the recipients of the SSL assault. In addition to cia.gov and paypal.com, other sites include yahoo.com, americanexpress.com, and sans.org. Here is the full list of attacked addresses:
(more…)

Over thirty websites of various Representatives and House Committees fell victim to mass defacement yesterday. The incident occurred shortly after President Obama gave his State of the Union address.

The attack seems to be politically motivated as it contained an offensive anti-Obama message. All affected websites are from within the house.gov domain and most of them served House Representatives. However, a few, such as gop.cha.house.gov, republicans.financialservices.house.gov, republicans.oversight.house.gov or resourcescommittee.house.gov, correspond to House committees.

According to Web defacement archive Zone-H, the Red Eye Crew is a prominent hacking group responsible for more than 45,000 defacements in 2009 alone. Around 2,000 of the affected websites are listed as special, meaning they belong to governments, military organizations or important corporations.

Determining a specific point of entry for these attacks without any insider knowledge is hard. However, security researchers from Praetorian Security Group determined that all compromised websites use the Joomla content management system. “But not all of the Joomla CMS web sites [on the same server] are affected. This might indicate that it is a Joomla component that is to blame, however that is just speculation,” they write.

It is worth noting that a significant number of websites within the house.gov domain were defaced last August by a different group. At the time, there was information to suggest that the compromise was the result of default passwords that were left unchanged.

“Unfortunately we won’t know that until someone who manages house.gov provides some details. Server access seems unlikely, because while the sites we checked are hosted on dcserver1.house.gov, not every site hosted on that server is defaced (example congressman Joe Sestak’s web site was fine). The sites are not redirecting anywhere,” the Praetorian Security Group experts conclude.

Credit: Softpedia.com News

Popular technology site TechCrunch was hit by hackers late on Monday, leaving the site temporarily unavailable.

A notice on TechCrunch.com’s front page on Tuesday morning explains that “TechCrunch.com was compromised by a security exploit”. Access to the site’s story archive has been suspended leaving a two para notice on the hack as the only content visible on the site.

Hackers defaced the front page of the site with a message (recorded by Mikko Hypponen of F-Secure) apparently abusing site admins and including a link to a pornographic content and warez linking website.

The problems began for TechCrunch at around 10:30 pm PST on Monday when unknown hackers modified its home page to only display the word “hi.” The page was later changed to read “We’ll be back shortly,” suggesting that webmasters regained control of the website.

After a while, the site was hacked again and a link called “rapidshare downloads” appeared on the home page. The link actually pointed to DupeDB, a known warez website and was subsequently replaced by a “We’ll be back soon” message.

Hackers took over TechCrunch for a third time and left one offensive message accompanied by a link to the illegal content distribution site mentioned before. A final message from staff after this attack was also repelled, saying “Earlier tonight techcrunch.com was compromised by a security exploit. We’re working to identify the exploit and will bring the site back online shortly.”

Specific technical details regarding the incident are lacking, but a DNS hijacking attack similar to those experienced by Twitter and Baidu is out of the question. According to some sources cited by Praetorian Prefect, TechCrunch was using WordPress 2.8.4 at the time of the incident and 2.9.1 after. This apparent platform upgrade suggests that a WordPress vulnerability might have been exploited.

This defacement was removed by site admins who are in the process of identifying the exploit involved in the hack, securing systems, and bringing TechCrunch back online.

The motives or perpetrators of the attack remain unclear but the timing - a day before Apple’s much anticipated iTab launch in San Francisco - could hardly be worse.

TechCrunch returned to business by Tuesday lunchtime. The site has published a story on the attack, which is still under investigation. Hackers redirected traffic as well as leaving a defacement, TechCrunch explains.

Update (Jan. 27): TechCrunch has been hit by potty-mouth hackers for the second time in 24 hours. The second hack features a foul-mouth rant aimed against site founder Michael Arrington. It also includes a link to the same online smut and warez-peddling Torrents site “promoted” via the previous attack.

Credit: The Register, Softpedia.com News

Microsoft published an advisory today about a critical security vulnerability in all versions of Internet Explorer (apart from version 5). While all versions of Internet Explorer are affected, the risk for everyone running Internet Explorer 8 is lower since it has DEP (Data Execution Prevention) enabled by default.

According to McAfee, hackers who breached the defenses of Google, Adobe Systems and at least 32 other companies used this vulnerability to carry out at least some of the attacks.

The previously unknown flaw in the IE browser was probably just one of the vectors used in the attacks, McAfee CTO George Kurtz wrote in a blog post. Using a sophisticated spear-phishing campaign, the perpetrators included malicious links exploiting the bug in emails and instant messages sent to employees from at least three of the targeted companies.

Contrary to previous speculation, there was no evidence vulnerabilities in Adobe’s Reader or Acrobat applications were used in any of the attacks, Kurtz said. In its own statement, adobe concurred, saying researchers “have not been able to obtain any evidence to indicate that Adobe Reader or other Adobe technologies were used as the attack vector in this incident.”

Kurtz said his findings were based on malware samples taken from “three to five” of the targeted companies and he stressed that other zero days or exploits could have been used against other victims.

“In our investigation we discovered that one of the malware samples involved in this broad attack exploits a new, not publicly known vulnerability in Microsoft Internet Explorer,” Kurtz wrote. “Our investigation has shown that Internet explorer is vulnerable on all of Microsoft’s most recent operating system releases, including Windows 7.”

Shortly after the report, Microsoft confirmed the new IE vulnerability was “one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks.” A company statement said the attacks were carried out against version 6 of the widely used browser and suggested users protect themselves by enabling security features that have been added to successor versions.

McAfee’s report is the latest to shed light on one of the most significant cyberattacks in years. Google first disclosed the “highly sophisticated and targeted attack” on Tuesday, saying it originated in China and targeted its intellectual property. It added that 20 other companies suffered similar assaults, a number that independent researchers soon raised to 34. So far, only Google and Adobe have been identified as victims.

Yahoo, Symantec, Northrop Grumman and Dow Chemical have also been penetrated according to The Washington Post, citing unnamed “congressional and industry sources.”

The malware that McAfee researchers analyzed was sent to a highly select group of employees of a handful of companies that Kurtz declined to identify.

“This wasn’t something that got blasted to 300,000 people in a corporation,” Kurtz said in an interview with The Register. “It was really targeted at senior technology leaders that had access to core pieces of intellectual property, source code, et cetera.”

Kurtz has dubbed the attack “Aurora,” a reference to the filepath on the attacker’s machine that showed up in some of the malware code McAfee researchers analyzed. They believe that is the name the attackers gave to the operation. There was nothing in the binaries that indicated either way whether the code writers spoke Cantonese or Mandarin or were located in China.

The IE vulnerability stems from an invalid pointer reference that when exploited allows an attacker to execute malicious shell code on underlying machines. The malware caused exploited machines to download further malicious scripts that installed a backdoor. The machines then connected to command and control channels that were hosted on servers that resided in the US and Taiwan.

A security feature known as data execution prevention, which prevents data loaded into memory from being executed, will block the particular exploits McAfee has observed. But Kurtz warned the vulnerability exists in all versions of IE except for IE 5.01, service pack 4, and that it would be possible for attackers to work around the protection.

In an advisory, Microsoft recommended people use DEP, which by default is enabled in IE 8 but must be turned on in prior versions. The statement also advised users on Vista and later versions of Windows to run IE in protected mode. The advisory didn’t say when an update would be released that patches the vulnerability.

Credit: The Register, SANS ISC