
RSA Said: Zeus v2.1.0.10 Became The Most Infamous & Propagated Trojan in Cybercrime History


The RSA Research Lab investigated and monitored a large number of malicious cybercrime servers operating in the wild. What RSA researchers discovered was nothing less than the robust mercenary workings of a virtual heist machine, one that has been operational on an ongoing basis, harvesting and stealing financial data from hundreds of thousands of infected users all over the world. The tool of choice—Zeus v2.1.0.10, the most advanced variant of Zeus to date. The end result: endless logs of compromised financial data and untold numbers of wire-fraud transactions.
According to the official blog of RSA:- 

A Privately Developed Zeus Upgrade:-
Unlike the large majority of banking Trojans, the Zeus Trojan has always been a commercial code, sold by its creator to those who could afford an advanced fraud tool and understood how to use it. With time, Zeus became the most infamous and most propagated Trojan in cybercrime history. In October 2010, nearly one year ago, the bequeathing of the Zeus Trojan’s source code by its owner “Slavik” to his then biggest rival, the SpyEye Trojan’s coder (“Harderman”), united the future of 2 giant commercial codes and threw a Zeus-faced wildcard into the game when its entire source code was leaked in March 2011.
But it was nearly two months before the announcement of the code ‘merger’ was even made that RSA researchers were already looking at a rather special upgrade of the Zeus Trojan: Zeus v2.1. A surprising and rare new version which included some of the most sophisticated additions to the Zeus code seen in recent times, making it more impervious and hardened, thus shutting out a lot of potential interference with this variant’s configuration and its communication patterns. At the time (early September 2010), our team was in possession of a single variant of this upgrade and was not entirely sure what it represented as yet. The interesting part of the upgrade was its low propagation numbers and the time lapse it took for the Lab to see more of it in the wild. True Zeus 2.1.0.10 variants were not being sold in underground forums. These two initial observations already suggested that the new upgrade was the property of one cybercriminal or a single cybercrime gang.
Within six months, Zeus 2.1.0.10 was being detected more and more often, and although the number of variants kept growing, the trigger list in each and every one of them was identical – a rare case for Zeus variants in which each operator updates his own list of triggers. This was the third sign pointing to a single operations team for Zeus 2.1.0.10.
June 2011 – a sharp peak in Zeus 2.1.0.10 attacks resulted from the propagation of hundreds of variants of this upgraded version. To date, the RSA Research Lab detected 414 different variants, and yet, each and every variant still went after the exact same trigger list. At this point it was clear that Zeus 2.1.0.10 belongs to one gang who had the Zeus source code way before the merger, way prior to the code leak and before anyone even imagined what would become of Zeus.
This gang developed their own Zeus Trojan using Zeus’ source codes and its mainframe; this gang operates Zeus 2.1.0.10 without sharing their malevolent creation with outsiders.

Zeus 2.1.0.10 Has its Own Techniques:-
More than the actual upgrade of the Trojan code, the new Zeus 2.1.0.10 behaved in a new way, unlike the one observed in other Zeus variants. Unlike other advanced Trojans that contact the mothership through reverse proxies, fast flux networks, or those that use their own botnet as proxies – Zeus 2.1.0.10 never communicates directly with the mothership. This special variant further uses another obfuscation technique for cases where it fails to find a live update point. In order to make sure the botnet always ‘calls home’, Zeus 2.1.0.10’s operators programmed a randomized, on-the-fly domain name generator, based on a constant algorithm the Trojan’s configuration dictates. The algorithm creates 1,020 domain names (URLs) per day. Each new and unique domain name is a string of letters. The suffix “/news” or “/forum” follows the domain name when it is used for the Trojan’s update and drop communications.
The cybercriminal operation team behind the scenes has the same algorithm. They know exactly when the whole botnet will attempt to communicate with a specific new domain name, and then simply go and buy that domain name, hosting each one through facilities located all over the world. At that point, the whole botnet queries the new domain with a request for the update file – and receives it, and the C&C queries its bots for the stolen data they have in store – and receives it.  Mission accomplished.
This all happens without anyone outside the gang knowing their algorithm or being able to guess which communication channel they will choose for their botnet next. Even if an external party was to attempt to solve the algorithm, they would have to buy the domains before the gang does, thus engaging in a race against time and paying for numerous domain registrations every hour (!). No matter how many domains an adversary buys, the bot masters will eventually buy one and the botnet will end up communicating with it.
The communication through randomized domains generated by the Trojan is directed through a list of legitimate VPS and legitimate cloud services used as a proxy. This ruptures any further tracking possibilities of the true motherships which militate the immense botnet.
Zeus 2.1.0.10’s behavior pattern has never been used in Zeus or SpyEye variants, but it sure is identical to another Trojan’s sophisticated and diuturnal operations – Sinowal. A long standing, privately owned Trojan, operated by an organized cybercrime gang based out of Russia, Sinowal is perhaps one of the most persevering private banking Trojans; one whose nefarious nature has been the intrigue of many security researchers since as early as 2006.
It was initially somewhat surprising to see that Zeus 2.1.0.10 was not only a private version of Zeus, it also behaves exactly in the same manner as Sinowal similarly held by Russian-speaking cybercriminals. These common denominators raised a logical suspicion as to the possibility of the two sharing some links if not operated by the same gang altogether.

For more information and to see the RSA blog article about Zeus click Here
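The RSA write-up above describes the signature a defender can look for without knowing the gang's algorithm: one client reaching many distinct, never-seen, letters-only domains in a day, on the "/news" or "/forum" path, most of them failing because the operators have not registered that day's name yet. The following is an added example, not RSA's code or the Trojan's algorithm, that scores random-looking hostnames and flags clients matching that pattern over a few constructed proxy log lines; the log format, the sample hosts and the thresholds are all assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed proxy log lines for the demo: timestamp, client IP, host, path, status.
# The real Zeus 2.1.0.10 generator is not described on the page, so the random-letter
# hosts below are made up to resemble its output, not taken from any real sample.
SAMPLE_LOG = """\
2011-06-14T09:01:12Z 10.0.0.15 www.google.com /search 200
2011-06-14T09:01:30Z 10.0.0.15 qwpzkjtrvbnx.com /news 503
2011-06-14T09:01:31Z 10.0.0.15 hlmdfskwqpae.net /news 503
2011-06-14T09:01:33Z 10.0.0.15 tqvaenwlsbxk.com /forum 200
2011-06-14T09:01:40Z 10.0.0.15 zrtkplwcvbqo.com /news 503
2011-06-14T09:02:01Z 10.0.0.22 news.bbc.co.uk /news 200
2011-06-14T09:02:05Z 10.0.0.22 forum.wikipedia.org /forum 200
2011-06-14T09:02:09Z 10.0.0.22 qwpzkjtrvbnx.com /news 503
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")
DGA_PATHS = {"/news", "/forum"}   # the two suffixes the RSA report attributes to this variant
VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (higher for labels with many distinct letters)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(host: str) -> str:
    """Crude second-level label: 'qwpzkjtrvbnx.com' -> 'qwpzkjtrvbnx', 'news.bbc.co.uk' -> 'bbc'.
    Only handles '.co.uk'-style two-part suffixes; a real deployment would use the public suffix list."""
    parts = host.lower().split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "com", "org", "net"} and len(parts[-1]) == 2:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_random(label: str) -> bool:
    """Heuristic for an algorithmically generated, letters-only label (thresholds are assumptions):
    long enough, high character entropy, and either few vowels or a long consonant run."""
    if len(label) < 8 or not label.isalpha():
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiou]+", label))
    return shannon_entropy(label) >= 3.0 and (vowel_ratio <= 0.3 or longest_consonant_run >= 5)


def parse_line(line: str):
    """Split one constructed log line into its fields; returns None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, host, path, status = m.groups()
    return {"day": ts[:10], "client": client, "host": host, "path": path, "status": int(status)}


def find_dga_beacons(log_text: str, min_hosts: int = 3) -> dict:
    """Return {(day, client): sorted suspicious hosts} for every client that contacted at least
    min_hosts distinct random-looking hosts on a DGA-style path within a single day.
    A client hitting one odd host is noise; a burst of fresh ones is the calling-home pattern."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] not in DGA_PATHS:
            continue
        if looks_random(registrable_label(rec["host"])):
            seen[(rec["day"], rec["client"])].add(rec["host"])
    return {key: sorted(hosts) for key, hosts in seen.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for (day, client), hosts in find_dga_beacons(SAMPLE_LOG).items():
        print(f"{day} {client}: {len(hosts)} suspicious hosts -> {', '.join(hosts)}")
```

Legitimate hosts such as news.bbc.co.uk and forum.wikipedia.org use the same paths but keep their normal-looking labels, so only the client cycling through several random-letter domains is reported.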





Microsoft Seized Two Command & Control Server of Zeus Botnet

Cyber crime investigators at Microsoft have shut down two botnet servers powered by "Zeus". It has been reported that Microsoft’s Digital Crimes Unit, coordinating with several financial services organizations and the United States, seized the two command-and-control servers of Zeus on Friday, March 23. After shutting down the servers, it was found that more than $100 million had already been stolen and that an estimated 13 million computers were infected and connected to those two C&C servers of Zeus. The raid came after Microsoft filed a civil lawsuit, partly under the Racketeer Influenced and Corrupt Organizations Act. The company has combined legal tactics with cyberforensics three other times since 2010 to shut down command-and-control servers used to direct large botnets. Last week Microsoft officially declared that it was working closely with US authorities and financial services companies to disrupt two Zeus botnets. So there is no doubt that this is indeed a huge success for Microsoft.
Brief Overview of Zeus Trojan:- 
The Zeus banking Trojan intercepted user credentials for online banking accounts with a keylogger and transferred money out of victims’ bank accounts. The malware was sophisticated enough to display a fake page showing the normal account balance instead of the actual amount, which meant victims weren’t aware of the thefts immediately. Zeus crimeware kits are available on underground forums for anywhere between $700 and $15,000. There’s even an “open source” version of the toolkit which is available for free.

"Cybercriminals have built hundreds of botnets using variants of Zeus malware," Richard Boscovich, a senior attorney with Microsoft’s Digital Crimes Unit, wrote on the Official Microsoft Blog.
Last week we also discussed another dangerous botnet, or in other words the next generation cyber weapon, named Duqu. After a long period the researchers have finally solved the Duqu mystery.


Anonymous Tricked Their Supporter Into Installing Zeus Trojan - Said Symantec


Remember Operation Megaupload (#OpMegaupload), the largest attack ever, where 5,635 Anons brought down the websites of Universal Music, the U.S. Department of Justice and the Recording Industry Association of America using LOIC, one of the world's most popular and widely used DDoS tools.
Now security software company Symantec has discovered that a piece of Anonymous-recommended DDoS software called Slowloris contained an insidious Trojan that was stealing financial information from the people using it. According to Symantec's official blog post, on the 20th of January, after Kim Dotcom was arrested, Anonymous was frequently sharing pastebin links containing the download link for Slowloris, which led to a trojanized copy that installed the Zeus trojan on users' systems. The compromised download then replaced itself with a clean version of the tool to avoid detection.

"It is worth highlighting how Anonymous supporters have been deceived into installing Zeus botnet clients purportedly for the purpose of DoS attacks. The Zeus client does perform DoS attacks, but it doesn’t stop there. It also steals the users' online banking credentials, webmail credentials, and cookies."
"When the Trojanized Slowloris tool is downloaded and executed by an Anonymous supporter, a Zeus (also known as Zbot) botnet client is installed. After installation of the Zeus botnet client, the malware dropper attempts to conceal the infection by replacing itself with the real Slowloris DoS tool. Zeus is an advanced malware program that cannot be easily removed. The Zeus client is being actively used to record and send financial banking credentials and webmail credentials to the botnet operator. Additionally, the botnet is being used to force participation in DoS attacks against Web pages known to be targets of Anonymous hacktivism campaigns."

Full information can be found Here




Zeus Strategy Followed By SpyEye & Here The Victim is Android Users



In the world of Windows malware, SpyEye is a widespread malicious toolkit for creating and managing botnets. It is designed primarily for stealing banking credentials and other confidential information from infected systems. SpyEye is a major competitor of the infamous Zeus toolkit.
Zeus (also known as ZBot) generated a lot of interest in the mobile security community a couple of months ago when an Android version was discovered. Of course, we did not have to wait long before a version of SpyEye targeting Android was also developed, and sure enough a malicious SpyEye Android app was discovered a few days ago.
The functionality of Zeus and SpyEye on Windows is quite similar, so I was curious as to how similar their respective Android versions would be.
Zeus for Android purports to be a version of Trusteer Rapport security software. This social engineering trick is used in an attempt to convince the user that the application they are installing is legitimate.
SpyEye for Android, now detected by Sophos products as Andr/Spitmo-A, uses a slightly different but similar social engineering technique. When the user of a PC infected by the Windows version of SpyEye visits a targeted banking website, and when the site is using mobile transaction authorization numbers, the SpyEye Trojan may inject HTML content which will instruct the user to download and install the Android program to be used for transaction authorisation.


The SpyEye application package does not show up as an icon in the "All apps" menu, so the user will only be able to find the package when "Manage Applications" is launched from the mobile device's settings.
The application uses the display name "System" so that it seems like a standard Android system application.
When installed, Zeus for Android displayed a fake activation screen, and Spitmo is again very similar. However, Spitmo uses different tactics to convince the user that it is a legitimate application.
It requests the following Android permissions:-
  • android.provider.Telephony.SMS_RECEIVED
  • android.intent.action.NEW_OUTGOING_CALL

This allows the malware to intercept outgoing phone calls. When a number is dialed, the call is intercepted before the connection is made and the dialed phone number is matched to a special number specified by the attacker in the alleged helper application's installation instructions. If the number matches, Spitmo displays a fake activation number, which is always 251340. Once installed, the functionality of Zeus and SpyEye is pretty much the same. A broadcast receiver intercepts all received SMS text messages and sends them to a command and control server using an HTTP POST request. The submitted information includes the sender's number and the full content of the message.
So far, it does not seem that this attack is widespread, but it shows that the developers of major malicious toolkits are closely watching their competition and matching the latest features. It also seems that support for Android is increasingly becoming an important part of their product strategy.

-News Source (N.Security)



Professor Warner Helps FBI To Crack "Trident Breach" ($70 Million Cyber-crime Ring)


Earlier, in 2008, cyber criminals managed to steal more than $70 million from the payroll accounts of some 400 American companies and organizations – all from the safety of their homes in Eastern Europe. The case was known as "Trident Breach". As expected the FBI was investigating the case but had little success.
At the beginning of 2008, the group of hackers compromised hundreds of thousands of Americans' computers using a malicious computer “Trojan” called ZeuS. When computer users clicked on certain attachments and e-mail links, ZeuS infected their computers. ZeuS is designed to zero in on users’ bank information. For example, when a user visits a bank website, ZeuS knows; and since it is a key logger program, it records the user's keystrokes as he or she enters usernames and passwords. It then sends that information by instant text message to waiting hackers, who then have access to the compromised accounts. Henry is one of the country’s top cybercrime fighters. He says Americans are increasingly prone to “virtual gangs” preying on people’s personal data stored on their computers. In late 2008, the gang created some 3000 money mules, many of them unwitting Americans, by luring them into work-at-home jobs requiring "employees" to open bank accounts.
Later the FBI appointed Prof. Gary Warner of the University of Alabama at Birmingham, who teaches a program that combines computer forensics and justice studies. Warner is also a member of the little-known FBI-affiliated group called InfraGard, comprising some 50,000 members across the United States who keep an eagle eye on U.S. critical infrastructure: power plants, water supply, security and financial services…and the Internet. After Warner's entry the investigation turned. Warner said hackers transferred cash from business payroll-type "ACH" (Automated Clearing House) accounts to the mule accounts, and the mules sent the cash by Western Union or MoneyGram to Eastern Europe, taking an eight or 10 percent commission. So stealthy was their ZeuS operation that neither the hackers nor the mules had counted on getting caught. But, using complex data mining techniques, Prof. Warner established links between ZeuS-infected computers and traced the origins of the mass infection to Ukraine; and many of the hackers and their mules were caught. And after the FBI published a wanted poster of the suspects, Warner’s students began using what they’d learned in class to track the criminals.




Popular Gaming Site of France Infecting Visitors With ZeuS


Researchers from anti-virus company and security firm Avast have found that a French fan website for the popular game Assassin’s Creed has been serving ZeuS malware variants to its visitors for over 8 weeks. The site was infected with a Trojan JavaScript redirector that sends visitors to a Russian malware site and connects them to a ZeuS-powered botnet. The infection was last confirmed by the AVAST Virus Lab at 12.00 CET, April 10, 2012. And, just to make it clear, this Assassinscreedfrance.fr site is not affiliated with Ubisoft, the developers of the Assassin’s Creed franchise.
The web site is currently returning the PHP error message: Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /homepages/23/d207590046/htdocs/wp-content/plugins/countdown-timer/fergcorp_countdownTimer.php on line 1050.
According to the Avast official blog post - So far, Avast has blocked over 179,800 visits by its users to this site. And, Assassinscreedfrance.fr is just one of 1,841 sites around the globe that have been infected with this specific Trojan during the month of March. The infection, a Trojan redirector, sends users to a Russian malware distribution server with an IP registered in Saint Petersburg, Russia. And yes, this server is still working, even after Microsoft’s recent takedown of a few dozen botnet servers. The infection at Assassinscreedfrance.fr is located in the countdown timer in the JavaScript module, a common WordPress plugin. Other sites had infections hitting a wide range of WordPress vulnerabilities. “The bad guys are using an automatic tool that is looking for some holes,” said Jan Sirmer, analyst from the AVAST Virus Lab. “Assassinscreedfrance.fr may have become vulnerable by using an outdated version of WordPress, even though their JavaScript plugin is up-to-date. For the rest of these sites, we can safely say that older programs and plugins are common ways to get infected.”

-Source (Avast Blog)





SpyEye Banking Trojan Swallowing US, Russia & Ukraine -Said AhnLab


Researchers at AhnLab have found that a significant majority of the domains and hosts for the SpyEye banking Trojan are in the US. The malicious code has gained attention of late for the threat it poses to online banking user information. According to SpyEye-relevant host data extracted by the AhnLab Packet Center, 48% of all SpyEye domains were found to be located in the US, followed by Russia at 7%, and Ukraine at 6%. The AhnLab Packet Center is the company’s malicious packet analysis system, which assesses suspicious packet data, including that from SpyEye C&C servers. The findings indicate that the main targets of SpyEye are in the US, and that North American financial institutions and users should remain especially vigilant.
Since its toolkit first became public in 2010, the SpyEye Trojan has produced many variants. According to analysis by the AhnLab Packet Center, the “10310” variant was identified as the most distributed version at 34.5%. The “10299” and “10290” variants followed at 14.7% and 14.6%, respectively. Additional variants are expected in the future. SpyEye, along with ZeuS, are notorious banking Trojans that have helped thieves steal more than $100 million around the world. Without an end-user PC solution, banks face great difficulty protecting individual customers from the sophisticated threats posed by these malicious codes. AOS ensures comprehensive transaction security with its Anti-keylogger, Firewall and Anti-virus/spyware agents for individual user PCs, as well as Secure Browser which creates an independent online space for safe communication. With AOS’ unique approach to transaction security, banks are able to deliver complete peace of mind to their online customers.

The four components of the AhnLab Online Security (AOS) solution, designed to protect the entire transaction process, include:-
  • AOS Secure Browser: Provides a dedicated security browser that creates an independent and protected environment for online transactions. It secures user banking data against Man-In-The-Browser (MITB) attacks such as SpyEye and ZeuS, memory hacking, webpage alteration, HTML injection, cross-site scripting (XSS), browser help object (BHO) hacking, screen capturing, debugging, and reverse engineering.
  • AOS Anti-keylogger: Delivers the protection needed to keep account information safe and prevent theft of personal banking data during input via a keyboard.
  • AOS Firewall: Protects the user by detecting and blocking unauthorized intrusions and hacking attempts and preventing the leakage of personal information.
  • AOS Anti-virus/spyware: Secures online transactions against the latest malicious codes with AhnLab’s cloud based security technology known as ASD (AhnLab Smart Defense).
Yesterday we discussed that Microsoft’s Digital Crimes Unit, coordinating with several financial services organizations and the United States, seized two command-and-control servers of Zeus.


-Source (Market-Watch)


BlackBerry phones hit by ZeuS Trojan virus


If you thought your phone is virus-proof, think again. There is a virus on the block that has started affecting all BlackBerry devices. And the worst part is that a user will never know whether her phone has been affected or not.

Amit Nath, country manager, India and SAARC at Trend Micro, claims researchers at the firm were alerted to the discovery of a ZeuS Trojan specifically targeting BlackBerry users. It aims to monitor users' private information especially when they conduct mobile banking, says Nath. 

"It does not display any graphical user interface that can prompt users about the infection. Instead, it removes itself from the list of applications. The virus can view, delete and forward text messages, block calls, change the administrator on the device and block phone numbers. It allows the hacker to change the telephone number the device sends all the data to in the event that it gets shut down," he said. 

"Although there is no definite data on how many phones have been hit, we are sure it is spreading fast even in India. However, as users mostly don't get to know they have been infected, it's difficult to fix a number. We have detected instances of the virus on our clients' networks. This virus has the capability of spreading on its own and infecting phones that do not have anti-virus software installed," Nath points out.
Jagannath Patnaik, director, channel sales south Asia at Kaspersky Lab , says: "There has been a new wave of malware attack that has started affecting BlackBerry and it has originated from Poland. The aim is to extract banking passwords." 

An email sent to Research In Motion , manufacturers of BlackBerry phones, went unanswered despite repeated reminders. 
According to Trend Micro researchers, the ZeuS Trojan is capable of blocking calls, registering a new administrator, adding and removing senders, switching the phone on or off remotely and, most important, hiding text messages and sending them to the hacker without the user's knowledge.

Abhijit Limaye, director, development at Symantec, said: "BlackBerry has a reputation as being a secure platform. However, it is still susceptible to malware threats and has issued advice documentation for customers to minimise risks. They have also released software applications to help customers protect their data." Vinoo Thomas, technical product manager at McAfee Labs, said: "While a Trojan virus can replicate and spread on its own, there are a few spyware that need to be loaded manually. One can buy spyware programs like MobiSpy, MobiStealth and FlexiSpy for between $40 and $80."

One reason for infection could be the downloading of out-of-the-box applications on a BlackBerry. Zaki Qureshi, a professional ethical hacker, said: "BlackBerry phones have high security features, but if users install out-of-the-box applications, the chances of infection rise."


Android Botnet!!!




With the advancements made by different security vendors it is becoming increasingly difficult for botnet masters to remain undetected. Reports suggest that operating systems such as Windows 7 have become 7 times more secure than older versions such as Windows XP. Hence the obvious move for a botnet was to another, increasingly insecure platform – cellphones. Bots such as Zeus have already recently shown what they can do on BlackBerries. The Symbian operating system is losing its sheen. So, the next target is the Android phone.
To avoid detection, this proof-of-concept code utilizes the Short Messaging Service (SMS) as a command & control channel. This adds fault tolerance because, if a smartphone is not available on the GSM network due to being powered off or out of service range, when an SMS message arrives for delivery, the message is queued and delivered by the network! If only this feature existed in Zeus eh?
  • Compile with arm-gcc with the -static flag set
  • Copy to anywhere on the underlying OS that is writable (/data/ is good).
  • Rename /dev/smd0/ to /dev/smd0real/
  • Start the bot application
  • Kill the radio application (ps | grep rild)
  • The radio will automatically respawn and now the bot proxy will be working
More interesting material, such as the botnet structure and possible infection methods, is presented by the author in the slides that can be found here.
Download the Android Botnet PoC (botPoCrelease-android.c) here


NBC.com Compromised, Hackers Exploited The Website to Spread Malware


The month of February is going from bad to worse for the cyber domain: in this very month cyber criminals have breached the security of many giant companies like Facebook, Twitter, Apple, the New York Times and many more. But the game is not over yet; only a few weeks after the attack on the NY Times, which stole the employee database, the cyber criminals have targeted yet another media giant, the National Broadcasting Company, widely known as NBC. During the attack, hackers successfully gained access to NBC's servers and planted malware in order to harm innocent readers. Famous security expert and blogger Brian Krebs said that the hackers inserted code into the NBC.com homepage. This caused visiting browsers to load pages from third-party sites that were compromised. While explaining the nature of the attack, Krebs said: "The compromised sites tried to foist the Citadel Trojan, a variant of the Zeus Trojan." Zeus is a "sophisticated data theft tool that steals passwords and allows attackers to control machines remotely", he added. Not only NBC’s home page but also several other pages were affected, including those of late night talk show hosts Jay Leno and Jimmy Fallon. The well known security firm Sophos explained roughly how the attack played out, and how NBC got sucked into the equation:
  • NBC's hacked pages were altered to add some malicious JavaScript that ran in your browser.
  • The JavaScript injected an additional HTML component known as an IFRAME (inline frame) into the web page.
  • The IFRAME sucked in further malicious content from websites infected with an exploit kit known as RedKit.
  • The exploit kit delivered one of two exploit files to try to take control over your browser via a Java vulnerability or a PDF bug.
  • If the exploit worked on your computer, financially-related crimeware from the Citadel or ZeroAccess families was installed.
This, of course, is an example of a dreaded drive-by download, where the crooks use a cascade of tricks to download, install and execute software without going through any of the warnings or confirmation dialog you might expect. This, in turn, means that even if you are a careful and well-informed user, you may end up in trouble, since there are no obvious signs that you are doing anything risky, or even unexpected.
As soon as this story got spotted, the American commercial broadcasting television network NBC News reported and confirmed that its site had been attacked. The broadcaster released the following statement regarding the website: "We've identified the problem and are working to resolve it. No user information has been compromised."
The emergency response team immediately took the situation under control, restored the website, and confirmed that the site is back and completely safe for its visitors. But so far there is no evidence as to which attackers were involved in this attack. For the safety of VOGH readers we recommend that you update your operating systems and browser plugins. Also note that the attack on NBC was similar to many that have occurred in recent years in that the malicious sites tried to exploit vulnerabilities in Java, so it would be better to disable Java unless it is really necessary. So stay tuned with VOGH and be safe in the cyber domain.







Twitter Traffic Hits 6,049 Tweets per Second As News of Jobs' Death Spread



Traffic hit near-record levels on Twitter Wednesday after news spread of Apple co-founder Steve Jobs' death. Leaders in the high-tech industry, as well as Apple fans and average people, took to social networking sites Wednesday night and Thursday to spread the word about Jobs and to share memories and tributes to the man behind the iMac, iPod, iPhone and iPad. Around 8 p.m. EDT Wednesday, shortly after news of Jobs' passing was made public, Twitter was handling 6,049 tweets per second, according to Twitter spokeswoman Rachael Horwitz.
"I'm surprised at the number of tweets it got, but I guess I shouldn't be," said Zeus Kerravala, principal analyst with ZK Research. "Social networks are increasingly the de facto place for people to go to when they want to share information. Twitter is perfect for this type of thing."
While Wednesday night didn't set a record for Twitter traffic, it was one of the site's highest number of tweets per second ever recorded.
Horwitz noted that early last May, the death of al-Qaeda leader Osama Bin Laden set a record at that time with a peak of 5,106 tweets per second.
When Brazil was eliminated from the international soccer tournament Copa America in July, Twitter saw 7,166 tweets per second. The current record is 8,868 tweets per second, which was set during the 2011 MTV Video Music Awards in August, Horwitz noted.

Shawn White, vice president of operations at Keynote Systems, an Internet and mobile monitoring company, told Computerworld that the surge in Twitter traffic after Job's death was staggering.
"We saw it with the death of Michael Jackson and the inauguration of President Obama. Sometimes sites just get overwhelmed," White said. "The pattern we saw [with Twitter] was that things hummed along pretty normally and then right after the announcement of Steve Jobs' passing, the site slowed." He noted that the time to access Twitter's homepage for many users went from 3 seconds to 20 or 30 seconds. The site increasingly struggled under the load, with the first error hitting at 8:10 p.m. ET.
Then the availability of Twitter's homepage dropped nearly 40% between 8:50 and 9:05, according to Keynote.
"During that 15-minute period, roughly 60% of Twitter users would have gotten some kind of error trying to get to the home page. And if they got there, it was probably really slow," White said. "But Twitter recovered pretty quickly."


-News Source (Computerworld, BBC, Twitter)

Malware Named "Gameover" Targeting Bank Accounts


Another malware named "Gameover" is targeting bank accounts via phishing emails. Cyber criminals have found yet another way to steal your hard-earned money: a recent phishing scheme involves spam e-mails—purportedly from the National Automated Clearing House Association (NACHA), the Federal Reserve Bank, or the Federal Deposit Insurance Corporation (FDIC)—that can infect recipients’ computers with malware and allow access to their bank accounts.
The malware is appropriately called “Gameover” because once it’s on your computer, it can steal usernames and passwords and defeat common methods of user authentication employed by financial institutions. And once the crooks get into your bank account, it’s definitely “game over.” Gameover is a newer variant of the Zeus malware, which was created several months ago and specifically targeted banking information. A few days ago the Ramnit worm did much the same thing: it stole more than 45K Facebook login details, and more than 250K PCs have been infected by Ramnit. It is clear that the rate of this kind of cyber threat keeps climbing.

How the Gameover malware works:-
Typically, you receive an unsolicited e-mail from NACHA, the Federal Reserve, or the FDIC telling you that there’s a problem with your bank account or a recent ACH transaction. (ACH stands for Automated Clearing House, a network for a wide variety of financial transactions in the U.S.) The sender has included a link in the e-mail for you that will supposedly help you resolve whatever the issue is. Unfortunately, the link goes to a phony website, and once you’re there, you inadvertently download the Gameover malware, which promptly infects your computer and steals your banking information.
After the perpetrators access your account, they conduct what’s called a distributed denial of service, or DDoS, attack using a botnet, which involves multiple computers flooding the financial institution’s server with traffic in an effort to deny legitimate users access to the site—probably in an attempt to deflect attention from what the bad guys are doing.

An army of techies waging war on spam




It's a vast, invisible battle, going on all the time - and, unbeknownst to you, your computer may be one of the battlegrounds.
The struggle pits thousands of smart, evil folks, who send out trillions of pieces of spam e-mail, against the people in law enforcement and business guarding against them and trying to shut them down.
On the front lines against spam and cybercrime, some analyze malicious computer code (malware), and others - in the young science of cyberforensics - examine computers and drives confiscated in investigations.
Spam - hated word - is again in the news. A May 3 FBI alert warned of e-mail carrying purported images or videos of Osama bin Laden. "This will leave you speechless," the spam says. "See picture of bin laden dead!"
Don't even open it, warned the alert. "This malicious software or malware can embed itself in computers and spread to users' contact lists, thereby infecting the systems of associates, friends, and family members."
Pumped out by networks (botnets) of malware-enslaved personal computers, unwanted e-mail - random junk, ads, porn, viruses, Trojan horses, get-rich-quick offers from Nigerian nobility - makes up most of all e-mail sent in the world. By far. Estimates range around 80 percent - but a 2007 Microsoft security report in October put it at 97 percent. It ranges from crud to criminal. As for malware, the United States has about 2.2 million computers (more than any other country) infected, according to Microsoft numbers (likely to be low).
"I guarantee," says FBI Special Agent Brian Herrick, director of the FBI Cyber Crime Squad in Philadelphia, "that thousands of Inquirer readers probably have computers infected with spam or malware, part of a botnet just pumping out spam."
The cyberthugs have an advantage, says Special Agent Cerena Coughlin, also of the Cyber Crime Squad. "We can stop them for a while, but they always come up with ways to circumvent it. And we're more restricted. We have to follow the letter of the law - they don't."
The extent of it is staggering. Before U.S. marshals took it down in March, the Rustock botnet was pumping out an estimated 30 billion spam e-mails a day. The botnets - big names include ZeuS, SpyEye, Dogma, Koobface, and Alureon - are run by criminal groups that use servers and supercomputers in several countries. Tracing their activity is extremely difficult and calls for highly skilled technical workers.
One of 16 such FBI squads in the country, the Philadelphia Cyber Crime Squad has 15 agents working full-time on cybercrime; the national program began in 1996. Working with national and international agencies, the squad studies and traces viruses, junk, and spam. Cases involve computer intrusions (everything from local hackers to international cyberespionage and terrorism), child exploitation (as in pornography), intellectual-property rights (copyright infringement, movies, music, software, proprietary business secrets), Internet fraud, and identity theft.
Coughlin says, "We are insanely busy. This is the third-busiest squad in the country, because of where it is and all the affected business and government concerns nearby. We don't have enough bodies for all the work there is."
In the Philadelphia area, the FBI joins hands with local businesses such as banks, agribusiness, and utilities (enterprises often attacked by spam and cybercrime) in a group called InfraGard. There are more than 1,400 local members - "So many people want to be part of it that we don't even need to solicit members," Coughlin says.
At monthly meetings, members share information, news, and tips. The FBI gives presentations and talks, and individual members speak about the cases they face. "It's a communication channel," Herrick says, "between the U.S. government and people in industry down in the trenches, looking to protect critical infrastructure."
Current president of the local chapter of InfraGard is Brian Schaeffer, chief information officer of Liberty Bell Bank in Marlton. He says, "I get thousands of cyberattacks a day. A lot of them are idiots just wanting to show what they can do. But a lot of them are looking to access banking information."
Like most banks, Liberty Bell has a strong firewall, "so hackers take a back-door approach," sending bank clients "phishing" e-mails - which pretend to be trustworthy communications but hide nasty intentions. "If a client even opens such an e-mail, they can get into their account information, their contacts, the keys to the kingdom."
Such attacks mean that "not only do I have to defend my own system, but also I try to help the customers with theirs. If their computers get infected, their account and credit information could get sold to strangers, and that could hurt us all." Schaeffer tells of an elderly couple who came to his bank one day, and just by coincidence, a bank clerk brought him a suspicious request "to withdraw a huge amount of money from their account - but there they were, sitting with us, so we knew some hackers had got at their information through e-mail."
He says InfraGard "has given me a network of people I can go to if I see things I never saw before. If I have a question, there's likely to be someone with an answer."
The other side of the battle is cyberforensics. Think of it as CSI with computers. It's happening right now, with the cache of computers, flash drives, and other cyberstuff taken from Osama bin Laden's compound in Abbottabad, Pakistan. U.S. agents instantly began to analyze this precious trove for criminal evidence - and links to other al-Qaeda operatives.
Work much like this goes on in Radnor at the FBI's Regional Computer Forensics Laboratory, one of 16 such labs in the country. As with InfraGard, the flavor is distinctly federal/local. Law enforcement agencies - such as the police departments of Philadelphia, Lancaster, Lower Merion, and Lower Providence - send officers to guest-work at the lab and receive training and experience in fighting computer crime.
Supervisory Special Agent J.P. McDonald directs the lab, which has been involved in some of the highest-profile local investigations of recent years, including the 2007 Fort Dix attack plot, the manhunt for the Coatesville arsonists, the case of former State Sen. Vincent J. Fumo, and the 2007-08 "Bonnie and Clyde" case of Jocelyn Kirsch and Edward Anderton, now in prison for fraud and identity theft.
"You can track the growth of cyberforensics along the same timeline as computers," McDonald says. "The FBI's program began in 1999, and, as of the mid-2000s, cyberevidence now has recognition and a firm track record in courts."
The lab is a techie's paradise, with gadgets and screens galore, racks of digital evidence sealed in antistatic wrap, sophisticated hard-drive readers, radiofrequency-shielded spaces, and kiosks for quick analysis of cell phones and thumb drives. "The majority of what we do," McDonald says, "is analysis of what's in a machine, how it got there, and then making a timeline of the history of what got there when."
"People's electronic devices are really an extension of their thoughts," says Philadelphia Police Lt. Edward Monaghan, deputy director of the lab. "If you're into NASCAR, you're likely to have NASCAR stuff in your computer. Thugs who are into drugs and money like to have their pictures taken with drugs, guns, and money. It sounds dumb, but they love it. That's what cyberevidence is all about."
The FBI's Herrick is resigned to a long battle: "There's probably some high school kid someplace in the Midwest - or maybe Europe or Asia someplace - who's cooking up something nobody's ever seen before. You really have to stay on your game with these guys."

Microsoft Releases Patch Fixes for Windows Server and PowerPoint


Microsoft fixed bugs in the WINS name server resolution protocol and a file format vulnerability in PowerPoint for its May Patch Tuesday.

Microsoft addressed two security bulletins in May’s Patch Tuesday release. Security experts said administrators should apply the fixes immediately—because, despite their small size, they address significant threats.

Microsoft fixed a critical vulnerability affecting Windows Server and an important bug in Microsoft Office PowerPoint, according to the Patch Tuesday advisory released May 10. Microsoft also assigned separate “exploitability” scores for newer versions of the software under the “improved” exploitability index ratings.
The team fixed a critical vulnerability (MS11-035) in the WINS component in Windows Server 2003 and 2008. WINS is a name-resolution service that resolves names in the NetBIOS namespace and does not require authentication to use. While usually not available by default in Windows Server, it is commonly used in the enterprise for internal network servers. Administrators who have enabled WINS in Windows Server should apply the patch immediately as attackers could remotely cause a denial of service, according to Wolfgang Kandek, the CTO of Qualys.
“What might make the WINS vulnerability appealing to attackers is that it is a server-side issue,” Joshua Talbot, security intelligence manager, Symantec Security Response, told eWEEK.
Unlike other threats, attackers don’t have to trick a user into doing anything since it’s just a matter of finding a vulnerable server and feeding the machine “a malicious string of data,” according to Talbot. It is also a more serious issue on Windows Server 2003 than on 2008 because Windows Server 2008 has built-in protections such as DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization). However, attackers can still create exploit code to get past those security features, Talbot said.
The other “important” bulletin (MS11-036) addressed a security flaw in all versions of Microsoft Office PowerPoint except Office 2010. The bug would allow attackers to take full control of the target machine as soon as the user opens a malicious PPT file.
Both WINS and PowerPoint vulnerabilities are fairly significant, according to Tyler Reguly, technical manager of security research and development at nCircle. File-format vulnerabilities are “popular exploits” but WINS is remote code execution, so it was “difficult” to decide which was the “biggest risk today.”
Microsoft listed both vulnerabilities using the new exploitability ratings. The PowerPoint bulletin was rated a “1” (consistent exploit code likely) for older software releases, but “0” for the latest software because Office 2010 is not affected. The WINS patch was rated a “2” on both the latest and older versions because it affects all versions.
The updated rating system is intended to make it easier for IT administrators to determine their risk level, according to Microsoft.
“With massive updates such as we had in April, it’s easy to get overwhelmed. Microsoft’s new index simplifies the process, which will help IT administrators to prioritize which patches they tackle first,” said Dave Marcus, director of security research and communications at McAfee Labs.
The small release means administrators should “brace themselves for a larger update” in June, according to Kandek.
To complicate things for IT administrators, a fake Patch Tuesday update is making the rounds, according to security researchers at Websense Security Labs ThreatSeeker network. The malware is spread via a link inside an email message supposedly from “Microsoft Canada Co.” which informs users that Microsoft has issued a “Security Update for Microsoft Windows OS,” wrote Amon Sanniez, associate security researcher at Websense. Clicking on the link downloads the fake patch to the computer and infects the system with a Zeus Trojan variant, according to Sanniez.
It “ties in almost perfectly” with the real Patch Tuesday updates from Microsoft, Sanniez said.
The email looks quite legitimate and shows “some effort” went into the creation, as the message is presented in both English and French, and the display names within the headers actually say the mail originated from Microsoft Canada.
The malicious executable is currently not being detected by most major antivirus products tracked on VirusTotal, so IT managers should be careful that none of their staff members or users click on the link to get the security update. Websense said it is a low-volume threat, possibly aimed at a handful of companies. 

FBI is on high alert over a multi million dollar Chinese cyber crime operation



CYBER CRIMINALS with access to Chinese bank accounts have robbed US businesses of millions of dollars in the past 12 months by using malware that scarfs up banking details.
The US Federal Bureau of Investigation (FBI) has issued a stark warning about 20 incidents where banking credentials from smallish to medium-sized US businesses were harvested by malware like the Zeus Trojan and Spybot. The FBI said that the companies lost $11 million in these scams.
Often using reasonably cheap off-the-shelf malware, criminals can trap somebody in a company by compromising their computer with a phishing email or getting them to surf to a malicious website. The malware then gets to work, for example by keylogging crucial financial information like account numbers and passwords that the employee types in.
The FBI said that the criminal operation transferred the money to intermediary New York banks and then to the accounts of Chinese businesses that were registered as 'legitimate'. So far it's not known why these businesses received the transfers, that is, whether they were the final destinations or the money was transferred elsewhere.
Each wire transfer was able to shift hundreds of thousands of dollars, with the largest one nearly hitting the $1 million mark. For smaller amounts money mules were used, poor unfortunates who fall for scams where they transfer money for the criminals involved, without realising it's stolen.

2011 "The Year of The Hack": A Brief Overview & Prediction for 2012


Every day when you open voiceofgreyhat.com you see lots of hacks, defacements, data breaches, rooted servers, hacked databases, leaked information, and so on and on. Here is a summary covering the recent attacks. If 2011 was “the year of the hack,” as it was dubbed by Richard Clarke, former White House cyber-security czar, would 2012 be the year enterprises apply the lessons learned and stop the attacks?
Apparently not, as security experts are predicting even more sophisticated attacks for 2012.

Defense contractors, government agencies, and other public and private organizations reported network breaches where attackers stole intellectual property, financial data and other sensitive data. Hacktivist groups such as Anonymous and LulzSec demonstrated how much damage they can cause large organizations by employing fairly well-known techniques against the application layer. 

What’s the security outlook for 2012? 
It appears gloomy, as security experts warn that cyber-attackers will target applications, mobile devices and social networking sites. There will be more social engineering as attackers research victims beforehand to craft even more targeted attacks.
2011 was a year in transition, said David Koretz, CEO of Mykonos Software: the year when sophisticated Web application attacks came of age. Before, people were talking about the threat to Web applications but were unable to quantify the problem. “2011 is the year people started caring about Web security for the first time,” Koretz said.
Attackers targeted applications through SQL injection and cross-site scripting attacks to get access to sensitive data, said Lori MacVittie, senior technical marketing manager at F5 Networks. There are more kits and exploit tools released that exploit certain vulnerabilities, making it easier for even less skilled attackers to launch sophisticated attacks. There will be more of these tools in 2012, she said.
Social media has become more ubiquitous. Forrester estimated 76 percent of enterprises allow some access to social networking sites from within the corporate networks, and 41 percent allow “unfettered access” to these sites. Many of the data breach and cyber-attack headlines in 2011 were social engineering attacks that exploited email and the Web as an attack vector, according to Rick Holland, a Forrester analyst.
Attacks against social network sites accounted for only 5 percent of total social engineering attacks in Verizon’s 2011 Data Breach Investigations Report. Forrester expects this number to “increase significantly” in 2012, Holland said.
Malware for mobile platforms grabbed headlines in 2011, starting with Google removing apps infected with DroidDream malware from Android Market and then remotely removing them from user devices.
Malware developed for mobile platforms exploded in volume and sophistication, according to Juniper Networks’ Global Threat Center. Criminals released a mobile version of the Zeus Trojan designed to intercept security controls used for online banking for several mobile platforms. Many users were infected with malware that turned their smartphones into zombies participating in a botnet without their knowledge.
Mobile device adoption is on track to reach 60 million tablets and 175 million smartphones in the workforce by 2012, according to Forrester. The majority of users will not be using these devices secured within the corporate environment as they will be working from home offices, public hotspots and third-party networks.
Organizations will increasingly shift their content security operations to the cloud to better protect mobile users. Security professionals have to adapt quickly to multiple mobile form factors and evolving threats from sophisticated malware and social networks, Holland said. 

Now anyone can be a cyber criminal



Cyber crime is no longer the exclusive domain of nerds with advanced coding and hacking skills. Thanks to simple, affordable, downloadable DIY crimeware, even novices can jump into what has turned into a global industry.
This is a far cry from the days when hacks were motivated more by the thrill of the kill than monetary gain, with even Steve Jobs and Steve Wozniak (Apple’s co-founders) allegedly on their rolls. It’s in the last decade, with the widening reach of the internet, that cyber crime turned virulent, as viruses like Melissa and I Love You clogged inboxes and spawned a multi-billion-dollar anti-virus software industry. And now, with the DIY attack kits, cybercrime is evolving into an extremely profitable, distributed global entity.
These malware toolkits aren’t just professional, marketable, and easy to deploy, they’re even being sold on a subscription model with after sales support.
Mpack, Neosploit, ZeuS, Nukesploit P4ck, Phoenix … there’s an array of choices for script kiddies (those with minimal coding skills). “These kits come with features like encryption and hardware-based licensing, which one would find in enterprise-grade software,” says cyber sleuth Prasanna V, principal consultant of information security with Packet Verify. They enable users to launch pre-written threats against computer systems, and also customise them.
The United States, Russia, China, the UK, Germany, Brazil and Eastern European countries like the Ukraine are considered the hotbeds for development of such kits, and the damage they’re causing is already evident. According to a report by Symantec Corp, there was a 93% increase in web-based attacks in 2010 compared to the previous year, driven primarily by the prevalence of attack toolkits.
The modus operandi:
Most of the toolkits share a few common behavioural patterns, say Dr Madhupani and Dr Srinivas, technology experts with Cyber Security Works. “These can include capabilities to penetrate into browser processes, take screenshots of the victim’s machine or control it remotely, hijack e-banking sessions, add pages to a website and monitor them or steal passwords that have been stored by popular programs/browsers.” Users are lured through phishing websites, spam emails, download websites, freeware, or malicious codes inserted in legitimate programs.
What’s more worrying is that malware attacks from toolkits are difficult to monitor and curb because of both technological and legal factors. The cyber laws in most countries are largely inadequate to deal with the scale and reach of the crime. For example, a tool kit can enable a cyber criminal in Nigeria to spoof an Indian bank to send phishing emails to trick users in India. The network of cyber crime is spread so wide that it demands a coordinated effort by law enforcement agencies from all over the world that, as of now, is nonexistent.
On the technical side, “toolkits enable hackers to continuously generate new mutated malware variants, each targeting a different victim, making traditional discovery and fingerprinting of these threats nearly impossible,” says Ajay Goel, managing director, Symantec for India and SAARC.
On your guard:
So what can you do to protect yourself? For starters, realise that security does not start and end with an antivirus kit or a firewall, quips Prasanna. “Do not perform any financial transactions from shared systems like cyber cafes. Avoid connecting to free Wi-Fi hotspots. Scan USB before using. Stay away from suspicious websites and emails, limit the amount of personal information you give out on social networking sites like Facebook or Orkut,” he warns. “Finally, set the ‘automatic update’ option ON in all applications.”
Cyber Security Works issues another guideline: “Treat information the way you would treat your money.”

SpyEye is Becoming A Big Threat For Cyber Security


SpyEye, a potentially dangerous hacking tool, has become widely available for anyone to buy, giving rise to concerns about the threat posed by cyber attacks.
According to an article on USA Today, security researchers have predicted a large rise in the number of attacks orchestrated using SpyEye for the rest of the year.
The toolkit, which is far more dangerous and sophisticated than ZeuS, was previously used by a group of elite hackers and was sold for as much as $10,000.
However, after a group of French security researchers managed to crack the toolkit’s activation key, its entire source code has been laid bare for hackers to replicate and sell for as low as $95, making it available to virtually anyone with malicious intent. "SpyEye is very dynamic and versatile," Amit Klein, chief technical officer of Trusteer, warns.
“Every level of criminal, from the lowest to the highest rungs, can now use one of the deadliest Swiss Army knife hacking toolkits in the world," Sean Bodmer, senior threat intelligence analyst at network security firm Damballa, told USA Today.
Ever since the toolkit was released online, 14 cyber gangs have taken advantage of it, sending commands to thousands of botnet PCs in the United States.

-News Source (ITPro Portal)
