Showing posts sorted by date for query Zeus. Sort by relevance Show all posts
Showing posts sorted by date for query Zeus. Sort by relevance Show all posts

Microsoft Along With FBI & EC3 Shattered The Notorious ZeroAccess Botnet

Posted by Avik Sarkar On 12/08/2013 01:14:00 am

Microsoft Along With FBI & EC3 Shattered The Notorious ZeroAccess Botnet Responsible For Infecting More Than 2 Million Computers
Redmond based software giant Microsoft yet again got a huge success against a big racket of cyber criminals while shattering one of the world's largest and most rampant botnets named 'ZeroAccess'. The Sirefef botnet, also known as ZeroAccess, is responsible for infecting more than 2 million computers, specifically targeting search results on Google, Bing and Yahoo search engines, and is estimated to cost online advertisers $2.7 million each month. Tech giant Microsoft working alongside the Federal Bureau of Investigation (FBI), Europol's European Cybercrime Centre (EC3) have successfully disrupted this notorious botnet. This is Microsoft’s first botnet action since the Nov. 14 unveiling of its new Cybercrime Center — a center of excellence for advancing the global fight against cyber crime — and marks the company’s eighth botnet operation in the past three years.

“This operation marks an important step in coordinated actions that are initiated by private companies and, at the same time, enable law enforcement agencies around Europe to identify and investigate the criminal organizations and networks behind these dangerous botnets that use malicious software to gain illicit profits,” said Troels Oerting, head of the EC3. “EC3 added its expertise, information communications technology infrastructure and analytic capability, as well as provided the platform for high-level cooperation between cyber crime units in five European countries and Microsoft.”
Due to its botnet architecture, ZeroAccess is one of the most robust and durable botnets in operation today and was built to be resilient to disruption efforts, relying on a peer-to-peer infrastructure that allows cyber criminals to remotely control the botnet from tens of thousands of different computers. ZeroAccess is used to commit a slew of crimes, including search hijacking, which “hijacks” people’s search results and redirects people to sites they had not intended or requested to go to in order to steal the money generated by their ad clicks. ZeroAccess also commits click fraud, which occurs when advertisers pay for clicks that are not the result of legitimate, interested human users’ clicks, but are the result of automated Web traffic and other criminal activity. Research by the University of California, San Diego shows that as of October 2013, 1.9 million computers were infected with ZeroAccess, and Microsoft determined there were more than 800,000 ZeroAccess-infected computers active on the Internet on any given day.



How It Happened:- 
Last week, Microsoft filed a civil suit against the cyber criminals operating the ZeroAccess botnet and received authorization from the U.S. District Court for the Western District of Texas to simultaneously block incoming and outgoing communications between computers located in the U.S. and the 18 identified Internet Protocol (IP) addresses being used to commit the fraudulent schemes. In addition, Microsoft took over control of 49 domains associated with the ZeroAccess botnet. A10 Networks provided Microsoft with advanced technology to support the disruptive action.
As Microsoft executed the order filed in its civil case, Europol coordinated a multijurisdictional criminal action targeting the 18 IP addresses located in Europe. Specifically, Europol worked with Latvia, Luxembourg, Switzerland, the Netherlands and Germany to execute search warrants and seizures on computer servers associated with the fraudulent IP addresses located in Europe. This is the second time in six months that Microsoft and law enforcement have worked together to successfully disrupt a prevalent botnet. It demonstrates the value coordinated operations have against cyber criminal enterprises. For more information about this botnet operation click here

ZeroAccess is counted as a very sophisticated malware, blocking attempts to remove it, therefore recommended for every Microsoft user to click Here for detailed instructions on how to remove this threat. As Microsoft found that the ZeroAccess malware disables security features on infected computers, leaving the computer susceptible to secondary infections, it is critical that victims rid their computers of ZeroAccess by using malware removal or antivirus software as quickly as possible. 
In conversation with press David Finn, executive director and associate general counsel of the Microsoft Digital Crimes Unit said -“Microsoft is committed to working collaboratively — with our customers, partners, academic experts and law enforcement — to combat cybercrime. And we’ll do everything we can to protect computer users from the sinister activities and criminal networks that victimize innocent people and businesses around the world.” 

While talking about ZeroAccess botnet take down, I would like to remind you that in Match, last year Microsoft has successfully shutdown two command and control (C&C) server of world's of the most dangerous banking trojan Zeus.


SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

NBC.com Compromised, Hackers Exploited The Website to Spread Malware

Posted by Avik Sarkar On 2/25/2013 02:07:00 pm

NBC.com Compromised, Hackers Exploited The Website to Spread Malware

The month of February is still going from bad to worse for the cyber domain, in this very month cyber criminals swallowed the security system of many giant companies like Facebook, Twitter, Apple, New York Times and many more. But the game is not over yet, as we have just passed a few weeks, when the attack on NY Times took place, which stolen the employ database; yet again the cyber criminals have targeted another media giant National Broadcasting Company widely known as NBC. During the attack, hackers have successfully gain access inside the server of NBC and planted malware, in order to harm innocent readers. Famous security expert and blogger Brian Krebs said that the hackers inserted code into the NBC.com homepage. This caused visiting browsers to load pages from third-party sites that were compromised. While explaining the nature of the attacker, Krebs said; "The compromised sites tried to foist the Citadel Trojan, a variant of the Zeus Trojan." The Zeus is a "sophisticated data theft tool that steals passwords and allows attackers to control machines remotely" he added. Not only the NBC’s home page, also several others were affected, including the pages of late night talk show hosts Jay Leno and Jimmy Fallon. Well known security firm Sophos explained how roughly attack played out, and how NBC got sucked into the equation:
  • NBC's hacked pages were altered to add some malicious JavaScript that ran in your browser.
  • The JavaScript injected an additional HTML component known as an IFRAME (inline frame) into the web page.
  • The IFRAME sucked in further malicious content from websites infected with an exploit kit known as RedKit.
  • The exploit kit delivered one of two exploit files to try to take control over your browser via a Java vulnerability or a PDF bug.
  • If the exploit worked on your computer, financially-related crimeware from the Citadel or ZeroAccess families was installed.
This, of course, is an example of a dreaded drive-by download, where the crooks use a cascade of tricks to download, install and execute software without going through any of the warnings or confirmation dialog you might expect. This, in turn, means that even if you are a careful and well-informed user, you may end up in trouble, since there are no obvious signs that you are doing anything risky, or even unexpected.
As soon as this story get spotted the American commercial broadcasting television network, NBC News reported and confirmed that its site had been attacked. The broadcaster released the following statement regarding the website: "We've identified the problem and are working to resolve it. No user information has been compromised."
The emergency response team immediately take the situation under control and restored the website, and confirmed that the site is back again and completely safe for its visitors. But so far there is no evidence of attackers who were involved in this attack. For the safety of VOGH readers we would like to recommend you to update your operating systems and browser plugins. Also note that the attack on NBC was similar to many that have occurred in recent years in that the malicious sites tried to exploit vulnerabilities in Java. So it will better to disable Java, unless it is that much necessary. So stay tuned with VOGH and be safe in the cyber domain. 






SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

3 Russian Cyber Criminal Who Was The Master Mind of Banking Trojan 'Gozi' Charged in New York

Posted by Avik Sarkar On 2/01/2013 08:53:00 pm

3 Russian Cyber Criminal Who Was The Master Mind of Banking Trojan 'Gozi' Charged in New York 

Yet again another serious issue of cyber crime get resolved when the FBI tracked and figured out the master mind of infamous 'Gozi banking Trojan' which effected more than millions of system world wide, including a handful at NASA, leading to tens of millions of dollars in lost banking funds and damages to computer systems and networks. Three alleged international cyber criminals from Russia, responsible for creating and distributing 'Gozi' that infected over one million computers and caused tens of millions of dollars in losses charged in Manhattan Federal Court. Mihai Ionut Paunescu aged 28, a Romanian, Deniss Calovskis, 27, a Latvian, and Nikita Vladimirovich Kuzmin, 25, of the Russian Federation, are charged with computer intrusion, conspiracy to commit bank and wire fraud and access device fraud. Federal authorities said the three were arrested last week; Kuzmin is being held in New York, while Paunescu is in custody in Romania and Calovskis in Latvia. 
According to the press release of FBI -Deniss Calovskis, a/k/a “Miami,” a Latvian national who allegedly wrote some of the computer code that made the Gozi virus so effective, was arrested in Latvia in November 2012. Mihai Ionut Paunescu, a/k/a “Virus,” a Romanian national who allegedly ran a “bulletproof hosting” service that enabled cyber criminals to distribute the Gozi virus, the Zeus trojan, and other notorious malware and to conduct other sophisticated cyber crimes, was arrested in Romania in December 2012. 

The cases are being handled by the Complex Frauds Unit of the United States Attorney’s Office. Assistant United States Attorneys Sarah Lai, Nicole Friedlander, and Thomas G.A. Brown, along with Trial Attorney Carol Sipperly of the Computer Crime and Intellectual Property Section of the Department of Justice on the Paunescu case, are in charge of the prosecution. The charges contained in the Indictments are merely accusations, and the defendants are presumed innocent unless and until proven guilty.

DefendantAge and ResidenceChargesMaximum Penalty
Nikita Kuzmin25; Moscow, RussiaConspiracy to commit bank fraud; bank fraud; conspiracy to commit access device fraud; access device fraud; conspiracy to commit computer intrusion; computer intrusion95 years in prison
Deniss Calovskis27; Riga, LatviaConspiracy to commit bank fraud; conspiracy to commit access device fraud; conspiracy to commit computer intrusion; conspiracy to commit wire fraud; conspiracy to commit aggravated identity theft67 years in prison
Mihai Ionut Paunescu28; Bucharest, RomaniaConspiracy to commit computer intrusion; conspiracy to commit bank fraud; conspiracy to commit wire fraud60 years in prison


Brief About Gozi:-
The Gozi virus is malicious computer code, or “malware,” that steals personal bank account information, including usernames and passwords, from the users of affected computers. It was named by private sector information security experts in the U.S. who, in 2007, discovered that previously unrecognized malware was stealing personal bank account information from computers across Europe on a vast scale, while remaining virtually undetectable in the computers it infected. To date, the Gozi virus has infected over one million victim computers worldwide, among them at least 40,000 computers in the U.S., including computers belonging to the National Aeronautics and Space Administration (NASA), as well as computers in Germany, Great Britain, Poland, France, Finland, Italy, Turkey, and elsewhere, and it has caused tens of millions of dollars in losses to the individuals, businesses, and government entities whose computers were infected.

The Gozi virus was distributed to victims’ computers in several different ways. In one method, the virus was disguised as an apparently benign .pdf document which, when opened, secretly installed the Gozi virus on the victim’s computer. Once installed, the Gozi virus—which was intentionally designed to be undetectable by anti-virus software—collected data from the infected computer in order to capture personal bank account information including usernames and passwords. That data was then transmitted to various computer servers controlled by the cyber criminals who used the Gozi virus. These cyber criminals then used the personal bank account information to transfer funds out of the victims’ bank accounts and ultimately into their own personal possession.


For Detailed Information Click Here


SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Hackers Sending Rogue 'Microsoft Services Agreement' Emails Exploiting Java Vulnerability

Posted by Avik Sarkar On 9/06/2012 04:31:00 pm

Hackers Sending Rogue 'Microsoft Services Agreement' Emails Exploiting Java Vulnerability

Cyber criminals are distributing mass on the internet while sending rogue email notifications about changes in Microsoft's Services Agreement to trick people into visiting malicious pages that use a recently circulated Java exploit to infect their computers with malwareOracle left a security flaw in one of the world’s most widely used programs unpatched for four months and then issues a half-baked fix, the company is practically inviting cyber criminals to exploit its users en mass. And as expected the invitation has been accepted.
The rogue email messages are copies of legitimate notifications that Microsoft sent out to users to announce changes to the company's Services Agreement that will take effect Oct. 19. "This email is a legitimate announcement regarding updates to the Microsoft Services Agreement and Communication Preferences," a Microsoft program manager for supporting mail technologies who identifies herself as Karla L, said on the Microsoft Answers website in response to a user inquiring about the authenticity of the email message.
However, she later acknowledged the existence of reports about malicious emails that use the same template. "If you received an email regarding the Microsoft Services Agreement update and you're reading your email through Hotmail or Outlook.com, the legitimate email should have a Green shield that indicates the message is from a Trusted Sender," she said. "If the email does not have a Green shield, you can mark the email as a Phishing scam." 
However, in the malicious versions of the emails, the correct links have been replaced with links to compromised websites that host attack pages from the Blackhole exploit toolkit. Blackhole is a tool used by cybercriminals to launch Web-based attacks that exploit vulnerabilities in browser plug-ins like Java, Adobe Reader or Flash Player, in order to install malware on the computers of users who visit compromised or malicious websites.
This type of attack is known as a drive-by download and is very effective because it requires no user interaction to achieve its goal. The malicious Java applet used in this attack is detected by only eight of the 42 anitivirus engines available on the VirusTotal file scanning service. The Zeus variant has a similarly low detection rate.
"We're receiving multiple reports of a phishing campaign using the template from a legitimate Microsoft email regarding Important Changes to Microsoft Services Agreement and Communication Preferences," Russ McRee, security incident handler at the SANS Internet Storm Center, said Saturday in a blog post.


-Source (Info World)






SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

C&C Servers of World's Third Largest Spam Botnet "Grum" Been Knocked Down

Posted by Avik Sarkar On 7/21/2012 02:58:00 am


C&C Servers of World's Third Largest Spam Botnet "Grum" Been Knocked Down



Researcher get another big success by taking down two of the command and control(C&C) servers belong to  the world's largest spam botnet named "Grum". Though  this is not complete victory, as there are still two other C&C servers are currently working actively, but researchers are very much optimistic that the volume of spam will drop this take down. 
Atif Mushtaq, senior staff scientist at security firm FireEye, said in a blog post that the botnet known as Grum drew its last dying breath on Wednesday, after six servers in Ukraine and one in Russia were shut down. In a tense faceoff with whitehats, the botnet operators had deployed those servers following the disconnection earlier this week of separate servers in the Netherlands and Panama. Faced with the threat of losing a 100,000-computer network that generated an estimated 18 billion spam messages a day, the Grum operators were desperately trying to transition to those machines when they stopped working.

"Grum's takedown resulted from the efforts of many individuals," Mushtaq wrote. "This collaboration is sending a strong message to all the spammers: 'Stop sending us spam. We don't need your cheap Viagra or fake Rolex. Do something else, work in a Subway or McDonalds, or sell hotdogs, but don't send us spam." We would also like to give you reminder that, this year Microsoft closed two C&C server of Zeus, another dangerous botnet. Also researcher from different parts of the world have unveiled the mystery of few other botnets like Bredolab, Rustock, Duqu and so on. 





SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Popular Gaming Site of France Infecting Visitors With ZeuS

Posted by Avik Sarkar On 4/17/2012 12:29:00 pm

Popular Gaming Site of France Infecting Visitors With ZeuS 

Researcher from Anti-virus company and security firm Avast, has find out that a French website of popular game Assassin’s Creed has been serving ZeuS malware variants to its visitors for over 8 weeks. The site has been infected with a Trojan java script redirector that sends visitors to a Russian malware site and connects them to a ZeuS powered botnet. The infection was last confirmed by the AVAST Virus Lab at 12.00 CET, April 10, 2012. And, just to make it clear, this Assassinscreedfrance.fr site is not affiliated with Ubisoft, the developers of the Assassin’s Creed franchise. 
The web site is currently returning a Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /homepages/23/d207590046/htdocs/wp-content/plugins/countdown-timer/fergcorp_countdownTimer.php on line 1050 error message. 
According to Avast official blog post - So far, Avast has blocked over 179,800 visits by its users to this site. And, Assassinscreedfrance.fr is just one of 1,841 sites around the globe that has been infected with this specific Trojan during the month of March. The infection, a Trojan redirector, sends users to Russian malware distribution server with an IP registered in Saint Petersburg, Russia. And yes, this sever is still working, even after Microsofts’ recent takedown of a few dozen botnet servers. The infection at Assassinscreedfrance.fr is located in the countdown timer in the JavaScript module, a common WordPress plugin. Other sites had infections hitting a wide range of WordPress vulnerabilities. “The bad guys are using an automatic tool that is looking for some holes,” said Jan Sirmer, analyst from the AVAST Virus Lab. “Assassinscreedfrance.fr may have become vulnerable by using an outdated version of WordPress, even though their JavaScript plugin is up-to-date. For the rest of these sites, we can safely say that older programs and plugins are common ways to get infected.” 

-Source (Avast Blog)




SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Edward Pearson Sent To Jail For Stealing 8Million Customers Banking & PayPal Details

Posted by Avik Sarkar On 4/04/2012 02:28:00 pm

Edward Pearson (23 Years Aged Hacker) Sent To Jail For Stealing 8Million Customers Banking & PayPal Details

A 23 years aged hacker from UK named Edward Pearson has been sent to prison to pilfer eight million personal identities (ID fraud). Between January 1 2010 and August 30 2011, he used of malicious computer programs to get his hands on - wait for it - eight MILLION personal identities. According to report he used highly sophisticated cyber-weapons such as Zeus and SpyEye, to hunt down personal details on the Internet. 
One of his programs scanned through 200,000 accounts registered to online payment service PayPal - identifying names, passwords and current balances. Luckily, Pearson got caught after only making a £2,400 ($3,800 USD). The authorities estimate he could have walked away with as much as £800,000 ($1.3M USD).  Authorities were alerted to the problem when his 21-year-old girlfriend, Cassandra Mennim, used stolen credit cards to book rooms at the upmarket Cedar Court Grand and Lady Anne Middleton Hotels. Investigators looking into the case eventually identified him as G-Zero on hacking forms. Pearson has been jailed for 26 months, whilst girlfriend Cassandra Mennim admitted two counts of obtaining services dishonestly and was given 12 months’ supervision.


-Source (NS & DailyMail)


SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

SpyEye Banking Trojan Swallowing US, Russia & Ukraine -Said AhnLab

Posted by Avik Sarkar On 3/30/2012 08:49:00 pm

SpyEye Banking Trojan Swallowing US, Russia & Ukraine -Said AhnLab 

Researcher at AhnLab has figure out a significant majority of the domains and hosts for the SpyEye Banking Trojan are in the US. The malicious code has gained attention as of late for the threat it poses to online banking user information. According to SpyEye-relevant host data extracted by the AhnLab Packet Center, 48% of all SpyEye domains were found to be located in the US, followed by Russia at 7%, and the Ukraine at 6%. The AhnLab Packet Center is the company’s malicious packet analysis system, which assesses suspicious packet data, including that from SpyEye C&C servers. The findings indicate that the main targets of SpyEye are mainly in the US, and that North American financial institutions and users should remain especially vigilant.
Since its toolkit first became public in 2010, the SpyEye Trojan has produced many variants. According to analysis by the AhnLab Packet Center, the “10310” variant was identified as the most distributed version at 34.5%. The “10299” and “10290” variants followed at 14.7% and 14.6%, respectively. Additional variants are expected in the future. SpyEye, along with ZeuS, are notorious banking Trojans that have helped thieves steal more than $100 million around the world. Without an end-user PC solution, banks face great difficulty protecting individual customers from the sophisticated threats posed by these malicious codes. AOS ensures comprehensive transaction security with its Anti-keylogger, Firewall and Anti-virus/spyware agents for individual user PCs, as well as Secure Browser which creates an independent online space for safe communication. With AOS’ unique approach to transaction security, banks are able to deliver complete peace of mind to their online customers.

The four components of the AhnLab Online Security (AOS) solution, designed to protect the entire transaction process, include:-
  • AOS Secure Browser: Provides a dedicated security browser that creates an independent and protected environment for online transactions. It secures user banking data against Man-In-The-Browser (MITB) attacks such as SpyEye and ZeuS, memory hacking, webpage alteration, HTML injection, cross-site scripting (XSS), browser help object (BHO) hacking, screen capturing, debugging, and reverse engineering.
  • AOS Anti-keylogger: Delivers the protection needed to keep account information safe and prevent theft of personal banking data during input via a keyboard.
  • AOS Firewall: Protects the user by detecting and blocking unauthorized intrusions and hacking attempts and preventing the leakage of personal information.
  • AOS Anti-virus/spyware: Secures online transactions against the latest malicious codes with AhnLab’s cloud based security technology known as ASD (AhnLab Smart Defense).
Yesterday we have discussed that Microsoft’s Digital Crimes Unit coordinated with several financial services organizations and the United States seized the two command-and-control servers of Zeus


-Source (Market-Watch)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Microsoft Seized Two Command & Control Server of Zeus Botnet

Posted by Avik Sarkar On 3/28/2012 12:42:00 am

Microsoft Seized Two Command & Control Server of Zeus Botnet 
Cyber crime investigator at Microsoft have shutdown two botnet server powered by "Zeus". It has been reported that Microsoft’s Digital Crimes Unit coordinated with several financial services organizations and the United States seized the two command-and-control servers of Zeus on Friday, March 23. After shutting down the servers, It has been found that more than $100 million have already been stolen and also an estimated 13 million computers ware infected and connected with those two CNC server of Zeus. The raid came after Microsoft filed a civil lawsuit, partly under the Racketeer Influenced and Corrupt Organizations Act. The company has combined legal tactics with cyberforensics three other times since 2010 to shut down command-and-control servers used to direct large botnets. Last week Microsoft officially declared that they are working closely with US authorities and financial services companies to disrupt two Zeus botnets. So there is no doubt that this is indeed a huge success for Microsoft. 
Brief Overview of Zeus Trojan:- 
The Zeus banking Trojan intercepted user credentials for online banking accounts with a keylogger and transferred money out of victims’ bank accounts. The malware was sophisticated enough to display a fake page showing the normal account balance instead of the actual amount, which meant victims weren’t aware of the thefts immediately. Zeus crimeware kits are available on underground forums for anywhere between $700 and $15,000. There’s even an “open source” version of the toolkit which is available for free.

"Cybercriminals have built hundreds of botnets using variants of Zeus malware," Richard Boscovich, a senior attorney with Microsoft’s Digital Crimes Unit, wrote on the Official Microsoft Blog.
Last week we have also discussed about another dangerous botnet or in other word the next generation cyber weapon named Duqu. After a decent period finally the researchers have solved the Duqu Mystery

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Professor Warner Helps FBI To Crack "Trident Breach" ($70 Million Cyber-crime Ring)

Posted by Avik Sarkar On 3/23/2012 03:45:00 pm

Professor Warner Helps FBI To Crack "Trident Breach" ($70 Million Cyber-crime Ring)

Earlier in 2008 cyber criminals have managed to steal more than  $70 million from the payroll accounts of some 400 American companies and organizations – all from the safety of their homes in Eastern Europe. The case was known to us as "Trident Breach". As expected FBI was inspecting that case but hardly get success. 
At the beginning of 2008, the group of hackers compromised hundreds of thousands of Americans computers using a malicious computer “Trojan” bug called ZeuS. When computer users clicked on certain attachments and e-mail links, ZeuS infected their computers. ZeuS is designed to zero in on users’ bank information. For example, when a user visits a bank website, ZeuS knows; and since it is a key logger program, it records the user's keystrokes as he or she enters usernames and passwords. It then sends that information by instant text message to waiting hackers, who then have access to the compromised accounts. Henry is one of the country’s top cybercrime fighters. He says Americans are increasingly prone to “virtual gangs” prying on people’s personal data stored on their computers. In late 2008, they created some 3000 money mules, many of them unwitting Americans, by luring them into work-at-home jobs requiring "employees" to open bank accounts.
Later FBI appoint Prof. Gary Warner of the University of Alabama at Birmingham, who teaches a program that combines computer forensics and justice studies. Warner is also a member of the little-known FBI-affiliated group called InfraGard, comprising some 50,000 members across the United States who keep an eagle eye on U.S . critical infrastructure: power plants, water supply, security and financial services…and the Internet. After the entry of Warner the investigation turns. Warner said hackers transferred cash from business payroll-type "ACH" (Automated Clearing House) accounts to the mule accounts and the mules sent the cash by Western Union or MoneyGram to Eastern Europe, taking eight or 10 percent commission. So stealthy was their ZeuS operation, neither the hackers nor the mules had counted on getting caught. But, using complex data mining techniques, Prof. Warner established links between ZeuS-infected computers and traced the origins of the mass infection to Ukraine; and many of the hackers and their mules were caught. And after the FBI published a wanted poster of the students, Warner’s students began using what they’d learned in class to track the criminals. 



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Anonymous Tricked Their Supporter Into Installing Zeus Trojan - Said Symantec

Posted by Avik Sarkar On 3/04/2012 07:56:00 pm

Anonymous Tricked Their Supporter Into Installing Zeus Trojan - Said Symantec

Remember the Operation Megaupload (#OpMegaupload) the largest attack ever where 5,635 Anon people bring down the websites of Universal Music, the U.S. Department of Justice and the Recording Industry Association of America while using one of the world's most popular and vastly used DDoSer LOIC.
Now Security software company Symantec have discovered that a piece of Anonymous-recommended DDoS software called Slowloris contained an insidious Trojan that was stealing financial info from people using it. According to the official blog post of Symantec on the 20th day of January after Kim Dotcom was arrested, Anonymous was frequently shearing few pastebin links which was containing the download link of Slowloris which led to a trojanized copy that installed the Zeus trojan on users' systems. The compromised download then replaced itself with a clean version of the tool to avoid detection. 

"It is worth highlighting how Anonymous supporters have been deceived into installing Zeus botnet clients purportedly for the purpose of DoS attacks. The Zeus client does perform DoS attacks, but it doesn’t stop there. It also steals the users' online banking credentials, webmail credentials, and cookies."
"When the Trojanized Slowloris tool is downloaded and executed by an Anonymous supporter, a Zeus (also known as Zbot) botnet client is installed. After installation of the Zeus botnet client, the malware dropper attempts to conceal the infection by replacing itself with the real Slowloris DoS tool. Zeus is an advanced malware program that cannot be easily removed. The Zeus client is being actively used to record and send financial banking credentials and webmail credentials to the botnet operator. Additionally, the botnet is being used to force participation in DoS attacks against Web pages known to be targets of Anonymous hacktivism campaigns."

Full information can be found Here



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Malware Named "Gameover" Targeting Bank Accounts

Posted by Avik Sarkar On 1/07/2012 09:31:00 pm


Another malware named "Gameover" is targeting bank accounts via phishing emails. Cyber criminals have found yet another way to steal your hard-earned money: a recent phishing scheme involves spam e-mails—purportedly from the National Automated Clearing House Association (NACHA), the Federal Reserve Bank, or the Federal Deposit Insurance Corporation (FDIC)—that can infect recipients’ computers with malware and allow access to their bank accounts.
The malware is appropriately called “Gameover” because once it’s on your computer, it can steal usernames and passwords and defeat common methods of user authentication employed by financial institutions. And once the crooks get into your bank account, it’s definitely “game over.” Gameover is a newer variant of the Zeus malware, which was created several months ago and specifically targeted banking information. Few days ago Ramnit worm did the same thing. It steals more than 45K Facebook Login details not only that but also more than 250K PC has been infected by Ramnit worm. It clearly showing that the rate of this cyber threat is going high and high. 

How The Gameover Malware Is Working:- 
Typically, you receive an unsolicited e-mail from NACHA, the Federal Reserve, or the FDIC telling you that there’s a problem with your bank account or a recent ACH transaction. (ACH stands for Automated Clearing House, a network for a wide variety of financial transactions in the U.S.) The sender has included a link in the e-mail for you that will supposedly help you resolve whatever the issue is. Unfortunately, the link goes to a phony website, and once you’re there, you inadvertently download the Gameover malware, which promptly infects your computer and steals your banking information.
After the perpetrators access your account, they conduct what’s called a distributed denial of service, or DDoS, attack using a botnet, which involves multiple computers flooding the financial institution’s server with traffic in an effort to deny legitimate users access to the site—probably in an attempt to deflect attention from what the bad guys are doing.




SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

2011 "The Year of The Hack" A Brief Over View & Prediction of 2012

Posted by Avik Sarkar On 12/13/2011 10:51:00 pm


Everyday when you open voiceofgreyhat.com you see lost of hacks, defacement, data breached, server rooted, database hacked, information leaked and so on and on. Here is some summary where all the recent attacks ware covered. If 2011 was “the year of the hack,” as it was dubbed by Richard Clarke, former White House cyber-security czar

Would 2012 be the year enterprises apply the lessons learned and stop the attacks? 
Apparently not, as security experts are predicting even more sophisticated attacks for 2012. 

Defense contractors, government agencies, and other public and private organizations reported network breaches where attackers stole intellectual property, financial data and other sensitive data. Hacktivist groups such as Anonymous and LulzSec demonstrated how much damage they can cause large organizations by employing fairly well-known techniques against the application layer. 

What’s the security outlook for 2012? 
It’s appears gloomy, as security experts warn that cyber-attackers will target applications, mobile devices and social networking sites. There will be more social engineering as attackers research victims beforehand to craft even more targeted attacks.
2011 was a year in transition, David Koretz, CEO of Mykonos Software, toldthe year when sophisticated Web application attacks came of age. Before, people were talking about the threat to Web applications but were unable to quantify the problem. “2011 is the year people started caring about Web security for the first time,” Koretz said
Attackers targeted applications through SQL injection and cross-site scripting attacks to get access to sensitive data, said Lori MacVittie, senior technical marketing manager at F5 Networks. There are more kits and exploit tools released that exploit certain vulnerabilities, making it easier for even less skilled attackers to launch sophisticated attacks. There will be more of these tools in 2012, she said.
Social media has become more ubiquitous. Forrester estimated 76 percent of enterprises allow some access to social networking sites from within the corporate networks,  and 41 percent allow “unfettered access” to these sites. Many of the data breach and cyber-attack headlines in 2011 were social engineering attacks that exploited email and the Web as an attack vector, according to Rick Holland, a Forrester analyst.
Attacks against social network sites accounted for only 5 percent of total social engineering attacks in Verizon’s 2011 Data Breach Investigations Report. Forrester expects this number to “increase significantly” in 2012, Holland said.
Malware for mobile platforms grabbed headlines in 2011, starting with Google removing apps infected with DroidDream malware from Android Market and then remotely removing them from user devices.
Malware developed for mobile platforms exploded in volume and sophistication, according to Juniper Networks’ Global Threat Center. Criminals released a mobile version of the Zeus Trojan designed to intercept security controls used for online banking for several mobile platforms. Many users were infected with malware that turned their smartphones into zombies participating in a botnet without their knowledge.
Mobile device adoption is on track to reach 60 million tablets and 175 million smartphones in the workforce by 2012, according to Forrester. The majority of users will not be using these devices secured within the corporate environment as they will be working from home offices, public hotspots and third-party networks.
Organizations will increasingly shift their content security operations to the cloud to better protect mobile users. Security professionals have to adapt quickly to multiple mobile form factors and evolving threats from sophisticated malware and social networks, Holland said. 



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Twitter Traffic Hits 6,049 Tweets per Second As News of Jobs' Death Spread

Posted by Avik Sarkar On 10/09/2011 07:35:00 pm



Traffic hit near-record levels on Twitter Wednesday after news spread of Apple co-founder Steve Jobs' death. Leaders in the high-tech industry, as well as Apple fans and average people, took to social networking sites Wednesday night and Thursday to spread the word about Jobs and to share memories and tributes to the man behind the iMac, iPod, iPhone and iPad. Around 8 p.m. EDT Wednesday, shortly after news of Jobs' passing was made public, Twitter was handling 6,049 tweets per second, according to Twitter spokeswoman Rachael Horwitz.
"I'm surprised at the number of tweets it got, but I guess I shouldn't be," said Zeus Kerravala, principal analyst with ZK Research. "Social networks are increasingly the de facto place for people to go to when they want to share information. Twitter is perfect for this type of thing."
While Wednesday night didn't set a record for Twitter traffic, it was one of the site's highest number of tweets per second ever recorded.
Horwitz noted that early last May, the death of al-Qaeda leader Osama Bin Laden set a record at that time with a peak of 5,106 tweets per second.
When Brazil was eliminated from the international soccer tournament Copa America in July, Twitter saw 7,166 tweets per second. The current record is 8,868 tweets per second, which was set during the 2011 MTV Video Music Awards in August, Horwitz noted.

Shawn White, vice president of operations at Keynote Systems, an Internet and mobile monitoring company, told Computerworld that the surge in Twitter traffic after Job's death was staggering.
"We saw it with the death of Michael Jackson and the inauguration of President Obama. Sometimes sites just get overwhelmed," White said. "The pattern we saw [with Twitter] was that things hummed a long pretty normally and then right after the announcement of Steve Jobs' passing, the site slowed." He noted that the time to access Twitter's homepage for many users went from 3 seconds to 20 or 30 seconds. The site increasingly struggled under the load, with the first error hitting at 8:10 p.m. ET.
Then the availability of Twitter's homepage dropped nearly 40% between 8:50 and 9:05, according to Keynote.
"During that 15-minute period, roughly 60% of Twitter users would have gotten some kind of error trying to get to the home page. And if they got there, it was probably really slow," White said. "But Twitter recovered pretty quickly."


-News Source (Computer World, BBC, twitter) 




SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

RSA Said: Zeus v2.1.0.10 Became The Most Infamous & Propagated Trojan in Cybercrime History

Posted by Avik Sarkar On 10/01/2011 01:12:00 pm


The RSA Research Lab investigated and monitord a large number of malicious cybercrime servers operating in the wild. What RSA researchers discovered was nothing less than the robust mercenary workings of a virtual heist machine, one that has been operational on an ongoing basis, militating and robbing financial data from hundreds of thousands of infected users all over the world. The tool of choice—Zeus v2.1.0.10, the most advanced variant of Zeus to date. The end result: endless logs of compromised financial data and untold numbers of wire-fraud transactions.
According to the official blog of RSA:- 

A Privately Developed Zeus Upgrade:-
Unlike the large majority of banking Trojan, the Zeus Trojan has always been a commercial code, sold by its creator to those who could afford an advanced fraud tool and understood how to use it. With time, Zeus became the most infamous and most propagated Trojan in cybercrime history. In October 2010, nearly one year ago, the bequeathing of the Zeus Trojan’s source code by its owner “Slavik”, to his then biggest rival, the SpyEye Trojan’s coder (“Harderman”), united the future of 2 giant commercial codes and threw a Zeus-faced wildcard into the game when its entire source code was leaked in March 2011.
But it was nearly two months before the announcement of the code ‘merger’ was even made that RSA researchers were already looking at a rather special upgrade of the Zeus Trojan: Zeus v2.1. A surprising and rare new version which included some of the most sophisticated additions to the Zeus code seen in recent times, making it more impervious and hardened thus shutting-out a lot of potential interference with this variant’s configuration and its communication patterns. At the time (early September 2010), our team was in the possession of a single variant of this upgrade and was not entirely sure what it represented as yet. The interesting part of the upgrade was its low propagation numbers and the time lapse it took for the Lab to see more of it in the wild. True Zeus 2.1.0.10 variants were not being sold in underground forums. These two initial observations already suggested that the new upgrade was the property of one cybercriminal or a single cybercrime gang.
Within six months, Zeus 2.1.0.10 was being detected more and more often, and although the number of variants kept growing, the trigger list in each and every one of them was identical – a rare case for Zeus variants in which each operator updates his own list of triggers. This was the third sign pointing to a single operations team for Zeus 2.1.0.10.
June 2011 – a sharp peak in Zeus 2.1.0.10 attacks resulted from the propagation of hundreds of variants of this upgraded version. To date, the RSA Research Lab detected 414 different variants, and yet, each and every variant still went after the exact same trigger list. At this point it was clear that Zeus 2.1.0.10 belongs to one gang who had the Zeus source code way before the merger, way prior to the code leak and before anyone even imagined what would become of Zeus.
This gang developed their own Zeus Trojan using Zeus’ source codes and its mainframe; this gang operates Zeus 2.1.0.10 without sharing their malevolent creation with outsiders.

Zeus 2.1.0.10 Has its Own Techniques:-
More than the actual upgrade of the Trojan code, the new Zeus 2.1.0.10 behaved in a new way, unlike the one observed in other Zeus variants. Unlike other advance Trojans who contact the mothership through reverse proxies, fast flux networks, or those who use their own botnet as proxies – Zeus 2.1.0.10 never communicates directly with the mothership. This special variant further uses another obfuscation technique for cases where it fails to find a live update point. In order to make sure the botnet always ‘calls home’ Zeus 2.1.0.10’s operators programmed a randomized, on-the-fly domain name generator, based on a constant algorithm the Trojan’s configuration dictates. The algorithm creates 1,020 domain names (URLs) per day. Each new and unique domain name is a string of letters. The suffix “/news” or “/forum” follows the domain name when it is used for the Trojan’s update and drop communications.
The cybercriminal operation team behind the scenes has the same algorithm. They know exactly when the whole botnet will attempt to communicate with a specific new domain name, and then simply go and buy that domain name, hosting each one through facilities located all over the world. At that point, the whole botnet queries the new domain with a request for the update file – and receives it, and the C&C queries its bots for the stolen data they have in store – and receives it.  Mission accomplished.
This all happens without anyone outside the gang knowing their algorithm or being able to guess which communication channel they will choose for their botnet next. Even if an external party was to attempt to solve the algorithm, they would have to buy the domains before the gang does, thus engaging in a race against time and paying for numerous domain registrations every hour (!). No matter how many domains an adversary buys, the bot masters will eventually buy one and the botnet will end up communicating with it.
The communication through randomized domains generated by the Trojan is directed through a list of legitimate VPS and legitimate cloud services used as a proxy. This raptures any further tracking possibilities of the true motherships which militate the immense botnet.
Zeus 2.1.0.10’s behavior pattern has never been used in Zeus or SpyEye variants, but it sure is identical to another Trojan’s sophisticated and diuturnal operations – Sinowal. A long standing, privately owned Trojan, operated by an organized cybercrime gang based out of Russia, Sinowal is perhaps one of the most persevering private banking Trojans; one whose nefarious nature has been the intrigue of many security researchers since as early as 2006.
It was initially somewhat surprising to see that Zeus 2.1.0.10 was not only a private version of Zeus, it also behaves exactly in the same manner as Sinowal similarly held by Russian-speaking cybercriminals. These common denominators raised a logical suspicion as to the possibility of the two sharing some links if not operated by the same gang altogether.

For more information and to see the RSA blog article about Zeus click Here




SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Zeus Strategy Followed By SpyEye & Here The Victim is Android Users

Posted by Avik Sarkar On 9/18/2011 02:24:00 pm



In the world of Windows malware, SpyEye is a widespread malicious toolkit for creating and managing botnets. It is designed primarily for stealing banking credentials and other confidential information from infected systems. SpyEye is a major competitor of the infamous Zeus toolkit.
Zeus (also known as ZBot) generated a lot of interest in the mobile security community a couple of months ago when an Android version was discovered. Of course, we did not have to wait long before a version of SpyEye targeting Android was also developed, and sure enough a malicious SpyEye Android app was discovered a few days ago.
The functionality of Zeus and SpyEye on Windows is quite similar, so I was curious as to how similar their respective Android versions would be.
Zeus for Android purports to be a version of Trusteer Rapport security software. This social engineering trick is used in an attempt to convince the user that the application they are installing is legitimate.
SpyEye for Android, now detected by Sophos products as Andr/Spitmo-A, uses a slightly different but similar social engineering technique. When the user of a PC infected by the Windows version of SpyEye visits a targeted banking website, and when the site is using mobile transaction authorization numbers, the SpyEye Trojan may inject HTML content which will instruct the user to download and install the Android program to be used for transaction authorisation.


The SpyEye application package does not show up as an icon in the "All apps" menu, so the user will only be able to find the package when the "Manage Applications" is launched from the mobile device's settings.
The application uses the display name "System" so that it seems like a standard Android system application.
When installed, Zeus for Android displayed a fake activation screen, and Spitmo is again very similar. However, Spitmo uses different tactics to convince the user that it is a legitimate application.
It applies for the following Android permissions:-
  • android.provider.Telephony.SMS_RECEIVED
  • android.intent.action.NEW_OUTGOING_CALL

This allows the malware to intercept outgoing phone calls. When a number is dialed, the call is intercepted before the connection is made and the dialed phone number is matched to a special number specified by the attacker in the alleged helper application installation instructions. If the number matches, Spitmo displays a fake activation number, which is always 251340. Once installed, the functionality of Zeus and SpyEye are pretty much the same. A broadcast receiver intercepts all received SMS text messages and sends them to a command and control server using an HTTP POST request. The submitted information includes the sender's number and the full content of the message.So far, it does not seem that this attack is widespread, but it shows that the developers of major malicious toolkits are closely watching their competition and matching the latest features. It also seems that support for Android is increasingly becoming an important part of their product strategy.

-News Source (N.Security)


SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Related Posts Plugin for WordPress, Blogger...

Site search